snort2-docker/docker/etc/rules/server-webapp.rules

# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#---------------------
# SERVER-WEBAPP RULES
#---------------------
# NOTE(review): sids 33166-33169 are one signature (CVE-2014-6140) repeated for four
# session-cookie names; all four are disabled here. Each matches the cookie name followed
# by "=BAhvOkBB". "BAhv" is base64 for bytes 04 08 6F: the Ruby Marshal 4.8 header followed
# by type 'o' (object), i.e. a cookie whose value begins with a marshalled Ruby object.
# The content has no http_cookie modifier and is fast_pattern:only, so it is matched
# against the raw payload wherever it occurs. Port 443 is in the port list, but the
# cookie is only visible there if TLS is decrypted before the sensor.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,443] (msg:"SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt"; flow:to_server,established; content:"_mdm_session=BAhvOkBB"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,71424; reference:cve,2014-6140; classtype:attempted-user; sid:33169; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,443] (msg:"SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt"; flow:to_server,established; content:"_trusted-services-provider_session=BAhvOkBB"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,71424; reference:cve,2014-6140; classtype:attempted-user; sid:33168; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,443] (msg:"SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt"; flow:to_server,established; content:"_self-service-portal_session=BAhvOkBB"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,71424; reference:cve,2014-6140; classtype:attempted-user; sid:33167; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,443] (msg:"SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt"; flow:to_server,established; content:"_admin-portal_session=BAhvOkBB"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,71424; reference:cve,2014-6140; classtype:attempted-user; sid:33166; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products HTTP connection header overflow attempt"; flow:to_server,established; content:"Connection|3A 20|"; nocase; http_header; isdataat:50,relative; content:!"|0D 0A|"; within:100; http_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,99137; reference:cve,2017-7668; reference:url,ghostinthelab.wordpress.com/2012/07/19/simplewebserver-2-2-rc2-remote-buffer-overflow-exploit/; classtype:attempted-user; sid:43587; rev:4;)
# NOTE(review): three ENABLED sibling rules for CVE-2015-6946 (drop in the balanced-ips,
# max-detect-ips and security-ips policies). They differ only in the /goform/ handler and
# the parameter name (licfile, akey, actserver). Logic of each rule:
#   1. the handler path must be found within the first 35 payload bytes (depth:35);
#   2. the parameter name must occur somewhere in the payload (nocase, not relative);
#   3. at least 500 bytes must follow it (isdataat:500,relative) and the next 500 bytes
#      must contain no "&", CR or LF, i.e. one unbroken parameter value of 500+ bytes.
# All matches are on the raw payload; no http_uri/http_client_body buffers are used, so
# nothing is URL-decoded before matching.
# The destination port is the literal 5054: a server listening on another port is only
# covered if "service http" is resolved through host attributes — TODO confirm for this
# deployment.
alert tcp $EXTERNAL_NET any -> $HOME_NET 5054 (msg:"SERVER-WEBAPP Reprise License Manager licfile stack buffer overflow attempt"; flow:to_server,established; content:"/goform/service_setup_doit"; depth:35; nocase; content:"licfile="; nocase; isdataat:500,relative; content:!"&"; within:500; content:!"|0D|"; within:500; content:!"|0A|"; within:500; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-6946; reference:url,redr2e.com/cve-to-poc-cve-2015-6946/; classtype:attempted-admin; sid:38288; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5054 (msg:"SERVER-WEBAPP Reprise License Manager akey stack buffer overflow attempt"; flow:to_server,established; content:"/goform/activate_doit"; depth:35; nocase; content:"akey="; nocase; isdataat:500,relative; content:!"&"; within:500; content:!"|0D|"; within:500; content:!"|0A|"; within:500; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-6946; reference:url,redr2e.com/cve-to-poc-cve-2015-6946/; classtype:attempted-admin; sid:38287; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5054 (msg:"SERVER-WEBAPP Reprise License Manager actserver stack buffer overflow attempt"; flow:to_server,established; content:"/goform/activate_doit"; depth:35; nocase; content:"actserver="; nocase; isdataat:500,relative; content:!"&"; within:500; content:!"|0D|"; within:500; content:!"|0A|"; within:500; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-6946; reference:url,redr2e.com/cve-to-poc-cve-2015-6946/; classtype:attempted-admin; sid:38286; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DIR-100 User-Agent backdoor access attempt"; flow:to_server,established; content:"User-Agent: xmlset_roodkcableoj28840ybtide|0D 0A|"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,62990; reference:cve,2013-6026; reference:url,www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor; classtype:attempted-admin; sid:28240; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress login denial of service attempt"; flow:to_server,established,only_stream; content:"wp-postpass_"; fast_pattern:only; content:"wp-postpass_"; http_cookie; content:"|25|24P|25|24Spaddding"; http_cookie; detection_filter:track by_src, count 500, seconds 5; metadata:service http; reference:url,seclists.org/bugtraq/2013/Jun/41; classtype:denial-of-service; sid:26981; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DIR-300/DIR-600 unauthenticated remote command execution attempt"; flow:to_server,established; content:"POST"; depth:4; nocase; http_method; content:"/command.php"; fast_pattern:only; http_uri; content:"cmd="; nocase; http_client_body; metadata:service http; reference:bugtraq,57734; reference:url,exploit-db.com/exploits/24453/; reference:url,www.s3cur1ty.de/m1adv2013-003; classtype:attempted-admin; sid:26953; rev:3;)
# NOTE(review): ENABLED (drop in the balanced-ips, max-detect-ips and security-ips
# policies). Fires on a request to TCP 50000 whose normalized URI contains, in this order,
# the ConfigServlet path, "param=com.sap.ctc.util.FileSystemConfig" and "EXECUTE_CMD";
# distance:0 makes each content start after the previous match. None of the contents is
# nocase, so the strings must appear in exactly this case after URI normalization.
# The rule carries no CVE reference, only a conference-slides URL, so triage has to start
# from the destination host. The destination port is the literal 50000; other HTTP ports
# of the same product are not covered by the port header.
alert tcp $EXTERNAL_NET any -> $HOME_NET 50000 (msg:"SERVER-WEBAPP SAP ConfigServlet command execution attempt"; flow:to_server,established; content:"/ctc/servlet/ConfigServlet"; http_uri; content:"param=com.sap.ctc.util.FileSystemConfig"; distance:0; http_uri; content:"EXECUTE_CMD"; distance:0; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf; classtype:attempted-admin; sid:26929; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP TWiki search function remote code execution attempt"; flow:to_server,established; content:"POST"; http_method; content:"/twiki/"; fast_pattern:only; http_uri; pcre:"/[?&](search|topic)=[^&]*?(\x27|%27)(\s*|(%20)*)(\x3b|%3b)/Psi"; metadata:service http; reference:bugtraq,11674; reference:cve,2004-1037; classtype:attempted-user; sid:26908; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP TWiki search function remote code execution attempt"; flow:to_server,established; content:"/twiki/"; fast_pattern:only; http_uri; pcre:"/[?&](search|topic)=[^&]*?(\x27|%27)(\s*|(%20)*)(\x3b|%3b)/Usi"; metadata:service http; reference:bugtraq,11674; reference:cve,2004-1037; classtype:attempted-user; sid:26907; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP FosWiki and TWiki MAKETEXT macro memory consumption denial of service attempt"; flow:to_server,established; content:"WIKISID="; http_cookie; content:"MAKETEXT"; fast_pattern:only; http_client_body; content:"%5b%5f"; http_client_body; pcre:"/\%5b\%5f[0-9]{16}/Psm"; metadata:service http; reference:bugtraq,56950; reference:cve,2012-6329; reference:cve,2012-6330; reference:url,foswiki.org/Support/SecurityAlert-CVE-2012-6330; reference:url,twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329; classtype:attempted-dos; sid:26905; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Mutiny editdocument servlet arbitrary file upload attempt"; flow:to_server,established; content:"/interface/editdocument"; fast_pattern:only; http_uri; content:"uploadFile"; nocase; http_client_body; content:"uploadPath"; nocase; http_client_body; pcre:"/uploadPath[^-]+?(%2e|\x2e){2}(%2f|\x2f)/miP"; metadata:policy security-ips drop, service http; reference:cve,2013-0136; classtype:attempted-admin; sid:26798; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Mutiny editdocument servlet arbitrary file access attempt"; flow:to_server,established; content:"/interface/editdocument"; fast_pattern:only; http_uri; content:"operation="; nocase; http_client_body; content:"paths"; nocase; http_client_body; pcre:"/(^|&)paths(%5b|\x5b)(%5d|\x5d)=[^&]*?(%2e|\x2e){2}(%2f|\x2f)/miP"; metadata:policy security-ips drop, service http; reference:cve,2013-0136; classtype:attempted-recon; sid:26797; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center UAM acmServletDownload information disclosure attempt"; flow:to_server,established; content:"/imc/download?"; fast_pattern:only; http_uri; content:"Name="; nocase; http_uri; content:"../"; distance:0; http_uri; pcre:"/[?&](path|file)Name=[^&]*?\x2e\x2e\x2f/iU"; metadata:service http; reference:bugtraq,58385; reference:cve,2012-5211; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; classtype:attempted-recon; sid:26794; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center SyslogDownloadServlet information disclosure attempt"; flow:to_server,established; content:"/imc/tmp/syslog/download?"; fast_pattern:only; http_uri; content:"fileName="; nocase; http_uri; content:"../"; distance:0; http_uri; metadata:service http; reference:bugtraq,58385; reference:cve,2012-5206; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; classtype:attempted-recon; sid:26669; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Windows 2012 Server additional empty Accept-Encoding field denial of service attempt"; flow:to_server,established; content:"Accept-Encoding:"; http_header; content:"Accept-Encoding:|0D 0A|"; distance:0; http_header; metadata:service http; reference:cve,2013-1305; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-039; classtype:attempted-dos; sid:26632; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP htmlspecialchars htmlentities function buffer overflow attempt"; flow:to_server,established; content:"&#0000000000000000000000000000000000000000000001111|3B|"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,51860; reference:url,bugs.php.net/bug.php?id=60965; classtype:attempted-admin; sid:26593; rev:3;)
# NOTE(review): disabled, rate-based rule. A single match is a POST whose URI contains
# "/wp-login.php"; detection_filter suppresses the alert until one source IP has exceeded
# 26 matches within 60 seconds. The counter is keyed on source address (track by_src), so
# clients behind a shared NAT or proxy are counted together, and the threshold says
# nothing about whether any login succeeded. If enabled, tune count/seconds to the site's
# normal login volume and keep application-side lockout or rate limiting as the control.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress brute-force login attempt"; flow:to_server,established,only_stream; content:"POST"; nocase; http_method; content:"|2F|wp|2D|login|2E|php"; fast_pattern:only; http_uri; detection_filter:track by_src, count 26, seconds 60; metadata:service http; reference:url,blog.spiderlabs.com/2013/04/defending-wordpress-logins-from-brute-force-attacks.html; reference:url,blog.sucuri.net/2013/04/mass-wordpress-brute-force-attacks-myth-or-reality.html; classtype:suspicious-login; sid:26557; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center ReportImgServlet information disclosure attempt"; flow:to_server,established; content:"/imc/reportImg?"; fast_pattern:only; http_uri; content:"path="; nocase; http_uri; content:"../"; distance:0; http_uri; metadata:service http; reference:bugtraq,58672; reference:cve,2012-5203; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; classtype:attempted-recon; sid:26523; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center IctDownloadServlet information disclosure attempt"; flow:to_server,established; content:"/imc/tmp/ict/download"; fast_pattern:only; http_uri; content:"fileName="; nocase; http_uri; content:"../"; distance:0; http_uri; metadata:service http; reference:bugtraq,58676; reference:bugtraq,68546; reference:cve,2012-5204; reference:cve,2014-2621; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03689276; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c04369484; classtype:attempted-recon; sid:26505; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP JavaScript tag in User-Agent field possible XSS attempt"; flow:to_server,established; content:"User-Agent|3A| <SCRIPT>"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,blog.spiderlabs.com/2012/11/honeypot-alert-referer-field-xss-attacks.html; classtype:web-application-attack; sid:26483; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center FaultDownloadServlet information disclosure attempt"; flow:to_server,established; content:"/imc/tmp/fault/download"; fast_pattern:only; http_uri; content:"fileName="; nocase; http_uri; content:"../"; distance:0; http_uri; metadata:service http; reference:bugtraq,58675; reference:bugtraq,68544; reference:cve,2012-5202; reference:cve,2014-2620; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03689276; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c04369484; classtype:attempted-recon; sid:26436; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Apache mod_proxy_balancer cross site scripting attempt"; flow:to_server,established; content:"<script"; http_uri; content:"/balancer-manager/"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,58165; reference:cve,2012-4558; classtype:web-application-attack; sid:26431; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Redmine SCM rev parameter command injection attempt"; flow:to_server,established; content:"/repository/annotate?"; fast_pattern:only; http_uri; content:"rev=|60|"; nocase; http_uri; metadata:service http; reference:cve,2011-4929; reference:url,www.redmine.org/news/49; classtype:attempted-admin; sid:26320; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Media Wiki script injection attempt"; flow:to_server,established; content:"action|3D|submit"; fast_pattern:only; http_uri; content:"{{{"; http_client_body; content:"|7C|"; distance:0; http_client_body; content:"}}}"; distance:0; http_client_body; pcre:"/[\x7b]{3}[\w\x7c\s]+\x3c[\w\x7c\s]+\x3d[\w\x7c\s]+\x3e[\x7d]{3}/smi"; metadata:service http; reference:cve,2006-2611; classtype:web-application-attack; sid:26298; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt"; flow:to_server,established; content:"/apply.cgi"; fast_pattern:only; http_uri; content:!"Authorization:"; nocase; http_header; content:"action=Apply"; nocase; http_uri; content:"PasswdModify=1"; nocase; http_uri; content:"http_passwd="; nocase; http_uri; content:"http_passwdConfirm="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,57760; reference:url,www.s3cur1ty.de/m1adv2013-004; classtype:attempted-admin; sid:26279; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt"; flow:to_server,established; content:"/apply.cgi"; fast_pattern:only; http_uri; content:!"Authorization:"; nocase; http_header; content:"action=Apply"; nocase; http_client_body; content:"PasswdModify=1"; nocase; http_client_body; content:"http_passwd="; nocase; http_client_body; content:"http_passwdConfirm="; nocase; http_client_body; metadata:ruleset community, service http; reference:bugtraq,57760; reference:url,www.s3cur1ty.de/m1adv2013-004; classtype:attempted-admin; sid:26278; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi submit_button page redirection attempt"; flow:to_server,established; content:"/apply.cgi"; fast_pattern:only; http_uri; content:"submit_button"; http_raw_uri; content:"%0"; distance:0; http_raw_uri; pcre:"/[?&]submit_button=[^&]+%0[^&]/i"; metadata:ruleset community, service http; classtype:attempted-admin; sid:26277; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi submit_button page redirection attempt"; flow:to_server,established; content:"/apply.cgi"; fast_pattern:only; http_uri; content:"submit_button"; http_client_body; content:"%0"; distance:0; http_client_body; pcre:"/(^|&)submit_button=[^&]+%0[^&]/Pim"; metadata:ruleset community, service http; classtype:attempted-admin; sid:26276; rev:4;)
# NOTE(review): ENABLED (drop in the balanced-ips, max-detect-ips and security-ips
# policies; community ruleset). Despite the DD-WRT name in msg this is a generic
# signature: "/cgi-bin/" must be found within the first 10 bytes of the normalized URI
# and the literal "${IFS}" must occur anywhere in that URI. ${IFS} is the shell's
# field-separator variable and is not expected in a legitimate URI. The rule references
# two CVEs (2009-2765 and 2016-6277), so an alert does not by itself identify the
# affected product; triage by destination host.
# Only destination ports listed in $HTTP_PORTS are inspected, so a device management
# interface on another port needs that port added to the variable.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DD-WRT httpd cgi-bin remote command execution attempt"; flow:to_server,established; content:"/cgi-bin/"; depth:10; nocase; http_uri; content:"${IFS}"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,35742; reference:bugtraq,94819; reference:cve,2009-2765; reference:cve,2016-6277; classtype:attempted-admin; sid:26275; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios3 statuswml.cgi remote command execution attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/cgi-bin/statuswml.cgi"; fast_pattern:only; http_uri; pcre:"/(traceroute|ping)=[^&]*?(%3b|\x3b)/Pi"; metadata:service http; reference:cve,2009-2288; classtype:attempted-admin; sid:26274; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Alcatel-Lucent OmniPCX arbitrary command execution attempt"; flow:to_server,established; content:"/cgi-bin/masterCGI"; fast_pattern:only; http_uri; content:"ping="; nocase; http_uri; content:"user="; nocase; http_uri; pcre:"/[?&]user=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:service http; reference:bugtraq,25694; reference:cve,2007-3010; classtype:attempted-admin; sid:26230; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MobileCartly arbitrary PHP file upload attempt"; flow:to_server,established; content:"/mobilecartly/includes/savepage.php"; fast_pattern:only; http_uri; content:"pagecontent=<?php "; http_uri; metadata:service http; reference:bugtraq,54970; classtype:attempted-admin; sid:26191; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TP-Link http/tftp backdoor initiation attempt"; flow:to_server,established; content:"/userRpmNatDebugRpm26525557"; fast_pattern:only; http_uri; metadata:service http; reference:url,sekurak.pl/tp-link-httptftp-backdoor/; classtype:policy-violation; sid:26179; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint Server directory traversal attempt"; flow:to_server,established; content:"/_layouts/ScriptResx.ashx"; fast_pattern:only; http_uri; content:"name="; nocase; http_uri; pcre:"/[?&]name=(\x5c\x5c|%5c%5c)/iI"; metadata:service http; reference:cve,2013-0084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-024; classtype:attempted-admin; sid:26167; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint Server directory traversal attempt"; flow:to_server,established; content:"/_layouts/ScriptResx.ashx"; fast_pattern:only; http_uri; content:"name="; nocase; http_uri; pcre:"/[?&]name=[^&]*\x2e\x2e\x2f[^&]*\x2e\x2e\x2f[^&]*\x2e\x2e\x2f/iU"; metadata:service http; reference:cve,2013-0084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-024; classtype:attempted-admin; sid:26166; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint Server directory traversal attempt"; flow:to_server,established; content:"/_layouts/ScriptResx.ashx"; fast_pattern:only; http_uri; content:"name=c:"; nocase; http_uri; metadata:service http; reference:cve,2013-0084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-024; classtype:attempted-admin; sid:26165; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Office SharePoint cross site scripting attempt"; flow:to_server,established; content:"/_layouts/filter.aspx"; fast_pattern:only; http_uri; pcre:"/[?&](CallbackParam|CallbackFn)=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|eval|script|onload|src)/Ui"; metadata:service http; reference:cve,2013-0080; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-024; classtype:web-application-attack; sid:26131; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Office SharePoint cross site scripting attempt"; flow:to_server,established; content:"OSSSearchResults.aspx"; fast_pattern:only; http_uri; pcre:"/[?&](k|u|cs)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2013-0083; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-024; classtype:web-application-attack; sid:26124; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHPmyadmin brute force login attempt - User-Agent User-Agent"; flow:to_server,established,only_stream; content:"User-Agent: User-Agent: Mozilla/4.0"; fast_pattern:only; http_header; content:"/phpmyadmin/index.php?lang=en&server=1&pma_username=root"; nocase; http_uri; detection_filter:track by_src, count 30, seconds 4; metadata:impact_flag red, service http; reference:url,attack.mitre.org/techniques/T1110; reference:url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B7D2D39C9ACA93AF73778E53993339/analysis/; classtype:trojan-activity; sid:25907; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI alert cloud cross site scripting attempt"; flow:to_server,established; content:"/includes/components/alertcloud/index.php"; fast_pattern:only; http_uri; pcre:"/[?&](height|width)=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; classtype:web-application-attack; sid:25855; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Moveable Type unauthenticated remote command execution attempt"; flow:to_server,established; content:"POST"; http_method; content:"/mt-upgrade.cgi"; fast_pattern:only; http_uri; content:"mode"; http_client_body; content:"actions"; http_client_body; content:"installing"; http_client_body; metadata:service http; reference:cve,2013-0209; reference:url,movabletype.org/news/2013/01/movable_type_438_patch.html; classtype:attempted-admin; sid:25528; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MoinMoin arbitrary file upload attempt"; flow:to_server,established; content:"action="; http_uri; content:"wikidraw"; within:11; http_uri; content:"target="; http_uri; pcre:"/target=\.\.[\x2f\x5c]\.\.[\x2f\x5c]/Ui"; metadata:service http; reference:bugtraq,57082; reference:cve,2012-6081; classtype:attempted-admin; sid:25286; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SCOM Web Console cross-site scripting attempt"; flow:to_server,established; content:"/InternalPages/ExecuteTask.aspx"; fast_pattern:only; http_uri; content:"__CALLBACKPARAM="; nocase; http_client_body; pcre:"/__CALLBACKPARAM=[^\r\n]+?([\x22\x27]|%22|%27)([\x3E\x3C\x28\x29]|%3E|%3C|%28|%29)/iP"; metadata:service http; reference:cve,2013-0010; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-003; classtype:attempted-user; sid:25273; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft System Center Operations Manger cross site scripting attempt"; flow:to_server,established; content:"default.aspx"; fast_pattern:only; http_uri; pcre:"/[?&][^=&]+'[^=&]*?=/U"; metadata:service http; reference:cve,2013-0009; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-003; classtype:attempted-user; sid:25272; rev:4;)
# NOTE(review): disabled certificate-sighting rules for Microsoft advisory 2798897. All
# three inspect server-to-client traffic from source port 443 and use
# ssl_state:server_hello, which depends on the SSL/TLS preprocessor being enabled.
# sids 25265 and 25264 pair two timestamp strings separated by |17 0D| (the ASN.1
# UTCTime tag and length; presumably the certificate's notBefore/notAfter) with a
# name string. sid 25263 pairs a 16-byte value (likely a serial number; confirm) with
# both "*.google.com" and "*.EGO.GOV.TR", so both names must be present in the payload.
# These rules can only match where the certificate crosses the wire in the clear; TLS 1.3
# encrypts the Certificate message. metadata says "service http" although the traffic is
# TLS; check how service mapping is applied in this deployment before enabling.
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-WEBAPP revoked subsidiary CA certificate for ego.gov.tr detected"; flow:to_client,established; ssl_state:server_hello; content:"110808070751Z|17 0D|210706070751Z"; fast_pattern:only; content:"*.EGO.GOV.TR"; nocase; metadata:service http; reference:url,technet.microsoft.com/security/advisory/2798897; classtype:misc-attack; sid:25265; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-WEBAPP revoked subsidiary CA certificate for e-islem.kktcmerkezbankasi.org detected"; flow:to_client,established; ssl_state:server_hello; content:"110808070751Z|17 0D|210805070751Z"; fast_pattern:only; content:"e-islem.kktcmerkezbankasi.org"; nocase; metadata:service http; reference:url,technet.microsoft.com/security/advisory/2798897; classtype:misc-attack; sid:25264; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-WEBAPP fraudulent digital certificate for google.com detected"; flow:to_client,established; ssl_state:server_hello; content:"|0A 88 90 40 CE 12 6E 65 57 AE C2 42 7B 4A C1 FB|"; fast_pattern:only; content:"*.google.com"; nocase; content:"*.EGO.GOV.TR"; nocase; metadata:service http; reference:url,technet.microsoft.com/security/advisory/2798897; classtype:misc-attack; sid:25263; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenX server file upload PHP code execution attempt"; flow:to_server,established; content:"/www/admin/banner-edit.php"; fast_pattern:only; http_uri; content:"campaignid"; nocase; http_client_body; content:"clientid"; nocase; http_client_body; content:"<?"; http_client_body; metadata:service http; reference:bugtraq,37110; reference:cve,2009-4098; classtype:attempted-admin; sid:25238; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WikkaWikki php code injection attempt"; flow:to_server,established; content:"/addcomment"; http_uri; content:"User-Agent|3A 20 3C 3F|php"; fast_pattern:only; http_header; metadata:service http; reference:bugtraq,50866; reference:cve,2011-4451; classtype:web-application-attack; sid:25236; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP W3 Total Cache for Wordpress access - likely information disclosure"; flow:to_server,established; content:"/wp-content/w3tc/"; fast_pattern:only; http_uri; metadata:service http; reference:url,seclists.org/fulldisclosure/2012/Dec/242; classtype:successful-recon-limited; sid:25120; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [41080,41443] (msg:"SERVER-WEBAPP Symantec Messaging Gateway directory traversal attempt"; flow:to_server,established; content:"brightmail/admin/restore/download.do?"; fast_pattern:only; http_uri; content:"APPLIANCE&localBackupFileSelection="; http_uri; content:"../"; http_raw_uri; metadata:service http; reference:cve,2012-4347; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120827_00; classtype:attempted-admin; sid:25105; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [41080,41443] (msg:"SERVER-WEBAPP Symantec Messaging Gateway directory traversal attempt"; flow:to_server,established; content:"brightmail/export"; fast_pattern:only; http_uri; content:"../"; http_raw_uri; metadata:service http; reference:cve,2012-4347; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120827_00; classtype:attempted-admin; sid:25104; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP htmlspecialchars htmlentities function buffer overflow attempt"; flow:to_server,established; content:".php"; fast_pattern:only; http_uri; pcre:"/(&#|%26%23)x?[0-9a-f]{40}/Pi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,51860; reference:url,bugs.php.net/bug.php?id=60965; classtype:attempted-admin; sid:25064; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP httpdx tolog function format string code execution attempt"; flow:to_server,established; content:"%25hn"; fast_pattern:only; http_uri; pcre:"/(%(\d+\x24)?(\d+)?[nxcsd]){3}/Ui"; metadata:service http; reference:cve,2009-4769; classtype:attempted-admin; sid:25017; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PmWiki pagelist injection attempt"; flow:to_server,established; content:"pmwiki.php"; fast_pattern:only; http_uri; content:"action=edit"; http_client_body; content:"text="; http_client_body; content:"pagelist"; within:20; http_client_body; metadata:service http; reference:bugtraq,50776; reference:cve,2011-4453; classtype:web-application-attack; sid:25008; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView NNM ovutil.dll getProxiedStorageAddress buffer overflow attempt"; flow:to_server,established; content:"/OvCgi/"; depth:7; http_uri; content:".exe"; nocase; http_uri; content:"arg="; nocase; http_uri; pcre:"/[?&]arg=(?![^&]*?-)[^&]{190}/iU"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40638; reference:cve,2010-1961; classtype:attempted-user; sid:24913; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell GroupWise WebAccess directory traversal attempt - GET request"; flow:to_server,established; content:"/gw/webacc"; fast_pattern:only; http_uri; content:"User.interface"; nocase; http_uri; pcre:"/[\x3f&]User\x2einterface=(\x2E\x2E[\x5C\x2F]){3}[^&]+?(&|$)/iU"; metadata:service http; reference:bugtraq,54253; reference:cve,2012-0410; reference:url,www.novell.com/support/kb/doc.php?id=7000708; classtype:attempted-recon; sid:24807; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell GroupWise WebAccess directory traversal attempt - POST request"; flow:to_server,established; content:"/gw/webacc"; fast_pattern:only; http_uri; content:"User.interface"; nocase; http_client_body; pcre:"/(^|&)User\x2einterface=(\x2E\x2E[\x5C\x2F]|%2E%2E(%5C|%2F)){3}[^&]+?(&|$)/iP"; metadata:service http; reference:bugtraq,54253; reference:cve,2012-0410; reference:url,www.novell.com/support/kb/doc.php?id=7000708; classtype:attempted-recon; sid:24806; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Invision IP Board PHP unserialize code execution attempt"; flow:to_server,established; content:"<?"; fast_pattern:only; http_uri; content:"member_id="; nocase; http_cookie; pcre:"/member_id=[^\x3b]*?O(\x3a|%3a)/Ci"; metadata:service http; reference:bugtraq,56288; reference:cve,2012-5692; reference:url,community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-critical-security-update; classtype:attempted-admin; sid:24804; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3037 (msg:"SERVER-WEBAPP Novell File Reporter FSFUI request directory traversal attempt"; flow:to_server,established; content:"<NAME>FSFUI</NAME>"; fast_pattern:only; http_client_body; pcre:"/<FILE>(\x2e\x2e\x5c|%2E%2E%5C){2}/iP"; metadata:policy security-ips drop, service http; reference:bugtraq,56579; reference:cve,2012-4958; reference:cve,2012-4959; classtype:attempted-admin; sid:24767; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3037 (msg:"SERVER-WEBAPP Novell File Reporter SRS request arbitrary file download attempt"; flow:to_server,established; content:"<NAME>SRS</NAME>"; nocase; http_client_body; content:"<OPERATION>4</OPERATION>"; nocase; http_client_body; content:"<CMD>103</CMD>"; fast_pattern:only; http_client_body; content:"<PATH>c:|5C|"; nocase; http_client_body; metadata:service http; reference:bugtraq,56579; reference:cve,2012-4957; classtype:attempted-admin; sid:24766; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3037 (msg:"SERVER-WEBAPP Novell File Reporter SRS request heap overflow attempt"; flow:to_server,established; content:"<NAME>SRS</NAME>"; fast_pattern:only; http_client_body; content:"<CMD>7</CMD>"; nocase; http_client_body; isdataat:10000,relative; content:"<VOL>"; nocase; http_client_body; content:"<VOL>"; distance:0; nocase; http_client_body; content:"<VOL>"; distance:0; nocase; http_client_body; metadata:policy security-ips drop, service http; reference:bugtraq,56579; reference:cve,2012-4956; classtype:attempted-admin; sid:24765; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Business Transaction Management flashtunnelservice arbitrary file deletion attempt"; flow:to_server,established; content:"/btmui/soa/flash_svc/"; fast_pattern:only; http_uri; content:"deleteFile"; nocase; http_client_body; content:"handle"; within:64; nocase; http_client_body; pcre:"/handle\s*=\s*[\x22\x27][^\x22\x27]*?\x2e{2}/iP"; metadata:service http; reference:bugtraq,54870; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; classtype:attempted-user; sid:24740; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; content:"/xhp"; fast_pattern:only; http_uri; pcre:"/[?&]key=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24737; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; content:"/web/grizzly/transports.jsf"; fast_pattern:only; http_uri; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24736; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; content:"/web/grizzly/protocols.jsf"; fast_pattern:only; http_uri; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24735; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; content:"/jms/jmsHosts.jsf"; fast_pattern:only; http_uri; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24734; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; content:"/common/security/msgSecurity/msgSecurity.jsf"; fast_pattern:only; http_uri; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24733; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; content:"/common/security/jacc/jaccProviders.jsf"; fast_pattern:only; http_uri; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24732; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; content:"/common/security/auditModules/auditModules.jsf"; fast_pattern:only; http_uri; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24731; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; content:"/web/grizzly/networkListeners.jsf"; fast_pattern:only; http_uri; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24730; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; content:"/common/security/realms/realms.jsf"; fast_pattern:only; http_uri; pcre:"/[?&]configName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24729; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish cross site scripting attempt"; flow:to_server,established; content:"/common/applications/lifecycleEdit.jsf"; fast_pattern:only; http_uri; pcre:"/[?&]appName=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,53136; reference:cve,2012-0551; classtype:web-application-attack; sid:24728; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP Netop Remote Control dws file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.dws; file_data; pcre:"/[^\x0d\x0a]{520}/smi"; metadata:service smtp; reference:bugtraq,47631; classtype:attempted-user; sid:24707; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link Wireless Router CAPTCHA data processing buffer overflow attempt"; flow:to_server,established; content:"/goform/formLogin"; fast_pattern:only; http_uri; content:"FILECODE="; nocase; http_client_body; isdataat:91,relative; pcre:"/FILECODE=[^&]{91}/iP"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,56330; classtype:attempted-admin; sid:24647; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP RedHat JBoss Enterprise Application Platform JMX code execution attempt"; flow:to_server,established; content:"/jmx-console/HtmlAdaptor"; fast_pattern:only; http_uri; pcre:"/[&?]arg\d+\s*=\s*[^\x26]*?(import|http)/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,39710; reference:cve,2010-0738; reference:cve,2014-7883; classtype:attempted-admin; sid:24642; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Fusion Middleware WebCenter selectedLocale parameter sql injection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/cs/ContentServer"; fast_pattern:only; http_uri; content:"selectedLocale="; nocase; http_client_body; pcre:"/(^|&)selectedLocale=[^&]+?([\x22\x27]|%22|%27)/iP"; metadata:service http; reference:bugtraq,55984; reference:cve,2012-3186; reference:url,attack.mitre.org/techniques/T1190; reference:url,www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html; classtype:web-application-attack; sid:24629; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [10000] (msg:"SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt"; flow:to_server,established; content:"/file/show.cgi/"; http_uri; content:"|7C|"; distance:0; http_uri; content:"sid="; http_cookie; metadata:service http; reference:bugtraq,55446; reference:cve,2012-2982; reference:url,www.kb.cert.org/vuls/id/788478; classtype:web-application-attack; sid:24628; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress XSS fs-admin.php injection attempt"; flow:to_server,established; content:"page=forum-server/fs-admin/fs-admin.php"; fast_pattern:only; http_uri; pcre:"/[?&](groupid|usergroup_id)=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; classtype:web-application-attack; sid:24561; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8774 (msg:"SERVER-WEBAPP OpenStack Compute directory traversal attempt"; flow:to_server,established; content:"<file"; content:"path="; within:25; content:"../"; within:5; metadata:service http; reference:cve,2012-3360; reference:cve,2012-3361; classtype:attempted-admin; sid:24521; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Web Gateway PHP remote code execution attempt"; flow:to_server,established; content:"/spywall/images/upload/"; fast_pattern:only; http_uri; content:".php"; nocase; http_uri; metadata:policy security-ips drop, service http; reference:bugtraq,53443; reference:cve,2012-0299; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00; classtype:attempted-admin; sid:24519; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Web Gateway PHP remote code injection attempt"; flow:to_server,established; content:"/spywall/blocked_file.php"; fast_pattern:only; http_uri; content:"<?"; http_client_body; metadata:policy security-ips drop, service http; reference:bugtraq,53443; reference:cve,2012-0299; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00; classtype:attempted-admin; sid:24518; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP F5 Networks FirePass my.activation.php3 state parameter sql injection attempt"; flow:to_server,established; content:"/my.activation.php3"; fast_pattern:only; http_uri; content:"state="; nocase; http_uri; pcre:"/[?&]state=[^&]*?[\x22\x27]/Ui"; metadata:service http; reference:cve,2012-1777; reference:url,attack.mitre.org/techniques/T1190; reference:url,support.f5.com/kb/en-us/solutions/public/13000/400/sol13463.html; classtype:attempted-admin; sid:24517; rev:4;)
# NOTE(review), sid 24502 (disabled): the alternation in the pcre sits at the
# top level, so the expression reads as "(^|&)f[]=...<function name>" OR
# "any 50 consecutive non-'&' characters anywhere in the normalized URI".
# The length branch is therefore not tied to the f[] parameter and can fire on
# any long request to this script that also carries "f[]=". The first branch
# requires f[]= at the start of the URI buffer or after '&', so it appears to
# miss f[] when it is the first query parameter (preceded by '?').
# Review the grouping, e.g. f\[\]=( ... | [^&]{50} ) with [?&] as the prefix,
# in a locally maintained copy before enabling this rule.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TikiWiki tiki-graph_formula.php remote php code execution attempt"; flow:to_server,established; content:"/tikiwiki/tiki-graph_formula.php"; fast_pattern:only; http_uri; content:"f[]="; nocase; http_uri; pcre:"/(^|&)f\[\]=([^&]+(eval|exec|system|passthru|info))|([^&]{50})/iU"; metadata:service http; reference:bugtraq,26006; reference:cve,2007-5423; classtype:attempted-admin; sid:24502; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP SiteScope UploadFilesHandler directory traversal attempt"; flow:to_server,established; content:"REMOTE_HANDLER_KEY=UploadFilesHandler"; fast_pattern:only; http_uri; content:"UploadFilesHandler.file.name="; http_uri; content:".."; within:3; http_uri; metadata:service http; reference:bugtraq,55273; reference:cve,2012-3264; classtype:web-application-activity; sid:24448; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP SiteScope DownloadFilesHandler directory traversal attempt"; flow:to_server,established; content:"REMOTE_HANDLER_KEY=DownloadFilesHandler"; fast_pattern:only; http_uri; content:"DownloadFilesHandler.file.name="; http_uri; content:".."; within:3; http_uri; metadata:service http; reference:bugtraq,55273; reference:cve,2012-3264; classtype:web-application-activity; sid:24447; rev:3;)
# --- Enabled rules: JBoss management endpoints (sid 24343, sid 24342) ---
# Both rules alert on client-to-server HTTP requests from $EXTERNAL_NET to
# $HTTP_SERVERS on $HTTP_PORTS whose URI contains the path shown in the rule.
# They match on the path alone, so every external request to these endpoints
# raises an alert, including legitimate remote administration.
# An alert shows that a request was sent (flow:to_server), not that the
# endpoint answered; confirm exposure from the server response or its logs.
# Coverage depends on $HTTP_SERVERS and $HTTP_PORTS in snort.conf listing the
# hosts and ports where JBoss actually listens, and on the sensor seeing the
# traffic as cleartext HTTP (http_uri needs the HTTP inspector).
# NOTE(review): the "policy ... drop" metadata is presumably consumed by
# rule-management tooling to choose the action per policy; as written in this
# file the action is alert. Confirm against how this image loads its rules.
#
# sid 24343: URI contains "/invoker/JMXInvokerServlet"; classtype attempted-admin.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP JBoss JMXInvokerServlet access attempt"; flow:to_server,established; content:"/invoker/JMXInvokerServlet"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-1036; reference:cve,2013-2185; reference:url,docs.jboss.org/jbossas/6/Admin_Console_Guide/en-US/pdf/Admin_Console_Guide.pdf; classtype:attempted-admin; sid:24343; rev:4;)
# sid 24342: URI contains "/web-console/"; classtype attempted-recon. Unlike
# sid 24343 it carries no max-detect-ips policy entry in its metadata.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP JBoss web console access attempt"; flow:to_server,established; content:"/web-console/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2007-1036; reference:cve,2013-2185; reference:url,docs.jboss.org/jbossas/6/Admin_Console_Guide/en-US/pdf/Admin_Console_Guide.pdf; classtype:attempted-recon; sid:24342; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 383 (msg:"SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_coda; content:"|00 00 00 78|"; depth:12; offset:12; http_client_body; byte_test:2,>,1024,12,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54362; reference:cve,2012-2019; reference:cve,2012-2020; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03397769; classtype:attempted-admin; sid:24314; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Fortinet FortiOS appliedTags field cross site scripting attempt"; flow:to_server,established; content:"/firewall/policy"; fast_pattern:only; http_uri; content:"&tagList="; http_client_body; pcre:"/[?&]tagList=[^&]+?([\x3E\x3C\x28\x29]|%3E|%3C|%28|%29)([\x22\x27]|%22|%27)/Pi"; metadata:service http; reference:bugtraq,51708; classtype:web-application-attack; sid:24289; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Microsoft Office SharePoint name field cross site scripting attempt"; flow:to_client,established; file_data; content:"href=|22|/_layouts/userdisp.aspx?ID=6|22|><img width=|22|62|22| height=|22|62|22| border=|22|0|22| src=|22|/_layouts/images/person.gif|22|"; nocase; pcre:"/^\s+?alt=\x22[^\x22]+?\x22[^>]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/iR"; metadata:policy max-detect-ips drop, service http; reference:cve,2012-1861; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-050; classtype:attempted-user; sid:24198; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP socket_connect buffer overflow attempt"; flow:to_client,established; file_data; content:"$padd = str_repeat(|22|A|22|, 196)"; content:"$evil = $padd.$payload"; distance:0; fast_pattern; content:"socket_create(AF_UNIX, SOCK_STREAM, 1)"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,49241; reference:cve,2011-1938; classtype:attempted-user; sid:24194; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP socket_connect buffer overflow attempt"; flow:to_server,established; file_data; content:"str_repeat(|22 5C|x90|22|, EVIL_SPACE_SIZE)"; content:"for ($i = 0, $j = EVIL_SPACE_SIZE - strlen($SHELLCODE) - 1"; distance:0; content:"socket_create(AF_UNIX, SOCK_STREAM, 1)"; metadata:service smtp; reference:bugtraq,49241; reference:cve,2011-1938; classtype:attempted-user; sid:24193; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP socket_connect buffer overflow attempt"; flow:to_client,established; file_data; content:"str_repeat(|22 5C|x90|22|, EVIL_SPACE_SIZE)"; content:"for ($i = 0, $j = EVIL_SPACE_SIZE - strlen($SHELLCODE) - 1"; distance:0; content:"socket_create(AF_UNIX, SOCK_STREAM, 1)"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,49241; reference:cve,2011-1938; classtype:attempted-user; sid:24192; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView Network Node Manager nnmRptConfig.exe multiple parameters buffer overflow attempt"; flow:to_server,established; content:"nnmRptConfig.exe"; fast_pattern:only; http_uri; pcre:"/(data_select1|nameParams|schdParams|text1|schd_select1)=[^\x26]{512}/iU"; metadata:service http; reference:bugtraq,45762; reference:cve,2011-0265; reference:cve,2011-0266; reference:cve,2011-0267; reference:cve,2011-0268; reference:cve,2011-0269; classtype:attempted-user; sid:24147; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP inTouch SQL injection in index.php user attempt"; flow:to_server,established; content:"index.php"; fast_pattern:only; http_uri; content:"user"; nocase; http_header; pcre:"/user=[^\r\n\x26]*?([\x22\x27]|%2[27])/Hi"; metadata:service http; reference:bugtraq,16110; reference:cve,2006-0088; classtype:web-application-attack; sid:24112; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP RFC1867 file-upload implementation denial of service attempt"; flow:to_server,established; content:"POST"; http_method; content:"|0A|Content-Disposition|3A|"; fast_pattern:only; http_client_body; pcre:"/\nContent-Disposition\x3a[^\n]*?name\s*=\s*(?P<quote>[\x22\x27]).*?\[(?P=quote)\x3b/Pims"; metadata:service http; reference:cve,2012-1172; classtype:attempted-dos; sid:24093; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP 5.3.3 mt_rand integer overflow attempt"; flow:to_server,established; content:"mt_getrandmax("; fast_pattern:only; http_client_body; content:"<?"; pcre:"/(define\(\s*(?P<q1>[\x22\x27])\s*(?P<m1>\w+)(?P=q1)\s*,\s*mt_getrandmax\(\)\s*\+\d+\s*\)\x3b.*?mt_rand\(\s*0\s*,\s*(?P=m1)\s*\)|(?P<m2>\$\w+)\s*=\s*mt_getrandmax\(\)\s*\+\s*\d+\s*\x3b.*?mt_rand\(\s*0\s*,\s*(?P=m2)\s*\)|mt_rand\(\s*0\s*,\s*mt_getrandmax\(\)\s*\+\s*\d+\s*\)\x3b)/smi"; metadata:service http; reference:cve,2011-0755; classtype:misc-activity; sid:24061; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP PHP 5.3.3 mt_rand integer overflow attempt"; flow:to_client,established; file_data; content:"mt_getrandmax("; fast_pattern:only; content:"<?"; pcre:"/(define\(\s*(?P<q1>[\x22\x27])\s*(?P<m1>\w+)(?P=q1)\s*,\s*mt_getrandmax\(\)\s*\+\d+\s*\)\x3b.*?mt_rand\(\s*0\s*,\s*(?P=m1)\s*\)|(?P<m2>\$\w+)\s*=\s*mt_getrandmax\(\)\s*\+\s*\d+\s*\x3b.*?mt_rand\(\s*0\s*,\s*(?P=m2)\s*\)|mt_rand\(\s*0\s*,\s*mt_getrandmax\(\)\s*\+\s*\d+\s*\)\x3b)/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-0755; classtype:misc-activity; sid:24060; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP 5.3.3 mt_rand integer overflow attempt"; flow:to_server,established; file_data; content:"mt_getrandmax("; fast_pattern:only; content:"<?"; pcre:"/(define\(\s*(?P<q1>[\x22\x27])\s*(?P<m1>\w+)(?P=q1)\s*,\s*mt_getrandmax\(\)\s*\+\d+\s*\)\x3b.*?mt_rand\(\s*0\s*,\s*(?P=m1)\s*\)|(?P<m2>\$\w+)\s*=\s*mt_getrandmax\(\)\s*\+\s*\d+\s*\x3b.*?mt_rand\(\s*0\s*,\s*(?P=m2)\s*\)|mt_rand\(\s*0\s*,\s*mt_getrandmax\(\)\s*\+\s*\d+\s*\)\x3b)/smi"; metadata:service smtp; reference:cve,2011-0755; classtype:misc-activity; sid:24059; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP libtidy null pointer dereference attempt"; flow:to_server,established; content:"<?"; content:"Tidy"; distance:0; content:"diagnose"; fast_pattern:only; pcre:"/(?P<var>\x24\w+)\s*=\s*(new Tidy|Tidy->new)\x28\s*[\x22\x27]\x2a[\x22\x27]\s*\x29.{1,256}(?P=var)->diagnose/ims"; metadata:service http; reference:cve,2011-4153; classtype:attempted-dos; sid:23995; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP zend_strndup null pointer dereference attempt"; flow:to_server,established; content:"define|28|"; nocase; content:"str_repeat|28|"; fast_pattern:only; pcre:"/<\?(php)?.{1,256}define\s*\x28\s*str_repeat\s*\x28\s*[\x22\x27][^\x22\x27]+[\x22\x27]\s*\x2c\s*\x24argv/ims"; metadata:service http; reference:cve,2011-4153; classtype:attempted-dos; sid:23994; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP ocPortal cms cross site request forgery attempt"; flow:to_client,established; file_data; content:"ocPortal/adminzone/index.php?page=admin_ocf_join&type=step2|22|"; fast_pattern:8,20; nocase; pcre:"/<form[^>]*?action\s*=\s*[\x22\x27][^\x22\x27]+ocPortal\/adminzone\/index\.php\?page=admin_ocf_join&type=step2[\x22\x27][^>]*?>/ims"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,yehg.net/lab/pr0js/advisories/%5Bocportal_8x%5D_csrf; classtype:attempted-admin; sid:23988; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP LongTail Video JW Player XSS attempt link param"; flow:to_server,established; content:"/player.swf?"; fast_pattern; http_uri; content:"link="; distance:0; http_uri; content:"javascript:"; distance:0; http_uri; metadata:service http; reference:bugtraq,54101; reference:cve,2012-3351; classtype:web-application-attack; sid:23984; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP calendar conversion remote integer overflow attempt"; flow:to_client,established; file_data; content:"cal_from_jd"; fast_pattern:only; pcre:"/cal_from_jd\x28\s*\d{9,}/mi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,46967; reference:cve,2011-1466; classtype:attempted-user; sid:23975; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP calendar conversion remote integer overflow attempt"; flow:to_client,established; file_data; content:"cal_from_jd"; fast_pattern:only; pcre:"/\x24(?P<var>\w*)\s*=\s*(rand\x28\d\x2c\s*\d{9,}|\d{9,}).*?cal_from_jd\x28\s*\x24(?P=var)/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,46967; reference:cve,2011-1466; classtype:attempted-user; sid:23974; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP empty zip file upload attempt"; flow:to_server,established; content:"|50 4B 05 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:service http; reference:bugtraq,46354; reference:cve,2011-0421; classtype:denial-of-service; sid:23944; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Invalid global flag attachment attempt"; flow:to_client,established; file_data; content:"<?php"; content:"ZipArchive"; content:"addGlob"; distance:0; pcre:"/\x24(?P<var1>\w*)\s*\x3d\s*new\s*ZipArchive\x28\x29.*?\x24(?P=var1)\x2d\x3eaddGlob\x28[\x22\x27]?(?!GLOB_BRACE|GLOB_MARK|GLOB_NOSORT|GLOB_NOCHECK|GLOB_NOESCAPE|GLOB_ERR|GLOB_ONLYDIR)/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,49252; reference:cve,2011-1471; classtype:denial-of-service; sid:23937; rev:4;)
# NOTE(review), sid 23896 / 23895 / 23894 (disabled): in all three pcre
# options the fragment [^(?P=q1)] is a character class, so PCRE treats
# ( ? P = q 1 ) as literal characters to exclude; it is not a back-reference
# to the opening quote. The class therefore does not stop at the closing
# quote and instead rejects strings containing those characters, which can
# cause missed detections. The second alternative also names q1 although its
# own quote group is q2. If these rules are to be enabled, review the class
# (an explicit negated quote class such as [^\x22\x27] is one option) in a
# locally maintained copy and test it against known-good and known-bad samples.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP truncated crypt function attempt"; flow:to_server,established; content:"crypt("; fast_pattern:only; http_client_body; content:"<?"; http_client_body; pcre:"/((?P<m1>\$\w+)\s*=\s*(?P<q1>[\x22\x27])\s*[^(?P=q1)]+(\\x80|\x80).*?crypt\(\s*(?P=m1)|crypt\(\s*(?P<q2>[\x22\x27])\s*[^(?P=q1)]+(\\x80|\x80))/Psmi"; metadata:service http; reference:cve,2012-2143; classtype:attempted-admin; sid:23896; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP PHP truncated crypt function attempt"; flow:to_client,established; file_data; content:"crypt("; fast_pattern:only; content:"<?"; pcre:"/((?P<m1>\$\w+)\s*=\s*(?P<q1>[\x22\x27])\s*[^(?P=q1)]+(\\x80|\x80).*?crypt\(\s*(?P=m1)|crypt\(\s*(?P<q2>[\x22\x27])\s*[^(?P=q1)]+(\\x80|\x80))/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2012-2143; classtype:attempted-admin; sid:23895; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP truncated crypt function attempt"; flow:to_server,established; file_data; content:"crypt("; fast_pattern:only; content:"<?"; pcre:"/((?P<m1>\$\w+)\s*=\s*(?P<q1>[\x22\x27])\s*[^(?P=q1)]+(\\x80|\x80).*?crypt\(\s*(?P=m1)|crypt\(\s*(?P<q2>[\x22\x27])\s*[^(?P=q1)]+(\\x80|\x80))/smi"; metadata:service smtp; reference:cve,2012-2143; classtype:attempted-admin; sid:23894; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Remote File Include upload attempt"; flow:to_server,established; content:"POST"; http_method; content:"/admin/addcontent.inc.php"; fast_pattern:only; http_uri; metadata:service http; reference:url,stopmalvertising.com/security/95.211.20.103-local-file-inclusion-attack.html; reference:url,www.mmleoni.net/sql-iniection-lfi-protection-plugin-for-joomla; classtype:attempted-user; sid:23828; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Remote File Include upload attempt"; flow:to_server,established; content:"POST"; http_method; content:"/images/psg.php"; http_uri; metadata:service http; reference:url,stopmalvertising.com/security/95.211.20.103-local-file-inclusion-attack.html; reference:url,www.mmleoni.net/sql-iniection-lfi-protection-plugin-for-joomla; classtype:attempted-user; sid:23827; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP exif invalid tag data buffer overflow attempt"; flow:to_server,established; content:"Exif|00 00|II|2A 00|"; depth:16; offset:6; http_client_body; content:"|05 02 05 00|"; within:1024; http_client_body; byte_test:4,>,268435457,0,relative,little; metadata:service http; reference:bugtraq,46365; reference:cve,2011-0708; classtype:denial-of-service; sid:23796; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP use-after-free in substr_replace attempt"; flow:to_server,established; file_data; content:"substr_replace("; fast_pattern:only; content:"<?"; pcre:"/substr_replace\((\s*\$\w+\s*,\s*){3,}.*?\)\x3b/smi"; metadata:service smtp; reference:cve,2011-1148; classtype:misc-activity; sid:23793; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP use-after-free in substr_replace attempt"; flow:to_server,established; content:"substr_replace("; fast_pattern:only; http_client_body; content:"<?"; http_client_body; pcre:"/substr_replace\((\s*\$\w+\s*,\s*){3,}.*?\)\x3b/Psmi"; metadata:service http; reference:cve,2011-1148; classtype:misc-activity; sid:23792; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP PHP use-after-free in substr_replace attempt"; flow:to_client,established; file_data; content:"substr_replace("; fast_pattern:only; content:"<?"; pcre:"/substr_replace\((\s*\$\w+\s*,\s*){3,}.*?\)\x3b/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2011-1148; classtype:misc-activity; sid:23791; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Arbitrary file location upload attempt"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type: multipart/form-data"; http_header; content:"filename="; fast_pattern:only; http_client_body; pcre:"/filename=(\x22|\x27)\.\.\x2f/smi"; metadata:service http; reference:bugtraq,11190; reference:cve,2004-0959; classtype:web-application-activity; sid:23613; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress Invit0r plugin php upload attempt"; flow:to_server,established; content:"/wp-content/plugins/invit0r/lib/php-ofc-library/ofc_upload_image.php"; fast_pattern:only; http_uri; content:"name="; http_uri; content:"<?php "; nocase; http_client_body; metadata:service http; reference:bugtraq,53995; reference:url,www.opensyscom.fr/Actualites/wordpress-plugins-invit0r-arbitrary-file-upload-vulnerability.html; classtype:web-application-attack; sid:23485; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Lotus Domino webadmin.nsf directory traversal attempt"; flow:to_server,established; content:"/webadmin.nsf"; fast_pattern:only; http_uri; pcre:"/\.\.[\x5C\x2F]/Pmi"; metadata:service http; reference:bugtraq,9900; reference:cve,2004-2311; reference:cve,2004-2369; classtype:web-application-attack; sid:23480; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IBM System Storage DS storage manager profiler XSS attempt"; flow:to_server,established; content:"/SoftwareRegistration.do"; fast_pattern:only; http_uri; pcre:"/SoftwareRegistration\.do.*?updateRegn=[^\x26\r\n]+(script|onclick|onload|onmouseover|html|[\x22\x27\x3c\x3e\x28\x29])/Ui"; metadata:service http; reference:bugtraq,54112; reference:cve,2012-2172; reference:url,www.exploit-db.com/exploits/19321/; classtype:web-application-attack; sid:23466; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Lotus Domino cross site scripting attempt"; flow:to_server,established; content:"/CitiPayPro.nsf"; fast_pattern:only; http_uri; pcre:"/[?&]Src=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:bugtraq,14845; reference:cve,2005-3015; classtype:web-application-attack; sid:23434; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Lotus Domino cross site scripting attempt"; flow:to_server,established; content:"/CitiPayPro.nsf"; fast_pattern:only; http_uri; pcre:"/[?&]BaseTarget=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:bugtraq,14845; reference:cve,2005-3015; classtype:web-application-attack; sid:23433; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Apple iChat url format string exploit attempt"; flow:to_client,established; file_data; content:"href="; content:"aim:GoChat"; fast_pattern:only; pcre:"/aim\x3AGoChat[^\n]*?\x25(\d+\x24)?(\d+)?[nxXcsd]/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,22146; reference:cve,2007-0021; classtype:attempted-user; sid:23407; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-Nuke index.php SQL injection attempt"; flow:to_server,established; content:"insert"; fast_pattern:only; http_header; content:"index.php"; nocase; http_uri; pcre:"/Referer\x3a[^\r\n]*?[\x27\x22][\x29\x3b][^\r\n]*?INSERT/Hi"; metadata:service http; reference:bugtraq,22638; reference:cve,2007-1061; classtype:web-application-attack; sid:23406; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-Nuke index.php SQL injection attempt"; flow:to_server,established; content:"select"; fast_pattern:only; http_header; content:"index.php"; nocase; http_uri; pcre:"/Referer\x3a[^\r\n]*?[\x27\x22][\x29\x3b][^\r\n]*?SELECT/Hi"; metadata:service http; reference:bugtraq,22638; reference:cve,2007-1061; classtype:web-application-attack; sid:23405; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Adobe JRun directory traversal attempt"; flow:to_server,established; content:"/logviewer.jsp"; fast_pattern; http_uri; content:"logfile="; nocase; http_uri; content:"../../../../"; http_uri; metadata:service http; reference:cve,2009-1873; reference:cve,2009-1874; reference:url,adobe.com/support/security/bulletins/apsb09-12.html; classtype:attempted-recon; sid:23403; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-WEBAPP CVS remote file information disclosure attempt"; flow:to_server,established; content:"Argument -X"; content:"history"; distance:0; reference:bugtraq,10955; reference:cve,2004-0788; classtype:attempted-recon; sid:23402; rev:5;)
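# NOTE(review): the pcre alternation below lists "onlick", which looks like a typo for "onclick" (the scriptresx.ashx rule, sid 23281, spells it "onclick"). Confirm against the upstream ruleset before enabling; if a corrected copy is needed, carry it as a local rule with its own sid rather than editing this one in place.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Office SharePoint query.iqy XSS attempt"; flow:to_server,established; content:"/owssvr.dll?"; nocase; http_uri; content:"query.iqy"; distance:0; fast_pattern; nocase; http_uri; pcre:"/[?&]Using=_layouts\/query.iqy.*?&List=[^&]+(script|src|location|document|onlick|onload)/Ui"; metadata:policy max-detect-ips drop, service http; reference:cve,2012-1863; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-050; classtype:attempted-user; sid:23282; rev:7;)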
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Office SharePoint scriptresx.ashx XSS attempt"; flow:to_server,established; content:"_layouts/scriptresx.ashx"; fast_pattern:only; http_uri; pcre:"/sections=[^\r\n\x26]+(script|onclick|onload|onmouseover|html|[\x22\x27\x3c\x3e\x28\x29])/Ui"; metadata:service http; reference:cve,2012-1859; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-050; classtype:web-application-attack; sid:23281; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Office SharePoint name field cross site scripting attempt"; flow:to_server,established; content:"/_layouts/useredit.aspx"; http_uri; content:"name=|22|ctl00|24|PlaceHolderMain|24|UserListForm|24|ctl00|24|ctl02|24|ctl00|24|ctl00|24|ctl00|24|ctl04|24|ctl00|24|ctl00|24|TextField|22 0D 0A 0D 0A|"; fast_pattern; nocase; pcre:"/^[^\r\n]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ri"; metadata:policy max-detect-ips drop, service http; reference:cve,2012-1861; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-050; classtype:web-application-attack; sid:23279; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SAP NetWeaver cross site scripting attempt"; flow:to_server,established; content:"/RequestParts.htm"; fast_pattern:only; http_uri; pcre:"/[?&]sap-ffield=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:url,service.sap.com/sap/support/notes/1422273; classtype:web-application-attack; sid:23260; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LANDesk Thinkmanagement Suite ServerSetup directory traversal attempt"; flow:to_server,established; content:"POST"; http_method; content:"/landesk/managementsuite/core/core.anonymous/ServerSetup.asmx"; fast_pattern:only; http_uri; content:"<RunAMTCommand"; nocase; http_client_body; content:"-RunEnhancedRemediation"; distance:0; nocase; http_client_body; metadata:policy max-detect-ips drop, service http; reference:bugtraq,52023; reference:cve,2012-1195; classtype:attempted-user; sid:23259; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ruby on Rails SQL injection attempt"; flow:to_server,established; content:"[mysql where "; http_uri; metadata:service http; reference:cve,2012-2661; classtype:web-application-attack; sid:23216; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft ASP.NET improper comment handling XSS attempt"; flow:to_server,established; content:".aspx|3F|"; nocase; http_uri; content:"/*-*/"; distance:0; http_uri; content:"/**/"; distance:0; http_uri; metadata:service http; reference:bugtraq,20753; reference:cve,2006-7192; reference:cve,2008-3842; reference:cve,2008-3843; classtype:web-application-attack; sid:23172; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP EXIF header parsing integer overflow attempt little endian"; flow:to_server,established; content:"Exif|00 00 49 49 2A 00 08 00 00 00|"; http_client_body; content:"|03 90 02 00|"; distance:0; http_client_body; byte_test:4,>,2048,0,relative,little; metadata:policy max-detect-ips drop, service http; reference:cve,2011-4566; classtype:web-application-attack; sid:22951; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-CGI command injection attempt"; flow:to_server,established; content:"-s"; http_uri; content:!"="; http_raw_uri; pcre:"/\x3F\s*?-s/Ui"; metadata:service http; reference:cve,2012-1823; reference:cve,2012-2311; reference:cve,2012-2335; reference:cve,2012-2336; classtype:attempted-admin; sid:22097; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-CGI command injection attempt"; flow:to_server,established; content:".php?"; http_uri; content:"-s"; nocase; http_uri; content:!"="; http_raw_uri; pcre:"/\x2ephp\x3f\s*-s/Ui"; metadata:service http; reference:cve,2012-1823; reference:cve,2012-2311; reference:cve,2012-2335; reference:cve,2012-2336; classtype:attempted-admin; sid:22064; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-CGI remote file include attempt"; flow:to_server,established; content:"auto_prepend_file"; http_uri; metadata:ruleset community, service http; reference:cve,2012-1823; reference:cve,2012-2311; reference:cve,2012-2335; reference:cve,2012-2336; classtype:attempted-admin; sid:22063; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla JCE multiple plugin arbitrary PHP file execution attempt"; flow:to_server,established; content:"option=com_jce"; fast_pattern:only; http_uri; content:"json"; nocase; http_client_body; pcre:"/json\s*=\s*\x7b.*?\x22fn\x22\s*\x3a\s*\x22(getItems|folderRename|file(Delete|Copy))\x22\s*\x2c\s*\x22args\x22\s*\x3a\x5b?[^\x7d]*?\x22[^\x22]*?(\.\.|0day)[^\x22]*?\x22.*?\x7d/imsP"; metadata:service http; reference:url,joomlacontenteditor.net/index.php?option=com_content&view=article&id=567&catid=7&Itemid=121; classtype:attempted-user; sid:21926; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %USERDOMAIN%"; flow:to_server,established; content:"%USERDOMAIN%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21844; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %PROMPT%"; flow:to_server,established; content:"%PROMPT%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21843; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %PATHEXT%"; flow:to_server,established; content:"%PATHEXT%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21842; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %PATH%"; flow:to_server,established; content:"%PATH%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21841; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %LOGONSERVER%"; flow:to_server,established; content:"%LOGONSERVER%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21840; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %COMPUTERNAME%"; flow:to_server,established; content:"%COMPUTERNAME%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21839; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PSModulePath%"; flow:to_server,established; content:"%PSModulePath%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21838; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PUBLIC%"; flow:to_server,established; content:"%PUBLIC%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21837; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %WINDIR%"; flow:to_server,established; content:"%WINDIR%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21836; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %USERPROFILE%"; flow:to_server,established; content:"%USERPROFILE%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21835; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %USERNAME%"; flow:to_server,established; content:"%USERNAME%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21834; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %USERDATA%"; flow:to_server,established; content:"%USERDATA%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21833; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %TMP%"; flow:to_server,established; content:"%TMP%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21832; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %TEMP%"; flow:to_server,established; content:"%TEMP%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21831; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %SystemRoot%"; flow:to_server,established; content:"%SystemRoot%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21830; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %SystemDrive%"; flow:to_server,established; content:"%SystemDrive%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21829; rev:4;)
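# NOTE(review): in a Snort content string, |40| and |41| are hex bytes, i.e. "@" and "A"; the parentheses of %PROGRAMFILES(X86)% would be |28| and |29| (40 and 41 are their decimal values). As written this rule looks unlikely to match the variable named in its msg; verify before enabling and keep any corrected copy as a local rule with its own sid.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMFILES - X86%"; flow:to_server,established; content:"%PROGRAMFILES|40|X86|41|%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21828; rev:4;)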
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMFILES%"; flow:to_server,established; content:"%PROGRAMFILES%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21827; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %LOCALAPPDATA%"; flow:to_server,established; content:"%LOCALAPPDATA%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21826; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %HOMEPATH%"; flow:to_server,established; content:"%HOMEPATH%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21825; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %HOMEDRIVE%"; flow:to_server,established; content:"%HOMEDRIVE%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21824; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %COMSPEC%"; flow:to_server,established; content:"%COMSPEC%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21823; rev:4;)
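# NOTE(review): in a Snort content string, |40| and |41| are hex bytes, i.e. "@" and "A"; the parentheses of %COMMONPROGRAMFILES(x86)% would be |28| and |29| (40 and 41 are their decimal values). As written this rule looks unlikely to match the variable named in its msg; verify before enabling and keep any corrected copy as a local rule with its own sid.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %COMMONPROGRAMFILES - x86%"; flow:to_server,established; content:"%COMMONPROGRAMFILES|40|x86|41|%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21822; rev:4;)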
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %COMMONPROGRAMFILES%"; flow:to_server,established; content:"%COMMONPROGRAMFILES%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21821; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %APPDATA%"; flow:to_server,established; content:"%APPDATA%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21820; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMDATA%"; flow:to_server,established; content:"%PROGRAMDATA%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21819; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %ALLUSERSPROFILE%"; flow:to_server,established; content:"%ALLUSERSPROFILE%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21818; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Youngzsoft CMailServer CMailCOM buffer overflow attempt"; flow:to_server,established; content:"/mail/mvmail.asp"; fast_pattern:only; http_uri; content:"indexOfMail="; nocase; http_client_body; isdataat:4108,relative; metadata:service http; reference:bugtraq,30098; reference:cve,2008-6922; classtype:attempted-admin; sid:21762; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP PECL zip URL wrapper buffer overflow attempt"; flow:to_client,established; file_data; content:"|3C 3F|"; content:"php"; distance:0; nocase; content:"zip|3A 2F 2F|"; distance:0; pcre:"/zip\x3a\x2f\x2f[^\x0A\x20\x09\x0B\x0C\x85\x3E\x3C]{400}/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,22883; reference:cve,2007-1399; reference:url,php-security.org/MOPB/MOPB-16-2007.html; classtype:attempted-user; sid:21671; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHP phpinfo cross site scripting attempt"; flow:to_server,established; content:"/phpinfo.php"; fast_pattern:only; http_uri; content:"[]="; http_uri; pcre:"/\x5b\x5d=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2007-1287; reference:url,php-security.org/MOPB/MOPB-08-2007.html; classtype:attempted-user; sid:21670; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SurgeMail webmail.exe page format string exploit attempt"; flow:to_server,established; content:"/scripts/webmail.exe"; fast_pattern:only; http_uri; pcre:"/[\x26\x3f]page=[^\x26]*?\x25/Ii"; metadata:service http; reference:bugtraq,27990; reference:cve,2008-1055; reference:url,aluigi.altervista.org/adv/surgemailz-adv.txt; classtype:web-application-attack; sid:21609; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Gravity GTD objectname parameter injection attempt"; flow:to_server,established; content:"/library/setup/rpc.php"; fast_pattern:only; http_uri; pcre:"/objectname=[^\x26]*?(\x2e\x2e\x2f|[^a-z0-9])/iU"; metadata:service http; reference:cve,2008-5962; classtype:attempted-admin; sid:21594; rev:5;)
# Enabled rule (sid 21517). Fires on any established, client-to-server HTTP request from
# $EXTERNAL_NET to $HTTP_SERVERS on $HTTP_PORTS whose URI contains "/admin-console/".
# It keys on the path alone, not on an exploit payload (classtype is attempted-recon), so
# legitimate administration from an address inside $EXTERNAL_NET will also alert.
# The metadata tags it "drop" for the balanced-ips and security-ips policies; where those
# policy tags are applied inline, expect matching requests to be blocked rather than logged.
# Tuning: keep the admin console off externally reachable listeners, and scope $EXTERNAL_NET /
# $HTTP_SERVERS (or add a suppression for known admin source ranges) instead of disabling the rule.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP JBoss admin-console access"; flow:to_server,established; content:"/admin-console/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-2185; reference:url,docs.jboss.org/jbossas/6/Admin_Console_Guide/en-US/pdf/Admin_Console_Guide.pdf; classtype:attempted-recon; sid:21517; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HTTP response splitting attempt"; flow:to_server,established; content:"Content-Length: 0|0D 0A|"; fast_pattern:only; http_uri; metadata:service http; classtype:attempted-user; sid:21465; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Common Services Device Center XSS attempt"; flow:to_server,established; content:"/cwhp/device.center.do"; fast_pattern:only; http_uri; pcre:"/device\.center\.do\?[^$\n]*(DeviceID|objectID|dsOsName|device)=[^$\n]*([\x3C\x3E\x22\x27]|script|src|location|document)/Ui"; metadata:service http; reference:cve,2011-0962; classtype:web-application-attack; sid:21389; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Common Services Help servlet XSS attempt"; flow:to_server,established; content:"com.cisco.nm.help.ServerHelpEngine"; fast_pattern:only; http_uri; pcre:"/com\.cisco\.nm\.help\.ServerHelpEngine\?[^$\n]*tag=[^$\n]*([\x3C\x3E\x22\x27]|script|src|location|document)/OUi"; metadata:service http; reference:cve,2011-0961; classtype:web-application-attack; sid:21385; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Unified Communications Manager sql injection attempt"; flow:to_server,established; content:"/ccmcip/xmldirectorylist"; fast_pattern:only; http_uri; pcre:"/xmldirectorylist(\.utf-8|\.other)?\.jsp[^\n]*?[\x3F\x26][lfn]=[^\x26]*?[\x22\x27][^\x26]*?\x20(or|union|like|select)\x20/Ui"; metadata:service http; reference:cve,2011-1610; reference:url,attack.mitre.org/techniques/T1190; classtype:web-application-attack; sid:21377; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Remote Execution Backdoor Attempt Against Horde"; flow:to_server,established; content:"/services/javascript.php"; fast_pattern:only; http_uri; content:"href="; http_cookie; content:"file=open_calendar.js"; http_client_body; metadata:ruleset community, service http; reference:cve,2012-0209; reference:url,dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155; reference:url,eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/; reference:url,pastebin.com/U3ADiWrP; classtype:web-application-attack; sid:21375; rev:7;)
# alert tcp $HOME_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP iPlanet Webserver command injection attempt"; flow:to_server,established; content:"https-admserv/bin/perl/importInfo"; fast_pattern:only; pcre:"/https-admserv\x2fbin\x2fperl\x2fimportInfo\x3F.*?dir=[^\x26]*?[\x7c]/iU"; metadata:service http; reference:bugtraq,6202; reference:cve,2002-1315; classtype:web-application-attack; sid:21358; rev:4;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 500 (msg:"SERVER-WEBAPP Openswan/Strongswan Pluto IKE daemon ISAKMP DPD malformed packet DOS attempt"; flow:to_server; content:"|8D 29|"; depth:2; offset:38; isdataat:!41; reference:bugtraq,34296; reference:cve,2009-0790; classtype:attempted-dos; sid:21334; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 500 (msg:"SERVER-WEBAPP Openswan/Strongswan Pluto IKE daemon ISAKMP DPD malformed packet DOS attempt"; flow:to_server; content:"|8D 28|"; depth:2; offset:38; isdataat:!41; reference:bugtraq,34296; reference:cve,2009-0790; classtype:attempted-dos; sid:21333; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Insight Diagnostics XSS attempt"; flow:to_server,established; content:"/hpdiags/"; fast_pattern:only; pcre:"/\x2fhpdiags\x2f(parameters|idstatusframe|survey|globals|custom)\.php\x3f.*?(device|pid|cfg|category|tabpage|testmode)=[^\x26]*?(script|onclick|onload|onmouseover|[\x22\x27\x3c\x3e\x28\x29])/i"; metadata:service http; reference:cve,2010-3003; classtype:web-application-attack; sid:21314; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint chart webpart XSS attempt"; flow:to_server,established; content:"_layouts/Chart/WebUI/WizardList.aspx"; fast_pattern:only; http_uri; pcre:"/([sp]key|csk)=[^\r\n\x26]+(script|onclick|onload|onmouseover|html|[\x22\x27\x3c\x3e\x28\x29])/Ui"; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0145; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-011; classtype:web-application-attack; sid:21298; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Office SharePoint themeweb.aspx XSS attempt"; flow:to_server,established; content:"/_layouts/themeweb.aspx"; fast_pattern:only; http_uri; pcre:"/ctl\d+\x24PlaceHolderMain\x24ctl\d+\x24customizeThemeSection\x24(accent1|accent2|accent3|accent4|accent5|accent6|dark1|dark2|light1|light2)=[^\r\n\x26]+(script|onclick|onload|onmouseover|[\x22\x27\x3c\x3e\x28\x29])/i"; metadata:service http; reference:cve,2012-0144; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-011; classtype:web-application-attack; sid:21297; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Devellion CubeCart searchStr parameter SQL injection"; flow:to_server,established; content:"searchStr='"; fast_pattern; http_uri; content:"/index.php?"; nocase; http_uri; metadata:service http; reference:url,www.acunetix.com/blog/web-security-zone/articles/sql-injection-xss-cubecart-4-3-3/; classtype:web-application-attack; sid:21271; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Devellion CubeCart multiple parameter XSS vulnerability"; flow:to_server,established; content:"gateway/WorldPay/return.php?"; http_uri; pcre:"/(amount|cartId|email|transId|transStatus)=[^&]*[\x22\x27\x3c\x3e]/R"; metadata:service http; reference:url,www.acunetix.com/blog/web-security-zone/articles/sql-injection-xss-cubecart-4-3-3/; classtype:web-application-attack; sid:21270; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP UNLOCK Webdav Stack Buffer Overflow attempt"; flow:to_server,established; content:"UNLOCK"; depth:6; nocase; isdataat:200,relative; pcre:"/^UNLOCK\s+[^\s]{200}/smi"; metadata:service http; reference:bugtraq,37874; reference:cve,2010-0361; classtype:attempted-admin; sid:21236; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP LOCK WebDAV Stack Buffer Overflow attempt"; flow:to_server,established; content:"LOCK"; http_method; content:"LOCK"; depth:4; fast_pattern; urilen:>200; metadata:service http; reference:bugtraq,7116; reference:cve,2003-0109; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-007; classtype:attempted-admin; sid:21235; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP MKCOL Webdav Stack Buffer Overflow attempt"; flow:to_server,established; content:"MKCOL"; depth:5; nocase; isdataat:1000,relative; pcre:"/^MKCOL\s+[^\s]{1000}/smi"; metadata:service http; reference:bugtraq,37874; reference:cve,2010-0361; classtype:attempted-admin; sid:21234; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8004 (msg:"SERVER-WEBAPP Symantec Antivirus admin scan interface negative Content-Length attempt"; flow:to_server,established; content:"Content-Length|3A| 4294967295"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,15001; reference:cve,2005-2758; classtype:attempted-admin; sid:21233; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec IM Manager TOC_simple cross site scripting attempt"; flow:to_server,established; content:"/IMManager/Admin/IMAdminTOC_simple.asp"; fast_pattern:only; http_uri; pcre:"/(menuitem=|nav=)[^\x26\s]*[\x3e\x3d\x29\x3b]/Ui"; metadata:service http; reference:bugtraq,49739; reference:cve,2011-0552; classtype:attempted-user; sid:21067; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec IM Manager Systemdashboard cross site scripting attempt"; flow:to_server,established; content:"/IMManager/Admin/IMAdminSystemDashboard.asp"; fast_pattern:only; http_uri; content:"refreshRateSetting="; nocase; http_uri; pcre:"/refreshRateSetting=[^\x26\s]*[\x3e\x3d\x26]/Ui"; metadata:service http; reference:bugtraq,49739; reference:cve,2011-0552; classtype:attempted-user; sid:21066; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec IM Manager Edituser cross site scripting attempt"; flow:to_server,established; content:"/IMManager/Admin/IMAdminEdituser.asp"; fast_pattern:only; http_uri; content:"action="; nocase; http_uri; pcre:"/action=[^\x26\s]*[\x3e\x3d\x26]/Ui"; metadata:service http; reference:bugtraq,49739; reference:cve,2011-0552; classtype:attempted-user; sid:21065; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Apple OSX software update command execution attempt"; flow:to_client,established; file_data; content:"installer-gui-script"; fast_pattern:only; content:"allow-external-scripts"; nocase; pcre:"/^\s*\x3d\s*([\x22\x27])\s*yes\s*\1/Ri"; content:"system.run"; nocase; metadata:service http; reference:cve,2007-5863; classtype:attempted-admin; sid:21051; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Worldweaver DX Studio Player shell.execute command execution attempt"; flow:to_client,established; flowbits:isset,http.dxstudio.clsid; content:"Content-Type|3A|"; nocase; http_header; content:"application/octet-stream"; within:30; fast_pattern; nocase; http_header; file_data; content:"header.xml"; depth:10; offset:30; nocase; metadata:service http; reference:bugtraq,35273; reference:cve,2009-2011; classtype:attempted-user; sid:20872; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Worldweaver DX Studio Player shell.execute command execution attempt"; flow:to_client,established; file_data; content:"0AC2706C-8623-46F8-9EDD-8F71A897FDAE"; fast_pattern:only; flowbits:set,http.dxstudio.clsid; flowbits:noalert; metadata:service http; reference:bugtraq,35273; reference:cve,2009-2011; classtype:attempted-user; sid:20871; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP Jive Software Openfire muc-room-edit-form.jsp XSS attempt"; flow:to_server,established; content:"/muc-room-edit-form.jsp"; fast_pattern:only; http_uri; pcre:"/muc-room-edit-form\.jsp\?.*?=([^\x26]*[\x22\x27\x3C\x3E\x28\x29\x3B]|script|src|location|document)/U"; metadata:service http; reference:bugtraq,32935; reference:cve,2009-0496; classtype:web-application-attack; sid:20868; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP Jive Software Openfire server-properties.jsp XSS attempt"; flow:to_server,established; content:"/server-properties.jsp"; fast_pattern:only; http_uri; pcre:"/server-properties\.jsp\?.*?=([^\x26]*[\x22\x27\x3C\x3E\x28\x29\x3B]|script|src|location|document)/U"; metadata:service http; reference:bugtraq,32935; reference:cve,2009-0496; classtype:web-application-attack; sid:20867; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP Jive Software Openfire audit-policy.jsp XSS attempt"; flow:to_server,established; content:"/audit-policy.jsp"; fast_pattern:only; http_uri; pcre:"/audit-policy\.jsp\?.*?=([^\x26]*[\x22\x27\x3C\x3E\x28\x29\x3B]|script|src|location|document)/U"; metadata:service http; reference:bugtraq,32935; reference:cve,2009-0496; classtype:web-application-attack; sid:20866; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP Jive Software Openfire user-properties.jsp XSS attempt"; flow:to_server,established; content:"/user-properties.jsp"; fast_pattern:only; http_uri; pcre:"/user-properties\.jsp\?.*?=([^\x26]*[\x22\x27\x3C\x3E\x28\x29\x3B]|script|src|location|document)/U"; metadata:service http; reference:bugtraq,32935; reference:cve,2009-0496; classtype:web-application-attack; sid:20865; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP Jive Software Openfire group-summary.jsp XSS attempt"; flow:to_server,established; content:"/group-summary.jsp"; fast_pattern:only; http_uri; pcre:"/group-summary\.jsp\?.*?=([^\x26]*[\x22\x27\x3C\x3E\x28\x29\x3B]|script|src|location|document)/U"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,32935; reference:cve,2009-0496; classtype:web-application-attack; sid:20864; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP Jive Software Openfire log.jsp XSS attempt"; flow:to_server,established; content:"/log.jsp"; fast_pattern:only; http_uri; pcre:"/log\.jsp\?.*?=([^\x26]*[\x22\x27\x3C\x3E\x28\x29\x3B]|script|src|location|document)/U"; metadata:service http; reference:bugtraq,32935; reference:cve,2009-0496; classtype:web-application-attack; sid:20863; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP Jive Software Openfire logviewer.jsp XSS attempt"; flow:to_server,established; content:"/logviewer.jsp"; fast_pattern:only; http_uri; pcre:"/logviewer\.jsp\?.*?=([^\x26]*[\x22\x27\x3C\x3E\x28\x29\x3B]|script|src|location|document)/U"; metadata:service http; reference:bugtraq,32935; reference:cve,2009-0496; classtype:web-application-attack; sid:20862; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP HP Network Node Manager cross site scripting attempt"; flow:to_server,established; content:"/nnm/"; fast_pattern:only; http_uri; pcre:"/\x2Fnnm\x2F(mibdiscover|protected\x2Fconfigurationpoll\.jsp|protected\x2Fping\.jsp|protected\x2Fstatuspoll\.jsp|protected\x2Ftraceroute\.jsp|validate)/Ui"; pcre:"/(node|nodename|field)=[^\x26]+(script|onload|onmouseover|\x27|\x22|\x3c|\x3e|src)/i"; metadata:service http; reference:cve,2011-4155; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03035744; classtype:web-application-attack; sid:20845; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec IM Manager administrator interface SQL injection attempt"; flow:to_server,established; content:"/IMManager/Admin/IMAdminLDAPConfig.asp"; fast_pattern; http_uri; content:"action=edit"; nocase; http_uri; pcre:"/(IMManager_LdapUpdate_ServerName|IMManager_LdapUpdate_UserDN|IMManager_LdapUpdate_Port|IMManager_LdapUpdate_Secure_Port|IMManager_LdapUpdate_UserQuery|IMManager_LdapUpdate_GroupQuery|hdn_IMManager_LdapUpdate_ObjectClasses)=[^\x26]*?([\x27\x22]|%(22|27))/i"; metadata:service http; reference:bugtraq,49738; reference:cve,2011-0553; reference:url,secunia.com/advisories/43157; classtype:web-application-attack; sid:20832; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpThumb fltr[] parameter remote command execution attempt"; flow:to_server,established; content:"/phpThumb.php?"; nocase; http_uri; content:"fltr[]="; nocase; http_uri; content:"|3B|"; within:200; nocase; http_uri; pcre:"/\x2FphpThumb\.php\x3F[^\r\n]*fltr\[\]=[^\r\n\x26]+\x3B/Ui"; metadata:service http; reference:bugtraq,39605; reference:cve,2010-1598; reference:url,blog.spiderlabs.com/2011/12/honeypot-alert-phpthumb-fltr-parameter-command-injection-detected.html; classtype:attempted-user; sid:20827; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OABoard forum script remote file injection attempt"; flow:to_server,established; content:"oaboard"; nocase; http_uri; content:"forum|2E|php|3F|"; nocase; http_uri; content:"inc|3D|http:/"; distance:0; nocase; http_uri; pcre:"/\/oaboard[^\r\n]*?\/forum\.php[^\r\n]*[\x26\x3F]inc\x3Dhttp\x3A\x2F/iU"; metadata:service http; reference:bugtraq,16105; reference:cve,2006-0076; classtype:attempted-user; sid:20826; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ACal Calendar Project cookie based authentication bypass attempt"; flow:to_server,established; content:"login.php"; nocase; http_uri; content:"ACalAuthenticate|3D|inside"; nocase; http_cookie; metadata:service http; reference:cve,2006-0182; classtype:attempted-user; sid:20819; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Vmist Downstat remote file include in stats.php art"; flow:to_server,established; content:"downstat"; nocase; http_uri; content:"stats.php"; nocase; http_uri; content:"art="; nocase; http_uri; pcre:"/\x2Fstats\.php\x3F[^\r\n]*?art\x3Dhttp\x3A\x2F/Ui"; metadata:service http; reference:bugtraq,20007; reference:cve,2006-4827; classtype:web-application-activity; sid:20818; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Vmist Downstat remote file include in modes.php art"; flow:to_server,established; content:"downstat"; nocase; http_uri; content:"modes.php"; nocase; http_uri; content:"art="; nocase; http_uri; pcre:"/\x2Fmodes\.php\x3F[^\r\n]*?art\x3Dhttp\x3A\x2F/Ui"; metadata:service http; reference:bugtraq,20007; reference:cve,2006-4827; classtype:web-application-activity; sid:20817; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Vmist Downstat remote file include in admin.php art"; flow:to_server,established; content:"downstat"; nocase; http_uri; content:"admin.php"; nocase; http_uri; content:"art="; nocase; http_uri; pcre:"/\x2Fadmin\.php\x3F[^\r\n]*?art\x3Dhttp\x3A\x2F/Ui"; metadata:service http; reference:bugtraq,20007; reference:cve,2006-4827; classtype:web-application-activity; sid:20816; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Vmist Downstat remote file include in chart.php art"; flow:to_server,established; content:"downstat"; nocase; http_uri; content:"chart.php"; nocase; http_uri; content:"art="; nocase; http_uri; pcre:"/\x2Fchart\.php\x3F[^\r\n]*?art\x3Dhttp\x3A\x2F/Ui"; metadata:service http; reference:bugtraq,20007; reference:cve,2006-4827; classtype:web-application-activity; sid:20815; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1311 (msg:"SERVER-WEBAPP Dell OpenManage server application field buffer overflow attempt"; flow:to_server,established; content:"Dell Computer Corporation"; fast_pattern; nocase; content:"user|3D|"; distance:0; nocase; content:"password|3D|"; distance:0; nocase; content:"application|3D|"; distance:0; nocase; isdataat:194,relative; content:!"|26|"; within:194; reference:cve,2004-0331; classtype:attempted-user; sid:20740; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP 427BB cookie-based authentication bypass attempt"; flow:to_server,established; content:"username=admin"; nocase; http_cookie; content:"authenticated=1"; nocase; http_cookie; content:"usertype=admin"; nocase; http_cookie; metadata:service http; reference:cve,2006-0153; classtype:attempted-admin; sid:20737; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sabdrimer PHP pluginpath remote file include attempt"; flow:to_server,established; content:"pluginpath[0]="; fast_pattern:only; http_uri; pcre:"/\x2Fadvanced1\.php\?[^\r\n]*?pluginpath\x5B0\x5D=(https?|ftps?)/Ui"; metadata:service http; reference:bugtraq,18907; reference:cve,2006-3520; classtype:web-application-attack; sid:20732; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TSEP tsep_config absPath parameter PHP remote file include attempt"; flow:to_server,established; content:"tsep_config|5B|absPath|5D|="; fast_pattern:only; http_uri; pcre:"/tsep_config\x5babsPath\x5d=[^&]*?(https?|ftps?|php)/Ui"; metadata:service http; reference:bugtraq,19326; reference:cve,2006-3993; reference:cve,2006-4055; classtype:web-application-attack; sid:20731; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WoW Roster remote file include with hslist.php and conf.php attempt"; flow:to_server,established; content:"subdir="; fast_pattern:only; http_uri; pcre:"/\x2F(conf|hslist)\.php\?[^\r\n]*?subdir=(https?|ftps?)/Ui"; metadata:service http; reference:bugtraq,19269; reference:cve,2006-3997; reference:cve,2006-3998; classtype:web-application-attack; sid:20728; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1111 (msg:"SERVER-WEBAPP F-Secure web console username overflow attempt"; flow:to_server,established; content:"/authorise"; nocase; content:"userName"; fast_pattern; nocase; content:"|5C|"; distance:292; reference:bugtraq,18201; reference:cve,2006-2838; classtype:attempted-admin; sid:20726; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Flashchat aedating4CMS.php remote file include attempt"; flow:to_server,established; content:"/aedating4CMS.php"; fast_pattern:only; http_uri; content:"dir[inc]="; nocase; http_uri; pcre:"/\x2Faedating4CMS\.php?[^\r\n]*?dir\[inc\]=(https?|ftps?)/Ui"; metadata:service http; reference:bugtraq,19826; reference:cve,2006-4583; classtype:web-application-activity; sid:20680; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sourceforge Gallery search engine cross-site scripting attempt"; flow:to_server,established; content:"search.php?"; nocase; http_uri; content:"<script>"; within:25; nocase; http_uri; metadata:service http; reference:cve,2003-0614; reference:url,secunia.com/advisories/9376/; reference:url,www.securityfocus.com/bid/8288; classtype:attempted-admin; sid:20674; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Comet WebFileManager remote file include in CheckUpload.php Language"; flow:to_server,established; content:"CheckUpload.php"; fast_pattern:only; http_uri; pcre:"/Language=(https?|ftps?)/i"; metadata:service http; reference:bugtraq,19433; reference:cve,2006-4077; classtype:web-application-attack; sid:20663; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Free File Hosting remote file include in forgot_pass.php ad_body_temp"; flow:to_server,established; content:"forgot_pass.php"; fast_pattern:only; http_uri; content:"ad_body_temp"; nocase; pcre:"/ad_body_temp=(https?|ftps?)/i"; metadata:service http; reference:bugtraq,20781; reference:cve,2006-5762; classtype:web-application-attack; sid:20657; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GestArtremote file include in aide.php3 aide"; flow:to_server,established; content:"aide.php3"; fast_pattern:only; http_uri; content:"aide"; nocase; pcre:"/aide=(https?|ftps?)/i"; metadata:service http; reference:bugtraq,22825; reference:cve,2006-5612; classtype:web-application-attack; sid:20656; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GrapAgenda remote file include in index.php page"; flow:to_server,established; content:"index.php"; fast_pattern:only; http_uri; content:"page"; nocase; pcre:"/page=(https?|ftps?)/i"; metadata:service http; reference:bugtraq,19857; reference:cve,2006-4610; classtype:web-application-attack; sid:20654; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ME Download System remote file include in header.php Vb8878b936c2bd8ae0cab"; flow:to_server,established; content:"header.php"; fast_pattern:only; http_uri; content:"Vb8878b936c2bd8ae0cab="; nocase; pcre:"/Vb8878b936c2bd8ae0cab=(https?|ftps?)/i"; metadata:service http; reference:bugtraq,19336; reference:cve,2006-4053; classtype:web-application-attack; sid:20652; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Modernbill remote file include in config.php DIR"; flow:to_server,established; content:"config.php"; fast_pattern:only; http_uri; content:"DIR"; nocase; pcre:"/DIR=(https?|ftps?)/i"; metadata:service http; reference:bugtraq,19335; reference:cve,2006-4034; classtype:web-application-attack; sid:20651; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MyNewsGroups remote file include in layersmenu.inc.php myng_root"; flow:to_server,established; content:"layersmenu.inc.php"; fast_pattern:only; http_uri; content:"myng_root"; nocase; pcre:"/myng_root=(https?|ftps?)/i"; metadata:service http; reference:bugtraq,19258; reference:cve,2006-3966; classtype:web-application-attack; sid:20650; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ADNForum SQL injection in index.php fid attempt"; flow:to_server,established; content:"fid="; fast_pattern:only; http_uri; content:"/index.php"; nocase; http_uri; pcre:"/[?&]fid=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:bugtraq,16157; reference:cve,2006-0123; classtype:web-application-attack; sid:20649; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Bit 5 Blog SQL injection in processlogin.php username via"; flow:to_server,established; content:"processlogin.php"; fast_pattern:only; http_uri; content:"username"; nocase; pcre:"/username=[^\r\n\x26]*?([\x22\x27]|%2[27])/i"; metadata:service http; reference:bugtraq,16244; reference:cve,2006-0320; classtype:web-application-attack; sid:20648; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP inTouch SQL injection in index.php user attempt"; flow:to_server,established; content:"index.php"; fast_pattern:only; http_uri; content:"user"; nocase; http_uri; pcre:"/user=[^\r\n\x26]*?([\x22\x27]|%2[27])/Ui"; metadata:service http; reference:bugtraq,16110; reference:cve,2006-0088; classtype:web-application-attack; sid:20647; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Benders Calendar SQL injection in index.php this_day attempt"; flow:to_server,established; content:"index.php"; fast_pattern:only; http_uri; content:"this_day"; nocase; pcre:"/this_day=[^\r\n\x26]*?([\x22\x27]|%2[27])/i"; metadata:service http; reference:bugtraq,16242; reference:cve,2006-0252; classtype:web-application-attack; sid:20646; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lizard Cart CMS SQL injection in pages.php id attempt"; flow:to_server,established; content:"/pages.php"; fast_pattern:only; http_uri; content:"id"; nocase; http_uri; pcre:"/id=[^\r\n\x26]*?[\x22\x27]/Ui"; metadata:service http; reference:bugtraq,16140; reference:cve,2006-0087; classtype:web-application-attack; sid:20645; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lizard Cart CMS SQL injection in detail.php id attempt"; flow:to_server,established; content:"/detail.php"; fast_pattern:only; http_uri; content:"id"; nocase; http_uri; pcre:"/id=[^\r\n\x26]*?[\x22\x27]/Ui"; metadata:service http; reference:bugtraq,16140; reference:cve,2006-0087; classtype:web-application-attack; sid:20644; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ScozBook SQL injection in auth.php adminname attempt"; flow:to_server,established; content:"auth.php"; fast_pattern:only; http_uri; content:"adminname"; nocase; pcre:"/adminname=[^\r\n\x26]*?([\x22\x27]|%2[27])/i"; metadata:service http; reference:bugtraq,16115; reference:cve,2006-0079; classtype:web-application-attack; sid:20643; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TankLogger SQL injection in showInfo.php livestock_id attempt"; flow:to_server,established; content:"showInfo.php"; fast_pattern:only; http_uri; content:"livestock_id"; nocase; pcre:"/livestock_id=[^\r\n\x26]*?([\x22\x27]|%2[27])/i"; metadata:service http; reference:bugtraq,16228; reference:cve,2006-0209; classtype:web-application-attack; sid:20642; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TheWebForum SQL injection in login.php username attempt"; flow:to_server,established; content:"login.php"; fast_pattern:only; http_uri; content:"username"; nocase; pcre:"/username=[^\r\n\x26]*?([\x22\x27]|%2[27])/i"; metadata:service http; reference:bugtraq,16161; reference:cve,2006-0135; classtype:web-application-attack; sid:20641; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP VEGO Web Forum SQL injection in login.php username attempt"; flow:to_server,established; content:"login.php"; fast_pattern:only; http_uri; content:"username"; nocase; pcre:"/username=[^\r\n\x26]*?([\x22\x27]|%2[27])/i"; metadata:service http; reference:bugtraq,16108; reference:cve,2006-0067; classtype:web-application-attack; sid:20640; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Boite de News remote file include in inc.php url_index"; flow:to_server,established; content:"url_index="; fast_pattern:only; http_uri; pcre:"/\x2F(inc2?|index)\.php?[^\r\n]*?url_index=(https?|ftps?)/Ui"; metadata:service http; reference:bugtraq,19440; reference:cve,2006-4123; classtype:web-application-activity; sid:20633; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AnnoncesV annonce.php remote file include attempt"; flow:to_server,established; content:"/annonce.php"; fast_pattern:only; http_uri; content:"page="; nocase; http_uri; pcre:"/[?&]page=[^&]*?(http|ftp)/Ui"; metadata:service http; reference:bugtraq,19854; reference:cve,2006-4622; classtype:web-application-attack; sid:20632; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Akarru remote file include in main_content.php bm_content"; flow:to_server,established; content:"main_content.php"; fast_pattern:only; http_uri; pcre:"/\x2Fmain_content\.php?[^\r\n]*?bm_content=(https?|ftps?)/Ui"; metadata:service http; reference:bugtraq,19870; reference:cve,2006-4645; classtype:web-application-activity; sid:20631; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP geoBlog SQL injection in viewcat.php cat parameter attempt"; flow:to_server,established; content:"viewcat.php"; fast_pattern:only; http_uri; pcre:"/cat=[^\r\n\x26]*([\x22\x27]|%2[27])/i"; metadata:service http; reference:bugtraq,16249; reference:cve,2006-0249; classtype:web-application-activity; sid:20629; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Venom Board SQL injection attempt"; flow:to_server,established; content:"venomboard|2F|forum"; fast_pattern; nocase; http_uri; content:"post.php3"; nocase; http_uri; content:"root="; nocase; http_uri; pcre:"/\x2Fpost\.php3?[^\r\n]*?root=[^\r\n\x26]*?union[^\r\n\x26]*select/Ui"; metadata:service http; reference:bugtraq,16176; reference:cve,2006-0160; classtype:web-application-activity; sid:20625; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Venom Board SQL injection attempt"; flow:to_server,established; content:"venomboard|2F|forum"; fast_pattern; nocase; http_uri; content:"post.php3"; nocase; http_uri; content:"parent="; nocase; http_uri; pcre:"/\x2Fpost\.php3?[^\r\n]*?parent=[^\r\n\x26]*?union[^\r\n\x26]*select/Ui"; metadata:service http; reference:bugtraq,16176; reference:cve,2006-0160; classtype:web-application-activity; sid:20624; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Venom Board SQL injection attempt "; flow:to_server,established; content:"venomboard|2F|forum"; fast_pattern; nocase; http_uri; content:"post.php3"; nocase; http_uri; content:"topic_id="; nocase; http_uri; pcre:"/\x2Fpost\.php3?[^\r\n]*?topic_id=[^\r\n\x26]*?union[^\r\n\x26]*select/Ui"; metadata:service http; reference:bugtraq,16176; reference:cve,2006-0160; classtype:web-application-activity; sid:20623; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-WEBAPP CoreHTTP Long buffer overflow attempt"; flow:to_server,established; content:"GET"; depth:3; isdataat:500; content:!"|0A|"; within:500; metadata:service http; reference:bugtraq,25120; reference:cve,2007-4060; reference:url,www.exploit-db.com/exploits/4243/; classtype:attempted-user; sid:20620; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-WEBAPP CoreHTTP Long buffer overflow attempt"; flow:to_server,established; content:"X"; depth:1; nocase; isdataat:500; content:!"|0A|"; within:500; metadata:service http; reference:bugtraq,25120; reference:cve,2007-4060; reference:url,www.exploit-db.com/exploits/4243/; classtype:attempted-user; sid:20619; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sage SalesLogix admin authentication bypass attempt"; flow:to_server,established; content:"teams=ADMIN!"; fast_pattern:only; content:"slxweb=user=Admin"; nocase; http_cookie; content:"teams=ADMIN!"; nocase; http_cookie; content:"usertype=Administrator"; nocase; http_cookie; metadata:service http; reference:bugtraq,11450; reference:cve,2004-1612; classtype:attempted-admin; sid:20617; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordcircle SQL injection attempt"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"password="; nocase; http_uri; pcre:"/\x2Findex\.php?[^\r\n]*?password=[^\r\n\x26]*?[\x22\x27][^\r\n\x26]*[\x22\x27]/Ui"; metadata:service http; reference:bugtraq,16227; reference:cve,2006-0205; classtype:web-application-activity; sid:20615; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP php tiny shell upload attempt"; flow:to_server,established; content:"<?=($_=@$_GET[2]).@$_($_GET[1])?>"; fast_pattern:only; http_client_body; metadata:service http; reference:url,h.ackack.net/tiny-php-shell.html; classtype:misc-activity; sid:20533; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9120 (msg:"SERVER-WEBAPP DiskPulseServer GetServerInfo request buffer overflow"; flow:to_server,established; content:"GetServerInfo|02|"; nocase; isdataat:256,relative; content:!"|0D|"; within:256; reference:bugtraq,43919; classtype:attempted-user; sid:20446; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView NNM snmp.exe CGI Host parameter buffer overflow attempt"; flow:to_server,established; content:"/OvCgi/Main/Snmp|2E|exe"; fast_pattern:only; http_uri; content:"Oid|3D|"; nocase; http_client_body; isdataat:1000,relative; pcre:"/Oid\x3D[^\x0D\x0A]{1000}/Pi"; metadata:service http; reference:cve,2009-3849; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-user; sid:20241; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView NNM nnmRptConfig.exe CGI Host parameter buffer overflow attempt"; flow:to_server,established; content:"/OvCgi/nnmRptConfig|2E|exe"; fast_pattern:only; http_uri; content:"Action|3D|Create"; nocase; http_client_body; content:"Template|3D|"; isdataat:1000,relative; pcre:"/Template\x3D[^\x0D\x0A]{1000}/Pi"; metadata:service http; reference:cve,2009-3848; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-user; sid:20240; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView NNM ovlogin.exe passwd parameter buffer overflow attempt"; flow:to_server,established; content:"/OvCgi/ovlogin|2E|exe"; fast_pattern:only; http_uri; content:"passwd|3D|"; nocase; http_client_body; isdataat:29,relative; pcre:"/passwd\x3D[^\x26\x3F\x3B\x0D\x0A]{29}/iP"; metadata:service http; reference:bugtraq,37295; reference:cve,2009-3846; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-user; sid:20180; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView NNM ovlogin.exe userid parameter buffer overflow attempt"; flow:to_server,established; content:"/OvCgi/ovlogin|2E|exe"; fast_pattern:only; http_uri; content:"userid|3D|"; nocase; http_client_body; isdataat:29,relative; pcre:"/userid\x3D[^\x26\x3F\x3B\x0D\x0A]{29}/iP"; metadata:service http; reference:bugtraq,37295; reference:cve,2009-3846; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-user; sid:20179; rev:6;)
# NOTE(review): the msg of sid:20177 names ovlogin.exe, but its http_uri content matches "/OvCgi/snmpviewer.exe" (|2E| is "."); if this rule is enabled, triage its alerts by the request URI rather than the message text.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView NNM ovlogin.exe CGI Host parameter buffer overflow attempt"; flow:to_server,established; content:"/OvCgi/snmpviewer|2E|exe"; fast_pattern:only; http_uri; content:"Host|3A|"; nocase; isdataat:121,relative; pcre:"/Host\x3A\s*[^\x0D\x0A]{121}/iH"; metadata:service http; reference:cve,2009-4180; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-user; sid:20177; rev:4;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER-WEBAPP Oracle GlassFish Server successful authentication bypass attempt"; flow:to_client,established; flowbits:isset,glassfish_unauth_attempt; flowbits:unset,glassfish_unauth_attempt; file_data; content:"Deploy"; fast_pattern:only; content:"Applications"; pcre:"/<title>Deploy\s*(Enterprise)?\s*Applications/si"; metadata:service http; reference:bugtraq,47438; reference:cve,2011-0807; classtype:attempted-admin; sid:20160; rev:10;)
# sid:20159 -- request half of the Oracle GlassFish authentication bypass pair (CVE-2011-0807).
# Fires on client-to-server traffic on an established flow when all of these hold:
#   - the HTTP method is GET, compared case-insensitively (nocase);
#   - the URI contains "/applications/upload";
#   - the relative pcre (/R) finds ".jsf" or "Frame.jsf" directly after the previous match;
#   - the string "JSESSIONID=" is absent (negated content with no buffer modifier, so the
#     check is not restricted to the Cookie header).
# There is no flowbits:noalert, so the rule raises its own alert and also sets the flowbit
# glassfish_unauth_attempt. The rule that tests and clears that flowbit on the server
# response (sid:20160, the line directly above) is commented out in this file, so as shipped
# only the attempt is reported and the "successful" follow-up is not; enable both to keep
# the pair.
# NOTE(review): an alert here shows that a request without a session cookie reached this
# path, not that the bypass worked -- presumably it needs confirming against the server's
# response or its access log.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish Server authentication bypass attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/applications/upload"; http_uri; pcre:"/^(Frame)?\.jsf/R"; content:!"JSESSIONID="; flowbits:set,glassfish_unauth_attempt; metadata:service http; reference:bugtraq,47438; reference:cve,2011-0807; classtype:attempted-admin; sid:20159; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Microsoft SharePoint XSS"; flow:to_client,established; file_data; content:"|26|amp|3B|"; nocase; content:"expression|28|"; distance:0; nocase; pcre:"/\x26amp\x3B[^\r\n]+expression\x28/"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1252; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-074; classtype:web-application-attack; sid:20117; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt"; flow:to_server,established; content:"Using=_layouts/query"; nocase; http_uri; pcre:"/^(\.iqy|\.bqy).*(View|RowFolder)=[^&\x3b]*<\s*script/Ri"; metadata:service http; reference:cve,2011-1893; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-074; classtype:web-application-attack; sid:20116; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Microsoft Office SharePoint XML external entity exploit attempt"; flow:to_client,established; file_data; content:"<?xml"; content:"<!DOCTYPE"; distance:0; nocase; content:"[<!ENTITY"; distance:0; fast_pattern; nocase; content:"SYSTEM"; distance:0; nocase; pcre:"/\x3c\x21DOCTYPE\s*doc\s*\x5b\x3c\x21ENTITY\s*[^\s]*\s*SYSTEM/i"; metadata:service http; reference:cve,2011-1892; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-074; classtype:web-application-attack; sid:20115; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint hiddenSpanData cross site scripting attempt"; flow:to_server,established; content:"/_layouts/Picker.aspx"; fast_pattern:only; http_uri; pcre:"/hiddenSpanData=[^=]*(%3c|%28)/iP"; metadata:service http; reference:cve,2011-1891; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-074; classtype:web-application-attack; sid:20114; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Office SharePoint XSS vulnerability attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/Home.aspx"; nocase; http_uri; content:"RichHtmlField$hiddenDisplay"; nocase; http_client_body; content:"%3Cscript"; distance:0; nocase; http_client_body; metadata:service http; reference:cve,2011-1890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-074; classtype:attempted-user; sid:20113; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Office SharePoint XSS vulnerability attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/NewForm.aspx"; nocase; http_uri; content:"TextField_spSave"; nocase; http_client_body; content:"%3Cscript"; distance:0; nocase; http_client_body; metadata:service http; reference:cve,2011-1890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-074; classtype:attempted-user; sid:20112; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Office SharePoint XSS vulnerability attempt"; flow:to_server,established; content:"/calendar.aspx"; nocase; http_uri; content:"Calendardate="; distance:0; nocase; http_uri; pcre:"/[?&]CalendarDate=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2011-0653; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-074; classtype:attempted-user; sid:20111; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView Network Node Manager webappmon.exe host header buffer overflow attempt"; flow:to_server,established; content:"webappmon.exe"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:!"|0A|"; within:120; http_header; metadata:service http; reference:bugtraq,37341; reference:cve,2009-4177; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-admin; sid:20013; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Windows .NET Chart Control directory traversal attempt"; flow:to_server,established; content:"charImg.axd?"; content:"i=/"; distance:0; http_uri; content:".."; http_raw_uri; metadata:service http; reference:cve,2011-1977; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-066; classtype:attempted-recon; sid:19694; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress timthumb.php theme remote file include attack attempt"; flow:to_server,established; content:"/timthumb.php?"; nocase; http_uri; content:"src=http"; distance:0; nocase; http_uri; pcre:"/\x2ftimthumb\x2ephp\x3f[^\r\n]*?src=https?\x3a\x2f([^\x2e\x2f]+?\x2e){3}/Ui"; metadata:service http; reference:bugtraq,47374; reference:url,code.google.com/p/timthumb/issues/detail?id=212; classtype:web-application-attack; sid:19653; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP JBoss expression language actionOutcome remote code execution"; flow:to_server,established; content:"actionOutcome=/"; nocase; http_uri; content:"|23 7B|"; distance:0; nocase; http_uri; pcre:"/actionOutcome=\x2F[^\x3F]+\x3F[^\x26]*\x23\x7B/Ui"; metadata:service http; reference:bugtraq,41994; reference:cve,2010-1871; classtype:attempted-admin; sid:19558; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpMyAdmin session_to_unset session variable injection attempt"; flow:to_server,established; content:"session_to_unset="; fast_pattern:only; http_uri; content:"_SESSION["; nocase; http_uri; metadata:service http; reference:cve,2011-2505; reference:cve,2011-2506; reference:url,www.phpmyadmin.net/home_page/security/PMASA-2011-5.php; reference:url,www.phpmyadmin.net/home_page/security/PMASA-2011-6.php; classtype:attempted-user; sid:19553; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP cookiejacking attempt"; flow:to_client,established; file_data; content:"file|3A 2F 2F 2F|"; nocase; pcre:"/<\s*[A-Z]+\s+[^>]*file\x3A\x2F\x2F\x2F/smi"; metadata:policy max-detect-ips drop, service http; reference:url,www.swisscyberstorm.com/speakers/valotta-slides; classtype:attempted-recon; sid:19177; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP cookiejacking attempt"; flow:to_client,established; file_data; content:"file|3A 5C 5C|127.0.0.1"; nocase; pcre:"/<\s*[A-Z]+\s+[^>]*file\x3A\x5C\x5C127\x2e0\x2e0\x2e1/smi"; metadata:policy max-detect-ips drop, service http; reference:url,www.soom.cz/index.php?name=articles/show&aid=550; classtype:attempted-recon; sid:19176; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7510 (msg:"SERVER-WEBAPP HP OpenView Network Node Manager server name exploit attempt"; flow:to_server,established; content:"/topology/pathView"; http_uri; content:"|02 65 6E 74 00 00 73 71 00 7E 00 00 00 00 00 02|"; fast_pattern:only; metadata:service http; reference:bugtraq,45762; reference:cve,2011-0263; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02670501; classtype:attempted-admin; sid:18993; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec IM Manager LoggedInUsers.lgx definition file multiple SQL injections attempt"; flow:to_server,established; content:"/IMManager/rdPage.aspx?"; fast_pattern:only; http_uri; pcre:"/\x2FIMManager\x2FrdPage\x2Easpx\x3F.*?(loginTimeStamp|dbo|dateDiffParam|whereClause)\x3D[^\x26]*?(\x3B|\x23|\x2D{2})/sU"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,44299; reference:cve,2010-0112; classtype:web-application-attack; sid:18956; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec IM Manager LoggedInUsers.lgx definition file multiple SQL injections attempt"; flow:to_server,established; content:"/IMManager/rdpageimlogic.aspx?"; fast_pattern:only; http_uri; pcre:"/\x2FIMManager\x2Frdpageimlogic\x2Easpx\x3F.*?(loginTimeStamp|dbo|dateDiffParam|whereClause)\x3D[^\x26]*?(\x3B|\x23|\x2D{2})/sU"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,44299; reference:cve,2010-0112; classtype:web-application-attack; sid:18955; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Jboss default configuration unauthorized application add attempt"; flow:to_server,established; content:"/jmx-console/HtmlAdaptor?"; nocase; http_uri; content:"action=inspectMBean"; nocase; http_uri; content:"name=jboss.deployment|3A|type=DeploymentScanner,flavor=URL"; nocase; http_uri; content:"addURL|28|"; nocase; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; classtype:web-application-attack; sid:18932; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/Toolbar.exe"; fast_pattern:only; http_uri; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/iC"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18925; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/Title.exe"; fast_pattern:only; http_uri; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/iC"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18924; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/snmpviewer.exe"; fast_pattern:only; http_uri; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/iC"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18923; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/printsession.exe"; fast_pattern:only; http_uri; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/iC"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18922; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/OvWebHelp.exe"; fast_pattern:only; http_uri; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/iC"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18921; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/OvHelp.exe"; fast_pattern:only; http_uri; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/iC"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18920; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/ovsipexport.exe"; fast_pattern:only; http_uri; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/iC"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18919; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/ovsessioninfo.exe"; fast_pattern:only; http_uri; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/iC"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18918; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/ovlogin.exe"; fast_pattern:only; http_uri; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/iC"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18917; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/ovlaunchreg.exe"; fast_pattern:only; http_uri; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/iC"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18916; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/ovlaunch.exe"; fast_pattern:only; http_uri; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/iC"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18915; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/ovalarm.exe"; fast_pattern:only; http_uri; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/iC"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18914; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/OpenView.exe"; fast_pattern:only; http_uri; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/iC"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18913; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/OpenView5.exe"; fast_pattern:only; http_uri; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/iC"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18912; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/nnmRptPresenter.exe"; fast_pattern:only; http_uri; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/iC"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18911; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/nnmRptConfig.exe"; fast_pattern:only; http_uri; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/iC"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18910; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/jovwreg.exe"; fast_pattern:only; http_uri; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/iC"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18909; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/jovw.exe"; fast_pattern:only; http_uri; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/iC"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18908; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/getnnmdata.exe"; fast_pattern:only; http_uri; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/iC"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18907; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/getcvdata.exe"; fast_pattern:only; http_uri; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/iC"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18906; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/Main/Snmp.exe"; fast_pattern:only; http_uri; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/iC"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:18905; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Majordomo2 http directory traversal attempt"; flow:to_server,established; content:"mj_wwwusr"; fast_pattern; nocase; http_uri; content:"extra="; distance:0; nocase; http_uri; content:"../../.."; http_raw_uri; metadata:service http; reference:bugtraq,46127; reference:cve,2011-0049; classtype:web-application-attack; sid:18761; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 901 (msg:"SERVER-WEBAPP Samba SWAT HTTP Authentication overflow attempt"; flow:to_server,established; content:"Authorization|3A|"; fast_pattern:only; http_header; content:"Basic|20 3D|"; nocase; http_header; metadata:service http; reference:bugtraq,10780; reference:cve,2004-0600; classtype:attempted-user; sid:18751; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Power Manager formExportDataLogs buffer overflow attempt"; flow:to_server,established; content:"|2F|goform|2F|formExportDataLogs"; nocase; http_uri; content:"fileName"; http_client_body; pcre:"/fileName\x3d[^\r\n&]{235}/iP"; metadata:service http; reference:bugtraq,37866; reference:cve,2009-3999; classtype:attempted-user; sid:18745; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP VLC player web interface format string attack"; flow:to_server,established; content:"Connection|3A|"; nocase; http_raw_header; content:"%"; distance:0; http_raw_header; pcre:"/^Connection\x3A[^\r\n]+%/smiD"; metadata:service http; reference:bugtraq,27015; reference:cve,2007-6682; classtype:attempted-admin; sid:18743; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IBM WebSphere Expect header cross-site scripting"; flow:to_server,established; content:"Expect|3A|"; nocase; http_header; content:"<script>"; nocase; http_header; pcre:"/^Expect\x3A[^\r\n]+<script>/smiH"; metadata:service http; reference:bugtraq,26457; reference:cve,2007-5944; classtype:web-application-attack; sid:18742; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP osCommerce categories.php Arbitrary File Upload And Code Execution"; flow:to_server,established; content:"/admin/categories.php/login.php?cPath=&action=new_product_preview"; fast_pattern:only; metadata:service http; reference:bugtraq,44995; classtype:web-application-attack; sid:18678; rev:4;)
# NOTE(review): sid 18586 - the pcre /press_id\x3D\d+[^\&\r\n]/i is satisfied
#   by any press_id value of two or more digits, because \d+ can give back its
#   last digit to the negated class. It also has no HTTP buffer flag, so it
#   runs on the raw payload, where the space before the HTTP version satisfies
#   the class as well. Expect this rule to fire on ordinary requests to
#   news_article.php, which fits its web-application-activity classtype; triage
#   its alerts as informational. The msg string also ends with a stray space.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Visuplay CMS news_article.php unspecified SQL injection attempt "; flow:to_server,established; content:"news_article|2E|php"; fast_pattern; nocase; http_uri; content:"press_id|3D|"; nocase; pcre:"/press_id\x3D\d+[^\&\r\n]/i"; metadata:service http; reference:bugtraq,33209; classtype:web-application-activity; sid:18586; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView Network Node Manager OpenView5 CGI buffer overflow attempt"; flow:to_server,established; content:"/OvCgi/OpenView5.exe"; fast_pattern:only; http_uri; pcre:"/(Context|Action)\x3D[^\x26\x3b]{1024}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,33147; reference:cve,2008-0067; classtype:attempted-user; sid:18579; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP openview network node manager ovlogin.exe buffer overflow - password parameter"; flow:to_server,established; content:"/ovlogin.exe"; nocase; http_uri; content:"password="; nocase; http_client_body; pcre:"/password=[^\x26\r\n]{128}/Psmi"; metadata:service http; reference:bugtraq,37330; reference:cve,2009-4176; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-admin; sid:18481; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP openview network node manager ovlogin.exe buffer overflow - userid parameter"; flow:to_server,established; content:"/ovlogin.exe"; nocase; http_uri; content:"userid="; nocase; http_client_body; pcre:"/userid=[^\x26\r\n]{128}/Psmi"; metadata:service http; reference:bugtraq,37330; reference:cve,2009-4176; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-admin; sid:18480; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP miniBB rss.php pathToFiles remote file include attempt"; flow:to_server,established; content:"rss.php"; nocase; http_uri; content:"pathToFiles="; nocase; http_uri; pcre:"/pathToFiles=(ftp|https?)/Ui"; metadata:service http; classtype:web-application-attack; sid:18479; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP miniBB rss.php premodDir remote file include attempt"; flow:to_server,established; content:"rss.php"; nocase; http_uri; content:"premodDir="; nocase; http_uri; pcre:"/premodDir=(ftp|https?)/Ui"; metadata:service http; classtype:web-application-attack; sid:18478; rev:8;)
# NOTE(review): sid 18475 - the reference host "h2000.ww2.hp.com" differs from
#   "h20000.www2.hp.com", which sids 18481 and 18480 use with the same
#   objectID, so this reference is probably mistyped. The http_uri content
#   "/OvCgi/OvWebHelp.exe" has no nocase modifier, while sid 18921 names the
#   same CGI as "/OVCgi/OvWebHelp.exe"; as written this rule matches only the
#   exact "OvCgi" spelling - TODO confirm that is intended. "Topic=" and the
#   relative 500-byte pcre carry no HTTP buffer modifier and run on the raw
#   payload.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Openview OvWebHelp.exe buffer overflow"; flow:to_server,established; content:"POST"; http_method; content:"/OvCgi/OvWebHelp.exe"; http_uri; content:"Topic="; nocase; isdataat:500,relative; pcre:"/^[^&\x3b]{500}/Ri"; metadata:service http; reference:bugtraq,37261; reference:bugtraq,37340; reference:cve,2009-4178; reference:url,h2000.ww2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877; classtype:attempted-admin; sid:18475; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Java floating point number denial of service - via POST"; flow:to_server,established; content:"2.2250738585072012e-308"; nocase; http_client_body; metadata:service http; reference:cve,2010-4476; reference:url,www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html; classtype:attempted-dos; sid:18471; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Java floating point number denial of service - via URI"; flow:to_server,established; content:"2.2250738585072012e-308"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2010-4476; reference:url,www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html; classtype:attempted-dos; sid:18470; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP raSMP User-Agent XSS injection attempt"; flow:established, to_server; content:"onload"; fast_pattern:only; http_header; content:"index.php"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*?onload=/imH"; metadata:service http; reference:bugtraq,16138; reference:cve,2006-0084; classtype:attempted-admin; sid:18467; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP raSMP User-Agent XSS injection attempt"; flow:established, to_server; content:"<script"; fast_pattern:only; http_header; content:"index.php"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*?<script/imH"; metadata:service http; reference:bugtraq,16138; reference:cve,2006-0084; classtype:attempted-admin; sid:18466; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpBook mail command execution attempt"; flow:established, to_server; content:"/lwc/index.php"; nocase; http_uri; pcre:"/index\.php\?.*mail=[^\r\n\x26]*\x3C\x3F/smiU"; metadata:service http; reference:bugtraq,16106; reference:cve,2006-0075; classtype:attempted-admin; sid:18334; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpBook date command execution attempt"; flow:established, to_server; content:"/lwc/index.php"; nocase; http_uri; pcre:"/index\.php\?.*date=[^\r\n\x26]*\x29\x3B/smiU"; metadata:service http; reference:bugtraq,16229; reference:cve,2006-0206; classtype:attempted-admin; sid:18333; rev:6;)
# NOTE(review): sid 17447 never alerts on its own. flowbits:noalert suppresses
#   the alert, and the rule only sets the flowbit http.stat_code_407 when a
#   server-to-client response carries status code 407. Any rule that tests
#   that flowbit depends on this one being enabled; check for such rules
#   before leaving it commented out.
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER-WEBAPP 407 Proxy Authentication Required"; flow:to_client,established; content:"407"; http_stat_code; flowbits:set,http.stat_code_407; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:17447; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Lighttpd mod_fastcgi Extension CGI Variable Overwriting Vulnerability attempt"; flow:to_server,established; content:"SCRIPT_FILENAME/etc/passwd|06 80 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25622; reference:cve,2007-4727; reference:url,attack.mitre.org/techniques/T1087; classtype:attempted-user; sid:17386; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Office Outlook Web Access XSRF attempt"; flow:to_server,established; content:"/owa/ev.owa"; http_uri; content:"ns=Rule"; http_uri; content:"ev=Save"; http_uri; content:"&#60params&#62&#60Id&#62&#60/Id&#62&#60Name&#62Test&#60/Name&#62&#60RecpA4&#62&#60item&#62&#60Rcp"; http_client_body; content:"AO=|22|3|22|&#62&#60/Rcp&#62&#60/item&#62&#60/RecpA4&#62&#60Actions&#62&#60item&#62&#60rca"; http_client_body; content:" t=|22|4|22|&#62&#60/rca&#62&#60/item&#62&#60/Actions&#62&#60/params&#62"; http_client_body; metadata:service http; reference:bugtraq,41462; reference:cve,2010-3213; reference:url,technet.microsoft.com/en-us/security/advisory/2401593; classtype:attempted-user; sid:17296; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8022 (msg:"SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt"; flow:to_server,established; content:"|2E 2E 5C 2E 2E 5C 2E 2E 5C|"; depth:100; pcre:"/^(GET|POST)\h+[^\n]*?\x2E\x2E\x5C\x2E\x2E\x5C\x2E\x2E\x5C[^\n]*?HTTP/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,15291; reference:cve,2005-1939; classtype:attempted-user; sid:17280; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Secure Backup Administration Server authentication bypass attempt"; flow:to_server,established; content:"login.php"; nocase; http_uri; content:"attempt"; nocase; http_uri; content:"uname="; nocase; http_uri; pcre:"/uname\x3D[^\x26\x2D\s]*?\x2D/iU"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,41596; reference:cve,2010-0904; classtype:attempted-admin; sid:17050; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovwebsnmpsrv.exe OVwSelection buffer overflow attempt - POST"; flow:to_server,established; content:"|2F|OvCgi|2F|jovgraph.exe"; nocase; http_uri; content:"OVwSelection"; nocase; http_client_body; pcre:"/(arg=[^\x26]*?OVwSelection[^\x26]*?\x26.*?sel=[^\s\x26]{1023}|sel=[^\x26]{1023,}\x26.*?arg=[^\s\x26]*?OVwSelection)/sP"; metadata:service http; reference:bugtraq,37343; reference:cve,2009-4181; classtype:attempted-user; sid:16713; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovwebsnmpsrv.exe OVwSelection buffer overflow attempt - GET"; flow:to_server,established; content:"|2F|OvCgi|2F|jovgraph.exe"; nocase; http_uri; content:"OVwSelection"; nocase; http_uri; pcre:"/(arg=[^\x26]*?OVwSelection[^\x26]*?\x26.*?sel=[^\s\x26]{1023}|sel=[^\x26]{1023,}\x26.*?arg=[^\s\x26]*?OVwSelection)/sU"; metadata:service http; reference:bugtraq,37343; reference:cve,2009-4181; classtype:attempted-user; sid:16712; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle ONE Web Server JSP source code disclosure attempt"; flow:to_server,established; content:".jsp"; nocase; http_uri; content:"|3A 3A 24|DATA"; distance:0; nocase; metadata:service http; reference:cve,2009-2445; classtype:misc-attack; sid:16682; rev:8;)
# NOTE(review): sid 16681 - content "Authorization|3A|" has neither nocase nor
#   an http_header modifier, so it is a case-sensitive match on the raw
#   payload, while the pcre that follows is case-insensitive (/smi). Both must
#   match, so only the exact capitalisation "Authorization:" is covered. The
#   pcre then requires "Basic", one whitespace character and 512 non-newline
#   bytes; it also accepts a folded header (value continued on the next line).
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Basic Authorization string overflow attempt"; flow:to_server,established; content:"Authorization|3A|"; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s[^\n]{512}/smi"; metadata:service http; reference:bugtraq,3230; reference:bugtraq,8375; reference:cve,2001-1067; reference:cve,2003-0727; classtype:attempted-dos; sid:16681; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Tandberg VCS local file disclosure attempt"; flow:to_server,established; content:"helppage.php"; fast_pattern; nocase; http_uri; content:"page="; nocase; http_uri; content:".."; http_raw_uri; metadata:service http; reference:cve,2009-4511; reference:url,secunia.com/advisories/39275/; classtype:web-application-attack; sid:16678; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovalarm.exe Accept-Language buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/ovalarm.exe"; nocase; http_uri; content:"OVABverbose="; nocase; pcre:"/^(?!false|off|no|0)/iR"; pcre:"/(OvAcceptLang|Accept-Language)\s*[\x3D\x3A]\s*[^\n]{69}/i"; metadata:service http; reference:bugtraq,37261; reference:cve,2009-4179; classtype:attempted-user; sid:16604; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Novell iManager eDirectory plugin schema buffer overflow attempt - POST request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/nps/servlet/"; nocase; http_uri; content:"taskId=base.ExtendSchema"; nocase; http_uri; pcre:"/(((DestFile|encryptPass)\x3D[^\x26]{50})|((BaseDN|SearchFilter)\x3D[^\x26]{128}))/Pi"; metadata:service http; reference:bugtraq,37672; reference:cve,2009-4486; classtype:attempted-admin; sid:16430; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Novell iManager eDirectory plugin schema buffer overflow attempt - GET request"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/nps/servlet/"; nocase; http_uri; content:"taskId=base.ExtendSchema"; nocase; http_uri; pcre:"/(((DestFile|encryptPass)\x3D[^\x26]{50})|((BaseDN|SearchFilter)\x3D[^\x26]{128}))/Ui"; metadata:service http; reference:bugtraq,37672; reference:cve,2009-4486; classtype:attempted-admin; sid:16429; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Java System Web Server 7.0 WebDAV format string exploit attempt - LOCK method"; flow:to_server,established; content:"LOCK"; nocase; http_method; content:"<?xml"; fast_pattern; content:"encoding"; within:50; pcre:"/\<\?xml[^\>]+encoding\s*\=\s*(\'|\")[^\'\"\>\%]*\%/"; metadata:service http; reference:bugtraq,37910; reference:cve,2010-0388; classtype:attempted-user; sid:16427; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Java System Web Server 7.0 WebDAV format string exploit attempt - PROPFIND method"; flow:to_server,established; content:"PROPFIND"; depth:8; fast_pattern; nocase; content:"<?xml"; content:"encoding"; within:30; pcre:"/\<\?xml[^\>]+encoding\s*\=\s*(\'|\")[^\'\"\>\%]*\%/"; metadata:service http; reference:bugtraq,37910; reference:cve,2010-0388; classtype:attempted-user; sid:16426; rev:8;)
# NOTE(review): sid 16218 - after "Content-Length:" in the raw headers,
#   byte_jump reads up to 10 bytes as a string-encoded number and moves the
#   cursor by that amount plus post_offset 4. The relative pcre then requires
#   a request method at the landing point, i.e. a second request where the
#   declared body ends. Only GET, POST, TRACE, DESCRIBE and DELETE are listed.
#   no_stream keeps the rule off reassembled stream packets, so both requests
#   presumably have to sit in one packet for a match - confirm before counting
#   this as request-smuggling coverage.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Content-Length request offset smuggling attempt"; flow:to_server,established,no_stream; content:"Content-Length|3A|"; http_raw_header; byte_jump:10,0,string,relative,post_offset 4; pcre:"/^(GET|POST|TRACE|DESCRIBE|DELETE)/R"; metadata:service http; reference:bugtraq,14106; reference:cve,2005-2088; classtype:misc-attack; sid:16218; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8008,8010,8028,8030] (msg:"SERVER-WEBAPP Novell eDirectory HTTP request content-length heap buffer overflow attempt"; flow:to_server,established; content:"POST /SOAP"; depth:10; nocase; pcre:"/^Content-Length\s*\x3A\s*[1-9][0-9]{8}/mi"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-4478; classtype:attempted-user; sid:16194; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP memory_limit vulnerability exploit attempt"; flow:to_server,established; content:"---------------------------153501500631101"; fast_pattern:only; http_header; metadata:service http; reference:bugtraq,10725; reference:cve,2004-0594; classtype:attempted-user; sid:16078; rev:5;)
# NOTE(review): sid 16056 keys on two literal key fragments
#   (<key mod="784607708866 and pub="75429754206) anywhere in the payload.
#   Unlike its neighbours it has no metadata:service entry, so it is applied by
#   destination port [8004,8005] only. The fragments presumably belong to fixed
#   key material tied to CVE-2006-0230 - confirm against the advisory before
#   tuning.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8004,8005] (msg:"SERVER-WEBAPP Symantec Scan Engine authentication bypass attempt"; flow:to_server,established; content:"<key mod=|22|784607708866"; content:"pub=|22|75429754206"; reference:bugtraq,17637; reference:cve,2006-0230; classtype:attempted-recon; sid:16056; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8300 (msg:"SERVER-WEBAPP Novell Groupwise Messenger parameters invalid memory access attempt"; flow:to_server,established; content:"tag=NM_A_PARM1"; fast_pattern:only; content:"POST"; http_method; content:"/login"; depth:6; nocase; http_uri; content:"|0D 0A 0D 0A|"; content:"cmd=0"; distance:0; nocase; pcre:"/(^|[\x26\x3f])val\s*?=\s*?([\x26]|$)/mi"; metadata:service http; reference:bugtraq,20316; reference:cve,2006-4511; classtype:attempted-admin; sid:16028; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ipswitch WhatsUp Gold DOS Device HTTP request denial of service attempt"; flow:to_server,established; content:"prn"; http_uri; pcre:"/^(GET|POST)\s+[^\x0a]*?\x2fprn\x2e(htm|html|asp|cgi)/i"; metadata:service http; reference:bugtraq,11110; reference:cve,2004-0799; classtype:attempted-dos; sid:15982; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Macromedia JRun 4 mod_jrun buffer overflow attempt"; flow:to_server,established; content:".jsp"; http_uri; content:"HOST"; nocase; isdataat:1000,relative; pcre:"/^HOST\s*\x3a\s*[^\x0a]{1000}/mi"; metadata:service http; reference:bugtraq,11245; reference:cve,2004-0646; classtype:attempted-user; sid:15978; rev:7;)
# NOTE(review): sid 15977 matches one complete literal request string
#   (path, parameter name and value), apparently a single published test
#   request rather than the strip_tags behaviour behind CVE-2004-0595. An
#   alert says that this exact string was seen; the rule should not be counted
#   as coverage for the vulnerability itself.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP strip_tags bypass vulnerability exploit attempt"; flow:to_server,established; content:"/strip/getPoc.php?note=%3Cs%00cript%3Ealert%28%27Oops!%27%29%3B%3C%2Fs%00cript%3E"; fast_pattern:only; metadata:service http; reference:bugtraq,10724; reference:cve,2004-0595; classtype:attempted-user; sid:15977; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"SERVER-WEBAPP Ipswitch IMail Calendaring arbitrary file read attempt"; flow:to_server,established; content:"GET /what.jsp?|5C|..|5C|.."; fast_pattern:only; metadata:service http; reference:bugtraq,13727; reference:cve,2005-1252; classtype:attempted-recon; sid:15953; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3443 (msg:"SERVER-WEBAPP HP OpenView Network Node Manager URI rping stack buffer overflow attempt"; flow:to_server,established; content:"/OvCgi/webappmon.exe"; nocase; http_uri; content:"act=rping"; distance:0; nocase; http_uri; pcre:"/sel\x3d[^\x26\x0a]{73}/Ui"; metadata:service http; reference:bugtraq,35267; reference:cve,2009-1420; classtype:attempted-user; sid:15726; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Subversion 1.0.2 dated-rev-report buffer overflow over http attempt"; flow:to_server,established; content:"dated-rev-report"; nocase; content:"<D|3A|CREATIONDATE>"; distance:0; nocase; isdataat:75,relative; pcre:"/dated-rev-report.*?<D\x3aCREATIONDATE>([^\x3C]{75}|[\s\x20-\x3B\x3D-\x7E]{0,74}[^\s\x20-\x7E])/ims"; metadata:service http; reference:bugtraq,10386; reference:cve,2004-0397; classtype:attempted-user; sid:15491; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP wordpress cat parameter arbitrary file execution attempt"; flow:to_server,established; content:"/wordpress/"; fast_pattern; nocase; http_uri; content:"cat="; nocase; content:"../"; distance:0; pcre:"/\x2Fwordpress\x2F\x3F[^\r\n]*cat\s*=\s*[^\r\n\x26]*\x2F\x2E\x2E/smi"; metadata:service http; reference:bugtraq,28845; reference:cve,2008-4769; classtype:web-application-attack; sid:15432; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpBB mod tag board sql injection attempt"; flow:to_server,established; content:"tag_board.php"; fast_pattern; nocase; http_uri; content:"action=delete"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/tag_board\.php\x3F[^\r\n]*action=delete[^\r\n]*id=[^\r\n\x26]*(select|insert|delete)/Usmi"; metadata:service http; reference:bugtraq,32701; reference:cve,2008-6314; reference:url,attack.mitre.org/techniques/T1190; classtype:web-application-attack; sid:15425; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpBB mod shoutbox sql injection attempt"; flow:to_server,established; content:"shoutbox_view.php"; fast_pattern; nocase; http_uri; content:"mode="; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/shoutbox_view\.php\x3F[^\r\n]*mode\s*=\s*(delete|edit)[^\r\n]*id\s*=\s*[^\r\n\x26]*[^\d]+/Usmi"; metadata:service http; reference:bugtraq,32123; reference:cve,2008-6301; reference:url,attack.mitre.org/techniques/T1190; classtype:web-application-attack; sid:15424; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8030,8028,8008,8010] (msg:"SERVER-WEBAPP Novell eDirectory SOAP Accept Charset header overflow attempt"; flow:to_server,established; content:"/SOAP"; fast_pattern; nocase; http_uri; content:"Accept-Charset|3A|"; nocase; pcre:"/^Accept\x2dCharset\x3a\s*?([^\x3b\x3d\x2c]{1,36}\s*?[\x2d\x3b\x3d\x2c]\s*?)*[^\x2d\x3b\x2c\x3d\n]{37}/smi"; metadata:policy max-detect-ips drop; reference:cve,2008-4479; classtype:attempted-user; sid:14990; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla invalid token administrative password reset attempt"; flow:to_server,established; content:"task=confirmreset"; nocase; http_uri; content:"option=com_user"; http_uri; content:"token=%27&"; nocase; metadata:service http; reference:bugtraq,30667; reference:cve,2008-3681; reference:url,developer.joomla.org/security/news/241-20080801-core-password-remind-functionality.html; classtype:attempted-admin; sid:14610; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"SERVER-WEBAPP SAP DB web server stack buffer overflow attempt"; flow:to_server,established; content:"/webdbm"; fast_pattern:only; http_uri; content:"HTTP_"; nocase; http_uri; isdataat:263,relative; pcre:"/[?&]HTTP_(COOKIE|SERVER)=[^&]{256}/iU"; metadata:service http; reference:bugtraq,24773; reference:cve,2007-3614; classtype:attempted-admin; sid:14230; rev:10;)
# Disabled rules sid 13818, 13817 and 13816 all reference CVE-2005-1921 and share one
# shape: a POST whose client body contains "xml version", then the XML-RPC
# <methodCall><methodName> prefix, then fixed payload literals. The final contents are
# exact byte strings, so each rule recognises only that specific request body.
# None of the three has an http_uri match; they key on body content alone. The generic
# "PHP xmlrpc.php post attempt" rule (sid 3827) is the broader companion in this file.
# NOTE(review): sid 13818's last content reads as a SQL-style comparison rather than a
# shell command, although its msg says "command injection"; triage alerts accordingly.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP alternate xmlrpc.php command injection attempt"; flow:to_server,established; content:"POST"; http_method; content:"xml version"; http_client_body; content:"<methodCall><methodName>"; distance:0; http_client_body; content:"</methodName><params><param><value><string></string></value></param><param><value><string>"; distance:0; http_client_body; content:"AND ascii|28|substring|28|pass,1,1|29 29 0A|/**/BETWEEN/**/52/**/AND/**/58|29|/*"; http_client_body; metadata:service http; reference:bugtraq,14088; reference:cve,2005-1921; classtype:attempted-admin; sid:13818; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP xmlrpc.php command injection attempt"; flow:to_server,established; content:"POST"; http_method; content:"xml version"; http_client_body; content:"<methodCall><methodName>"; distance:0; http_client_body; content:"</methodName><params><param><value><name>"; distance:0; http_client_body; content:"',''|29 29 3B|echo '_begin_|0A|'|3B|echo"; distance:0; http_client_body; metadata:service http; reference:bugtraq,14088; reference:cve,2005-1921; classtype:attempted-admin; sid:13817; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP xmlrpc.php command injection attempt"; flow:to_server,established; content:"POST"; http_method; content:"xml version"; http_client_body; content:"<methodCall><methodName>"; distance:0; http_client_body; content:"</methodName><params><param><name>"; distance:0; http_client_body; content:"'|29 3B|echo|28|'"; distance:0; http_client_body; content:"'|29 3B| passthru|28|chr|28|"; distance:0; http_client_body; metadata:service http; reference:bugtraq,14088; reference:cve,2005-1921; classtype:attempted-admin; sid:13816; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Trend Micro OfficeScan CGI password decryption buffer overflow attempt"; flow:to_server,established; content:"/cgiChkMasterPwd.exe"; fast_pattern:only; content:"CRYPT"; nocase; isdataat:512,relative; pcre:"/TMlogonEncrypted=(\!|\%21)CRYPT(\!|\%21)[A-Z0-9]{512}/i"; metadata:policy max-detect-ips drop; reference:bugtraq,28020; reference:cve,2008-1365; reference:url,secunia.com/advisories/29124; classtype:web-application-attack; sid:13591; rev:8;)
# Disabled rule sid 12610 (CVE-2004-1315): viewtopic.php and highlight= must both be in
# the normalized URI, but content:"%25" has no HTTP buffer modifier and no distance or
# within, so it is searched in the packet payload and is not tied to the highlight=
# value. Any literal %25 in the request satisfies it; expect benign hits from requests
# that legitimately encode a percent sign. Tune or threshold before enabling.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phpBB viewtopic double URL encoding attempt"; flow:to_server,established; content:"viewtopic.php"; http_uri; content:"highlight="; http_uri; content:"%25"; metadata:service http; reference:cve,2004-1315; classtype:web-application-attack; sid:12610; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Squid HTTP Proxy-Authorization overflow attempt"; flow:to_server,established; content:"TlRMTVNTUAADAAAA"; fast_pattern:only; content:"Proxy-Authorization"; nocase; pcre:"/^\s*\x3a\s*[Nn][Tt][Ll][Mm]\s+TlRMTVNTUAADAAAA/R"; base64_decode:relative; base64_data; byte_test:2,>,24,0,little; metadata:service http; reference:bugtraq,10500; reference:cve,2004-0541; classtype:attempted-user; sid:12362; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHP function CRLF injection attempt"; flow:to_server,established; content:".php"; http_uri; content:"|0A|"; http_uri; metadata:service http; reference:bugtraq,52630; reference:bugtraq,5681; reference:cve,2002-1783; classtype:web-application-attack; sid:12360; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CSGuestbook setup attempt"; flow:to_server,established; content:"csGuestbook.cgi"; fast_pattern:only; http_uri; content:"command=savesetup"; nocase; http_uri; content:"setup="; nocase; http_uri; metadata:service http; reference:bugtraq,4448; reference:cve,2002-1750; classtype:web-application-activity; sid:12255; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP file upload GLOBAL variable overwrite attempt"; flow:to_server,established; content:"Content-Type|3A|"; nocase; http_header; content:"multipart/form-data"; fast_pattern; nocase; http_header; content:"name="; nocase; content:"GLOBALS"; within:20; nocase; metadata:service http; reference:bugtraq,15250; reference:cve,2005-3390; classtype:web-application-attack; sid:12221; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ipswitch WhatsUpGold configuration access"; flow:to_server,established; content:"/_maincfgret.cgi"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,11043; reference:bugtraq,11109; reference:cve,2004-0798; classtype:web-application-activity; sid:12057; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle iSQL Plus cross site scripting attempt"; flow:to_server,established; content:"/isqlplus"; nocase; http_uri; content:"password="; nocase; http_uri; pcre:"/password[\x3d\x3f][^\n\x26]*\x3c[^\n\x26]+\x3e/Ui"; metadata:service http; reference:bugtraq,9484; reference:cve,2004-2115; classtype:web-application-attack; sid:11685; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP vbulletin php code injection"; flow:to_server,established; content:"misc.php"; http_uri; pcre:"/template\s*=\s*\x7b\x24/sUmi"; metadata:service http; reference:cve,2005-0511; reference:url,marc.info/?l=bugtraq&m=110910899415763&w=2; classtype:attempted-user; sid:11668; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sphpblog arbitrary file delete attempt"; flow:to_server,established; content:"sphpblog"; http_uri; content:"comment_delete_cgi.php"; fast_pattern; nocase; http_uri; pcre:"/comment=[^\x26\s]*[\x2f\x5c]/sUmi"; metadata:service http; reference:bugtraq,14667; reference:cve,2005-2733; classtype:attempted-user; sid:11667; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sphpblog upload_img_cgi access attempt"; flow:to_server,established; content:"sphpblog"; http_uri; content:"upload_img_cgi.php"; fast_pattern; nocase; http_uri; metadata:service http; reference:bugtraq,14667; reference:cve,2005-2733; classtype:attempted-user; sid:11666; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sphpblog install03_cgi access attempt"; flow:to_server,established; content:"sphpblog"; http_uri; content:"install03_cgi.php"; fast_pattern; nocase; http_uri; metadata:service http; reference:bugtraq,14667; reference:cve,2005-2733; classtype:attempted-user; sid:11665; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sphpblog password.txt access attempt"; flow:to_server,established; content:"sphpblog"; http_uri; content:"password.txt"; fast_pattern; nocase; http_uri; metadata:service http; reference:bugtraq,14667; reference:cve,2005-2733; classtype:attempted-user; sid:11664; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Sygate Policy Manager SQL injection"; flow:to_server,established; content:"/servlet/Sygate.Servlet.login"; nocase; http_uri; pcre:"/[^\x26\x20\x0a]*insert[^\x26\x20\x0a]*Login[^\x26\x20\x0a]*Admin/smi"; metadata:service http; reference:bugtraq,16452; reference:cve,2006-0522; classtype:attempted-admin; sid:11616; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP google proxystylesheet arbitrary command execution attempt"; flow:to_server,established; content:"proxystylesheet"; http_uri; content:"/search"; http_uri; pcre:"/proxystylesheet=[-a-z0-9_\.]*[^-a-z0-9_\.&\s]/sUmi"; metadata:service http; reference:bugtraq,15509; reference:cve,2005-3757; reference:url,metasploit.com/research/vulns/google_proxystylesheet/; classtype:web-application-attack; sid:11223; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle iSQL Plus cross site scripting attempt"; flow:to_server,established; content:"/isqlplus"; nocase; http_uri; content:"username="; nocase; http_uri; pcre:"/username[\x3d\x3f][^\n\x26]*\x3c[^\n\x26]+\x3e/Ui"; metadata:service http; reference:bugtraq,9484; reference:cve,2004-2115; classtype:web-application-attack; sid:11194; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle iSQL Plus cross site scripting attempt"; flow:to_server,established; content:"/isqlplus"; nocase; http_uri; content:"action="; nocase; http_uri; pcre:"/action[\x3d\x3f][^\n\x26]*\x3c[^\n\x26]+\x3e/Ui"; metadata:service http; reference:bugtraq,9484; reference:cve,2004-2115; classtype:web-application-attack; sid:11193; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-WEBAPP chetcpasswd access"; flow:to_server,established; content:"chetcpasswd.cgi"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,21102; reference:bugtraq,6472; reference:cve,2002-2220; reference:cve,2006-6679; classtype:web-application-activity; sid:10999; rev:13;)
# Disabled rule sid 10997 (CVE-2002-0656) is an SSL rule, not an HTTP one: it is tagged
# metadata:service ssl, fixed to destination port 443, and uses ssl_version and
# ssl_state, which are provided by Snort's SSL/TLS preprocessor. Make sure that
# preprocessor is configured before uncommenting the rule.
# The match is a byte |02| at offset 2 (depth 1), then byte_test:2,>,8,7,relative: a
# two-byte value read 7 bytes after that match must be greater than 8. Presumably this
# is the KEY_ARG length named in the msg - confirm against the SSLv2 record layout.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-WEBAPP SSLv2 OpenSSl KEY_ARG buffer overflow attempt"; flow:to_server,established; ssl_version:sslv2; ssl_state:client_keyx; content:"|02|"; depth:1; offset:2; byte_test:2,>,8,7,relative; metadata:service ssl; reference:bugtraq,5362; reference:cve,2002-0656; classtype:misc-attack; sid:10997; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP encoded cross site scripting HTML Image tag attempt"; flow:to_server,established; content:"ONERROR="; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,5847; reference:cve,2002-0840; classtype:web-application-attack; sid:10990; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Content-Length buffer overflow attempt"; flow:to_server,established; content:"Content-Length|3A|"; nocase; http_header; isdataat:100,relative; pcre:"/^Content-Length\x3A\s*[^\r\n]{100}/smiH"; metadata:service http; reference:cve,2007-1260; reference:url,djeyl.net/w.php; classtype:attempted-admin; sid:10195; rev:12;)
# Disabled rule sid 10172 (CVE-2007-0927) inspects server responses, not requests:
# flow:to_client with file_data, from $EXTERNAL_NET HTTP ports to $HOME_NET clients.
# Immediately after "d8:announce" (pcre /R anchored with ^) it requires a decimal number
# followed by ":". The alternation accepts any run of five or more digits, 3901-3999,
# or 4000-9999, so the rule fires when the length declared for the announce string
# exceeds 3900.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP uTorrent announce buffer overflow attempt"; flow:to_client,established; file_data; content:"d8|3A|announce"; nocase; pcre:"/^(\d{5,}|390[1-9]|39[1-9][0-9]|[4-9][0-9]{3})\x3A/R"; metadata:service http; reference:bugtraq,22530; reference:cve,2007-0927; classtype:attempted-user; sid:10172; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .cmd? access"; flow:to_server,established; content:".cmd?"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,4335; reference:cve,2002-0061; classtype:web-application-activity; sid:9791; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Pajax call_dispatcher remote code execution attempt"; flow:to_server,established; content:"pajax_call_dispatcher.php"; fast_pattern:only; http_uri; content:"method"; nocase; http_client_body; pcre:"/method[\x22\x27]\s*?\x3a\s*?[\x22\x27][^\x22\x27]*?(system|eval)\s*?\x28/Pi"; metadata:service http; reference:bugtraq,17519; reference:cve,2006-1551; classtype:attempted-admin; sid:9620; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Pajax call_dispatcher className directory traversal attempt"; flow:to_server,established; content:"pajax_call_dispatcher.php"; fast_pattern:only; http_uri; content:"className"; nocase; http_client_body; pcre:"/className[\x22\x27]\s*\x3a\s*[\x22\x27][^\x22\x27]*?(\x2e\x2e|%2e%2e)([\x5c\x2f]|%5c|%2f)/Pi"; metadata:service http; reference:bugtraq,17519; reference:cve,2006-1789; classtype:web-application-attack; sid:8734; rev:9;)
# Disabled cacti rules sid 8716-8712. The four "SQL injection" rules (CVE-2005-2148)
# use a negative lookahead: they alert when local_graph_id= is followed by anything
# other than digits or nothing, or rra_id= by anything other than digits, "all" or
# nothing, before the next "&", whitespace or end of data. They flag any non-numeric
# value, so they act as allow-list checks rather than matches on SQL keywords.
# sid 8712 (CVE-2005-1524) applies the same idea to graph_start/end/height/width, but
# its lookahead has no "|$" alternative, unlike the other four.
# None of these pcre options carries the U modifier, so they are not limited to the
# normalized URI buffer that the http_uri content matches use.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cacti graph_image SQL injection attempt"; flow:to_server,established; content:"graph.php"; nocase; http_uri; pcre:"/local_graph_id=(?!(\d+|)([\x26\s]|$))/smi"; metadata:service http; reference:bugtraq,14128; reference:bugtraq,14129; reference:cve,2005-2148; classtype:web-application-attack; sid:8716; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cacti graph_image SQL injection attempt"; flow:to_server,established; content:"graph.php"; nocase; http_uri; pcre:"/rra_id=(?!(\d+|all|)([\x26\s]|$))/smi"; metadata:service http; reference:bugtraq,14128; reference:bugtraq,14129; reference:cve,2005-2148; classtype:web-application-attack; sid:8715; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cacti graph_image SQL injection attempt"; flow:to_server,established; content:"graph_image.php"; nocase; http_uri; pcre:"/local_graph_id=(?!(\d+|)([\x26\s]|$))/smi"; metadata:service http; reference:bugtraq,14128; reference:bugtraq,14129; reference:cve,2005-2148; classtype:web-application-attack; sid:8714; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cacti graph_image SQL injection attempt"; flow:to_server,established; content:"graph_image.php"; nocase; http_uri; pcre:"/rra_id=(?!(\d+|all|)([\x26\s]|$))/smi"; metadata:service http; reference:bugtraq,14128; reference:bugtraq,14129; reference:cve,2005-2148; classtype:web-application-attack; sid:8713; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cacti graph_image arbitrary command execution attempt"; flow:to_server,established; content:"graph_image.php"; nocase; http_uri; pcre:"/graph_(start|end|height|width)=(?!(\d+|)[\x26\s])/smi"; metadata:service http; reference:bugtraq,14042; reference:bugtraq,14129; reference:cve,2005-1524; classtype:web-application-attack; sid:8712; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress cache_lastpostdate code injection attempt"; flow:to_server,established; content:"wp_filter"; pcre:"/cache_lastpostdate\[[^\]]+\]=[^\x00\x3B\x3D]{30}/smi"; metadata:service http; reference:bugtraq,14533; reference:cve,2005-2612; classtype:attempted-admin; sid:8708; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [80,8000] (msg:"SERVER-WEBAPP IceCast header buffer overflow attempt"; flow:to_server,established; content:"HTTP/1."; nocase; isdataat:32,relative; pcre:"/HTTP\/1\.[01].*?\n([^\r\n]+?\r?\n){32}/i"; reference:bugtraq,11271; reference:cve,2004-1561; reference:url,archives.neohapsis.com/archives/bugtraq/2004-09/0366.html; classtype:attempted-admin; sid:8701; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Trend Micro atxconsole format string server response attempt"; flow:to_client,established; file_data; content:"-99 Cannot+find+"; content:"%25n"; distance:0; metadata:service http; reference:bugtraq,20284; reference:cve,2006-5157; classtype:attempted-user; sid:8444; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CVSTrac filediff function access"; flow:to_server,established; content:"filediff"; fast_pattern; nocase; http_uri; content:"f="; nocase; metadata:service http; reference:bugtraq,10878; reference:cve,2004-1456; reference:nessus,14238; reference:url,www.kb.cert.org/vuls/id/770816; classtype:web-application-activity; sid:8084; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP encoded cross site scripting HTML Image tag set to javascript attempt"; flow:to_server,established; content:"img src=javascript"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,4858; reference:cve,2002-0902; classtype:web-application-attack; sid:7071; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1000 (msg:"SERVER-WEBAPP ALT-N WebAdmin user param overflow attempt"; flow:to_server,established; content:"POST"; content:"/WebAdmin.dll?"; nocase; content:"View=Logon"; distance:0; nocase; pcre:"/WebAdmin\x2Edll\x3F[^\r\n]*?View=Logon.*?\r\n\r\n[^\r\n\x26]*User=[^\r\n\x26]{100}/smi"; reference:bugtraq,8024; reference:cve,2003-0471; classtype:attempted-admin; sid:6511; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"SERVER-WEBAPP novell edirectory imonitor overflow attempt"; flow:to_server,established; content:"/nds"; nocase; http_uri; isdataat:1000,relative; pcre:"/\x2fnds[^\r\n]{1000}/Usmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,18026; reference:cve,2006-2496; classtype:attempted-admin; sid:6507; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP horde help module arbitrary command execution attempt"; flow:to_server,established; content:"/services/help/"; http_uri; pcre:"/[\?\x20\x3b\x26]module=[a-zA-Z0-9]*[\x3b\x21\x7c\x3c\x3e\x60\x5c\x2f]/Ui"; metadata:service http; reference:bugtraq,17292; reference:cve,2006-1491; classtype:web-application-attack; sid:6403; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WinProxy host header port buffer overflow attempt"; flow:to_server,established; content:"Host|3A|"; nocase; http_header; content:!"|0A|"; within:100; http_header; pcre:"/^Host\x3a\s+?[^\x3a\n]*?\x3a[^\n]{100}/miH"; metadata:service http; reference:bugtraq,16147; reference:cve,2005-4085; reference:url,www.bluecoat.com/support/knowledge/advisory_host_header_stack_overflow.html; classtype:attempted-admin; sid:5997; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP file upload directory traversal"; flow:to_server,established; content:"POST"; http_method; content:"upload.php"; fast_pattern; nocase; http_uri; pcre:"/^Content-Type\x3A\s+multipart\/form-data/smiH"; content:"Content-Disposition|3A|"; nocase; http_header; pcre:"/filename=\S*\x2e\x2e\x2f/smiH"; content:"|0A|"; distance:0; metadata:service http; reference:url,bugs.php.net/bug.php?id=28456; classtype:misc-attack; sid:5709; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Barracuda IMG.PL directory traversal attempt"; flow:to_server,established; content:"/img.pl"; nocase; http_uri; pcre:"/img\.pl\x3f[^\r\n]*f=[^\x26\r\n\x2e]*\x2e\x2e/Usmi"; metadata:service http; reference:bugtraq,14712; reference:cve,2005-2847; classtype:attempted-admin; sid:4988; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Twiki viewfile rev command injection attempt"; flow:to_server,established; content:"/viewfile/"; nocase; http_uri; content:"twiki"; distance:0; nocase; http_uri; content:"|7C|"; distance:0; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14834; reference:cve,2005-2877; classtype:attempted-admin; sid:4987; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Twiki view rev command injection attempt"; flow:to_server,established; content:"/view/"; nocase; http_uri; content:"twiki"; distance:0; nocase; http_uri; content:"|7C|"; distance:0; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14834; reference:cve,2005-2877; classtype:attempted-admin; sid:4986; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cacti graph_image.php access"; flow:to_server,established; content:"/cacti/graph_image.php"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,14042; classtype:web-application-activity; sid:4650; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP 4DWebstar ShellExample.cgi information disclosure"; flow:to_server,established; content:"/ShellExample.cgi"; fast_pattern:only; http_uri; pcre:"/ShellExample\.cgi\?[^\n\r\&]*\x2a/Ui"; metadata:service http; reference:bugtraq,10721; reference:cve,2004-0696; reference:url,www.atstake.com/research/advisories/2004/a071304-1.txt; classtype:attempted-recon; sid:4128; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP xmlrpc.php post attempt"; flow:to_server,established; content:"POST"; http_method; content:"/xmlrpc.php"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,14088; reference:cve,2005-1921; reference:cve,2014-5266; classtype:web-application-attack; sid:3827; rev:15;)
# Disabled rule sid 3822 (CVE-2005-1766) runs in the opposite direction from the rules
# on either side of it: $HOME_NET -> $EXTERNAL_NET, so it inspects outbound requests
# made by internal clients. It alerts when the normalized URI contains "/" followed by
# 188 or more non-"/" characters and then ".rt".
# The metadata carries policy max-detect-ips drop; where that policy is applied inline
# the request would be dropped, so check for legitimate long .rt URLs first.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP RealNetworks RealPlayer realtext long URI request attempt"; flow:to_server,established; content:".rt"; fast_pattern:only; http_uri; pcre:"/\x2f[^\x2f]{188,}\x2ert/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14048; reference:cve,2005-1766; reference:nessus,18558; classtype:protocol-command-decode; sid:3822; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP BadBlue ext.dll buffer overflow attempt"; flow:to_server,established; content:"ext.dll"; http_uri; content:"mfcisapicommand="; nocase; isdataat:250,relative; pcre:"/mfcisapicommand=[^&\r\n\x3b]{250}/smi"; metadata:service http; reference:bugtraq,12673; reference:cve,2005-0595; classtype:attempted-admin; sid:3816; rev:12;)
# Disabled rule sid 3813 (CVE-2005-0116): a request to /awstats.pl? whose configdir=
# value starts with "|" (\x7C), checked in the normalized URI.
# NOTE(review): in the pcre, "awstats.pl?" is unescaped, so "." matches any character
# and "?" makes the "l" optional instead of matching a literal question mark. The
# literal "/awstats.pl?" is still enforced by the content match, so detection is not
# lost, but awstats\.pl\? would state the intent exactly.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP awstats.pl configdir command execution attempt"; flow:to_server,established; content:"/awstats.pl?"; fast_pattern; nocase; http_uri; content:"configdir="; nocase; http_uri; pcre:"/awstats.pl?[^\r\n]*configdir=\x7C/Ui"; metadata:service http; reference:bugtraq,12298; reference:cve,2005-0116; reference:nessus,16189; classtype:attempted-user; sid:3813; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Nucleus CMS action.php itemid SQL injection"; flow:to_server,established; content:"action.php"; fast_pattern; nocase; http_uri; content:"itemid="; nocase; pcre:"/itemid=\d*[^\d\&\;\r\n]/i"; metadata:service http; reference:bugtraq,10798; reference:cve,2004-2056; reference:nessus,14194; classtype:web-application-activity; sid:3690; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP newsscript.pl admin attempt"; flow:to_server,established; content:"/newsscript.pl"; nocase; http_uri; content:"mode=admin"; nocase; metadata:service http; reference:bugtraq,12761; reference:cve,2005-0735; reference:nessus,17309; classtype:web-application-attack; sid:3676; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP db4web_c directory traversal attempt"; flow:to_server,established; content:"/db4web_c"; fast_pattern:only; http_uri; pcre:"/db4web_c(\.exe)?\/.*(\.\.[\\\/]|[a-z]\:)/smiU"; metadata:service http; reference:bugtraq,5723; reference:cve,2002-1483; reference:nessus,11182; classtype:web-application-attack; sid:3674; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SoftCart.exe CGI buffer overflow attempt"; flow:to_server,established; content:"/SoftCart.exe"; fast_pattern:only; http_uri; pcre:"/\/SoftCart\.exe\?[^\s]{100}/smi"; metadata:service http; reference:bugtraq,10926; reference:cve,2004-2221; classtype:web-application-attack; sid:3638; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sambar /search/results.stm access"; flow:to_server,established; content:"POST"; nocase; content:"/search/results.stm"; nocase; metadata:service http; reference:bugtraq,7975; reference:bugtraq,9607; reference:cve,2004-2086; reference:nessus,18650; classtype:web-application-activity; sid:3629; rev:8;)
# Disabled TrackerCam rules sid 3548-3544 (CVE-2005-0481). All five are bound to
# destination port 8090, carry no metadata:service, and use no HTTP buffer modifiers,
# so they inspect the raw TCP payload on that port only. If the product listens on a
# different port in your environment, these rules will not see the traffic as written.
# sid 3548: Content-Length header whose value is a negative number.
# sid 3547: "php" followed later by "?" and 256 non-newline bytes. The only content is
#           the three-byte string "php", so expect it to be evaluated often.
# sid 3546: User-Agent header with 216 or more non-newline bytes after the colon.
# sid 3545 / 3544: /ComGetLogFile.php3 followed (pcre /R) by fn=EyeNNNN_NN.log, or by
#           fn= starting with "../" or "..\".
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"SERVER-WEBAPP TrackerCam negative Content-Length attempt"; flow:to_server,established; content:"Content-Length|3A|"; nocase; pcre:"/^Content-Length\x3a(\s*|\s*\r?\n\s+)-\d+/smi"; reference:bugtraq,12592; reference:cve,2005-0481; classtype:web-application-attack; sid:3548; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"SERVER-WEBAPP TrackerCam overly long php parameter overflow attempt"; flow:to_server,established; content:"php"; nocase; isdataat:255,relative; pcre:"/php.*\x3f[^\n]{256}/smi"; reference:bugtraq,12592; reference:cve,2005-0481; classtype:web-application-attack; sid:3547; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"SERVER-WEBAPP TrackerCam User-Agent buffer overflow attempt"; flow:to_server,established; content:"User-Agent|3A|"; nocase; isdataat:215,relative; pcre:"/^User-Agent\x3a[^\n]{216}/smi"; reference:bugtraq,12592; reference:cve,2005-0481; classtype:web-application-attack; sid:3546; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"SERVER-WEBAPP TrackerCam ComGetLogFile.php3 log information disclosure"; flow:to_server,established; content:"/ComGetLogFile.php3"; nocase; pcre:"/fn=Eye\d{4}_\d{2}\.log/Rmsi"; reference:bugtraq,12592; reference:cve,2005-0481; reference:nessus,17160; classtype:web-application-activity; sid:3545; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8090 (msg:"SERVER-WEBAPP TrackerCam ComGetLogFile.php3 directory traversal attempt"; flow:to_server,established; content:"/ComGetLogFile.php3"; nocase; pcre:"/fn=\x2e\x2e(\x2f|\x5c)/Rmsi"; reference:bugtraq,12592; reference:cve,2005-0481; reference:nessus,17160; classtype:web-application-attack; sid:3544; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ipswitch WhatsUp Gold dos attempt"; flow:to_server,established; content:"/prn"; fast_pattern:only; http_uri; pcre:"/\/prn\.(asp|cgi|html?)/Ui"; metadata:service http; reference:bugtraq,11110; reference:cve,2004-0799; reference:url,www.idefense.com/application/poi/display?id=142&type=vulnerabilities; reference:url,www.ipswitch.com/Support/WhatsUp/patch-upgrades.html; reference:url,www.secunia.com/advisories/12578/; classtype:attempted-dos; sid:3469; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP math_sum.mscgi access"; flow:to_server,established; content:"/math_sum.mscgi"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,10831; reference:nessus,14182; classtype:web-application-activity; sid:3468; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CISCO VoIP Portinformation access"; flow:to_server,established; content:"/PortInformation"; http_uri; metadata:service http; reference:bugtraq,4798; reference:cve,2002-0882; classtype:web-application-activity; sid:3467; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP RiSearch show.pl proxy attempt"; flow:to_server,established; content:"/show.pl"; fast_pattern; nocase; http_uri; content:"url="; nocase; http_uri; metadata:service http; reference:bugtraq,10812; reference:cve,2004-2061; classtype:web-application-activity; sid:3465; rev:13;)
# Disabled community rules for awstats (metadata:ruleset community).
# sid 3464: /awstats.pl? with a non-empty update= value and a logfile= value that starts
#           with "|" (\x7C), all checked in the normalized URI.
# sid 3463: any request whose URI contains /awstats.pl (classtype
#           web-application-activity). It records access only and will fire on ordinary
#           use of awstats.
# NOTE(review): in sid 3464's second pcre, "awstats.pl?" is unescaped, so "." matches
# any character and "?" makes the "l" optional instead of matching a literal question
# mark. The content match still enforces the literal "/awstats.pl?", but awstats\.pl\?
# would state the intent exactly.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP awstats.pl command execution attempt"; flow:to_server,established; content:"/awstats.pl?"; fast_pattern; nocase; http_uri; content:"update="; http_uri; pcre:"/update=[^\r\n\x26]+/Ui"; content:"logfile="; nocase; http_uri; pcre:"/awstats.pl?[^\r\n]*logfile=\x7C/Ui"; metadata:ruleset community, service http; reference:bugtraq,12572; reference:nessus,16456; classtype:web-application-attack; sid:3464; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP awstats access"; flow:to_server,established; content:"/awstats.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,12572; reference:nessus,16456; classtype:web-application-activity; sid:3463; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mailman directory traversal attempt"; flow:to_server,established; content:"/mailman/"; http_uri; content:".../"; http_raw_uri; metadata:ruleset community, service http; reference:cve,2005-0202; classtype:web-application-attack; sid:3131; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP 3Com 3CRADSL72 ADSL 11g Wireless Router app_sta.stm access attempt"; flow:to_server,established; content:"/app_sta.stm"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,11408; reference:cve,2004-1596; classtype:web-application-activity; sid:3086; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP NetScreen SA 5000 delhomepage.cgi access"; flow:to_server,established; content:"/delhomepage.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9791; reference:cve,2004-0347; classtype:web-application-activity; sid:3062; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PhpGedView PGV base directory manipulation"; flow:to_server,established; content:"_conf.php"; nocase; http_uri; content:"PGV_BASE_DIRECTORY"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2926; rev:10;)
# Disabled community rules sid 2704-2701 for Oracle iSQL*Plus. All four are length
# checks: a parameter value of N or more bytes that contains no "&", ";", CR or LF.
#   sid 2704: /login.uix, connectID=, N = 255
#   sid 2703: /login.uix, username=,  N = 250
#   sid 2702: /isqlplus,  username=,  N = 255
#   sid 2701: /isqlplus,  sid=,       N = 255
# The four share one reference list (bugtraq 10871 and nine CVE ids), so an alert does
# not identify a single CVE; use the msg and sid to tell which parameter matched.
# The pcre options have no U modifier, so the parameter may match outside the URI too.
# NOTE(review): sid 2704's msg says "login.unix" while its content match is
# "/login.uix"; the msg looks like a typo. Keep that in mind when searching alerts by
# message text.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle 10g iSQLPlus login.unix connectID overflow attempt"; flow:to_server,established; content:"/login.uix"; nocase; http_uri; content:"connectID="; nocase; isdataat:255,relative; pcre:"/connectID=[^&\x3b\r\n]{255}/smi"; metadata:ruleset community, service http; reference:bugtraq,10871; reference:cve,2004-1362; reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365; reference:cve,2004-1366; reference:cve,2004-1368; reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2704; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle iSQLPlus login.uix username overflow attempt"; flow:to_server,established; content:"/login.uix"; nocase; http_uri; pcre:"/username=[^&\x3b\r\n]{250}/smi"; metadata:ruleset community, service http; reference:bugtraq,10871; reference:cve,2004-1362; reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365; reference:cve,2004-1366; reference:cve,2004-1368; reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2703; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle iSQLPlus username overflow attempt"; flow:to_server,established; content:"/isqlplus"; nocase; http_uri; pcre:"/username=[^&\x3b\r\n]{255}/si"; metadata:ruleset community, service http; reference:bugtraq,10871; reference:cve,2004-1362; reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365; reference:cve,2004-1366; reference:cve,2004-1368; reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2702; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle iSQLPlus sid overflow attempt"; flow:to_server,established; content:"/isqlplus"; nocase; http_uri; pcre:"/sid=[^&\x3b\r\n]{255}/si"; metadata:ruleset community, service http; reference:bugtraq,10871; reference:cve,2004-1362; reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365; reference:cve,2004-1366; reference:cve,2004-1368; reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2701; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sresult.exe access"; flow:to_server,established; content:"/sresult.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,10837; reference:cve,2004-2528; reference:nessus,14186; classtype:web-application-activity; sid:2672; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pgpmail.pl access"; flow:to_server,established; content:"/pgpmail.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3605; reference:cve,2001-0937; reference:nessus,11070; classtype:web-application-activity; sid:2670; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ibillpm.pl access"; flow:to_server,established; content:"/ibillpm.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3476; reference:cve,2001-0839; reference:nessus,11083; classtype:web-application-activity; sid:2669; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP processit access"; flow:to_server,established; content:"/processit.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10649; classtype:web-application-activity; sid:2668; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ipswitch WhatsUpGold instancename overflow attempt"; flow:to_server,established; content:"/_maincfgret.cgi"; fast_pattern:only; http_uri; content:"instancename="; nocase; http_uri; isdataat:513,relative; pcre:"/instancename=[^&\x3b\r\n]{513}/Usmi"; metadata:ruleset community, service http; reference:bugtraq,11043; reference:cve,2004-0798; classtype:web-application-attack; sid:2663; rev:16;)
# NOTE(review): sids 2657 and 2656 (both disabled here) are bound to $HOME_NET port 443 and
# share the same anchor: bytes |01 00 02| at payload offset 2 (offset:2; depth:3) in an SSLv2
# client_hello. Both alert when the 2-byte value at offset 9 exceeds 32, which per the msg is
# the Challenge Length field. sid 2656 additionally requires the first payload byte to be
# greater than 127; sid 2657 omits that test and carries no reference entries.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-WEBAPP SSLv2 Client_Hello with pad Challenge Length overflow attempt"; flow:to_server,established; ssl_version:sslv2; ssl_state:client_hello; content:"|01 00 02|"; depth:3; offset:2; byte_test:2,>,32,9; metadata:ruleset community, service ssl; classtype:attempted-admin; sid:2657; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-WEBAPP SSLv2 Client_Hello Challenge Length overflow attempt"; flow:to_server,established; ssl_version:sslv2; ssl_state:client_hello; content:"|01 00 02|"; depth:3; offset:2; byte_test:1,>,127,0; byte_test:2,>,32,9; metadata:ruleset community, service ssl; reference:bugtraq,11015; reference:cve,2004-0826; classtype:attempted-admin; sid:2656; rev:21;)
# NOTE(review): sid 2654 (disabled here): the only injection indicator is pcre /forum=.*'/,
# which is satisfied by any single quote following "forum=" on the same line (no s flag, so
# "." does not cross a newline). "name=Forums", "file=viewtopic" and the pcre have no HTTP
# buffer modifier, so they are not matched against the normalized URI; confirm coverage and
# false-positive rate with test traffic before enabling.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHPNuke Forum viewtopic SQL insertion attempt"; flow:to_server,established; content:"/modules.php"; nocase; http_uri; content:"name=Forums"; content:"file=viewtopic"; fast_pattern:only; pcre:"/forum=.*'/"; metadata:ruleset community, service http; reference:bugtraq,7193; classtype:web-application-attack; sid:2654; rev:10;)
# NOTE(review): sid 2598 (disabled here): the msg names port 901, but the header is
# $HTTP_SERVERS $HTTP_PORTS. Whether SWAT traffic on 901 is inspected depends on $HTTP_PORTS
# (defined outside this file) - verify before relying on this rule. sid 2597 below is the
# variant that restricts the same pcre to the HTTP header buffer (http_header, H flag).
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Samba SWAT Authorization port 901 overflow attempt"; flow:to_server,established; content:"Authorization|3A| Basic"; nocase; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+=/smi"; metadata:ruleset community, service http; reference:bugtraq,10780; reference:cve,2004-0600; classtype:web-application-attack; sid:2598; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Samba SWAT Authorization overflow attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"Basic"; within:50; nocase; http_header; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+=/smiH"; metadata:ruleset community, service http; reference:bugtraq,10780; reference:cve,2004-0600; classtype:web-application-attack; sid:2597; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP TUTOS path disclosure attempt"; flow:to_server,established; content:"/note_overview.php"; http_uri; content:"id="; metadata:ruleset community, service http; reference:bugtraq,10129; reference:url,www.securiteam.com/unixfocus/5FP0J15CKE.html; classtype:web-application-activity; sid:2588; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nessus 2.x 404 probe"; flow:to_server,established; content:"/NessusTest"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10386; classtype:attempted-recon; sid:2585; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SAP Crystal Reports crystalimagehandler.aspx access"; flow:to_server,established; content:"/crystalimagehandler.aspx"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2004-0204; reference:url,www.microsoft.com/security/bulletins/200406_crystal.mspx; classtype:web-application-activity; sid:2581; rev:11;)
# NOTE(review): sid 2580 (disabled here) is a to_client rule: it inspects responses from
# $EXTERNAL_NET servers on $HTTP_PORTS going to any port in $HOME_NET, and alerts on a
# Content-Length header whose value starts with "-" followed by digits. The pcre is anchored
# to a line start (^ with the m flag) but neither match is bound to http_header.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP server negative Content-Length attempt"; flow:to_client,established; content:"Content-Length"; nocase; pcre:"/^Content-Length\s*\x3a\s*-\d+/mi"; metadata:ruleset community, service http; reference:bugtraq,10508; reference:cve,2004-0492; reference:url,www.guninski.com/modproxy1.html; classtype:attempted-admin; sid:2580; rev:11;)
# NOTE(review): sid 2575 (disabled here): the pcre alternation (https?|ftps?|php) only checks
# that the systempath= value begins with one of those strings; it does not require "://", so
# a value such as "php_local" also matches. "systempath=" and the pcre are not bound to
# http_uri, so they can match anywhere in the request payload.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Opt-X header.php remote file include attempt"; flow:to_server,established; content:"/header.php"; nocase; http_uri; content:"systempath="; fast_pattern:only; pcre:"/systempath=(https?|ftps?|php)/i"; metadata:ruleset community, service http; reference:bugtraq,9732; reference:cve,2004-2368; classtype:web-application-attack; sid:2575; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cPanel resetpass access"; flow:to_server,established; content:"/resetpass"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9848; reference:cve,2004-1769; classtype:web-application-activity; sid:2569; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Emumail emumail.fcgi access"; flow:to_server,established; content:"/emumail.fcgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9861; reference:cve,2004-2334; reference:cve,2004-2385; reference:nessus,12095; classtype:web-application-activity; sid:2568; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Emumail init.emu access"; flow:to_server,established; content:"/init.emu"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9861; reference:cve,2004-2334; reference:cve,2004-2385; reference:nessus,12095; classtype:web-application-activity; sid:2567; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHPBB viewforum.php access"; flow:to_server,established; content:"/viewforum.php"; nocase; http_uri; content:"topic_id="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9865; reference:bugtraq,9866; reference:cve,2004-1809; reference:nessus,12093; classtype:web-application-activity; sid:2566; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP modules.php access"; flow:to_server,established; content:"/modules.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9879; reference:cve,2004-1817; classtype:web-application-activity; sid:2565; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 81 (msg:"SERVER-WEBAPP McAfee ePO file upload attempt"; flow:to_server,established; content:"/spipe/repl_file"; nocase; content:"Command=BEGIN"; nocase; metadata:ruleset community; reference:bugtraq,10200; reference:cve,2004-0038; classtype:attempted-admin; sid:2562; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP source.jsp access"; flow:to_server,established; content:"/source.jsp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,12119; classtype:web-application-activity; sid:2484; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP setinfo.hts access"; flow:to_server,established; content:"/setinfo.hts"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9973; reference:cve,2004-1857; reference:nessus,12120; classtype:web-application-activity; sid:2448; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ServletManager access"; flow:to_server,established; content:"/servlet/ServletManager"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3697; reference:cve,2001-1195; reference:nessus,12122; classtype:web-application-activity; sid:2447; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8000:8001 (msg:"SERVER-WEBAPP generic server user-agent buffer overflow attempt"; flow:to_server,established; content:"User-Agent|3A|"; nocase; isdataat:244,relative; pcre:"/^User-Agent\x3a[^\n]{244}/smi"; reference:bugtraq,9735; reference:cve,2004-0169; reference:cve,2008-0550; classtype:web-application-attack; sid:2442; rev:17;)
# NOTE(review): sid 2441 (disabled here): both content options are the same string "login=0";
# the first has no buffer modifier, the second is restricted to the Cookie header by
# http_cookie. There is no delimiter check around the match, so a cookie like "prelogin=0" or
# "login=01" also satisfies it. Expect false positives unless $HTTP_SERVERS is scoped to hosts
# running NetObserve.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP NetObserve authentication bypass attempt"; flow:to_server,established; content:"login=0"; nocase; content:"login=0"; nocase; http_cookie; metadata:ruleset community, service http; reference:bugtraq,9319; classtype:web-application-attack; sid:2441; rev:14;)
# NOTE(review): sids 2434 and 2433 (both disabled here) cover MDaemon form2raw.cgi. sid 2434
# matches "/form2raw.cgi" without http_uri, unlike the neighbouring "access" rules, so the
# string can match outside the URI. sid 2433 is bound to $HOME_NET port 3000 and has no
# "service" metadata; it alerts when "from=" preceded by a non-word character is followed by
# at least 100 bytes that are not ";", "&" or newline.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP MDaemon form2raw.cgi access"; flow:to_server,established; content:"/form2raw.cgi"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,9317; reference:cve,2003-1200; reference:url,secunia.com/advisories/10512/; classtype:web-application-activity; sid:2434; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt"; flow:to_server,established; content:"/form2raw.cgi"; fast_pattern:only; pcre:"/\Wfrom=[^\x3b&\n]{100}/si"; metadata:ruleset community; reference:bugtraq,9317; reference:cve,2003-1200; reference:url,secunia.com/advisories/10512/; classtype:web-application-attack; sid:2433; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-WEBAPP RealNetworks RealSystem Server DESCRIBE buffer overflow attempt"; flow:to_server,established; content:"DESCRIBE"; nocase; content:"../"; distance:1; pcre:"/^DESCRIBE\s[^\n]{300}/smi"; metadata:ruleset community; reference:bugtraq,8476; reference:cve,2003-0725; reference:nessus,11642; reference:url,www.service.real.com/help/faq/security/rootexploit091103.html; classtype:web-application-attack; sid:2411; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP IGeneric Free Shopping Cart page.php access"; flow:to_server,established; content:"/page.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9773; classtype:web-application-activity; sid:2410; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Invision Power Board search.pl access"; flow:to_server,established; content:"/search.pl"; http_uri; content:"st="; nocase; metadata:ruleset community, service http; reference:bugtraq,9766; reference:cve,2004-0338; classtype:web-application-activity; sid:2408; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP util.pl access"; flow:to_server,established; content:"/util.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9748; reference:cve,2004-2379; classtype:web-application-activity; sid:2407; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phptest.php access"; flow:to_server,established; content:"/phptest.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9737; reference:cve,2004-2374; classtype:web-application-activity; sid:2405; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP edittag.pl access"; flow:to_server,established; content:"/edittag.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6675; reference:cve,2003-1351; classtype:web-application-activity; sid:2400; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WAnewsletter db_type.php access"; flow:to_server,established; content:"/sql/db_type.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6964; classtype:web-application-activity; sid:2399; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WAnewsletter newsletter.php file include attempt"; flow:to_server,established; content:"newsletter.php"; nocase; http_uri; content:"waroot"; fast_pattern:only; content:"start.php"; nocase; metadata:ruleset community, service http; reference:bugtraq,6965; classtype:web-application-attack; sid:2398; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CCBill whereami.cgi access"; flow:to_server,established; content:"/whereami.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8095; reference:url,secunia.com/advisories/9191/; classtype:web-application-activity; sid:2397; rev:16;)
# NOTE(review): sid 2396 (disabled here): despite the "arbitrary command execution" msg, the
# rule only requires "g=" somewhere after "/whereami.cgi?" in the URI. "g=" is a bare
# substring, so any parameter whose name ends in "g" (e.g. "lang=") matches; the parameter
# value is not inspected.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CCBill whereami.cgi arbitrary command execution attempt"; flow:to_server,established; content:"/whereami.cgi?"; nocase; http_uri; content:"g="; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,8095; reference:url,secunia.com/advisories/9191/; classtype:web-application-attack; sid:2396; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP InteractiveQuery.jsp access"; flow:to_server,established; content:"/InteractiveQuery.jsp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8938; reference:cve,2003-0624; classtype:web-application-activity; sid:2395; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"SERVER-WEBAPP Compaq web-based management agent denial of service attempt"; flow:to_server,established; content:"<!"; depth:75; content:">"; within:50; metadata:ruleset community; reference:bugtraq,8014; classtype:web-application-attack; sid:2394; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /_admin access"; flow:to_server,established; content:"/_admin/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9537; reference:cve,2007-1156; reference:nessus,12032; classtype:web-application-activity; sid:2393; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Apple QuickTime streaming server view_broadcast.cgi access"; flow:to_server,established; content:"/view_broadcast.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8257; reference:cve,2003-0422; classtype:web-application-activity; sid:2388; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string vulnerability attempt"; flow:to_server,established; content:"|3A|/"; offset:11; http_uri; pcre:"/^[^\x3a\x3f]{11,}\x3a\x2f/Usmi"; metadata:ruleset community, service http; reference:bugtraq,9581; reference:cve,2004-0039; reference:nessus,12084; classtype:attempted-admin; sid:2381; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Photopost PHP Pro showphoto.php access"; flow:to_server,established; content:"/showphoto.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9557; reference:cve,2004-0239; reference:cve,2004-0250; classtype:web-application-activity; sid:2372; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Sample_showcode.html access"; flow:to_server,established; content:"/Sample_showcode.html"; nocase; http_uri; content:"fname"; metadata:ruleset community, service http; reference:bugtraq,9555; reference:cve,2004-2170; classtype:web-application-activity; sid:2371; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP BugPort config.conf file access"; flow:to_server,established; content:"/config.conf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9542; reference:cve,2004-2353; classtype:attempted-recon; sid:2370; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ISAPISkeleton.dll access"; flow:to_server,established; content:"/ISAPISkeleton.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9516; reference:cve,2004-2128; classtype:web-application-activity; sid:2369; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PhpGedView PGV config_gedcom.php base directory manipulation attempt"; flow:to_server,established; content:"/config_gedcom.php"; nocase; http_uri; content:"PGV_BASE_DIRECTORY"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2368; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PhpGedView PGV functions.php base directory manipulation attempt"; flow:to_server,established; content:"/functions.php"; nocase; http_uri; content:"PGV_BASE_DIRECTORY"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2367; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PhpGedView PGV authentication_index.php base directory manipulation attempt"; flow:to_server,established; content:"/authentication_index.php"; nocase; http_uri; content:"PGV_BASE_DIRECTORY"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2366; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP newsPHP Language file include attempt"; flow:to_server,established; content:"/nphpd.php"; fast_pattern; nocase; http_uri; content:"LangFile"; nocase; metadata:ruleset community, service http; reference:bugtraq,8488; classtype:web-application-activity; sid:2365; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Cyboards options_form.php access"; flow:to_server,established; content:"/options_form.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6597; classtype:web-application-activity; sid:2364; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Cyboards default_header.php access"; flow:to_server,established; content:"/default_header.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6597; classtype:web-application-activity; sid:2363; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP YaBB SE packages.php file include"; flow:to_server,established; content:"/packages.php"; fast_pattern; nocase; http_uri; content:"packer.php"; nocase; metadata:ruleset community, service http; reference:bugtraq,6663; classtype:web-application-attack; sid:2362; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP news.php file include"; flow:to_server,established; content:"/news.php"; fast_pattern; nocase; http_uri; content:"template="; nocase; metadata:ruleset community, service http; reference:bugtraq,6674; classtype:web-application-attack; sid:2361; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP myphpPagetool pt_config.inc file include"; flow:to_server,established; content:"/doc/admin"; nocase; http_uri; content:"ptinclude="; nocase; content:"pt_config.inc"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,6744; classtype:web-application-attack; sid:2360; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Invision Board ipchat.php file include"; flow:to_server,established; content:"/ipchat.php"; nocase; http_uri; content:"root_path="; content:"conf_global.php"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,6976; reference:cve,2003-1385; classtype:web-application-attack; sid:2359; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Typo3 translations.php file include"; flow:to_server,established; content:"/translations.php"; fast_pattern; nocase; http_uri; content:"ONLY="; nocase; metadata:ruleset community, service http; reference:bugtraq,6984; classtype:web-application-attack; sid:2358; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WebChat english.php file include"; flow:to_server,established; content:"/defines.php"; nocase; http_uri; content:"WEBCHATPATH="; nocase; content:"english.php"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,7000; reference:cve,2007-0485; classtype:web-application-attack; sid:2357; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WebChat db_mysql.php file include"; flow:to_server,established; content:"/defines.php"; nocase; http_uri; content:"WEBCHATPATH="; nocase; content:"db_mysql.php"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,7000; reference:cve,2007-0485; classtype:web-application-attack; sid:2356; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Invision Board emailer.php file include"; flow:to_server,established; content:"/ad_member.php"; fast_pattern; nocase; http_uri; content:"emailer.php"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,7204; classtype:web-application-activity; sid:2355; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP IdeaBox notification.php file include"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"gorumDir="; fast_pattern:only; content:"notification.php"; nocase; metadata:ruleset community, service http; reference:bugtraq,7488; classtype:web-application-activity; sid:2354; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP IdeaBox cord.php file include"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"ideaDir="; fast_pattern:only; content:"cord.php"; nocase; metadata:ruleset community, service http; reference:bugtraq,7488; classtype:web-application-activity; sid:2353; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP myPHPNuke partner.php access"; flow:to_server,established; content:"/partner.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6544; classtype:web-application-activity; sid:2347; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP myPHPNuke chatheader.php access"; flow:to_server,established; content:"/chatheader.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6544; classtype:web-application-activity; sid:2346; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PhpGedView search.php access"; flow:to_server,established; content:"/search.php"; nocase; http_uri; content:"action=soundex"; fast_pattern; nocase; http_uri; content:"firstname="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,9369; reference:cve,2004-0032; classtype:web-application-activity; sid:2345; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DCP-Portal remote file include lib script attempt"; flow:to_server,established; content:"/library/lib.php"; fast_pattern; nocase; http_uri; content:"root="; http_uri; metadata:ruleset community, service http; reference:bugtraq,6525; classtype:web-application-attack; sid:2342; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DCP-Portal remote file include editor script attempt"; flow:to_server,established; content:"/library/editor/editor.php"; fast_pattern; nocase; http_uri; content:"root="; http_uri; metadata:ruleset community, service http; reference:bugtraq,6525; classtype:web-application-attack; sid:2341; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP MatrikzGB privilege escalation attempt"; flow:to_server,established; content:"new_rights=admin"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8430; classtype:web-application-activity; sid:2331; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP authentication_index.php access"; flow:to_server,established; content:"/authentication_index.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2004-0032; reference:nessus,11982; classtype:web-application-activity; sid:2328; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bsml.pl access"; flow:to_server,established; content:"/bsml.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9311; reference:nessus,11973; classtype:web-application-activity; sid:2327; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP iSoft-Solutions QuickStore shopping cart quickstore.cgi access"; flow:to_server,established; content:"/quickstore.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9282; reference:nessus,11975; classtype:web-application-activity; sid:2323; rev:14;)
# NOTE(review): sids 2307 and 2306 (both disabled here) flag remote file inclusion by testing
# that the parameter value starts with http, https, ftp, ftps or php (pcre with the U flag,
# i.e. against the normalized URI, case-insensitive). No "://" is required, so a local value
# that merely begins with one of those strings also matches. In sid 2307 "do=ext" and "page="
# are independent URI matches with no ordering or distance constraint.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PayPal Storefront remote file include attempt"; flow:to_server,established; content:"do=ext"; http_uri; content:"page="; http_uri; pcre:"/page=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:bugtraq,8791; reference:nessus,11873; classtype:web-application-attack; sid:2307; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP gallery remote file include attempt"; flow:to_server,established; content:"/setup/"; http_uri; content:"GALLERY_BASEDIR="; http_uri; pcre:"/GALLERY_BASEDIR=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:bugtraq,8814; reference:cve,2003-1227; reference:nessus,11876; classtype:web-application-attack; sid:2306; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP chatbox.php access"; flow:to_server,established; content:"/chatbox.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8930; reference:cve,2003-1191; classtype:web-application-activity; sid:2305; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP files.inc.php access"; flow:to_server,established; content:"/files.inc.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8910; reference:cve,2003-1153; classtype:web-application-activity; sid:2304; rev:15;)
# NOTE(review): sids 2303 down to 2291 are the Advanced Poll rules visible in this part of the
# file; all are disabled here and share the same bugtraq/cve/nessus references. sid 2303
# requires both "/popup.php" and "include_path=" in the URI; the others match a script name
# only (classtype web-application-activity), so an alert indicates access to the page, not a
# confirmed exploit attempt.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll popup.php access"; flow:to_server,established; content:"/popup.php"; fast_pattern; nocase; http_uri; content:"include_path="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2303; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll poll_ssi.php access"; flow:to_server,established; content:"/poll_ssi.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2302; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll booth.php access"; flow:to_server,established; content:"/booth.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2301; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_tpl_new.php access"; flow:to_server,established; content:"/admin_tpl_new.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2300; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_tpl_misc_new.php access"; flow:to_server,established; content:"/admin_tpl_misc_new.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2299; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_templates.php access"; flow:to_server,established; content:"/admin_templates.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2298; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_templates_misc.php access"; flow:to_server,established; content:"/admin_templates_misc.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2297; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_stats.php access"; flow:to_server,established; content:"/admin_stats.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2296; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_settings.php access"; flow:to_server,established; content:"/admin_settings.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2295; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_preview.php access"; flow:to_server,established; content:"/admin_preview.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2294; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_password.php access"; flow:to_server,established; content:"/admin_password.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2293; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_logout.php access"; flow:to_server,established; content:"/admin_logout.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2292; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_license.php access"; flow:to_server,established; content:"/admin_license.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2291; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_help.php access"; flow:to_server,established; content:"/admin_help.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2290; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_embed.php access"; flow:to_server,established; content:"/admin_embed.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2289; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_edit.php access"; flow:to_server,established; content:"/admin_edit.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2288; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_comment.php access"; flow:to_server,established; content:"/admin_comment.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2287; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP friends.php access"; flow:to_server,established; content:"/friends.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9088; classtype:web-application-activity; sid:2286; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rolis guestbook access"; flow:to_server,established; content:"/insert.inc.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9057; classtype:web-application-activity; sid:2285; rev:14;)
# NOTE(review) sid 2284: only "/insert.inc.php" is tied to the URI buffer (http_uri). The
# "path=" content has no http_uri or nocase modifier, and there is no pcre requiring a URL
# scheme after the parameter (compare sids 2226, 2155 and 2150 in this file). Despite the
# "remote file include" msg, this alerts on any request to the script that carries "path="
# anywhere in the inspected payload, including local paths. Triage by reading the actual
# parameter value in the request; sid 2285 covers plain access to the same script.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rolis guestbook remote file include attempt"; flow:to_server,established; content:"/insert.inc.php"; fast_pattern; nocase; http_uri; content:"path="; metadata:ruleset community, service http; reference:bugtraq,9057; classtype:web-application-attack; sid:2284; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DatabaseFunctions.php access"; flow:to_server,established; content:"/DatabaseFunctions.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9057; classtype:web-application-activity; sid:2283; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP GlobalFunctions.php access"; flow:to_server,established; content:"/GlobalFunctions.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9057; classtype:web-application-activity; sid:2282; rev:14;)
# NOTE(review) sid 2281: the msg names only a script file, and the references point at two
# separate advisories (bugtraq 9057 and cve 2009-1151), so an alert does not by itself identify
# which application was requested. With fast_pattern:only the content is used solely by the
# fast pattern matcher and is not re-evaluated as a rule option; the Snort 2 manual describes
# that matcher as case-insensitive, so this presumably also matches "/setup.php" - confirm on
# the deployed Snort version before tuning around it.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Setup.php access"; flow:to_server,established; content:"/Setup.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9057; reference:cve,2009-1151; classtype:web-application-activity; sid:2281; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Title.php access"; flow:to_server,established; content:"/Title.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9057; classtype:web-application-activity; sid:2280; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP UpdateClasses.php access"; flow:to_server,established; content:"/UpdateClasses.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9057; classtype:web-application-activity; sid:2279; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PeopleSoft PeopleBooks psdoccgi access"; flow:to_server,established; content:"/psdoccgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9037; reference:bugtraq,9038; reference:cve,2003-0626; reference:cve,2003-0627; classtype:web-application-activity; sid:2277; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP oracle portal demo access"; flow:to_server,established; content:"/pls/portal/PORTAL_DEMO"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11918; classtype:web-application-activity; sid:2276; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webadmin.dll access"; flow:to_server,established; content:"/webadmin.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7438; reference:bugtraq,7439; reference:bugtraq,8024; reference:cve,2003-0471; reference:nessus,11771; classtype:web-application-activity; sid:2246; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Webnews.exe access"; flow:to_server,established; content:"/Webnews.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4124; reference:cve,2002-0290; reference:nessus,11732; classtype:web-application-activity; sid:2245; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VsSetCookie.exe access"; flow:to_server,established; content:"/VsSetCookie.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3784; reference:cve,2002-0236; reference:nessus,11731; classtype:web-application-activity; sid:2244; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ndcgi.exe access"; flow:to_server,established; content:"/ndcgi.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3583; reference:cve,2001-0922; reference:nessus,11730; classtype:web-application-activity; sid:2243; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ddicgi.exe access"; flow:to_server,established; content:"/ddicgi.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1657; reference:cve,2000-0826; reference:nessus,11728; classtype:web-application-activity; sid:2242; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cwmail.exe access"; flow:to_server,established; content:"/cwmail.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4093; reference:cve,2002-0273; reference:nessus,11727; classtype:web-application-activity; sid:2241; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP changepw.exe access"; flow:to_server,established; content:"/changepw.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1256; reference:cve,2000-0401; reference:nessus,11723; classtype:web-application-activity; sid:2240; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP redirect.exe access"; flow:to_server,established; content:"/redirect.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1256; reference:cve,2000-0401; reference:nessus,11723; classtype:web-application-activity; sid:2239; rev:12;)
# NOTE(review) sid 2238: the fast pattern chosen here is ".jsp", not the longer and more specific
# "/ConsoleHelp/". A short, common string as the fast pattern means the rule is selected for
# full evaluation on most JSP traffic. Because ".jsp" is fast_pattern:only it is not evaluated
# as a positional option, so the rule alerts whenever both strings occur in the URI, in either
# order. If this is enabled in front of a JSP-heavy application, check its cost with Snort's
# rule profiling and expect alerts on ordinary ConsoleHelp page views.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WebLogic ConsoleHelp view source attempt"; flow:to_server,established; content:"/ConsoleHelp/"; nocase; http_uri; content:".jsp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1518; reference:cve,2000-0682; reference:nessus,11724; classtype:web-application-attack; sid:2238; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiWebupdate.exe access"; flow:to_server,established; content:"/cgiWebupdate.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3216; reference:cve,2001-1150; reference:nessus,11722; classtype:web-application-activity; sid:2237; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP spamrule.dll access"; flow:to_server,established; content:"/spamrule.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2236; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SpamExcp.dll access"; flow:to_server,established; content:"/SpamExcp.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2235; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP TOP10.dll access"; flow:to_server,established; content:"/TOP10.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2234; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SFNofitication.dll access"; flow:to_server,established; content:"/SFNofitication.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2233; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ContentFilter.dll access"; flow:to_server,established; content:"/ContentFilter.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2232; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP register.dll access"; flow:to_server,established; content:"/register.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2231; rev:13;)
# NOTE(review) sid 2230: "YWRtaW46cGFzc3dvcmQ" is the Base64 encoding of "admin:password" without
# the trailing "=" pad. Base64 is case-sensitive, but the content match uses nocase and the
# pcre uses the i flag, so an Authorization value whose encoding differs from this string only
# in letter case also alerts. The pad is not matched either, so a longer credential whose
# encoding begins with the same characters can match. Treat a hit as a lead: decode the
# Authorization header from the capture and check the device's own authentication log.
# The pcre H flag restricts the expression to the normalized HTTP header buffer; the
# "(\s*|\s*\r?\n\s+)" group allows a folded (continued) header line before "Basic".
# Destination is $HOME_NET rather than $HTTP_SERVERS - presumably because the targets are
# routers rather than hosts listed in $HTTP_SERVERS; confirm against the local variable set.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NetGear router default password login attempt admin/password"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"YWRtaW46cGFzc3dvcmQ"; nocase; http_header; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+YWRtaW46cGFzc3dvcmQ/smiH"; metadata:ruleset community, service http; reference:nessus,11737; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:2230; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP viewtopic.php access"; flow:to_server,established; content:"/viewtopic.php"; fast_pattern; nocase; http_uri; content:"days="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,7979; reference:cve,2003-0486; reference:nessus,11767; classtype:web-application-attack; sid:2229; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phpMyAdmin db_details_importdocsql.php access"; flow:to_server,established; content:"db_details_importdocsql.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7962; reference:bugtraq,7965; reference:nessus,11761; classtype:web-application-attack; sid:2228; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP forum_details.php access"; flow:to_server,established; content:"forum_details.php"; http_uri; metadata:ruleset community, service http; reference:bugtraq,7933; reference:nessus,11760; classtype:web-application-attack; sid:2227; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pmachine remote file include attempt"; flow:to_server,established; content:"lib.inc.php"; fast_pattern; nocase; http_uri; content:"pm_path="; http_uri; pcre:"/pm_path=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:bugtraq,7919; reference:nessus,11739; classtype:web-application-attack; sid:2226; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys BEFSR41 gozila.cgi access"; flow:to_server,established; content:"/gozila.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6086; reference:cve,2002-1236; reference:nessus,11773; classtype:web-application-activity; sid:2225; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Psunami Bulletin Board psunami.cgi access"; flow:to_server,established; content:"/psunami.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6607; reference:nessus,11750; classtype:web-application-activity; sid:2224; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CGIScript.net csNews.cgi access"; flow:to_server,established; content:"/csNews.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4994; reference:cve,2002-0923; reference:nessus,11726; classtype:web-application-activity; sid:2223; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Infinity CGI exploit scanner nph-exploitscanget.cgi access"; flow:to_server,established; content:"/nph-exploitscanget.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7910; reference:bugtraq,7911; reference:bugtraq,7913; reference:cve,2003-0434; reference:nessus,11740; classtype:web-application-activity; sid:2222; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiCentral WebStore ws_mail.cgi access"; flow:to_server,established; content:"/ws_mail.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2861; reference:bugtraq,4579; reference:cve,2001-1343; reference:nessus,11748; classtype:web-application-activity; sid:2221; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Leif M. Wright simplestmail.cgi access"; flow:to_server,established; content:"/simplestmail.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2106; reference:bugtraq,4579; reference:cve,2001-0022; reference:nessus,11748; classtype:web-application-activity; sid:2220; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Interscan VirusWall setpasswd.cgi access"; flow:to_server,established; content:"/setpasswd.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2212; reference:bugtraq,4579; reference:cve,2001-0133; reference:nessus,11748; classtype:web-application-activity; sid:2219; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Cobalt RaQ service.cgi access"; flow:to_server,established; content:"/service.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4211; reference:bugtraq,4579; reference:cve,2002-0346; reference:nessus,11748; classtype:web-application-activity; sid:2218; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ipswitch IMail printmail.cgi access"; flow:to_server,established; content:"/printmail.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3427; reference:bugtraq,4579; reference:cve,2001-1283; reference:nessus,11748; classtype:web-application-activity; sid:2217; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ipswitch IMail readmail.cgi access"; flow:to_server,established; content:"/readmail.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3427; reference:bugtraq,4579; reference:cve,2001-1283; reference:nessus,11748; classtype:web-application-activity; sid:2216; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Alabanza Control Panel nsManager.cgi access"; flow:to_server,established; content:"/nsManager.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1710; reference:bugtraq,4579; reference:cve,2000-1023; reference:nessus,11748; classtype:web-application-activity; sid:2215; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP 3R Soft MailStudio 2000 mailview.cgi access"; flow:to_server,established; content:"/mailview.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1335; reference:bugtraq,4579; reference:cve,2000-0526; reference:nessus,11748; classtype:web-application-activity; sid:2214; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oatmeal Studios Mail File mailfile.cgi access"; flow:to_server,established; content:"/mailfile.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1807; reference:bugtraq,4579; reference:cve,2000-0977; reference:nessus,11748; classtype:web-application-activity; sid:2213; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiCentral WebStore imageFolio.cgi access"; flow:to_server,established; content:"/imageFolio.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,6265; reference:cve,2002-1334; reference:nessus,11748; classtype:web-application-activity; sid:2212; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Lars Ellingsen guestserver.cgi access"; flow:to_server,established; content:"/guestserver.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:cve,2001-0180; reference:nessus,11748; classtype:web-application-activity; sid:2211; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple Vendors global.cgi access"; flow:to_server,established; content:"/global.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:cve,2000-0952; reference:nessus,11748; classtype:web-application-activity; sid:2210; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Infonautics getdoc.cgi access"; flow:to_server,established; content:"/getdoc.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:cve,2000-0288; reference:nessus,11748; classtype:web-application-activity; sid:2209; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Faq-O-Matic fom.cgi access"; flow:to_server,established; content:"/fom.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:cve,2002-0230; reference:nessus,11748; classtype:web-application-activity; sid:2208; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP FileSeek fileseek.cgi access"; flow:to_server,established; content:"/fileseek.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,6784; reference:cve,2002-0611; reference:nessus,11748; classtype:web-application-activity; sid:2207; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP EasyBoard 2000 ezman.cgi access"; flow:to_server,established; content:"/ezman.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2206; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP EasyBoard 2000 ezboard.cgi access"; flow:to_server,established; content:"/ezboard.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2205; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP EasyBoard 2000 ezadmin.cgi access"; flow:to_server,established; content:"/ezadmin.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2204; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Leif M. Wright everythingform.cgi access"; flow:to_server,established; content:"/everythingform.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2101; reference:bugtraq,4579; reference:cve,2001-0023; reference:nessus,11748; classtype:web-application-activity; sid:2203; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Webmin Directory edit_action.cgi access"; flow:to_server,established; content:"/edit_action.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3698; reference:bugtraq,4579; reference:cve,2001-1196; reference:nessus,11748; classtype:web-application-activity; sid:2202; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Matt Wright download.cgi access"; flow:to_server,established; content:"/download.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:cve,1999-1377; reference:nessus,11748; classtype:web-application-activity; sid:2201; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dnewsweb.cgi access"; flow:to_server,established; content:"/dnewsweb.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1172; reference:bugtraq,4579; reference:cve,2000-0423; reference:nessus,11748; classtype:web-application-activity; sid:2200; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP multidiff.cgi access"; flow:to_server,established; content:"/multidiff.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2199; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cvslog.cgi access"; flow:to_server,established; content:"/cvslog.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2198; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cvsview2.cgi access"; flow:to_server,established; content:"/cvsview2.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2197; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP catgy.cgi access"; flow:to_server,established; content:"/catgy.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3714; reference:bugtraq,4579; reference:cve,2001-1212; reference:nessus,11748; classtype:web-application-activity; sid:2196; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alert.cgi access"; flow:to_server,established; content:"/alert.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4211; reference:bugtraq,4579; reference:cve,2002-0346; reference:nessus,11748; classtype:web-application-activity; sid:2195; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CSMailto.cgi access"; flow:to_server,established; content:"/CSMailto.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,6265; reference:cve,2002-0749; reference:nessus,11748; classtype:web-application-activity; sid:2194; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP mod_gzip_status access"; flow:to_server,established; content:"/mod_gzip_status"; http_uri; metadata:ruleset community, service http; reference:nessus,11685; classtype:web-application-activity; sid:2156; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ttforum remote file include attempt"; flow:to_server,established; content:"forum/index.php"; http_uri; content:"template="; http_uri; pcre:"/template=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:bugtraq,7542; reference:bugtraq,7543; reference:cve,2003-1458; reference:cve,2003-1459; reference:nessus,11615; classtype:web-application-attack; sid:2155; rev:15;)
# sids 2154 / 2153: paired rules for autohtml.php. 2154 alerts on any URI containing the script
# name; 2153 additionally requires "name=" followed (distance:0) by "../../".
# NOTE(review) sid 2153: "name=" and "../../" have no http_uri modifier, so they are compared
# with the packet payload as sent rather than with the normalized URI, and both are
# case-sensitive literals. Coverage is therefore limited to the literal "../../" byte sequence;
# requests that only become a traversal after URI decoding are left to http_inspect
# normalization alerts and to server-side logging. Keep those enabled if this rule is relied on.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP autohtml.php access"; flow:to_server,established; content:"/autohtml.php"; http_uri; metadata:ruleset community, service http; reference:nessus,11630; classtype:web-application-activity; sid:2154; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP autohtml.php directory traversal attempt"; flow:to_server,established; content:"/autohtml.php"; fast_pattern; nocase; http_uri; content:"name="; content:"../../"; distance:0; metadata:ruleset community, service http; reference:nessus,11630; classtype:web-application-attack; sid:2153; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test.php access"; flow:to_server,established; content:"/test.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11617; classtype:web-application-activity; sid:2152; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ttCMS header.php access"; flow:to_server,established; content:"/admin/templates/header.php"; http_uri; metadata:ruleset community, service http; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:cve,2003-1458; reference:cve,2003-1459; reference:nessus,11636; classtype:web-application-activity; sid:2151; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ttCMS header.php remote file include attempt"; flow:to_server,established; content:"/admin/templates/header.php"; fast_pattern; nocase; http_uri; content:"admin_root="; nocase; http_uri; pcre:"/admin_root=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:cve,2003-1458; reference:cve,2003-1459; reference:nessus,11636; classtype:web-application-attack; sid:2150; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Turba status.php access"; flow:to_server,established; content:"/turba/status.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11646; classtype:web-application-activity; sid:2149; rev:13;)
# sids 2148 / 2147: paired rules for BLNews objects.inc.php4. 2148 alerts on any URI containing
# the script name; 2147 additionally requires "Server[path]=" followed by a value starting with
# http, https, ftp, ftps or php (the pcre does not require "://").
# NOTE(review) sid 2147: the "Server[path]=" content has no http_uri modifier and the pcre has no
# flags at all, so both are evaluated case-sensitively against the payload as sent. The
# comparable include rules in this file (sids 2150, 2155, 2226) use the U and i pcre flags, i.e.
# normalized URI and case-insensitive. This rule is narrower than its siblings: it only sees the
# parameter when the square brackets arrive as literal bytes and the scheme is lowercase.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP BLNews objects.inc.php4 access"; flow:to_server,established; content:"/objects.inc.php4"; http_uri; metadata:ruleset community, service http; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-activity; sid:2148; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP BLNews objects.inc.php4 remote file include attempt"; flow:to_server,established; content:"/objects.inc.php4"; http_uri; content:"Server[path]="; pcre:"/Server\x5bpath\x5d=(https?|ftps?|php)/"; metadata:ruleset community, service http; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-attack; sid:2147; rev:15;)
# sids 2146 / 2145: TextPortal admin login with a default password ("12345" and "admin").
# Each rule requires "/admin.php" in the URI plus "op=admin_enter" and the password parameter
# somewhere in the payload; the last two contents carry no HTTP buffer modifier.
# NOTE(review): both rules reference ATT&CK T1078 but use classtype web-application-activity,
# while the other default-credential rule in this file (sid 2230) uses default-login-attempt.
# Dashboards or suppressions keyed on classtype will not group these together. The password
# contents are substring matches, so a submitted value that merely begins with "12345" or
# "admin" also alerts. The rule sees the request only, not the server's answer, so a hit shows
# that the credential was tried, not that the login succeeded - check the application response
# or its log.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP TextPortal admin.php default password 12345 attempt"; flow:to_server,established; content:"/admin.php"; http_uri; content:"op=admin_enter"; content:"password=12345"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,7673; reference:nessus,11660; reference:url,attack.mitre.org/techniques/T1078; classtype:web-application-activity; sid:2146; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP TextPortal admin.php default password admin attempt"; flow:to_server,established; content:"/admin.php"; http_uri; content:"op=admin_enter"; content:"password=admin"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,7673; reference:nessus,11660; reference:url,attack.mitre.org/techniques/T1078; classtype:web-application-activity; sid:2145; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP b2 cafelog gm-2-b2.php access"; flow:to_server,established; content:"/gm-2-b2.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11667; classtype:web-application-activity; sid:2144; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP b2 cafelog gm-2-b2.php remote file include attempt"; flow:to_server,established; content:"/gm-2-b2.php"; fast_pattern; nocase; http_uri; content:"b2inc="; pcre:"/b2inc=(https?|ftps?|php)/i"; metadata:ruleset community, service http; reference:nessus,11667; classtype:web-application-attack; sid:2143; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP shoutbox.php access"; flow:to_server,established; content:"/shoutbox.php"; fast_pattern; nocase; http_uri; content:"conf="; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11668; classtype:web-application-activity; sid:2142; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP shoutbox.php directory traversal attempt"; flow:to_server,established; content:"/shoutbox.php"; http_uri; content:"conf="; content:"../"; distance:0; metadata:ruleset community, service http; reference:nessus,11668; classtype:web-application-attack; sid:2141; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP p-news.php access"; flow:to_server,established; content:"/p-news.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11669; classtype:web-application-activity; sid:2140; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP /*.shtml access"; flow:to_server,established; content:"/*.shtml"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1517; reference:cve,2000-0683; reference:nessus,11604; classtype:web-application-activity; sid:2139; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP logicworks.ini access"; flow:to_server,established; content:"/logicworks.ini"; http_uri; metadata:ruleset community, service http; reference:bugtraq,6996; reference:cve,2003-1383; reference:nessus,11639; classtype:web-application-activity; sid:2138; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP philboard_admin.asp access"; flow:to_server,established; content:"/philboard_admin.asp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,7739; reference:nessus,11675; classtype:web-application-activity; sid:2137; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP philboard_admin.asp authentication bypass attempt"; flow:to_server,established; content:"/philboard_admin.asp"; http_uri; content:"Cookie"; nocase; content:"philboard_admin=True"; distance:0; metadata:ruleset community, service http; reference:bugtraq,7739; reference:nessus,11675; classtype:web-application-attack; sid:2136; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP philboard.mdb access"; flow:to_server,established; content:"/philboard.mdb"; http_uri; metadata:ruleset community, service http; reference:nessus,11682; classtype:web-application-activity; sid:2135; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP swsrv.cgi access"; flow:to_server,established; content:"/swsrv.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7510; reference:cve,2003-0217; reference:nessus,11608; classtype:web-application-activity; sid:2128; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ikonboard.cgi access"; flow:to_server,established; content:"/ikonboard.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7361; reference:nessus,11605; classtype:web-application-activity; sid:2127; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP chipcfg.cgi access"; flow:to_server,established; content:"/chipcfg.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2767; reference:cve,2001-1341; reference:url,archives.neohapsis.com/archives/bugtraq/2001-05/0233.html; classtype:web-application-activity; sid:2116; rev:17;)
# NOTE(review): sid 2115 and sid 2086 carry no http_uri on their content, so the file name is
# matched anywhere in the client-to-server payload (headers or body as well as the request line).
# sid 2085 is the same "/parse_xml.cgi" pattern and reference list as sid 2086, restricted to the
# normalized URI; enabling both will typically produce two alerts for one request.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP album.pl access"; flow:to_server,established; content:"/album.pl"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,7444; reference:cve,2003-1456; reference:nessus,11581; classtype:web-application-activity; sid:2115; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP streaming server parse_xml.cgi access"; flow:to_server,established; content:"/parse_xml.cgi"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,6954; reference:bugtraq,6955; reference:bugtraq,6956; reference:bugtraq,6958; reference:cve,2003-0050; reference:cve,2003-0051; reference:cve,2003-0052; reference:cve,2003-0053; reference:cve,2003-0423; classtype:web-application-activity; sid:2086; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP parse_xml.cgi access"; flow:to_server,established; content:"/parse_xml.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6954; reference:bugtraq,6955; reference:bugtraq,6956; reference:bugtraq,6958; reference:cve,2003-0050; reference:cve,2003-0051; reference:cve,2003-0052; reference:cve,2003-0053; reference:cve,2003-0423; classtype:web-application-activity; sid:2085; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phpBB privmsg.php access"; flow:to_server,established; content:"/privmsg.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6634; reference:cve,2003-1530; classtype:web-application-activity; sid:2078; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Mambo upload.php access"; flow:to_server,established; content:"/upload.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6572; reference:cve,2003-1204; reference:nessus,16315; classtype:web-application-activity; sid:2077; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Mambo uploadimage.php access"; flow:to_server,established; content:"/uploadimage.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6572; reference:cve,2003-1204; reference:nessus,16315; classtype:web-application-activity; sid:2076; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Mambo upload.php upload php file attempt"; flow:to_server,established; content:"/upload.php"; http_uri; content:"userfile_name="; content:".php"; distance:1; metadata:ruleset community, service http; reference:bugtraq,6572; reference:cve,2003-1204; reference:nessus,16315; classtype:web-application-attack; sid:2075; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Mambo uploadimage.php upload php file attempt"; flow:to_server,established; content:"/uploadimage.php"; http_uri; content:"userfile_name="; content:".php"; distance:1; metadata:ruleset community, service http; reference:bugtraq,6572; reference:cve,2003-1204; reference:nessus,16315; classtype:web-application-attack; sid:2074; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP globals.pl access"; flow:to_server,established; content:"/globals.pl"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2671; reference:cve,2001-0330; classtype:web-application-activity; sid:2073; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP lyris.pl access"; flow:to_server,established; content:"/lyris.pl"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1584; reference:cve,2000-0758; classtype:web-application-activity; sid:2072; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP post32.exe access"; flow:to_server,established; content:"/post32.exe"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1485; classtype:web-application-activity; sid:2071; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP post32.exe arbitrary command attempt"; flow:to_server,established; content:"/post32.exe|7C|"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1485; classtype:web-application-attack; sid:2070; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP chip.ini access"; flow:to_server,established; content:"/chip.ini"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2755; reference:bugtraq,2775; reference:cve,2001-0749; reference:cve,2001-0771; classtype:web-application-activity; sid:2069; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP BitKeeper arbitrary command attempt"; flow:to_server,established; content:"/diffs/"; http_uri; content:"'"; content:"|3B|"; distance:0; content:"'"; distance:1; metadata:ruleset community, service http; reference:bugtraq,6588; classtype:web-application-attack; sid:2068; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus Notes .exe script source download attempt"; flow:to_server,established; content:".exe"; http_uri; content:".exe"; content:"."; within:1; metadata:ruleset community, service http; reference:bugtraq,6841; reference:cve,2003-1408; classtype:web-application-attack; sid:2067; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus Notes .pl script source download attempt"; flow:to_server,established; content:".pl"; http_uri; content:".pl"; content:"."; within:1; metadata:ruleset community, service http; reference:bugtraq,6841; reference:cve,2003-1408; classtype:web-application-attack; sid:2066; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus Notes .csp script source download attempt"; flow:to_server,established; content:".csp."; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:2065; rev:7;)
# NOTE(review): the msg describes a SQL injection attempt, but classtype is
# web-application-activity, whereas the other attack-signature rules in this file use
# web-application-attack. Classtype sets the alert's default priority, so this event may be
# ranked lower in triage than the msg suggests; confirm whether that is deliberate.
# The s_key= and three single-quote contents have no http_uri and are matched in the raw payload.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Demarc SQL injection attempt"; flow:to_server,established; content:"/dm/demarc"; http_uri; content:"s_key="; content:"'"; distance:0; content:"'"; distance:1; content:"'"; distance:0; metadata:ruleset community, service http; reference:bugtraq,4520; reference:cve,2002-0539; classtype:web-application-activity; sid:2063; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP iPlanet .perf access"; flow:to_server,established; content:"/.perf"; http_uri; metadata:ruleset community, service http; reference:nessus,11220; classtype:web-application-activity; sid:2062; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DB4Web access"; flow:to_server,established; content:"/DB4Web/"; http_uri; metadata:ruleset community, service http; reference:nessus,11180; classtype:web-application-activity; sid:2060; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MsmMask.exe access"; flow:to_server,established; content:"/MsmMask.exe"; http_uri; metadata:ruleset community, service http; reference:nessus,11163; classtype:web-application-activity; sid:2059; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MsmMask.exe attempt"; flow:to_server,established; content:"/MsmMask.exe"; http_uri; content:"mask="; metadata:ruleset community, service http; reference:nessus,11163; classtype:web-application-attack; sid:2058; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP helpout.exe access"; flow:to_server,established; content:"/helpout.exe"; http_uri; metadata:ruleset community, service http; reference:bugtraq,6002; reference:cve,2002-1169; reference:nessus,11162; classtype:web-application-activity; sid:2057; rev:12;)
# NOTE(review): matches the literal bytes "TRACE" within the first five bytes of a
# client-to-server payload (depth:5). It does not use the http_method buffer and checks nothing
# else about the request, so every TRACE request alerts, including vulnerability-scanner probes.
# The durable mitigation is to disable the TRACE method on the web servers in $HOME_NET; this
# rule then serves as a check that the method is still being probed.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TRACE attempt"; flow:to_server,established; content:"TRACE"; depth:5; metadata:ruleset community, service http; reference:bugtraq,9561; reference:cve,2003-1567; reference:cve,2004-2320; reference:cve,2010-0360; reference:nessus,11213; classtype:web-application-attack; sid:2056; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Bugtraq enter_bug.cgi access"; flow:to_server,established; content:"/enter_bug.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3272; reference:cve,2002-0008; classtype:web-application-activity; sid:2055; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Bugtraq enter_bug.cgi arbitrary command attempt"; flow:to_server,established; content:"/enter_bug.cgi"; fast_pattern; nocase; http_uri; content:"who="; content:"|3B|"; distance:0; metadata:ruleset community, service http; reference:bugtraq,3272; reference:cve,2002-0008; classtype:web-application-attack; sid:2054; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Bugtraq process_bug.cgi access"; flow:to_server,established; content:"/process_bug.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3272; reference:cve,2002-0008; classtype:web-application-activity; sid:2053; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP overflow.cgi access"; flow:to_server,established; content:"/overflow.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6326; reference:cve,2002-1361; reference:nessus,11190; reference:url,www.cert.org/advisories/CA-2002-35.html; classtype:web-application-activity; sid:2052; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cached_feed.cgi moreover shopping cart access"; flow:to_server,established; content:"/cached_feed.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-activity; sid:2051; rev:11;)
# NOTE(review): generic, application-independent rule. It fires on any normalized URI that
# contains ".php" and a "path=" parameter whose value begins with http, https, ftp, ftps or php
# (pcre is case-insensitive and runs on the URI buffer: /Ui). The pattern is not anchored to a
# parameter-name boundary, so names that merely end in "path" match too, and the "php"
# alternative matches ordinary values that start with those three letters. Expect false positives
# from applications that legitimately pass URLs in such a parameter; tune or suppress per
# application before enabling.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP remote include path attempt"; flow:to_server,established; content:".php"; nocase; http_uri; content:"path="; fast_pattern:only; http_uri; pcre:"/path=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/File_inclusion_vulnerability; reference:url,php.net/manual/en/function.include.php; classtype:web-application-attack; sid:2002; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP smartsearch.cgi access"; flow:to_server,established; content:"/smartsearch.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7133; classtype:web-application-activity; sid:2001; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP readmsg.php access"; flow:to_server,established; content:"/readmsg.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2001-1408; reference:nessus,11073; classtype:web-application-activity; sid:2000; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP edit_image.php access"; flow:to_server,established; content:"/edit_image.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3288; reference:cve,2001-1020; reference:nessus,11104; classtype:web-application-activity; sid:1999; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar.php access"; flow:to_server,established; content:"/calendar.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,5820; reference:bugtraq,9353; reference:cve,2002-1660; reference:cve,2004-1785; reference:nessus,11179; classtype:web-application-activity; sid:1998; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP read_body.php access attempt"; flow:to_server,established; content:"/read_body.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6302; reference:cve,2002-1341; reference:nessus,11415; classtype:web-application-activity; sid:1997; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP viralator.cgi access"; flow:to_server,established; content:"/viralator.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3495; reference:cve,2001-0849; reference:nessus,11107; classtype:web-application-activity; sid:1996; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alya.cgi access"; flow:to_server,established; content:"/alya.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11118; classtype:web-application-activity; sid:1995; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP vpasswd.cgi access"; flow:to_server,established; content:"/vpasswd.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6038; reference:nessus,11165; classtype:web-application-activity; sid:1994; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP perl post attempt"; flow:to_server,established; content:"POST"; depth:4; content:"/perl/"; http_uri; metadata:ruleset community, service http; reference:bugtraq,5520; reference:cve,2002-1436; reference:nessus,11158; classtype:web-application-attack; sid:1979; rev:11;)
# NOTE(review): these two rules match only the procedure name (xp_regdeletekey / xp_regwrite,
# SQL Server extended stored procedures that modify the registry) anywhere in the
# client-to-server payload: there is no http_uri or other buffer modifier and no reference entry.
# The msg says "attempt" while classtype is web-application-activity, so the default priority is
# that of an access event; confirm that matches how these alerts should be triaged.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP xp_regdeletekey attempt"; flow:to_server,established; content:"xp_regdeletekey"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1978; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP xp_regwrite attempt"; flow:to_server,established; content:"xp_regwrite"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1977; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ion-p access"; flow:to_server,established; content:"/ion-p"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6091; reference:cve,2002-1559; reference:nessus,11729; classtype:web-application-activity; sid:1969; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phpbb quick-reply.php access"; flow:to_server,established; content:"/quick-reply.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6173; reference:cve,2002-2287; classtype:web-application-activity; sid:1968; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phpbb quick-reply.php arbitrary command attempt"; flow:to_server,established; content:"/quick-reply.php"; http_uri; content:"phpbb_root_path="; metadata:ruleset community, service http; reference:bugtraq,6173; reference:cve,2002-2287; classtype:web-application-attack; sid:1967; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"SERVER-WEBAPP answerbook2 arbitrary command execution attempt"; flow:to_server,established; content:"/ab2/"; content:"|3B|"; distance:1; metadata:ruleset community; reference:bugtraq,1556; reference:cve,2000-0697; classtype:web-application-attack; sid:1947; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"SERVER-WEBAPP answerbook2 admin attempt"; flow:to_server,established; content:"/cgi-bin/admin/admin"; metadata:ruleset community; reference:bugtraq,5383; reference:cve,2000-0696; classtype:web-application-activity; sid:1946; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /ecscripts/ecware.exe access"; flow:to_server,established; content:"/ecscripts/ecware.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6066; classtype:web-application-activity; sid:1944; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /Carello/add.exe access"; flow:to_server,established; content:"/Carello/add.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1245; reference:cve,2000-0396; reference:nessus,11776; classtype:web-application-activity; sid:1943; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cart.cgi access"; flow:to_server,established; content:"/cart.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1115; reference:cve,2000-0252; reference:nessus,10368; classtype:web-application-activity; sid:1933; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rpc-smb.pl access"; flow:to_server,established; content:"/rpc-smb.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1278; classtype:web-application-activity; sid:1932; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rpc-nlog.pl access"; flow:to_server,established; content:"/rpc-nlog.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1278; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=91470326629357&w=2; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=91471400632145&w=2; classtype:web-application-activity; sid:1931; rev:12;)
# NOTE(review): the content is "GET / HTTP/1.1" followed immediately by CRLF CRLF, and depth:18
# equals the pattern length, so it must sit at the very start of the payload. In other words the
# rule flags an HTTP/1.1 request for "/" that carries no headers at all, not even Host, which
# ordinary browsers do not send. No http_* buffer is used; the match is on raw payload bytes.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack"; flow:to_server,established; content:"GET / HTTP/1.1|0D 0A 0D 0A|"; depth:18; metadata:ruleset community, service http; reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html; classtype:web-application-activity; sid:1881; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP oracle web application server access"; flow:to_server,established; content:"/ows-bin/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-activity; sid:1880; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP book.cgi arbitrary command execution attempt"; flow:to_server,established; content:"/book.cgi"; fast_pattern:only; http_uri; content:"current=|7C|"; nocase; metadata:ruleset community, service http; reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721; classtype:web-application-attack; sid:1879; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sdbsearch.cgi access"; flow:to_server,established; content:"/sdbsearch.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10503; classtype:web-application-activity; sid:1878; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP printenv access"; flow:to_server,established; content:"/printenv"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10188; reference:nessus,10503; classtype:web-application-activity; sid:1877; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nph-publish.cgi access"; flow:to_server,established; content:"/nph-publish.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1177; reference:nessus,10164; classtype:web-application-activity; sid:1876; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgicso access"; flow:to_server,established; content:"/cgicso"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6141; reference:cve,2002-1652; reference:nessus,10779; reference:nessus,10780; classtype:web-application-activity; sid:1875; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Java Process Manager access"; flow:to_server,established; content:"/oprocmgr-status"; http_uri; metadata:ruleset community, service http; reference:nessus,10851; classtype:web-application-activity; sid:1874; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP globals.jsa access"; flow:to_server,established; content:"/globals.jsa"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4034; reference:cve,2002-0562; reference:nessus,10850; classtype:web-application-activity; sid:1873; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Dynamic Monitoring Services dms access"; flow:to_server,established; content:"/dms0"; http_uri; metadata:ruleset community, service http; reference:nessus,10848; classtype:web-application-activity; sid:1872; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle XSQLConfig.xml access"; flow:to_server,established; content:"/XSQLConfig.xml"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4290; reference:cve,2002-0568; reference:nessus,10855; classtype:web-application-activity; sid:1871; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP siteUserMod.cgi access"; flow:to_server,established; content:"/.cobalt/siteUserMod/siteUserMod.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,951; reference:cve,2000-0117; reference:nessus,10253; classtype:web-application-activity; sid:1870; rev:13;)
# NOTE(review): both rules are tagged classtype:default-login-attempt, but neither inspects
# credentials: sid 1869 is a plain access rule for /story.pl and sid 1868 looks for "next=../"
# (a directory-traversal pattern, matched in the raw payload). Alerts will therefore be labelled
# as default-login events in consoles and reports. This looks like a classification mismatch;
# the sibling access/attack rules in this file use web-application-activity and
# web-application-attack. Both rules apply to destination port 8080 only.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Interactive Story story.pl access"; flow:to_server,established; content:"/story.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:1869; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Interactive Story story.pl arbitrary file read attempt"; flow:to_server,established; content:"/story.pl"; http_uri; content:"next=../"; metadata:ruleset community, service http; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:1868; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webdist.cgi arbitrary command attempt"; flow:to_server,established; content:"/webdist.cgi"; nocase; http_uri; content:"distloc=|3B|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-attack; sid:1865; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mrtg.cgi directory traversal attempt"; flow:to_server,established; content:"/mrtg.cgi"; http_uri; content:"cfg=/../"; metadata:ruleset community, service http; reference:bugtraq,4017; reference:cve,2002-0232; reference:nessus,11001; classtype:web-application-attack; sid:1862; rev:14;)
# NOTE(review): sid 1861 and sid 1860 look for HTTP Basic credentials in the request:
# "YWRtaW46YWRtaW4" is the base64 form of admin:admin and "OmFkbWlu" is the base64 form of :admin
# (empty user name). Nothing in either rule is specific to Linksys beyond destination port 8080,
# and only the request direction is inspected, so an alert records an attempt with those
# credentials, not a successful login. sid 1861 has no "service http" metadata and matches raw
# payload; sid 1860 uses the http_header buffer (content modifier and pcre H flag).
# sid 1859 is limited to port 9090 and matches both contents in the raw payload; the
# 32-hex-character string is presumably a fixed value tied to the default password. The rule
# itself does not explain it; confirm against reference nessus,10995.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Linksys router default username and password login attempt"; flow:to_server,established; content:"YWRtaW46YWRtaW4"; pcre:"/^Authorization\x3a\s*Basic\s+(?-i)YWRtaW46YWRtaW4[=\s]/smi"; metadata:ruleset community; reference:nessus,10999; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:1861; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Linksys router default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+OmFkbWlu/smiH"; metadata:ruleset community, service http; reference:nessus,10999; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:1860; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP Oracle JavaServer default password login attempt"; flow:to_server,established; content:"/servlet/admin"; content:"ae9f86d6beaa3f9ecb9a5b7e072a4138"; metadata:ruleset community; reference:nessus,10995; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:1859; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CISCO PIX Firewall Manager directory traversal attempt"; flow:to_server,established; content:"/pixfir~1/how_to_login.html"; http_uri; metadata:ruleset community, service http; reference:bugtraq,691; reference:cve,1999-0158; reference:nessus,10819; classtype:misc-attack; sid:1858; rev:12;)
# NOTE(review): the two rules differ only in the file name ("/robot.txt" vs "/robots.txt") and
# share reference nessus,10302. /robots.txt is requested routinely by search-engine crawlers, so
# sid 1852 is a high-volume informational event on any Internet-facing server. Enable it only
# with thresholding or suppression in place, or leave it disabled as shipped here.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP robot.txt access"; flow:to_server,established; content:"/robot.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10302; classtype:web-application-activity; sid:1857; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP robots.txt access"; flow:to_server,established; content:"/robots.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP active.log access"; flow:to_server,established; content:"/active.log"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1497; reference:cve,2000-0642; reference:nessus,10470; classtype:web-application-activity; sid:1851; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP way-board.cgi access"; flow:to_server,established; content:"/way-board.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10610; classtype:web-application-activity; sid:1850; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webfind.exe access"; flow:to_server,established; content:"/webfind.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1487; reference:cve,2000-0622; reference:nessus,10475; classtype:web-application-activity; sid:1849; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webcart-lite access"; flow:to_server,established; content:"/webcart-lite/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0610; reference:nessus,10298; classtype:web-application-activity; sid:1848; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webalizer access"; flow:to_server,established; content:"/webalizer/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3473; reference:cve,2001-0835; reference:nessus,10816; classtype:web-application-activity; sid:1847; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mailman cross site scripting attempt"; flow:to_server,established; content:"/mailman/"; nocase; http_uri; content:"?"; http_uri; content:"info="; http_uri; content:"<script"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,5298; reference:cve,2002-0855; reference:nessus,14984; classtype:web-application-attack; sid:1839; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Macromedia SiteSpring cross site scripting attempt"; flow:to_server,established; content:"/error/500error.jsp"; nocase; http_uri; content:"et="; http_uri; content:"<script"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,5249; reference:cve,2002-1027; classtype:web-application-attack; sid:1835; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-Wiki cross site scripting attempt"; flow:to_server,established; content:"/modules.php?"; http_uri; content:"name=Wiki"; fast_pattern; nocase; http_uri; content:"<script"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,5254; reference:cve,2002-1070; classtype:web-application-attack; sid:1834; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP jigsaw dos attempt"; flow:to_server,established; content:"/servlet/con"; http_uri; pcre:"/\x2Fcon\b/Ui"; metadata:ruleset community, service http; reference:bugtraq,5258; reference:cve,2002-1052; reference:nessus,11047; classtype:web-application-attack; sid:1831; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP iPlanet Search directory traversal attempt"; flow:to_server,established; content:"/search"; nocase; http_uri; content:"NS-query-pat="; fast_pattern:only; http_uri; content:"../"; http_uri; metadata:ruleset community, service http; reference:bugtraq,5191; reference:cve,2002-1042; reference:nessus,11043; classtype:web-application-attack; sid:1828; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WEB-INF access"; flow:to_server,established; content:"/WEB-INF"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1830; reference:bugtraq,5119; reference:cve,2000-1050; reference:cve,2001-0179; reference:nessus,11037; classtype:web-application-activity; sid:1826; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AlienForm af.cgi access"; flow:to_server,established; content:"/af.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-activity; sid:1825; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AlienForm alienform.cgi access"; flow:to_server,established; content:"/alienform.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-activity; sid:1824; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AlienForm af.cgi directory traversal attempt"; flow:to_server,established; content:"/af.cgi"; http_uri; content:".|7C|./.|7C|."; metadata:ruleset community, service http; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-attack; sid:1823; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AlienForm alienform.cgi directory traversal attempt"; flow:to_server,established; content:"/alienform.cgi"; http_uri; content:".|7C|./.|7C|."; metadata:ruleset community, service http; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-attack; sid:1822; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Net.Commerce orderdspc.d2w access"; flow:to_server,established; content:"/ncommerce3/ExecMacro/orderdspc.d2w"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2350; reference:cve,2001-0319; reference:nessus,11020; classtype:web-application-activity; sid:1820; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP directory.php access"; flow:to_server,established; content:"/directory.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4278; reference:cve,2002-0434; classtype:misc-attack; sid:1816; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP directory.php arbitrary command attempt"; flow:to_server,established; content:"/directory.php"; http_uri; content:"dir="; content:"|3B|"; metadata:ruleset community, service http; reference:bugtraq,4278; reference:cve,2002-0434; reference:nessus,11017; classtype:misc-attack; sid:1815; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CISCO VoIP DOS ATTEMPT"; flow:to_server,established; content:"/StreamingStatistics"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4794; reference:cve,2002-0882; reference:nessus,11013; classtype:misc-attack; sid:1814; rev:15;)
# NOTE(review): the msg describes an exploit attempt and the content is a raw
# byte sequence matched in the HTTP header buffer, yet classtype is
# web-application-activity. The stock classification.config ranks that below
# web-application-attack, so the alert would be raised at a lower priority than
# the other "attempt" rules here. Before enabling, confirm the resulting
# priority fits your triage policy; an override belongs in a local copy of the
# rule (its own SID, explicit priority:) rather than in this vendor file.
# sid:1657 and sid:1723 in this file pair an "attempt" msg with the same
# classtype.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP apache chunked encoding memory corruption exploit attempt"; flow:to_server,established; content:"|C0|PR|89 E1|PQRP|B8 3B 00 00 00 CD 80|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:bugtraq,5033; reference:cve,2002-0392; classtype:web-application-activity; sid:1808; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Reports CGI access"; flow:to_server,established; content:"/rwcgi60"; fast_pattern:only; http_uri; content:"setauth="; metadata:ruleset community, service http; reference:bugtraq,4848; reference:cve,2002-0947; classtype:web-application-activity; sid:1805; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csPassword password.cgi.tmp access"; flow:to_server,established; content:"/password.cgi.tmp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4889; reference:cve,2002-0920; classtype:web-application-activity; sid:1788; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csPassword.cgi access"; flow:to_server,established; content:"/csPassword.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4885; reference:bugtraq,4886; reference:bugtraq,4887; reference:bugtraq,4889; reference:cve,2002-0917; reference:cve,2002-0918; classtype:web-application-activity; sid:1787; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb_smilies.php access"; flow:to_server,established; content:"/bb_smilies.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html; classtype:web-application-activity; sid:1774; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP php.exe access"; flow:to_server,established; content:"/php.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.securitytracker.com/alerts/2002/Jan/1003104.html; classtype:web-application-activity; sid:1773; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .FBCIndex access"; flow:to_server,established; content:"/.FBCIndex"; http_uri; metadata:ruleset community, service http; reference:url,www.securiteam.com/securitynews/5LP0O005FS.html; classtype:web-application-activity; sid:1770; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .DS_Store access"; flow:to_server,established; content:"/.DS_Store"; http_uri; metadata:ruleset community, service http; reference:url,www.macintouch.com/mosxreaderreports46.html; classtype:web-application-activity; sid:1769; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP search.dll access"; flow:to_server,established; content:"/search.dll"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1684; reference:cve,2000-0835; reference:nessus,10514; classtype:web-application-activity; sid:1767; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP search.dll directory listing attempt"; flow:to_server,established; content:"/search.dll"; http_uri; content:"query=%00"; metadata:ruleset community, service http; reference:bugtraq,1684; reference:cve,2000-0835; reference:nessus,10514; classtype:web-application-attack; sid:1766; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Nortel Contivity cgiproc access"; flow:to_server,established; content:"/cgiproc"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-activity; sid:1765; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Nortel Contivity cgiproc DOS attempt"; flow:to_server,established; content:"/cgiproc?|24|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-attack; sid:1764; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Nortel Contivity cgiproc DOS attempt"; flow:to_server,established; content:"/cgiproc?Nocfile="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-attack; sid:1763; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP b2 arbitrary command execution attempt"; flow:to_server,established; content:"/b2/b2-include/"; http_uri; content:"b2inc"; content:"http|3A|//"; metadata:ruleset community, service http; reference:bugtraq,4673; reference:cve,2002-0734; reference:cve,2002-1466; reference:nessus,11667; classtype:web-application-attack; sid:1757; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Messagerie supp_membre.php access"; flow:to_server,established; content:"/supp_membre.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4635; classtype:web-application-activity; sid:1745; rev:15;)
# NOTE(review): the only match condition is the case-insensitive string
# "secure_site, ok" with no http_* buffer modifier and no URI anchor, so the
# rule keys on that text anywhere in established client-to-server traffic on
# $HTTP_PORTS. It cites a single bugtraq id and no CVE. If enabled, baseline it
# against normal traffic first and treat a hit as a lead to correlate with web
# server logs, not as confirmation of an authentication bypass.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SecureSite authentication bypass attempt"; flow:to_server,established; content:"secure_site, ok"; nocase; metadata:ruleset community, service http; reference:bugtraq,4621; classtype:web-application-attack; sid:1744; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Blahz-DNS dostuff.php access"; flow:to_server,established; content:"/dostuff.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-activity; sid:1743; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Blahz-DNS dostuff.php modify user attempt"; flow:to_server,established; content:"/dostuff.php?"; nocase; http_uri; content:"action=modify_user"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-attack; sid:1742; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DNSTools access"; flow:to_server,established; content:"/dnstools.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-activity; sid:1741; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DNSTools authentication bypass attempt"; flow:to_server,established; content:"/dnstools.php"; fast_pattern; nocase; http_uri; content:"user_logged_in=true"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:1740; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DNSTools administrator authentication bypass attempt"; flow:to_server,established; content:"/dnstools.php"; nocase; http_uri; content:"user_logged_in=true"; nocase; http_uri; content:"user_dnstools_administrator=true"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:1739; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP global.inc access"; flow:to_server,established; content:"/global.inc"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4612; reference:cve,2002-0614; classtype:web-application-attack; sid:1738; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP squirrel mail theme arbitrary command attempt"; flow:to_server,established; content:"/left_main.php"; nocase; http_uri; content:"cmdd="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4385; reference:cve,2002-0516; classtype:web-application-attack; sid:1737; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP squirrel mail spell-check arbitrary command attempt"; flow:to_server,established; content:"/squirrelspell/modules/check_me.mod.php"; fast_pattern; nocase; http_uri; content:"SQSPELL_APP["; nocase; metadata:ruleset community, service http; reference:bugtraq,3952; classtype:web-application-attack; sid:1736; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP a1stats access"; flow:to_server,established; content:"/a1stats/"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-activity; sid:1731; rev:14;)
# NOTE(review): the script name is matched in the normalized URI buffer
# (http_uri), but the traversal string "file=../../" carries no http_* modifier,
# so it is compared against the raw payload. That lets the parameter match in a
# request body as well as the URI, but the literal is presumably not matched
# when the same sequence arrives in an encoded form. Verify with a test pcap
# before relying on this rule. If coverage of the normalized buffers is needed,
# add it in a local rule with its own SID (e.g. http_uri / http_client_body
# variants) rather than editing this file.
# sid:1719, sid:1704, sid:1703, sid:1657 and sid:1628 in this file use the same
# unmodified second content.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ustorekeeper.pl directory traversal attempt"; flow:to_server,established; content:"/ustorekeeper.pl"; nocase; http_uri; content:"file=../../"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,2536; reference:cve,2001-0466; reference:nessus,10645; classtype:web-application-attack; sid:1730; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SGI InfoSearch fname access"; flow:to_server,established; content:"/infosrch.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1031; reference:cve,2000-0207; classtype:web-application-activity; sid:1727; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP emumail.cgi access"; flow:to_server,established; content:"/emumail.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,5824; reference:cve,2002-1526; classtype:web-application-activity; sid:1724; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP emumail.cgi NULL attempt"; flow:to_server,established; content:"/emumail.cgi"; http_uri; content:"type="; nocase; content:"%00"; metadata:ruleset community, service http; reference:bugtraq,5824; reference:cve,2002-1526; classtype:web-application-activity; sid:1723; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP MachineInfo access"; flow:to_server,established; content:"/MachineInfo"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1067; classtype:web-application-activity; sid:1722; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP adcycle access"; flow:to_server,established; content:"/adcycle"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3741; reference:cve,2001-1226; classtype:web-application-activity; sid:1721; rev:18;)
# NOTE(review): both rules below are labelled "talkback.cgi" in msg but match
# the literal "/talkbalk.cgi". As written they fire only on the misspelled path,
# so a request for /talkback.cgi would not alert and enabling them may give a
# false sense of coverage. Check the script name against the cited references
# (bugtraq 2547, CVE-2001-0420) before enabling. If the content is the typo,
# carry the correction in a local rule with its own SID instead of editing this
# vendor-managed file, which a ruleset update would typically overwrite.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP talkback.cgi access"; flow:to_server,established; content:"/talkbalk.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2547; reference:cve,2001-0420; classtype:web-application-activity; sid:1720; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP talkback.cgi directory traversal attempt"; flow:to_server,established; content:"/talkbalk.cgi"; nocase; http_uri; content:"article=../../"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,2547; reference:cve,2001-0420; classtype:web-application-attack; sid:1719; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP statsconfig.pl access"; flow:to_server,established; content:"/statsconfig.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2211; reference:cve,2001-0113; classtype:web-application-activity; sid:1718; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP simplestguest.cgi access"; flow:to_server,established; content:"/simplestguest.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2106; reference:cve,2001-0022; classtype:web-application-activity; sid:1717; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP gbook.cgi access"; flow:to_server,established; content:"/gbook.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1940; reference:cve,2000-1131; classtype:web-application-activity; sid:1716; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP register.cgi access"; flow:to_server,established; content:"/register.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2157; reference:cve,2001-0076; classtype:web-application-activity; sid:1715; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP newdesk access"; flow:to_server,established; content:"/newdesk"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1714; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgforum.cgi access"; flow:to_server,established; content:"/cgforum.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1951; reference:cve,2000-1132; classtype:web-application-activity; sid:1713; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bslist.cgi access"; flow:to_server,established; content:"/bslist.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2160; reference:cve,2001-0100; classtype:web-application-activity; sid:1712; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bsguest.cgi access"; flow:to_server,established; content:"/bsguest.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2159; reference:cve,2001-0099; classtype:web-application-activity; sid:1711; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bbs_forum.cgi access"; flow:to_server,established; content:"/bbs_forum.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2177; reference:cve,2001-0123; reference:url,www.cgisecurity.com/advisory/3.1.txt; classtype:web-application-activity; sid:1710; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ad.cgi access"; flow:to_server,established; content:"/ad.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2103; reference:cve,2001-0025; reference:nessus,11464; classtype:web-application-activity; sid:1709; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP hello.bat access"; flow:to_server,established; content:"/hello.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-activity; sid:1708; rev:15;)
# NOTE(review): the second content is the single character "&" with no http_*
# buffer modifier and no distance/within tying it to the URI match, so an
# ampersand anywhere in the inspected payload satisfies it. In practice this
# rule adds little over the plain "hello.bat access" rule (sid:1708) while
# reporting at the higher web-application-attack classtype. Expect false
# positives on ordinary multi-parameter requests and check the full request
# line before escalating. sid:1705 (echo.bat) has the same construction.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP hello.bat arbitrary command execution attempt"; flow:to_server,established; content:"/hello.bat"; http_uri; content:"&"; metadata:ruleset community, service http; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-attack; sid:1707; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP echo.bat access"; flow:to_server,established; content:"/echo.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-activity; sid:1706; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP echo.bat arbitrary command execution attempt"; flow:to_server,established; content:"/echo.bat"; http_uri; content:"&"; metadata:ruleset community, service http; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-attack; sid:1705; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cal_make.pl directory traversal attempt"; flow:to_server,established; content:"/cal_make.pl"; nocase; http_uri; content:"p0=../../"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,2663; reference:cve,2001-0463; reference:nessus,10664; classtype:web-application-attack; sid:1704; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP auktion.cgi directory traversal attempt"; flow:to_server,established; content:"/auktion.cgi"; fast_pattern; nocase; http_uri; content:"menue=../../"; nocase; metadata:ruleset community, service http; reference:bugtraq,2367; reference:cve,2001-0212; reference:nessus,10638; classtype:web-application-attack; sid:1703; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Amaya templates sendtemp.pl access"; flow:to_server,established; content:"/sendtemp.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2504; reference:cve,2001-0272; classtype:web-application-activity; sid:1702; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar-admin.pl access"; flow:to_server,established; content:"/calendar-admin.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1215; reference:cve,2000-0432; reference:nessus,10506; classtype:web-application-activity; sid:1701; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP imagemap.exe access"; flow:to_server,established; content:"/imagemap.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,739; reference:cve,1999-0951; reference:nessus,10122; classtype:web-application-activity; sid:1700; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /home/www access"; flow:to_server,established; content:"/home/www"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1671; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /home/ftp access"; flow:to_server,established; content:"/home/ftp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1670; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /cgi-dos/ access"; flow:to_server,established; content:"/cgi-dos/"; http_uri; content:"/cgi-dos/ HTTP"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1669; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /cgi-bin/ access"; flow:to_server,established; content:"/cgi-bin/"; http_uri; content:"/cgi-bin/ HTTP"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1668; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cross site scripting HTML Image tag set to javascript attempt"; flow:to_server,established; content:"img src=javascript"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4858; reference:cve,2002-0902; classtype:web-application-attack; sid:1667; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mkplog.exe access"; flow:to_server,established; content:"/mkplog.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1664; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP *%20.pl access"; flow:to_server,established; content:" .pl"; fast_pattern:only; http_uri; pcre:"/\/[^\r\n]*\x20.pl/Ui"; metadata:ruleset community, service http; reference:nessus,11007; reference:url,rtfm.vn.ua/inet/sec/cgi-bugs.htm; reference:url,www.securityfocus.com/archive/1/149482; classtype:web-application-attack; sid:1663; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /~ftp access"; flow:to_server,established; content:"/~ftp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1662; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pagelog.cgi access"; flow:to_server,established; content:"/pagelog.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1864; reference:cve,2000-0940; reference:nessus,10591; classtype:web-application-activity; sid:1658; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pagelog.cgi directory traversal attempt"; flow:to_server,established; content:"/pagelog.cgi"; nocase; http_uri; content:"name=../"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,1864; reference:cve,2000-0940; reference:nessus,10591; classtype:web-application-activity; sid:1657; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pfdispaly.cgi access"; flow:to_server,established; content:"/pfdispaly.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,64; reference:cve,1999-0270; reference:nessus,10174; classtype:web-application-activity; sid:1656; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pfdispaly.cgi arbitrary command execution attempt"; flow:to_server,established; content:"/pfdispaly.cgi?"; nocase; http_uri; content:"'"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0270; reference:nessus,10174; classtype:web-application-attack; sid:1655; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cart32.exe access"; flow:to_server,established; content:"/cart32.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1153; reference:nessus,10389; classtype:web-application-activity; sid:1654; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP campas attempt"; flow:to_server,established; content:"/campas?|0A|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1975; reference:cve,1999-0146; reference:nessus,10035; classtype:web-application-attack; sid:1652; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP environ.pl access"; flow:to_server,established; content:"/environ.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1651; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tst.bat access"; flow:to_server,established; content:"/tst.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10014; classtype:web-application-activity; sid:1650; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP perl command attempt"; flow:to_server,established; content:"/perl?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1649; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP perl.exe command attempt"; flow:to_server,established; content:"/perl.exe?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1648; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test.cgi access"; flow:to_server,established; content:"/test.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1646; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP testcgi access"; flow:to_server,established; content:"/testcgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7214; reference:cve,2003-1531; reference:nessus,11610; classtype:web-application-activity; sid:1645; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP db2www access"; flow:to_server,established; content:"/db2www"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2000-0677; classtype:web-application-activity; sid:1643; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP document.d2w access"; flow:to_server,established; content:"/document.d2w"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2017; reference:cve,2000-1110; classtype:web-application-activity; sid:1642; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP yabb access"; flow:to_server,established; content:"/YaBB"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1668; reference:cve,2000-0853; reference:nessus,10512; classtype:attempted-recon; sid:1637; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP FormHandler.cgi directory traversal attempt attempt"; flow:to_server,established; content:"/FormHandler.cgi"; nocase; http_uri; content:"reply_message_attach="; fast_pattern:only; content:"/../"; metadata:ruleset community, service http; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-attack; sid:1628; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Bugzilla doeditvotes.cgi access"; flow:to_server,established; content:"/doeditvotes.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3800; reference:cve,2002-0011; classtype:web-application-activity; sid:1617; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htgrep attempt"; flow:to_server,established; content:"/htgrep"; http_uri; content:"hdr=/"; metadata:ruleset community, service http; reference:cve,2000-0832; reference:nessus,10495; classtype:web-application-attack; sid:1615; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Novell Groupwise gwweb.exe attempt"; flow:to_server,established; content:"/GWWEB.EXE?"; nocase; http_uri; content:"HELP="; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1614; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP handler attempt"; flow:to_server,established; content:"/handler"; http_uri; content:"|7C|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; classtype:web-application-attack; sid:1613; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ftp.pl attempt"; flow:to_server,established; content:"/ftp.pl?"; nocase; http_uri; content:"dir=../.."; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1471; reference:cve,2000-0674; reference:nessus,10467; classtype:web-application-attack; sid:1612; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP eXtropia webstore access"; flow:to_server,established; content:"/web_store.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1774; reference:cve,2000-1005; reference:nessus,10532; classtype:web-application-activity; sid:1611; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP formmail arbitrary command execution attempt"; flow:to_server,established; content:"/formmail"; fast_pattern; nocase; http_uri; content:"%0a"; nocase; metadata:ruleset community, service http; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-attack; sid:1610; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htmlscript attempt"; flow:to_server,established; content:"/htmlscript?../.."; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2001; reference:cve,1999-0264; reference:nessus,10106; classtype:web-application-attack; sid:1608; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP HyperSeek hsx.cgi access"; flow:to_server,established; content:"/hsx.cgi"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2314; reference:cve,2001-0253; reference:nessus,10602; classtype:web-application-activity; sid:1607; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP icat access"; flow:to_server,established; content:"/icat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1069; classtype:web-application-activity; sid:1606; rev:14;)
# NOTE: port-bound rule. There is no "service" metadata and the header names
# destination port 4080 on $HOME_NET, so only traffic to that port is covered.
# The single content "/../../" is a payload match with no http_* buffer, and
# the classtype is web-application-activity even though the msg describes a
# directory traversal attempt.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4080 (msg:"SERVER-WEBAPP iChat directory traversal attempt"; flow:to_server,established; content:"/../../"; metadata:ruleset community; reference:cve,1999-0897; classtype:web-application-activity; sid:1604; rev:11;)
# NOTE: matches the literal method "DELETE " within the first 7 payload bytes
# (depth:7, nocase); no URI or application is constrained. Any legitimate
# HTTP DELETE sent to $HTTP_SERVERS (REST APIs, WebDAV) would alert. If this
# rule is enabled, scope $HTTP_SERVERS tightly or add a suppress or
# event_filter entry for hosts where DELETE is expected.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DELETE attempt"; flow:to_server,established; content:"DELETE "; depth:7; nocase; metadata:ruleset community, service http; reference:nessus,10498; classtype:web-application-activity; sid:1603; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htsearch access"; flow:to_server,established; content:"/htsearch"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1026; reference:cve,2000-0208; reference:nessus,10105; classtype:web-application-activity; sid:1602; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htsearch arbitrary file read attempt"; flow:to_server,established; content:"/htsearch?exclude=`"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1026; reference:cve,2000-0208; reference:nessus,10105; classtype:web-application-attack; sid:1601; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htsearch arbitrary configuration file attempt"; flow:to_server,established; content:"/htsearch?-c"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3410; reference:cve,2001-0834; classtype:web-application-attack; sid:1600; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP search.cgi access"; flow:to_server,established; content:"/search.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,921; reference:cve,2000-0054; classtype:web-application-activity; sid:1599; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Home Free search.cgi directory traversal attempt"; flow:to_server,established; content:"/search.cgi"; http_uri; content:"letter=../"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,921; reference:cve,2000-0054; reference:nessus,10101; classtype:web-application-attack; sid:1598; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP guestbook.cgi access"; flow:to_server,established; content:"/guestbook.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0237; reference:nessus,10098; classtype:web-application-activity; sid:1597; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP FormHandler.cgi access"; flow:to_server,established; content:"/FormHandler.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-activity; sid:1594; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP FormHandler.cgi external site redirection attempt"; flow:to_server,established; content:"/FormHandler.cgi"; fast_pattern:only; http_uri; content:"redirect=http"; metadata:ruleset community, service http; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-attack; sid:1593; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /fcgi-bin/echo.exe access"; flow:to_server,established; content:"/fcgi-bin/echo.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10838; classtype:web-application-activity; sid:1592; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP faqmanager.cgi access"; flow:to_server,established; content:"/faqmanager.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3810; reference:cve,2002-2033; reference:nessus,10837; classtype:web-application-activity; sid:1591; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP faqmanager.cgi arbitrary file access attempt"; flow:to_server,established; content:"/faqmanager.cgi?"; nocase; http_uri; content:"toc="; distance:0; nocase; http_uri; content:"|00|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3810; reference:cve,2002-2033; reference:nessus,10837; classtype:web-application-attack; sid:1590; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP musicat empower attempt"; flow:to_server,established; content:"/empower?DB="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2374; reference:cve,2001-0224; reference:nessus,10609; classtype:web-application-attack; sid:1589; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SalesLogix Eviewer access"; flow:to_server,established; content:"/slxweb.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1078; reference:bugtraq,1089; reference:cve,2000-0278; reference:cve,2000-0289; classtype:web-application-activity; sid:1588; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgitest.exe access"; flow:to_server,established; content:"/cgitest.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1313; reference:bugtraq,3885; reference:cve,2000-0521; reference:cve,2002-0128; reference:nessus,10040; reference:nessus,10623; reference:nessus,11131; classtype:web-application-activity; sid:1587; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino mail.box access"; flow:to_server,established; content:"/mail.box"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,881; reference:cve,2000-0021; reference:cve,2000-0022; reference:cve,2000-0023; reference:nessus,10629; classtype:attempted-recon; sid:1586; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino agentrunner.nsf access"; flow:to_server,established; content:"/agentrunner.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1585; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino bookmark.nsf access"; flow:to_server,established; content:"/bookmark.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1584; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino mailw46.nsf access"; flow:to_server,established; content:"/mailw46.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1583; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino collect4.nsf access"; flow:to_server,established; content:"/collect4.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1582; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino ntsync4.nsf access"; flow:to_server,established; content:"/ntsync4.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1581; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino events4.nsf access"; flow:to_server,established; content:"/events4.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1580; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino webadmin.nsf access"; flow:to_server,established; content:"/webadmin.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9900; reference:bugtraq,9901; reference:cve,2004-2310; reference:cve,2004-2311; reference:cve,2004-2369; reference:nessus,10629; classtype:attempted-recon; sid:1579; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino statrep.nsf access"; flow:to_server,established; content:"/statrep.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1578; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino setup.nsf access"; flow:to_server,established; content:"/setup.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1577; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino cersvr.nsf access"; flow:to_server,established; content:"/cersvr.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1576; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino mab.nsf access"; flow:to_server,established; content:"/mab.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4022; reference:cve,2001-1567; reference:nessus,10953; classtype:attempted-recon; sid:1575; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP directorypro.cgi attempt"; flow:to_server,established; content:"/directorypro.cgi"; http_uri; content:"show="; content:"../.."; distance:1; metadata:ruleset community, service http; reference:bugtraq,2793; reference:cve,2001-0780; reference:nessus,10679; classtype:web-application-attack; sid:1574; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiforum.pl attempt"; flow:to_server,established; content:"/cgiforum.pl?"; nocase; http_uri; content:"thesection=../.."; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1963; reference:cve,2000-1171; reference:nessus,10552; classtype:web-application-attack; sid:1573; rev:18;)
# NOTE: "/../" is matched in http_raw_uri, the unnormalized URI, while the
# script name and "page=" are matched in the normalized http_uri buffer.
# The classtype is attempted-recon although the msg describes arbitrary file
# access. Other traversal rules in this file (for example sid 1571 and
# sid 1569) use web-application-attack, so this alert may be prioritised
# differently; check classification.config before relying on it for triage.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP commerce.cgi arbitrary file access attempt"; flow:to_server,established; content:"/commerce.cgi"; http_uri; content:"page="; http_uri; content:"/../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:1572; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dcforum.cgi directory traversal attempt"; flow:to_server,established; content:"/dcforum.cgi"; http_uri; content:"forum=../.."; metadata:ruleset community, service http; reference:bugtraq,2611; reference:cve,2001-0436; reference:cve,2001-0437; reference:nessus,10583; classtype:web-application-attack; sid:1571; rev:16;)
# NOTE: sid 1570 and sid 1569 are an access/attempt pair citing the same
# references. sid 1570 fires on any URI containing "/loadpage.cgi"
# (visibility only, classtype web-application-activity). sid 1569 also
# requires "file=../" in the payload (no http_* modifier on that content) and
# is classed web-application-attack. A request that satisfies sid 1569 also
# satisfies sid 1570, so enabling both can yield two alerts for one request.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP loadpage.cgi access"; flow:to_server,established; content:"/loadpage.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2109; reference:cve,2000-1092; reference:nessus,10065; classtype:web-application-activity; sid:1570; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP loadpage.cgi directory traversal attempt"; flow:to_server,established; content:"/loadpage.cgi"; http_uri; content:"file=../"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,2109; reference:cve,2000-1092; reference:nessus,10065; classtype:web-application-attack; sid:1569; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP eshop.pl access"; flow:to_server,established; content:"/eshop.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3340; reference:cve,2001-1014; classtype:web-application-activity; sid:1566; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP eshop.pl arbitrary command execution attempt"; flow:to_server,established; content:"/eshop.pl?"; nocase; http_uri; content:"seite=|3B|"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,3340; reference:cve,2001-1014; classtype:web-application-attack; sid:1565; rev:21;)
# NOTE: "/login.htm" is a generic path. Nothing in these two rules ties the
# match to the product behind cve,1999-1533, so unrelated login pages on
# $HTTP_SERVERS will match if the rules are enabled.
# sid 1563 keys on "password=" in the URI. If alert output includes packet or
# URI data, those logs may contain submitted passwords; treat them as
# sensitive.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP login.htm access"; flow:to_server,established; content:"/login.htm"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,665; reference:cve,1999-1533; classtype:web-application-activity; sid:1564; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP login.htm attempt"; flow:to_server,established; content:"/login.htm?"; nocase; http_uri; content:"password="; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,665; reference:cve,1999-1533; classtype:web-application-activity; sid:1563; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /doc/ access"; flow:to_server,established; content:"/doc/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,318; reference:cve,1999-0678; classtype:web-application-activity; sid:1560; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /doc/packages access"; flow:to_server,established; content:"/doc/packages"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1707; reference:cve,2000-1016; reference:nessus,10518; reference:nessus,11032; classtype:web-application-activity; sid:1559; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Delegate whois overflow attempt"; flow:to_server,established; content:"whois|3A|//"; nocase; metadata:ruleset community; reference:cve,2000-0165; reference:nessus,10054; classtype:web-application-activity; sid:1558; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DCShop auth_user_file.txt access"; flow:to_server,established; content:"/auth_data/auth_user_file.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1557; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DCShop orders.txt access"; flow:to_server,established; content:"/orders/orders.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1556; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DCShop access"; flow:to_server,established; content:"/dcshop"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1555; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dbman db.cgi access"; flow:to_server,established; content:"/dbman/db.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1178; reference:cve,2000-0381; reference:nessus,10403; classtype:web-application-activity; sid:1554; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cvsweb version access"; flow:to_server,established; content:"/cvsweb/version"; http_uri; metadata:ruleset community, service http; reference:cve,2000-0670; reference:nessus,10465; classtype:web-application-activity; sid:1552; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /CVS/Entries access"; flow:to_server,established; content:"/CVS/Entries"; http_uri; metadata:ruleset community, service http; reference:nessus,10922; reference:nessus,11032; classtype:web-application-activity; sid:1551; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csSearch.cgi access"; flow:to_server,established; content:"/csSearch.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4368; reference:cve,2002-0495; reference:nessus,10924; classtype:web-application-activity; sid:1548; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csSearch.cgi arbitrary command execution attempt"; flow:to_server,established; content:"/csSearch.cgi"; http_uri; content:"setup="; content:"`"; content:"`"; distance:1; metadata:ruleset community, service http; reference:bugtraq,4368; reference:cve,2002-0495; reference:nessus,10924; classtype:web-application-attack; sid:1547; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco HTTP double-percent DOS attempt"; flow:to_server,established; content:"/%%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1154; reference:cve,2000-0380; reference:nessus,10387; classtype:web-application-attack; sid:1546; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Catalyst command execution attempt"; flow:to_server,established; content:"/exec/show/config/cr"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1846; reference:cve,2000-0945; reference:nessus,10545; classtype:web-application-activity; sid:1544; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiwrap access"; flow:to_server,established; content:"/cgiwrap"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1238; reference:bugtraq,3084; reference:bugtraq,777; reference:cve,1999-1530; reference:cve,2000-0431; reference:cve,2001-0987; reference:nessus,10041; classtype:web-application-activity; sid:1543; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgimail access"; flow:to_server,established; content:"/cgimail"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1623; reference:cve,2000-0726; reference:nessus,11721; classtype:web-application-activity; sid:1542; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /cgi-bin/ls access"; flow:to_server,established; content:"/cgi-bin/ls"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,936; reference:cve,2000-0079; reference:nessus,10037; classtype:web-application-activity; sid:1539; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar_admin.pl access"; flow:to_server,established; content:"/calendar_admin.pl"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1215; reference:cve,2000-0432; reference:nessus,10506; classtype:web-application-activity; sid:1537; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar_admin.pl arbitrary command execution attempt"; flow:to_server,established; content:"/calendar_admin.pl?"; nocase; http_uri; content:"config=|7C|"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1215; reference:cve,2000-0432; reference:nessus,10506; classtype:web-application-attack; sid:1536; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bizdbsearch access"; flow:to_server,established; content:"/bizdb1-search.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1104; reference:cve,2000-0287; reference:nessus,10383; classtype:web-application-activity; sid:1535; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP agora.cgi attempt"; flow:to_server,established; content:"/store/agora.cgi?"; nocase; http_uri; content:"cart_id=<SCRIPT>"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,3702; reference:bugtraq,3976; reference:cve,2001-1199; reference:cve,2002-0215; reference:nessus,10836; classtype:web-application-attack; sid:1534; rev:20;)
# NOTE: the msg text reads "bb-hostscv.sh" but the content matched is
# "/bb-hostsvc.sh" (letters transposed in the msg only). Search alerts by
# sid 1533 / sid 1532 rather than by the msg spelling.
# sid 1532 looks for "../.." in http_raw_uri, the unnormalized URI. Its
# distance:0 follows a content matched in http_uri, a different buffer.
# NOTE(review): confirm the relative match behaves as intended before
# enabling.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-hostscv.sh access"; flow:to_server,established; content:"/bb-hostsvc.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-activity; sid:1533; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-hostscv.sh attempt"; flow:to_server,established; content:"/bb-hostsvc.sh?"; fast_pattern:only; http_uri; content:"HOSTSVC"; nocase; http_uri; content:"../.."; distance:0; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-attack; sid:1532; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-hist.sh attempt"; flow:to_server,established; content:"/bb-hist.sh?"; nocase; http_uri; content:"HISTFILE=../.."; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:web-application-attack; sid:1531; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP BBoard access"; flow:to_server,established; content:"/servlet/sunexamples.BBoardServlet"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1459; reference:cve,2000-0629; reference:nessus,10507; classtype:web-application-activity; sid:1528; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP basilix mysql.class access"; flow:to_server,established; content:"/class/mysql.class"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2198; reference:cve,2001-1044; reference:nessus,10601; classtype:web-application-activity; sid:1527; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP basilix sendmail.inc access"; flow:to_server,established; content:"/inc/sendmail.inc"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2198; reference:cve,2001-1044; reference:nessus,10601; classtype:web-application-activity; sid:1526; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Axis Storpoint CD access"; flow:to_server,established; content:"/config/html/cnf_gi.htm"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1025; reference:cve,2000-0191; reference:nessus,10023; classtype:web-application-activity; sid:1525; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Axis Storpoint CD attempt"; flow:to_server,established; content:"/cd/../config/html/cnf_gi.htm"; metadata:ruleset community, service http; reference:bugtraq,1025; reference:cve,2000-0191; reference:nessus,10023; classtype:web-application-attack; sid:1524; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ans.pl access"; flow:to_server,established; content:"/ans.pl"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-activity; sid:1523; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ans.pl attempt"; flow:to_server,established; content:"/ans.pl?"; nocase; http_uri; content:"p=../../"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-attack; sid:1522; rev:19;)
# NOTE: both rules cite the mod_info documentation URL. /server-info is the
# mod_info handler, but /server-status is normally served by mod_status, so
# the reference on sid 1521 points at the other module's documentation.
# These are access rules: they fire on any URI containing the string,
# including legitimate monitoring that reaches the servers from
# $EXTERNAL_NET. Restricting the handlers at the web server is the control;
# the rules only provide visibility.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP server-status access"; flow:to_server,established; content:"/server-status"; http_uri; metadata:ruleset community, service http; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1521; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP server-info access"; flow:to_server,established; content:"/server-info"; http_uri; metadata:ruleset community, service http; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1520; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP apache ?M=D directory list attempt"; flow:to_server,established; content:"/?M=D"; http_uri; metadata:ruleset community, service http; reference:bugtraq,3009; reference:cve,2001-0731; reference:nessus,10704; classtype:web-application-activity; sid:1519; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"SERVER-WEBAPP nstelemetry.adp access"; flow:to_server,established; content:"/nstelemetry.adp"; metadata:ruleset community; reference:nessus,10753; classtype:web-application-activity; sid:1518; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP envout.bat access"; flow:to_server,established; content:"/envout.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1517; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP envout.bat arbitrary command execution attempt"; flow:to_server,established; content:"/envout.bat|7C|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1516; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP input2.bat access"; flow:to_server,established; content:"/input2.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1515; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP input2.bat arbitrary command execution attempt"; flow:to_server,established; content:"/input2.bat|7C|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1514; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP input.bat access"; flow:to_server,established; content:"/input.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1513; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP input.bat arbitrary command execution attempt"; flow:to_server,established; content:"/input.bat|7C|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1512; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test.bat access"; flow:to_server,established; content:"/test.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1511; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test.bat arbitrary command execution attempt"; flow:to_server,established; content:"/test.bat|7C|"; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1510; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AltaVista Intranet Search directory traversal attempt"; flow:to_server,established; content:"/query?mss=.."; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,896; reference:cve,2000-0039; reference:nessus,10015; classtype:web-application-attack; sid:1509; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alibaba.pl access"; flow:to_server,established; content:"/alibaba.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10013; classtype:web-application-activity; sid:1508; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alibaba.pl arbitrary command execution attempt"; flow:to_server,established; content:"/alibaba.pl|7C|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10013; classtype:web-application-attack; sid:1507; rev:18;)
# NOTE(review): both rules need two matches in different buffers: the device
# name ("/NUL/" or "/PRN/") in the normalized URI and a literal "../../" in the
# raw, unnormalized URI. The msg says "arbitrary command execution attempt" but
# the classtype is web-application-activity; in the stock classification.config
# that ranks below web-application-attack, so triage keyed on priority will
# place these under the neighbouring "attempt" rules. Confirm that is intended.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alchemy http server NUL arbitrary command execution attempt"; flow:to_server,established; content:"/NUL/"; fast_pattern; http_uri; content:"../../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,3599; reference:cve,2001-0871; reference:nessus,10818; classtype:web-application-activity; sid:1506; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alchemy http server PRN arbitrary command execution attempt"; flow:to_server,established; content:"/PRN/"; fast_pattern; http_uri; content:"../../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,3599; reference:cve,2001-0871; reference:nessus,10818; classtype:web-application-activity; sid:1505; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP admentor admin.asp access"; flow:to_server,established; content:"/admentor/admin/admin.asp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4152; reference:cve,2002-0308; reference:nessus,10880; reference:url,www.securiteam.com/windowsntfocus/5DP0N1F6AW.html; classtype:web-application-activity; sid:1503; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP a1stats a1disp3.cgi access"; flow:to_server,established; content:"/a1disp3.cgi"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-activity; sid:1502; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP a1stats a1disp3.cgi directory traversal attempt"; flow:to_server,established; content:"/a1disp3.cgi?"; fast_pattern:only; http_uri; content:"/../../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-attack; sid:1501; rev:17;)
# NOTE(review): unlike the rules around it, this one is bound to a fixed
# destination port (8888) on $HOME_NET, carries no "service http" metadata and
# has no HTTP buffer modifier, so the path is matched as literal,
# case-sensitive bytes in the packet payload. Coverage therefore depends on the
# product actually listening on 8888; check the deployment before enabling.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"SERVER-WEBAPP SiteScope Service access"; flow:to_server,established; content:"/SiteScope/cgi/go.exe/SiteScope"; metadata:ruleset community; reference:nessus,10778; classtype:web-application-activity; sid:1499; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP spin_client.cgi access"; flow:to_server,established; content:"/spin_client.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10393; classtype:web-application-activity; sid:1496; rev:15;)
# NOTE(review): sid 1495 fires on any URI containing "/generate.cgi"; sid 1494
# adds a second content, "content=../", that has no HTTP buffer modifier. That
# second pattern is therefore compared with the payload bytes as sent (request
# line or body) and not with the normalized URI, and it is case-sensitive.
# The same shape (path in http_uri, parameter pattern unqualified) appears in
# sids 1490, 1468, 1395, 1241 and 1224 in this file; sid 1479 leaves both of
# its contents unqualified. Keep this in mind when comparing hit rates with the
# rules that pin the traversal string to http_raw_uri.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SIX webboard generate.cgi access"; flow:to_server,established; content:"/generate.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3175; reference:cve,2001-1115; reference:nessus,10725; classtype:web-application-activity; sid:1495; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SIX webboard generate.cgi attempt"; flow:to_server,established; content:"/generate.cgi"; http_uri; content:"content=../"; metadata:ruleset community, service http; reference:bugtraq,3175; reference:cve,2001-1115; reference:nessus,10725; classtype:web-application-attack; sid:1494; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP RBS ISP /newuser access"; flow:to_server,established; content:"/newuser"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1704; reference:cve,2000-1036; reference:nessus,10521; classtype:web-application-activity; sid:1493; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP RBS ISP /newuser directory traversal attempt"; flow:to_server,established; content:"/newuser?Image=../.."; http_uri; metadata:ruleset community, service http; reference:bugtraq,1704; reference:cve,2000-1036; reference:nessus,10521; classtype:web-application-attack; sid:1492; rev:17;)
# NOTE(review): sids 1491 and 1489 are plain "access" rules (a single path
# match in the normalized URI) yet carry classtype web-application-attack,
# whereas most other "access" rules in this file use web-application-activity
# or attempted-recon. If enabled, they will be prioritised like the real
# "attempt" rules; expect them to need suppression or a local classtype
# override on servers that legitimately serve these paths.
# sid 1491 also matches every request that sid 1490 matches, because both
# require "/support/common.php" and only 1490 adds "ForumLang=../".
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum /support/common.php access"; flow:to_server,established; content:"/support/common.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1997; reference:bugtraq,9361; reference:cve,2004-0034; classtype:web-application-attack; sid:1491; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum /support/common.php attempt"; flow:to_server,established; content:"/support/common.php"; http_uri; content:"ForumLang=../"; metadata:ruleset community, service http; reference:bugtraq,1997; classtype:web-application-attack; sid:1490; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nobody access"; flow:to_server,established; content:"/~nobody"; http_uri; metadata:ruleset community, service http; reference:nessus,10484; classtype:web-application-attack; sid:1489; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP store.cgi directory traversal attempt"; flow:to_server,established; content:"/store.cgi"; fast_pattern; nocase; http_uri; content:"../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2385; reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-attack; sid:1488; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ustorekeeper.pl access"; flow:to_server,established; content:"/ustorekeeper.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2001-0466; reference:nessus,10645; classtype:web-application-activity; sid:1483; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP view_source access"; flow:to_server,established; content:"/view_source"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2251; reference:cve,1999-0174; reference:nessus,10294; classtype:attempted-recon; sid:1482; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP upload.cgi access"; flow:to_server,established; content:"/upload.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10290; classtype:attempted-recon; sid:1481; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ttawebtop.cgi access"; flow:to_server,established; content:"/ttawebtop.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2890; reference:cve,2001-0805; reference:nessus,10696; classtype:attempted-recon; sid:1480; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ttawebtop.cgi arbitrary file attempt"; flow:to_server,established; content:"/ttawebtop.cgi"; nocase; content:"pg=../"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,2890; reference:cve,2001-0805; reference:nessus,10696; classtype:web-application-attack; sid:1479; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Simple Web Counter URI Parameter Buffer Overflow attempt"; flow:to_server,established; content:"/swc"; nocase; http_uri; content:"ctr="; distance:0; nocase; http_uri; urilen:>500; metadata:ruleset community, service http; reference:bugtraq,6581; reference:nessus,10493; classtype:attempted-user; sid:1478; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sdbsearch.cgi access"; flow:to_server,established; content:"/sdbsearch.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1658; reference:cve,2001-1130; reference:nessus,10503; reference:nessus,10720; classtype:attempted-recon; sid:1476; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mailit.pl access"; flow:to_server,established; content:"/mailit.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10417; classtype:attempted-recon; sid:1475; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cal_make.pl access"; flow:to_server,established; content:"/cal_make.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2663; reference:cve,2001-0463; reference:nessus,10664; classtype:web-application-activity; sid:1474; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP newsdesk.cgi access"; flow:to_server,established; content:"/newsdesk.cgi"; fast_pattern:only; http_uri; content:"../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2172; reference:cve,2001-0232; reference:nessus,10586; classtype:attempted-recon; sid:1473; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP book.cgi access"; flow:to_server,established; content:"/book.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721; classtype:web-application-activity; sid:1472; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mailnews.cgi access"; flow:to_server,established; content:"/mailnews.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2391; reference:cve,2001-0271; reference:nessus,10641; classtype:attempted-recon; sid:1471; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP listrec.pl access"; flow:to_server,established; content:"/listrec.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3328; reference:cve,2001-0997; reference:nessus,10769; classtype:attempted-recon; sid:1470; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Web Shopper shopper.cgi access"; flow:to_server,established; content:"/shopper.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1776; reference:cve,2000-0922; classtype:attempted-recon; sid:1469; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Web Shopper shopper.cgi attempt"; flow:to_server,established; content:"/shopper.cgi"; fast_pattern; nocase; http_uri; content:"newpage=../"; nocase; metadata:ruleset community, service http; reference:bugtraq,1776; reference:cve,2000-0922; reference:nessus,10533; classtype:web-application-attack; sid:1468; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP directorypro.cgi access"; flow:to_server,established; content:"/directorypro.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2793; reference:cve,2001-0780; reference:nessus,10679; classtype:web-application-activity; sid:1467; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiforum.pl access"; flow:to_server,established; content:"/cgiforum.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1963; reference:cve,2000-1171; reference:nessus,10552; classtype:web-application-activity; sid:1466; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP auktion.cgi access"; flow:to_server,established; content:"/auktion.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2367; reference:cve,2001-0212; reference:nessus,10638; classtype:web-application-activity; sid:1465; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-replog.sh access"; flow:to_server,established; content:"/bb-replog.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1462; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-rep.sh access"; flow:to_server,established; content:"/bb-rep.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1461; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-histsvc.sh access"; flow:to_server,established; content:"/bb-histsvc.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1460; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-histlog.sh access"; flow:to_server,established; content:"/bb-histlog.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:1459; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP user_update_passwd.pl access"; flow:to_server,established; content:"/user_update_passwd.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1458; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP user_update_admin.pl access"; flow:to_server,established; content:"/user_update_admin.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1457; rev:18;)
# NOTE(review): the two rules cover different spellings of the script name.
# sid 1456 matches the literal "/calender_admin.pl" (spelled "-er"); sid 1455
# requires "calendar" (case-insensitive) in the normalized URI and then the
# pcre calendar(|[-_]admin)\.pl, i.e. calendar.pl, calendar-admin.pl or
# calendar_admin.pl. Both cite cve,2000-0432. The "calender" spelling looks
# deliberate rather than a typo; confirm against the advisory before
# "correcting" either pattern. The pcre is unanchored, so any URI that merely
# contains one of those names matches.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calender_admin.pl access"; flow:to_server,established; content:"/calender_admin.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2000-0432; reference:nessus,10506; classtype:attempted-recon; sid:1456; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar.pl access"; flow:to_server,established; content:"calendar"; nocase; http_uri; pcre:"/calendar(|[-_]admin)\.pl/Ui"; metadata:ruleset community, service http; reference:bugtraq,1215; reference:cve,2000-0432; classtype:attempted-recon; sid:1455; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wwwwais access"; flow:to_server,established; content:"/wwwwais"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2001-0223; reference:nessus,10597; classtype:attempted-recon; sid:1454; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AT-generated.cgi access"; flow:to_server,established; content:"/AT-generated.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1072; classtype:attempted-recon; sid:1453; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP args.cmd access"; flow:to_server,established; content:"/args.cmd"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon; sid:1452; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP NPH-maillist access"; flow:to_server,established; content:"/nph-maillist.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2563; reference:cve,2001-0400; reference:nessus,10164; classtype:attempted-recon; sid:1451; rev:20;)
# NOTE(review): both rules flag a request for a shell history file under the
# web root (case-sensitive match in the normalized URI); a hit usually means a
# home directory is exposed through the web server, which is worth fixing
# regardless of who requested it.
# The ATT&CK reference on sid 1434 (T1139, Bash History) is the older
# technique id; current ATT&CK tracks it as sub-technique T1552.003, so map
# accordingly when correlating alerts with ATT&CK-tagged data.
# sid 1433 has no reference entries at all.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .bash_history access"; flow:to_server,established; content:"/.bash_history"; http_uri; metadata:ruleset community, service http; reference:bugtraq,337; reference:cve,1999-0408; reference:url,attack.mitre.org/techniques/T1139; classtype:web-application-attack; sid:1434; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .history access"; flow:to_server,established; content:"/.history"; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:1433; rev:12;)
# NOTE(review): both rules look for "Content-Disposition:" (case-insensitive)
# in the HTTP header buffer plus a second, unqualified payload pattern.
# sid 1425's second pattern is just "form-data;", which is present in ordinary
# multipart form uploads, so the rule is not specific to the cited issue and
# is likely to be noisy on any site that accepts uploads; it is nevertheless
# classed web-application-attack.
# sid 1423 keys on name=" followed by five 0xCC bytes, i.e. one particular
# filler value; it will not match the same condition built with other padding.
# NOTE(review): multipart part headers normally travel in the request body;
# verify with a test capture that the http_header match behaves as expected
# under the local http_inspect configuration before relying on either rule.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP content-disposition file upload attempt"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; http_header; content:"form-data|3B|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1425; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP content-disposition memchr overflow"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; http_header; content:"name=|22 CC CC CC CC CC|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1423; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dcboard.cgi access"; flow:to_server,established; content:"/dcboard.cgi"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:1410; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP smssend.php access"; flow:to_server,established; content:"/smssend.php"; http_uri; metadata:ruleset community, service http; reference:bugtraq,3982; reference:cve,2002-0220; classtype:web-application-activity; sid:1407; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP agora.cgi access"; flow:to_server,established; content:"/store/agora.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3702; reference:bugtraq,3976; reference:cve,2001-1199; reference:cve,2002-0215; reference:nessus,10836; classtype:web-application-activity; sid:1406; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AHG search.cgi access"; flow:to_server,established; content:"/publisher/search.cgi"; fast_pattern; nocase; http_uri; content:"template="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,3985; reference:cve,2002-2113; classtype:web-application-activity; sid:1405; rev:17;)
# NOTE(review): three conditions, all on the normalized URI: "/index.php"
# (case-insensitive), the literal "file=" (case-sensitive), and the pcre
# file=(https?|ftps?|php), case-insensitive.
# False-positive sources visible in the pattern itself:
#   - "file=" is not tied to a parameter boundary, so a longer name ending in
#     "file=" (constructed example: "profile=") satisfies it;
#   - the alternatives are bare prefixes with no "://" after them, so a value
#     that merely starts with http, ftp or php (constructed example:
#     "file=httpd.conf") matches;
#   - "/index.php" is not specific to PHP-Nuke.
# Scope it to the hosts that run the affected application if it is enabled.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-Nuke remote file include attempt"; flow:to_server,established; content:"/index.php"; fast_pattern; nocase; http_uri; content:"file="; http_uri; pcre:"/file=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:bugtraq,3889; reference:cve,2002-0206; classtype:web-application-attack; sid:1399; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wayboard attempt"; flow:to_server,established; content:"/way-board/way-board.cgi"; http_uri; content:"db="; http_uri; content:"../.."; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2370; reference:cve,2001-0214; reference:nessus,10610; classtype:web-application-attack; sid:1397; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP zml.cgi access"; flow:to_server,established; content:"/zml.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3759; reference:cve,2001-1209; reference:nessus,10830; classtype:web-application-activity; sid:1396; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP zml.cgi attempt"; flow:to_server,established; content:"/zml.cgi"; http_uri; content:"file=../"; metadata:ruleset community, service http; reference:bugtraq,3759; reference:cve,2001-1209; reference:nessus,10830; classtype:web-application-activity; sid:1395; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP lastlines.cgi access"; flow:to_server,established; content:"/lastlines.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3754; reference:bugtraq,3755; reference:cve,2001-1205; reference:cve,2001-1206; classtype:attempted-recon; sid:1392; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mod-plsql administration access"; flow:to_server,established; content:"/admin_/"; http_uri; metadata:ruleset community, service http; reference:bugtraq,3726; reference:bugtraq,3727; reference:cve,2001-1216; reference:cve,2001-1217; reference:nessus,10849; classtype:web-application-activity; sid:1385; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro OfficeScan attempt"; flow:to_server,established; content:"/officescan/cgi/jdkRqNotify.exe?"; nocase; http_uri; content:"domain="; nocase; http_uri; content:"event="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1057; classtype:attempted-recon; sid:1381; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP jrun directory browse attempt"; flow:to_server,established; content:"/?.jsp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,3592; reference:cve,2001-1510; classtype:web-application-attack; sid:1376; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sadmind worm access"; flow:to_server,established; content:"GET x HTTP/1.0"; depth:15; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-11.html; classtype:attempted-recon; sid:1375; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .htgroup access"; flow:to_server,established; content:".htgroup"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1374; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP zsh access"; flow:to_server,established; content:"/zsh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1309; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sendmessage.cgi access"; flow:to_server,established; content:"/sendmessage.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3673; reference:cve,2001-1100; classtype:attempted-recon; sid:1308; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP store.cgi access"; flow:to_server,established; content:"/store.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2385; reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-activity; sid:1307; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP txt2html.cgi directory traversal attempt"; flow:to_server,established; content:"/txt2html.cgi"; fast_pattern:only; http_uri; content:"/../../../../"; http_raw_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:1305; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP txt2html.cgi access"; flow:to_server,established; content:"/txt2html.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1304; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cs.exe access"; flow:to_server,established; content:"/cgi-bin/cs.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3375; reference:cve,2001-1252; classtype:attempted-recon; sid:1303; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP console.exe access"; flow:to_server,established; content:"/cgi-bin/console.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3375; reference:cve,2001-1252; classtype:attempted-recon; sid:1302; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP admin.php access"; flow:to_server,established; content:"/admin.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3361; reference:bugtraq,7532; reference:bugtraq,9270; reference:cve,2001-1032; classtype:attempted-recon; sid:1301; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP admin.php file upload attempt"; flow:to_server,established; content:"/admin.php"; fast_pattern; nocase; http_uri; content:"file_name="; http_uri; metadata:ruleset community, service http; reference:bugtraq,3361; reference:cve,2001-1032; classtype:attempted-admin; sid:1300; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sml3com access"; flow:to_server,established; content:"/graphics/sml3com"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2721; reference:cve,2001-0740; classtype:web-application-activity; sid:1291; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SWEditServlet access"; flow:to_server,established; content:"/SWEditServlet"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2868; classtype:attempted-recon; sid:1259; rev:14;)
# NOTE(review): sid 1255 is the only rule in this stretch whose header runs
# $HTTP_SERVERS -> $EXTERNAL_NET: it alerts when one of our web servers acts
# as an HTTP client and requests a URI containing "/db_mysql.inc" from an
# outside host. Presumably this is the outbound fetch that follows a
# successful include; confirm before "fixing" the direction to match its
# neighbours. A hit means the server itself initiated the connection, so treat
# it as higher-confidence than the inbound rule and check egress filtering.
# sid 1254 is the inbound half: "_PHPLIB[libdir]" anywhere in the payload of a
# request to the server (no HTTP buffer modifier, fast_pattern:only).
# alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHPLIB remote command attempt"; flow:to_server,established; content:"/db_mysql.inc"; http_uri; metadata:ruleset community, service http; reference:bugtraq,3079; reference:cve,2001-1370; classtype:attempted-user; sid:1255; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHPLIB remote command attempt"; flow:to_server,established; content:"_PHPLIB[libdir]"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,3079; reference:cve,2001-1370; reference:nessus,14910; classtype:attempted-user; sid:1254; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SWEditServlet directory traversal attempt"; flow:to_server,established; content:"/SWEditServlet"; http_uri; content:"template=../../../"; metadata:ruleset community, service http; reference:bugtraq,2868; reference:cve,2001-0555; classtype:attempted-user; sid:1241; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VirusWall FtpSaveCVP access"; flow:to_server,established; content:"/FtpSaveCVP.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1235; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VirusWall FtpSaveCSP access"; flow:to_server,established; content:"/FtpSaveCSP.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1234; rev:16;)
# NOTE(review): same msg, two different scopes. sid 1232 watches a fixed port
# (1812) on $HOME_NET with a case-insensitive payload match and no
# "service http" metadata; sid 1231 watches $HTTP_SERVERS on $HTTP_PORTS and
# matches the normalized URI. Because the msg strings are identical, dashboards
# that group by msg will merge the two; group by sid to tell which listener
# was hit. "/catinfo" is a short substring, so any longer path containing it
# also matches.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1812 (msg:"SERVER-WEBAPP VirusWall catinfo access"; flow:to_server,established; content:"/catinfo"; nocase; metadata:ruleset community; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1232; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VirusWall catinfo access"; flow:to_server,established; content:"/catinfo"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1231; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VirusWall FtpSave access"; flow:to_server,established; content:"/FtpSave.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1230; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ROADS search.pl attempt"; flow:to_server,established; content:"/ROADS/cgi-bin/search.pl"; http_uri; content:"form="; nocase; metadata:ruleset community, service http; reference:bugtraq,2371; reference:cve,2001-0215; reference:nessus,10627; classtype:attempted-recon; sid:1224; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pals-cgi arbitrary file access attempt"; flow:to_server,established; content:"/pals-cgi"; fast_pattern; nocase; http_uri; content:"documentName="; http_uri; metadata:ruleset community, service http; reference:bugtraq,2372; reference:cve,2001-0217; reference:nessus,10611; classtype:web-application-attack; sid:1222; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Muscat Empower cgi access"; flow:to_server,established; content:"/empower?DB"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2374; reference:cve,2001-0224; reference:nessus,10609; classtype:web-application-activity; sid:1221; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ultraboard access"; flow:to_server,established; content:"/ultraboard"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1164; reference:bugtraq,1175; reference:cve,2000-0332; reference:cve,2000-0426; reference:nessus,11748; classtype:attempted-recon; sid:1220; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dfire.cgi access"; flow:to_server,established; content:"/dfire.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,564; reference:cve,1999-0913; classtype:web-application-activity; sid:1219; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP adminlogin access"; flow:to_server,established; content:"/adminlogin"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1164; reference:bugtraq,1175; reference:cve,2000-0332; reference:cve,2000-0426; reference:nessus,11748; classtype:attempted-recon; sid:1218; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP plusmail access"; flow:to_server,established; content:"/plusmail"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2653; reference:cve,2000-0074; reference:nessus,10181; classtype:attempted-recon; sid:1217; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP filemail access"; flow:to_server,established; content:"/filemail"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1154; reference:cve,1999-1155; reference:url,www.securityfocus.com/archive/1/11175; classtype:attempted-recon; sid:1216; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ministats admin access"; flow:to_server,established; content:"/ministats/admin.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1215; rev:18;)
# NOTE(review): these three are generic path-name rules, not tied to a product
# or CVE (only sid 1214 has a reference, a Nessus check). Each is a bare
# substring match on the normalized URI, so "/backup" also matches longer
# names that start with it, and "/intranet/" matches at any depth in the path.
# On a site that really has such directories they alert on normal traffic;
# enable them only where these paths should never be requested from
# $EXTERNAL_NET, or pair them with thresholding.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP intranet access"; flow:to_server,established; content:"/intranet/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11626; classtype:attempted-recon; sid:1214; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP backup access"; flow:to_server,established; content:"/backup"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1213; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Admin_files access"; flow:to_server,established; content:"/admin_files"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1212; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP web-map.cgi access"; flow:to_server,established; content:"/web-map.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1211; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .nsconfig access"; flow:to_server,established; content:"/.nsconfig"; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1209; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP responder.cgi access"; flow:to_server,established; content:"/responder.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3155; classtype:web-application-activity; sid:1208; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htgrep access"; flow:to_server,established; content:"/htgrep"; http_uri; metadata:ruleset community, service http; reference:cve,2000-0832; reference:nessus,10495; classtype:web-application-activity; sid:1207; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cachemgr.cgi access"; flow:to_server,established; content:"/cachemgr.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2059; reference:cve,1999-0710; reference:nessus,10034; classtype:web-application-activity; sid:1206; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP axs.cgi access"; flow:to_server,established; content:"/axs.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1205; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ax-admin.cgi access"; flow:to_server,established; content:"/ax-admin.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1204; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP search.vts access"; flow:to_server,established; content:"/search.vts"; http_uri; metadata:ruleset community, service http; reference:bugtraq,162; classtype:attempted-recon; sid:1202; rev:14;)
# NOTE(review): sid 1199 carries no HTTP buffer modifier and no "service http" metadata, so "../"
# is matched as a literal in the raw payload of any established client-to-server stream to port
# 2301. Encoded forms of the sequence are not covered. If enabled, scope $HOME_NET to the hosts
# that actually expose this management port, because any payload with a relative path will alert.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"SERVER-WEBAPP Compaq Insight directory traversal"; flow:to_server,established; content:"../"; metadata:ruleset community; reference:bugtraq,282; reference:cve,1999-0771; classtype:web-application-attack; sid:1199; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-usr-prop"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:web-application-attack; sid:1198; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum code access"; flow:to_server,established; content:"/code.php3"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1197; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SGI InfoSearch fname attempt"; flow:to_server,established; content:"/infosrch.cgi?"; fast_pattern; nocase; http_uri; content:"fname="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1031; reference:cve,2000-0207; reference:nessus,10128; classtype:web-application-attack; sid:1196; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sojourn.cgi access"; flow:to_server,established; content:"/sojourn.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1052; reference:cve,2000-0180; reference:nessus,10349; classtype:web-application-activity; sid:1195; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sojourn.cgi File attempt"; flow:to_server,established; content:"/sojourn.cgi?"; nocase; http_uri; content:"cat="; distance:0; nocase; http_uri; content:"%00"; nocase; metadata:ruleset community, service http; reference:bugtraq,1052; reference:cve,2000-0180; reference:nessus,10349; classtype:web-application-attack; sid:1194; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP oracle web arbitrary command execution attempt"; flow:to_server,established; content:"/ows-bin/"; nocase; http_uri; content:"?&"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-attack; sid:1193; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro OfficeScan access"; flow:to_server,established; content:"/officescan/cgi/jdkRqNotify.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1057; classtype:attempted-recon; sid:1192; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-html-rend"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1191; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-uncheckout"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1190; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-stop-ver"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1189; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-start-ver"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1188; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SalesLogix Eviewer web command attempt"; flow:to_server,established; content:"/slxweb.dll/admin?command="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1078; reference:bugtraq,1089; reference:cve,2000-0278; reference:cve,2000-0289; reference:nessus,10361; classtype:web-application-attack; sid:1187; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-ver-diff"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1186; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bizdbsearch attempt"; flow:to_server,established; content:"/bizdb1-search.cgi"; fast_pattern; nocase; http_uri; content:"mail"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1104; reference:cve,2000-0287; reference:nessus,10383; classtype:web-application-attack; sid:1185; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-ver-info"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1184; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-cs-dump"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; reference:nessus,10352; classtype:attempted-recon; sid:1183; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Annex Terminal DOS attempt"; flow:to_server,established; content:"/ping?query="; http_uri; metadata:ruleset community, service http; reference:cve,1999-1070; reference:nessus,10017; classtype:attempted-dos; sid:1181; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP get32.exe access"; flow:to_server,established; content:"/get32.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1485; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10011; classtype:attempted-recon; sid:1180; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum violation access"; flow:to_server,established; content:"/violation.php3"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2272; reference:cve,2000-1234; classtype:attempted-recon; sid:1179; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum read access"; flow:to_server,established; content:"/read.php3"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1178; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-verify-link"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1177; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wwwboard.pl access"; flow:to_server,established; content:"/wwwboard.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1795; reference:bugtraq,649; reference:cve,1999-0930; reference:cve,1999-0954; classtype:attempted-recon; sid:1175; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /cgi-bin/jj access"; flow:to_server,established; content:"/cgi-bin/jj"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2002; reference:cve,1999-0260; reference:nessus,10131; classtype:web-application-activity; sid:1174; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP architext_query.pl access"; flow:to_server,established; content:"/ews/architext_query.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2248; reference:cve,1999-0279; reference:nessus,10064; reference:url,www2.fedcirc.gov/alerts/advisories/1998/txt/fedcirc.98.03.txt; classtype:attempted-recon; sid:1173; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bigconf.cgi access"; flow:to_server,established; content:"/bigconf.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,778; reference:cve,1999-1550; reference:nessus,10027; classtype:web-application-activity; sid:1172; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mall log order access"; flow:to_server,established; content:"/mall_log_files/order.log"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2266; reference:cve,1999-0606; classtype:attempted-recon; sid:1168; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rpm_query access"; flow:to_server,established; content:"/rpm_query"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1036; reference:cve,2000-0192; reference:nessus,10340; classtype:attempted-recon; sid:1167; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ws_ftp.ini access"; flow:to_server,established; content:"/ws_ftp.ini"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,547; reference:cve,1999-1078; classtype:attempted-recon; sid:1166; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Novell Groupwise gwweb.exe access"; flow:to_server,established; content:"/GWWEB.EXE"; nocase; metadata:ruleset community, service http; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1165; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP shopping cart access"; flow:to_server,established; content:"/quikstore.cfg"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1983; reference:bugtraq,2049; reference:cve,1999-0607; reference:cve,2000-1188; classtype:attempted-recon; sid:1164; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webdist.cgi access"; flow:to_server,established; content:"/webdist.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-activity; sid:1163; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cart 32 AdminPwd access"; flow:to_server,established; content:"/c32web.exe/ChangeAdminPassword"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1153; reference:cve,2000-0429; classtype:attempted-recon; sid:1162; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP piranha passwd.php3 access"; flow:to_server,established; content:"/passwd.php3"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1149; reference:cve,2000-0322; classtype:attempted-recon; sid:1161; rev:17;)
# NOTE(review): sid 1160 matches the bare prefix "?wp-" in the URI, which is a prefix of the
# patterns used by the specific Netscape rules in this file (sids 1177, 1183, 1184, 1186, 1188,
# 1189, 1190, 1191, 1198). Enabling it together with those yields two alerts for one request;
# enable either the generic rule or the specific ones, or suppress the duplicate.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape dir index wp"; flow:to_server,established; content:"?wp-"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; reference:nessus,10352; classtype:attempted-recon; sid:1160; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webplus access"; flow:to_server,established; content:"/webplus?script"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1174; reference:bugtraq,1720; reference:bugtraq,1722; reference:bugtraq,1725; reference:cve,2000-1005; classtype:attempted-recon; sid:1159; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP windmail.exe access"; flow:to_server,established; content:"/windmail.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1073; reference:cve,2000-0242; reference:nessus,10365; classtype:attempted-recon; sid:1158; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape PublishingXpert access"; flow:to_server,established; content:"/PSUser/PSCOErrPage.htm"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2000-1196; reference:nessus,10364; classtype:web-application-activity; sid:1157; rev:17;)
# NOTE(review): sid 1156 lists the same eight-slash pattern twice: once as the fast-pattern
# content and once bound to http_raw_uri. This looks deliberate (Snort 2 does not accept
# fast_pattern on raw HTTP buffers - confirm against the manual for the deployed version).
# The msg says "directory disclosure" while classtype is attempted-dos; triage on the msg and the
# CVE reference rather than on the classtype.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP apache directory disclosure attempt"; flow:to_server,established; content:"////////"; fast_pattern:only; content:"////////"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2503; reference:cve,2001-0925; classtype:attempted-dos; sid:1156; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ecommerce checks.txt access"; flow:to_server,established; content:"/orders/checks.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2281; classtype:attempted-recon; sid:1155; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino names.nsf access"; flow:to_server,established; content:"/names.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1154; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino log.nsf access"; flow:to_server,established; content:"/log.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1153; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino domlog.nsf access"; flow:to_server,established; content:"/domlog.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1152; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino domcfg.nsf access"; flow:to_server,established; content:"/domcfg.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1151; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino catalog.nsf access"; flow:to_server,established; content:"/catalog.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1150; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP count.cgi access"; flow:to_server,established; content:"/count.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,128; reference:cve,1999-0021; reference:nessus,10049; classtype:web-application-activity; sid:1149; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ecommerce import.txt access"; flow:to_server,established; content:"/orders/import.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1148; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ecommerce import.txt access"; flow:to_server,established; content:"/config/import.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1146; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP root access"; flow:to_server,established; content:"/~root"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1145; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /.... access"; flow:to_server,established; content:"/...."; metadata:ruleset community, service http; classtype:attempted-recon; sid:1142; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP handler access"; flow:to_server,established; content:"/handler"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; classtype:web-application-activity; sid:1141; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP guestbook.pl access"; flow:to_server,established; content:"/guestbook.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,776; reference:cve,1999-0237; reference:cve,1999-1053; reference:nessus,10099; classtype:attempted-recon; sid:1140; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; metadata:ruleset community, service http; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1139; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum authentication access"; flow:to_server,established; content:"PHP_AUTH_USER=boogieman"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,2274; reference:cve,2000-1230; classtype:attempted-recon; sid:1137; rev:18;)
# NOTE(review): sid 1136 is a four-character, case-insensitive literal with no HTTP buffer
# modifier, so it is evaluated against the raw client-to-server payload (headers and bodies
# included), not only the URI. It carries no reference and will fire on benign text containing
# "cd.."; treat it as a low-confidence indicator and tune or threshold it before enabling.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cd.."; flow:to_server,established; content:"cd.."; nocase; metadata:ruleset community, service http; classtype:attempted-recon; sid:1136; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum admin access"; flow:to_server,established; content:"/admin.php3"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2271; reference:cve,2000-1228; classtype:attempted-recon; sid:1134; rev:21;)
# NOTE(review): sid 1132 is labelled an overflow in msg and matches a fixed byte sequence, yet its
# classtype is attempted-recon. Alert priority is derived from classtype, so this would be ranked
# as reconnaissance (priority 2 in the stock classification.config - confirm against the local
# file). Account for that in triage if the rule is enabled. The rule has no "service http"
# metadata and applies only to TCP port 457.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"SERVER-WEBAPP Netscape Unixware overflow"; flow:to_server,established; content:"|EB|_|9A FF FF FF FF 07 FF C3|^1|C0 89|F|9D|"; metadata:ruleset community; reference:bugtraq,908; reference:cve,1999-0744; classtype:attempted-recon; sid:1132; rev:14;)
# NOTE(review): sid 1131 matches ".www_acl" (with underscore) but reuses the msg text of sid 1130,
# which matches ".wwwacl". Alerts from the two rules can only be told apart by sid.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .wwwacl access"; flow:to_server,established; content:".www_acl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1131; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .wwwacl access"; flow:to_server,established; content:".wwwacl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1130; rev:13;)
# NOTE(review): the ATT&CK reference on sid 1129 looks mismatched. T1170 was the pre-sub-technique
# ID for Mshta, which has no obvious relation to a request for ".htaccess" - verify before using
# this reference for ATT&CK coverage mapping. The match itself is any URI containing ".htaccess".
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .htaccess access"; flow:to_server,established; content:".htaccess"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1170; classtype:attempted-recon; sid:1129; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cpshost.dll access"; flow:to_server,established; content:"/scripts/cpshost.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1811; reference:bugtraq,4002; reference:cve,1999-0360; classtype:attempted-recon; sid:1128; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP convert.bas access"; flow:to_server,established; content:"/scripts/convert.bas"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2025; reference:cve,1999-0175; classtype:attempted-recon; sid:1127; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AuthChangeUrl access"; flow:to_server,established; content:"_AuthChangeUrl?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2110; reference:cve,1999-0407; classtype:attempted-recon; sid:1126; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webcart access"; flow:to_server,established; content:"/webcart/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0610; reference:nessus,10298; classtype:attempted-recon; sid:1125; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ecommerce check.txt access"; flow:to_server,established; content:"/config/check.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1124; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ?PageServices access"; flow:to_server,established; content:"?PageServices"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:bugtraq,7621; reference:cve,1999-0269; classtype:attempted-recon; sid:1123; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /etc/passwd file access attempt"; flow:to_server,established; content:"/etc/passwd"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1087; classtype:attempted-recon; sid:1122; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mylog.phtml access"; flow:to_server,established; content:"/mylog.phtml"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1120; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mlog.phtml access"; flow:to_server,established; content:"/mlog.phtml"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1119; rev:15;)
# NOTE(review): sid 1118 matches the literal "ls%20-l" case-insensitively in the raw payload
# because no HTTP buffer modifier is given. It therefore also fires on request bodies and on
# headers that quote such a string, and only on this exact encoding of the space. It is a
# low-confidence recon indicator with no reference; correlate with other alerts before acting.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ls 20-l"; flow:to_server,established; content:"ls%20-l"; nocase; metadata:ruleset community, service http; classtype:attempted-recon; sid:1118; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus EditDoc attempt"; flow:to_server,established; content:"?EditDocument"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.securiteam.com/exploits/5NP080A1RE.html; classtype:attempted-recon; sid:1117; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus DelDoc attempt"; flow:to_server,established; content:"?DeleteDocument"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1116; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ICQ webserver DOS"; flow:to_server,established; content:".html/......"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0474; reference:url,www.securiteam.com/exploits/2ZUQ1QAQOG.html; classtype:attempted-dos; sid:1115; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP apache source.asp file access"; flow:to_server,established; content:"/site/eg/source.asp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1457; reference:cve,2000-0628; reference:nessus,10480; classtype:attempted-recon; sid:1110; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ROXEN directory list attempt"; flow:to_server,established; content:"/%00"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1510; reference:cve,2000-0671; reference:nessus,10479; classtype:attempted-recon; sid:1109; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ftp.pl access"; flow:to_server,established; content:"/ftp.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1471; reference:cve,2000-0674; reference:nessus,10467; classtype:web-application-activity; sid:1107; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Poll-it access"; flow:to_server,established; content:"/pollit/Poll_It_SSI_v2.0.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1431; reference:cve,2000-0590; reference:nessus,10459; classtype:web-application-activity; sid:1106; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP BigBrother access"; flow:to_server,established; content:"/bb-hostsvc.sh?"; nocase; http_uri; content:"HOSTSVC"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:attempted-recon; sid:1105; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape admin passwd"; flow:to_server,established; content:"/admin-serv/config/admpw"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1579; reference:nessus,10468; classtype:web-application-attack; sid:1103; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nessus 1.X 404 probe"; flow:to_server,established; content:"/nessus_is_probing_you_"; depth:32; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:1102; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cybercop scan"; flow:to_server,established; content:"/cybercop"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1099; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SmartWin CyberOffice Shopping Cart access"; flow:to_server,established; content:"_private/shopping_cart.mdb"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1734; reference:cve,2000-0925; classtype:web-application-attack; sid:1098; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Talentsoft Web+ exploit attempt"; flow:to_server,established; content:"/webplus.cgi?"; nocase; http_uri; content:"Script=/webplus/webping/webping.wml"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1725; classtype:web-application-attack; sid:1097; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Talentsoft Web+ internal IP Address access"; flow:to_server,established; content:"/webplus.exe?"; nocase; http_uri; content:"about"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1720; reference:url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html; classtype:web-application-activity; sid:1096; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Talentsoft Web+ Source Code view access"; flow:to_server,established; content:"/webplus.exe?"; nocase; http_uri; content:"script=test.wml"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1722; reference:url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html; classtype:web-application-attack; sid:1095; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cached_feed.cgi moreover shopping cart directory traversal"; flow:to_server,established; content:"/cached_feed.cgi"; http_uri; content:"../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-attack; sid:1093; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Armada Style Master Index directory traversal"; flow:to_server,established; content:"/search.cgi?"; nocase; http_uri; content:"keys"; distance:0; nocase; http_uri; content:"catigory=../"; nocase; metadata:ruleset community, service http; reference:bugtraq,1772; reference:cve,2000-0924; reference:nessus,10562; reference:url,www.synnergy.net/downloads/advisories/SLA-2000-16.masterindex.txt; classtype:web-application-attack; sid:1092; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ICQ Webfront HTTP DOS"; flow:to_server,established; content:"??????????"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1463; reference:cve,2000-1078; classtype:web-application-attack; sid:1091; rev:18;)
# NOTE(review): sid:1090 is disabled (the rule line is commented out), so it produces no alerts
# until the leading "#" is removed. The first content is matched case-insensitively in the
# normalized URI; "config.ini" has neither nocase nor an HTTP buffer modifier, so it is a
# case-sensitive literal looked for in the packet payload rather than in the URI buffer.
# The ATT&CK reference T1100 (Web Shell) has since been deprecated in favour of T1505.003;
# use the newer ID when mapping alerts from this sid.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Allaire Pro Web Shell attempt"; flow:to_server,established; content:"/authenticate.cgi?PASSWORD"; fast_pattern; nocase; http_uri; content:"config.ini"; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1100; classtype:web-application-attack; sid:1090; rev:18;)
# NOTE(review): sid:1089 and sid:1088 are disabled. Each pairs a script name in the normalized
# URI with the literal "page=../", which has no nocase and no HTTP buffer modifier, so it is
# matched byte-for-byte against the packet payload. Only that exact spelling of the parameter
# and traversal sequence is covered; review the second content (buffer and case handling)
# before re-enabling either rule for a server that still runs these scripts.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP shopping cart directory traversal"; flow:to_server,established; content:"/shop.cgi"; http_uri; content:"page=../"; metadata:ruleset community, service http; reference:bugtraq,1777; reference:cve,2000-0921; classtype:web-application-attack; sid:1089; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP eXtropia webstore directory traversal"; flow:to_server,established; content:"/web_store.cgi"; http_uri; content:"page=../"; metadata:ruleset community, service http; reference:bugtraq,1774; reference:cve,2000-1005; reference:nessus,10532; classtype:web-application-attack; sid:1088; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP strings overflow"; flow:to_server,established; content:"?STRENGUR"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1786; reference:cve,2000-0967; classtype:web-application-attack; sid:1086; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP strings overflow"; flow:to_server,established; content:"|BA|I|FE FF FF F7 D2 B9 BF FF FF FF F7 D1|"; metadata:ruleset community, service http; reference:bugtraq,802; classtype:web-application-attack; sid:1085; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Allaire JRUN DOS attempt"; flow:to_server,established; content:"servlet/......."; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2337; reference:cve,2000-1049; classtype:web-application-attack; sid:1084; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP unify eWave ServletExec DOS"; flow:to_server,established; content:"/servlet/ServletExec"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-activity; sid:1083; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP amazon 1-click cookie theft"; flow:to_server,established; content:"ref%3Cscript%20language%3D%22Javascript"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,1194; reference:cve,2000-0439; classtype:web-application-attack; sid:1082; rev:15;)
# NOTE(review): sid:1081 is disabled. Its reference pair (bugtraq,1868 / cve,2000-1025) is
# identical to the pair on sid:1083 "unify eWave ServletExec DOS" two rules above, although this
# rule's msg names the Netscape Servers suite and its pattern is "/dsgw/bin/search?context=".
# This looks like a carried-over reference; confirm the advisory before using these IDs
# for triage or vulnerability correlation.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Servers suite DOS"; flow:to_server,established; content:"/dsgw/bin/search?context="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-attack; sid:1081; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP unify eWave ServletExec upload"; flow:to_server,established; content:"/servlet/com.unify.servletexec.UploadServlet"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1868; reference:bugtraq,1876; reference:cve,2000-1024; reference:cve,2000-1025; reference:nessus,10570; classtype:web-application-attack; sid:1080; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webhits.exe access"; flow:to_server,established; content:"/scripts/samples/search/webhits.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1073; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus Domino directory traversal"; flow:to_server,established; content:".nsf/"; http_uri; content:"../"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2173; reference:cve,2001-0009; reference:nessus,12248; classtype:web-application-attack; sid:1072; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .htpasswd access"; flow:to_server,established; content:".htpasswd"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1071; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WebDAV search access"; flow:to_server,established; content:"SEARCH "; depth:8; nocase; metadata:ruleset community, service http; reference:bugtraq,1756; reference:cve,2000-0951; classtype:web-application-activity; sid:1070; rev:16;)
# NOTE(review): sids 1068-1062 are disabled rules that flag Windows command names in
# client-to-server HTTP traffic. Only sid:1065 (rcmd.exe) is bound to http_uri; the others have
# no HTTP buffer modifier, so the name can match anywhere in the payload (headers and body too).
# All are plain substring matches with fast_pattern:only (the fast pattern matcher is
# case-insensitive). "telnet.exe" contains "net.exe", so a request that matches sid:1066 also
# matches sid:1067, and short names such as "nc.exe" occur inside longer file names.
# classtype is web-application-activity: treat a hit as a lead to correlate with web-server
# and process logs on the target, not as confirmed command execution.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tftp attempt"; flow:to_server,established; content:"tftp.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1068; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP net attempt"; flow:to_server,established; content:"net.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1067; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP telnet attempt"; flow:to_server,established; content:"telnet.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1066; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rcmd attempt"; flow:to_server,established; content:"rcmd.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1065; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wsh attempt"; flow:to_server,established; content:"wsh.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1064; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nc.exe attempt"; flow:to_server,established; content:"nc.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1062; rev:13;)
# NOTE(review): sid:1054 is disabled. It combines a positive and a negated test: ".jsp" must be
# present (case-insensitive) in the normalized URI, and the negated pcre must NOT find a line of
# the form "<word> <path ending in .jsp>" where the path contains no whitespace or "?".
# The pcre carries no buffer flag, so it appears to run against the raw payload - TODO confirm.
# The apparent intent is to alert when the normalized URI names a .jsp resource that the raw
# request line does not spell plainly. A request whose only ".jsp" sits in the query string
# also satisfies both tests, so expect false positives from such URLs if this is re-enabled.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP weblogic/tomcat .jsp view source attempt"; flow:to_server,established; content:".jsp"; nocase; http_uri; pcre:!"/^\w+\s+[^\n\s\?]*\.jsp/smi"; metadata:ruleset community, service http; reference:bugtraq,2527; classtype:web-application-attack; sid:1054; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ads.cgi command execution attempt"; flow:to_server,established; content:"/ads.cgi"; fast_pattern; nocase; http_uri; content:"file="; nocase; content:"../../"; http_raw_uri; content:"|7C|"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2103; reference:cve,2001-0025; reference:nessus,11464; classtype:web-application-attack; sid:1053; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP technote print.cgi directory traversal attempt"; flow:to_server,established; content:"/technote/print.cgi"; fast_pattern; nocase; http_uri; content:"board="; nocase; content:"../../"; http_raw_uri; content:"%00"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2156; reference:cve,2001-0075; reference:nessus,10584; classtype:web-application-attack; sid:1052; rev:21;)
# NOTE(review): sids 1050, 1048 and 1047 are disabled rules keyed on a non-standard request
# method. In each, depth equals the pattern length (13, 6 and 9 bytes), so the pattern can only
# match at the very start of the inspected payload. None uses nocase or an HTTP buffer modifier,
# so the match is a case-sensitive literal on the payload, not a test of the parsed method.
# If the affected server products are still present, check that these methods are also
# rejected at the server or reverse proxy rather than relying on these signatures alone.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP iPlanet GETPROPERTIES attempt"; flow:to_server,established; content:"GETPROPERTIES"; depth:13; metadata:ruleset community, service http; reference:bugtraq,2732; reference:cve,2001-0746; classtype:web-application-attack; sid:1050; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise directory listing attempt"; flow:to_server,established; content:"INDEX "; depth:6; metadata:ruleset community, service http; reference:bugtraq,2285; reference:cve,2001-0250; reference:nessus,10691; classtype:web-application-attack; sid:1048; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise DOS"; flow:to_server,established; content:"REVLOG / "; depth:9; metadata:ruleset community, service http; reference:bugtraq,2294; reference:cve,2001-0251; classtype:web-application-attack; sid:1047; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP carbo.dll access"; flow:to_server,established; content:"/carbo.dll"; http_uri; content:"icatcommand="; nocase; metadata:ruleset community, service http; reference:bugtraq,2126; reference:cve,1999-1069; classtype:attempted-recon; sid:1001; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .bat? access"; flow:to_server,established; content:".bat?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2023; reference:bugtraq,4335; reference:cve,1999-0233; reference:cve,2002-0061; reference:url,support.microsoft.com/support/kb/articles/Q148/1/88.asp; reference:url,support.microsoft.com/support/kb/articles/Q155/0/56.asp; classtype:web-application-activity; sid:976; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tstisapi.dll access"; flow:to_server,established; content:"tstisapi.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2381; reference:cve,2001-0302; classtype:attempted-recon; sid:902; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webspirs.cgi access"; flow:to_server,established; content:"/webspirs.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:attempted-recon; sid:901; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webspirs.cgi directory traversal attempt"; flow:to_server,established; content:"/webspirs.cgi"; fast_pattern; nocase; http_uri; content:"../../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:web-application-attack; sid:900; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Amaya templates sendtemp.pl directory traversal attempt"; flow:to_server,established; content:"/sendtemp.pl"; fast_pattern:only; http_uri; content:"templ="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2504; reference:cve,2001-0272; reference:nessus,10614; classtype:web-application-attack; sid:899; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP commerce.cgi access"; flow:to_server,established; content:"/commerce.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:898; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pals-cgi access"; flow:to_server,established; content:"/pals-cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2372; reference:cve,2001-0216; reference:cve,2001-0217; reference:nessus,10611; classtype:attempted-recon; sid:897; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP way-board access"; flow:to_server,established; content:"/way-board"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2370; reference:cve,2001-0214; reference:nessus,10610; classtype:web-application-activity; sid:896; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP redirect access"; flow:to_server,established; content:"/redirect"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1179; reference:cve,2000-0382; classtype:attempted-recon; sid:895; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-hist.sh access"; flow:to_server,established; content:"/bb-hist.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:894; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AnyForm2 access"; flow:to_server,established; content:"/AnyForm2"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,719; reference:cve,1999-0066; reference:nessus,10277; classtype:attempted-recon; sid:892; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP upload.pl access"; flow:to_server,established; content:"/upload.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:891; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sendform.cgi access"; flow:to_server,established; content:"/sendform.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,5286; reference:cve,2002-0710; reference:url,www.scn.org/help/sendform.txt; classtype:attempted-recon; sid:890; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ppdscgi.exe access"; flow:to_server,established; content:"/ppdscgi.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,491; reference:nessus,10187; reference:url,online.securityfocus.com/archive/1/16878; classtype:attempted-recon; sid:889; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wwwadmin.pl access"; flow:to_server,established; content:"/wwwadmin.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:888; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP www-sql access"; flow:to_server,established; content:"/www-sql"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2; classtype:attempted-recon; sid:887; rev:18;)
# NOTE(review): sid:885 is disabled. It is one of several rules in this file that flag a shell
# or interpreter name in the URI and cite cve,1999-0509 / CERT CA-1996-11 (sids 877, 872, 868,
# 865, 862 and 832 use the same references). The pattern "/bash" is an unanchored substring of
# the normalized URI, so any path segment that merely begins with "bash" also matches.
# A hit shows only that the string was requested; check the web server's response code and
# its CGI directory contents before treating it as exposure of an interpreter.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bash access"; flow:to_server,established; content:"/bash"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:web-application-activity; sid:885; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP flexform access"; flow:to_server,established; content:"/flexform"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:883; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar access"; flow:to_server,established; content:"/calendar"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:882; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP archie access"; flow:to_server,established; content:"/archie"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:881; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP LWGate access"; flow:to_server,established; content:"/LWGate"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.netspace.org/~dwb/lwgate/lwgate-history.html; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:880; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP admin.pl access"; flow:to_server,established; content:"/admin.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3839; reference:cve,2002-1748; reference:url,online.securityfocus.com/archive/1/249355; classtype:attempted-recon; sid:879; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP w3tvars.pm access"; flow:to_server,established; content:"/w3tvars.pm"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:878; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rksh access"; flow:to_server,established; content:"/rksh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:877; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP win-c-sample.exe access"; flow:to_server,established; content:"/win-c-sample.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2078; reference:cve,1999-0178; reference:nessus,10008; classtype:attempted-recon; sid:875; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tcsh access"; flow:to_server,established; content:"/tcsh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:872; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP survey.cgi access"; flow:to_server,established; content:"/survey.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1817; reference:cve,1999-0936; classtype:attempted-recon; sid:871; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP snorkerz.cmd access"; flow:to_server,established; content:"/snorkerz.cmd"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:870; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dumpenv.pl access"; flow:to_server,established; content:"/dumpenv.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1178; reference:nessus,10060; classtype:attempted-recon; sid:869; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rsh access"; flow:to_server,established; content:"/rsh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:868; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP visadmin.exe access"; flow:to_server,established; content:"/visadmin.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1808; reference:cve,1999-0970; reference:nessus,10295; classtype:attempted-recon; sid:867; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP post-query access"; flow:to_server,established; content:"/post-query"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6752; reference:cve,2001-0291; classtype:attempted-recon; sid:866; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ksh access"; flow:to_server,established; content:"/ksh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:865; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP day5datanotifier.cgi access"; flow:to_server,established; content:"/day5datanotifier.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1232; classtype:attempted-recon; sid:864; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP day5datacopier.cgi access"; flow:to_server,established; content:"/day5datacopier.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1232; classtype:attempted-recon; sid:863; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csh access"; flow:to_server,established; content:"/csh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:862; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP w3-msql access"; flow:to_server,established; content:"/w3-msql/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,591; reference:bugtraq,898; reference:cve,1999-0276; reference:cve,1999-0753; reference:cve,2000-0012; reference:nessus,10296; classtype:attempted-recon; sid:861; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP snork.bat access"; flow:to_server,established; content:"/snork.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2023; reference:cve,1999-0233; classtype:attempted-recon; sid:860; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP man.sh access"; flow:to_server,established; content:"/man.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2276; reference:cve,1999-1179; classtype:attempted-recon; sid:859; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP filemail access"; flow:to_server,established; content:"/filemail.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1154; classtype:attempted-recon; sid:858; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP environ.cgi access"; flow:to_server,established; content:"/environ.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:856; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP classifieds.cgi access"; flow:to_server,established; content:"/classifieds.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2020; reference:cve,1999-0934; classtype:attempted-recon; sid:854; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wrap access"; flow:to_server,established; content:"/wrap"; http_uri; metadata:ruleset community, service http; reference:bugtraq,373; reference:cve,1999-0149; reference:nessus,10317; classtype:attempted-recon; sid:853; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wguest.exe access"; flow:to_server,established; content:"/wguest.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,1999-0467; classtype:attempted-recon; sid:852; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP files.pl access"; flow:to_server,established; content:"/files.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1081; classtype:attempted-recon; sid:851; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wais.pl access"; flow:to_server,established; content:"/wais.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:850; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP view-source access"; flow:to_server,established; content:"/view-source"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:attempted-recon; sid:849; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP view-source directory traversal"; flow:to_server,established; content:"/view-source"; fast_pattern; nocase; http_uri; content:"../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:web-application-attack; sid:848; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP campas access"; flow:to_server,established; content:"/campas"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1975; reference:cve,1999-0146; reference:nessus,10035; classtype:attempted-recon; sid:847; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bnbform.cgi access"; flow:to_server,established; content:"/bnbform.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2147; reference:cve,1999-0937; classtype:attempted-recon; sid:846; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AT-admin.cgi access"; flow:to_server,established; content:"/AT-admin.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1072; classtype:attempted-recon; sid:845; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP args.bat access"; flow:to_server,established; content:"/args.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon; sid:844; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP anform2 access"; flow:to_server,established; content:"/AnForm2"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,719; reference:cve,1999-0066; classtype:attempted-recon; sid:843; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP aglimpse access"; flow:to_server,established; content:"/aglimpse"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon; sid:842; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP perlshop.cgi access"; flow:to_server,established; content:"/perlshop.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1374; classtype:attempted-recon; sid:840; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP finger access"; flow:to_server,established; content:"/finger"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0612; reference:nessus,10071; classtype:attempted-recon; sid:839; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webgais access"; flow:to_server,established; content:"/webgais"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2058; reference:cve,1999-0176; reference:nessus,10300; classtype:attempted-recon; sid:838; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP uploader.exe access"; flow:to_server,established; content:"/uploader.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1611; reference:cve,1999-0177; reference:cve,2000-0769; reference:nessus,10291; classtype:attempted-recon; sid:837; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP textcounter.pl access"; flow:to_server,established; content:"/textcounter.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2265; reference:cve,1999-1479; reference:nessus,11451; classtype:attempted-recon; sid:836; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rwwwshell.pl access"; flow:to_server,established; content:"/rwwwshell.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.itsecurity.com/papers/p37.htm; classtype:attempted-recon; sid:834; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rguest.exe access"; flow:to_server,established; content:"/rguest.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2024; reference:cve,1999-0287; classtype:attempted-recon; sid:833; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP perl.exe access"; flow:to_server,established; content:"/perl.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:832; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nph-test-cgi access"; flow:to_server,established; content:"/nph-test-cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,686; reference:cve,1999-0045; reference:nessus,10165; classtype:attempted-recon; sid:829; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP maillist.pl access"; flow:to_server,established; content:"/maillist.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:828; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP info2www access"; flow:to_server,established; content:"/info2www"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1995; reference:cve,1999-0266; reference:nessus,10127; classtype:attempted-recon; sid:827; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htmlscript access"; flow:to_server,established; content:"/htmlscript"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2001; reference:cve,1999-0264; reference:nessus,10106; classtype:attempted-recon; sid:826; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP glimpse access"; flow:to_server,established; content:"/glimpse"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon; sid:825; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP php.cgi access"; flow:to_server,established; content:"/php.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2250; reference:bugtraq,712; reference:cve,1999-0058; reference:cve,1999-0238; reference:nessus,10178; classtype:attempted-recon; sid:824; rev:27;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cvsweb.cgi access"; flow:to_server,established; content:"/cvsweb.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1469; reference:cve,2000-0670; reference:nessus,10465; classtype:attempted-recon; sid:823; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP imagemap.exe overflow attempt"; flow:to_server,established; content:"/imagemap.exe?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,739; reference:cve,1999-0951; reference:nessus,10122; classtype:web-application-attack; sid:821; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP anaconda directory traversal attempt"; flow:to_server,established; content:"/apexec.pl"; http_uri; content:"template=../"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,2338; reference:bugtraq,2388; reference:cve,2000-0975; reference:cve,2001-0308; reference:nessus,10536; classtype:web-application-attack; sid:820; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mmstdod.cgi access"; flow:to_server,established; content:"/mmstdod.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2063; reference:cve,2001-0021; reference:nessus,10566; classtype:attempted-recon; sid:819; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dcforum.cgi access"; flow:to_server,established; content:"/dcforum.cgi"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:818; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dcboard.cgi invalid user addition attempt"; flow:to_server,established; content:"/dcboard.cgi"; http_uri; content:"command=register"; content:"%7cadmin"; metadata:ruleset community, service http; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:web-application-attack; sid:817; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP websendmail access"; flow:to_server,established; content:"/websendmail"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2077; reference:cve,1999-0196; reference:nessus,10301; classtype:attempted-recon; sid:815; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webplus directory traversal"; flow:to_server,established; content:"/webplus?script"; fast_pattern; nocase; http_uri; content:"../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,1102; reference:cve,2000-0282; reference:nessus,10367; classtype:web-application-attack; sid:813; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webplus version access"; flow:to_server,established; content:"/webplus?about"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1102; reference:cve,2000-0282; classtype:attempted-recon; sid:812; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP websitepro path access"; flow:to_server,established; content:" /HTTP/1."; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,932; reference:cve,2000-0066; reference:nessus,10303; classtype:attempted-recon; sid:811; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP whois_raw.cgi access"; flow:to_server,established; content:"/whois_raw.cgi"; http_uri; metadata:ruleset community, service http; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; classtype:attempted-recon; sid:810; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP whois_raw.cgi arbitrary command execution attempt"; flow:to_server,established; content:"/whois_raw.cgi?"; http_uri; content:"|0A|"; metadata:ruleset community, service http; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; reference:url,attack.mitre.org/techniques/T1065; classtype:web-application-attack; sid:809; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webdriver access"; flow:to_server,established; content:"/webdriver"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2166; reference:nessus,10592; classtype:attempted-recon; sid:808; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /wwwboard/passwd.txt access"; flow:to_server,established; content:"/wwwboard/passwd.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,649; reference:cve,1999-0953; reference:cve,1999-0954; reference:nessus,10321; classtype:attempted-recon; sid:807; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP yabb directory traversal attempt"; flow:to_server,established; content:"/YaBB"; fast_pattern; nocase; http_uri; content:"../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,1668; reference:cve,2000-0853; reference:nessus,10512; classtype:attempted-recon; sid:806; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Progress webspeed access"; flow:to_server,established; content:"/wsisa.dll/WService="; fast_pattern; nocase; http_uri; content:"WSMadmin"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,969; reference:cve,2000-0127; reference:nessus,10304; classtype:attempted-user; sid:805; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SWSoft ASPSeek Overflow attempt"; flow:to_server,established; content:"/s.cgi"; fast_pattern; nocase; http_uri; content:"tmpl="; http_uri; metadata:ruleset community, service http; reference:bugtraq,2492; reference:cve,2001-0476; classtype:web-application-attack; sid:804; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP HyperSeek hsx.cgi directory traversal attempt"; flow:to_server,established; content:"/hsx.cgi"; http_uri; content:"../../"; http_raw_uri; content:"%00"; distance:1; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2314; reference:cve,2001-0253; reference:nessus,10602; classtype:web-application-attack; sid:803; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PCCS mysql database admin tool access"; flow:to_server,established; content:"pccsmysqladm/incs/dbconnect.inc"; depth:36; nocase; metadata:ruleset community, service http; reference:bugtraq,1557; reference:cve,2000-0707; reference:nessus,10783; classtype:web-application-attack; sid:509; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3443 (msg:"SERVER-WEBAPP HP OpenView Network Node Manager URI rping stack buffer overflow attempt"; flow:to_server,established; content:"/OvCgi/webappmon.exe"; http_uri; content:"act=rping"; nocase; http_client_body; content:"sel="; http_client_body; pcre:"/sel\x3d[^\x26\x0a]{73}/Pi"; metadata:service http; reference:bugtraq,35267; reference:cve,2009-1420; classtype:attempted-user; sid:27006; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Outlook Web Access Login URL Redirection attempt"; flow:to_server,established; content:"/auth/owalogon.asp?url=http"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2005-0420; classtype:web-application-activity; sid:26993; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Super Cache & W3 Total Cache remote code execution attempt"; flow:to_server,established; content:"wp-comments-post.php"; nocase; http_uri; content:"mclude"; fast_pattern:only; http_client_body; metadata:service http; reference:bugtraq,59316; reference:cve,2013-2010; classtype:attempted-admin; sid:26992; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Super Cache & W3 Total Cache remote code execution attempt"; flow:to_server,established; content:"wp-comments-post.php"; nocase; http_uri; content:"dynamic-cached-content"; fast_pattern:only; http_client_body; metadata:service http; reference:bugtraq,59316; reference:cve,2013-2010; classtype:attempted-admin; sid:26991; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Super Cache & W3 Total Cache remote code execution attempt"; flow:to_server,established; content:"wp-comments-post.php"; nocase; http_uri; content:"mfunc"; fast_pattern:only; http_client_body; metadata:service http; reference:bugtraq,59316; reference:cve,2013-2010; classtype:attempted-admin; sid:26990; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dasdec unauthenticated information disclosure vulnerability"; flow:to_server,established; content:"/dasdec/weblogs/"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.ioactive.com/pdfs/IOActive_DASDEC_vulnerabilities.pdf; reference:url,www.kb.cert.org/vuls/id/662676; classtype:web-application-activity; sid:27164; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dasdec unauthenticated information disclosure vulnerability"; flow:to_server,established; content:"/dasdec/op_logs/"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.ioactive.com/pdfs/IOActive_DASDEC_vulnerabilities.pdf; reference:url,www.kb.cert.org/vuls/id/662676; classtype:web-application-activity; sid:27163; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dasdec unauthenticated information disclosure vulnerability"; flow:to_server,established; content:"/dasdec/forwarded_events/"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.ioactive.com/pdfs/IOActive_DASDEC_vulnerabilities.pdf; reference:url,www.kb.cert.org/vuls/id/662676; classtype:web-application-activity; sid:27162; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dasdec unauthenticated information disclosure vulnerability"; flow:to_server,established; content:"/dasdec/cap_recv_events/"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.ioactive.com/pdfs/IOActive_DASDEC_vulnerabilities.pdf; reference:url,www.kb.cert.org/vuls/id/662676; classtype:web-application-activity; sid:27161; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Themescript remote file include in CheckUpload.php Language"; flow:to_server,established; content:"loadadminpage"; fast_pattern:only; http_uri; pcre:"/loadadminpage=(https?|ftps?)/Ui"; metadata:service http; reference:bugtraq,31959; reference:cve,2008-5066; classtype:web-application-attack; sid:27218; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenEngine filepool.php remote file include attempt"; flow:to_server,established; content:"POST"; http_method; content:"/filepool.php?oe_classpath="; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,31423; reference:cve,2008-4791; reference:url,www.exploit-db.com/exploits/6585/; classtype:web-application-attack; sid:27196; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DM Albums album.php remote file include attempt"; flow:to_server,established; content:"/template/album.php?"; fast_pattern:only; http_uri; content:"SECURITY_FILE="; nocase; http_uri; pcre:"/\/template\/album.php\?SECURITY_FILE=(ftps?|https?|php)\:/Ui"; metadata:service http; reference:bugtraq,35521; reference:cve,2009-2399; classtype:web-application-attack; sid:27192; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Pragyan CMS form.lib.php remove file include attempt"; flow:to_server,established; content:"form.lib.php?"; http_uri; content:"sourceFolder="; distance:0; http_uri; pcre:"/sourceFolder\x3D(https?|ftps?|php)\x3A/U"; metadata:service http; reference:bugtraq,30235; reference:cve,2008-3207; classtype:attempted-user; sid:27230; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP txtSQL startup.php remote file include attempt"; flow:to_server,established; content:"startup.php?"; http_uri; content:"CFG[txtsql][class]="; http_uri; pcre:"/CFG\x5Btxtsql\x5D\x5Bclass\x5D\x3D(https?|ftps?|php)\x3A/U"; metadata:service http; reference:bugtraq,30625; reference:cve,2008-3595; classtype:attempted-user; sid:27227; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DokuWiki PHP file inclusion attempt"; flow:to_server,established; content:"/doku.php?"; nocase; http_uri; content:"config_cascade[main][default][]="; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,35095; reference:cve,2009-1960; classtype:web-application-attack; sid:27226; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DuWare DuClassmate default.asp iCity sql injection attempt"; flow:to_server,established; content:"/default.asp?"; nocase; http_uri; content:"iCity="; fast_pattern:only; http_uri; pcre:"/iCity=((UNION|DELETE|ASCII)?\s*SELECT.*?FROM|UPDATE.*?SET)/Ui"; metadata:service http; reference:cve,2006-6355; reference:url,attack.mitre.org/techniques/T1190; reference:url,doc.emergingthreats.net/2006706; reference:url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded; classtype:web-application-attack; sid:27286; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Gazi Download Portal down_indir.asp SQL injection attempt"; flow:to_server,established; content:"/down_indir.asp?"; fast_pattern:only; http_uri; content:"id="; nocase; http_uri; pcre:"/id=((UNION|DELETE|ASCII)?\s*SELECT.*?FROM|UPDATE.*?SET)/Ui"; metadata:service http; reference:bugtraq,23714; reference:cve,2007-2810; classtype:web-application-attack; sid:27285; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SezHoo remote file include in SezHooTabsAndActions.php"; flow:to_server,established; content:"SezHooTabsAndActions.php"; fast_pattern:only; http_uri; content:"IP="; nocase; http_uri; pcre:"/IP=(https?|ftps?)/Ui"; metadata:service http; reference:bugtraq,31756; classtype:web-application-attack; sid:27284; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Secure Backup Admin Server command injection attempt"; flow:to_server,established; content:"login.php?"; http_uri; content:"uname="; http_uri; content:"|0A|"; http_uri; metadata:service http; reference:bugtraq,48752; reference:cve,2011-2261; classtype:web-application-attack; sid:27598; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Hedgehog-CMS Directory traversal attempt"; flow:to_server,established; content:"/includes/header.php"; http_uri; content:"c_temp_path"; fast_pattern:only; http_uri; content:"../"; http_uri; metadata:service http; reference:bugtraq,33710; reference:cve,2008-2898; classtype:web-application-attack; sid:27638; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla media.php file.upload direct administrator access attempt"; flow:to_server,established; content:"POST"; depth:4; nocase; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_media&task=file.upload&tmpl=component&"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,61582; reference:cve,2013-5576; reference:url,developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads; reference:url,joomlacode.org/gf/project/joomla/tracker/action=TrackerItemEdit&tracker_item_id=31626; classtype:attempted-admin; sid:27667; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mxBB MX Faq module_root_path file inclusion attempt"; flow:to_server,established; content:"/faq.php?"; nocase; http_uri; content:"module_root_path="; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,23758; reference:cve,2007-2493; classtype:web-application-attack; sid:27688; rev:4;)
# NOTE(review): in the pcre below, "\|" between DELETE\s* and ASCII\s* is an escaped (literal) pipe, so the
# optional prefix group has two branches, "UNION\s*" and "DELETE\s*|ASCII\s*" with a literal "|", not three;
# this looks unintended. The keyword must also follow "baslik=" directly. sids 27681-27684 and 27686 carry
# the same pattern on other parameters; sid 27685 (rev 5) uses the "[^&]*?" form instead. Review before enabling.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ASPMForum SQL injection attempt"; flow:to_server,established; content:"/forum.asp?"; nocase; http_uri; content:"baslik="; nocase; http_uri; pcre:"/baslik=((UNION\s*|DELETE\s*\|ASCII\s*)?SELECT.*?FROM|UPDATE.*?SET)/Ui"; metadata:service http; reference:bugtraq,21113; reference:cve,2006-6270; classtype:web-application-attack; sid:27687; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ASPMForum SQL injection attempt"; flow:to_server,established; content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"harf="; nocase; http_uri; pcre:"/harf=((UNION\s*|DELETE\s*\|ASCII\s*)?SELECT.*?FROM|UPDATE.*?SET)/Ui"; metadata:service http; reference:bugtraq,21113; reference:cve,2006-6270; classtype:web-application-attack; sid:27686; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ASPMForum SQL injection attempt"; flow:to_server,established; content:"/mesajkutum.asp?"; nocase; http_uri; content:"mesajno="; nocase; http_uri; pcre:"/mesajno=[^&]*?(SELECT[^&]*?FROM|UPDATE[^&]*?SET)/Ui"; metadata:service http; reference:bugtraq,21113; reference:cve,2006-6270; classtype:web-application-attack; sid:27685; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ASPMForum SQL injection attempt"; flow:to_server,established; content:"/giris.asp?"; nocase; http_uri; content:"kullaniciadi="; nocase; http_uri; pcre:"/kullaniciadi=((UNION\s*|DELETE\s*\|ASCII\s*)?SELECT.*?FROM|UPDATE.*?SET)/Ui"; metadata:service http; reference:bugtraq,21113; reference:cve,2006-6270; classtype:web-application-attack; sid:27684; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ASPMForum SQL injection attempt"; flow:to_server,established; content:"/aramayap.asp?"; nocase; http_uri; content:"kelimeler="; nocase; http_uri; pcre:"/kelimeler=((UNION\s*|DELETE\s*\|ASCII\s*)?SELECT.*?FROM|UPDATE.*?SET)/Ui"; metadata:service http; reference:bugtraq,21113; reference:cve,2006-6270; classtype:web-application-attack; sid:27683; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ASPMForum SQL injection attempt"; flow:to_server,established; content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"ak="; nocase; http_uri; pcre:"/ak=((UNION\s*|DELETE\s*\|ASCII\s*)?SELECT.*?FROM|UPDATE.*?SET)/Ui"; metadata:service http; reference:bugtraq,21113; reference:cve,2006-6270; classtype:web-application-attack; sid:27682; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ASPMForum SQL injection attempt"; flow:to_server,established; content:"/forum2.asp?"; nocase; http_uri; content:"soruid="; nocase; http_uri; pcre:"/soruid=((UNION\s*|DELETE\s*\|ASCII\s*)?SELECT.*?FROM|UPDATE.*?SET)/Ui"; metadata:service http; reference:bugtraq,21113; reference:cve,2006-6270; classtype:web-application-attack; sid:27681; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP RedHat Piranha Virtual Server Package default passwd and arbitrary command execution attempt"; flow:to_server,established; content:"/piranha/secure/passwd.php3"; fast_pattern:only; http_uri; content:"passwd=ACCEPT"; nocase; http_uri; metadata:service http; reference:bugtraq,1148; reference:bugtraq,1149; reference:cve,2000-0248; reference:cve,2000-0322; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-admin; sid:27756; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Click N Print Coupons coupon_detail.asp SQL injection attempt"; flow:to_server,established; content:"/coupon_detail.asp?"; nocase; http_uri; content:"key="; within:4; nocase; http_uri; pcre:"/(select|union|insert|delete|ascii|update)/Ui"; metadata:service http; reference:bugtraq,21824; reference:cve,2006-6859; reference:url,www.websitedesignsforless.com; classtype:web-application-attack; sid:27753; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Neocrome Land Down Under profile.inc.php SQL injection attempt"; flow:to_server,established; content:"/users.php?"; nocase; http_uri; content:"m=profile&"; within:10; nocase; http_uri; content:"a=avatarselect&"; within:15; nocase; http_uri; content:"id="; within:20; nocase; http_uri; pcre:"/id\s?=\s?.*?(select|union|insert|delete|ascii|update)/Ui"; metadata:service http; reference:bugtraq,21227; reference:cve,2006-6268; reference:url,www.securityfocus.com/archive/1/452259; classtype:attempted-user; sid:27752; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Outfront Spooky Login a_register.asp SQL injection attempt"; flow:to_server,established; content:"/includes/a_register.asp?"; fast_pattern:only; http_uri; pcre:"/(select|union|insert|delete|ascii|update)/Ui"; metadata:service http; reference:bugtraq,21822; reference:cve,2006-6861; reference:url,www.securityfocus.com/archive/1/archive/1/455603/100/0/threaded; classtype:web-application-attack; sid:27749; rev:1;)
# NOTE(review): the unanchored, case-insensitive pcre below matches "update" inside the required
# "UserUpdate=" parameter name itself, so it adds no filtering: with this rule enabled, every request to
# /login/register.asp?UserUpdate=... would alert. Anchor the pcre to the parameter value before enabling.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Outfront Spooky Login register.asp SQL injection attempt"; flow:to_server,established; content:"/login/register.asp?"; nocase; http_uri; content:"UserUpdate="; within:11; nocase; http_uri; pcre:"/(select|union|insert|delete|ascii|update)/Ui"; metadata:service http; reference:bugtraq,21822; reference:cve,2006-6861; reference:url,www.securityfocus.com/archive/1/archive/1/455603/100/0/threaded; classtype:web-application-attack; sid:27748; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CA Total Defense Suite UNCWS UnassignFunctionalRoles stored procedure SQL injection attempt"; flow:to_server,established; content:"/UNCWS/Management.asmx"; fast_pattern:only; http_uri; content:"UnAssignFunctionalUsers"; nocase; http_client_body; pcre:"/modifiedData\s*>[^<]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Psmi"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1653; classtype:attempted-admin; sid:27797; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CA Total Defense Suite UNCWS UnassignFunctionalRoles stored procedure POST SQL injection attempt"; flow:to_server,established; content:"/UNCWS/Management.asmx"; fast_pattern:only; http_uri; content:"/UnAssignFunctionalUsers"; nocase; http_uri; pcre:"/(^|&)modifiedData=[^&]*?([\x27\x22\x3b\x23\x28]|%(25)?(27|22|3b|23|28)|(\x2f|%(25)?2f)(\x2a|%(25)?2a)|(\x2d|%(25)?2d){2})/Pim"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1653; classtype:attempted-admin; sid:27796; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint self cross site scripting attempt"; flow:to_server,established; content:"__CALLBACKID"; fast_pattern:only; http_uri; pcre:"/__CALLBACKID=([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2013-3180; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-067; classtype:web-application-attack; sid:27828; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint self cross site scripting attempt"; flow:to_server,established; content:"_wzSelected"; fast_pattern:only; http_uri; pcre:"/_wzSelected=([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2013-3180; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-067; classtype:web-application-attack; sid:27827; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint self cross site scripting attempt"; flow:to_server,established; content:"_wpSelected"; fast_pattern:only; http_uri; pcre:"/_wpSelected=([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2013-3180; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-067; classtype:web-application-attack; sid:27826; rev:2;)
# Enabled rule, sid 27823 (CVE-2013-1330): the request URI must contain "/_layouts/viewlists.aspx?", "BaseType=0"
# and "__VIEWSTATE="; 150 bytes are base64-decoded starting 17 bytes after that match and searched for a
# serialized System.IO.FileInfo (OriginalPath/FullPath) followed by two "\\" sequences.
# NOTE(review): every match is on http_uri, so a __VIEWSTATE sent in the request body is not inspected by this
# rule - confirm other coverage. Drop action applies under balanced-, connectivity- and security-ips policies.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Office SharePoint malicious serialized viewstate evaluation attempt"; flow:to_server,established; content:"/_layouts/viewlists.aspx?"; fast_pattern:only; http_uri; content:"BaseType=0"; nocase; http_uri; content:"__VIEWSTATE="; nocase; http_uri; base64_decode:bytes 150,offset 17,relative; base64_data; content:"System.IO.FileInfo|02 00 00 00 0C|OriginalPath|08|FullPath"; nocase; content:"|5C 5C|"; distance:0; nocase; content:"|5C 5C|"; distance:0; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2013-1330; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-067; classtype:attempted-admin; sid:27823; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ektron CMS XSLT transform remote code execution attempt"; flow:to_server,established; content:"/cms400min/WorkArea/ContentDesigner/ekajaxtransform.aspx"; fast_pattern:only; http_uri; content:"System.Runtime.InteropServices.DllImport"; nocase; http_client_body; content:"System.Runtime.InteropServices.Marshal.Copy"; nocase; http_client_body; content:"VirtualAlloc"; nocase; http_client_body; metadata:service http; reference:bugtraq,56816; reference:cve,2012-5357; reference:url,technet.microsoft.com/en-us/security/msvr/msvr12-016; classtype:attempted-admin; sid:27863; rev:3;)
# Enabled rule, sid 27942 (CVE-2013-4983, CVE-2013-4984): the URI contains "c=blocked" and "action=continue", and
# the request body has a "domain=" value (up to the next "&") containing ";", "`" or "$(", raw or as
# %3b / %60 / %24%28. Drops under balanced-, connectivity- and security-ips policies.
# NOTE(review): only traffic to $HOME_NET on $HTTP_PORTS is inspected - confirm the appliance's web interface
# port is in $HTTP_PORTS and that the sensor sees it unencrypted.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sophos Web Protection Appliance sblistpack arbitrary command execution attempt"; flow:to_server,established; content:"c=blocked"; fast_pattern:only; http_uri; content:"action=continue"; nocase; http_uri; content:"domain="; nocase; http_client_body; pcre:"/domain=[^&]*?([\x3b\x60]|\x24\x28|%3b|%60|%24%28)/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,62263; reference:bugtraq,62265; reference:cve,2013-4983; reference:cve,2013-4984; reference:url,www.sophos.com/en-us/support/knowledgebase/119773.aspx; classtype:attempted-admin; sid:27942; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Django web framework oversized password denial of service attempt"; flow:to_server,established; content:"csrfmiddlewaretoken="; fast_pattern:only; http_client_body; content:"password="; nocase; http_client_body; pcre:"/password=[^\x26]{1024}/smiP"; metadata:service http; reference:cve,2013-1443; reference:url,www.djangoproject.com/weblog/2013/sep/15/security/; classtype:attempted-dos; sid:27940; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys WRT110 ping.cgi remote command execution attempt"; flow:to_server,established; content:"/ping.cgi"; depth:9; nocase; http_uri; content:"pingstr="; nocase; http_client_body; pcre:"/(^|&)pingstr=[^&]*?(\x60|\x24\x28|%60|%24%28|%26)/Pmi"; metadata:service http; reference:bugtraq,61151; reference:cve,2013-3568; classtype:attempted-admin; sid:28052; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GLPI install.php arbitrary code injection attempt"; flow:to_server,established; content:"/glpi/install/install.php"; fast_pattern:only; http_uri; content:"databasename="; nocase; http_client_body; pcre:"/(^|&)databasename=[^&]*?(\x27|%27)[^&]*?(\x3b|%3b)/Pmi"; metadata:service http; reference:cve,2013-5696; reference:url,www.glpi-project.org/spip.php?page=annonce&id_breve=308; classtype:attempted-admin; sid:28051; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GLPI install.php arbitrary code injection attempt"; flow:to_server,established; content:"/glpi/install/install.php"; fast_pattern:only; http_uri; content:"pass="; nocase; http_client_body; pcre:"/(^|&)db(_|%5f)pass=[^&]*?(\x27|%27)[^&]*?(\x3b|%3b)/Pmi"; metadata:service http; reference:cve,2013-5696; reference:url,www.glpi-project.org/spip.php?page=annonce&id_breve=308; classtype:attempted-admin; sid:28050; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GLPI install.php arbitrary code injection attempt"; flow:to_server,established; content:"/glpi/install/install.php"; fast_pattern:only; http_uri; content:"user="; nocase; http_client_body; pcre:"/(^|&)db(_|%5f)user=[^&]*?(\x27|%27)[^&]*?(\x3b|%3b)/Pmi"; metadata:service http; reference:cve,2013-5696; reference:url,www.glpi-project.org/spip.php?page=annonce&id_breve=308; classtype:attempted-admin; sid:28049; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GLPI install.php arbitrary code injection attempt"; flow:to_server,established; content:"/glpi/install/install.php"; fast_pattern:only; http_uri; content:"host="; nocase; http_client_body; pcre:"/(^|&)db(_|%5f)host=[^&]*?(\x27|%27)[^&]*?(\x3b|%3b)/Pmi"; metadata:service http; reference:cve,2013-5696; reference:url,www.glpi-project.org/spip.php?page=annonce&id_breve=308; classtype:attempted-admin; sid:28048; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP RaidSonic Multiple Products arbitrary command injection attempt"; flow:to_server,established; content:"/cgi/time/timeHandler.cgi"; fast_pattern:only; http_uri; content:"timeZone="; nocase; http_client_body; pcre:"/(^|&)timeZone=[^&]*?(\x60|\x24\x28|%60|%24%28)/Pmi"; metadata:service http; reference:bugtraq,57958; classtype:attempted-admin; sid:28047; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital Arkeia Appliance directory traversal attempt"; flow:to_server,established; content:"%00"; fast_pattern:only; content:"%00"; http_cookie; content:"lang="; nocase; http_cookie; pcre:"/lang=[^\s\x3b\x2c]*?(\x2e\x2e|%2e%2e)(\x2f|%2f)/Cmi"; metadata:service http; reference:bugtraq,62444; classtype:attempted-admin; sid:28093; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN1000B setup.cgi cross site scripting attempt"; flow:to_server,established; content:"/setup.cgi"; fast_pattern:only; http_uri; pcre:"/\/setup.cgi.*?(?<=[?&])(?>service_name|device|ssid_num|cfKeyWord_Domain|h_skeyword)=[^&$]*?\x3e/iU"; metadata:service http; reference:bugtraq,57836; classtype:web-application-attack; sid:28083; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Drupal Core OpenID information disclosure attempt"; flow:to_client,established; file_data; content:"<?xml"; content:"!DOCTYPE"; content:"xrds:XRDS"; fast_pattern:only; content:"openid.net"; metadata:service http; reference:cve,2012-4554; classtype:web-application-attack; sid:28076; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenEMR information disclosure attempt"; flow:to_server,established; content:"openemr/interface/new/new_comprehensive_save.php"; fast_pattern:only; http_uri; content:"form_pubpid="; depth:12; http_client_body; content:"|27| AND |28|"; within:15; http_client_body; metadata:service http; classtype:web-application-attack; sid:28145; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Python Pickle remote code execution attempt"; flow:to_server,established; content:"cposix|0A|system|0A|p"; content:"|0A 28|S'"; within:4; distance:1; metadata:service http; reference:bugtraq,61894; reference:cve,2013-5093; classtype:attempted-user; sid:28139; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP vBulletin upgrade.php exploit attempt"; flow:to_server, established; content:"install/upgrade.php"; fast_pattern:only; http_uri; content:"firstrun=false"; http_client_body; content:"&customerid="; http_client_body; content:"username%5d="; http_client_body; content:"password%5d="; http_client_body; metadata:ruleset community, service http; reference:url,www.net-security.org/secworld.php?id=15743; classtype:attempted-admin; sid:28215; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Microsoft Interactive Training buffer overflow attempt"; flow:to_client,established; file_data; content:"[Microsoft Interactive Training]"; fast_pattern:only; content:"Syllabus="; isdataat:64,relative; content:!"|0D 0A|"; within:64; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13944; reference:cve,2005-1212; reference:cve,2006-3448; reference:nessus,18492; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-031; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-005; classtype:attempted-user; sid:28228; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Zabbix httpmon.php SQL injection attempt"; flow:to_server,established; content:"/zabbix/httpmon.php"; fast_pattern:only; http_uri; content:"applications="; nocase; http_uri; pcre:"/[?&]applications=[^&]*?([\x27\x28]|\x2f\x2a)/Ui"; metadata:policy security-ips drop, service http; reference:bugtraq,62794; reference:cve,2013-5743; reference:url,support.zabbix.com/browse/ZBX-7091; classtype:web-application-attack; sid:28251; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WHMCS SQL injection attempt"; flow:to_server,established; content:"TABLEJOIN"; nocase; http_client_body; pcre:"/TABLEJOIN.*?(SELECT.*?FROM|UPDATE.*?SET)/Psi"; metadata:service http; reference:url,localhost.re/p/whmcs-528-vulnerability; classtype:web-application-attack; sid:28299; rev:1;)
# Tenda W302R signatures (sids 28290, 28289). Both match the bytes "w302r_mfg", a NUL
# and a one-byte command ("1" = the iwpriv case, "x" = the root case, per the msg text)
# in UDP traffic to port 7329. fast_pattern:only means the content is searched for
# anywhere in the payload, with no offset or depth.
# Source and destination are both $HOME_NET, so the sensor has to see intra-LAN traffic
# for these to fire; traffic arriving from $EXTERNAL_NET is not covered by these headers.
# NOTE(review): flow:to_server on UDP presumably depends on UDP session tracking being
# enabled in the stream preprocessor -- verify in this image's snort.conf.
alert udp $HOME_NET any -> $HOME_NET 7329 (msg:"SERVER-WEBAPP Tenda W302R iwpriv remote code execution attempt"; flow:to_server; content:"w302r_mfg|00|1"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,www.medialinkproducts.com/wirelessRouter.php; classtype:attempted-admin; sid:28290; rev:3;)
alert udp $HOME_NET any -> $HOME_NET 7329 (msg:"SERVER-WEBAPP Tenda W302R root remote code execution attempt"; flow:to_server; content:"w302r_mfg|00|x"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,www.medialinkproducts.com/wirelessRouter.php; classtype:attempted-admin; sid:28289; rev:3;)
# WebTester install2.php command execution (sid 28288). Requires the URI
# /webtester5/install2.php plus cpanel=yes and createdb=yes in the request body, then a
# db / dbusername / dbpassword / cpusername / cppassword / cpdomain field whose value
# contains a single quote (raw or %27) followed by ";", a backtick or "$(" (raw or
# percent-encoded). Drops inline under the balanced, max-detect and security policies.
# NOTE(review): every body check depends on how much of the request body http_inspect
# exposes to http_client_body -- confirm the configured body depth covers this form.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WebTester install2.php arbitrary command execution attempt"; flow:to_server,established; content:"/webtester5/install2.php"; fast_pattern:only; http_uri; content:"cpanel=yes"; nocase; http_client_body; content:"createdb=yes"; nocase; http_client_body; pcre:"/(^|&)(db(username|password|)|cp(username|password|domain))=[^&]*?(\x27|%27)[^&]*?([\x3b\x60]|\x24\x28|%3b|%60|%24%28)/Pmi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,sourceforge.net/p/webtesteronline/bugs/3/; classtype:attempted-admin; sid:28288; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ProcessMaker neoclassic skin arbitrary code execution attempt"; flow:to_server,established; content:"/sysworkflow/"; nocase; http_uri; content:"/neoclassic/"; fast_pattern:only; http_uri; content:"action="; nocase; http_client_body; content:"params="; nocase; http_client_body; pcre:"/action=[^&]*?(exec|passthru|system|eval)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,bugs.processmaker.com/view.php?id=13436; classtype:attempted-admin; sid:28409; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ProcessMaker neoclassic skin arbitrary code execution attempt"; flow:to_server,established; content:"/sysworkflow/"; nocase; http_uri; content:"/neoclassic/"; fast_pattern:only; http_uri; content:"action="; nocase; http_uri; content:"params="; nocase; http_uri; pcre:"/action=[^&]*?(exec|passthru|system|eval)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,bugs.processmaker.com/view.php?id=13436; classtype:attempted-admin; sid:28408; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center BIMS bimsDownload directory traversal attempt"; flow:to_server,established; content:"/imc/bimsDownload?"; fast_pattern:only; http_uri; content:"../"; http_uri; pcre:"/[?&](fileName|path)=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:bugtraq,62897; reference:cve,2013-4823; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03943425; classtype:attempted-recon; sid:28448; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress XMLRPC potential port-scan attempt"; flow:established,to_server,only_stream; content:"POST"; nocase; http_method; content:"/xmlrpc.php"; fast_pattern:only; http_uri; content:"methodCall"; nocase; http_client_body; content:"pingback.ping"; nocase; http_client_body; detection_filter:track by_src, count 5, seconds 30; metadata:service http; reference:bugtraq,57554; reference:cve,2013-0235; reference:url,github.com/FireFart/WordpressPingbackPortScanner/; reference:url,www.acunetix.com/blog/web-security-zone/wordpress-pingback-vulnerability/; classtype:web-application-attack; sid:28849; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla simple RSS reader admin.rssreader.php remote file include attempt"; flow:to_server,established; content:"admin.rssreader.php"; fast_pattern:only; http_uri; content:"mosConfig_live_site="; nocase; http_uri; pcre:"/[?&]mosConfig_live_site=(https?|ftps?|php)\x3a\x2f/Ui"; metadata:service http; reference:bugtraq,32265; reference:cve,2008-5053; classtype:web-application-attack; sid:28912; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP mcRefer install.php arbitrary PHP code injection attempt"; flow:to_server,established; content:"nomsite="; fast_pattern:only; http_client_body; content:"pass="; nocase; http_client_body; content:"verif="; nocase; http_client_body; content:"submit="; nocase; http_client_body; pcre:"/(^|&)(bgcolor|tablecolor|tdcolor|fontface|fontcolor|fontsize|font|nomsite|url|email|pass)=[^&]*?(\x3c\x3f|%3c%3f)/Pmi"; metadata:service http; reference:cve,2007-1073; classtype:web-application-attack; sid:28910; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OTManager ADM_Pagina.php remote file include attempt"; flow:to_server,established; content:"ADM_Pagina.php"; fast_pattern:only; http_uri; content:"Tipo="; nocase; http_uri; pcre:"/[?&]Tipo=(https?|ftps?|php)\x3a\x2f/Ui"; metadata:service http; reference:bugtraq,32235; reference:cve,2008-5063; classtype:web-application-attack; sid:28909; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Fortinet FortiAnalyzer cross-site request forgery attempt. "; flow:to_server,established; content:"sysmanager/admin/SYSAdminUserDialog"; fast_pattern:only; http_uri; content:"csrf_token="; http_client_body; isdataat:!1,relative; metadata:service http; classtype:attempted-admin; sid:28971; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Fortinet FortiAnalyzer cross-site request forgery attempt. "; flow:to_server,established; content:"sysmanager/admin/SYSAdminUserDialog"; fast_pattern:only; http_uri; content:"csrf_token=&"; http_client_body; metadata:service http; classtype:attempted-admin; sid:28970; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP RSS-aggregator display.php remote file include attempt"; flow:to_server,established; content:"/display.php|3F|"; nocase; http_uri; content:"path|3D|"; within:50; nocase; http_uri; pcre:"/path\x3d\s*?(https?|ftps?|php)/Ui"; metadata:service http; reference:bugtraq,29873; reference:cve,2008-2884; classtype:attempted-user; sid:28957; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Novell Zenworks configuration management umaninv information disclosure attempt"; flow:to_server,established; content:"/zenworks-unmaninv/"; http_raw_uri; content:"action=GetFile"; distance:0; http_raw_uri; content:"Filename="; http_raw_uri; content:"../"; within:28; http_raw_uri; metadata:service http; reference:cve,2013-1084; classtype:attempted-user; sid:28956; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Microsoft Sharepoint server callback function cross-site scripting attempt"; flow:to_client,established; content:"/_layouts/filter.aspx"; pcre:"/^#[^\s\x22\x27]*?CallbackFn=[^\s\x22\x27]*?CallbackParam=/Rims"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,58371; reference:cve,2013-0080; classtype:attempted-user; sid:28946; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP BoonEx Dolphin 6.1.2 remote file include attempt"; flow:to_server,established; content:"/Dolphin-v.6.1.2"; fast_pattern:only; http_uri; content:"content.inc.php|3F|"; nocase; http_uri; content:"sIncPath|3D|"; within:50; nocase; http_uri; pcre:"/sIncPath\x3d\s*?(https?|ftps?|php)/Ui"; metadata:service http; reference:bugtraq,30136; reference:cve,2008-3167; classtype:attempted-user; sid:28944; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP BoonEx Dolphin 6.1.2 remote file include attempt"; flow:to_server,established; content:"/Dolphin-v.6.1.2"; fast_pattern:only; http_uri; content:"safehtml.php|3F|"; nocase; http_uri; content:"dir|5B|plugins|5D 3D|"; within:50; nocase; http_uri; pcre:"/dir\x5bplugins\x5d\x3d\s*?(https?|ftps?|php)/Ui"; metadata:service http; reference:bugtraq,30136; reference:cve,2008-3167; classtype:attempted-user; sid:28943; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP BoonEx Dolphin 6.1.2 remote file include attempt"; flow:to_server,established; content:"/Dolphin-v.6.1.2"; fast_pattern:only; http_uri; content:"HTMLSax3.php|3F|"; nocase; http_uri; content:"dir|5B|plugins|5D 3D|"; within:50; nocase; http_uri; pcre:"/dir\x5bplugins\x5d\x3d\s*?(https?|ftps?|php)/Ui"; metadata:service http; reference:bugtraq,30136; reference:cve,2008-3167; classtype:attempted-user; sid:28942; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Horde groupware webmail edition ingo filter cross-site request forgery attempt"; flow:to_server,established; content:"/ingo/basic.php"; nocase; http_uri; content:"page=rule"; within:56; nocase; http_uri; pcre:"/POST \/(?P<uri>.*?) HTTP((?!\r\n\r\n).)*?Host: (?P<host>[^\r\n]*?)((?!\r\n\r\n).)*?Referer: https?:\/\/((?!(?P=host))|[^\/]*?\/(?!(?P=uri)))/ims"; metadata:service http; reference:cve,2013-6275; classtype:attempted-user; sid:28936; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 15050 (msg:"SERVER-WEBAPP IBM Platform Symphony SOAP request processing buffer overflow attempt"; flow:to_server,established; content:"soapenv|3A|"; content:"<|2F|"; isdataat:800,relative; content:!">"; within:800; reference:cve,2013-5387; classtype:attempted-user; sid:29005; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco EPC3925 cross site request forgery attempt"; flow:to_server,established; content:"/goform/Quick_setup"; fast_pattern:only; http_uri; content:"Password"; nocase; http_client_body; content:"PasswordReEnter"; within:75; nocase; http_client_body; content:"save"; within:75; nocase; http_client_body; content:"Save Settings"; within:25; nocase; http_client_body; metadata:service http; reference:url,cisco.com/web/consumer/support/modem_DPC3925.html; classtype:attempted-user; sid:29000; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WhatsUp Gold ExportViewer.asp diretory traversal attempt"; flow:to_server,established; content:"/ExportViewer.asp"; fast_pattern:only; http_uri; content:".."; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,52745; classtype:web-application-attack; sid:29046; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Novell Groupwise Messenger Server process memory information disclosure attempt"; flow:to_server,established; content:"/getdetails"; fast_pattern:only; http_uri; content:"tag=NM_A_SZ_DN"; depth:512; metadata:service http; reference:cve,2011-3179; classtype:attempted-user; sid:29118; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Messaging Gateway save.do cross site request forgery attempt"; flow:to_server,established; content:"/brightmail/admin/administrator/save.do"; nocase; http_uri; content:"&fullAdminRole=true&statusRole=true"; distance:0; nocase; http_uri; metadata:service http; reference:cve,2012-0308; classtype:attempted-user; sid:29110; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP NetWeaver internet sales module directory traversal attempt"; flow:to_server,established; content:"/b2b/admin/log"; fast_pattern:only; http_uri; content:"../"; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,service.sap.com/sap/support/notes/1585527; classtype:web-application-attack; sid:29170; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP The Bug Genie openid_identifier cross site scripting attempt"; flow:established,to_server; content:"/thebuggenie/do/login"; fast_pattern:only; http_uri; pcre:"/[?&]openid_identifier=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,64004; classtype:web-application-attack; sid:29160; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP The Bug Genie openid_identifier cross site scripting attempt"; flow:established,to_server; content:"/thebuggenie/do/login"; fast_pattern:only; http_uri; pcre:"/[?&]openid_identifier=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,64004; classtype:web-application-attack; sid:29159; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosQL hostdependencies.php cross site scripting attempt"; flow:established,to_server; content:"hostdependencies.php"; fast_pattern:only; http_uri; pcre:"/[?&]txtSearch=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2013/Dec/30; classtype:web-application-attack; sid:29158; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosQL hostdependencies.php cross site scripting attempt"; flow:established,to_server; content:"hostdependencies.php"; fast_pattern:only; http_uri; pcre:"/[?&]txtSearch=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2013/Dec/30; classtype:web-application-attack; sid:29157; rev:2;)
# Red Hat CloudForms agent controller directory traversal, CVE-2013-2068
# (sids 29297, 29296). Both anchor on a URI that begins with /agent/ (depth:7) and
# require data= and filename= parameters.
#   29297 inspects the normalized URI and matches a literal "../" in the filename value.
#   29296 inspects the request body and additionally accepts "\" as the separator and
#         the %2e / %2f / %5c encodings.
# The two are not symmetric: the URI variant has no backslash or percent-encoded
# alternatives of its own, so keep both enabled together.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Red Hat CloudForms agent controller filename directory traversal attempt"; flow:to_server,established; content:"/agent/"; depth:7; fast_pattern; nocase; http_uri; content:"data="; nocase; http_uri; content:"filename="; nocase; http_uri; content:"../"; distance:0; http_uri; pcre:"/[?&]filename=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,62745; reference:cve,2013-2068; reference:url,rhn.redhat.com/errata/RHSA-2013-1206.html; classtype:attempted-admin; sid:29297; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Red Hat CloudForms agent controller filename directory traversal attempt"; flow:to_server,established; content:"/agent/"; depth:7; fast_pattern; nocase; http_uri; content:"data="; nocase; http_client_body; content:"filename="; nocase; http_client_body; pcre:"/(^|&)filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pmi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,62745; reference:cve,2013-2068; reference:url,rhn.redhat.com/errata/RHSA-2013-1206.html; classtype:attempted-admin; sid:29296; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios3 statuswml.cgi remote command execution attempt"; flow:to_server,established; content:"/cgi-bin/statuswml.cgi"; fast_pattern:only; http_uri; pcre:"/[?&](traceroute|ping)=[^&]*?(%3b|\x3b)/Ui"; metadata:service http; reference:cve,2009-2288; classtype:attempted-admin; sid:29267; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Avaya IP Office Customer Call Reporter cross site scripting attempt"; flow:to_server,established; content:"/CCRWebClient/Help/"; http_raw_uri; content:"index.htm?//"; distance:0; http_raw_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,websecurity.com.au/6717; classtype:web-application-attack; sid:29346; rev:2;)
# Synology DiskStation Manager imageSelector.cgi SLICEUPLOAD, CVE-2013-6955 (sid 29387).
# Needs the URI /webman/imageSelector.cgi and, in the request headers, "X-TYPE-NAME:"
# followed by SLICEUPLOAD and "X-TMP-FILE:" followed by ".cgi". Drops inline under the
# connectivity, balanced and security policies.
# NOTE(review): distance:0 only orders the matches inside the header buffer; neither
# value is tied to its own header line, so ".cgi" in any later header also satisfies
# the last check. This may be broad where imageSelector.cgi uploads are legitimate --
# review alerts before relying on the drop action.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Synology DiskStation Manager SLICEUPLOAD remote command execution attempt"; flow:to_server,established; content:"/webman/imageSelector.cgi"; fast_pattern:only; http_uri; content:"X-TYPE-NAME|3A|"; nocase; http_header; content:"SLICEUPLOAD"; distance:0; nocase; http_header; content:"X-TMP-FILE|3A|"; nocase; http_header; content:".cgi"; distance:0; nocase; http_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,64516; reference:cve,2013-6955; classtype:attempted-admin; sid:29387; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios process_cgivars off-by-one memory access denial of service attempt"; flow:to_server,established; urilen:>1044,norm; content:"/cgi-bin/"; fast_pattern:only; http_uri; content:".cgi?"; nocase; http_uri; content:"="; http_uri; pcre:"/[?&]\w+=[^&]{1023}/Ui"; metadata:service http; reference:bugtraq,64363; reference:cve,2013-7108; reference:url,sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/; classtype:attempted-dos; sid:29375; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios process_cgivars off-by-one memory access denial of service attempt"; flow:to_server,established; content:"/cgi-bin/"; fast_pattern:only; http_uri; content:"form-urlencoded"; http_header; content:"="; http_client_body; isdataat:1023,relative; content:!"&"; within:1023; http_client_body; pcre:"/(^|&)\w+=[^&]{1023}/Pmi"; metadata:service http; reference:bugtraq,64363; reference:cve,2013-7108; reference:url,sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/; classtype:attempted-dos; sid:29374; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN1000B setup.cgi cross site scripting attempt"; flow:to_server,established; content:"/setup.cgi"; fast_pattern:only; http_uri; pcre:"/(?<=[?&])(?>service_name|device|ssid_num|cfKeyWord_Domain|h_skeyword)=[^&]*?[\x3c\x3e]/iP"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,57836; classtype:web-application-attack; sid:29403; rev:2;)
# Netgear DGN1000B setup.cgi TimeToLive code execution (sids 29402, 29401).
#   29402 looks for a backtick (raw or %60) inside the TimeToLive value in the request body.
#   29401 applies the same check to the normalized URI.
# Both drop inline under the balanced, max-detect and security policies.
# NOTE(review): in 29401 the "." of "\/setup.cgi" is unescaped inside the pcre, so it
# matches any character at that position. The preceding content match on "/setup.cgi"
# keeps this harmless here, but escape it if the pattern is reused on its own.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN1000B setup.cgi parameter code execution attempt"; flow:to_server,established; content:"/setup.cgi"; nocase; http_uri; content:"TimeToLive="; fast_pattern:only; http_client_body; pcre:"/TimeToLive=[^&]*?(%60|\x60)/iP"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,57836; classtype:attempted-user; sid:29402; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN1000B setup.cgi parameter code execution attempt"; flow:to_server,established; content:"/setup.cgi"; nocase; http_uri; content:"TimeToLive="; fast_pattern:only; http_uri; pcre:"/\/setup.cgi.*?TimeToLive=[^&]*?(%60|\x60)/iU"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,57836; classtype:attempted-user; sid:29401; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP vTiger CRM AddEmailAttachment directory traversal attempt"; flow:to_server,established; content:"/vtiger"; fast_pattern:only; http_uri; content:"AddEmailAttachment"; nocase; http_client_body; content:"<filename"; nocase; http_client_body; pcre:"/<filename[^>]*?>[^<]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:service http; reference:bugtraq,61558; reference:cve,2013-3214; reference:url,www.vtiger.com/blogs/?p=1467; classtype:attempted-admin; sid:29400; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center sdFileDownload information disclosure attempt"; flow:to_server,established; content:"/servicedesk/fileDownload"; fast_pattern:only; http_uri; content:"OperType="; nocase; http_uri; content:"filePath="; nocase; http_uri; base64_decode:bytes 50,offset 0,relative; base64_data; content:"..|5C|"; distance:0; metadata:service http; reference:bugtraq,62898; reference:cve,2013-4826; reference:url,h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03943547; classtype:attempted-recon; sid:29499; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center sdFileDownload information disclosure attempt"; flow:to_server,established; content:"/servicedesk/fileDownload"; fast_pattern:only; http_uri; content:"OperType="; nocase; http_uri; content:"filePath=Yz"; nocase; http_uri; metadata:service http; reference:bugtraq,62898; reference:cve,2013-4826; reference:url,h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03943547; classtype:attempted-recon; sid:29498; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center information disclosure attempt"; flow:to_server,established; content:"/imc/tmp/download"; fast_pattern:only; http_uri; content:"fileName="; http_uri; content:".."; distance:0; http_uri; metadata:service http; reference:cve,2012-5208; classtype:web-application-attack; sid:29583; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway POST vulnerability attempt"; flow:to_server,established; content:"/fp/servlet/RequestAccessController"; fast_pattern:only; http_uri; content:"file=/"; http_client_body; content:"conf"; distance:0; http_client_body; content:".xml"; distance:2; http_client_body; pcre:"/file\=\/.{0,30}?conf.{0,30}?\.xml/P"; metadata:service http; reference:cve,2013-5397; reference:cve,2013-5398; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21654471; classtype:attempted-user; sid:29548; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway GET vulnerability attempt"; flow:to_server,established; content:"/fp/servlet/RequestAccessController?"; fast_pattern:only; http_uri; content:"file=/"; http_uri; content:"conf"; distance:0; http_uri; content:".xml"; distance:2; http_uri; pcre:"/^\/fp\/servlet\/RequestAccessController\?.{0,60}?file\=\/.{0,30}?conf.{0,30}?\.xml/U"; metadata:service http; reference:cve,2013-5397; reference:cve,2013-5398; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21654471; classtype:attempted-user; sid:29547; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP SiteScope APIMonitorImpl information disclosure attempt"; flow:to_server,established; content:"POST"; http_method; content:"/APIMonitorImpl"; http_uri; content:"impl:loadFileContent"; fast_pattern:only; http_client_body; metadata:policy security-ips drop, service http; reference:bugtraq,55269; reference:cve,2012-3259; classtype:web-application-activity; sid:29537; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Alcatel-Lucent OmniPCX Office remote code execution attempt"; flow:to_server,established; content:"/cgi-bin/FastJSData.cgi"; fast_pattern:only; http_uri; content:"|7C|"; http_uri; metadata:service http; reference:bugtraq,25758; reference:cve,2008-1331; classtype:attempted-user; sid:29522; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView NNM jovgraph.exe CGI hostname parameter bugger overflow attempt"; flow:to_server,established; content:"/OvCgi/jovgraph.exe"; fast_pattern:only; http_uri; content:"MaxAge="; nocase; http_client_body; pcre:"/MaxAge=[^\x26\x3F\x3B\x0D\x0A]{300}/i"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-1555; classtype:attempted-user; sid:29511; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView CGI parameter buffer overflow attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"-textFile+"; http_raw_uri; content:"/OvCgi/"; fast_pattern:only; http_uri; pcre:"/\/OvCgi\/(jovgraph|webappmon)\.exe.*?-textFile\+[^+]{201}/iI"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-1551; reference:cve,2010-1552; reference:cve,2010-1553; reference:cve,2010-1554; reference:cve,2010-1555; reference:cve,2010-1961; reference:cve,2011-3167; classtype:attempted-user; sid:29502; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Data Protector LogClientInstallation SQL Injection attempt"; flow:to_server,established; content:"/dpnepolicyservice/DPNECentral.asmx"; fast_pattern:only; http_uri; content:"<LogClientInstallation"; http_client_body; content:"<userid>"; distance:0; content:"|3B|"; within:125; pcre:"/<LogClientInstallation.*?<userid>[^<]*?\x3b.*?<\/userid/Ps"; metadata:service http; reference:cve,2011-3156; classtype:attempted-user; sid:29584; rev:3;)
# NOTE(review): the four disabled HP SiteScope APIPreferenceImpl rules that follow
# (sids 29601, 29600, 29599, 29598) carry "service smtp" in metadata, although every
# content check uses HTTP buffers (http_uri, http_client_body) and the header targets
# $HTTP_PORTS. The SiteScope rule sid 29537 in this file uses "service http".
# Where service-based rule selection is in effect this presumably keeps them from being
# evaluated on HTTP flows -- confirm against the upstream ruleset before enabling.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt"; flow:to_server,established; content:"/SiteScope/services/APIPreferenceImpl"; fast_pattern:only; http_uri; content:"<impl"; http_client_body; content:":update"; within:10; http_client_body; content:">SSAdministratorInstancePreferences</in0>"; distance:0; nocase; http_client_body; metadata:policy security-ips drop, service smtp; reference:bugtraq,55269; reference:cve,2012-3261; classtype:web-application-attack; sid:29601; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt"; flow:to_server,established; content:"/SiteScope/services/APIPreferenceImpl"; fast_pattern:only; http_uri; content:"<impl"; http_client_body; content:":create"; within:10; http_client_body; content:">UserInstancePreferences</in0>"; distance:0; nocase; http_client_body; metadata:policy security-ips drop, service smtp; reference:bugtraq,55269; reference:cve,2012-3261; classtype:web-application-attack; sid:29600; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt"; flow:to_server,established; content:"/SiteScope/services/APIPreferenceImpl"; fast_pattern:only; http_uri; content:"<ns"; http_client_body; content:":update"; within:10; http_client_body; content:">SSAdministratorInstancePreferences</in0>"; distance:0; nocase; http_client_body; metadata:policy security-ips drop, service smtp; reference:bugtraq,55269; reference:cve,2012-3261; classtype:web-application-attack; sid:29599; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt"; flow:to_server,established; content:"/SiteScope/services/APIPreferenceImpl"; fast_pattern:only; http_uri; content:"<ns"; http_client_body; content:":create"; within:10; http_client_body; content:">UserInstancePreferences</in0>"; distance:0; nocase; http_client_body; metadata:policy security-ips drop, service smtp; reference:bugtraq,55269; reference:cve,2012-3261; classtype:web-application-attack; sid:29598; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Airlive IP Camera directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/admin"; fast_pattern:only; content:"/cgi-bin/admin"; http_raw_uri; content:"filePath"; distance:0; nocase; http_raw_uri; content:"../"; distance:0; http_raw_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,60549; reference:cve,2013-3541; classtype:web-application-attack; sid:29595; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Airlive IP Camera information leak attempt"; flow:to_server,established; content:"/cgi-bin/operator/param"; fast_pattern:only; http_uri; content:"group=General.UserID"; nocase; http_uri; content:"action=list"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,60550; reference:cve,2013-3686; classtype:attempted-user; sid:29594; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Airlive IP Camera CSRF attempt"; flow:to_server,established; content:"/cgi-bin/admin/usrgrp.cgi"; fast_pattern:only; http_uri; content:"user="; http_uri; content:"pwd="; http_uri; content:"grp=administrator"; http_uri; content:"sgrp=ptz"; http_uri; content:"action=add"; http_uri; content:"redirect="; http_uri; metadata:service http; reference:bugtraq,60547; reference:cve,2013-3540; classtype:policy-violation; sid:29593; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP McAfee ePO DisplayMSAPropsDetail.do sql injection attempt"; flow:to_server,established; content:"/EPOAGENTMETA/DisplayMSAPropsDetail.do"; depth:38; fast_pattern; http_uri; content:"uid|3D|"; pcre:"/uid\x3D\d{0,10}?[A-Za-z\x3B\x25]/"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1190; reference:url,www.securityfocus.com/archive/1/527228; classtype:attempted-admin; sid:29609; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP McAfee ePO showRegisteredTypeDetails.do sql injection attempt"; flow:to_server,established; content:"/core/showRegisteredTypeDetails.do"; depth:34; fast_pattern; http_uri; content:"uid|3D|"; pcre:"/uid\x3D\d{0,10}?[A-Za-z\x3B\x25]/"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1190; reference:url,www.securityfocus.com/archive/1/527228; classtype:attempted-admin; sid:29608; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Novell GroupWise Client activex GenerateSummaryPage untrusted pointer dereference"; flow:to_client,established; file_data; content:"54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF"; fast_pattern:only; content:"GenerateSummaryPage"; metadata:policy security-ips drop, service http; reference:bugtraq,57657; reference:cve,2013-0804; classtype:attempted-user; sid:29619; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Novell GroupWise Client activex InvokeContact untrusted pointer dereference"; flow:to_client,established; file_data; content:"54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF"; fast_pattern:only; content:"InvokeContact"; metadata:policy security-ips drop, service http; reference:bugtraq,57657; reference:cve,2013-0804; classtype:attempted-user; sid:29618; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SkyBlueCanvas CMS contact page command injection attempt"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"action=send"; fast_pattern:only; http_client_body; pcre:"/(^|&)(name|email|subject|message)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,65129; reference:cve,2014-1683; classtype:web-application-attack; sid:29646; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Nagios XI alert cloud cross site scripting attempt"; flow:to_client,established; file_data; content:"/includes/components/alertcloud/index.php"; content:"%22"; within:15; nocase; pcre:"/\x2falertcloud\x2findex\.php[^\n\s]*?[?&](height|width)(?!%26)[^&\n\s]*?%22(\x7d\x7d|%7D%7D)(\x3b|%3b)/i"; metadata:service http; classtype:attempted-user; sid:29808; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CuteFlow pre-authenticated admin account creation attempt"; flow:to_server,established; content:"/pages/writeuser.php"; fast_pattern:only; http_uri; content:"userid=-1"; http_client_body; content:"UserAccessLevel=2"; http_client_body; content:"UserName="; nocase; http_client_body; metadata:service http; reference:url,itsecuritysolutions.org/2012-07-01-CuteFlow-2.11.2-multiple-security-vulnerabilities; classtype:attempted-admin; sid:29799; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CuteFlow pre-authenticated admin account creation attempt"; flow:to_server,established; content:"/pages/writeuser.php"; fast_pattern:only; http_uri; content:"UserName="; nocase; http_uri; content:"UserAccessLevel=2"; http_uri; content:"userid=-1"; http_uri; metadata:service http; reference:url,itsecuritysolutions.org/2012-07-01-CuteFlow-2.11.2-multiple-security-vulnerabilities; classtype:attempted-admin; sid:29798; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Datalife Engine preview.php Remote Code Execution attempt"; flow:to_server,established; content:"/engine/preview.php"; fast_pattern:only; http_uri; content:"catlist"; http_client_body; pcre:"/(^|&)(not-)?catlist(\x5b|%5b)\d?(\x5d|%5d)=[^&]*?(\x27|%27)(\x29|%29)[\x7c(%7c)]{2}/iP"; metadata:service http; reference:cve,2013-1412; reference:url,www.exploit-db.com/exploits/24438/; classtype:attempted-user; sid:29757; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8300 (msg:"SERVER-WEBAPP Novell Groupwise Messenger parameter memory corruption attempt"; flow:to_server,established; content:"POST"; http_method; content:"/createsearch"; fast_pattern:only; http_uri; content:"cmd=0"; nocase; http_client_body; content:"val="; nocase; http_client_body; content:"type=9"; nocase; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,aluigi.altervista.org/adv/nmma_3-adv.txt; classtype:attempted-admin; sid:29753; rev:2;)
# NOTE sid:29752 is a flowbit setter, not a detection by itself: on any POST to the
# accountSerivce.gwtsvc URI it sets the "hplogin" flowbit, and "flowbits:noalert"
# suppresses its own alert. The rule that tests the bit (sid:29750, flowbits:isset,hplogin)
# and the payload-specific rule (sid:29751) are both commented out below, so in this section
# the bit has no enabled consumer and the CVE-2013-4824 logic produces no alert.
# If coverage is wanted, enable sid:29750 together with this rule; whether another part of
# the rule set also reads "hplogin" is not visible here - verify before removing either.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center SOM authentication bypass attempt"; flow:to_server,established; content:"POST"; http_method; content:"/servicedesk/servicedesk/accountSerivce.gwtsvc"; fast_pattern:only; http_uri; flowbits:set,hplogin; flowbits:noalert; metadata:service http; reference:bugtraq,62902; reference:cve,2013-4824; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03943547; classtype:attempted-user; sid:29752; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center SOM authentication bypass attempt"; flow:to_server,established; content:"/servicedesk/servicedesk/accountSerivce.gwtsvc"; http_uri; content:"java.lang.String/2004016611|7C|msf"; fast_pattern:only; http_client_body; metadata:service http; reference:bugtraq,62902; reference:cve,2013-4824; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03943547; classtype:attempted-user; sid:29751; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center SOM authentication bypass attempt"; flow:to_server,established; flowbits:isset,hplogin; content:!"/servicedesk/servicedesk/loginService.gwtsvc"; http_uri; content:"java.lang.String/2004016611|7C|"; http_client_body; content:"|7C|authType|7C|"; within:50; fast_pattern; http_client_body; metadata:service http; reference:bugtraq,62902; reference:cve,2013-4824; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03943547; classtype:attempted-user; sid:29750; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Web Gateway languagetest.php language parameter directory traversal attempt"; flow:to_server,established; content:"/spywall/languageTest.php?"; fast_pattern:only; http_uri; content:"language="; nocase; http_uri; content:"../"; distance:0; http_uri; pcre:"/[?&]language=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:bugtraq,54429; reference:cve,2012-2957; classtype:attempted-admin; sid:29746; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Kloxo webcommand.php SQL injection attempt"; flow:to_server,established; content:"/lbin/webcommand.php"; fast_pattern:only; http_uri; content:"login-"; nocase; http_uri; pcre:"/[?&]login-(name|class)=[^&]*?[\x22\x27][^&]*?select/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,github.com/lxcenter/kloxo/commit/0af5f8dd36d9ee831d170fc56f3a44725619b0e2; classtype:attempted-admin; sid:29815; rev:2;)
# NOTE sid:29831 - request to /tmUnblock.cgi whose body carries a ttcp_ip parameter followed
# on the same line by a shell metacharacter: backtick, ';', '|', or '<(' '>(' '$(', or the
# percent-encoded forms listed in the pcre (which also include %26, an encoded '&').
# The HTTP method is not checked. Enabled as drop in the balanced, max-detect and security
# policies; a hit against a Linksys device is worth triaging as a possible compromise
# (see the ISC diary in the reference).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt"; flow:established,to_server; content:"/tmUnblock.cgi"; fast_pattern:only; http_uri; content:"ttcp_ip"; http_client_body; pcre:"/ttcp_ip=.*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,isc.sans.edu/diary/Linksys+Worm+%28%22TheMoon%22%29+Captured/17630; classtype:attempted-admin; sid:29831; rev:3;)
# NOTE sid:29830 - companion to sid:29831 for the case where the parameter name itself is
# percent-encoded: %74%74%63%70%5f%69%70 decodes to "ttcp_ip" and %3d to '='.
# The value check (metacharacter list) is identical to sid:29831.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt"; flow:established,to_server; content:"/tmUnblock.cgi"; fast_pattern:only; http_uri; content:"%74%74%63%70%5f%69%70"; http_client_body; pcre:"/%74%74%63%70%5f%69%70%3d.*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,isc.sans.edu/diary/Linksys+Worm+%28%22TheMoon%22%29+Captured/17630; classtype:attempted-admin; sid:29830; rev:3;)
# NOTE sid:29829 - despite the msg text this rule inspects no payload: it fires on any
# request whose URI is exactly "/HNAP1" (urilen:6) and that carries HTTP Basic credentials
# starting with "YWRtaW46", the base64 encoding of "admin:" (user "admin", any password).
# A legitimate HNAP management client authenticating as admin from $EXTERNAL_NET matches too,
# so with the drop policies set here expect false positives wherever remote HNAP
# administration is in use; prefer blocking external access to /HNAP1 outright.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HNAP remote code execution attempt"; flow:established,to_server; urilen:6; content:"/HNAP1"; fast_pattern:only; http_uri; content:"Authorization: Basic YWRtaW46"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633; classtype:attempted-admin; sid:29829; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Quick-Post Widget POST request cross-site scripting"; flow:to_server,established; content:"|22|></script><script>"; fast_pattern:only; http_client_body; content:"POST"; http_method; urilen:11; content:"/wordpress/"; depth:11; http_uri; metadata:service http; reference:cve,2012-4226; classtype:attempted-user; sid:29956; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Quick-Post Widget GET request using Body cross-site scripting"; flow:to_server,established; content:"/wordpress/|3F 22|><"; fast_pattern:only; http_uri; content:"<body"; nocase; http_uri; content:"onload"; distance:0; nocase; http_uri; metadata:service http; reference:cve,2012-4226; classtype:attempted-user; sid:29955; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WebCalendar index.php form_single_user_login parameter command injection"; flow:to_server,established; content:"/install/index.php"; http_uri; content:"form_single_user_login="; http_client_body; content:"*/"; distance:0; http_client_body; metadata:policy security-ips drop, service http; reference:bugtraq,53207; reference:cve,2012-1495; classtype:web-application-attack; sid:29949; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys WRT120N tmUnblock.cgi TM_Block_URL parameter fprintf stack buffer overflow attempt"; flow:to_server,established; content:"/cgi-bin/tmUnblock.cgi"; fast_pattern:only; http_uri; content:"URL="; nocase; http_client_body; pcre:"/(^|&)TM(\x5f|%5f)Block(\x5f|%5f)URL=[^&]{246}/Pmi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.devttys0.com/2014/02/wrt120n-fprintf-stack-overflow; classtype:attempted-admin; sid:29992; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WebCalendar index.php form_readonly login parameter command injection"; flow:to_server,established; content:"/install/index.php"; fast_pattern:only; http_uri; content:"form_readonly="; http_client_body; content:"*/"; distance:0; http_client_body; metadata:policy security-ips drop, service http; reference:bugtraq,53207; reference:cve,2012-1495; classtype:web-application-attack; sid:30042; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ESF pfSense webConfigurator invalid input attempt"; flow:to_server,established; content:"/firewall_aliases_edit.php"; fast_pattern:only; http_uri; content:"address"; http_client_body; content:"="; within:6; distance:1; http_client_body; pcre:"/address\d{1,5}\x3D[^\x26]*(\x22|\x2522)/smiP"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,github.com/pfsense/pfsense/commit/1eb03024fe15fcd8cdd20f32a9ba7c7f1fb75821; classtype:attempted-admin; sid:30033; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Lotus Domino stack buffer overflow attempt"; flow:to_server,established; content:"/webadmin.nsf"; fast_pattern:only; http_uri; content:"__Click=0"; http_client_body; content:"tHPRAgentName="; distance:0; http_client_body; isdataat:128,relative; content:!"&"; within:128; http_client_body; metadata:service http; reference:bugtraq,49705; reference:cve,2011-3575; classtype:web-application-attack; sid:30031; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ESF pfSense Snort log view remote file inclusion attempt"; flow:to_server,established; content:"/snort/snort_log_view.php?"; fast_pattern:only; http_uri; content:"logfile="; http_uri; pcre:"/^\x2Fsnort\x2Fsnort_log_view.php\x3F.*logfile\x3D(?!\/var\/log)|([\x2F]?\x2e\x2e)/smiU"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,65181; classtype:attempted-admin; sid:30013; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ESF pfSense Snort log view remote file inclusion attempt"; flow:to_server,established; content:"/snort/snort_log_view.php?"; fast_pattern:only; http_uri; content:"logfile="; http_client_body; pcre:"/^.*logfile\x3D(?!\/var\/log)|([\x2F]?\x2e\x2e)/smiP"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,65181; classtype:attempted-admin; sid:30012; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GE Proficy CIMPLICITY CimWebServer remote code execution attempt"; flow:to_server,established; content:"/CimWeb/gefebt.exe"; fast_pattern:only; http_uri; content:".bcl"; nocase; http_uri; content:"|5C 5C|"; http_raw_uri; metadata:service http; reference:bugtraq,65124; reference:cve,2014-0750; reference:url,support.ge-ip.com/support/index?page=kbchannel&id=KB15939; classtype:attempted-admin; sid:30011; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache Camel XSLT unauthorized code execution"; flow:to_server,established; content:"CamelXsltResourceUri|3A 20|"; http_header; content:!"apache.org"; within:30; http_header; metadata:service http; reference:cve,2014-0003; reference:url,camel.apache.org/security-advisories.data/CVE-2014-0003.txt.asc; classtype:attempted-user; sid:30194; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Forefront Unified Access Gateway null session cookie denial of service"; flow:to_server,established; content:"|3D 3B|NLSession"; fast_pattern:only; content:"Cookie|3A 20|"; http_header; content:"NLSession"; http_cookie; content:"|3D 3B|NLSession"; within:50; distance:1; http_cookie; metadata:service http; reference:cve,2011-2012; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-079; classtype:attempted-user; sid:30209; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHP DateInterval heap buffer overread denial of service attempt"; flow:to_server,established; content:"interval="; fast_pattern:only; http_uri; pcre:"/interval=(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z\x2F|)P\d{13}/Ui"; metadata:service http; reference:bugtraq,64018; reference:cve,2013-6712; reference:url,bugs.php.net/bug.php?id=66060; classtype:attempted-dos; sid:30200; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHP DateInterval heap buffer overread denial of service attempt"; flow:to_server,established; content:"interval"; fast_pattern:only; http_client_body; pcre:"/interval\s?=\s?(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z\x2F|)P\w{13}/Pi"; metadata:service http; reference:bugtraq,64018; reference:cve,2013-6712; reference:url,bugs.php.net/bug.php?id=66060; classtype:attempted-dos; sid:30199; rev:2;)
# NOTE sid:30249 - upload of a JPEG whose metadata segment contains PHP. Match sequence in
# the request body: FF D8 FF E0 (JPEG start followed by an APP0 marker), then a later FF E1
# (APP1, where Exif data lives); the two bytes after FF E1 are read as the segment length
# (exifLen) and the literal string eval(base64_decode( must occur within that many bytes.
# This is a signature for one payload spelling in one file layout, not a general check for
# code in image metadata. Treat it as a tripwire and keep the server-side controls:
# re-encode or strip metadata from uploaded images and keep upload directories non-executable.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Embedded php in Exif data upload attempt"; flow:to_server,established; content:"|FF D8 FF E0|"; http_client_body; content:"|FF E1|"; distance:0; http_client_body; byte_extract:2,0,exifLen,relative; content:"eval|28|base64_decode|28|"; within:exifLen; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ab85eb33605f3013989f4e8a9bfd5e89dd82d1f80231d4e4a2ceb82744bf287c/analysis/1381324711/; classtype:attempted-admin; sid:30249; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FreePBX config.php remote code execution attempt"; flow:to_server,established; content:"/admin/config.php"; fast_pattern:only; http_uri; content:"handler=api"; nocase; http_uri; content:"function="; nocase; http_uri; content:"args="; nocase; http_uri; pcre:"/[?&]function=(eval|exec|passthru|proc_open|shell_exec|system)/Ui"; metadata:service http; reference:bugtraq,65509; reference:cve,2014-1903; reference:url,issues.freepbx.org/browse/FREEPBX-7123; classtype:attempted-admin; sid:30280; rev:4;)
# NOTE sid:30274 - request to the LifeSize UVC diagnostics ping endpoint whose body has a
# destination_ip parameter (anchored at line start or after '&') containing a backtick or
# "$(", raw or percent-encoded (%60, %24%28), i.e. shell command substitution in a field
# that should hold an address. Only those two forms are checked; whether the endpoint
# accepts other separators is not visible here, so confirm against the referenced advisory
# and do not rely on this rule as the only control - restrict access to /server-admin/.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LifeSize UVC remote code execution attempt"; flow:to_server,established; content:"/server-admin/operations/diagnose/ping"; fast_pattern:only; http_uri; content:"destination_ip="; nocase; http_client_body; pcre:"/(^|&)destination_ip=[^&]*?(\x60|\x24\x28|%60|%24%28)/Pmi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploit-db.com/exploits/32437; classtype:attempted-admin; sid:30274; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP EMC Connectrix Manager FileUploadController directory traversal attempt"; flow:to_server,established; content:"/FileUploadController"; fast_pattern:only; http_uri; content:"FILELOCATION|3A|"; nocase; http_header; content:"..|2F|"; distance:0; http_header; pcre:"/^FILELOCATION\x3a[^\r\n]*?\x2e\x2e\x2f/Hmi"; metadata:service http; reference:bugtraq,66308; reference:cve,2014-2276; classtype:attempted-recon; sid:30307; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Horde Framework variables.php unserialize PHP code execution attempt"; flow:to_server,established; content:"_formvars="; nocase; http_client_body; content:"Horde_Kolab_Server_Decorator_Clean"; distance:0; http_client_body; content:"Horde_Prefs_Identity"; distance:0; http_client_body; pcre:"/Horde_Prefs_Identity(%22|\x22).*?(eval|exec|passthru|proc_open|shell_exec|system)/Pi"; metadata:service http; reference:bugtraq,65200; reference:cve,2014-1691; classtype:attempted-admin; sid:30305; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Katello update_roles method privilege escalation attempt"; flow:to_server,established; content:"_katello_session="; fast_pattern:only; content:"_katello_session="; nocase; http_cookie; content:"/update_roles"; nocase; http_uri; content:"role_ids"; nocase; pcre:"/user(%20|\s)*?(%5b|\x5b)(%20|\s)*?role_ids(%20|\s)*?(%5d|\x5d)[^=]+?=(%20|\s)*?1/i"; metadata:service http; reference:bugtraq,66434; reference:cve,2013-2143; classtype:attempted-admin; sid:30297; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SePortal staticpages.php SQL injection attempt"; flow:to_server,established; content:"/staticpages.php"; fast_pattern:only; http_uri; content:"sp_id="; nocase; http_uri; content:"|27|"; distance:0; http_uri; content:"sessionid="; nocase; http_cookie; pcre:"/sp_id=[^&]*?\x27/Ui"; metadata:service http; reference:cve,2008-5191; classtype:web-application-attack; sid:30296; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SePortal print.php SQL injection attempt"; flow:to_server,established; content:"/print.php"; nocase; http_uri; content:"mode=staticpage"; fast_pattern:only; http_uri; content:"sp_id="; nocase; http_uri; content:"|27|"; distance:0; http_uri; content:"sessionid="; nocase; http_cookie; pcre:"/sp_id=[^&]*?\x27/Ui"; metadata:service http; reference:cve,2008-5191; classtype:web-application-attack; sid:30295; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SePortal poll.php SQL injection attempt"; flow:to_server,established; content:"/poll.php"; fast_pattern:only; http_uri; content:"poll_id="; nocase; http_uri; content:"|27|"; distance:0; http_uri; content:"sessionid="; nocase; http_cookie; pcre:"/poll_id=[^&]*?\x27/Ui"; metadata:service http; reference:cve,2008-5191; classtype:web-application-attack; sid:30294; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8088] (msg:"SERVER-WEBAPP Digium Asterisk cookie stack buffer overflow attempt"; flow:to_server,established; content:"/rawman"; fast_pattern:only; http_uri; content:"Cookie|3A 20|"; http_raw_header; isdataat:3000,relative; content:!"|0A|"; within:3000; http_raw_header; content:"Cookie|3A 20|"; distance:3000; http_raw_header; metadata:service http; reference:bugtraq,66093; reference:cve,2014-2286; classtype:attempted-dos; sid:30293; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8088] (msg:"SERVER-WEBAPP Digium Asterisk cookie stack buffer overflow attempt"; flow:to_server,established; content:"/mxml"; fast_pattern:only; http_uri; content:"Cookie|3A 20|"; http_raw_header; isdataat:3000,relative; content:!"|0A|"; within:3000; http_raw_header; content:"Cookie|3A 20|"; distance:3000; http_raw_header; metadata:service http; reference:bugtraq,66093; reference:cve,2014-2286; classtype:attempted-dos; sid:30292; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8088] (msg:"SERVER-WEBAPP Digium Asterisk cookie stack buffer overflow attempt"; flow:to_server,established; content:"/manager"; fast_pattern:only; http_uri; content:"Cookie|3A 20|"; http_raw_header; isdataat:3000,relative; content:!"|0A|"; within:3000; http_raw_header; content:"Cookie|3A 20|"; distance:3000; http_raw_header; metadata:service http; reference:bugtraq,66093; reference:cve,2014-2286; classtype:attempted-dos; sid:30291; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla weblinks-categories SQL injection attempt"; flow:to_server,established; content:"/index.php/weblinks-categories"; fast_pattern:only; http_uri; content:"id="; nocase; http_uri; content:"|29|"; distance:0; http_uri; pcre:"/[?&]id=[^&]*?\x29/Ui"; metadata:service http; reference:bugtraq,65410; reference:url,developer.joomla.org/security/578-20140301-core-sql-injection.html; classtype:web-application-attack; sid:30343; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco IOS HTTP server denial of service attempt"; flow:to_server,established; content:"?/"; http_uri; pcre:"/\w*?\?\/$/U"; metadata:service http; reference:bugtraq,10014; reference:bugtraq,1838; reference:url,www.cisco.com/en/US/products/hw/routers/ps295/products_security_notice09186a008020ce3f.html; classtype:attempted-dos; sid:30342; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco CatOS CiscoView HTTP server buffer overflow attempt"; flow:to_server,established; urilen:100; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.cisco.com/en/US/products/hw/routers/ps295/products_security_notice09186a008020ce3f.html; classtype:attempted-dos; sid:30341; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco 675 web administration denial of service attempt"; flow:to_server,established; content:" ? HTTP/"; depth:15; urilen:1; content:"?"; http_uri; metadata:service http; reference:bugtraq,2012; reference:url,seclists.org/bugtraq/2000/Nov/392; reference:url,www.cisco.com/en/US/products/hw/routers/ps295/products_security_notice09186a008020ce3f.html; classtype:attempted-dos; sid:30340; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla komento extension cross site scripting attempt"; flow:to_server,established; content:"option=com_komento"; fast_pattern:only; http_uri; content:"latitude="; nocase; http_client_body; pcre:"/(^|&)latitude=[^&]*?([\x22\x27\x3C\x3E\x28\x29]|script|onload|src)/Pi"; metadata:service http; reference:bugtraq,64659; reference:cve,2014-0793; classtype:attempted-user; sid:30527; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla komento extension cross site scripting attempt"; flow:to_server,established; content:"option=com_komento"; fast_pattern:only; http_uri; content:"website="; nocase; http_client_body; pcre:"/(^|&)website=[^&]*?([\x22\x27\x3C\x3E\x28\x29]|script|onload|src)/Pi"; metadata:service http; reference:bugtraq,64659; reference:cve,2014-0793; classtype:attempted-user; sid:30526; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Splunk collect file parameter directory traversal attempt"; flow:to_server,established; content:"/app/search/flashtimeline"; fast_pattern:only; http_uri; content:"q="; nocase; http_uri; content:"collect"; distance:0; nocase; http_uri; content:"file="; distance:0; nocase; http_uri; content:"../"; distance:0; http_uri; pcre:"/collect[^&]+?file=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy security-ips drop, service http; reference:bugtraq,62632; reference:cve,2013-6771; reference:url,www.splunk.com/view/SP-CAAAH76; classtype:web-application-attack; sid:30774; rev:2;)
# alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Acunetix web vulnerability scanner fake URL exploit attempt"; flow:to_client,established; flowbits:isset,acunetix-scan; file_data; content:"http://"; nocase; isdataat:268,relative; pcre:"/https?\x3a\x2f\x2f[^>\x22\x27]{268}/smi"; metadata:service http; reference:url,an7isec.blogspot.co.il/2014/04/pown-noobs-acunetix-0day.html; classtype:attempted-admin; sid:30789; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Drupal VideoWhisper Webcam plugin XSS attempt"; flow:to_server,established; content:"/index.php?q=vwrooms/logout"; fast_pattern:only; http_uri; pcre:"/^\x2Findex\x2Ephp\x3Fq=vwrooms\x2Flogout[^\x3E]*?\x26module=[^\x26]+(script|onload|onmouseover|\x27|\x22|\x3c|\x3e|src)/Usmi"; metadata:service http; reference:cve,2014-2715; reference:url,securityfocus.com/archive/1/531935; classtype:web-application-attack; sid:30911; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Drupal VideoWhisper Webcam plugin XSS attempt"; flow:to_server,established; content:"/index.php?q=vwrooms/logout"; fast_pattern:only; http_uri; pcre:"/^\x2Findex\x2Ephp\x3Fq=vwrooms\x2Flogout[^\x3E]*?\x26message=[^\x26]+(script|onload|onmouseover|\x27|\x22|\x3c|\x3e|src)/Usmi"; metadata:service http; reference:cve,2014-2715; reference:url,securityfocus.com/archive/1/531935; classtype:web-application-attack; sid:30910; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Sharepoint ThemeOverride XSS Attempt"; flow:to_server,established; content:"ThemeOverride|3D|"; fast_pattern:only; http_uri; pcre:"/ThemeOverride\x3D[^&]*(\x2F\x3E|\x7D\x3B)/U"; metadata:service http; reference:cve,2014-1754; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-022; classtype:attempted-user; sid:30951; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess ChartThemeConfig SQL injection attempt"; flow:to_server,established; content:"/BEMS/Services/ChartThemeConfig.svc"; fast_pattern:only; http_uri; content:"SOAPAction:"; nocase; http_header; content:"<userName>"; nocase; http_client_body; pcre:"/\<userName\>[a-z&\x3B]+?\s?(select|union|insert|delete|ascii|update)/Pi"; metadata:service http; reference:bugtraq,66740; reference:cve,2014-0763; reference:url,ics-cert.us-cert.gov/advisories/ICSA-14-079-03; classtype:attempted-admin; sid:31067; rev:3;)
# NOTE sid:31094 - URI containing "books.cgi?" in which "file=" is immediately followed by
# '|' or a single quote (pcre /file=[\x7c\x27]/ on the normalized URI, case-insensitive).
# The pcre is not anchored on '?' or '&', so any parameter whose name merely ends in
# "file" (for example "profile=") satisfies it as well; expect occasional false positives
# on unrelated applications that expose a books.cgi script. Drop is set in the balanced,
# max-detect and security policies.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Web Terria remote command execution attempt"; flow:to_server, established; content:"books.cgi?"; fast_pattern:only; http_uri; content:"file="; nocase; http_uri; pcre:"/file=[\x7c\x27]/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploit-db.com/exploits/33494; classtype:attempted-admin; sid:31094; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CA ERwin Web Portal ConfigServiceProvider directory traversal attempt"; flow:to_server,established; content:"/MIMBWebServices/configuration"; fast_pattern:only; http_uri; content:"SaveUserPreferencesRequest"; nocase; http_client_body; content:"userId"; distance:0; nocase; http_client_body; pcre:"/userId\s*?=[^>]*?(\x2e|%2e){2}([\x5c\x2f]|%5c|%2f)/Pi"; metadata:service http; reference:bugtraq,66644; reference:cve,2014-2210; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=%7B7F968A14-7407-4BCF-9EB1-EFE9F0E6D663%7D; classtype:attempted-admin; sid:31143; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt"; flow:to_server,established; content:"/Silverlight/GetPermissions.asp"; fast_pattern:only; http_uri; content:"username="; nocase; http_uri; pcre:"/[?&]username=[^&]*?\x22[^&]*?\x29/Ui"; metadata:service http; reference:bugtraq,67486; reference:cve,2014-3789; classtype:attempted-admin; sid:31160; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt"; flow:to_server,established; content:"/Silverlight/GetPermissions.asp"; fast_pattern:only; http_uri; content:"username="; nocase; http_client_body; pcre:"/(^|&)username=[^&]*?(\x22|%22)[^&]*?(\x29|%29)/Pi"; metadata:service http; reference:bugtraq,67486; reference:cve,2014-3789; classtype:attempted-admin; sid:31159; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt"; flow:to_server,established; content:"/Silverlight/GetPermissions.asp"; fast_pattern:only; http_uri; content:"password="; nocase; http_uri; pcre:"/[?&]password=[^&]*?\x22[^&]*?\x29/Ui"; metadata:service http; reference:bugtraq,67486; reference:cve,2014-3789; classtype:attempted-admin; sid:31158; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cogent DataHub getpermissions.asp command injection attempt"; flow:to_server,established; content:"/Silverlight/GetPermissions.asp"; fast_pattern:only; http_uri; content:"password="; nocase; http_client_body; pcre:"/(^|&)password=[^&]*?(\x22|%22)[^&]*?(\x29|%29)/Pi"; metadata:service http; reference:bugtraq,67486; reference:cve,2014-3789; classtype:attempted-admin; sid:31157; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Supermicro Intelligent Management Controller login.cgi buffer overflow attempt"; flow:to_server,established; content:"/cgi/login.cgi"; fast_pattern:only; http_uri; content:"pwd="; nocase; http_client_body; isdataat:24,relative; content:!"&"; within:24; http_client_body; metadata:service http; reference:cve,2013-3621; classtype:attempted-admin; sid:31149; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Supermicro Intelligent Management Controller login.cgi buffer overflow attempt"; flow:to_server,established; content:"/cgi/login.cgi"; fast_pattern:only; http_uri; content:"name="; nocase; http_client_body; isdataat:128,relative; content:!"&"; within:128; http_client_body; metadata:service http; reference:cve,2013-3621; classtype:attempted-admin; sid:31148; rev:2;)
# NOTE sid:31211 / sid:31210 - length heuristics for CVE-2013-3623, not payload signatures.
# Each fires on a request to /cgi/close_window.cgi when the body contains "sess_sid="
# (31211) or "ACT=" (31210), at least 20 more bytes follow, and none of the next 20 bytes
# is '&' - in other words the parameter value is 20 bytes or longer.
# The parameter names are matched case-insensitively and unanchored, so "ACT=" also matches
# inside longer names ending in "act=". Whether legitimate values can reach 20 bytes is not
# visible here; both rules drop in the balanced, connectivity and security policies, so
# check for false positives before deploying inline. BMC web interfaces should not be
# reachable from $EXTERNAL_NET in the first place.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Supermicro Intelligent Management Controller close_window.cgi buffer overflow attempt"; flow:to_server,established; content:"/cgi/close_window.cgi"; fast_pattern:only; http_uri; content:"sess_sid="; nocase; http_client_body; isdataat:20,relative; content:!"&"; within:20; http_client_body; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,63775; reference:cve,2013-3623; classtype:attempted-admin; sid:31211; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Supermicro Intelligent Management Controller close_window.cgi buffer overflow attempt"; flow:to_server,established; content:"/cgi/close_window.cgi"; fast_pattern:only; http_uri; content:"ACT="; nocase; http_client_body; isdataat:20,relative; content:!"&"; within:20; http_client_body; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,63775; reference:cve,2013-3623; classtype:attempted-admin; sid:31210; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP VMTurbo Operations Manager directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/help/doIt.cgi"; fast_pattern:only; http_uri; content:"xml_path="; nocase; http_uri; content:"../"; distance:0; http_uri; pcre:"/[?&]xml_path=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:bugtraq,67292; reference:cve,2014-3806; classtype:attempted-admin; sid:31195; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Supermicro Intelligent Management Controller url_redirect.cgi directory traversal attempt"; flow:to_server,established; content:"/cgi/url_redirect.cgi"; fast_pattern:only; http_uri; content:"url_name="; nocase; http_uri; content:"../"; distance:0; http_uri; content:"SID="; nocase; http_cookie; pcre:"/[?&]url_name=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; classtype:attempted-recon; sid:31259; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Rocket Servergraph Admin Center fileRequestor directory traversal attempt"; flow:to_server,established; content:"/SGPAdmin/fileRequest"; fast_pattern:only; http_uri; content:"cmd="; nocase; http_client_body; pcre:"/(^|&)(source|query)=[^&]*?(\x2e|%2e){2}([\x5c\x2f]|%5c|%2f)/Pi"; metadata:policy security-ips drop, service http; reference:bugtraq,67779; reference:cve,2014-3914; classtype:attempted-admin; sid:31305; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PocketPAD brute-force login attempt"; flow:to_server,established,only_stream; content:"POST"; nocase; http_method; content:"/cgi-bin/config.cgi"; fast_pattern:only; http_uri; content:"Authorization: Basic"; detection_filter:track by_src, count 10, seconds 60; metadata:service http; classtype:suspicious-login; sid:31304; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VMWare vSphere API SOAP request RetrieveProperties remote denial of service attempt"; flow:to_server,established; file_data; content:"RetrieveProperties"; fast_pattern:only; pcre:"/RetrieveProperties.*?<(\x5F|\w+\x3A\x5F)/smi"; metadata:service http; reference:bugtraq,56571; reference:cve,2012-5703; reference:url,www.vmware.com/security/advisories/VMSA-2012-0016.html; classtype:attempted-dos; sid:31297; rev:2;)
# sid 31289: outbound check (server -> client, file_data) for the literal root entry
# "root:x:0:0:root:/root:/" of /etc/passwd. A hit means the file content is already leaving
# $HOME_NET, so triage it as a probable disclosure rather than a probe, despite the
# attempted-admin classtype.
# Coverage limits: content:!"html" is case-sensitive and suppresses the alert whenever the string
# "html" appears in the inspected data (for example the file echoed inside an HTML page), and a
# root line with a different comment field or home directory does not match the fixed pattern.
alert tcp $HOME_NET $FILE_DATA_PORTS -> $EXTERNAL_NET any (msg:"SERVER-WEBAPP /etc/passwd file access attempt"; flow:to_client, established; file_data; content:"root:x:0:0:root:/root:/"; fast_pattern:only; content:!"html"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1087; reference:url,www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html; classtype:attempted-admin; sid:31289; rev:5;)
# sids 31342-31339: raw payload matches (no HTTP buffers) on TCP port 49152 only. Each rule anchors
# "GET <path>" at the start of the payload (depth equals the pattern length, any case) and
# byte_test:1,<,0x21,0,relative requires the byte right after the path to be below 0x21 (a space or
# control character), so a longer path that merely shares the prefix does not match.
# NOTE(review): shipped disabled; if BMCs sit inside $HOME_NET, confirm whether port 49152 is
# reachable from $EXTERNAL_NET and consider enabling these.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"SERVER-WEBAPP Supermicro Intelligent Management Controller password file disclosure attempt"; flow:to_server,established; content:"GET /wsman/simple_auth.passwd"; depth:29; nocase; byte_test:1,<,0x21,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras; classtype:attempted-recon; sid:31342; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"SERVER-WEBAPP Supermicro Intelligent Management Controller password file disclosure attempt"; flow:to_server,established; content:"GET /PSBlock"; depth:12; nocase; byte_test:1,<,0x21,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras; classtype:attempted-recon; sid:31341; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"SERVER-WEBAPP Supermicro Intelligent Management Controller information disclosure attempt"; flow:to_server,established; content:"GET /PSStore"; depth:12; nocase; byte_test:1,<,0x21,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras; classtype:attempted-recon; sid:31340; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"SERVER-WEBAPP Supermicro Intelligent Management Controller information disclosure attempt"; flow:to_server,established; content:"GET /PMConfig.dat"; depth:17; nocase; byte_test:1,<,0x21,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras; classtype:attempted-recon; sid:31339; rev:2;)
# sid 31330 (CVE-2014-3804): the client body must contain "AV/CC/Util" and
# "<update_system_info_debian_package", with "xsd:string" somewhere after that tag and the literal
# "&amp;&amp;" (an XML-escaped "&&") after the xsd:string; all matches ignore case.
# Only the "&&" chaining form is matched. Other shell separators in the argument are not covered
# here, unlike the PCRE used by the sibling av-centerd rules sid 31506 and sid 31505 in this file.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AlienVault OSSIM av-centerd update_system_info_debian_package command injection attempt"; flow:to_server,established; content:"AV/CC/Util"; nocase; http_client_body; content:"<update_system_info_debian_package"; nocase; http_client_body; content:"xsd:string"; distance:0; nocase; http_client_body; content:"&amp|3B|&amp|3B|"; distance:0; nocase; http_client_body; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,67312; reference:cve,2014-3804; reference:url,forums.alienvault.com/discussion/2690/security-advisories-v4-6-1-and-lower; classtype:attempted-admin; sid:31330; rev:5;)
# sid 31356: the URI must contain "webshot=1" and "src=http" (any case), and the PCRE requires "$("
# (raw or as %24%28) inside the src URL before the next "&" or space, i.e. shell command
# substitution embedded in the URL that is handed to the webshot feature.
# The rule does not match on the timthumb.php path itself, so any URI carrying these parameters is
# flagged; expect hits against other scripts that happen to use the same parameter names.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress timthumb.php webshot source attack attempt"; flow:to_server,established; content:"webshot=1"; fast_pattern:only; http_uri; content:"src=http"; nocase; http_uri; pcre:"/src=https?\x3a\x2f[^\x26\x20]*?(\x24\x28|%24%28)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,cxsecurity.com/issue/WLB-2014060134; classtype:web-application-attack; sid:31356; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP include parameter remote file include attempt"; flow:to_server,established; content:".php"; nocase; http_uri; content:"include|3D|"; distance:0; nocase; http_uri; content:"http|3A|"; distance:0; nocase; http_uri; metadata:service http; reference:bugtraq,3388; reference:bugtraq,3393; reference:bugtraq,3397; reference:cve,2001-1049; reference:cve,2001-1054; reference:cve,2001-1234; reference:cve,2001-1237; classtype:attempted-user; sid:31360; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WebBBS arbitrary system command execution attempt"; flow:to_server,established; content:"/cgi-bin/webbbs/webbbs_config.pl"; fast_pattern:only; http_uri; content:"followup="; http_uri; content:"|7C|"; distance:0; http_uri; pcre:"/cgi-bin\/webbbs\/webbbs_config\.pl\?.*?followup=[^\x26]*?\x7C/U"; metadata:service http; reference:bugtraq,5048; reference:cve,2002-1993; classtype:attempted-admin; sid:31368; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Power Manager remote code execution attempt"; flow:to_server,established; urilen:>426; content:"/goform/formLogin"; fast_pattern:only; http_uri; content:"Login="; nocase; http_raw_uri; isdataat:426,relative; content:!"&"; within:426; http_raw_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36933; reference:cve,2009-2685; reference:cve,2010-4113; classtype:attempted-admin; sid:31365; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FlashGameScript index.php func parameter PHP remote file include attempt"; flow:to_server,established; content:"/cgi-bin/index.php"; nocase; http_uri; content:"func="; distance:0; fast_pattern; nocase; http_uri; pcre:"/[?&]func=[^&]*?(https?|ftps?|php)/Ui"; metadata:service http; reference:bugtraq,22646; reference:cve,2007-1078; classtype:web-application-attack; sid:31364; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MF Piadas admin.php page parameter PHP remote file include attempt"; flow:to_server,established; content:"/admin/admin.php"; fast_pattern:only; http_uri; content:"page="; nocase; http_uri; pcre:"/[?&]page=[^&]*?(https?|ftps?|php)/Ui"; metadata:service http; reference:bugtraq,18679; reference:cve,2006-3323; classtype:web-application-attack; sid:31363; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MiniBB PHP arbitrary remote code execution attempt"; flow:to_server,established; content:"minibb"; fast_pattern; nocase; http_uri; content:".php"; distance:0; nocase; http_uri; content:"absolute_path|3D|"; distance:0; nocase; http_uri; content:"|3A 2F|"; within:10; http_uri; metadata:service http; reference:bugtraq,18998; reference:cve,2006-3690; classtype:attempted-user; sid:31362; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Hp OpenView CGI parameter buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/webappmon.exe"; fast_pattern:only; http_uri; urilen:>1018; metadata:service http; reference:cve,2011-3166; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03054052; classtype:attempted-user; sid:31375; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView NNM ovwebsnmpsrv.exe command line argument buffer overflow attempt"; flow:to_server,established; content:"/OvCgi/jovgraph.exe"; fast_pattern:only; http_uri; content:"arg="; nocase; http_raw_uri; isdataat:1024,relative; content:!"&"; within:1024; http_raw_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40873; reference:bugtraq,45762; reference:cve,2010-1960; reference:cve,2010-1964; reference:cve,2011-0261; classtype:attempted-admin; sid:31373; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHP includedir parameter remote file include attempt"; flow:to_server,established; content:".php"; nocase; http_uri; content:"dir="; fast_pattern:only; http_uri; pcre:"/include.?dir\x3D/Ui"; metadata:service http; reference:bugtraq,3388; reference:bugtraq,3395; reference:bugtraq,3397; reference:cve,2001-1049; reference:cve,2001-1054; reference:cve,2001-1234; reference:cve,2001-1235; reference:cve,2006-4373; reference:cve,2007-5014; classtype:web-application-attack; sid:31377; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Microsoft Sharepoint server callback function cross-site scripting attempt"; flow:to_client,established; content:"/_layout/filter.aspx"; fast_pattern:only; file_data; content:"CallbackFn"; content:"CallbackParam"; distance:2; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,58371; reference:cve,2013-0080; classtype:attempted-user; sid:31429; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Jevontech PHPenpals PersonalID SQL injection attempt"; flow:to_server,established; urilen:>110; content:"/profile.php?personalID="; fast_pattern:only; http_uri; pcre:"/personalID=\d+?[^\d]/Ui"; metadata:service http; reference:bugtraq,16109; reference:cve,2006-0074; classtype:attempted-admin; sid:31426; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP Simple Shop abs_path parameter PHP remote file include attempt"; flow:to_server,established; content:"/phpsimpleshop/"; fast_pattern:only; http_uri; content:"abs_path="; nocase; http_uri; pcre:"/[?&]abs_path=[^&]*?(https?|ftps?|php)/Ui"; metadata:service http; reference:cve,2006-4052; reference:url,www.securityfocus.com/archive/1/archive/1/442422/100/100/threaded; classtype:web-application-attack; sid:31425; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHPMyAdmin file inclusion arbitrary command execution attempt"; flow:to_server,established; content:"php?goto="; fast_pattern:only; http_uri; pcre:"/php\?goto=(https?|ftps?|php)/Ui"; metadata:service http; reference:bugtraq,2642; reference:cve,2001-0478; classtype:web-application-attack; sid:31419; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ActiveState ActivePerl perlIIS.dll server URI buffer overflow attempt"; flow:to_server,established; urilen:>360; content:"/cgi-bin/"; nocase; http_uri; content:!"|2F|"; within:360; http_uri; pcre:"/^\x2fcgi-bin\x2f[^\x2f]{360,}\.(plx?|cgi)$/Ui"; metadata:service http; reference:bugtraq,3526; reference:cve,2001-0815; reference:url,bugs.activestate.com/show_bug.cgi?id=18062; classtype:attempted-admin; sid:31443; rev:2;)
# sid 31460 (CVE-2014-4049): UDP responses from port 53 only. The content anchors on a TXT/IN
# question followed by a compressed-name (C0 0C) TXT/IN answer; byte_extract skips 4 bytes (the
# TTL) and reads the 2-byte RDLENGTH into "num", and byte_test then compares one byte against it -
# presumably the length byte of the first TXT character-string, which must not exceed RDLENGTH in
# a well-formed record (confirm cursor position after byte_extract).
# NOTE(review): DNS responses carried over TCP are not covered by this rule.
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"SERVER-WEBAPP PHP DNS parsing heap overflow attempt"; flow:to_client; content:"|00 10 00 01 C0 0C 00 10 00 01|"; byte_extract:2,4,num,relative; byte_test:1,>,num,0,relative; metadata:service dns; reference:cve,2014-4049; reference:url,bugs.php.net/bug.php?id=67432; classtype:web-application-attack; sid:31460; rev:2;)
# sid 31506 (CVE-2014-3805): the client body must contain "AV/CC/Util" and "<get_log_line",
# followed by "xsd:string". The PCRE then looks in the text after an xsd:string tag (up to the
# next "<") for ";", "|", "&", "$(" or the URL-encoded forms %3b, %7c, %26, %24%28.
# Tuning notes: a bare "&" also matches ordinary XML entities such as "&amp;" in a legitimate
# argument, and the backtick (\x60) is not in the set, although sid 31823 in this file includes it.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AlienVault OSSIM av-centerd get_log_line command injection attempt"; flow:to_server,established; content:"AV/CC/Util"; nocase; http_client_body; content:"<get_log_line"; fast_pattern; nocase; http_client_body; content:"xsd:string"; distance:0; nocase; http_client_body; pcre:"/xsd\x3astring[^>]*?>[^<]*?([\x3b\x7c\x26]|\x24\x28|%3b|%7c|%26|%24%28)/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,67998; reference:cve,2014-3805; reference:url,forums.alienvault.com/discussion/2690/security-advisories-v4-6-1-and-lower; classtype:attempted-admin; sid:31506; rev:4;)
# sid 31505 (CVE-2014-3805): the client body must contain "AV/CC/Util" and "<get_license",
# followed by "xsd:string". The PCRE then looks in the text after an xsd:string tag (up to the
# next "<") for ";", "|", "&", "$(" or the URL-encoded forms %3b, %7c, %26, %24%28.
# Tuning notes: a bare "&" also matches ordinary XML entities such as "&amp;" in a legitimate
# argument, and the backtick (\x60) is not in the set, although sid 31823 in this file includes it.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AlienVault OSSIM av-centerd get_license command injection attempt"; flow:to_server,established; content:"AV/CC/Util"; nocase; http_client_body; content:"<get_license"; fast_pattern; nocase; http_client_body; content:"xsd:string"; distance:0; nocase; http_client_body; pcre:"/xsd\x3astring[^>]*?>[^<]*?([\x3b\x7c\x26]|\x24\x28|%3b|%7c|%26|%24%28)/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,67998; reference:cve,2014-3805; reference:url,forums.alienvault.com/discussion/2690/security-advisories-v4-6-1-and-lower; classtype:attempted-admin; sid:31505; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Event Processing FileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/wlevs/visualizer/upload"; fast_pattern:only; http_uri; content:"multipart/form-data"; http_header; content:"filename"; nocase; http_client_body; pcre:"/filename\s*?=\s*?[\x22\x27]?[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:service http; reference:bugtraq,66871; reference:cve,2014-2424; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html; classtype:attempted-admin; sid:31498; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Event Processing FileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/wlevs/visualizer/upload"; fast_pattern:only; http_uri; content:"form-urlencoded"; http_header; content:"filename="; nocase; http_client_body; pcre:"/filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:service http; reference:bugtraq,66871; reference:cve,2014-2424; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html; classtype:attempted-admin; sid:31497; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ultimate PHP Board admin_iplog remote code execution attempt"; flow:to_server,established; content:".php"; http_uri; content:"User-Agent:"; nocase; http_header; content:"<?"; distance:0; fast_pattern; http_header; content:"?>"; distance:0; http_header; metadata:service http; reference:bugtraq,7678; reference:cve,2003-0395; classtype:attempted-user; sid:31546; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link Multiple Products info.cgi request buffer overflow attempt"; flow:to_server,established; content:"/common/info.cgi"; depth:16; nocase; http_uri; content:"storage_path="; fast_pattern:only; http_client_body; content:"Content-Length|3A|"; http_raw_header; byte_test:10,>,477450,0,relative,string,dec; metadata:service http; reference:url,www.devttys0.com/2014/05/hacking-the-dspw215-again/; classtype:attempted-admin; sid:31542; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Tiki Wiki 8.3 unserialize PHP remote code execution attempt"; flow:to_server,established; content:".php"; nocase; http_uri; content:"printpages="; nocase; http_client_body; content:"Zend_Pdf_ElementFactory_Proxy"; fast_pattern:only; http_client_body; metadata:service http; reference:bugtraq,54298; reference:cve,2012-0911; classtype:web-application-attack; sid:31569; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Invsionix Roaming System remote file include attempt"; flow:to_server,established; content:"/system/includes/pageheaderdefault.inc.php"; fast_pattern:only; http_uri; content:"_sysSessionPath="; nocase; http_uri; pcre:"/_sysSessionPath=(https?|ftps?|php)/Ui"; metadata:service http; reference:cve,2006-4237; classtype:web-application-attack; sid:31568; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Gitlist remote command injection attempt"; flow:to_server,established; content:"/gitlist/"; fast_pattern:only; http_uri; pcre:"/\x2fgitlist\x2f[^\r\n]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:service http; reference:bugtraq,68253; reference:bugtraq,68888; reference:cve,2013-7392; reference:cve,2014-4511; classtype:attempted-admin; sid:31567; rev:2;)
# sids 31566/31565 (CVE-2006-4583): in both PCREs the "?" in "\.php?" is unescaped, so it makes the
# final "p" optional rather than matching the query-string delimiter; matching still succeeds
# because the following [^\r\n]*? consumes the literal "?". Only http/https/ftp/ftps schemes in
# dir[inc] are checked, and the classtype is web-application-activity whereas most other remote
# file include rules in this file use web-application-attack - relevant when filtering by classtype.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Flashchat aedatingCMS.php remote file include attempt"; flow:to_server,established; content:"/aedatingCMS.php"; fast_pattern:only; http_uri; content:"dir[inc]="; nocase; http_uri; pcre:"/\x2FaedatingCMS\.php?[^\r\n]*?dir\[inc\]=(https?|ftps?)/Ui"; metadata:service http; reference:bugtraq,19826; reference:cve,2006-4583; classtype:web-application-activity; sid:31566; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Flashchat aedatingCMS2.php remote file include attempt"; flow:to_server,established; content:"/aedatingCMS2.php"; fast_pattern:only; http_uri; content:"dir[inc]="; nocase; http_uri; pcre:"/\x2FaedatingCMS2\.php?[^\r\n]*?dir\[inc\]=(https?|ftps?)/Ui"; metadata:service http; reference:bugtraq,19826; reference:cve,2006-4583; classtype:web-application-activity; sid:31565; rev:2;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER-WEBAPP Wordpress MailPoet plugin successful theme file upload detected"; flow:to_client,established; content:"Location|3A| admin.php?page=wysija_campaigns&action=themes&reload=1&redirect=1"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:cve,2014-4725; reference:url,blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html; classtype:successful-user; sid:31561; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress MailPoet plugin theme file upload attempt"; flow:to_server,established; content:"page=wysija_campaigns"; fast_pattern:only; http_uri; content:"/wp-admin/admin-post.php?"; http_uri; content:"action=themes"; http_uri; content:"|0D 0A|PK"; http_client_body; metadata:service http; reference:cve,2014-4725; reference:url,blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html; classtype:attempted-user; sid:31560; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link Multiple Products hedwig.cgi cookie buffer overflow attempt"; flow:to_server,established; content:"/hedwig.cgi"; fast_pattern:only; http_uri; content:"uid="; nocase; http_cookie; content:"uid="; nocase; http_raw_header; isdataat:970,relative; content:!"|0A|"; within:970; http_raw_header; content:!"|3B|"; within:970; http_raw_header; metadata:service http; classtype:attempted-admin; sid:31588; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AVM FritzBox webcm command injection attempt"; flow:to_server,established; content:"/cgi-bin/webcm"; fast_pattern:only; http_uri; content:"var|3A|lang="; nocase; http_uri; pcre:"/[?&]var\x3alang=[^&]*?([\x3b\x60]|\x24\x28)/Ui"; metadata:service http; reference:bugtraq,65520; classtype:attempted-admin; sid:31648; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AVM FritzBox webcm command injection attempt"; flow:to_server,established; content:"/cgi-bin/webcm"; fast_pattern:only; http_uri; content:"lang="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; pcre:"/[?&]var(\x3A|%3A)lang=[^&]*?%26/Ii"; metadata:service http; reference:bugtraq,65520; classtype:attempted-admin; sid:31647; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Voodoo Chat index.php remote include path attempt"; flow:to_server,established; content:"index.php"; nocase; http_uri; content:"file_path="; fast_pattern:only; http_uri; pcre:"/file_path=(https?|ftps?|php)/Ui"; metadata:service http; reference:bugtraq,19277; reference:cve,2006-3991; classtype:web-application-attack; sid:31638; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ad Fundum Integrateable News Script remote include path attempt"; flow:to_server,established; content:"ains_main.php"; nocase; http_uri; content:"ains_path="; fast_pattern:only; http_uri; pcre:"/ains_path=(https?|ftps?|php)/Ui"; metadata:service http; reference:bugtraq,22259; reference:cve,2007-0570; classtype:web-application-attack; sid:31637; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8880 (msg:"SERVER-WEBAPP Parallels Plesk Panel HTTP_AUTH_LOGIN SQL injection attempt"; flow:to_server,established; content:"/enterprise/control/agent.php"; fast_pattern:only; content:"HTTP_AUTH_LOGIN|3A|"; pcre:"/HTTP_AUTH_LOGIN\x3A\s*?\x27/"; metadata:service http; reference:bugtraq,52267; reference:cve,2012-1557; reference:url,esecforte.com/exploring-plesks-unspecified-vulnerability/; classtype:web-application-attack; sid:31636; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP VMTurbo Operations Manager vmtadmin.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/vmtadmin.cgi"; fast_pattern:only; http_uri; content:"callType=DOWN"; nocase; http_uri; content:"fileDate="; nocase; http_uri; pcre:"/[?&]fileDate=[^&]*?([\x3b\x60]|\x24\x28)/Ui"; metadata:service http; reference:bugtraq,69225; reference:cve,2014-5073; classtype:attempted-admin; sid:31652; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP VMTurbo Operations Manager vmtadmin.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/vmtadmin.cgi"; fast_pattern:only; http_uri; content:"callType=DOWN"; nocase; http_uri; content:"fileDate="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; pcre:"/[?&]fileDate=[^&]*?%26/Ii"; metadata:service http; reference:bugtraq,69225; reference:cve,2014-5073; classtype:attempted-admin; sid:31651; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Jira Issue Collector Plugin directory traversal attempt"; flow:to_server,established; content:"/rest/collectors/"; fast_pattern:only; http_uri; content:"multipart/form-data"; http_header; content:"filename"; nocase; http_client_body; pcre:"/filename\s*?=\s*?[\x22\x27]?[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:service http; reference:bugtraq,65849; reference:cve,2014-2314; classtype:web-application-attack; sid:31698; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Jira Issue Collector Plugin directory traversal attempt"; flow:to_server,established; content:"/rest/collectors/"; fast_pattern:only; http_uri; content:"form-urlencoded"; http_header; content:"filename"; nocase; http_client_body; pcre:"/(^|&)filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:service http; reference:bugtraq,65849; reference:cve,2014-2314; classtype:web-application-attack; sid:31697; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Jira Issue Collector Plugin directory traversal attempt"; flow:to_server,established; content:"/rest/collectors/"; fast_pattern:only; http_uri; content:"filename="; nocase; http_uri; content:"../"; distance:0; http_uri; pcre:"/[?&]filename=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:bugtraq,65849; reference:cve,2014-2314; classtype:web-application-attack; sid:31696; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Web Gateway dbutils.php SQL injection attempt"; flow:to_server,established; content:"/spywall/"; depth:9; fast_pattern; nocase; http_uri; content:".php"; distance:0; nocase; http_uri; content:"hostname="; nocase; http_client_body; pcre:"/(^|&)hostname=[^&]*?(\x27|%27)/Pi"; metadata:service http; reference:bugtraq,67754; reference:cve,2014-1651; classtype:web-application-attack; sid:31731; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Web Gateway dbutils.php SQL injection attempt"; flow:to_server,established; content:"/spywall/"; depth:9; fast_pattern; nocase; http_uri; content:".php"; distance:0; nocase; http_uri; content:"hostname="; distance:0; nocase; http_uri; content:"|27|"; distance:0; http_uri; pcre:"/[?&]hostname=[^&]*?\x27/Ui"; metadata:service http; reference:bugtraq,67754; reference:cve,2014-1651; classtype:web-application-attack; sid:31730; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Password Manager MetadataServlet SQL injection attempt"; flow:to_server,established; content:"/MetadataServlet.dat"; fast_pattern:only; http_uri; content:"sv="; nocase; http_uri; pcre:"/[?&]sv=[^&]*?[\x22\x27]/Ui"; metadata:service http; reference:bugtraq,69303; reference:cve,2014-3997; classtype:web-application-attack; sid:31729; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Desktop Central LinkViewFetchServlet SQL injection attempt"; flow:to_server,established; content:"/LinkViewFetchServlet.dat"; fast_pattern:only; http_uri; content:"sv="; nocase; http_uri; pcre:"/[?&]sv=[^&]*?[\x22\x27]/Ui"; metadata:service http; reference:bugtraq,69305; reference:cve,2014-3996; classtype:web-application-attack; sid:31728; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Gitlab ssh key upload command injection attempt"; flow:to_server,established; content:"/keys"; nocase; http_uri; content:"_gitlab_session"; fast_pattern:only; content:"_gitlab_session"; nocase; http_cookie; content:"key"; nocase; http_client_body; pcre:"/(^|&)key(\x5b|%5b)key(\x5d|%5d)=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pi"; metadata:service http; reference:bugtraq,63513; reference:cve,2013-4490; classtype:attempted-admin; sid:31747; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP vTiger CRM install module command injection attempt"; flow:to_server,established; content:"mode=Step5"; fast_pattern:only; http_uri; content:"module=Install"; nocase; http_uri; content:"X-REQUESTED-WITH|3A|"; nocase; http_header; pcre:"/[?&]\w+?=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:service http; reference:bugtraq,66758; reference:cve,2014-2268; classtype:attempted-admin; sid:31745; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress WPTouch file upload remote code execution attempt"; flow:to_server,established; content:"/wp-admin/admin-ajax.php"; fast_pattern:only; http_uri; content:"wp_nonce"; nocase; http_client_body; content:"filename"; nocase; http_client_body; pcre:"/filename\s*?=\s*?[\x22\x27]?[^\r\n]*?\x2ephp/Pi"; metadata:service http; reference:bugtraq,68654; classtype:attempted-admin; sid:31743; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [5466] (msg:"SERVER-WEBAPP Wing FTP Server admin interface remote code execution attempt"; flow:to_server,established; content:"POST /admin_lua_script.html"; fast_pattern:only; content:"POST"; depth:4; content:"UIDADMIN"; content:"os.execute"; nocase; metadata:service http; reference:url,www.wftpserver.com/serverhistory.htm; classtype:attempted-admin; sid:31742; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [9000] (msg:"SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt"; flow:to_server,established; content:"/jsp/ProcessFileUpload.jsp"; fast_pattern:only; http_uri; pcre:"/(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Ii"; metadata:service http; reference:bugtraq,75515; reference:cve,2015-5371; classtype:web-application-attack; sid:31771; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Network Virtualization storedNtxFile directory traversal attempt"; flow:to_server,established; content:"/shunra/ntx-cache/files/"; fast_pattern:only; content:"/shunra/ntx-cache/files/"; nocase; http_raw_uri; pcre:"/(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Ii"; metadata:policy security-ips drop, service http; reference:bugtraq,68849; reference:cve,2014-2625; reference:url,h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04374202; classtype:web-application-attack; sid:31798; rev:2;)
# sid 31838 (CVE-2014-6037): for requests to /agentUpload, requires file_data to begin with the ZIP
# local-file-header signature "PK\x03\x04", reads the 2-byte little-endian value 22 bytes after
# the signature (the file-name length field) into filename_len, and then looks for "../" within
# filename_len bytes after a 2-byte skip (presumably the extra-field length, which would place the
# search on the file name itself - confirm cursor behaviour after byte_extract).
# Coverage limits: only the first archive entry is examined, and only the forward-slash form "../".
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt"; flow:to_server,established; content:"/agentUpload"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, service http; reference:bugtraq,69482; reference:cve,2014-6037; classtype:web-application-attack; sid:31838; rev:5;)
# sid 31823 (CVE-2014-5210): the client body must contain "AV/CC/Util" and "<remote_task",
# followed by "xsd:string". The PCRE then looks in the text after an xsd:string tag (up to the
# next "<") for ";", "|", "&", a backtick or "$(".
# Tuning notes: unlike sid 31506 and sid 31505 in this file, the set has no URL-encoded
# alternatives, and a bare "&" also matches ordinary XML entities such as "&amp;" in a legitimate
# argument.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AlienVault OSSIM remote_task command injection attempt"; flow:to_server,established; content:"AV/CC/Util"; nocase; http_client_body; content:"<remote_task"; fast_pattern; nocase; http_client_body; content:"xsd:string"; distance:0; nocase; http_client_body; pcre:"/xsd\x3astring[^>]*?>[^<]*?([\x3b\x7c\x26\x60]|\x24\x28)/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,69239; reference:cve,2014-5210; reference:url,forums.alienvault.com/discussion/2690/security-advisory-alienvault-v4-7-0-addresses-several-vulnerabilities; classtype:attempted-admin; sid:31823; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Network Virtualization toServerObject directory traversal attempt"; flow:to_server,established; content:"/shunra/api/networkeditor/savefile"; fast_pattern:only; content:"/shunra/api/networkeditor/savefile"; nocase; http_raw_uri; pcre:"/(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Ii"; metadata:policy security-ips drop, service http; reference:bugtraq,68851; reference:cve,2014-2626; reference:url,h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04374202; classtype:web-application-attack; sid:31819; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine DesktopCentral statusUpdate servlet directory traversal attempt"; flow:to_server,established; content:"actionToCall="; fast_pattern:only; http_uri; content:"/statusUpdate"; nocase; http_uri; content:"../"; http_uri; metadata:service http; reference:bugtraq,69494; reference:cve,2014-5005; classtype:web-application-attack; sid:31818; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP SiteScope UploadFilesHandler directory traversal attempt"; flow:to_server,established; content:"REMOTE_HANDLER_KEY=UploadFilesHandler"; fast_pattern:only; http_uri; content:"UploadFilesHandler.file.name="; http_uri; content:"&UploadFilesHandler.dir.name=C|3A|"; within:100; http_uri; metadata:service http; reference:bugtraq,55273; reference:cve,2012-3264; classtype:web-application-activity; sid:31906; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP SiteScope DownloadFilesHandler directory traversal attempt"; flow:to_server,established; content:"REMOTE_HANDLER_KEY=DownloadFilesHandler"; fast_pattern:only; http_uri; content:"DownloadFilesHandler.file.name="; http_uri; content:"&DownloadFilesHandler.dir.name=C|3A|"; within:100; http_uri; metadata:service http; reference:bugtraq,55273; reference:cve,2012-3264; classtype:web-application-activity; sid:31905; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HybridAuth install.php code injection attempt"; flow:to_server,established; content:"/hybridauth/install.php"; fast_pattern:only; http_uri; content:"|2F 2A|"; http_client_body; pcre:"/(^|&)\w+?=[^&]*?(eval|exec|passthru|proc_open|shell_exec|system)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,69043; classtype:web-application-attack; sid:31892; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WebEdition captchaMemory.class PHP code injection attempt"; flow:to_server,established; content:"|27 3B|"; http_header; content:"|2F 2F 0D 0A|"; distance:0; fast_pattern; http_header; pcre:"/\x27\x3b[^\r\n]*?(eval|exec|passthru|proc_open|shell_exec|system)/Hi"; metadata:service http; reference:url,sektioneins.de/en/blog/14-09-05-webedition-captcha-code-execution-vulnerability.html; classtype:web-application-attack; sid:31886; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Railo thumbnail.cfm remote file include attempt"; flow:to_server,established; content:"/railo-context/admin/thumbnail.cfm"; fast_pattern:only; http_uri; content:"img="; nocase; http_uri; pcre:"/[?&]img=[^&]*?(http|ftp)/Ui"; metadata:policy security-ips drop, service http; reference:bugtraq,69761; reference:cve,2014-5468; classtype:web-application-attack; sid:31873; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft ASP.NET null byte injection attempt"; flow:to_server,established; content:"%00"; fast_pattern:only; content:"%00"; http_raw_uri; content:".aspx?"; nocase; http_uri; metadata:service http; reference:bugtraq,24791; reference:cve,2007-0042; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-040; classtype:web-application-attack; sid:31914; rev:1;)
# alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP cPanel 9.01 multiple URI parameters cross site scripting attempt"; flow:to_server,established; content:"/cgi-bin/frontend/x"; nocase; http_uri; content:"<"; distance:0; http_uri; metadata:service http; reference:cve,2004-1875; classtype:web-application-attack; sid:31912; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Rejetto HttpFileServer command injection attempt"; flow:to_server,established; content:"%00"; fast_pattern:only; content:"%00"; http_raw_uri; content:"|7B|."; http_uri; content:".|7D|"; distance:0; http_uri; metadata:service http; reference:bugtraq,69782; reference:cve,2014-6287; classtype:web-application-attack; sid:31956; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PhpWiki Ploticus plugin command injection attempt"; flow:to_server,established; content:"Ploticus"; fast_pattern:only; http_client_body; content:"device"; nocase; http_client_body; content:"action=edit"; nocase; http_client_body; pcre:"/device(\x3d|%3d)(\x22|%22)((?!(\x22|%22)).)*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%24%28)/Pi"; metadata:service http; reference:bugtraq,69444; reference:cve,2014-5519; classtype:web-application-attack; sid:31945; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP HP SiteScope EmailServlet directory traversal attempt"; flow:to_server,established; content:"/SiteScope/EmailServlet?"; fast_pattern:only; http_uri; content:"webinfra_emailFileName="; content:"..|2F|"; within:50; metadata:service http; reference:cve,2014-2614; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04355129; classtype:web-application-activity; sid:31943; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell GroupWise Admin Service FileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/gwadmin-console/gwAdminConsole/fileUpload"; fast_pattern:only; http_uri; content:"poLibMaintenanceFileSave"; nocase; http_client_body; pcre:"/name\s*?=\s*?[\x22\x27]?poLibMaintenanceFileSave[^\x3b]+?(?:^(\x2f|%2f)|(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)|C(\x3a|%3a)(\x5c|%5c))/Pim"; metadata:service http; reference:bugtraq,69424; reference:cve,2014-0600; reference:url,www.novell.com/support/kb/doc.php?id=7015566; classtype:web-application-attack; sid:31942; rev:3;)
# sid 31940 / sid 31939 (both disabled): policy-violation rules for credentials in cleartext HTTP.
# They match any client-to-server request to $HTTP_PORTS, between any hosts, whose URI
# (31940) or client body (31939) contains the substring "password=".
# The match is a bare substring with no parameter boundary, so longer parameter names
# ending in "password=" also fire; expect high alert volume wherever non-TLS logins exist.
# NOTE(review): if enabled, packet data logged with the alert may contain the submitted
# credential -- check alert/pcap retention and access controls before turning these on.
# alert tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP password sent via URL parameter"; flow:to_server,established; content:"password="; fast_pattern:only; http_uri; metadata:service http; classtype:policy-violation; sid:31940; rev:1;)
# alert tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP password sent via POST parameter"; flow:to_server,established; content:"password="; fast_pattern:only; http_client_body; metadata:service http; classtype:policy-violation; sid:31939; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP SiteScope UploadFilesHandler unauthorized file upload attempt"; flow:to_server,established; content:"REMOTE_HANDLER_KEY=UploadFilesHandler"; fast_pattern:only; http_uri; content:"UploadFilesHandler.file.name=|26|"; metadata:service http; reference:bugtraq,55273; reference:cve,2012-3264; classtype:web-application-activity; sid:32007; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Drupal xmlrp internal entity expansion denial of service attempt"; flow:to_server,established; content:"/xmlrpc.php"; fast_pattern:only; http_uri; content:"<!DOCTYPE|20|"; http_client_body; content:"<!ENTITY|20|"; distance:0; http_client_body; content:"|20 27|"; within:50; http_client_body; isdataat:1024,relative; content:!"|27|"; within:1024; http_client_body; metadata:service http; reference:cve,2014-5265; reference:url,www.breaksec.com/?p=6362; classtype:attempted-dos; sid:32004; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Drupal xmlrp internal entity expansion denial of service attempt"; flow:to_server,established; content:"/xmlrpc.php"; fast_pattern:only; http_uri; content:"<!DOCTYPE|20|"; http_client_body; content:"<!ENTITY|20|"; distance:0; http_client_body; content:"|20 22|"; within:50; http_client_body; isdataat:1024,relative; content:!"|22|"; within:1024; http_client_body; metadata:service http; reference:cve,2014-5265; reference:url,www.breaksec.com/?p=6362; classtype:attempted-dos; sid:32003; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GetSimpleCMS arbitrary PHP code execution attempt"; flow:to_server,established; content:"/admin/upload.php"; nocase; http_uri; content:"GS_ADMIN_USERNAME"; fast_pattern:only; content:"GS_ADMIN_USERNAME"; http_cookie; content:"<?"; http_client_body; pcre:"/<\x3f[^>]*?(eval|exec|passthru|proc_open|shell_exec|system)/Pi"; metadata:service http; classtype:attempted-admin; sid:32014; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine multipartRequest servlet directory traversal attempt"; flow:to_server,established; content:"/servlet"; nocase; http_uri; content:"multipartRequest"; fast_pattern:only; http_uri; content:"filename="; nocase; http_uri; content:"../"; distance:0; http_uri; pcre:"/[?&]filename=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,70172; reference:cve,2014-6036; reference:url,support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix; classtype:attempted-admin; sid:32057; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt"; flow:to_server,established; content:"/servlet"; nocase; http_uri; content:"FileCollector"; fast_pattern:only; http_uri; content:"../"; http_uri; pcre:"/[?&](filename|regionID)=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,70167; reference:bugtraq,70169; reference:cve,2014-6034; reference:cve,2014-6035; reference:url,support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix; classtype:attempted-admin; sid:32056; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt"; flow:to_server,established; content:"/agentUpload"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, service http; reference:bugtraq,69482; reference:cve,2014-6037; classtype:web-application-attack; sid:32044; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Easy File Management stack buffer overflow attempt"; flow:to_server,established; content:"/vfolder.ghp"; fast_pattern:only; http_uri; content:"UserID="; nocase; http_cookie; content:"UserID="; nocase; http_raw_header; isdataat:80,relative; content:!"|0A|"; within:80; http_raw_header; content:!"|3B|"; within:80; http_raw_header; metadata:service http; reference:bugtraq,67542; classtype:attempted-admin; sid:32109; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-WEBAPP PineApp Mail-SeCure livelog.htmlcommand injection attempt"; flow:to_server,established; content:"/livelog.html"; fast_pattern:only; content:"cmd="; pcre:"/cmd=.*?(pinghost|pingtimes|resolve|tracehost|nstype|hostip|nsserver).*?[\x3B\x60\x7C\x24]/si"; metadata:service http; reference:bugtraq,61473; classtype:attempted-admin; sid:32127; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt"; flow:to_server,established; content:"/cgi-bin/conflivelog.pl"; fast_pattern:only; content:"log_sub="; pcre:"/log_sub=[^&]*[\x3B\x60\x7C\x24]/"; metadata:service http; reference:bugtraq,61472; classtype:attempted-admin; sid:32261; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Infusionsoft Gravity Forms Plugin arbitrary code execution attempt"; flow:to_server,established; content:"/wp-content/plugins/infusionsoft/Infusionsoft/utilities/code_generator.php"; fast_pattern:only; http_uri; content:"fileTemplate"; nocase; http_client_body; metadata:service http; reference:bugtraq,70317; reference:cve,2014-6446; classtype:attempted-admin; sid:32276; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt"; flow:to_server,established; content:"/admin/confpremenu.php"; fast_pattern:only; content:"confcode="; content:"newkey="; pcre:"/newkey=[^&]*[\x3B\x60\x7C\x24]/"; metadata:service http; reference:bugtraq,61475; classtype:attempted-admin; sid:32269; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt"; flow:to_server,established; content:"/admin/confpremenu.php"; fast_pattern:only; content:"confcode="; content:"newkey="; pcre:"/confcode=[^&]*[\x3B\x60\x7C\x24]/"; metadata:service http; reference:bugtraq,61475; classtype:attempted-admin; sid:32268; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Custom Contact Forms plugin arbitrary SQL execution attempt"; flow:to_server,established; content:"/wp-admin/admin-post.php"; fast_pattern:only; http_uri; content:"ccf_merge_import"; nocase; http_client_body; content:".sql"; nocase; http_client_body; metadata:service http; classtype:attempted-admin; sid:32324; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Custom Contact Forms plugin SQL export attempt"; flow:to_server,established; content:"/wp-admin/admin-post.php"; fast_pattern:only; http_uri; content:"ccf_export"; nocase; http_client_body; metadata:service http; classtype:attempted-recon; sid:32323; rev:2;)
# sid 32352 (enabled; marked drop in the balanced, connectivity and security policies):
# Centreon displayServiceStatus.php, CVE-2014-3828 / CVE-2014-3829.
# Fires on a client request whose URI contains "/centreon/" and "displayServiceStatus.php"
# and where a template_id, session_id or index query parameter value contains a single
# quote (0x27) or a semicolon (0x3b) before the next "&" (pcre on the normalized URI, /Ui).
# Only the URI is inspected; the same parameters sent in a request body are not covered here.
# NOTE(review): coverage depends on $HTTP_PORTS including the port Centreon is served on
# and on how $EXTERNAL_NET is defined -- confirm both in snort.conf.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Centreon displayServiceStatus.php command injection attempt"; flow:to_server,established; content:"/centreon/"; nocase; http_uri; content:"displayServiceStatus.php"; fast_pattern:only; http_uri; pcre:"/[?&](template_id|session_id|index)=[^&]*?[\x27\x3b]/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,70648; reference:bugtraq,70649; reference:cve,2014-3828; reference:cve,2014-3829; classtype:attempted-admin; sid:32352; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine multipartRequest servlet directory traversal attempt"; flow:to_server,established; content:"/servlet"; nocase; http_uri; content:"multipartRequest"; fast_pattern:only; http_uri; content:"urlencoded"; http_header; content:"filename"; nocase; http_client_body; pcre:"/(^|&)filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:service http; reference:bugtraq,70172; reference:cve,2014-6036; reference:url,support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix; classtype:attempted-admin; sid:32351; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine multipartRequest servlet directory traversal attempt"; flow:to_server,established; content:"/servlet"; nocase; http_uri; content:"multipartRequest"; fast_pattern:only; http_uri; content:"multipart"; http_header; content:"filename"; nocase; http_client_body; pcre:"/filename\s*?=\s*?[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,70172; reference:cve,2014-6036; reference:url,support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix; classtype:attempted-admin; sid:32350; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt"; flow:to_server,established; content:"/servlet"; nocase; http_uri; content:"FileCollector"; fast_pattern:only; http_uri; content:"urlencoded"; http_header; pcre:"/(^|&)(filename|regionID)=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:service http; reference:bugtraq,70167; reference:bugtraq,70169; reference:cve,2014-6034; reference:cve,2014-6035; reference:url,support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix; classtype:attempted-admin; sid:32349; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt"; flow:to_server,established; content:"/servlet"; nocase; http_uri; content:"FileCollector"; fast_pattern:only; http_uri; content:"multipart"; http_header; content:"regionID"; nocase; http_client_body; pcre:"/name\s*?=\s*?[\x22\x27]?regionID[^\x3b]+?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:service http; reference:bugtraq,70167; reference:cve,2014-6034; reference:url,support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix; classtype:attempted-admin; sid:32348; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt"; flow:to_server,established; content:"/servlet"; nocase; http_uri; content:"FileCollector"; fast_pattern:only; http_uri; content:"multipart"; http_header; content:"filename"; nocase; http_client_body; pcre:"/filename\s*?=\s*?[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:service http; reference:bugtraq,70169; reference:cve,2014-6035; reference:url,support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix; classtype:attempted-admin; sid:32347; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin Multiple Devices buffer overflow attempt"; flow:to_server,established; content:"/login.cgi"; nocase; http_uri; content:"jump="; fast_pattern; nocase; http_client_body; isdataat:1024,relative; content:!"&"; within:1024; http_client_body; metadata:service http; reference:cve,2014-1635; classtype:attempted-admin; sid:32462; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP F5 BIG-IP Enterprise Manager XML entity injection attempt"; flow:to_server,established; content:"!ENTITY%20%25%20remote%20SYSTEM%20%22http"; http_client_body; metadata:service http; reference:cve,2014-6032; classtype:attempted-user; sid:32547; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP F5 BIG-IP Enterprise Manager XML entity injection attempt"; flow:to_server,established; content:"!ENTITY % remote SYSTEM |22|http"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2014-6032; classtype:attempted-user; sid:32546; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Visual Mining NetCharts directory traversal attempt"; flow:to_server,established; content:"/Developer/fileUpload.jsp"; fast_pattern:only; http_uri; content:"urlencoded"; http_header; content:"path"; nocase; http_client_body; pcre:"/(^|&)path=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy security-ips drop, service http; reference:bugtraq,70895; reference:cve,2014-8516; classtype:attempted-admin; sid:32528; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Visual Mining NetCharts directory traversal attempt"; flow:to_server,established; content:"/Developer/fileUpload.jsp"; fast_pattern:only; http_uri; content:"multipart"; http_header; content:"path"; nocase; http_client_body; pcre:"/name\s*?=\s*?[\x22\x27]?path[^\x3b]+?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy security-ips drop, service http; reference:bugtraq,70895; reference:cve,2014-8516; classtype:attempted-admin; sid:32527; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Visual Mining NetCharts arbitrary file upload attempt"; flow:to_server,established; content:"/Admin/archive/upload.jsp"; fast_pattern:only; http_uri; content:"multipart"; http_header; content:"filename"; nocase; http_client_body; pcre:"/filename\s*?=\s*?[^\r\n]*?\x00/Pi"; metadata:policy security-ips drop, service http; reference:bugtraq,70895; reference:cve,2014-8516; classtype:attempted-admin; sid:32563; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Mantis Bug Tracker XmlImportExport plugin PHP code injection attempt"; flow:to_server,established; content:"/plugin.php"; nocase; http_uri; content:"page=XmlImportExport"; fast_pattern:only; http_uri; content:"issuelink"; nocase; http_client_body; pcre:"/issuelink\s*?=\s*?[\x22\x27][^\x22\x27]*?(eval|exec|passthru|proc_open|shell_exec|system)/Pi"; metadata:service http; reference:bugtraq,70993; reference:cve,2014-7146; classtype:attempted-admin; sid:32582; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Mantis Bug Tracker XmlImportExport plugin PHP code injection attempt"; flow:to_server,established; content:"/plugin.php"; nocase; http_uri; content:"page=XmlImportExport"; fast_pattern:only; http_uri; content:"<description"; nocase; http_client_body; pcre:"/<description[^>]*?>[^<]*?(eval|exec|passthru|proc_open|shell_exec|system)/Pi"; metadata:service http; reference:bugtraq,70993; reference:cve,2014-7146; classtype:attempted-admin; sid:32581; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Reflected file download attempt"; flow:to_server,established; content:"|3B 2F|"; http_uri; content:".bat"; distance:0; nocase; http_uri; pcre:"/\x2ebat(\x3b|$)/smiU"; metadata:service http; reference:url,blog.spiderlabs.com/2014/10/reflected-file-download-the-white-paper.html; classtype:web-application-attack; sid:32580; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Reflected file download attempt"; flow:to_server,established; content:"|3B 2F|"; http_uri; content:".cmd"; distance:0; nocase; http_uri; pcre:"/\x2ecmd(\x3b|$)/smiU"; metadata:service http; reference:url,blog.spiderlabs.com/2014/10/reflected-file-download-the-white-paper.html; classtype:web-application-attack; sid:32579; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpMemcachedAdmin path traversal attempt"; flow:to_server,established; content:"live_stats_id"; fast_pattern:only; content:"live_stats_id"; http_cookie; content:"="; within:1; distance:32; http_cookie; content:"../"; distance:0; http_cookie; metadata:policy security-ips drop, service http; reference:cve,2014-8731; reference:url,securityfocus.com/archive/1/533968; classtype:web-application-attack; sid:32611; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP Microsoft Outlook Web Access parameter cross site scripting attempt"; flow:to_server,established; file_data; content:"/owa/?#viewmodel="; fast_pattern:only; pcre:"/owa\x2F\x3F\x23viewmodel\x3D[^&\r\n]+?([\x28\x22\x27]|%22|%27|%28)/smi"; metadata:service smtp; reference:cve,2014-6325; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-075; classtype:attempted-user; sid:32682; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Microsoft Outlook Web Access parameter cross site scripting attempt"; flow:to_client,established; file_data; content:"/owa/?#viewmodel="; fast_pattern:only ; pcre:"/owa\x2F\x3F\x23viewmodel\x3D[^&\r\n]+?([\x28\x22\x27]|%22|%27|%28)/smi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-6325; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-075; classtype:attempted-user; sid:32681; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec messaging gateway management console cross-site scripting attempt"; flow:to_server, established; content:"DlpConnectFlow$view.flo?"; fast_pattern:only; http_uri; content:"displayTab="; http_uri; pcre:"/displayTab=[^&]*([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2014-1648; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140422_00; classtype:attempted-user; sid:32773; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP dBlog CMS m parameter SQL injection attempt"; flow:to_server,established; content:"/dblog/storico.asp"; depth:18; http_uri; content:"m="; distance:0; http_uri; pcre:"/[?&]m=[^&]+([\x22\x27]|SELECT|UPDATE|INSERT)/iU"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,62146; classtype:web-application-attack; sid:32761; rev:2;)
# sid 32753 (enabled; marked drop in the balanced, connectivity and security policies):
# FreePBX Asterisk recording interface PHP unserialize, CVE-2014-7235.
# Requires "/recordings/index.php" in the URI. The other two contents name no HTTP buffer,
# so they are looked for in the payload as a whole: "ari_auth" and the percent-encoded
# string %3BO%3A6%3A%22Backup%22, i.e. ;O:6:"Backup" -- the start of a PHP serialized
# object of class Backup.
# NOTE(review): ari_auth is presumably the cookie that carries the serialized data; the
# rule does not tie the two contents to each other or to a header -- verify against a capture.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FreePBX Framework Asterisk recording interface PHP unserialize code execution attempt"; flow:to_server,established; content:"/recordings/index.php"; nocase; http_uri; content:"ari_auth"; nocase; content:"%3BO%3A6%3A%22Backup%22"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,70188; reference:cve,2014-7235; classtype:attempted-admin; sid:32753; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress OptimizePress plugin theme upload attempt"; flow:to_server,established; content:"/wp-content/themes/OptimizePress/lib/admin/media-upload.php"; fast_pattern:only; http_uri; content:"<?"; http_client_body; metadata:service http; reference:cve,2013-7102; reference:url,blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vulnerability.html; classtype:attempted-user; sid:32746; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine NetFlow Analyzer information disclosure attempt"; flow:to_server,established; content:"/netflow/servlet"; fast_pattern:only; http_uri; content:"schFilePath="; nocase; http_uri; pcre:"/[?&]schFilePath=((c\x3a)?\x2f|[^&]*?\x2e\x2e\x2f)/Ui"; metadata:service http; reference:bugtraq,71404; reference:cve,2014-5445; classtype:attempted-recon; sid:32745; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine NetFlow Analyzer DisplayChartPDF directory traversal attempt"; flow:to_server,established; content:"/netflow/servlet/DisplayChartPDF"; fast_pattern:only; http_uri; content:"filename="; nocase; http_uri; content:"../"; distance:0; http_uri; pcre:"/[?&]filename=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:bugtraq,71404; reference:cve,2014-5446; classtype:attempted-recon; sid:32744; rev:4;)
# sid 32742 (enabled; marked drop in the balanced, connectivity and security policies):
# Arris VAP2500 tools_command.php, CVE-2014-8423.
# Fires when the URI contains "/tools_command.php" and the client body contains both
# "cmb_header=" and "txt_command=" (case-insensitive). Parameter values are not inspected,
# so any submission of that form from $EXTERNAL_NET matches, including legitimate use of
# the page.
# NOTE(review): when running inline under one of the drop policies, such requests would be
# blocked outright -- confirm no management traffic for this device arrives from $EXTERNAL_NET.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Arris VAP2500 tools_command.php command execution attempt"; flow:to_server,established; content:"/tools_command.php"; fast_pattern:only; http_uri; content:"cmb_header="; nocase; http_client_body; content:"txt_command="; nocase; http_client_body; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,71299; reference:cve,2014-8423; classtype:attempted-admin; sid:32742; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ActualScripts ActualAnalyzer aa.php command injection attempt"; flow:to_server,established; content:"/aa.php"; fast_pattern:only; http_uri; content:"|60|"; http_cookie; pcre:"/an[tmw1]=[^\x3b\s]*?\x60/Ci"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-admin; sid:32887; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Enalean Tuleap PHP unserialize code execution attempt"; flow:to_server,established; content:"/project/register.php"; nocase; http_uri; content:"Transition_PostAction_FieldFactory"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,71335; reference:cve,2014-8791; classtype:attempted-admin; sid:32886; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Enalean Tuleap PHP unserialize code execution attempt"; flow:to_server,established; content:"/project/register.php"; nocase; http_uri; content:"Transition_PostAction_FieldFactory"; fast_pattern:only; http_client_body; metadata:service http; reference:bugtraq,71335; reference:cve,2014-8791; classtype:attempted-admin; sid:32885; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lexmark MarkVision Enterprise GfdFileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/mve/upload/gfd"; fast_pattern:only; http_uri; content:"urlencoded"; http_header; content:"filename"; nocase; http_client_body; pcre:"/(^|&)filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,71623; reference:cve,2014-8741; reference:url,support.lexmark.com/index?page=content&id=TE666; classtype:attempted-admin; sid:32964; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lexmark MarkVision Enterprise GfdFileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/mve/upload/gfd"; fast_pattern:only; http_uri; content:"multipart"; http_header; content:"filename"; nocase; http_client_body; pcre:"/filename\s*?=\s*?[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,71623; reference:cve,2014-8741; reference:url,support.lexmark.com/index?page=content&id=TE666; classtype:attempted-admin; sid:32963; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lexmark MarkVision Enterprise GfdFileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/mve/upload/gfd"; fast_pattern:only; http_uri; content:"filename="; nocase; http_uri; content:"../"; distance:0; http_uri; pcre:"/[?&]filename=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,71623; reference:cve,2014-8741; reference:url,support.lexmark.com/index?page=content&id=TE666; classtype:attempted-admin; sid:32962; rev:3;)
# sid 32952 (disabled): rate-based login-abuse rule, classtype suspicious-login.
# Matches POST requests to /setup/iosbuddy/loginDelegates with "Host: setup.icloud.com"
# and both "apple-id" and "password" in the client body. The detection_filter suppresses
# alerts until one source address has produced 500 matches within 60 seconds (track by_src).
# NOTE(review): counting is per source address, so clients sharing a NAT address are counted
# together; the rule also needs the request to be visible to the sensor as cleartext HTTP.
# alert tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP iCloud Apple ID brute-force login attempt"; flow:to_server,established,only_stream; content:"POST"; nocase; http_method; content:"/setup/iosbuddy/loginDelegates"; fast_pattern:only; http_uri; content:"Host|3A| setup.icloud.com"; nocase; http_header; content:"apple-id"; nocase; http_client_body; content:"password"; nocase; http_client_body; detection_filter:track by_src, count 500, seconds 60; metadata:service http; classtype:suspicious-login; sid:32952; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress XSS Clean and Simple Contact Form plugin cross-site scripting attempt"; flow:to_server,established; content:"/wp-admin/admin-ajax.php"; fast_pattern:only; http_uri; content:"cscf"; http_client_body; content:"name"; within:7; http_client_body; pcre:"/(^|&)cscf(\x5B|%5B)name(\x5D|%5D)=[A-Z0-9+]*[^A-Z0-9+&]/Pi"; metadata:service http; reference:cve,2014-8955; classtype:attempted-user; sid:32939; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP F5 BIG-IP name parameter directory traversal attempt"; flow:to_server,established; content:"/tmui/Control"; fast_pattern:only; http_uri; content:"urlencoded"; http_header; content:"name"; nocase; http_client_body; pcre:"/(^|&)name=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:service http; reference:bugtraq,71063; reference:cve,2014-8727; classtype:web-application-attack; sid:32970; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP F5 BIG-IP name parameter directory traversal attempt"; flow:to_server,established; content:"/tmui/Control"; fast_pattern:only; http_uri; content:"name="; nocase; http_uri; content:"../"; distance:0; http_uri; pcre:"/[?&]name=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:bugtraq,71063; reference:cve,2014-8727; classtype:web-application-attack; sid:32969; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP F5 BIG-IP name parameter directory traversal attempt"; flow:to_server,established; content:"/tmui/Control"; fast_pattern:only; http_uri; content:"multipart"; http_header; content:"name"; nocase; http_client_body; pcre:"/name\s*?=\s*?[\x22\x27]?name[^\x3b]+?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:service http; reference:bugtraq,71063; reference:cve,2014-8727; classtype:web-application-attack; sid:32968; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Multiple Products WsDiscoveryServlet directory traversal attempt"; flow:to_server,established; content:"/discoveryServlet/WsDiscoveryServlet"; fast_pattern:only; http_uri; content:"urlencoded"; http_header; content:"Name="; nocase; http_client_body; pcre:"/(^|&)(?:computer|device)Name=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-5302; classtype:web-application-attack; sid:33076; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Multiple Products WsDiscoveryServlet directory traversal attempt"; flow:to_server,established; content:"/discoveryServlet/WsDiscoveryServlet"; fast_pattern:only; http_uri; content:"multipart"; http_header; content:"Name"; nocase; http_client_body; pcre:"/name\s*?=\s*?[\x22\x27]?(?:computer|device)Name[^\x3b]+?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-5302; classtype:web-application-attack; sid:33075; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Multiple Products WsDiscoveryServlet directory traversal attempt"; flow:to_server,established; content:"/discoveryServlet/WsDiscoveryServlet"; fast_pattern:only; http_uri; content:"Name="; nocase; http_uri; content:"../"; distance:0; http_uri; pcre:"/[?&](?:computer|device)Name=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-5302; classtype:web-application-attack; sid:33074; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP System Management Homepage cross site scripting attempt"; flow:to_server,established; content:"red2301"; fast_pattern:only; http_uri; content:"Redirect"; nocase; http_uri; pcre:"/[?&]Redirect(?:Url|QueryString)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:bugtraq,70206; reference:cve,2014-2640; reference:url,h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04463322; classtype:attempted-user; sid:33114; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell eDirectory IMONITOR cross site scripting attempt"; flow:to_server,established; content:"/nds/search/data"; fast_pattern:only; http_uri; content:"rdn="; nocase; http_uri; pcre:"/[?&]rdn=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:bugtraq,71741; reference:cve,2014-5212; classtype:attempted-user; sid:33113; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Multiple Products directory traversal attempt"; flow:to_server,established; content:"Attachment.jsp"; fast_pattern:only; http_uri; content:"module"; nocase; http_client_body; content:"name"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?module((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-5301; classtype:web-application-attack; sid:33104; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Samsung AllShare Cast command injection attempt"; flow:to_server,established; content:"/cgi-bin/configure-external-ap.sh"; fast_pattern:only; http_uri; content:"UEnvEXT_AP_SSID"; nocase; http_client_body; content:"urlencoded"; nocase; http_header; pcre:"/(^|&)UEnvEXT_AP_SSID=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%24%28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,0x00string.com/hacktionary/index.php?title=AllShare_Cast; classtype:attempted-admin; sid:33190; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Samsung AllShare Cast command injection attempt"; flow:to_server,established; content:"/cgi-bin/configure-external-ap.sh"; fast_pattern:only; http_uri; content:"UEnvEXT_AP_SSID"; nocase; http_client_body; content:"multipart"; nocase; http_header; pcre:"/name\s*?=\s*?[\x22\x27]?UEnvEXT_AP_SSID((?!form-data).)*?[\r\n]{2,}[^\r\n]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%24%28)/Psi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,0x00string.com/hacktionary/index.php?title=AllShare_Cast; classtype:attempted-admin; sid:33189; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP McAfee ePolicy Orchestrator XML external entity injection attempt"; flow:to_server,established; content:"/core/orionUpdateTableFilter.do"; fast_pattern:only; http_uri; content:"conditionXML"; nocase; http_client_body; content:"ENTITY"; nocase; http_client_body; pcre:"/(\x21|%21)ENTITY((?!\x3e|%3e).)*?(SYSTEM|PUBLIC)/Pi"; metadata:service http; reference:bugtraq,71881; reference:cve,2015-0921; classtype:web-application-attack; sid:33279; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AlienVault OSSIM a_deployment.php command injection attempt"; flow:to_server,established; content:"/ossim/ossec/data/agents/ajax/a_deployment.php"; fast_pattern:only; http_uri; pcre:"/[?&](?:user|pass)=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.securityfocus.com/archive/1/534488/30/0/threaded; classtype:attempted-admin; sid:33278; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AlienVault OSSIM a_deployment.php command injection attempt"; flow:to_server,established; content:"/ossim/ossec/data/agents/ajax/a_deployment.php"; fast_pattern:only; http_uri; content:"urlencoded"; nocase; http_header; pcre:"/(^|&)(?:user|pass)=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%24%28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.securityfocus.com/archive/1/534488/30/0/threaded; classtype:attempted-admin; sid:33277; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AlienVault OSSIM a_deployment.php command injection attempt"; flow:to_server,established; content:"/ossim/ossec/data/agents/ajax/a_deployment.php"; fast_pattern:only; http_uri; content:"multipart"; nocase; http_header; pcre:"/name\s*?=\s*?[\x22\x27]?(?:user|pass)(?:(?!^--).)*?[\r\n]{2,}(?:(?!^--).)*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%24%28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.securityfocus.com/archive/1/534488/30/0/threaded; classtype:attempted-admin; sid:33276; rev:3;)
# sid:33275 - glibc gethostbyname overflow (CVE-2015-0235) reached through a
# WordPress XML-RPC pingback.
# Match logic: request URI contains /xmlrpc.php; the client body contains
# "pingback.ping" and a "://" that has at least 500 more bytes after it, with no
# "/" in the next 500 bytes. The pcre then requires a digit followed by 500
# digit-or-dot characters directly after "://", i.e. an over-long numeric host.
# The body checks rely on the HTTP client body buffer (http_client_body, pcre /P).
# NOTE(review): confirm the http_inspect post_depth on this sensor is large
# enough for that buffer to hold the whole pingback URL, otherwise this cannot fire.
# metadata sets action "drop" for the balanced-ips, max-detect-ips and
# security-ips policies; this takes effect as a block only on an inline sensor.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress pingback gethostbyname heap buffer overflow attempt"; flow:to_server,established; content:"/xmlrpc.php"; fast_pattern:only; http_uri; content:"pingback.ping"; nocase; http_client_body; content:"://"; http_client_body; isdataat:500,relative; content:!"/"; within:500; http_client_body; pcre:"/\x3a\x2f\x2f\d[\d\x2e]{500}/P"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72325; reference:cve,2015-0235; reference:url,openwall.com/lists/oss-security/2015/01/27/9; classtype:web-application-attack; sid:33275; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phpBB viewtopic double URL encoding attempt"; flow:to_server,established; content:"viewtopic.php"; content:"highlight="; distance:0; content:"%25"; distance:0; metadata:service http; reference:cve,2004-1315; classtype:web-application-attack; sid:33294; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phpBB viewtopic double URL encoding attempt"; flow:to_server,established; content:"viewtopic.php"; content:"highlight="; distance:0; content:"%25"; distance:0; reference:cve,2004-1315; classtype:web-application-attack; sid:33293; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Encryption Management Server command injection attempt"; flow:to_server,established; content:"/omc/uploadBackup.event"; fast_pattern:only; http_uri; content:"urlencoded"; nocase; http_header; content:"filename"; nocase; http_client_body; pcre:"/(^|&)filename=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%24%28)/Pi"; metadata:policy security-ips drop, service http; reference:bugtraq,72308; reference:cve,2014-7288; classtype:web-application-attack; sid:33448; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Encryption Management Server command injection attempt"; flow:to_server,established; content:"/omc/uploadBackup.event"; fast_pattern:only; http_uri; content:"multipart"; nocase; http_header; content:"filename"; nocase; http_client_body; pcre:"/filename\s*?=\s*?\x22[^\x22]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%24%28)/Pi"; metadata:policy security-ips drop, service http; reference:bugtraq,72308; reference:cve,2014-7288; classtype:web-application-attack; sid:33447; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Encryption Management Server command injection attempt"; flow:to_server,established; content:"/omc/uploadBackup.event"; fast_pattern:only; http_uri; content:"filename="; nocase; http_uri; pcre:"/[?&]filename=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy security-ips drop, service http; reference:bugtraq,72308; reference:cve,2014-7288; classtype:web-application-attack; sid:33446; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress EasyCart PHP code execution attempt"; flow:to_server,established; content:"/inc/amfphp/administration/banneruploaderscript.php"; fast_pattern:only; http_uri; content:"<?"; http_client_body; metadata:service http; reference:bugtraq,71983; reference:cve,2014-9308; classtype:web-application-attack; sid:33440; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Photo Gallery PHP code execution attempt"; flow:to_server,established; content:"bwg_UploadHandler"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:".php"; within:filename_len; distance:2; nocase; metadata:service http; reference:cve,2014-9312; classtype:attempted-admin; sid:33514; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nginx URI processing security bypass attempt"; flow:to_server,established; content:" /../"; depth:40; offset:5; metadata:service http; reference:bugtraq,63814; reference:cve,2013-4547; classtype:attempted-user; sid:33581; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Multiple Products FailOverHelperServlet information disclosure attempt"; flow:to_server,established; content:"FailOverHelperServlet"; fast_pattern:only; http_uri; content:"fileName="; nocase; http_uri; pcre:"/[?&]fileName=((c\x3a)?\x2f|[^&]*?\x2e\x2e\x2f)/Ui"; metadata:policy security-ips drop, service http; reference:cve,2014-7863; classtype:attempted-recon; sid:33574; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Multiple Products FailOverHelperServlet information disclosure attempt"; flow:to_server,established; content:"FailOverHelperServlet"; fast_pattern:only; http_uri; content:"fileName"; nocase; http_client_body; pcre:"/(^|&)fileName=((c(\x3a|%3a))?(\x2f|%2f)|[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c))/Pi"; metadata:policy security-ips drop, service http; reference:cve,2014-7863; classtype:attempted-recon; sid:33573; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP xmlrpc.php command injection attempt"; flow:to_server,established; content:"POST"; depth:4; nocase; content:"/xmlrpc.php"; within:50; fast_pattern; nocase; content:"<methodCall><methodName>"; within:500; nocase; content:"<params><param><value>"; within:100; nocase; content:"echo"; within:500; nocase; content:"|60|"; within:100; metadata:service http; reference:bugtraq,14088; reference:cve,2005-1921; classtype:attempted-admin; sid:33632; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP caucho-status access"; flow:to_server,established; content:"caucho-status"; fast_pattern:only; http_uri; metadata:service http; classtype:web-application-activity; sid:33614; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP stronghold-info access"; flow:to_server,established; content:"stronghold-info"; fast_pattern:only; http_uri; metadata:service http; classtype:web-application-activity; sid:33613; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP stronghold-status access"; flow:to_server,established; content:"stronghold-status"; fast_pattern:only; http_uri; metadata:service http; classtype:web-application-activity; sid:33612; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP httpd.conf access"; flow:to_server,established; content:"httpd.conf"; fast_pattern:only; http_uri; metadata:service http; classtype:web-application-activity; sid:33611; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .wwwgroup access"; flow:to_server,established; content:".wwwgroup"; fast_pattern:only; http_uri; metadata:service http; classtype:web-application-activity; sid:33610; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .wwwpasswd access"; flow:to_server,established; content:".wwwpasswd"; fast_pattern:only; http_uri; metadata:service http; classtype:web-application-activity; sid:33609; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bin access"; flow:to_server,established; content:"/~bin"; fast_pattern:only; http_uri; metadata:service http; classtype:attempted-recon; sid:33608; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cron access"; flow:to_server,established; content:"/~cron"; fast_pattern:only; http_uri; metadata:service http; classtype:attempted-recon; sid:33607; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Desktop Central MSP StatusUpdateServlet directory traversal attempt"; flow:to_server,established; content:"actionToCall=LFU"; fast_pattern:only; http_uri; content:"/statusUpdate"; nocase; http_uri; content:"urlencoded"; nocase; http_header; pcre:"/(^|&)(?:computerName|configDataID|applicationName|fileName|customerId)=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy security-ips drop, service http; reference:bugtraq,71910; reference:cve,2014-9404; classtype:web-application-attack; sid:33599; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Desktop Central MSP StatusUpdateServlet directory traversal attempt"; flow:to_server,established; content:"actionToCall=LFU"; fast_pattern:only; http_uri; content:"/statusUpdate"; nocase; http_uri; content:"multipart"; nocase; http_header; pcre:"/name\s*=\s*[\x22\x27]?(?:computerName|configDataID|applicationName|fileName|customerId)(?:(?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy security-ips drop, service http; reference:bugtraq,71910; reference:cve,2014-9404; classtype:web-application-attack; sid:33598; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Desktop Central MSP StatusUpdateServlet directory traversal attempt"; flow:to_server,established; content:"actionToCall=LFU"; fast_pattern:only; http_uri; content:"/statusUpdate"; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&](?:computerName|configDataID|applicationName|fileName|customerId)=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy security-ips drop, service http; reference:bugtraq,71910; reference:cve,2014-9404; classtype:web-application-attack; sid:33597; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell ScriptLogic Asset Manager SQL injection attempt"; flow:to_server,established; content:"/SLAMClientRequestHandler"; fast_pattern:only; http_uri; content:"Package.aspx"; nocase; http_uri; content:"ID="; nocase; http_client_body; pcre:"/(^|&)ID=[^&]*?(\x3b|%3b)/Pim"; metadata:service http; reference:bugtraq,72697; reference:cve,2015-1605; classtype:web-application-attack; sid:33659; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell ScriptLogic Asset Manager SQL injection attempt"; flow:to_server,established; content:"/SLAMClientRequestHandler"; fast_pattern:only; http_uri; content:"Package.aspx"; nocase; http_uri; content:"name"; nocase; http_client_body; content:"ID"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?ID(?:(?!^--).)*?[\r\n]{2,}(?:(?!^--).)*?\x3b/Psim"; metadata:service http; reference:bugtraq,72697; reference:cve,2015-1605; classtype:web-application-attack; sid:33658; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell ScriptLogic Asset Manager SQL injection attempt"; flow:to_server,established; content:"/SLAMClientRequestHandler"; fast_pattern:only; http_uri; content:"Package.aspx"; nocase; http_uri; content:"ID="; nocase; http_uri; pcre:"/[?&]ID=[^&]*?\x3b/Ui"; metadata:service http; reference:bugtraq,72697; reference:cve,2015-1605; classtype:web-application-attack; sid:33657; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt"; flow:to_server,established; content:"/Orion/Services/AccountManagement.asmx/GetAccount"; fast_pattern:only; http_uri; pcre:"/[?&](dir|sort)=[^&]*?\x3b/Ui"; metadata:service http; reference:cve,2014-9566; classtype:web-application-attack; sid:33653; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt"; flow:to_server,established; content:"/Orion/Services/AccountManagement.asmx/GetAccount"; fast_pattern:only; http_uri; pcre:"/(^|&)(dir|sort)=[^&]*?(\x3b|%3b)/Pim"; metadata:service http; reference:cve,2014-9566; classtype:web-application-attack; sid:33652; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Solarwinds Orion AccountManagement SQL injection attempt"; flow:to_server,established; content:"/Orion/Services/AccountManagement.asmx/GetAccount"; fast_pattern:only; http_uri; content:"name"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?(dir|sort)((?!^--).)*?[\r\n]{2,}((?!^--).)*?\x3b/Psim"; metadata:service http; reference:cve,2014-9566; classtype:web-application-attack; sid:33651; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Web Gateway restore.php command injection attempt"; flow:to_server,established; content:"/spywall/restore.php"; fast_pattern:only; http_uri; content:"multipart"; nocase; http_header; content:"filename"; nocase; http_client_body; pcre:"/filename\s*=\s*\x22[^\x22]*([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%24%28)/Pi"; metadata:service http; reference:bugtraq,71620; reference:cve,2014-7285; classtype:web-application-attack; sid:33676; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Outlook WebAccess msgParam cross site scripting attempt"; flow:to_server,established; content:"/owa/auth/errorfe.aspx"; fast_pattern:only; http_uri; content:"msgParam="; nocase; http_uri; pcre:"/[?&]msgParam=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2015-1632; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-026; classtype:attempted-user; sid:33762; rev:2;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER-WEBAPP Eclipse Foundation Jetty HttpParser information disclosure attempt"; flow:to_client,established; content:"400"; http_stat_code; content:"Illegal character 0x"; fast_pattern:only; content:"Illegal character 0x"; depth:20; http_stat_msg; content:"Server|3A| Jetty"; nocase; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72768; reference:cve,2015-2080; classtype:attempted-recon; sid:33813; rev:3;)
# sid:33812 - Seagate NAS set_general_setup request (CVE-2014-8687).
# Match logic: request URI contains /index.php/mv_system/set_general_setup; the
# client body contains "description" followed anywhere later by the literal
# "%26lt%3b%3f" (case-insensitive), which is the URL-encoded text "&lt;?".
# "ci_session" carries no HTTP buffer modifier here, so it is not tied to the
# Cookie header; sid:33938 in this file constrains the same string with http_cookie.
# NOTE(review): the body match is on that one literal encoded sequence, so
# whether it fires presumably depends on how the client body is presented to
# the detection engine - verify against a known-good capture before relying on it.
# metadata sets action "drop" for the balanced-ips and security-ips policies.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Seagate NAS remote code execution attempt"; flow:to_server,established; content:"/index.php/mv_system/set_general_setup"; fast_pattern:only; http_uri; content:"ci_session"; nocase; content:"description"; nocase; http_client_body; content:"%26lt%3b%3f"; distance:0; nocase; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,72831; reference:cve,2014-8687; classtype:attempted-admin; sid:33812; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress Holding Pattern theme file upload attempt"; flow:to_server,established; content:"/themes/holding_pattern/admin/upload-file.php"; fast_pattern:only; http_uri; content:"<?php"; http_client_body; metadata:service http; reference:bugtraq,72546; reference:cve,2015-1172; classtype:attempted-admin; sid:33856; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress Ultimate CSV Importer auth bypass export attempt"; flow:to_server,established; content:"/wp-ultimate-csv-importer/modules/export/templates/export.php"; fast_pattern:only; http_uri; content:"export="; http_client_body; metadata:service http; reference:url,wpvulndb.com/vulnerabilities/7778; classtype:attempted-admin; sid:33855; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link multiple products ping.ccp command injection attempt"; flow:to_server,established; content:"/ping.ccp"; fast_pattern:only; http_uri; content:"ping_addr="; nocase; http_client_body; pcre:"/(^|&)ping_addr=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pi"; metadata:service http; reference:bugtraq,72848; reference:cve,2015-1187; classtype:attempted-admin; sid:33853; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Seagate BlackArmor NAS getAlias.php command injection attempt"; flow:to_server,established; content:"/backupmgt/getAlias.php"; fast_pattern:only; http_uri; content:"ip="; nocase; http_uri; pcre:"/[?&]ip=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy security-ips drop, service http; reference:bugtraq,64655; reference:cve,2013-6924; classtype:web-application-attack; sid:33832; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8980 (msg:"SERVER-WEBAPP OpenNMS XML external entity injection attempt"; flow:to_server,established; content:"POST /opennms/rtc/post"; depth:22; nocase; content:"ENTITY"; nocase; pcre:"/(\x21|%21)ENTITY((?!\x3e|%3e).)*?(SYSTEM|PUBLIC)/i"; metadata:service http; reference:cve,2015-0975; classtype:web-application-attack; sid:33896; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TWiki debugenableplugins arbitrary perl code injection attempt"; flow:to_server,established; content:"/do/view/"; nocase; http_uri; content:"debugenableplugins="; nocase; http_uri; content:"|3B|"; distance:0; http_uri; pcre:"/[?&]debugenableplugins=[^&]*?\x3b/Ui"; metadata:policy security-ips drop, service http; reference:bugtraq,70372; reference:cve,2014-7236; classtype:web-application-attack; sid:33895; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TWiki debugenableplugins arbitrary perl code injection attempt"; flow:to_server,established; content:"/do/view/"; nocase; http_uri; content:"debugenableplugins="; fast_pattern:only; http_client_body; pcre:"/(^|&)debugenableplugins=[^&]*?(\x3b|%3b)/Pi"; metadata:policy security-ips drop, service http; reference:bugtraq,70372; reference:cve,2014-7236; classtype:web-application-attack; sid:33894; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Websense Triton CommandLineServlet command injection attempt"; flow:to_server,established; content:"/appmng/servlet/CommandLineServlet"; fast_pattern:only; http_uri; content:"command="; nocase; http_uri; pcre:"/[?&]\w+=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2015/Mar/104; classtype:web-application-attack; sid:33890; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Websense Triton CommandLineServlet command injection attempt"; flow:to_server,established; content:"/appmng/servlet/CommandLineServlet"; fast_pattern:only; http_uri; content:"command="; nocase; http_client_body; pcre:"/(^|&)\w+=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%24%28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2015/Mar/104; classtype:web-application-attack; sid:33889; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Citrix NetScaler xen_hotfix object parameter command injection attempt"; flow:to_server,established; content:"/config/xen_hotfix"; fast_pattern:only; http_uri; content:"object="; nocase; http_uri; pcre:"/[?&]object=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2015/Mar/129; classtype:web-application-attack; sid:33888; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Citrix NetScaler xen_hotfix object parameter command injection attempt"; flow:to_server,established; content:"/config/xen_hotfix"; fast_pattern:only; http_uri; content:"object="; nocase; http_client_body; pcre:"/(^|&)object=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%24%28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2015/Mar/129; classtype:web-application-attack; sid:33887; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress arbitrary web script injection attempt"; flow:to_server,established; content:"/wp-comments-post.php"; fast_pattern:only; http_uri; content:"author="; depth:7; http_client_body; content:"&comment="; distance:0; http_client_body; content:"onmouseover"; distance:0; nocase; http_client_body; pcre:"/&comment=[^&]*?(%5D|\])(%22|\")(%3E|\>)[^&]*?onmouseover/iP"; metadata:service http; reference:cve,2014-9031; classtype:attempted-user; sid:33922; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP ArcSight Logger directory traversal attempt"; flow:to_server,established; content:"/logger/import_content_config_upload.ftl"; fast_pattern:only; http_uri; content:"urlencoded"; nocase; http_header; content:"filename"; nocase; http_client_body; pcre:"/(^|&)filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy security-ips drop, service http; reference:bugtraq,73071; reference:cve,2014-7884; classtype:web-application-attack; sid:33917; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP ArcSight Logger directory traversal attempt"; flow:to_server,established; content:"/logger/import_content_config_upload.ftl"; fast_pattern:only; http_uri; content:"multipart"; nocase; http_header; content:"filename"; nocase; http_client_body; pcre:"/filename\s*=\s*[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy security-ips drop, service http; reference:bugtraq,73071; reference:cve,2014-7884; classtype:web-application-attack; sid:33916; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP ArcSight Logger directory traversal attempt"; flow:to_server,established; content:"/logger/import_content_config_upload.ftl"; fast_pattern:only; http_uri; content:"filename="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]filename=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy security-ips drop, service http; reference:bugtraq,73071; reference:cve,2014-7884; classtype:web-application-attack; sid:33915; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Seagate BlackArmor NAS send_test_email command injection attempt"; flow:to_server,established; content:"/mv_system/send_test_email"; fast_pattern:only; http_uri; content:"ci_session"; nocase; http_cookie; content:"email_recipients="; nocase; http_client_body; pcre:"/(^|&)email_recipients=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%24%28)/Pi"; metadata:policy security-ips drop, service http; reference:cve,2014-2701; classtype:web-application-attack; sid:33938; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TRENDnet TN200 Network Storage System command injection attempt"; flow:to_server,established; content:"/cgi-bin/system_mgr.cgi"; fast_pattern:only; http_uri; content:"f_ip="; nocase; http_client_body; pcre:"/(^|&)f_ip=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%24%28)/Pi"; metadata:policy security-ips drop, service http; reference:cve,2014-1628; classtype:web-application-attack; sid:33937; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TRENDnet TN200 Network Storage System command injection attempt"; flow:to_server,established; content:"/cgi-bin/remote_backup.cgi"; fast_pattern:only; http_uri; content:"ip="; nocase; http_client_body; pcre:"/(^|&)ip=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%24%28)/Pi"; metadata:policy security-ips drop, service http; reference:cve,2014-1628; classtype:web-application-attack; sid:33936; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress WP Marketplace plugin privilege escalation attempt"; flow:to_server,established; content:"action=wpmp_pp_ajax_call"; nocase; http_client_body; content:"execute=wp_insert_user"; nocase; http_client_body; content:"role=administrator"; fast_pattern:only; http_client_body; metadata:policy security-ips drop, service http; reference:cve,2014-9013; classtype:attempted-admin; sid:33935; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress WP Marketplace plugin directory traversal attempt"; flow:to_server,established; content:"post_type=wpmarketplace"; fast_pattern:only; http_client_body; content:"wpmp_list"; nocase; http_client_body; pcre:"/(^|&)wpmp_list(%5b|\x5b)file(%5d|\x5d)(%5b|\x5b)(%5d|\x5d)=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy security-ips drop, service http; reference:cve,2014-9014; classtype:attempted-recon; sid:33934; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Berta Content Management System PHP code execution attempt"; flow:to_server,established; content:"/engine/upload.php"; fast_pattern:only; http_uri; content:"mediafolder="; nocase; http_uri; content:"Filedata"; nocase; http_client_body; content:".php"; nocase; http_client_body; content:"<?"; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-2780; classtype:attempted-admin; sid:34000; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DNS-345 Network Storage System system_mgr.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/system_mgr.cgi"; fast_pattern:only; http_uri; content:"f_sender="; nocase; http_client_body; pcre:"/(^|&)f_sender=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%24%28)/Pi"; metadata:policy security-ips drop, service http; reference:cve,2014-2691; classtype:web-application-attack; sid:33984; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lexmark Markvision Enterprise LibraryFileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/mve/upload/library"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72726; reference:cve,2014-9375; classtype:web-application-attack; sid:34056; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lexmark Markvision Enterprise LibraryFileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/mve/upload/library"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72726; reference:cve,2014-9375; classtype:web-application-attack; sid:34055; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP PHP php_date.c DateTimeZone data user after free attempt"; flow:to_server,established; file_data; content:"DateTimeZone"; fast_pattern; nocase; content:"timezone_type"; within:30; nocase; content:"{"; distance:0; content:"R:"; within:10; nocase; content:"unserialize"; metadata:service smtp; reference:bugtraq,72701; reference:cve,2015-0273; reference:url,bugs.php.net/bug.php?id=68942; classtype:web-application-attack; sid:34124; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP PHP php_date.c DateTimeZone data user after free attempt"; flow:to_client,established; file_data; content:"DateTimeZone"; fast_pattern; nocase; content:"timezone_type"; within:30; nocase; content:"{"; distance:0; content:"R:"; within:10; nocase; content:"unserialize"; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,72701; reference:cve,2015-0273; reference:url,bugs.php.net/bug.php?id=68942; classtype:web-application-attack; sid:34123; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell ZENworks Configuration Management directory traversal attempt"; flow:to_server,established; content:"/zenworks/UploadServlet"; fast_pattern:only; http_uri; content:"uid="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]uid=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-0779; classtype:web-application-attack; sid:34106; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell ZENworks Configuration Management directory traversal attempt"; flow:to_server,established; content:"/zenworks/UploadServlet"; fast_pattern:only; http_uri; content:"uid"; nocase; http_client_body; pcre:"/(^|&)uid=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-0779; classtype:web-application-attack; sid:34105; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell ZENworks Configuration Management directory traversal attempt"; flow:to_server,established; content:"/zenworks/UploadServlet"; fast_pattern:only; http_uri; content:"uid"; nocase; http_client_body; content:"name"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?uid((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-0779; classtype:web-application-attack; sid:34104; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ESF pfSense status_captiveportal cross site scripting attempt"; flow:to_server,established; content:"/status_captiveportal.php"; fast_pattern:only; http_uri; content:"zone="; nocase; http_uri; pcre:"/[?&]zone=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:bugtraq,73344; reference:cve,2015-2294; classtype:attempted-user; sid:34185; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ESF pfSense services_unbound_acls cross site scripting attempt"; flow:to_server,established; content:"/services_unbound_acls.php"; fast_pattern:only; http_uri; content:"id="; nocase; http_uri; pcre:"/[?&]id=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:bugtraq,73344; reference:cve,2015-2294; classtype:attempted-user; sid:34184; rev:2;)
# RevSlider (WordPress plugin) information disclosure, CVE-2014-9734. Enabled; tagged "drop" for the balanced-ips
# and security-ips policies. Fires on a request URI that contains "/admin-ajax.php?", "action=revslider_show_image"
# and "img=" with ".." inside the 20 bytes that follow "img=" (within:20). The rule has no pcre, so that ".." test
# is its only traversal check.
# NOTE(review): treat this as a backstop; the primary control is keeping the plugin patched or removed.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP RevSlider information disclosure attempt"; flow:to_server,established; content:"/admin-ajax.php?"; nocase; http_uri; content:"action=revslider_show_image"; fast_pattern:only; http_uri; content:"img="; nocase; http_uri; content:".."; within:20; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2014-9734; reference:url,www.exploit-db.com/exploits/36554/; classtype:web-application-attack; sid:34194; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Barracuda Networks Web Filter index.cgi command injection attempt"; flow:to_server,established; content:"/index.cgi"; nocase; http_uri; content:"UPDATE_new_external_server_username="; fast_pattern:only; http_uri; pcre:"/[?&]UPDATE_new_external_server_username=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:34222; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Barracuda Networks Web Filter index.cgi command injection attempt"; flow:to_server,established; content:"/index.cgi"; nocase; http_uri; content:"UPDATE_new_external_server_username="; fast_pattern:only; http_client_body; pcre:"/(^|&)UPDATE_new_external_server_username=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:34221; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Barracuda Networks Web Filter index.cgi command injection attempt"; flow:to_server,established; content:"/index.cgi"; nocase; http_uri; content:"UPDATE_new_external_server_username"; fast_pattern:only; http_client_body; content:"name"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?UPDATE_new_external_server_username((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c]|\x24\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:34220; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ESF pfSense diag_logs_filter cross site scripting attempt"; flow:to_server,established; content:"/diag_logs_filter.php"; fast_pattern:only; http_uri; content:"filterlogentries_"; nocase; http_uri; pcre:"/[?&]filterlogentries_[^=]*?=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:bugtraq,73344; reference:cve,2015-2294; classtype:attempted-user; sid:34215; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress overly large password class-phpass.php denial of service attempt"; flow:to_server,established,only_stream; content:"POST"; http_method; content:"/wp-login.php"; http_uri; content:"name="; depth:5; http_client_body; content:"&pass="; within:100; http_client_body; isdataat:1000,relative; detection_filter:track by_src, count 125, seconds 40; metadata:service http; reference:cve,2014-9034; classtype:attempted-dos; sid:34213; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Subversion HTTP excessive REPORT requests denial of service attempt"; flow:to_server,established,only_stream; content:"REPORT"; nocase; http_method; content:"svn"; nocase; http_uri; detection_filter:track by_dst, count 10, seconds 1; metadata:service http; reference:cve,2015-0202; reference:url,subversion.apache.org/security/CVE-2015-0202-advisory.txt; classtype:attempted-dos; sid:34306; rev:3;)
# D-Link HNAP SOAPAction command injection, CVE-2015-2051. Enabled; tagged "drop" for the balanced-ips,
# security-ips and max-detect-ips policies. Requires "/HNAP1" in the URI, and "SOAPAction" plus
# "http://purenetworks.com/HNAP1/GetDeviceSettings" in the request headers. The pcre then checks the line that
# starts with SOAPAction for a backtick, ";", "|", "&" or "$(". Requests that do not carry the GetDeviceSettings
# action string are outside this rule.
# NOTE(review): use alongside, not instead of, firmware updates and blocking HNAP from untrusted networks.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link multiple products HNAP SOAPAction header command injection attempt"; flow:to_server,established; content:"/HNAP1"; nocase; http_uri; content:"SOAPAction"; nocase; http_header; content:"http|3A|//purenetworks.com/HNAP1/GetDeviceSettings"; fast_pattern:only; http_header; pcre:"/^SOAPAction[^\n]*([\x60\x3b\x7c\x26]|\x24\x28)/Hmi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-2051; classtype:attempted-admin; sid:34300; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP vBulletin XSS redirect attempt"; flow:to_server,established; content:"/misc.php?v="; http_uri; content:"&js=js"; within:12; http_uri; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/url/6a7664105f1f144930f51e71dd0fec728607b4c9e33037d376cd7bf8351273a9/analysis/1430224991/; classtype:web-application-attack; sid:34287; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ESF pfSense firewall_shaper cross site scripting attempt"; flow:to_server,established; content:"/firewall_shaper.php"; fast_pattern:only; http_uri; content:"queue="; nocase; http_uri; pcre:"/[?&]queue=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:bugtraq,73344; reference:cve,2015-2294; classtype:attempted-user; sid:34285; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ESF pfSense firewall_rules cross site scripting attempt"; flow:to_server,established; content:"/firewall_rules.php"; fast_pattern:only; http_uri; pcre:"/[?&](if|dragtable\x5b\x5d)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:bugtraq,73344; reference:cve,2015-2294; classtype:attempted-user; sid:34284; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress comment field stored XSS attempt"; flow:to_server,established; content:"/wp-comments-post.php"; fast_pattern:only; content:"comment="; isdataat:2000; content:!"&submit="; within:2000; metadata:service http; reference:cve,2015-3440; reference:url,klikki.fi/adv/wordpress2.html; classtype:attempted-user; sid:34328; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Magento remote code execution attempt"; flow:to_server,established; content:"/Adminhtml_"; http_uri; content:"forwarded="; distance:0; http_uri; metadata:ruleset community, service http; reference:cve,2015-1398; classtype:attempted-admin; sid:34365; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt"; flow:to_server,established; content:"/zenworks/rtr"; fast_pattern:only; http_uri; content:"filename"; nocase; http_client_body; pcre:"/filename\s*=\s*[^\r\n]*?(\x3a|%3a|(\x2e|%2e){2})([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,74291; reference:bugtraq,74292; reference:cve,2015-0781; reference:cve,2015-0783; classtype:web-application-attack; sid:34364; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell ZENworks Configuration Management GetStoredResult.class SQL injection attempt"; flow:to_server,established; content:"/zenworks"; nocase; http_uri; content:"act=wcreports.GetStoredResult"; fast_pattern:only; http_uri; content:"ent="; nocase; http_uri; content:"|3B|"; distance:0; http_uri; pcre:"/[?&]ent=[^&]*?\x3b/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,74284; reference:cve,2015-0780; classtype:web-application-attack; sid:34363; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ESF pfSense deletefile directory traversal attempt"; flow:to_server,established; content:"/system_firmware_restorefullbackup.php"; fast_pattern:only; http_uri; content:"deletefile="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]deletefile=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:bugtraq,73344; reference:cve,2015-2295; classtype:web-application-attack; sid:34361; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ESF pfSense deletefile directory traversal attempt"; flow:to_server,established; content:"/system_firmware_restorefullbackup.php"; fast_pattern:only; http_uri; content:"deletefile"; nocase; http_client_body; pcre:"/(^|&)deletefile=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:bugtraq,73344; reference:cve,2015-2295; classtype:web-application-attack; sid:34360; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ESF pfSense deletefile directory traversal attempt"; flow:to_server,established; content:"/system_firmware_restorefullbackup.php"; fast_pattern:only; http_uri; content:"deletefile"; nocase; http_client_body; content:"name"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?deletefile((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:service http; reference:bugtraq,73344; reference:cve,2015-2295; classtype:web-application-attack; sid:34359; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell SonicWALL SonicOS macIpSpoofView cross site scripting attempt"; flow:to_server,established; content:"/macIpSpoofView"; fast_pattern:only; http_uri; content:"searchSpoof"; nocase; http_uri; pcre:"/[?&]searchSpoof(IpDet)?=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2015-3447; classtype:attempted-user; sid:34358; rev:2;)
# NOTE(review): the disabled rule below pairs flow:to_client (source port $HTTP_PORTS, destination $HOME_NET) with
# an http_uri match on "?author=". The request URI is not normally carried in server responses, so the rule looks
# unlikely to fire as written -- verify with test traffic before enabling it. Its detection_filter also holds the
# alert back until one source exceeds 100 matches within 2 seconds.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Wordpress username enumeration attempt"; flow:to_client,established,only_stream; content:"?author="; fast_pattern:only; http_uri; detection_filter:track by_src,count 100, seconds 2; metadata:service http; reference:url,www.acunetix.com/blog/web-security-zone/wordpress-username-enumeration-using-http-fuzzer/; classtype:attempted-recon; sid:34475; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Critical System Protection SQL injection attempt"; flow:to_server,established; content:"/sis-ui/authenticate"; fast_pattern:only; http_uri; content:"properties"; nocase; http_client_body; pcre:"/^un\s*=\s*[^\r\n]*?\x3b/Pim"; metadata:service http; reference:bugtraq,72092; reference:cve,2014-7289; classtype:attempted-admin; sid:34472; rev:3;)
# Symantec Critical System Protection bulk-log directory traversal, CVE-2014-3440 / bugtraq 72091. Enabled; tagged
# "drop" for the balanced-ips and security-ips policies. Requires "/sis-agent/bulk-log" in the URI and, in the
# request body, "file.name" followed by "=" and a value that contains ".." plus "/" or "\" before the line ends.
# Unlike several body rules in this file (for example sid 29485), the pcre lists no %2e / %2f / %5c alternatives.
# NOTE(review): confirm with test traffic whether percent-encoded values are decoded before the client-body
# match in this deployment. The SQL injection rule for the same product (sid 34472) is commented out.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Critical System Protection directory traversal attempt"; flow:to_server,established; content:"/sis-agent/bulk-log"; fast_pattern:only; http_uri; content:"file.name"; nocase; http_client_body; content:".."; distance:0; http_client_body; pcre:"/file\.name\s*=\s*[^\r\n]*?\x2e\x2e[\x2f\x5c]/Pi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,72091; reference:cve,2014-3440; classtype:attempted-admin; sid:34471; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Security Agent Management Center code execution attempt"; flow:to_server,established; content:"/csamc60/agent"; fast_pattern:only; http_uri; content:"%2E%2E"; nocase; http_client_body; pcre:"/([\x5c\x2f]|%2F|%5C)(%2E){2}/iP"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,46420; reference:cve,2011-0364; classtype:web-application-attack; sid:33025; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Security Agent Management Center code execution attempt"; flow:to_server,established; content:"/csamc60/agent"; fast_pattern:only; http_uri; content:".."; http_client_body; pcre:"/([\x5c\x2f]|%2F|%5C)[\x2e]{2}/iP"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,46420; reference:cve,2011-0364; classtype:web-application-attack; sid:33024; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt"; flow:to_server,established; file_data; content:"3A24F97F-25F7-4A6B-B1FF-213399A11D5B"; fast_pattern:only; content:"UserName"; nocase; content:"Array("; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,66733; reference:cve,2014-0770; reference:url,ics-cert.us-cert.gov/advisories/ICSA-14-079-03; classtype:attempted-user; sid:33012; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt"; flow:to_server,established; file_data; content:"WEBVACT.WEBVACTCtrl"; fast_pattern:only; content:"UserName"; nocase; content:"Array("; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,66733; reference:cve,2014-0770; reference:url,ics-cert.us-cert.gov/advisories/ICSA-14-079-03; classtype:attempted-user; sid:33011; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt"; flow:to_client,established; file_data; content:"3A24F97F-25F7-4A6B-B1FF-213399A11D5B"; fast_pattern:only; content:"UserName"; nocase; content:"Array("; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,66733; reference:cve,2014-0770; reference:url,ics-cert.us-cert.gov/advisories/ICSA-14-079-03; classtype:attempted-user; sid:33010; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt"; flow:to_client,established; file_data; content:"WEBVACT.WEBVACTCtrl"; fast_pattern:only; content:"UserName"; nocase; content:"Array("; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,66733; reference:cve,2014-0770; reference:url,ics-cert.us-cert.gov/advisories/ICSA-14-079-03; classtype:attempted-user; sid:33009; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt"; flow:to_server,established; file_data; content:"3A24F97F-25F7-4A6B-B1FF-213399A11D5B"; fast_pattern:only; content:"NodeName"; nocase; content:"Array("; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,66718; reference:cve,2014-0764; reference:url,ics-cert.us-cert.gov/advisories/ICSA-14-079-03; classtype:attempted-user; sid:33008; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt"; flow:to_server,established; file_data; content:"WEBVACT.WEBVACTCtrl"; fast_pattern:only; content:"NodeName"; nocase; content:"Array("; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,66718; reference:cve,2014-0764; reference:url,ics-cert.us-cert.gov/advisories/ICSA-14-079-03; classtype:attempted-user; sid:33007; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt"; flow:to_client,established; file_data; content:"3A24F97F-25F7-4A6B-B1FF-213399A11D5B"; fast_pattern:only; content:"NodeName"; nocase; content:"Array("; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,66718; reference:cve,2014-0764; reference:url,ics-cert.us-cert.gov/advisories/ICSA-14-079-03; classtype:attempted-user; sid:33006; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt"; flow:to_client,established; file_data; content:"WEBVACT.WEBVACTCtrl"; fast_pattern:only; content:"NodeName"; nocase; content:"Array("; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,66718; reference:cve,2014-0764; reference:url,ics-cert.us-cert.gov/advisories/ICSA-14-079-03; classtype:attempted-user; sid:33005; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP System Management iprange parameter buffer overflow attempt"; flow:to_server,established; content:"/proxy/DataValidation"; fast_pattern:only; http_uri; content:"iprestrlist="; nocase; http_uri; isdataat:68,relative; pcre:"/[?&]iprestrlist=[^&]{68}/iU"; metadata:policy max-detect-ips drop, service http; reference:cve,2013-2362; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?swItem=MTX-df3d68cc03364ce78f1987b83b; classtype:attempted-admin; sid:32971; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt"; flow:to_server,established; content:"/admin/ldapsyncnow.php"; fast_pattern; content:"shell"; distance:0; content:"command="; within:11; metadata:policy max-detect-ips drop, service http; reference:bugtraq,61474; reference:url,exploit-db.com/exploits/27294/; classtype:attempted-admin; sid:32203; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt"; flow:to_server,established; content:"/admin/confpremenu.php"; fast_pattern:only; content:"logdir="; pcre:"/logdir=[^&]*[\x3B\x60\x7C\x24]/si"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,61476; classtype:attempted-admin; sid:32128; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,8443] (msg:"SERVER-WEBAPP Symantec Endpoint Protection Manager Unauthenticated XML External Entity Injection attempt"; flow:to_server,established; content:"/servlet/ConsoleServlet"; fast_pattern:only; http_uri; content:"ENTITY"; nocase; http_client_body; pcre:"/(\x21|%21)ENTITY((?!\x3e|%3e).)*?(SYSTEM|PUBLIC)/Pi"; metadata:policy max-detect-ips drop, service http; reference:cve,2013-5014; reference:cve,2013-5015; classtype:attempted-user; sid:29979; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Tivoli Provisioning Manager express user.updateUserValue sql injection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/tpmx/register.do"; http_uri; content:"|25|2c"; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0199; reference:url,attack.mitre.org/techniques/T1190; classtype:attempted-admin; sid:29756; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP HP SiteScope soap request code execution attempt"; flow:to_server,established; content:"SiteScope/services/APIBSMIntegrationImpl"; fast_pattern:only; http_uri; content:"runOMAgentCommand"; http_client_body; content:"OVCONFGET"; http_client_body; content:"omHost"; http_client_body; pcre:"/<value[^>]*?\>.*?[\x21\x7c\x3a\x40\x24\x23\x25\x5e\x26\x2a\x28\x29].*?<\/value>/iP"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,61506; reference:cve,2013-2367; classtype:attempted-user; sid:29597; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP HP SiteScope soap request code execution attempt"; flow:to_server,established; content:"SiteScope/services/APIBSMIntegrationImpl"; fast_pattern:only; http_uri; content:"runOMAgentCommand"; http_client_body; content:"OPCACTIVATE"; http_client_body; content:"omHost"; http_client_body; pcre:"/<value[^>]*?\>.*?[\x21\x7c\x3a\x40\x24\x23\x25\x5e\x26\x2a\x28\x29].*?<\/value>/iP"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,61506; reference:cve,2013-2367; classtype:attempted-user; sid:29596; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [7080,7443] (msg:"SERVER-WEBAPP PineApp Mail-SeCure test_li_connection.php command injection"; flow:to_server,established; content:"/admin/test_li_connection.php|3F|"; fast_pattern:only; content:"iptest|3D|"; offset:34; pcre:"/iptest\=(\d{1,3}\.){3}\d{1,3}(\x3B|\x253b)/i"; metadata:policy max-detect-ips drop, service http; reference:url,packetstormsecurity.com/files/122591/PineApp-Mail-SeCure-test_li_connection.php-Arbitrary-Command-Execution.html; classtype:attempted-admin; sid:29549; rev:6;)
# EMC Connectrix Manager directory traversal, CVE-2013-6810 / bugtraq 64242. Seven enabled rules, each tagged
# "drop" for the connectivity-ips, balanced-ips, security-ips and max-detect-ips policies:
#   sid 29488 / 29487  hwtype= or swtype= parameter of /inmservlets/ManualBootImageUpload (URI / request body)
#   sid 29486 / 29485  file= parameter of the same servlet (URI / request body)
#   sid 29392 / 29391  filename in a /FileUploadController request (multipart/form-data / form-urlencoded body)
#   sid 29390          driverFolderName: request header on /HttpFileUpload/FileUploadController.do
# The URI rules (29488, 29486) test for the literal "../"; the header rule (29390) for ".." plus "/" or "\";
# the four body rules additionally accept %2e, %2f and %5c.
# NOTE(review): whether encoded sequences reach the http_uri buffer already decoded depends on the http_inspect
# normalization settings -- confirm in this deployment.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP EMC Connectrix Manager ManualBootImageUpload directory traversal attempt"; flow:to_server,established; content:"/inmservlets/ManualBootImageUpload"; fast_pattern:only; http_uri; content:"type="; nocase; http_uri; content:"../"; distance:0; http_uri; pcre:"/[?&][hs]wtype=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,64242; reference:cve,2013-6810; classtype:attempted-admin; sid:29488; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP EMC Connectrix Manager ManualBootImageUpload directory traversal attempt"; flow:to_server,established; content:"/inmservlets/ManualBootImageUpload"; fast_pattern:only; http_uri; content:"type="; nocase; http_client_body; pcre:"/(^|&)[hs]wtype=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pmi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,64242; reference:cve,2013-6810; classtype:attempted-admin; sid:29487; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP EMC Connectrix Manager ManualBootImageUpload directory traversal attempt"; flow:to_server,established; content:"/inmservlets/ManualBootImageUpload"; fast_pattern:only; http_uri; content:"file="; nocase; http_uri; content:"../"; distance:0; http_uri; pcre:"/[?&]file=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,64242; reference:cve,2013-6810; classtype:attempted-admin; sid:29486; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP EMC Connectrix Manager ManualBootImageUpload directory traversal attempt"; flow:to_server,established; content:"/inmservlets/ManualBootImageUpload"; fast_pattern:only; http_uri; content:"file="; nocase; http_client_body; pcre:"/(^|&)file=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pmi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,64242; reference:cve,2013-6810; classtype:attempted-admin; sid:29485; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP EMC Connectrix Manager FileUploadController directory traversal attempt"; flow:to_server,established; content:"/FileUploadController"; fast_pattern:only; http_uri; content:"multipart/form-data"; http_header; content:"filename"; nocase; http_client_body; pcre:"/filename\s*?=\s*?[\x22\x27]?[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,64242; reference:cve,2013-6810; classtype:attempted-admin; sid:29392; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP EMC Connectrix Manager FileUploadController directory traversal attempt"; flow:to_server,established; content:"/FileUploadController"; fast_pattern:only; http_uri; content:"form-urlencoded"; http_header; content:"filename="; nocase; http_client_body; pcre:"/filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,64242; reference:cve,2013-6810; classtype:attempted-admin; sid:29391; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP EMC Connectrix Manager FileUploadController directory traversal attempt"; flow:to_server,established; content:"/HttpFileUpload/FileUploadController.do"; fast_pattern:only; http_uri; content:"driverFolderName|3A|"; nocase; http_header; pcre:"/^driverFolderName\x3a[^\r\n]*?\x2e\x2e[\x2f\x5c]/Hmi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,64242; reference:cve,2013-6810; classtype:attempted-admin; sid:29390; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Zimbra remote code execution attempt"; flow:to_server,established; content:"/messages/"; fast_pattern:only; http_uri; content:"skin="; nocase; http_uri; content:"../"; distance:0; http_uri; pcre:"/[?&]skin=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,64149; reference:cve,2013-7091; classtype:attempted-admin; sid:29193; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Zimbra remote code execution attempt"; flow:to_server,established; content:"/keys/"; fast_pattern:only; http_uri; content:"skin="; nocase; http_uri; content:"../"; distance:0; http_uri; pcre:"/[?&]skin=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,64149; reference:cve,2013-7091; classtype:attempted-admin; sid:29192; rev:7;)
# Cisco Prime Data Center Network Manager FileUploadServlet arbitrary file upload, CVE-2013-5486
# (cisco-sa-20130918-dcnm). Both rules are enabled and tagged "drop" for the connectivity-ips, balanced-ips,
# security-ips and max-detect-ips policies. Both anchor on "/fileUpload" within the first 11 bytes of the URI
# (depth:11), then inspect the uploadDir field in the request body:
#   sid 29142  multipart/form-data request whose body carries "file_system" and a name=uploadDir part
#   sid 29141  body carrying action=file_system, task=upload and uploadDir=
# The pcre fires when the uploadDir text holds a two-dot traversal ("." or %2e twice, then "/", "\", %2f or %5c)
# or a path that starts with "C:\" (raw or percent-encoded).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Prime Data Center Network Manager FileUploadServlet arbitrary file upload attempt"; flow:to_server,established; content:"/fileUpload"; depth:11; nocase; http_uri; content:"multipart/form-data"; http_header; content:"file_system"; fast_pattern:only; http_client_body; content:"uploadDir"; nocase; http_client_body; pcre:"/name\s*?=\s*?[\x22\x27]?uploadDir[^\x3b]+?(?:(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)|C(\x3a|%3a)(\x5c|%5c))/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,62484; reference:cve,2013-5486; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130918-dcnm; classtype:attempted-admin; sid:29142; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Prime Data Center Network Manager FileUploadServlet arbitrary file upload attempt"; flow:to_server,established; content:"/fileUpload"; depth:11; nocase; http_uri; content:"action=file_system"; fast_pattern:only; http_client_body; content:"task=upload"; nocase; http_client_body; content:"uploadDir="; nocase; http_client_body; pcre:"/(^|&)uploadDir=[^&]*?(?:(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)|C(\x3a|%3a)(\x5c|%5c))/Pmi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,62484; reference:cve,2013-5486; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130918-dcnm; classtype:attempted-admin; sid:29141; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine DesktopCentral agentLogUploader servlet directory traversal attempt"; flow:to_server,established; content:"LogUploader"; fast_pattern:only; http_uri; content:".."; http_uri; pcre:"/[?&](filename|customerid|computerName|domainName)=[^&]*?\x2e\x2e/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,63784; reference:bugtraq,69491; reference:bugtraq,69493; reference:cve,2013-7390; reference:cve,2014-5006; reference:cve,2014-5007; classtype:web-application-attack; sid:29105; rev:10;)
# Cisco Prime Data Center Network Manager processImageSave.jsp directory traversal, CVE-2013-5486
# (cisco-sa-20130918-dcnm). Both rules are enabled and tagged "drop" for the connectivity-ips, balanced-ips,
# security-ips and max-detect-ips policies. Both require "/cues_utility/charts/processImageSave.jsp" in the URI:
#   sid 29042  chartid= in the URI followed by "../" (the pcre matches the literal "../" only)
#   sid 29041  chartid= in the request body; the pcre also accepts %2e, "\", %2f and %5c
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Prime Data Center Network Manager processImageSave.jsp directory traversal attempt"; flow:to_server,established; content:"/cues_utility/charts/processImageSave.jsp"; fast_pattern:only; http_uri; content:"chartid="; nocase; http_uri; content:"../"; distance:0; nocase; http_uri; pcre:"/[?&]chartid=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,62484; reference:cve,2013-5486; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130918-dcnm; classtype:attempted-admin; sid:29042; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Prime Data Center Network Manager processImageSave.jsp directory traversal attempt"; flow:to_server,established; content:"/cues_utility/charts/processImageSave.jsp"; fast_pattern:only; http_uri; content:"chartid="; nocase; http_client_body; pcre:"/(^|&)chartid=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,62484; reference:cve,2013-5486; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130918-dcnm; classtype:attempted-admin; sid:29041; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Zimbra remote code execution attempt"; flow:to_server,established; content:"/res/"; fast_pattern:only; http_uri; content:"skin="; nocase; http_uri; content:"../"; distance:0; http_uri; pcre:"/[?&]skin=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,64149; reference:cve,2013-7091; classtype:attempted-admin; sid:29040; rev:8;)
# Zimbra skin= traversal. sid 29027 is the only enabled Zimbra rule in this part of the file; the generic skin=
# rules for CVE-2013-7091 (sid 29193, 29192 and 29040) are commented out. This rule is an exact-string signature:
# the full request path and query in the content below must appear verbatim, and only traffic to port 7071 is
# inspected. The content carries no http_uri modifier, so it is compared against the payload rather than the
# normalized URI buffer.
# NOTE(review): coverage from this rule alone is narrow. If Zimbra is in scope, evaluate enabling the generic
# sids as well and confirm the server is patched.
alert tcp $EXTERNAL_NET any -> $HOME_NET 7071 (msg:"SERVER-WEBAPP Zimbra remote code execution attempt"; flow:to_server,established; content:"/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploit-db.com/exploits/30085/; classtype:attempted-admin; sid:29027; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP LoadRunner Virtual User Generator EmulationAdmin directory traversal attempt"; flow:to_server,established; content:"/ServiceEmulation/services/EmulationAdmin"; fast_pattern:only; http_uri; content:"FilePath"; nocase; http_client_body; pcre:"/<FilePath[^>]*?>[^<]*?(\x2e|%2e){2}([\x5c\x2f]|%5c|%2f)/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,63476; reference:cve,2013-4838; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03969437; classtype:attempted-admin; sid:29019; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP LoadRunner Virtual User Generator EmulationAdmin getReport SQL injection attempt"; flow:to_server,established; content:"/ServiceEmulation/services/EmulationAdmin"; fast_pattern:only; http_uri; content:"|3A|getReport"; nocase; http_client_body; pcre:"/<in[^>]*?>[^<]*?(\x3b|(\x2d|%2d){2}|%3b)/Pi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,63477; reference:cve,2013-4839; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03969437; classtype:attempted-admin; sid:29018; rev:8;)
# HP LoadRunner Virtual User Generator EmulationAdmin directory traversal (CVE-2013-4837).
# Same endpoint as sid:29019, but the body match is on any tag text containing ":string"
# (presumably an xsd:string-typed SOAP argument - confirm against the advisory), followed
# by ">" and element text containing ".." plus "/" or "\", raw or percent-encoded.
# The pcre runs on the request body (P) and is case-insensitive (i).
# NOTE(review): ":string" is a generic token on this endpoint; since the policies below
# drop, watch for false positives on legitimate path-valued arguments.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP LoadRunner Virtual User Generator EmulationAdmin directory traversal attempt"; flow:to_server,established; content:"/ServiceEmulation/services/EmulationAdmin"; fast_pattern:only; http_uri; content:"|3A|string"; nocase; http_client_body; pcre:"/\x3astring[^>]*?>[^<]*?(\x2e|%2e){2}([\x5c\x2f]|%5c|%2f)/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,63475; reference:cve,2013-4837; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03969437; classtype:attempted-admin; sid:29017; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP HP SiteScope issuesiebelcmd soap request code execution attempt"; flow:to_server,established; content:"/SiteScope/services/APISiteScopeImpl"; fast_pattern:only; http_uri; content:"issueSiebelCmd"; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2013-4835; classtype:attempted-user; sid:28937; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8000: (msg:"SERVER-WEBAPP SAP NetWeaver SXPG_CALL_SYSTEM remote code execution attempt"; flow:to_server,established; content:"/sap/bc/soap/rfc"; fast_pattern:only; content:":SXPG_CALL_SYSTEM"; nocase; pcre:"/<ADDITIONAL_PARAMETERS>.*(&amp\;|&#38\;|\!|&#33\;).*?<COMMANDNAME>(LIST_DB2DUMP|DBMCLI)<\/COMMANDNAME>/s"; metadata:policy max-detect-ips drop, service http; reference:url,cwe.mitre.org/data/definitions/77.html; classtype:attempted-user; sid:28746; rev:7;)
# HP Intelligent Management Center BIMS UploadServlet arbitrary file upload (CVE-2013-4822).
# Fires on a PUT whose URI contains /upload/upload? and a fileName= parameter whose value
# contains either "../" or ".jsp" (the pcre does not anchor ".jsp" to the end of the value).
# Both content checks and the pcre (U modifier) use the URI buffer produced by the HTTP
# preprocessor, so handling of percent-encoded forms depends on its normalization settings.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center BIMS UploadServlet arbitrary file upload attempt"; flow:to_server,established; content:"PUT"; http_method; content:"/upload/upload?"; fast_pattern:only; http_uri; content:"fileName="; nocase; http_uri; pcre:"/[?&]fileName=[^&]*?(\x2e\x2e\x2f|\x2ejsp)/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,62895; reference:cve,2013-4822; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03943425; classtype:attempted-admin; sid:28407; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Tivoli Provisioning Manager express user.updateUserValue sql injection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/tpmx/register.do"; http_uri; content:","; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0199; reference:url,attack.mitre.org/techniques/T1190; classtype:attempted-admin; sid:28278; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Avaya IP Office Customer Call Reporter invalid file upload attempt"; flow:to_server,established; content:"/CCRWebClient/Wallboard/ImageUpload.ashx"; fast_pattern:only; http_uri; content:"RadUAG_fileName"; nocase; http_client_body; content:!"multipart/form-data"; http_header; pcre:"/RadUAG_fileName=[^&]+?\.(asa|ascx|ashx|asmx|aspx|axd|config|dll|htm|shtm|asp|bat|com|exe|jsp|php|sys|txt|vbs|virus)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54225; reference:cve,2012-3811; reference:url,downloads.avaya.com/css/P8/documents/100164021; classtype:attempted-admin; sid:27862; rev:9;)
# HP System Management command injection (CVE-2013-3576), two sibling rules.
# Both require /smhutil/snmpchp/ in the URI buffer; sid:27105 additionally requires a
# ";" (|3B|) and sid:27104 a "&&" somewhere in the same buffer. The second content has
# no distance/within, so the separator is not tied to a position after the path.
# There is no pcre: any request to this path carrying either token matches.
# NOTE(review): these are drop rules under balanced/security policies; confirm that no
# legitimate client in the environment sends ";" or "&&" in URIs under this path.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP System Management arbitrary command injection attempt"; flow:to_server,established; content:"/smhutil/snmpchp/"; fast_pattern:only; http_uri; content:"|3B|"; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,60471; reference:cve,2013-3576; classtype:attempted-admin; sid:27105; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP System Management arbitrary command injection attempt"; flow:to_server,established; content:"/smhutil/snmpchp/"; fast_pattern:only; http_uri; content:"&&"; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,60471; reference:cve,2013-3576; classtype:attempted-admin; sid:27104; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Novell ZENworks Mobile Management mdm.php directory traversal attempt"; flow:to_server,established; content:"/mdm.php"; fast_pattern:only; http_uri; content:"language="; nocase; http_client_body; content:"../"; distance:0; http_client_body; metadata:policy max-detect-ips drop, service http; reference:bugtraq,58402; reference:cve,2013-1081; reference:url,www.novell.com/support/kb/doc.php?id=7011895; classtype:attempted-admin; sid:27030; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Novell ZENworks Mobile Management mdm.php directory traversal attempt"; flow:to_server,established; content:"/mdm.php"; fast_pattern:only; http_uri; content:"language="; nocase; http_client_body; content:"..|5C|"; distance:0; http_client_body; metadata:policy max-detect-ips drop, service http; reference:bugtraq,58402; reference:cve,2013-1081; reference:url,www.novell.com/support/kb/doc.php?id=7011895; classtype:attempted-admin; sid:27029; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Novell ZENworks Mobile Management mdm.php directory traversal attempt"; flow:to_server,established; content:"/mdm.php?"; fast_pattern:only; http_uri; content:"language="; nocase; http_uri; content:"../"; distance:0; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,58402; reference:cve,2013-1081; reference:url,www.novell.com/support/kb/doc.php?id=7011895; classtype:attempted-admin; sid:27028; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Novell ZENworks Mobile Management dusap.php directory traversal attempt"; flow:to_server,established; content:"/dusap.php"; fast_pattern:only; http_uri; content:"language="; nocase; http_client_body; content:"../"; distance:0; http_client_body; metadata:policy max-detect-ips drop, service http; reference:bugtraq,60179; reference:cve,2013-1082; reference:url,www.novell.com/support/kb/doc.php?id=7011896; classtype:attempted-admin; sid:27020; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Novell ZENworks Mobile Management dusap.php directory traversal attempt"; flow:to_server,established; content:"/dusap.php"; fast_pattern:only; http_uri; content:"language="; nocase; http_client_body; content:"..|5C|"; distance:0; http_client_body; metadata:policy max-detect-ips drop, service http; reference:bugtraq,60179; reference:cve,2013-1082; reference:url,www.novell.com/support/kb/doc.php?id=7011896; classtype:attempted-admin; sid:27019; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Novell ZENworks Mobile Management dusap.php directory traversal attempt"; flow:to_server,established; content:"/dusap.php?"; fast_pattern:only; http_uri; content:"language="; nocase; http_uri; content:"../"; distance:0; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,60179; reference:cve,2013-1082; reference:url,www.novell.com/support/kb/doc.php?id=7011896; classtype:attempted-admin; sid:27018; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LANDesk Thinkmanagement Suite ServerSetup directory traversal attempt"; flow:to_server,established; content:"POST"; http_method; content:"/WSVulnerabilityCore/VulCore.asmx"; fast_pattern:only; http_uri; content:"<SetTaskLogByFile"; nocase; http_client_body; content:"<filename"; within:200; nocase; http_client_body; content:"../"; within:4; nocase; http_client_body; metadata:policy max-detect-ips drop, service http; reference:bugtraq,52023; reference:cve,2012-1195; reference:cve,2012-1196; classtype:attempted-user; sid:26704; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView NNM webappmon.exe buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/webappmon.exe"; fast_pattern:only; http_uri; content:"sel="; nocase; http_uri; isdataat:1023,relative; content:!"&"; within:1023; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,41829; reference:cve,2010-2703; classtype:attempted-admin; sid:26548; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpMyAdmin preg_replace remote code execution attempt"; flow:to_server,established; content:"/db_structure.php"; fast_pattern:only; http_uri; content:"prefix="; nocase; http_client_body; pcre:"/from(%5f|_)prefix=[^&]*?(%2f|\/)[^&]*?e[^&]*?(%00|\x00)/iP"; metadata:policy max-detect-ips drop, service http; reference:cve,2013-3238; reference:url,www.phpmyadmin.net/home_page/security/PMASA-2013-2.php; classtype:attempted-admin; sid:26547; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP System Management iprange parameter buffer overflow attempt"; flow:to_server,established; content:"/proxy/DataValidation"; fast_pattern:only; http_uri; content:"iprange="; nocase; http_uri; isdataat:68,relative; pcre:"/[?&]iprange=[^&]{68}/iU"; metadata:policy max-detect-ips drop, service http; reference:cve,2013-2362; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?swItem=MTX-df3d68cc03364ce78f1987b83b; classtype:attempted-admin; sid:26418; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center mibFileUpload servlet arbitrary file upload attempt"; flow:to_server,established; content:"/imc/webdm/mibbrowser/mibFileUpload"; fast_pattern:only; http_uri; content:"..|5C|..|5C|..|5C|..|5C|"; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,58385; reference:cve,2012-5201; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; classtype:attempted-admin; sid:26417; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center mibFileUpload servlet arbitrary file upload attempt"; flow:to_server,established; content:"/imc/webdm/mibbrowser/mibFileUpload"; fast_pattern:only; http_uri; content:"../../../../"; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,58385; reference:cve,2012-5201; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; classtype:attempted-admin; sid:26416; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress wp-banners-lite plugin cross site scripting attempt"; flow:to_server,established; content:"wpbanners_show.php"; nocase; http_uri; content:"cid="; distance:0; http_uri; pcre:"/wpbanners_show\.php.*?[?&]cid=[^&]*?([^\x26]*[\x22\x27\x3C\x3E\x28\x29\x3B]|script|src|location|document)/Ui"; metadata:policy max-detect-ips drop, service http; reference:url,seclists.org/fulldisclosure/2013/Mar/209; classtype:web-application-attack; sid:26263; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios Core get_history buffer overflow attempt"; flow:to_server,established; content:"/cgi-bin/history.cgi"; fast_pattern:only; http_uri; content:"/nagios"; nocase; http_uri; urilen:>1024; content:"host="; nocase; http_uri; pcre:"/host=[^&]{1024}/iU"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,56879; reference:cve,2012-6096; classtype:attempted-admin; sid:25586; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sonicwall Global Management System authentication bypass attempt"; flow:to_server,established; content:"/appliance/applianceMainPage"; http_uri; content:"skipSessionCheck=1"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,57445; reference:cve,2013-1359; classtype:attempted-admin; sid:25534; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec IM Manager Web interface arbitrary command execution attempt"; flow:to_server,established; content:"IMManager|2F|rdProcess.aspx"; fast_pattern:only; http_uri; pcre:"/[?&]rdProcess\=(\x5c\x5c|%5c%5c)/iI"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,49742; reference:cve,2011-0554; classtype:attempted-user; sid:25345; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4322 (msg:"SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt"; flow:to_server,established; content:"..|5C|..|5C|..|5C|"; depth:9; offset:1; metadata:policy max-detect-ips drop; reference:bugtraq,50675; reference:cve,2011-4051; classtype:attempted-admin; sid:25319; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4322 (msg:"SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt"; flow:to_server,established; content:"C|3A 5C|"; depth:3; offset:6; metadata:policy max-detect-ips drop; reference:bugtraq,50675; reference:cve,2011-4051; classtype:attempted-admin; sid:25318; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP htmlspecialchars htmlentities function buffer overflow attempt"; flow:to_server,established; content:".php"; http_uri; content:"&#"; fast_pattern:only; http_uri; pcre:"/&#x?[0-9a-f]{40}/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,51860; reference:url,bugs.php.net/bug.php?id=60965; classtype:attempted-admin; sid:25063; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView NNM ovutil.dll getProxiedStorageAddress buffer overflow attempt"; flow:to_server,established; content:"/OvCgi/"; depth:7; http_uri; content:".exe"; nocase; http_uri; content:"arg="; nocase; http_client_body; pcre:"/[?&]arg=(?![^&]*?-)[^&]{190}/iP"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40638; reference:cve,2010-1961; classtype:attempted-user; sid:24914; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 383 (msg:"SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_coda; content:"|00 00 00 A0|"; depth:12; offset:12; http_client_body; byte_jump:2,8,relative; byte_jump:2,0,relative; byte_jump:2,0,relative; byte_jump:2,0,relative; byte_test:2,>,1024,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54362; reference:cve,2012-2019; reference:cve,2012-2020; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03397769; classtype:attempted-admin; sid:24836; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 383 (msg:"SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_coda; content:"|00 00 00 A0|"; depth:12; offset:12; http_client_body; byte_jump:2,8,relative; byte_jump:2,0,relative; byte_jump:2,0,relative; byte_test:2,>,1024,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54362; reference:cve,2012-2019; reference:cve,2012-2020; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03397769; classtype:attempted-admin; sid:24835; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 383 (msg:"SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_coda; content:"|00 00 00 A0|"; depth:12; offset:12; http_client_body; byte_jump:2,8,relative; byte_jump:2,0,relative; byte_test:2,>,1024,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54362; reference:cve,2012-2019; reference:cve,2012-2020; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03397769; classtype:attempted-admin; sid:24834; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 383 (msg:"SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_coda; content:"|00 00 00 A0|"; depth:12; offset:12; http_client_body; byte_jump:2,8,relative; byte_test:2,>,1024,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54362; reference:cve,2012-2019; reference:cve,2012-2020; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03397769; classtype:attempted-admin; sid:24833; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 383 (msg:"SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_coda; content:"|00 00 00 A0|"; depth:12; offset:12; http_client_body; byte_test:2,>,1024,8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54362; reference:cve,2012-2019; reference:cve,2012-2020; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03397769; classtype:attempted-admin; sid:24832; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 383 (msg:"SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_coda; content:"|00 00 00 96|"; depth:12; offset:12; http_client_body; byte_jump:2,8,relative,post_offset 12; byte_jump:2,0,relative; byte_test:2,>,1024,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54362; reference:cve,2012-2019; reference:cve,2012-2020; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03397769; classtype:attempted-admin; sid:24831; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 383 (msg:"SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_coda; content:"|00 00 00 96|"; depth:12; offset:12; http_client_body; byte_jump:2,8,relative,post_offset 12; byte_test:2,>,1024,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54362; reference:cve,2012-2019; reference:cve,2012-2020; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03397769; classtype:attempted-admin; sid:24830; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 383 (msg:"SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_coda; content:"|00 00 00 96|"; depth:12; offset:12; http_client_body; byte_test:2,>,1024,8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54362; reference:cve,2012-2019; reference:cve,2012-2020; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03397769; classtype:attempted-admin; sid:24829; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 383 (msg:"SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_coda; content:"|00 00 00 8C|"; depth:12; offset:12; http_client_body; byte_jump:2,8,relative,post_offset 12; byte_jump:2,0,relative; byte_test:2,>,1024,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54362; reference:cve,2012-2019; reference:cve,2012-2020; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03397769; classtype:attempted-admin; sid:24828; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 383 (msg:"SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_coda; content:"|00 00 00 8C|"; depth:12; offset:12; http_client_body; byte_jump:2,8,relative,post_offset 12; byte_test:2,>,1024,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54362; reference:cve,2012-2019; reference:cve,2012-2020; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03397769; classtype:attempted-admin; sid:24827; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Tivoli Provisioning Manager Express asset.getmimetype sql injection attempt"; flow:to_server,established; content:"/tpmx/getAttachment"; fast_pattern:only; http_uri; pcre:"/^.*?\/tpmx\/getAttachment.*?file(Type|Name)=[^&$]*?\x27/iU"; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0199; reference:url,attack.mitre.org/techniques/T1190; classtype:attempted-user; sid:24801; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Netop Remote Control dws file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.dws; file_data; pcre:"/[^\x0d\x0a]{520}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,47631; classtype:attempted-user; sid:24706; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CA Total Defense management.asmx sql injection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/UNCWS/Management.asmx"; fast_pattern:only; http_uri; content:"SOAP"; nocase; http_header; pcre:"/<SelectedID>[^<]+?(\x3B|%3B)/miP"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,47355; reference:cve,2011-1653; reference:url,attack.mitre.org/techniques/T1190; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={CD065CEC-AFE2-4D9D-8E0B-BE7F6E345866}; classtype:attempted-admin; sid:24705; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CA Total Defense management.asmx sql injection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/UNCWS/Management.asmx"; fast_pattern:only; http_uri; content:!"SOAP"; nocase; http_header; pcre:"/(^|&)SelectedID=[^&]+?(\x3B|%3B)/miP"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,47355; reference:cve,2011-1653; reference:url,attack.mitre.org/techniques/T1190; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={CD065CEC-AFE2-4D9D-8E0B-BE7F6E345866}; classtype:attempted-admin; sid:24704; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView CGI parameter buffer overflow attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/OvCgi/"; http_uri; pcre:"/\/OvCgi\/(jovgraph|webappmon)\.exe/iU"; content:"-textfile+"; nocase; http_client_body; isdataat:201; content:!"+"; within:201; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2010-1551; reference:cve,2010-1552; reference:cve,2010-1553; reference:cve,2010-1554; reference:cve,2010-1555; reference:cve,2010-1960; reference:cve,2010-1961; reference:cve,2011-3167; classtype:attempted-user; sid:24693; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Avaya IP Office Customer Call Reporter invalid file upload attempt"; flow:to_server,established; content:"/CCRWebClient/Wallboard/ImageUpload.ashx"; fast_pattern:only; http_uri; content:"RadUAG_fileName"; nocase; http_client_body; content:"multipart/form-data"; http_header; pcre:"/name=[\x22\x27]RadUAG_fileName[\x22\x27][\x0d\x0a]+?[^\x0d\x0a\x20]+?\.(asa|ascx|ashx|asmx|aspx|axd|config|dll|htm|shtm|asp|bat|com|exe|jsp|php|sys|txt|vbs|virus)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54225; reference:cve,2012-3811; reference:url,downloads.avaya.com/css/P8/documents/100164021; classtype:attempted-admin; sid:24520; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell ZENworks Asset Management default admin credentials function call attempt"; flow:to_server,established; content:"/rtrlet/rtr"; fast_pattern:only; http_uri; content:"username=ivanhoe"; nocase; http_uri; content:"password=scott"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2012-4933; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.kb.cert.org/vuls/id/332412; classtype:attempted-admin; sid:24436; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell ZENworks Asset Management default admin credentials function call attempt"; flow:to_server,established; content:"/rtrlet/rtr"; fast_pattern:only; http_uri; content:"username=ivanhoe"; nocase; http_client_body; content:"password=scott"; nocase; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2012-4933; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.kb.cert.org/vuls/id/332412; classtype:attempted-admin; sid:24435; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP XML entity parsing information disclosure attempt"; flow:to_server,established; content:"<!DOCTYPE "; nocase; http_client_body; content:"<!ENTITY"; distance:0; nocase; http_client_body; pcre:"/<!ENTITY[^>]*?(SYSTEM|PUBLIC)/Pi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,65051; reference:cve,2010-2076; reference:cve,2012-3363; reference:cve,2013-4152; reference:cve,2013-5014; reference:cve,2013-6447; reference:cve,2015-1818; reference:cve,2015-6662; reference:cve,2017-5644; classtype:attempted-recon; sid:24339; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 383 (msg:"SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_coda; content:"|00 00 00 8C|"; depth:12; offset:12; http_client_body; byte_test:2,>,1024,8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54362; reference:cve,2012-2019; reference:cve,2012-2020; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03397769; classtype:attempted-admin; sid:24320; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 383 (msg:"SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_coda; content:"|00 00 00 82|"; depth:12; offset:12; http_client_body; byte_jump:2,12,relative; byte_jump:2,0,relative; byte_test:2,>,1024,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54362; reference:cve,2012-2019; reference:cve,2012-2020; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03397769; classtype:attempted-admin; sid:24319; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 383 (msg:"SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_coda; content:"|00 00 00 82|"; depth:12; offset:12; http_client_body; byte_jump:2,12,relative; byte_test:2,>,1024,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54362; reference:cve,2012-2019; reference:cve,2012-2020; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03397769; classtype:attempted-admin; sid:24318; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 383 (msg:"SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_coda; content:"|00 00 00 82|"; depth:12; offset:12; http_client_body; byte_test:2,>,1024,12,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54362; reference:cve,2012-2019; reference:cve,2012-2020; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03397769; classtype:attempted-admin; sid:24317; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 383 (msg:"SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_coda; content:"|00 00 00 78|"; depth:12; offset:12; http_client_body; byte_jump:2,12,relative; byte_jump:2,0,relative; byte_test:2,>,1024,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54362; reference:cve,2012-2019; reference:cve,2012-2020; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03397769; classtype:attempted-admin; sid:24316; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 383 (msg:"SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_coda; content:"|00 00 00 78|"; depth:12; offset:12; http_client_body; byte_jump:2,12,relative; byte_test:2,>,1024,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54362; reference:cve,2012-2019; reference:cve,2012-2020; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03397769; classtype:attempted-admin; sid:24315; rev:9;)
# Flowbit setter for the HP OpenView Operations Agent rules (CVE-2012-2019, CVE-2012-2020).
# On client-to-server traffic to port 383 whose URI contains /Hewlett-Packard/OpenView/Coda
# it sets the flowbit hp_openview_coda; flowbits:noalert means this rule never produces an
# event of its own.
# The "HP OpenView Operations Agent buffer overflow attempt" rules in this part of the file
# all test flowbits:isset,hp_openview_coda and are shipped commented out. They can only
# match while this setter is enabled, and this setter detects nothing without them.
# Enable or disable the setter and its dependants together.
alert tcp $EXTERNAL_NET any -> $HOME_NET 383 (msg:"SERVER-WEBAPP HP OpenView Operations Agent request attempt"; flow:to_server,established; content:"/Hewlett-Packard/OpenView/Coda"; fast_pattern:only; http_uri; flowbits:set,hp_openview_coda; flowbits:noalert; metadata:policy max-detect-ips drop, service http; reference:cve,2012-2019; reference:cve,2012-2020; classtype:misc-activity; sid:24313; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP SiteScope APISiteScopeImpl information disclosure attempt"; flow:to_server,established; content:"POST"; http_method; content:"/APISiteScopeImpl"; http_uri; content:"impl:getFileInternal"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,55269; reference:cve,2012-3259; classtype:web-application-activity; sid:24292; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP SiteScope APISiteScopeImpl information disclosure attempt"; flow:to_server,established; content:"POST"; http_method; content:"/APISiteScopeImpl"; http_uri; content:"impl:getSiteScopeConfiguration"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,55269; reference:cve,2012-3259; classtype:web-application-activity; sid:24291; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9850 (msg:"SERVER-WEBAPP Novell GroupWise Internet Agent content-length integer overflow attempt"; flow:to_server,established; content:"Content-Length: -"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,55551; reference:cve,2012-0271; classtype:attempted-admin; sid:24239; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP socket_connect buffer overflow attempt"; flow:to_server,established; file_data; content:"$padd = str_repeat(|22|A|22|, 196)"; content:"$evil = $padd.$payload"; distance:0; fast_pattern; content:"socket_create(AF_UNIX, SOCK_STREAM, 1)"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,49241; reference:cve,2011-1938; classtype:attempted-user; sid:24195; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1128,50013] (msg:"SERVER-WEBAPP SAP NetWeaver SOAP interface command injection attempt"; flow:to_server,established; content:"<sapsess|3A|Session"; fast_pattern; nocase; content:"<SOAP-ENV|3A|Body>"; distance:0; nocase; content:"<mKey>Database/Name</mKey>"; distance:0; nocase; content:"<mValue"; distance:0; nocase; pcre:"/^>[^<]+?[\r\n]+?\x21/R"; metadata:policy max-detect-ips drop, service http; reference:url,securitytracker.com/id?1027406; classtype:attempted-admin; sid:24091; rev:8;)
# Commented out in this copy. This rule and the three after it (sids 23960, 23959,
# 23958) all require flowbits:isset,hp_openview_coda, which is set by sid 24313 earlier
# in this file; enabling any of them without sid 24313 leaves them unable to match.
# 23961, 23960 and 23959 differ in the number of byte_jump steps taken before the
# byte_test:2,>,1024 check; 23958 relies on its pcre alone.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 383 (msg:"SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_coda; content:"|0D 0A|"; depth:5; offset:3; http_client_body; pcre:"/^\w+\r?\n.{12}\x00{3}[\x32\x34\x6e\xaa\xac].{8}/P"; byte_jump:2,24,relative,post_offset 8; byte_jump:2,0,relative; byte_jump:2,0,relative; byte_test:2,>,1024,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54362; reference:cve,2012-2019; reference:cve,2012-2020; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03397769; classtype:attempted-admin; sid:23961; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 383 (msg:"SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_coda; content:"|0D 0A|"; depth:5; offset:3; http_client_body; pcre:"/^\w+\r?\n.{12}\x00{3}[\x32\x34\x6e\xaa\xac].{8}/P"; byte_jump:2,24,relative,post_offset 8; byte_jump:2,0,relative; byte_test:2,>,1024,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54362; reference:cve,2012-2019; reference:cve,2012-2020; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03397769; classtype:attempted-admin; sid:23960; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 383 (msg:"SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_coda; content:"|0D 0A|"; depth:5; offset:3; http_client_body; pcre:"/^\w+\r?\n.{12}\x00{3}[\x32\x34\x6e\xaa\xac].{8}/P"; byte_jump:2,24,relative,post_offset 8; byte_test:2,>,1024,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-2019; reference:cve,2012-2020; classtype:attempted-admin; sid:23959; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 383 (msg:"SERVER-WEBAPP HP OpenView Operations Agent buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_coda; content:"|0D 0A|"; depth:5; offset:3; http_client_body; pcre:"/^\w+\r?\n.{12}\x00{3}([\x32\x34\x6e\xaa\xac].{8}|[\x78\x82].{12}|[\x8c\x96].{8}|\xa0.{8})[\x04-\xff]/P"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-2019; reference:cve,2012-2020; classtype:attempted-admin; sid:23958; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Web Gateway blocked.php blind sql injection attempt"; flow:to_server,established; content:"/blocked.php"; fast_pattern:only; http_uri; content:"id="; nocase; http_uri; pcre:"/[\x3f\x26]id=\d*?[\x28\x29\x22\x27]/isU"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,54424; reference:cve,2012-2574; reference:url,attack.mitre.org/techniques/T1190; classtype:attempted-user; sid:23934; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Web Gateway pbcontrol.php filename parameter command injection attempt"; flow:to_server,established; content:"/spywall/pbcontrol.php"; fast_pattern:only; http_uri; content:"filename="; nocase; http_uri; pcre:"/[?&]filename=[^&]*?[\x22\x27][^&]*?\x3B/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,54426; reference:cve,2012-2953; classtype:attempted-admin; sid:23783; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish server REST interface cross site request forgery attempt"; flow:to_server,established; content:"POST"; http_method; content:"/management/domain/applications/application"; fast_pattern:only; http_uri; content:"Content-Disposition:"; http_client_body; content:".war"; http_client_body; pcre:"/Content-Disposition\x3a[^\n]+filename\s*=\s*[\x22\x27][^\x22\x27]*?\.war[\x22\x27]/iP"; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0550; classtype:attempted-user; sid:23401; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8300 (msg:"SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt"; flow:to_server,established; content:"/login"; nocase; http_uri; content:"tag=NM_A_PARM1"; fast_pattern:only; content:"type=12"; nocase; content:"cmd="; nocase; content:"val="; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,52056; reference:url,aluigi.altervista.org/adv/nmma_1-adv.txt; classtype:attempted-admin; sid:23385; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8300 (msg:"SERVER-WEBAPP Novell Groupwise Messenger parameter memory corruption attempt"; flow:to_server,established; content:"POST /createsearch HTTP/1.0"; depth:27; content:"|0D 0A 0D 0A|"; within:4; content:"cmd=0"; distance:0; nocase; content:"val="; nocase; content:"type=9"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,aluigi.altervista.org/adv/nmma_3-adv.txt; classtype:attempted-admin; sid:23384; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Novell iManager buffer overflow attempt"; flow:to_server,established; content:"POST"; http_method; content:"/nps/servlet/webacc"; nocase; http_uri; content:"EnteredAttrName="; fast_pattern:only; http_client_body; pcre:"/EnteredAttrName=[^&]{32}/iP"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-4188; reference:url,novell.com/support/kb/doc.php?id=7002971; classtype:attempted-admin; sid:23354; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LANDesk Thinkmanagement Suite ServerSetup directory traversal attempt"; flow:to_server,established; content:"POST"; http_method; content:"/landesk/managementsuite/core/core.anonymous/ServerSetup.asmx"; fast_pattern:only; http_uri; content:"<RunAMTCommand"; nocase; http_client_body; content:"-PutUpdateFileCore"; distance:0; nocase; http_client_body; metadata:policy max-detect-ips drop, service http; reference:bugtraq,52023; reference:cve,2012-1195; reference:cve,2012-1196; classtype:attempted-user; sid:23258; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Web Gateway timer.php cross site scripting attempt"; flow:established,to_server; content:"/spywall/timer.php"; fast_pattern:only; http_uri; pcre:"/\/spywall\/timer\.php\?[^\s]*?(<|&lt)/U"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,53396; reference:cve,2012-0296; classtype:web-application-attack; sid:23177; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish Enterprise server cross site scripting attempt"; flow:to_server,established; content:"/common/appServer/pswdAliasNew|2E|jsf"; fast_pattern:only; http_uri; pcre:"/aliasNameNew=[^\x26]+(script|onload|onmouseover|\x27|\x22|\x3c|\x3e|src)/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0551; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html; classtype:web-application-attack; sid:23047; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish Enterprise server cross site scripting attempt"; flow:to_server,established; content:"/management/domain/create-password-alias"; fast_pattern:only; http_uri; pcre:"/id=[^\x26]+(script|onload|onmouseover|\x27|\x22|\x3c|\x3e|src)/i"; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0551; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html; classtype:web-application-attack; sid:23046; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP EXIF header parsing integer overflow attempt big endian"; flow:to_server,established; content:"Exif|00 00 4D 4D 00 2A 00 00 00 08|"; http_client_body; content:"|90 03 00 02|"; distance:0; http_client_body; byte_test:4,>,2048,0,relative; metadata:policy max-detect-ips drop, service http; reference:cve,2011-4566; classtype:web-application-attack; sid:22950; rev:9;)
# Enabled, and set to drop under the balanced-ips, security-ips and max-detect-ips
# policies. The only match condition is the string "/jmx-console/" in the URI of a
# client request from $EXTERNAL_NET to $HTTP_SERVERS, so it fires on every access to
# the console path, legitimate administration included (classtype attempted-recon).
# If administrators reach the console from addresses that fall inside $EXTERNAL_NET,
# expect those requests to be blocked in inline mode; prefer removing external exposure
# of the console, or tune this sid for the known management sources.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP JBoss JMX console access attempt"; flow:to_server,established; content:"/jmx-console/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-1036; reference:cve,2013-2185; reference:url,docs.jboss.org/jbossas/6/Admin_Console_Guide/en-US/pdf/Admin_Console_Guide.pdf; classtype:attempted-recon; sid:21516; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec IM Manager Administrator console site injection attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/IMMAnager/User/IMUserEditKeywordAction.asp?action="; fast_pattern:only; http_uri; content:"KeywordValue="; http_client_body; pcre:"/KeywordValue=[^\x26\s]*[\x2F\x5C\x5E\x24\x2A\x2B\x3F\x28\x29\x2E\x7C\x5B\x5D\x7E\x3E\x3C]/iP"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-0554; classtype:attempted-user; sid:21060; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8093,8094] (msg:"SERVER-WEBAPP SyBase MBusiness xml closing tag overflow attempt"; flow:to_server,established; content:"SOAP-ENV"; fast_pattern:only; nocase; content:"<|2F|"; nocase; isdataat:500,relative; content:!"|3E|"; within:500; metadata:policy max-detect-ips drop, service http; reference:bugtraq,47775; classtype:attempted-user; sid:20764; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Data Protector GetPolicies SQL Injection attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/dpnepolicyservice/DPNECentral.asmx"; nocase; http_uri; content:"GetPolicies"; nocase; http_client_body; content:"clientVersion"; distance:0; nocase; http_client_body; content:"|3B|"; distance:0; http_client_body; content:"/clientVersion"; distance:0; nocase; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2011-3157; reference:url,h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03058866&ac.admitted=1321285525395.876444892.492883150; classtype:attempted-user; sid:20635; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Data Protector FinishedCopy SQL Injection attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/dpnepolicyservice/DPNECentral.asmx"; nocase; http_uri; content:"FinishedCopy"; nocase; http_client_body; content:"<type"; distance:0; nocase; http_client_body; content:"|3B|"; distance:0; http_client_body; content:"</type"; distance:0; nocase; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2011-3162; reference:url,h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03058866&ac.admitted=1321285525395.876444892.492883150; classtype:attempted-user; sid:20628; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-WEBAPP HP OpenView Storage Data Protector get file buffer overflow attempt"; flow:to_server,established; content:"|32 00 00 00|"; depth:5; offset:6; content:"1|00|7|00 00|"; distance:0; isdataat:514,relative; content:!"|00|"; within:514; distance:1; metadata:policy max-detect-ips drop; reference:cve,2011-1729; classtype:attempted-user; sid:20532; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt"; flow:to_server,established; content:"|2E 00 5C 00 2E 00 2E 00 5C 00|"; content:"|32 00 00 00|"; depth:4; offset:6; content:"1|00|7|00 00 00|"; distance:0; metadata:policy max-detect-ips drop; reference:cve,2011-1736; classtype:attempted-recon; sid:20531; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt"; flow:to_server,established; content:"|2E 00 2F 00 2E 00 2E 00 2F 00|"; content:"|32 00 00 00|"; depth:4; offset:6; content:"1|00|7|00 00 00|"; distance:0; metadata:policy max-detect-ips drop; reference:cve,2011-1736; classtype:attempted-recon; sid:20530; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish Server default credentials login attempt"; flow:to_server,established; content:"j_security_check"; fast_pattern:only; http_uri; content:"j_username=admin"; http_client_body; pcre:"/j_password=(&|$|adminadmin)/P"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,47438; reference:bugtraq,53136; reference:cve,2011-0807; reference:cve,2012-0551; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-admin; sid:20158; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-WEBAPP HP OpenView Storage Data Protector buffer overflow attempt"; flow:to_server,established; content:"|FF FE 32 00 00 00|"; depth:6; offset:4; isdataat:255; pcre:"/\x20\x00([^\x00].|.[^\x00]){255}/Osmi"; metadata:policy max-detect-ips drop; reference:bugtraq,48486; reference:cve,2011-1865; classtype:attempted-admin; sid:20134; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Power Manager remote code execution attempt"; flow:to_server,established; content:"/goform/formLogin"; fast_pattern:only; http_uri; content:"Login="; nocase; http_client_body; isdataat:426,relative; content:!"&"; within:426; http_client_body; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36933; reference:cve,2009-2685; reference:cve,2010-4113; classtype:attempted-admin; sid:19826; rev:10;)
# Commented out in this copy. NOTE(review): the msg text reads "XMLK" and "stack bugger
# overflow", presumably typos for "XML" and "stack buffer overflow"; it is left as
# shipped, so alert searches and reports must use the msg exactly as written or key
# on sid 19813 instead.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3037 (msg:"SERVER-WEBAPP Novell File Reporter Agent XMLK parsing stack bugger overflow attempt"; flow:to_server,established; content:"|3C|NAME|3E|"; isdataat:41; pcre:"/^[^\x3c\x2f]{41}/R"; metadata:policy max-detect-ips drop; reference:bugtraq,47144; reference:cve,2011-0994; classtype:attempted-admin; sid:19813; rev:10;)
# Commented out in this copy. Generic signature: the only condition is the literal,
# case-sensitive string %3Cscript in the HTTP request body. It is not tied to one
# application despite the three CVE references, so if enabled expect hits from any
# form that legitimately posts markup (CMS editors, paste tools), and do not read an
# absence of alerts from this sid as an absence of cross-site scripting attempts.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP cross-site scripting attempt via form data attempt"; flow:to_server,established; content:"%3Cscript"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2007-2847; reference:cve,2007-2865; reference:cve,2013-2618; classtype:attempted-user; sid:19645; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Virtual Server Agent command injection attempt"; flow:to_server,established; content:"/RPC2"; fast_pattern; nocase; http_uri; content:"<?xml"; http_client_body; content:"params"; distance:0; pcre:"/\x3C\s*param\s*\x3E\s*\x3C\s*value\s*\x3E\s*\x3C\s*string\s*\x3E[^\x3C]*[\x2C\x3B]/smiR"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,44031; reference:cve,2010-3582; reference:cve,2010-3585; reference:url,www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html; classtype:attempted-admin; sid:19441; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Secure Backup Administration preauth variable command injection attempt"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"button=Remove"; nocase; http_uri; content:"op=Preauth"; nocase; http_uri; content:"preauth="; nocase; http_uri; pcre:"/preauth\x3d[\x26\x7c]/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,41597; reference:cve,2010-0906; classtype:attempted-admin; sid:19228; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38292 (msg:"SERVER-WEBAPP Symantec Alert Management System modem string buffer overflow attempt"; flow:to_server,established; content:"|FF FF FF FF|"; depth:4; content:"PAGE"; depth:4; offset:30; content:"ModemString|00|"; distance:0; byte_test:2,>,32,0,relative,little; metadata:policy max-detect-ips drop; reference:cve,2010-0110; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_00; classtype:attempted-user; sid:19209; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4150 (msg:"SERVER-WEBAPP Oracle GoldenGate Veridata Server soap request overflow attempt"; flow:to_server,established; content:"POST /veridata "; fast_pattern:only; content:"<soapenv:"; nocase; content:"<ns"; distance:0; nocase; isdataat:256,relative; content:!">"; within:256; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45868; reference:cve,2010-4416; classtype:attempted-admin; sid:19168; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-WEBAPP HP Data Protector Media Operations SignInName Parameter overflow attempt"; flow:to_server,established; content:"/4daction/wHandleURLs/handleSignIn"; fast_pattern:only; content:"SignInName="; nocase; isdataat:256,relative; content:!"&"; within:256; metadata:policy max-detect-ips drop, service http; reference:bugtraq,44381; classtype:attempted-admin; sid:19155; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec IM Manager IMAdminScheduleReport.asp SQL injection attempt"; flow:to_server,established; content:"/IMManager/admin/IMAdminScheduleReport.asp"; fast_pattern; nocase; http_uri; content:"&email="; distance:0; nocase; pcre:"/&email=[^\x26]*(%3b|\x3b)/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,44299; reference:cve,2010-0112; classtype:web-application-attack; sid:19142; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView NNM snmpviewer.exe CGI parameter buffer overflow attempt"; flow:to_server,established; content:"/OvCgi/snmpviewer.exe"; fast_pattern:only; http_uri; content:"app="; nocase; http_client_body; isdataat:300,relative; content:!"&"; within:300; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2010-1552; classtype:attempted-user; sid:19140; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView NNM getnnmdata.exe CGI MaxAge parameter buffer overflow attempt"; flow:to_server,established; content:"/OvCgi/getnnmdata|2E|exe"; fast_pattern:only; http_uri; content:"MaxAge|3D|"; nocase; isdataat:300,relative; pcre:"/MaxAge\x3D[^\x26\x3F\x3B\x0D\x0A]{300}/i"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-1553; classtype:attempted-user; sid:19139; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView NNM getnnmdata.exe CGI hostname parameter buffer overflow attempt"; flow:to_server,established; content:"/OvCgi/getnnmdata.exe"; fast_pattern:only; http_uri; content:"hostname="; nocase; http_client_body; isdataat:300,relative; content:!"&"; within:300; http_client_body; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40072; reference:cve,2010-1555; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379; classtype:attempted-admin; sid:19138; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView NNM getnnmdata.exe CGI ICount parameter buffer overflow attempt"; flow:to_server,established; content:"/OvCgi/"; depth:7; nocase; http_uri; content:"|2E|exe"; distance:1; nocase; http_uri; content:"ICount|3D|"; nocase; isdataat:300,relative; pcre:"/ICount\x3D[^\x26\x3F\x3B\x0D\x0A\s]{300}/i"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-1554; classtype:attempted-user; sid:19137; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CA XOsoft Multiple Products entry_point.aspx buffer overflow attempt"; flow:to_server,established; content:"/entry_point.aspx"; nocase; http_uri; content:"txt_user_name_p|3D|"; nocase; http_client_body; isdataat:300,relative; pcre:"/txt_user_name_p\x3D[^\x26\x3F\x3B]{300}/Pi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,39238; reference:cve,2010-1223; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=232869; classtype:attempted-user; sid:19136; rev:10;)
# Commented out in this copy. The text after "Basic " is the Base64 form of a single
# fixed username:password pair (classtype default-login-attempt), matched exactly in
# the HTTP headers of requests to port 9080 whose URI contains /manager. It therefore
# reports use of that one default credential only; it is not a general check for weak
# or guessed passwords on this service.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9080 (msg:"SERVER-WEBAPP IBM Rational Quality Manager and Test Lab Manager policy bypass attempt"; flow:to_server,established; content:"/manager"; nocase; http_uri; content:"Authorization|3A 20|Basic|20|QURNSU46QURNSU4="; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,44172; reference:cve,2010-4094; classtype:default-login-attempt; sid:19110; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView NNM webappmon.exe buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/webappmon.exe"; fast_pattern:only; http_uri; content:"sel="; nocase; http_client_body; isdataat:1023,relative; content:!"&"; within:1023; http_client_body; metadata:policy max-detect-ips drop, service http; reference:bugtraq,41829; reference:cve,2010-2703; classtype:attempted-admin; sid:18999; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView NNM ovwebsnmpsrv.exe command line argument buffer overflow attempt"; flow:to_server,established; content:"/OvCgi/jovgraph.exe"; fast_pattern:only; http_uri; content:"arg="; nocase; http_client_body; isdataat:1024,relative; content:!"&"; within:1024; http_client_body; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40873; reference:bugtraq,45762; reference:cve,2010-1960; reference:cve,2010-1964; reference:cve,2011-0261; classtype:attempted-admin; sid:18998; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [7100,7101] (msg:"SERVER-WEBAPP Novell GroupWise agents HTTP request remote code execution attempt"; flow:to_server,established; content:"Host|3A|"; nocase; isdataat:500,relative; content:!"|0A|"; within:500; metadata:policy max-detect-ips drop; reference:bugtraq,44732; reference:cve,2010-4714; classtype:attempted-admin; sid:18960; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP VMware SpringSource Spring Framework class.classloader remote code execution attempt"; flow:to_server,established; content:"class|2E|classLoader"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40954; reference:cve,2010-1622; classtype:attempted-admin; sid:18959; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView Network Node Manager nnmRptConfig.exe Template format string code execution attempt"; flow:to_server,established; content:"/OvCgi/nnmRptConfig.exe"; fast_pattern:only; http_uri; content:"Action=Create"; nocase; pcre:"/Template\x3D[^\x26]*?\x25\d*[xsdn]/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45762; reference:cve,2011-0270; classtype:attempted-user; sid:18930; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell Teaming ajaxUploadImageFile remote code execution attempt"; flow:to_server,established; content:"|2F|ssf|2F|a|2F|do"; nocase; http_uri; content:"operation=upload_image_file"; nocase; http_uri; content:"action=__ajax_request"; nocase; http_uri; content:"Content-Disposition"; nocase; http_client_body; content:"filename"; http_client_body; pcre:"/Content-Disposition[^\r\n]+?filename\s*\x3D[^\r\n]*?\x2F(\x2E{2}\x5C|\x5C\x2E{2})/iP"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,41795; reference:cve,2010-2773; classtype:attempted-admin; sid:18902; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-WEBAPP OpenLDAP Modrdn utf-8 string code execution attempt"; flow:to_server,established; content:"|30|"; depth:1; content:"|6C|"; within:20; content:"cn="; pcre:"/cn=[^\x00]*\x23[^\x00]*\x01\x01\x00/i"; metadata:policy max-detect-ips drop, service ldap; reference:bugtraq,41770; reference:cve,2010-0211; classtype:attempted-admin; sid:18804; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Oracle Java Runtime CMM readMabCurveData buffer overflow attempt"; flow:to_client,established; file_data; content:"curv|00 00 00 00|"; byte_test:4,>,0x1015,0,relative; metadata:policy max-detect-ips drop, service http; reference:bugtraq,39069; reference:cve,2010-0838; classtype:attempted-user; sid:18803; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Power Manager formExportDataLogs directory traversal attempt"; flow:to_server,established; content:"/goform/formExportDataLogs"; fast_pattern:only; http_uri; content:"fileName="; nocase; http_client_body; pcre:"/fileName=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,37866; reference:cve,2009-4000; classtype:web-application-attack; sid:18802; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Secure Backup Administration property_box.php other variable command execution attempt"; flow:to_server,established; content:"/property_box.php"; fast_pattern; nocase; http_uri; content:"type=ListAttachment"; nocase; http_uri; content:"other="; nocase; http_uri; pcre:"/other=[^\x26]*(%26|%7c)/siI"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,41616; reference:cve,2010-0899; classtype:attempted-admin; sid:18797; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell iManager ClassName handling overflow attempt"; flow:to_server,established; content:"/nps/servlet/webacc"; nocase; http_uri; content:"ClassName="; fast_pattern; nocase; http_client_body; pcre:"/^[^\x26]{512}/R"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40480; reference:cve,2010-1929; classtype:attempted-admin; sid:18796; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovet_demandpoll.exe format string execution attempt"; flow:to_server,established; content:"/OvCgi/webappmon.exe"; fast_pattern:only; http_uri; content:"sel="; http_client_body; pcre:"/^[^\x26]*?\x25/R"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40065; reference:cve,2010-1550; classtype:attempted-admin; sid:18795; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell ZENworks Configuration Management fileupload code execution attempt"; flow:to_server,established; content:"/zenworks-fileupload/"; fast_pattern:only; http_uri; pcre:"/[?&](filename|type)=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,39914; reference:cve,2010-4229; reference:cve,2010-5324; reference:url,www.novell.com/support/viewContent.do?externalId=7005573; classtype:attempted-admin; sid:18793; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell ZENworks Configuration Management UploadServlet code execution attempt"; flow:to_server,established; content:"/zenworks/UploadServlet"; fast_pattern:only; http_uri; content:"../"; http_uri; pcre:"/[?&]filename=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,39914; reference:url,www.novell.com/support/viewContent.do?externalId=7005573; classtype:attempted-admin; sid:18792; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView Network Node Manager nnmRptConfig.exe multiple parameters buffer overflow attempt"; flow:to_server,established; content:"nnmRptConfig.exe"; fast_pattern:only; http_uri; pcre:"/(data_select1|nameParams|schdParams|text1|schd_select1)=[^\x26]{512}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45762; reference:cve,2011-0265; reference:cve,2011-0266; reference:cve,2011-0267; reference:cve,2011-0268; reference:cve,2011-0269; classtype:attempted-user; sid:18764; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovwebsnmpsrv.exe displayWidth buffer overflow attempt - GET"; flow:to_server,established; content:"|2F|OvCgi|2F|jovgraph.exe"; nocase; http_uri; content:"displayWidth"; distance:0; nocase; http_uri; pcre:"/displayWidth[\x2b\x20]\d[^\x2b\s\n]{128}/siU"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45762; reference:cve,2011-0262; classtype:attempted-user; sid:18760; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovwebsnmpsrv.exe displayWidth buffer overflow attempt - POST"; flow:to_server,established; content:"|2F|OvCgi|2F|jovgraph.exe"; nocase; http_uri; content:"displayWidth"; nocase; http_client_body; pcre:"/displayWidth[\x2b\x20]\d[^\x2b\s\n]{128}/siP"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45762; reference:cve,2011-0262; classtype:attempted-user; sid:18759; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Java Web Server WebDAV Stack Buffer Overflow attempt"; flow:to_server,established; content:"PROPPATCH"; depth:9; urilen:>200; metadata:policy max-detect-ips drop, service http; reference:bugtraq,37874; reference:cve,2003-0109; reference:cve,2010-0361; classtype:attempted-admin; sid:18613; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Java Web Server WebDAV Stack Buffer Overflow attempt"; flow:to_server,established; content:"PROPFIND"; depth:8; urilen:>200; metadata:policy max-detect-ips drop, service http; reference:bugtraq,37874; reference:cve,2003-0109; reference:cve,2010-0361; classtype:attempted-admin; sid:18612; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Java Web Server WebDAV Stack Buffer Overflow attempt"; flow:to_server,established; content:"OPTIONS"; fast_pattern:only; content:"OPTIONS"; http_method; urilen:>200; metadata:policy max-detect-ips drop, service http; reference:bugtraq,37874; reference:cve,2010-0361; classtype:attempted-admin; sid:18611; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView Performance Insight Server backdoor account code execution attempt"; flow:to_server,established; content:"/services"; nocase; http_uri; content:"aGNoOTA4djp6NnQwaiQraQ=="; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,46079; reference:cve,2011-0276; classtype:attempted-admin; sid:18560; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,8083,8084] (msg:"SERVER-WEBAPP HP OpenView Performance Insight Server backdoor account code execution attempt"; flow:to_server,established; content:"Authorization: Basic aGNoOTA4djp6NnQwaiQraQ=="; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,46079; reference:cve,2011-0276; classtype:attempted-admin; sid:18559; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec IM manager IMAdminReportTrendFormRun.asp sql injection attempt"; flow:to_server,established; content:"|2F|IMManager|2F|admin|2F|IMAdminReportTrendFormRun|2E|asp|3F|"; nocase; http_uri; pcre:"/groupList\x3d[^\x26]*\x3b/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,44299; reference:cve,2010-0112; reference:url,attack.mitre.org/techniques/T1190; classtype:attempted-user; sid:18556; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FreePBX recording interface file upload code execution attempt"; flow:to_server,established; content:"config.php"; nocase; http_uri; content:"Content-Disposition"; nocase; content:"name=|22|ivrfile|22 3B|"; distance:0; fast_pattern; nocase; content:"filename=|22|"; distance:0; nocase; pcre:!"/^\w+\.(wav|alaw|ulaw|sln|gsm)\x22/Ri"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43454; reference:cve,2010-3490; classtype:attempted-admin; sid:18465; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Adobe ColdFusion locale directory traversal attempt"; flow:to_server,established; content:"CFIDE"; fast_pattern; http_uri; content:"locale="; nocase; content:"../../../"; distance:0; content:"%00"; distance:0; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42342; reference:cve,2010-2861; classtype:attempted-admin; sid:18464; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38292 (msg:"SERVER-WEBAPP Symantec Alert Management System pin number buffer overflow attempt"; flow:to_server,established; content:"|FF FF FF FF|"; depth:4; content:"PAGE"; depth:4; offset:30; nocase; content:"PinNumber|00|"; distance:0; byte_test:2,>,0x100,0,little,relative; metadata:policy max-detect-ips drop; reference:cve,2010-0110; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_00; classtype:attempted-user; sid:18460; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell iManager getMultiPartParameters arbitrary file upload attempt"; flow:to_server,established; content:"/nps/servlet/modulemanager"; fast_pattern:only; http_uri; content:"filename="; nocase; http_client_body; pcre:"/filename\s*?=[^\x3b\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43635; reference:url,www.novell.com/support/kb/doc.php?id=7006515; classtype:attempted-admin; sid:18311; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Secure Backup login.php uname variable based command injection attempt"; flow:to_server,established; content:"login.php"; http_uri; content:"attempt="; http_uri; content:"uname="; http_uri; content:"%26"; http_raw_uri; pcre:"/uname=[^&]*%26/I"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-5449; classtype:attempted-admin; sid:18293; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8082 (msg:"SERVER-WEBAPP Microsoft Office SharePoint document conversion remote code excution attempt"; flow:to_server,established; content:"Microsoft.HtmlTrans.IDocumentConversionsLauncher/Microsoft.HtmlTrans.Interface"; fast_pattern:only; content:"<i2|3A|ConvertFile"; content:"<convert"; distance:0; pcre:"/^(To|From)[^\x3e]*?\x3e[a-z0-9]*[^a-z0-9][^\x3c]*?\x3c\x2fconvert(To|From)/isR"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-3964; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-104; classtype:attempted-admin; sid:18238; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Java Web Server WebDAV Stack Buffer Overflow attempt"; flow:to_server,established; content:"COPY"; fast_pattern:only; content:"COPY"; http_method; urilen:>200; metadata:policy max-detect-ips drop, service http; reference:bugtraq,37874; reference:cve,2010-0361; classtype:attempted-admin; sid:17609; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8081 (msg:"SERVER-WEBAPP Trend Micro OfficeScan CGI password decryption buffer overflow attempt"; flow:to_server,established; content:"/cgiablogon.exe"; fast_pattern:only; content:"CRYPT"; nocase; isdataat:512,relative; pcre:"/pwd=(\!|\%21)CRYPT(\!|\%21)[^\r\n&]{513}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28020; reference:cve,2008-1365; reference:url,secunia.com/advisories/29124; classtype:web-application-attack; sid:17605; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TikiWiki jhot.php script file upload attempt"; flow:to_server,established; content:"/jhot.php"; nocase; http_uri; content:"Content-Disposition|3A|"; nocase; content:"filename="; nocase; pcre:"/^Content-Disposition\x3A[^\r\n]*filename=(?P<q1>\x22|\x27|)[^\r\n]*?\x2Ephp(?P=q1)/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,19819; reference:cve,2006-4602; reference:url,tikiwiki.org/tiki-read_article.php?articleid=136; classtype:attempted-user; sid:17597; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP generic server HTTP Auth Header buffer overflow attempt"; flow:to_server,established; content:"Authorization|3A 20|Basic"; nocase; isdataat:256,relative; content:!"|0D 0A|"; within:256; metadata:policy max-detect-ips drop, service http; reference:bugtraq,33554; reference:cve,2006-5478; reference:cve,2008-0871; reference:cve,2009-0183; classtype:attempted-user; sid:17536; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Adobe RoboHelp Server Arbitrary File Upload and Execute"; flow:to_server,established; content:"/robohelp/robo/reserved/web/"; nocase; http_uri; content:".jsp"; distance:0; nocase; http_uri; pcre:"/\x2frobohelp\x2frobo\x2freserved\x2fweb\x2f[^\r\n]{0,60}\x2Ejsp/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35282; reference:cve,2009-1855; classtype:attempted-user; sid:17529; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP nginx URI parsing buffer overflow attempt"; flow:to_server,established; content:"GET |2F 25|23|2E 2E|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36384; reference:cve,2009-2629; classtype:attempted-admin; sid:17528; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Control Manager Chunked overflow attempt"; flow:to_server,established; isdataat:1420; content:"isaNVWRequest.dll"; nocase; http_uri; content:"Transfer-Encoding|3A|"; nocase; http_header; content:"chunked"; nocase; http_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,15865; reference:cve,2005-1929; classtype:attempted-admin; sid:17486; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-WEBAPP CommuniGate Systems CommuniGate Pro LDAP Server buffer overflow attempt"; flow:to_server,established; content:"|80|"; content:"|FF FF FF FF|"; within:8; distance:1; pcre:"/\x80(\x84|\x85\x00|\x86\x00\x00|\x87\x00\x00\x00)\xFF\xFF\xFF\xFF/smi"; metadata:policy max-detect-ips drop, service ldap; reference:bugtraq,16407; reference:cve,2006-0468; reference:url,www.gleg.net/cg_advisory.txt; classtype:attempted-user; sid:17450; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell ZENworks patch management SQL injection attempt"; flow:to_server,established; content:"/packages/default.asp?"; nocase; http_uri; pcre:"/sort\x3d[^\s]*\x3b+/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,15220; reference:cve,2005-3315; classtype:web-application-attack; sid:17449; rev:12;)
# alert tcp $EXTERNAL_NET 70 -> $HOME_NET any (msg:"SERVER-WEBAPP Squid Gopher protocol handling buffer overflow attempt"; flow:to_client,established; content:"|30 41 73 09 30 2F 61 61 61 61 61 61 61 61 61 61 61 61 61 61|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,12276; reference:cve,2005-0094; classtype:attempted-dos; sid:17432; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Citrix Program Neighborhood Agent Buffer Overflow attempt"; flow:to_client,established; file_data; content:"|3C|AppData|3E|"; nocase; content:"|3C|InName|3E|"; pcre:"/InName\x3E[^\x3C]{100}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13373; reference:cve,2004-1078; classtype:attempted-user; sid:17423; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Citrix Program Neighborhood Agent Arbitrary Shortcut Creation attempt"; flow:to_client,established; file_data; content:"|3C|AppData|3E|"; nocase; content:"|3C|AppInStartmenu|20|value|3D 22|True|22|"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13379; reference:cve,2004-1077; classtype:attempted-user; sid:17420; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP IBM Lotus Expeditor cai URI handler command execution attempt"; flow:to_client,established; file_data; content:"cai|3A|"; nocase; content:"-launcher"; distance:0; nocase; pcre:"/cai\x3a[^\x3e]*?(\x22|\x2522)[^\x3e\x22]*?-launcher/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-1965; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21303813; classtype:attempted-user; sid:17376; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SERVER-WEBAPP Squid authentication headers handling denial of service attempt"; flow:to_server,established; flowbits:isset,ntlm_authentication; content:"Proxy-Authorization: "; content:!"NTLM"; within:4; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14977; reference:cve,2005-2917; classtype:attempted-dos; sid:17371; rev:10;)
# sid:17370 is a flowbits setter, not a detection on its own: on an established
# client-to-server flow to port 3128 it matches "Proxy-Authorization: NTLM",
# sets the ntlm_authentication bit and, because of flowbits:noalert, raises no alert.
# The bit is read by sid:17371 (flowbits:isset,ntlm_authentication), which is
# commented out on the line above; while that rule stays disabled, this pair
# produces no alerts at all.
# If sid:17371 is enabled, keep this rule enabled as well; otherwise the bit is
# never set and sid:17371 cannot match.
# The destination port is fixed at 3128, so a proxy listening on any other port
# is not covered by this pair.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SERVER-WEBAPP Squid authentication headers handling denial of service attempt"; flow:to_server,established; content:"Proxy-Authorization: NTLM"; fast_pattern:only; flowbits:set,ntlm_authentication; flowbits:noalert; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14977; reference:cve,2005-2917; classtype:protocol-command-decode; sid:17370; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro OfficeScan Console authentication buffer overflow attempt"; flow:to_server,established; content:"/officescan/console"; fast_pattern; http_uri; content:"session="; http_cookie; pcre:"/session=[^\s\x3b&]{520}/iC"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,24641; reference:bugtraq,24935; reference:cve,2007-3454; reference:cve,2007-3455; classtype:attempted-admin; sid:17295; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco IOS HTTP service HTML injection attempt"; flow:to_server,established; content:"href|3D 22 2E 2F 2E 2E 2F 2E 2F 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,15602; reference:cve,2005-3921; classtype:attempted-dos; sid:17287; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8022 (msg:"SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt"; flow:to_server,established; content:"|2E 2E 2F 2E 2E 2F 2E 2E 2F|"; depth:100; pcre:"/^(GET|POST)\h+[^\n]*?\x2E\x2E\x2F\x2E\x2E\x2F\x2E\x2E\x2F[^\n]*?HTTP/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,15291; reference:cve,2005-1939; classtype:attempted-user; sid:17279; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center database credentials information disclosure attempt - 3"; flow:to_server,established; content:"/imc/reportscript/oracle/deploypara.properties"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40298; reference:url,secunia.com/advisories/39891; classtype:attempted-user; sid:17159; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center database credentials information disclosure attempt - 2"; flow:to_server,established; content:"/rpt/reportscript/sqlserver/deploypara.properties"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40298; reference:url,secunia.com/advisories/39891; classtype:attempted-user; sid:17158; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center database credentials information disclosure attempt - 1"; flow:to_server,established; content:"/imc/reportscript/sqlserver/deploypara.properties"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40298; reference:url,secunia.com/advisories/39891; classtype:attempted-user; sid:17157; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenView Network Node Manager cookie buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/webappmon.exe"; fast_pattern:only; http_uri; pcre:"/(OvJavaScript|OvTitleFrame|OvHelpWindow|OvMap|OvSession|OvJavaLocale|OvOSLocale|OvLogin|OvDebug|OvDeveloper|OvTreeControl|OvJavaScript|OvProduct|OvPort|OvLocale|OvWebSession)\s*\x3D[^\x3B\x2C]{1024}/iC"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42154; reference:cve,2010-2709; classtype:attempted-user; sid:17140; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center information disclosure attempt"; flow:to_server,established; content:"/imc/report/DownloadReportSource"; nocase; http_uri; content:"fileName"; http_uri; pcre:"/fileName=.*?\x2E\x2E(\x2F|\x5C)/sI"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40298; reference:url,secunia.com/advisories/39891; classtype:misc-attack; sid:17137; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"SERVER-WEBAPP VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"|2F|requests|2F|status.xml"; nocase; http_uri; content:"smb"; http_uri; pcre:"/^GET\s+.*\x2Frequests\x2Fstatus\.xml\x3F.*smb\x3A\x2F\x2F[^\s\x0A\x0D]{251}/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35500; reference:cve,2009-2484; classtype:attempted-user; sid:16753; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView CGI parameter buffer overflow attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"-textFile+"; fast_pattern:only; http_uri; content:"/OvCgi/"; http_uri; pcre:"/\/OvCgi\/(jovgraph|webappmon)\.exe.*?-textFile\+[^+]{201}/iU"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-1551; reference:cve,2010-1552; reference:cve,2010-1553; reference:cve,2010-1554; reference:cve,2010-1555; reference:cve,2010-1961; reference:cve,2011-3167; classtype:attempted-user; sid:16674; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-WEBAPP Microsoft Office SharePoint Server 2007 help.aspx denial of service attempt"; flow:established, to_server; content:"_layouts/help.aspx?"; nocase; http_uri; pcre:"/tid=[^&]/Usmi"; pcre:!"/cid=[^&]/Usmi"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-1264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-039; classtype:attempted-dos; sid:16660; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Office SharePoint XSS attempt"; flow:to_server,established; content:"_layouts/help.aspx?"; nocase; http_uri; content:"cid0="; distance:0; nocase; http_uri; pcre:"/\x5flayouts\x2fhelp\x2easpx\x3f.*?cid0\x3d[A-Za-z\x5c\x2e0-9]*[^A-Za-z\x5c\x2f\x2e\x26\x3d0-9\s]/Usi"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-0817; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-039; classtype:attempted-user; sid:16560; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Openview Network Node Manager OvAcceptLang overflow attempt"; flow:to_server,established; content:"/OVCgi/Toolbar.exe"; fast_pattern:only; http_uri; pcre:"/OvAcceptLang\s*\x3d\s*[^\x3b\n]{300}/ismC"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,34134; reference:cve,2009-0921; classtype:attempted-user; sid:16555; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Java System Web Server 7.0u7 authorization digest heap overflow"; flow:to_server,established; content:!"GET"; nocase; http_method; content:!"POST"; nocase; http_method; content:"Authorization"; nocase; content:"Digest"; distance:0; fast_pattern; nocase; pcre:"/^Authorization\s*\x3A\s*Digest\s+([^\n\x2C]*\x2C){15}/im"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,37896; reference:cve,2010-0387; classtype:attempted-user; sid:16392; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3057 (msg:"SERVER-WEBAPP Borland StarTeam Multicast Service buffer overflow attempt"; flow:to_server,established; content:"GET"; fast_pattern:only; content:"GET"; http_method; urilen:>256; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28602; reference:cve,2008-0311; classtype:attempted-admin; sid:16283; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"SERVER-WEBAPP MIT Kerberos V% KAdminD klog_vsyslog server overflow attempt"; flow:to_server,established; content:"|90|D|FA A0 B1|^C|07|m'|1C|m|08 02 D0 C7 C0|q|EE|q|E3|R|B3 1C|}K|DE D2 C1 F8 5C|{"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,23285; reference:cve,2007-0957; reference:url,attack.mitre.org/techniques/T1097; classtype:attempted-user; sid:16207; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HTTP request with negative Content-Length attempt"; flow:to_server,established; content:"Content-Length: -"; fast_pattern:only; http_header; pcre:"/^Content-Length\s*\x3A\s*-\d{1,10}/mi"; metadata:policy max-detect-ips drop, service http; reference:cve,2004-0095; reference:cve,2008-4478; reference:cve,2014-9192; reference:cve,2017-1000470; reference:url,aluigi.altervista.org/adv/winccflex_1-adv.txt; classtype:attempted-user; sid:16195; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP uselang code injection"; flow:to_server,established; content:"/wiki"; nocase; http_uri; content:"?uselang="; fast_pattern; nocase; http_uri; pcre:"/\x2fwiki[^\n]*\x3fuselang=[^\n\x26\x3f]{2,}[a-zA-Z\x2d]/Usmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,15703; reference:cve,2005-4031; classtype:web-application-attack; sid:16079; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple Vendor server file disclosure attempt"; flow:to_server,established; content:".jsp"; http_uri; pcre:"/^[^\x3b]*\x3b.*\x2ejsp/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,11245; reference:bugtraq,19106; reference:cve,2004-0928; reference:cve,2006-3853; classtype:web-application-attack; sid:15990; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sybase EAServer WebConsole overflow attempt"; flow:to_server,established; content:"/WebConsole/Login.jsp|3B EA EA EA EA EA EA EA EA|"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14287; reference:cve,2005-2297; classtype:attempted-user; sid:15962; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Trend Micro OfficeScan multiple CGI modules HTTP form processing buffer overflow attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/officescan/cgi/cgi"; nocase; http_uri; content:"multipart/form-data"; nocase; content:"|0A|--"; distance:0; isdataat:270; content:!"|0A|--"; within:270; metadata:policy max-detect-ips drop, service http; reference:cve,2008-3862; classtype:attempted-admin; sid:15908; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle BEA WebLogic overlong JESSIONID buffer overflow attempt"; flow:to_server,established; content:"JSESSIONID="; isdataat:300,relative; pcre:"/JSESSIONID=[^\s\x26\x3a\x22\x27\x3b]{300}/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-5457; classtype:misc-attack; sid:15477; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8008,8028] (msg:"SERVER-WEBAPP Novell eDirectory management console Accept-Language buffer overflow attempt"; flow:to_server,established; content:"/nds"; fast_pattern; nocase; http_uri; content:"Accept-Language"; distance:0; nocase; content:"|3A|"; distance:0; isdataat:19,relative; pcre:"/^\s*Accept-Language\s*\x3a\s*([^\r\n]*?\x2c){20}/mi"; metadata:policy max-detect-ips drop; reference:bugtraq,31553; reference:cve,2008-5094; reference:url,download.novell.com/Download?buildid=Cf15mVyA3GI~; classtype:attempted-admin; sid:15446; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView Network Node Manager OvOSLocale parameter buffer overflow attempt"; flow:to_server,established; content:"/OVCgi/Toolbar.exe"; nocase; http_uri; content:"OvOSLocale"; nocase; http_cookie; pcre:"/OvOSLocale\s*\x3d\s*[^\x3b\s]{249}/Cmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,34134; reference:cve,2008-0067; reference:cve,2009-0920; classtype:attempted-user; sid:15434; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 17000 (msg:"SERVER-WEBAPP Oracle TimesTen In-Memory Database evtdump CGI module format string exploit attempt"; flow:to_server,established; content:"GET "; depth:4; nocase; content:"evtdump?"; distance:0; nocase; pcre:"/evtdump\x3f.*?\x2525[^\x20]*?\x20HTTP/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,33177; reference:cve,2008-5440; classtype:attempted-admin; sid:15264; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 808 (msg:"SERVER-WEBAPP Youngzsoft CCProxy CONNECT Request buffer overflow attempt"; flow:to_server,established; content:"CONNECT "; nocase; isdataat:1024,relative; pcre:"/^CONNECT\s[^\s]{1024}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,31416; reference:cve,2008-6415; classtype:attempted-user; sid:15190; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Office SharePoint Server elevation of privilege exploit attempt"; flow:to_server,established; content:!"/ssp/admin/_layouts"; http_uri; content:"mode=ssp"; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2008-4032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-077; classtype:attempted-admin; sid:15108; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8889 (msg:"SERVER-WEBAPP Openwsman HTTP basic authentication buffer overflow attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; content:"Basic"; nocase; isdataat:256,relative; pcre:"/^Authorization\x3a\s*Basic[^\n]{256}/mi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30694; reference:cve,2008-2234; classtype:attempted-user; sid:14992; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8030,8028,8008,8010] (msg:"SERVER-WEBAPP Novell eDirectory SOAP Accept Language header overflow attempt"; flow:to_server,established; content:"/SOAP"; fast_pattern; nocase; http_uri; content:"Accept-Language|3A|"; nocase; pcre:"/^Accept\x2dLanguage\x3a\s*(\w{1,36}\s*(\x2e|\x2d|\x3b|\x3d|\x2c)\s*)*[^\x2d\x3b\x2c\x3d\n]{37}/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-4479; classtype:attempted-user; sid:14989; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1521,5560] (msg:"SERVER-WEBAPP Oracle Database Server buffer overflow attempt"; flow:to_server,established; content:"DBMS_AQELM"; pcre:"/SET_(SENDFROM|MAILHOST)\x28\x27[^\x27]{256}/i"; metadata:policy max-detect-ips drop; reference:bugtraq,30177; reference:cve,2008-2607; classtype:misc-attack; sid:13951; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt"; flow:to_server,established; content:"/Help_Errors.asp"; fast_pattern:only; http_uri; pcre:"/(^|&)r\d=[^&]*?([\x27\x22\x3b\x23\x28]|%27|%22|%3b|%23|%28|(\x2f|%2f)(\x2a|%2a)|(\x2d|%2d){2})/Pim"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30137; reference:cve,2008-2991; reference:url,adobe.com/support/security/bulletins/apsb08-16.html; classtype:web-application-attack; sid:13929; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt"; flow:to_server,established; content:"/Help_Errors.asp"; fast_pattern:only; http_uri; pcre:"/[?&]r\d=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30137; reference:cve,2008-2991; reference:url,adobe.com/support/security/bulletins/apsb08-16.html; classtype:web-application-attack; sid:13928; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Alt-N SecurityGateway username buffer overflow attempt"; flow:to_server,established; content:"/SecurityGateway.dll"; fast_pattern:only; http_uri; content:"username="; nocase; http_client_body; isdataat:450,relative; content:!"&"; within:450; http_client_body; metadata:policy max-detect-ips drop, service http; reference:bugtraq,29457; reference:cve,2008-4193; reference:url,files.altn.com/securitygateway/release/relnotes_en.htm; classtype:attempted-admin; sid:13916; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Lotus Domino Web Server Accept-Language header buffer overflow attempt"; flow:to_server,established; content:".nsf"; fast_pattern:only; http_uri; content:"Accept-Language|3A| "; http_header; content:!"|2C|"; within:32; http_header; content:!"|0D 0A|"; within:34; http_header; pcre:"/[\x80-\xff]/U"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,29310; reference:cve,2008-2240; classtype:attempted-admin; sid:13819; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7510 (msg:"SERVER-WEBAPP HP OpenView Network Node Manager HTTP handling buffer overflow attempt"; flow:to_server,established; content:"/topology/home"; fast_pattern:only; http_uri; urilen:>184; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28569; reference:cve,2008-1697; classtype:attempted-admin; sid:13715; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Secure Access Control Server UCP Application CSuserCGI.exe buffer overflow attempt"; flow:to_server,established; content:"/CSuserCGI.exe?"; nocase; http_uri; content:"Logout"; distance:0; nocase; http_uri; pcre:"/\x2FCSuserCGI\x2Eexe\x3F.*?Logout.[^&]{96}/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28222; reference:cve,2008-0532; reference:url,www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml; classtype:attempted-admin; sid:13656; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Office SharePoint cross site scripting attempt"; flow:to_server,established; content:".aspx"; http_uri; content:"|22 29 3B|"; fast_pattern; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,23832; reference:cve,2007-2581; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-059; classtype:web-application-attack; sid:12629; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SERVER-WEBAPP Oracle Java web proxy sockd buffer overflow attempt"; flow:to_server,established; content:"|05 01|"; depth:2; content:"|03|"; within:1; distance:1; byte_test:1,>,136,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,24165; reference:cve,2007-2881; classtype:attempted-admin; sid:11680; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"SERVER-WEBAPP Novell eDirectory HTTP redirection buffer overflow attempt"; flow:to_server,established; content:"Host|3A|"; nocase; isdataat:63,relative; content:!"|0A|"; within:63; pcre:"/^(GET|POST)\s+[^\s]*(\x2fnds|\x2fdhost)[^\n]*\nHost\x3a\s*[^\n]{63}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,20655; reference:cve,2006-5478; classtype:attempted-admin; sid:8711; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 81 (msg:"SERVER-WEBAPP McAfee header buffer overflow attempt"; flow:to_server,established; content:"/spipe/pkg"; fast_pattern:only; http_uri; content:"AgentGuid="; http_header; content:"Source="; http_header; pcre:"/AgentGuid\x3D[^\x3f\x26\x0D\x0A]{63}.*?Source\x3D[^\x3f\x26\x0D\x0A]{50}/Hs"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,20288; reference:cve,2006-5156; classtype:attempted-admin; sid:8441; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView Network Node Manager freeIPaddrs.ovpl command injection attempt"; flow:to_server,established; content:"/OvCgi/freeIPaddrs.ovpl"; fast_pattern:only; http_uri; content:"netid="; nocase; http_uri; pcre:"/[?&]netid=[^&]*?([\x60\x3b\x7c\x3c\x3e]|\x24\x28)/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14662; reference:cve,2005-2773; classtype:attempted-admin; sid:8090; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView Network Node Manager cdpView.ovpl command injection attempt"; flow:to_server,established; content:"/OvCgi/cdpView.ovpl"; fast_pattern:only; http_uri; content:"cdpnode="; nocase; http_uri; pcre:"/[?&]cdpnode=[^&]*?([\x60\x3b\x7c\x3c\x3e]|\x24\x28)/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14662; reference:cve,2005-2773; classtype:attempted-admin; sid:8089; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView Network Node Manager connectedNodes.ovpl command injection attempt"; flow:to_server,established; content:"/OvCgi/connectedNodes.ovpl"; fast_pattern:only; http_uri; content:"node="; nocase; http_uri; pcre:"/[?&]node=[^&]*?([\x60\x3b\x7c\x3c\x3e]|\x24\x28)/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14662; reference:cve,2005-2773; classtype:attempted-admin; sid:8088; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView Network Node Manager freeIPaddrs.ovpl command injection attempt"; flow:to_server,established; content:"/OvCgi/freeIPaddrs.ovpl"; fast_pattern:only; http_uri; content:"netid="; nocase; http_raw_uri; content:"%26"; distance:0; nocase; http_raw_uri; pcre:"/[?&]netid=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14662; reference:cve,2005-2773; classtype:attempted-admin; sid:8087; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView Network Node Manager cdpView.ovpl command injection attempt"; flow:to_server,established; content:"/OvCgi/cdpView.ovpl"; fast_pattern:only; http_uri; content:"cdpnode="; nocase; http_raw_uri; content:"%26"; distance:0; nocase; http_raw_uri; pcre:"/[?&]cdpnode=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14662; reference:cve,2005-2773; classtype:attempted-admin; sid:8086; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView Network Node Manager connectedNodes.ovpl command injection attempt"; flow:to_server,established; content:"/OvCgi/connectedNodes.ovpl"; fast_pattern:only; http_uri; content:"node="; nocase; http_raw_uri; content:"%26"; distance:0; nocase; http_raw_uri; pcre:"/[?&]node=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14662; reference:cve,2005-2773; classtype:attempted-admin; sid:8085; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8300 (msg:"SERVER-WEBAPP Novell GroupWise Messenger Accept-Language header buffer overflow attempt"; flow:to_server,established; content:"Accept-Language"; nocase; http_header; content:!"|0A|"; within:17; http_header; content:!"|0D|"; within:17; http_header; content:!"|2C|"; within:17; http_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17503; reference:cve,2006-0992; classtype:attempted-admin; sid:6414; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Twiki rdiff rev command injection attempt"; flow:to_server,established; content:"/rdiff/"; nocase; http_uri; content:"twiki"; distance:0; nocase; http_uri; content:"|7C|"; distance:0; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14834; reference:cve,2005-2877; classtype:attempted-admin; sid:4985; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8004 (msg:"SERVER-WEBAPP Symantec Antivirus admin scan interface negative Content-Length attempt"; flow:to_server,established; content:"Content-Length|3A| -1"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,15001; reference:cve,2005-2758; classtype:attempted-admin; sid:4681; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Squid content length cache poisoning attempt"; flow:to_server,established; content:"Content-Length|3A|"; nocase; http_header; content:"Content-Length|3A|"; nocase; http_header; pcre:"/^Content-Length\x3a(?!\x0d\x0a\x0d\x0a).*?^Content-Length\x3a/smiH"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,12412; reference:bugtraq,13956; reference:cve,2005-0174; reference:cve,2005-1215; classtype:misc-attack; sid:3694; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP IBM WebSphere j_security_check overflow attempt"; flow:to_server,established; content:"POST"; content:"/admin/j_security_check"; nocase; isdataat:256,relative; pcre:"/j_(username|password)=[^\n&]{256,}/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13853; reference:cve,2005-1872; classtype:attempted-admin; sid:3693; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP invalid HTTP version string"; flow:to_server,established; content:" HTTP/"; depth:300; nocase; isdataat:5,relative; content:!"0.9"; within:3; content:!"1.0"; within:3; content:!"1.1"; within:3; pcre:!"/^[^\n]* HTTP\x2f(0\.9|1\.[01])\s*\n/i"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,34240; reference:bugtraq,9809; reference:cve,2009-0478; reference:nessus,11593; classtype:non-standard-protocol; sid:2570; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP HTTP request with negative Content-Length attempt"; flow:to_server,established; content:"Content-Length|3A|"; nocase; byte_test:10,>,0x7FFFFFFF,1,relative,string,dec; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,16354; reference:bugtraq,17879; reference:bugtraq,9098; reference:bugtraq,9476; reference:bugtraq,9576; reference:cve,2004-0095; reference:cve,2005-3653; reference:cve,2006-2162; reference:cve,2006-3655; reference:cve,2014-9192; reference:cve,2015-5343; reference:cve,2017-1000470; classtype:misc-attack; sid:2278; rev:33;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phf arbitrary command execution attempt"; flow:to_server,established; content:"/phf"; fast_pattern; nocase; http_uri; content:"QALIAS"; nocase; content:"%0a"; nocase; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-attack; sid:1762; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test-cgi attempt"; flow:to_server,established; content:"/test-cgi/*?*"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:web-application-attack; sid:1644; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ExAir access"; flow:to_server,established; content:"/exair/search/"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,193; reference:cve,1999-0449; reference:nessus,10002; reference:nessus,10003; reference:nessus,10004; classtype:web-application-activity; sid:1500; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cat_ access"; flow:to_server,established; content:"cat "; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,374; reference:cve,1999-0039; classtype:attempted-recon; sid:1147; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phf access"; flow:to_server,established; content:"/phf"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-activity; sid:886; rev:28;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP faxsurvey access"; flow:to_server,established; content:"/faxsurvey"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-activity; sid:857; rev:26;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test-cgi access"; flow:to_server,established; content:"/test-cgi"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:attempted-recon; sid:835; rev:26;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress Creative Contact Form arbitrary PHP file upload attempt"; flow:to_server,established; content:"/sexy-contact-form/includes/fileupload/index.php"; fast_pattern:only; http_uri; content:"<?"; http_client_body; metadata:policy security-ips drop, service http; reference:bugtraq,70723; reference:cve,2014-8739; classtype:attempted-admin; sid:34569; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress Gravity Forms gf_page arbitrary file upload attempt"; flow:to_server,established; content:"gf_page=upload"; fast_pattern:only; http_uri; content:"<?"; http_client_body; metadata:service http; reference:url,gravityhelp.com/gravity-forms-v1-8-20-released/; classtype:attempted-user; sid:34568; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP unserialize function integer overflow attempt"; flow:to_server,established; content:"|3D 43 25 33 41|"; http_client_body; content:"|25 33 41|"; distance:0; http_client_body; content:"|25 33 41|"; distance:0; http_client_body; byte_test:10,>,1000000,0,relative,string; metadata:service http; reference:cve,2014-3669; reference:url,bugs.php.net/bug.php?id=68044; classtype:attempted-admin; sid:34623; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt"; flow:to_server,established; content:"/zenworks/rtr"; fast_pattern:only; http_uri; content:"dirname="; nocase; http_uri; pcre:"/[?&]dirname=[^&]*?(\x3a|\x2e\x2e)\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,74288; reference:cve,2015-0785; classtype:web-application-attack; sid:34621; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt"; flow:to_server,established; content:"/zenworks/rtr"; fast_pattern:only; http_uri; content:"dirname="; nocase; http_client_body; pcre:"/(^|&)dirname=[^&]*?(\x3a|%3a|(\x2e|%2e){2})([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,74288; reference:cve,2015-0785; classtype:web-application-attack; sid:34620; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt"; flow:to_server,established; content:"/zenworks/rtr"; fast_pattern:only; http_uri; content:"dirname"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?dirname((?!^--).)*?(\x3a|\x2e\x2e)[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,74288; reference:cve,2015-0785; classtype:web-application-attack; sid:34619; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Synology Photo Station exif description command injection attempt"; flow:to_server,established; content:"/photo/webapi/photo.php"; fast_pattern:only; http_uri; content:"description="; nocase; http_uri; pcre:"/[?&]description=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.securityfocus.com/archive/1/535605/30/0/threaded; classtype:web-application-attack; sid:34618; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Synology Photo Station exif description command injection attempt"; flow:to_server,established; content:"/photo/webapi/photo.php"; fast_pattern:only; http_uri; content:"description="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; pcre:"/[?&]description=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.securityfocus.com/archive/1/535605/30/0/threaded; classtype:web-application-attack; sid:34617; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Synology Photo Station exif description command injection attempt"; flow:to_server,established; content:"/photo/webapi/photo.php"; fast_pattern:only; http_uri; content:"description="; nocase; http_client_body; pcre:"/(^|&)description=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.securityfocus.com/archive/1/535605/30/0/threaded; classtype:web-application-attack; sid:34616; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Synology Photo Station exif description command injection attempt"; flow:to_server,established; content:"/photo/webapi/photo.php"; fast_pattern:only; http_uri; content:"description"; nocase; http_client_body; content:"name"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?description((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|\x24\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.securityfocus.com/archive/1/535605/30/0/threaded; classtype:web-application-attack; sid:34615; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Visual Mining NetCharts saveFile.jsp directory traversal attempt"; flow:to_server,established; content:"/Developer/saveFile.jsp"; fast_pattern:only; http_uri; content:"filename="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]filename=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,74792; reference:cve,2015-4031; classtype:web-application-attack; sid:34606; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Visual Mining NetCharts saveFile.jsp directory traversal attempt"; flow:to_server,established; content:"/Developer/saveFile.jsp"; fast_pattern:only; http_uri; content:"filename="; nocase; http_client_body; pcre:"/(^|&)filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,74792; reference:cve,2015-4031; classtype:web-application-attack; sid:34605; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Visual Mining NetCharts saveFile.jsp directory traversal attempt"; flow:to_server,established; content:"/Developer/saveFile.jsp"; fast_pattern:only; http_uri; content:"filename"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/filename\s*=\s*[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,74792; reference:cve,2015-4031; classtype:web-application-attack; sid:34604; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell ZENworks Configuration Management rtrlet.class directory traversal attempt"; flow:to_server,established; content:"/zenworks/rtr"; fast_pattern:only; http_uri; content:"filename="; nocase; http_uri; pcre:"/[?&]filename=[^&]*?(\x3a|\x2e\x2e)\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,74292; reference:cve,2015-0783; classtype:web-application-attack; sid:34602; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Desktop Central FileUploadServlet directory traversal attempt"; flow:to_server,established; content:"rds_file_upload"; fast_pattern:only; pcre:"/(^|&)(computerName|checkSumvalue|connectionId)=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-8249; classtype:web-application-attack; sid:34718; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Desktop Central FileUploadServlet directory traversal attempt"; flow:to_server,established; content:"rds_file_upload"; fast_pattern:only; content:"name"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?(computerName|checkSumvalue|connectionId)((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-8249; classtype:web-application-attack; sid:34717; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Desktop Central FileUploadServlet directory traversal attempt"; flow:to_server,established; content:"rds_file_upload"; fast_pattern:only; content:"../"; http_uri; pcre:"/[?&](computerName|checkSumvalue|connectionId)=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-8249; classtype:web-application-attack; sid:34716; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt"; flow:to_server,established; content:"/servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet"; fast_pattern:only; http_uri; content:"name"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?(customerName|serverRole)((?!^--).)*?[\r\n]{2,}((?!^--).)*?[\x27\x29\x3b]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,support.zoho.com/portal/manageengine/helpcenter/articles/vulnerabilities-in-failoverhelperservlet; classtype:web-application-attack; sid:34648; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt"; flow:to_server,established; content:"/servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet"; fast_pattern:only; http_uri; pcre:"/(^|&)(customerName|serverRole)=[^&]*?([\x27\x29\x3b]|%27|%29|%3b)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,support.zoho.com/portal/manageengine/helpcenter/articles/vulnerabilities-in-failoverhelperservlet; classtype:web-application-attack; sid:34647; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ZOHO ManageEngine OpManager SQL injection attempt"; flow:to_server,established; content:"/servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet"; fast_pattern:only; http_uri; pcre:"/[?&](customerName|serverRole)=[^&]*?[\x27\x29\x3b]/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,support.zoho.com/portal/manageengine/helpcenter/articles/vulnerabilities-in-failoverhelperservlet; classtype:web-application-attack; sid:34646; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Visual Mining NetCharts projectContents.jsp directory traversal attempt"; flow:to_server,established; content:"/developer/projectContents.jsp"; fast_pattern:only; http_uri; content:"project="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]project=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,74788; reference:cve,2015-4032; classtype:web-application-attack; sid:34635; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Visual Mining NetCharts projectContents.jsp directory traversal attempt"; flow:to_server,established; content:"/developer/projectContents.jsp"; fast_pattern:only; http_uri; content:"project="; nocase; http_client_body; pcre:"/(^|&)project=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,74788; reference:cve,2015-4032; classtype:web-application-attack; sid:34634; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Visual Mining NetCharts projectContents.jsp directory traversal attempt"; flow:to_server,established; content:"/developer/projectContents.jsp"; fast_pattern:only; http_uri; content:"project"; nocase; http_client_body; content:"name"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?project((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,74788; reference:cve,2015-4032; classtype:web-application-attack; sid:34633; rev:3;)
# sid:34799 (CVE-2014-8361) - UPnP AddPortMapping SOAP command injection.
# Scope: only TCP destination ports 52869 and 49152 are inspected; a UPnP SOAP
#   listener bound to any other port is outside this rule's coverage.
# Match: "AddPortMapping", then "<NewInternalClient", then a pcre requiring a
#   backtick, ';', '|', '&' or "$(" inside the NewInternalClient element text.
#   No http_* buffer modifiers are used, so the contents and the pcre run
#   against the raw payload rather than http_inspect's normalized buffers.
# Action: the rule header says "alert". The "policy ... drop" metadata entries
#   are hints for policy-aware rule management; whether traffic is actually
#   dropped depends on how this deployment loads rules and on inline mode.
#   NOTE(review): confirm against the snort.conf shipped in this image.
alert tcp $EXTERNAL_NET any -> $HOME_NET [52869,49152] (msg:"SERVER-WEBAPP UPnP AddPortMapping SOAP action command injection attempt"; flow:to_server,established; content:"AddPortMapping"; nocase; content:"<NewInternalClient"; distance:0; nocase; pcre:"/<NewInternalClient[^>]*?>[^<]*?([\x60\x3b\x7c\x26]|\x24\x28)/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,74330; reference:cve,2014-8361; classtype:attempted-admin; sid:34799; rev:3;)
# sids 34883 / 34882 / 34881 (CVE-2015-4068) - Arcserve UDP reportFileServlet
# directory traversal. All three require "/service/reportFileServlet" in the
# URI and differ only in where the fileName parameter is carried:
#   34883  query string: literal "../" after fileName= in the decoded URI
#          (http_uri, pcre flag U). Percent-encoded forms are only seen if
#          http_inspect decodes them into that buffer.
#          NOTE(review): verify the http_inspect normalization settings.
#   34882  urlencoded body (pcre flag P, unnormalized): two dots, each literal
#          or %2e, followed by '/', '\', %2f or %5c.
#   34881  multipart body: a Content-Disposition part named fileName whose
#          content holds ".." followed by '/' or '\' before the next "--" line.
# The body variants can only match what http_inspect extracts as client body,
# so the configured body inspection depth bounds their coverage.
# These are detection signatures for traffic toward the servlet; they do not
# replace applying the vendor fix for the referenced CVE.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Arcserve Unified Data Protection reportFileServlet directory traversal attempt"; flow:to_server,established; content:"/service/reportFileServlet"; fast_pattern:only; http_uri; content:"fileName="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]fileName=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,74845; reference:cve,2015-4068; classtype:web-application-attack; sid:34883; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Arcserve Unified Data Protection reportFileServlet directory traversal attempt"; flow:to_server,established; content:"/service/reportFileServlet"; fast_pattern:only; http_uri; content:"fileName="; nocase; http_client_body; pcre:"/(^|&)fileName=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,74845; reference:cve,2015-4068; classtype:web-application-attack; sid:34882; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Arcserve Unified Data Protection reportFileServlet directory traversal attempt"; flow:to_server,established; content:"/service/reportFileServlet"; fast_pattern:only; http_uri; content:"fileName"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?fileName((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,74845; reference:cve,2015-4068; classtype:web-application-attack; sid:34881; rev:2;)
# sids 34880 / 34879 / 34878 (CVE-2015-4068) - Arcserve UDP export servlet
# directory traversal. Common preconditions: "logExportZipFile" anywhere in the
# payload (fast_pattern:only, no buffer modifier) and "/export" in the URI.
# One rule per location of the fileName parameter:
#   34880  query string: literal "../" after fileName= in the decoded URI
#          (http_uri, pcre flag U).
#   34879  urlencoded body (pcre flag P): two dots, each literal or %2e,
#          followed by '/', '\', %2f or %5c.
#   34878  multipart body: a Content-Disposition part named fileName whose
#          content holds ".." followed by '/' or '\' before the next "--" line.
# The URI rule relies on http_inspect having decoded the URI, and the body
# rules only see the portion of the request body http_inspect extracts.
# NOTE(review): confirm both settings in this deployment's http_inspect config.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt"; flow:to_server,established; content:"logExportZipFile"; fast_pattern:only; content:"/export"; nocase; http_uri; content:"fileName="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]fileName=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,74845; reference:cve,2015-4068; classtype:web-application-attack; sid:34880; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt"; flow:to_server,established; content:"logExportZipFile"; fast_pattern:only; content:"/export"; nocase; http_uri; content:"fileName="; nocase; http_client_body; pcre:"/(^|&)fileName=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,74845; reference:cve,2015-4068; classtype:web-application-attack; sid:34879; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Arcserve Unified Data Protection export servlet directory traversal attempt"; flow:to_server,established; content:"logExportZipFile"; fast_pattern:only; content:"/export"; nocase; http_uri; content:"fileName"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?fileName((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,74845; reference:cve,2015-4068; classtype:web-application-attack; sid:34878; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8400 (msg:"SERVER-WEBAPP ManageEngine EventLog Analyzer cross site request forgery attempt"; flow:to_server,established; content:"/event/userManagementForm.do"; fast_pattern:only; content:"Referer|3A|"; content:!"/event/index2.do"; within:100; content:"&userType=Administrator"; distance:0; metadata:service http; reference:cve,2014-4930; reference:url,bugtraq,74743; classtype:attempted-user; sid:34875; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SysAid Help Desk RdsLogsEntry servlet directory traversal attempt"; flow:to_server,established; content:"/sysaid/rdslogs"; fast_pattern:only; http_uri; content:"rdsName="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]rdsName=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:bugtraq,75038; reference:cve,2015-2995; classtype:web-application-attack; sid:34962; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SysAid Help Desk RdsLogsEntry servlet directory traversal attempt"; flow:to_server,established; content:"/sysaid/rdslogs"; fast_pattern:only; http_uri; content:"rdsName="; nocase; http_client_body; pcre:"/(^|&)rdsName=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:bugtraq,75038; reference:cve,2015-2995; classtype:web-application-attack; sid:34961; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SysAid Help Desk RdsLogsEntry servlet directory traversal attempt"; flow:to_server,established; content:"/sysaid/rdslogs"; fast_pattern:only; http_uri; content:"rdsName"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?rdsName((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:service http; reference:bugtraq,75038; reference:cve,2015-2995; classtype:web-application-attack; sid:34960; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt"; flow:to_server,established; content:"/SGPAdmin/tsmRequest"; fast_pattern:only; http_uri; content:"cmd=dataonly:"; nocase; http_uri; content:"query="; nocase; http_uri; pcre:"/[?&]query=[^\x3a]*?([\x60\x3b\x7c\x23\x26]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-3915; classtype:web-application-attack; sid:34949; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt"; flow:to_server,established; content:"/SGPAdmin/userRequest"; fast_pattern:only; http_uri; content:"cmd="; nocase; http_uri; content:!"runasync"; http_uri; content:"query="; nocase; http_uri; pcre:"/[?&]query=[^\x3a]*?([\x60\x3b\x7c\x23\x26]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-3915; classtype:web-application-attack; sid:34948; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP SoapClient __call method type confusion attempt"; flow:to_server,established; content:"17:|22|__default_headers"; fast_pattern:only; http_client_body; metadata:service http; reference:cve,2015-4147; reference:url,bugs.php.net/bug.php?id=69085; classtype:attempted-user; sid:34983; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SysAid Help Desk getAgentLogFile directory traversal attempt"; flow:to_server,established; content:"/sysaid/getAgentLogFile"; fast_pattern:only; http_uri; content:"accountId="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]accountId=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:bugtraq,75038; reference:cve,2015-2997; classtype:web-application-attack; sid:34981; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SysAid Help Desk getAgentLogFile directory traversal attempt"; flow:to_server,established; content:"/sysaid/getAgentLogFile"; fast_pattern:only; http_uri; content:"accountId="; nocase; http_client_body; pcre:"/(^|&)accountId=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:bugtraq,75038; reference:cve,2015-2997; classtype:web-application-attack; sid:34980; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SysAid Help Desk getAgentLogFile directory traversal attempt"; flow:to_server,established; content:"/sysaid/getAgentLogFile"; fast_pattern:only; http_uri; content:"accountId"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?accountId((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:service http; reference:bugtraq,75038; reference:cve,2015-2997; classtype:web-application-attack; sid:34979; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SysAid Help Desk getGfiUpgradeFile directory traversal attempt"; flow:to_server,established; content:"/sysaid/getGfiUpgradeFile"; fast_pattern:only; http_uri; content:"fileName="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]fileName=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,75038; reference:cve,2015-2996; classtype:web-application-attack; sid:34978; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SysAid Help Desk getGfiUpgradeFile directory traversal attempt"; flow:to_server,established; content:"/sysaid/getGfiUpgradeFile"; fast_pattern:only; http_uri; content:"fileName="; nocase; http_client_body; pcre:"/(^|&)fileName=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,75038; reference:cve,2015-2996; classtype:web-application-attack; sid:34977; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SysAid Help Desk getGfiUpgradeFile directory traversal attempt"; flow:to_server,established; content:"/sysaid/getGfiUpgradeFile"; fast_pattern:only; http_uri; content:"fileName"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?fileName((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,75038; reference:cve,2015-2996; classtype:web-application-attack; sid:34976; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell ZENworks Configuration Management queryid SQL injection attempt"; flow:to_server,established; content:"act=schedule.ScheduleQuery"; fast_pattern:only; http_uri; content:"/zenworks/rtr"; nocase; http_uri; content:"queryid="; nocase; http_uri; content:"|3B|"; distance:0; http_uri; pcre:"/[?&]queryid=[^&]*?\x3b/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72808; reference:cve,2015-0782; classtype:web-application-attack; sid:35000; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell ZENworks Configuration Management queryid SQL injection attempt"; flow:to_server,established; content:"act=schedule.ScheduleQuery"; fast_pattern:only; content:"/zenworks/rtr"; nocase; http_uri; content:"queryid="; nocase; http_client_body; pcre:"/(^|&)queryid=[^&]*?(\x3b|%3b)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72808; reference:cve,2015-0782; classtype:web-application-attack; sid:34999; rev:3;)
# sids 35017 / 35016 / 35015 / 35014 - Centreon SQL injection (CVE-2014-3828;
# sid 35015 also references CVE-2015-1560). Every rule requires "/centreon/" in
# the URI, so an installation published under a different path prefix is not
# covered without a local variant of these rules.
#   35017  makeXML_ListMetrics.php, index_id= in the URI: ' or ;
#   35016  cmdGetExample.php, index= in the body: ' ; %27 %3b
#   35015  GetXmlTree.php, sid= in the URI: ' " ; # or the sequences /* and --
#   35014  GetXMLTrapsForVendor.php, mnftr_id= in the body: ' ; %27 %3b
# These are metacharacter-presence checks on one named parameter each, not SQL
# parsing: a legitimate value containing one of those characters will also
# alert, so triage hits against the request and the server's own logs.
# The URI rules use the decoded URI buffer (pcre flag U); the body rules use
# the unnormalized client body (pcre flag P) and therefore list the
# percent-encoded forms explicitly.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Centreon makeXML_ListMetrics.php SQL injection attempt"; flow:to_server,established; content:"/centreon/"; nocase; http_uri; content:"makeXML_ListMetrics.php"; fast_pattern:only; http_uri; content:"index_id="; nocase; http_uri; pcre:"/[?&]index_id=[^&]*?[\x27\x3b]/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,70648; reference:cve,2014-3828; classtype:web-application-attack; sid:35017; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Centreon cmdGetExample.php SQL injection attempt"; flow:to_server,established; content:"/centreon/"; nocase; http_uri; content:"cmdGetExample.php"; fast_pattern:only; http_uri; content:"index="; nocase; http_client_body; pcre:"/(^|&)index=[^&]*?([\x27\x3b]|%27|%3b)/Pim"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,70648; reference:cve,2014-3828; classtype:web-application-attack; sid:35016; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Centreon GetXmlTree.php SQL injection attempt"; flow:to_server,established; content:"/centreon/"; nocase; http_uri; content:"GetXmlTree.php"; fast_pattern:only; http_uri; content:"sid="; nocase; http_uri; pcre:"/[?&]sid=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,70648; reference:bugtraq,75602; reference:cve,2014-3828; reference:cve,2015-1560; classtype:web-application-attack; sid:35015; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Centreon GetXMLTrapsForVendor.php SQL injection attempt"; flow:to_server,established; content:"/centreon/"; nocase; http_uri; content:"GetXMLTrapsForVendor.php"; fast_pattern:only; http_uri; content:"mnftr_id="; nocase; http_client_body; pcre:"/(^|&)mnftr_id=[^&]*?([\x27\x3b]|%27|%3b)/Pim"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,70648; reference:cve,2014-3828; classtype:web-application-attack; sid:35014; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt"; flow:to_server,established; content:"x:i:"; content:"|3B|m:i"; within:100; fast_pattern; metadata:service http; reference:cve,2014-3515; classtype:attempted-user; sid:35011; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt"; flow:to_server,established; content:"x:i:"; content:"|3B|m:s"; within:100; fast_pattern; metadata:service http; reference:cve,2014-3515; classtype:attempted-user; sid:35010; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt"; flow:to_server,established; file_data; content:"x:i:"; content:"|3B|m:i"; within:100; fast_pattern; metadata:service smtp; reference:cve,2014-3515; classtype:attempted-user; sid:35009; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt"; flow:to_client,established; file_data; content:"x:i:"; content:"|3B|m:i"; within:100; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-3515; classtype:attempted-user; sid:35008; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt"; flow:to_server,established; file_data; content:"x:i:"; content:"|3B|m:s"; within:100; fast_pattern; metadata:service smtp; reference:cve,2014-3515; classtype:attempted-user; sid:35007; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt"; flow:to_client,established; file_data; content:"x:i:"; content:"|3B|m:s"; within:100; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-3515; classtype:attempted-user; sid:35006; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP PHP php_parse_metadata heap corruption attempt"; flow:to_server,established; flowbits:isset,file.tar; file_data; content:"__HALT_COMPILER()|3B|"; fast_pattern:only; content:"ustar|00|00"; depth:8; offset:257; content:"00000000000|00|"; depth:12; offset:124; metadata:service smtp; reference:cve,2015-3307; classtype:attempted-dos; sid:35041; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP PHP php_parse_metadata heap corruption attempt"; flow:to_client,established; flowbits:isset,file.tar; file_data; content:"__HALT_COMPILER()|3B|"; fast_pattern:only; content:"ustar|00|00"; depth:8; offset:257; content:"00000000000|00|"; depth:12; offset:124; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-3307; classtype:attempted-dos; sid:35040; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LANDesk Management Suite remote file include attempt"; flow:to_server,established; content:"/remote/frm_coremainfrm.aspx"; fast_pattern:only; http_uri; content:"d="; nocase; http_uri; pcre:"/[?&]d=[^&]*?(http|ftp)/Ui"; metadata:policy security-ips drop, service http; reference:bugtraq,74190; reference:cve,2014-5362; classtype:web-application-attack; sid:35033; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LANDesk Management Suite remote file include attempt"; flow:to_server,established; content:"/ldms/sm_actionfrm.asp"; fast_pattern:only; http_uri; content:"d="; nocase; http_uri; pcre:"/[?&]d=[^&]*?(http|ftp)/Ui"; metadata:policy security-ips drop, service http; reference:bugtraq,74190; reference:cve,2014-5362; classtype:web-application-attack; sid:35032; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt"; flow:to_server,established; content:"/ADMIN/mailqueue.spl"; fast_pattern:only; http_uri; content:"sid"; nocase; http_cookie; content:"id="; nocase; http_uri; pcre:"/[?&]id=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.watchguard.com/support/release-notes/xcs/index.aspx; classtype:web-application-attack; sid:35026; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt"; flow:to_server,established; content:"/ADMIN/mailqueue.spl"; fast_pattern:only; http_uri; content:"sid"; nocase; http_cookie; content:"id="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; pcre:"/[?&]id=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.watchguard.com/support/release-notes/xcs/index.aspx; classtype:web-application-attack; sid:35025; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt"; flow:to_server,established; content:"/ADMIN/mailqueue.spl"; fast_pattern:only; http_uri; content:"sid"; nocase; http_cookie; content:"id="; nocase; http_client_body; pcre:"/(^|&)id=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.watchguard.com/support/release-notes/xcs/index.aspx; classtype:web-application-attack; sid:35024; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager getMGList groupId SQL injection attempt"; flow:to_server,established; content:"/ApmAdminServices/ListMonitorGroups"; fast_pattern:only; http_uri; content:"groupId="; nocase; http_uri; pcre:"/[?&]groupId=[^&]*?\x3b/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:35079; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager getMGList groupId SQL injection attempt"; flow:to_server,established; content:"/ApmAdminServices/ListMonitorGroups"; fast_pattern:only; http_uri; content:"groupId="; nocase; http_client_body; pcre:"/(^|&)groupId=[^&]*?(\x3b|%3b)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:35078; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager getMGList groupId SQL injection attempt"; flow:to_server,established; content:"/ApmAdminServices/ListMonitorGroups"; fast_pattern:only; http_uri; content:"groupId"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?groupId((?!^--).)*?[\r\n]{2,}((?!^--).)*?\x3b/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:35077; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt"; flow:to_server,established; content:"/ApmAdminServices/"; fast_pattern:only; http_uri; content:"haid="; nocase; http_uri; pcre:"/[?&](to)?haid=[^&]*?\x3b/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:35281; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt"; flow:to_server,established; content:"/ApmAdminServices/"; fast_pattern:only; http_uri; content:"haid="; nocase; http_client_body; pcre:"/(^|&)(to)?haid=[^&]*?(\x3b|%3b)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:35280; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt"; flow:to_server,established; content:"/ApmAdminServices/"; fast_pattern:only; http_uri; content:"haid"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?(to)?haid((?!^--).)*?[\r\n]{2,}((?!^--).)*?\x3b/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:35279; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Accellion FTA verify_oauth_token command injection attempt"; flow:to_server,established; content:"/tws/getStatus"; fast_pattern:only; http_uri; content:"oauth_token="; nocase; http_uri; pcre:"/[?&]oauth_token=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-2857; classtype:web-application-attack; sid:35260; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Accellion FTA verify_oauth_token command injection attempt"; flow:to_server,established; content:"/tws/getStatus"; fast_pattern:only; http_uri; content:"oauth_token="; nocase; http_client_body; pcre:"/(^|&)oauth_token=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-2857; classtype:web-application-attack; sid:35259; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Accellion FTA verify_oauth_token command injection attempt"; flow:to_server,established; content:"/seos/"; nocase; http_uri; content:".api"; nocase; http_uri; content:"oauth_token="; fast_pattern:only; http_uri; pcre:"/[?&]oauth_token=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-2857; classtype:web-application-attack; sid:35258; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Accellion FTA verify_oauth_token command injection attempt"; flow:to_server,established; content:"/seos/"; nocase; http_uri; content:".api"; nocase; http_uri; content:"oauth_token="; fast_pattern:only; http_client_body; pcre:"/(^|&)oauth_token=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-2857; classtype:web-application-attack; sid:35257; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Accellion Secure File Sharing Appliance command injection attempt"; flow:to_server,established; content:"/tws/setStatus"; fast_pattern:only; http_uri; content:"aid="; nocase; http_client_body; pcre:"/(^|&)aid=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:35246; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Accellion Secure File Sharing Appliance command injection attempt"; flow:to_server,established; content:"/tws/setStatus"; fast_pattern:only; http_uri; content:"aid="; nocase; http_client_body; content:"name"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?aid=((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|\x24\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:35245; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Accellion Secure File Sharing Appliance command injection attempt"; flow:to_server,established; content:"/tws/setStatus"; fast_pattern:only; http_uri; content:"aid="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; pcre:"/[?&]aid=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:35244; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Accellion Secure File Sharing Appliance command injection attempt"; flow:to_server,established; content:"/tws/setStatus"; fast_pattern:only; http_uri; content:"aid="; nocase; http_uri; pcre:"/[?&]aid=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:35243; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Accellion FTA arbitrary file read attempt"; flow:to_server,established; content:"/courier/intermediate_login"; fast_pattern:only; http_uri; content:"statecode"; nocase; http_cookie; content:"%00"; http_cookie; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-2856; classtype:attempted-recon; sid:35302; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Centreon getStats.php command injection attempt"; flow:to_server,established; content:"/centreon/"; nocase; http_uri; content:"getStats.php"; fast_pattern:only; http_uri; pcre:"/[?&](ns_id|end)=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:service http; reference:bugtraq,75605; reference:cve,2015-1561; classtype:web-application-attack; sid:35311; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Centreon getStats.php command injection attempt"; flow:to_server,established; content:"/centreon/"; nocase; http_uri; content:"getStats.php"; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&](ns_id|end)=[^&]*?%26/Ii"; metadata:service http; reference:bugtraq,75605; reference:cve,2015-1561; classtype:web-application-attack; sid:35310; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WebUI mainfile.php command injection attempt"; flow:to_server,established; content:"/mainfile.php"; fast_pattern:only; http_uri; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?(username|password|Logon)((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|\x24\x28)/Psim"; metadata:policy max-detect-ips drop, service http; classtype:web-application-attack; sid:35375; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WebUI mainfile.php command injection attempt"; flow:to_server,established; content:"/mainfile.php"; fast_pattern:only; http_uri; pcre:"/(^|&)(username|password|Logon)=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pim"; metadata:policy max-detect-ips drop, service http; classtype:web-application-attack; sid:35374; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WebUI mainfile.php command injection attempt"; flow:to_server,established; content:"/mainfile.php"; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&](username|password|Logon)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, service http; classtype:web-application-attack; sid:35373; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WebUI mainfile.php command injection attempt"; flow:to_server,established; content:"/mainfile.php"; fast_pattern:only; http_uri; pcre:"/[?&](username|password|Logon)=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy max-detect-ips drop, service http; classtype:web-application-attack; sid:35372; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cacti selected_items SQL injection attempt"; flow:to_server,established; content:"/cacti/"; nocase; http_uri; content:".php"; nocase; http_uri; content:"selected_items="; nocase; http_client_body; pcre:"/(^|&)selected_items=[^&]*?(\x27|%27)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,bugs.cacti.net/view.php?id=2582; classtype:web-application-attack; sid:35359; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress RightNow theme file upload attempt"; flow:to_server,established; content:"/wp-content/themes/RightNow/includes/uploadify/upload_settings_image.php"; fast_pattern:only; http_uri; content:"filename="; http_client_body; metadata:service http; classtype:web-application-attack; sid:35358; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AirLink101 SkyIPCam snwrite.cgi command injection attempt"; flow:to_server,established; content:"/maker/snwrite.cgi"; fast_pattern:only; http_uri; content:"mac="; nocase; http_uri; pcre:"/[?&]mac=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,75597; reference:cve,2015-2280; classtype:web-application-attack; sid:35357; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AirLink101 SkyIPCam snwrite.cgi command injection attempt"; flow:to_server,established; content:"/maker/snwrite.cgi"; fast_pattern:only; http_uri; content:"mac="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; pcre:"/[?&]mac=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,75597; reference:cve,2015-2280; classtype:web-application-attack; sid:35356; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cacti graphs local_graph_id SQL injection attempt"; flow:to_server,established; content:"/cacti/graphs"; fast_pattern:only; http_uri; content:"local_graph_id="; nocase; http_client_body; pcre:"/(^|&)local_graph_id=[^&]*?([\x27\x3b\x28\x29]|%27|%3b|%28|%29)/Pim"; metadata:service http; reference:bugtraq,75984; reference:cve,2015-4634; classtype:web-application-attack; sid:35354; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress MailChimp Subscribe Forms PHP Code Execution command injection attempt"; flow:to_server,established; content:"/wp-content/plugins/mailchimp-subscribe-sm/data.php"; fast_pattern:only; http_uri; content:"sm_email="; nocase; http_client_body; pcre:"/(^|&)sm_email=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pim"; metadata:service http; classtype:web-application-attack; sid:35399; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt"; flow:to_server,established; content:"/ApmAdminServices/CustomerMgmt"; fast_pattern:only; http_uri; content:"customerName="; nocase; http_uri; pcre:"/[?&]customerName=[^&]*?[\x27\x3b]/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:35429; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt"; flow:to_server,established; content:"/ApmAdminServices/CustomerMgmt"; fast_pattern:only; http_uri; content:"customerName="; nocase; http_client_body; pcre:"/(^|&)customerName=[^&]*?([\x27\x3b]|%27|%3b)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:35428; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt"; flow:to_server,established; content:"/ApmAdminServices/CustomerMgmt"; fast_pattern:only; http_uri; content:"customerName"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?customerName((?!^--).)*?[\r\n]{2,}((?!^--).)*?[\x27\x3b]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:35427; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt"; flow:to_server,established; content:"/servlet/BSIntegInfoHandler"; fast_pattern:only; http_uri; content:"resIds="; nocase; http_uri; pcre:"/[?&]resIds=[^&]*?[\x29\x3b]/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:35535; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt"; flow:to_server,established; content:"/servlet/BSIntegInfoHandler"; fast_pattern:only; http_uri; content:"resIds="; nocase; http_client_body; pcre:"/(^|&)resIds=[^&]*?([\x29\x3b]|%29|%3b)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:35534; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt"; flow:to_server,established; content:"/servlet/BSIntegInfoHandler"; fast_pattern:only; http_uri; content:"resIds"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?resIds((?!^--).)*?[\r\n]{2,}((?!^--).)*?[\x29\x3b]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:35533; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Apache HTTP server mod_cache denial of service attempt"; flow:to_client,established; content:"2"; depth:1; http_stat_code; content:"Location:|0D 0A|"; fast_pattern:only; http_header; metadata:service http, service ssl; reference:bugtraq,69248; reference:cve,2013-4352; reference:url,cwe.mitre.org/data/definitions/476.html; reference:url,httpd.apache.org/security/vulnerabilities_24.html; classtype:attempted-dos; sid:35532; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Apache HTTP server mod_cache denial of service attempt"; flow:to_client,established; content:"2"; depth:1; http_stat_code; content:"Content-Location:|0D 0A|"; fast_pattern:only; http_header; metadata:service http, service ssl; reference:bugtraq,69248; reference:cve,2013-4352; reference:url,cwe.mitre.org/data/definitions/476.html; reference:url,httpd.apache.org/security/vulnerabilities_24.html; classtype:attempted-dos; sid:35531; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Endpoint Protection directory traversal attempt"; flow:to_server,established; content:"/servlet/ConsoleServlet"; fast_pattern:only; http_uri; content:"PackageFile"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?PackageFile((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:service http; reference:cve,2015-1487; reference:cve,2015-1488; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20150730_00; classtype:web-application-attack; sid:35613; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Endpoint Protection directory traversal attempt"; flow:to_server,established; content:"/servlet/ConsoleServlet"; fast_pattern:only; http_uri; content:"PackageFile="; nocase; http_client_body; pcre:"/(^|&)PackageFile=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:cve,2015-1487; reference:cve,2015-1488; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20150730_00; classtype:web-application-attack; sid:35612; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Endpoint Protection directory traversal attempt"; flow:to_server,established; content:"/servlet/ConsoleServlet"; fast_pattern:only; http_uri; content:"PackageFile="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]PackageFile=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:cve,2015-1487; reference:cve,2015-1488; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20150730_00; classtype:web-application-attack; sid:35611; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Websense Triton Content Manager handle_debug_network stack buffer overflow attempt"; flow:to_server,established; content:"/submit_net_debug.cgi"; fast_pattern:only; http_uri; content:"cmd_param="; nocase; http_client_body; isdataat:500,relative; content:!"&"; within:500; http_client_body; metadata:service http; reference:bugtraq,75160; reference:cve,2015-5718; classtype:attempted-admin; sid:35594; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Watchguard XCS compose.php SQL injection attempt"; flow:to_server,established; content:"/borderpost/imp/compose.php"; fast_pattern:only; http_uri; content:"sid="; nocase; http_raw_cookie; content:"%3B"; distance:0; nocase; http_raw_cookie; pcre:"/sid=[^\x3b]*?%3B/Ki"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.watchguard.com/support/release-notes/xcs/index.aspx; classtype:attempted-admin; sid:35573; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Maarch LetterBox arbitrary PHP file upload attempt"; flow:to_server,established; content:"/file_to_index.php"; fast_pattern:only; http_uri; content:"<?"; http_client_body; metadata:service http; reference:bugtraq,72621; reference:cve,2015-1587; classtype:attempted-admin; sid:35704; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt"; flow:to_server,established; content:"/AgentActionServlet"; fast_pattern:only; http_uri; content:"agentKey="; nocase; http_uri; pcre:"/[?&]agentKey=[^&]*?\x3b/Ui"; metadata:policy max-detect-ips drop, service http; classtype:web-application-attack; sid:35703; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt"; flow:to_server,established; content:"/AgentActionServlet"; fast_pattern:only; http_uri; content:"agentKey="; nocase; http_client_body; pcre:"/(^|&)agentKey=[^&]*?(\x3b|%3b)/Pim"; metadata:policy max-detect-ips drop, service http; classtype:web-application-attack; sid:35702; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt"; flow:to_server,established; content:"/AgentActionServlet"; fast_pattern:only; http_uri; content:"agentKey"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?agentKey((?!^--).)*?[\r\n]{2,}((?!^--).)*?\x3b/Psim"; metadata:policy max-detect-ips drop, service http; classtype:web-application-attack; sid:35701; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Semantec Endpoint Protection Manager server elevated privilege code execution attempt"; flow:to_server,established; content:"com.sygate.scm.server.util"; nocase; content:"SemLaunchService.getInstance().execute("; within:500; fast_pattern; content:"CommonCMD"; within:20; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-1489; classtype:attempted-admin; sid:35687; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell KACE Appliance kbot_upload.php directory traversal attempt"; flow:to_server,established; content:"/service/kbot_upload.php"; fast_pattern:only; http_uri; content:"machineId="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]machineId=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:35684; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell KACE Appliance kbot_upload.php directory traversal attempt"; flow:to_server,established; content:"/service/kbot_upload.php"; fast_pattern:only; http_uri; content:"machineId="; nocase; http_client_body; pcre:"/(^|&)machineId=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:35683; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell KACE Appliance kbot_upload.php directory traversal attempt"; flow:to_server,established; content:"/service/kbot_upload.php"; fast_pattern:only; http_uri; content:"machineId"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?machineId((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:35682; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell KACE Appliance kbot_upload.php authentication bypass attempt"; flow:to_server,established; content:"/service/kbot_upload.php"; fast_pattern:only; http_uri; content:"checksum=SCRAMBLE"; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:35681; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell KACE Appliance downloadpxy.php directory traversal attempt"; flow:to_server,established; content:"/userui/downloadpxy.php"; fast_pattern:only; http_uri; content:"DOWNLOAD_FILE="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]DOWNLOAD_FILE=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:35680; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell KACE Appliance downloadpxy.php directory traversal attempt"; flow:to_server,established; content:"/userui/downloadpxy.php"; fast_pattern:only; http_uri; content:"DOWNLOAD_FILE="; nocase; http_client_body; pcre:"/(^|&)DOWNLOAD_FILE=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:35679; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell KACE Appliance downloadpxy.php directory traversal attempt"; flow:to_server,established; content:"/userui/downloadpxy.php"; fast_pattern:only; http_uri; content:"DOWNLOAD_FILE"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?DOWNLOAD_FILE((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:35678; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell KACE Appliance KSudoClient privilege escalation attempt"; flow:to_server,established; content:"KSudoClient.class.php"; fast_pattern:only; http_client_body; content:"RunCommandWait"; nocase; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-admin; sid:35677; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP Novell GroupWise WebAccess cross-site scripting attempt"; flow:to_server,established; file_data; content:"<html>"; content:"onload"; fast_pattern:only; pcre:"/\x3C[^>]*?[\x22\x27]onload\s*=/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2014-0611; classtype:attempted-user; sid:35669; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Novell GroupWise WebAccess cross-site scripting attempt"; flow:to_client,established; file_data; content:"<html>"; content:"onload"; fast_pattern:only; pcre:"/\x3C[^>]*?[\x22\x27]onload\s*=/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0611; classtype:attempted-user; sid:35668; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNDR4700 and R6200 admin interface authentication bypass attempt"; flow:to_server,established; content:"/BRS_03B_haveBackupFile_fileRestore.html"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,59406; reference:cve,2013-3071; classtype:attempted-admin; sid:35734; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Pimcore CMS add-asset-compatibility directory traversal attempt"; flow:to_server,established; content:"/admin/asset/add-asset-compatibility"; fast_pattern:only; http_uri; content:"dir="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]dir=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:bugtraq,75729; reference:cve,2015-4425; classtype:web-application-attack; sid:35709; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Pimcore CMS add-asset-compatibility directory traversal attempt"; flow:to_server,established; content:"/admin/asset/add-asset-compatibility"; fast_pattern:only; http_uri; content:"dir="; nocase; http_client_body; pcre:"/(^|&)dir=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:bugtraq,75729; reference:cve,2015-4425; classtype:web-application-attack; sid:35708; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Pimcore CMS add-asset-compatibility directory traversal attempt"; flow:to_server,established; content:"/admin/asset/add-asset-compatibility"; fast_pattern:only; http_uri; content:"dir"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?dir((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:service http; reference:bugtraq,75729; reference:cve,2015-4425; classtype:web-application-attack; sid:35707; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Endeca Server RenameFile method directory traversal attempt"; flow:to_server,established; content:"/clover/webservice"; fast_pattern:only; http_uri; content:"RenameFile"; nocase; http_client_body; content:"<path"; nocase; http_client_body; pcre:"/<path[^>]*?>[^<]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:service http; reference:bugtraq,75758; reference:cve,2015-2606; classtype:attempted-admin; sid:35818; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Endeca Server RenameFile method directory traversal attempt"; flow:to_server,established; content:"/clover/webservice"; fast_pattern:only; http_uri; content:"RenameFile"; nocase; http_client_body; content:"<newName"; nocase; http_client_body; pcre:"/<newName[^>]*?>[^<]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:service http; reference:bugtraq,75758; reference:cve,2015-2606; classtype:attempted-admin; sid:35817; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Endeca server directory traversal attempt"; flow:to_server,established; content:"/clover/webservice"; fast_pattern:only; http_uri; content:"Path"; nocase; http_client_body; pcre:"/Path[^>]*?>[^<]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,75750; reference:bugtraq,75755; reference:bugtraq,75756; reference:bugtraq,75757; reference:bugtraq,75758; reference:cve,2015-2602; reference:cve,2015-2604; reference:cve,2015-2605; reference:cve,2015-2606; reference:cve,2015-4745; classtype:attempted-admin; sid:35847; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Navis DocumentCloud WordPress plugin window.php cross site scripting attempt"; flow:to_server,established; content:"/wp-content/plugins/navis-documentcloud/js/window.php"; fast_pattern:only; http_uri; content:"wpbase="; nocase; http_uri; pcre:"/[?&]wpbase=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2015-2807; classtype:attempted-user; sid:35846; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Endeca Server MoveFile method directory traversal attempt"; flow:to_server,established; content:"/clover/webservice"; fast_pattern:only; http_uri; content:"MoveFile"; nocase; http_client_body; content:"<targetPath"; nocase; http_client_body; pcre:"/<targetPath[^>]*?>[^<]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:service http; reference:bugtraq,75756; reference:cve,2015-2605; classtype:attempted-admin; sid:35844; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Endeca Server MoveFile method directory traversal attempt"; flow:to_server,established; content:"/clover/webservice"; fast_pattern:only; http_uri; content:"MoveFile"; nocase; http_client_body; content:"<sourcePath"; nocase; http_client_body; pcre:"/<sourcePath[^>]*?>[^<]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:service http; reference:bugtraq,75756; reference:cve,2015-2605; classtype:attempted-admin; sid:35843; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP exif_ifd_make_value thumbnail heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF E1|"; depth:4; content:"MM|00 2A|"; distance:0; content:"|0C|"; within:100; byte_test:4,>=,8,0,relative,big; metadata:service http; reference:cve,2014-3670; classtype:attempted-dos; sid:35856; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP exif_ifd_make_value thumbnail heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF E1|"; depth:4; content:"MM|00 2A|"; distance:0; content:"|0B|"; within:100; byte_test:4,>=,8,0,relative,big; metadata:service http; reference:cve,2014-3670; classtype:attempted-dos; sid:35855; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP exif_ifd_make_value thumbnail heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF E1|"; depth:4; content:"II|2A 00|"; distance:0; content:"|0C|"; within:100; byte_test:4,>=,8,0,relative,little; metadata:service http; reference:cve,2014-3670; classtype:attempted-dos; sid:35854; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP exif_ifd_make_value thumbnail heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|FF D8 FF E1|"; depth:4; content:"II|2A 00|"; distance:0; content:"|0B|"; within:100; byte_test:4,>=,8,0,relative,little; metadata:service http; reference:cve,2014-3670; classtype:attempted-dos; sid:35853; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-WEBAPP Qualcomm WorldMail IMAP append directory traversal attempt"; flow:to_server,established; content:"APPEND"; fast_pattern:only; pcre:"/\sAPPEND[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/smi"; metadata:service imap; reference:bugtraq,15488; reference:cve,2005-3189; classtype:web-application-attack; sid:35934; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-WEBAPP Qualcomm WorldMail IMAP select directory traversal attempt"; flow:to_server,established; content:"SELECT"; fast_pattern:only; pcre:"/\sSELECT[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/smi"; metadata:service imap; reference:bugtraq,15488; reference:cve,2005-3189; classtype:web-application-attack; sid:35933; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP phar_parse_tarfile method integer overflow attempt"; flow:to_server,established; file_data; content:"ustar"; depth:5; offset:257; fast_pattern; content:"|00|"; depth:1; metadata:service http; reference:bugtraq,74700; reference:cve,2015-4021; reference:url,php.net/ChangeLog-5.php|23|5.6.9; classtype:attempted-user; sid:35940; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt"; flow:to_server,established; content:"/script/NEI_ModuleDispatch.php"; fast_pattern:only; http_uri; content:"name="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]name=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.csoonline.com/article/2980937/vulnerabilities/researcher-discloses-zero-day-vulnerability-in-fireeye.html; classtype:web-application-attack; sid:36024; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt"; flow:to_server,established; content:"/script/NEI_ModuleDispatch.php"; fast_pattern:only; http_uri; content:"name="; nocase; http_client_body; pcre:"/(^|&)name=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.csoonline.com/article/2980937/vulnerabilities/researcher-discloses-zero-day-vulnerability-in-fireeye.html; classtype:web-application-attack; sid:36023; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt"; flow:to_server,established; content:"/script/NEI_ModuleDispatch.php"; fast_pattern:only; http_uri; content:"name"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?name((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.csoonline.com/article/2980937/vulnerabilities/researcher-discloses-zero-day-vulnerability-in-fireeye.html; classtype:web-application-attack; sid:36022; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt"; flow:to_server,established; content:"/webapi/VideoStation/subtitle.cgi"; fast_pattern:only; http_uri; content:"subtitle_codepage="; nocase; http_uri; pcre:"/[?&]subtitle_codepage=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.synology.com/en-us/releaseNote/VideoStation; classtype:web-application-attack; sid:36033; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt"; flow:to_server,established; content:"/webapi/VideoStation/subtitle.cgi"; fast_pattern:only; http_uri; content:"subtitle_codepage="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; pcre:"/[?&]subtitle_codepage=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.synology.com/en-us/releaseNote/VideoStation; classtype:web-application-attack; sid:36032; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt"; flow:to_server,established; content:"/webapi/VideoStation/subtitle.cgi"; fast_pattern:only; http_uri; content:"subtitle_codepage="; nocase; http_client_body; pcre:"/(^|&)subtitle_codepage=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.synology.com/en-us/releaseNote/VideoStation; classtype:web-application-attack; sid:36031; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt"; flow:to_server,established; content:"/webapi/VideoStation/subtitle.cgi"; fast_pattern:only; http_uri; content:"subtitle_codepage"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?subtitle_codepage((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|\x24\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.synology.com/en-us/releaseNote/VideoStation; classtype:web-application-attack; sid:36030; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Silver Peak VXOA snmp JSON interface command injection attempt"; flow:to_server,established; content:"/rest/json/snmp"; fast_pattern:only; http_uri; content:"|22|auth_key|22|"; nocase; http_client_body; pcre:"/\x22auth_key\x22[\s\r\n]*\x3a[\s\r\n]*\x22[^\x22]*?([\x60\x3b\x7c\x26]|\x24\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.silver-peak.com/support/security-advisories; classtype:attempted-admin; sid:36053; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Silver Peak VXOA JSON interface hidden credentials authentication attempt"; flow:to_server,established; content:"/rest/json/login"; fast_pattern:only; http_uri; content:"spsadmin"; nocase; http_client_body; content:"Silverpeak123"; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.silver-peak.com/support/security-advisories; classtype:attempted-admin; sid:36052; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Synology Video Station audiotrack.cgi SQL injection attempt"; flow:to_server,established; content:"/webapi/VideoStation/audiotrack.cgi"; fast_pattern:only; http_uri; content:"id="; nocase; http_uri; pcre:"/[?&]id=[^&]*?[\x3b\x28\x29\x3d]/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.synology.com/en-us/releaseNote/VideoStation; classtype:web-application-attack; sid:36051; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Synology Video Station audiotrack.cgi SQL injection attempt"; flow:to_server,established; content:"/webapi/VideoStation/audiotrack.cgi"; fast_pattern:only; http_uri; content:"id="; nocase; http_client_body; pcre:"/(^|&)id=[^&]*?([\x3b\x28\x29\x3d]|%3b|%28|%29|%3d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.synology.com/en-us/releaseNote/VideoStation; classtype:web-application-attack; sid:36050; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Synology Video Station audiotrack.cgi SQL injection attempt"; flow:to_server,established; content:"/webapi/VideoStation/audiotrack.cgi"; fast_pattern:only; http_uri; content:"id"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?id((?!^--).)*?[\r\n]{2,}((?!^--).)*?[\x3b\x28\x29\x3d]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.synology.com/en-us/releaseNote/VideoStation; classtype:web-application-attack; sid:36049; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Synology Video Station watchstatus.cgi SQL injection attempt"; flow:to_server,established; content:"/webapi/VideoStation/watchstatus.cgi"; fast_pattern:only; http_uri; content:"id="; nocase; http_uri; pcre:"/[?&]id=[^&]*?[\x3b\x28\x29\x3d]/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.synology.com/en-us/releaseNote/VideoStation; classtype:web-application-attack; sid:36043; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Synology Video Station watchstatus.cgi SQL injection attempt"; flow:to_server,established; content:"/webapi/VideoStation/watchstatus.cgi"; fast_pattern:only; http_uri; content:"id="; nocase; http_client_body; pcre:"/(^|&)id=[^&]*?([\x3b\x28\x29\x3d]|%3b|%28|%29|%3d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.synology.com/en-us/releaseNote/VideoStation; classtype:web-application-attack; sid:36042; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Synology Video Station watchstatus.cgi SQL injection attempt"; flow:to_server,established; content:"/webapi/VideoStation/watchstatus.cgi"; fast_pattern:only; http_uri; content:"id"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?id((?!^--).)*?[\r\n]{2,}((?!^--).)*?[\x3b\x28\x29\x3d]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.synology.com/en-us/releaseNote/VideoStation; classtype:web-application-attack; sid:36041; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell Zenworks Mobile Management cross site scripting attempt"; flow:to_server,established; content:"/index.php"; http_uri; content:"domain="; fast_pattern:only; http_client_body; pcre:"/domain=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src|onclick|onfocus)/P"; metadata:policy max-detect-ips drop, service http; reference:url,securitytracker.com/id?1032576; classtype:attempted-user; sid:36040; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell Zenworks Mobile Management cross site scripting attempt"; flow:to_server,established; content:"/index.php?"; http_uri; content:"domain="; fast_pattern:only; http_uri; pcre:"/[?&]domain=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src|onclick|onfocus)/Ui"; metadata:policy max-detect-ips drop, service http; reference:url,securitytracker.com/id?1032576; classtype:attempted-user; sid:36039; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell Zenworks Mobile Management cross site scripting attempt"; flow:to_server,established; content:"/index.php"; http_uri; content:"username="; fast_pattern:only; http_client_body; pcre:"/username=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src|onclick|onfocus)/P"; metadata:policy max-detect-ips drop, service http; reference:url,securitytracker.com/id?1032576; classtype:attempted-user; sid:36038; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell Zenworks Mobile Management cross site scripting attempt"; flow:to_server,established; content:"/index.php?"; http_uri; content:"username="; fast_pattern:only; http_uri; pcre:"/[?&]username=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src|onclick|onfocus)/Ui"; metadata:policy max-detect-ips drop, service http; reference:url,securitytracker.com/id?1032576; classtype:attempted-user; sid:36037; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHP CDF file handling infinite loop dos attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|E0 85 9F F2 F9 4F 68 10 AB 91 08 00 2B 27 B3 D9|"; content:"|1F 10 00 00 00 00|"; within:150; metadata:service http; reference:bugtraq,67765; reference:cve,2014-0238; reference:url,php.net/ChangeLog-5.php|23|5.4.29; classtype:attempted-dos; sid:36059; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache ActiveMQ directory traversal attempt"; flow:to_server,established; content:"Destination|3A|"; fast_pattern:only; http_header; content:"MOVE"; depth:4; http_method; pcre:"/Destination\x3a[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Hi"; metadata:policy max-detect-ips drop, service http; reference:cve,2015-1830; classtype:web-application-attack; sid:36057; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Silver Peak VXOA configdb_file.php arbitrary PHP file upload attempt"; flow:to_server,established; content:"/php/configdb_file.php"; fast_pattern:only; http_uri; content:"userfile"; nocase; http_client_body; content:"<?"; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.silver-peak.com/support/security-advisories; classtype:attempted-admin; sid:36104; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt"; flow:to_server,established; content:"/ExportImport.do"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.manageengine.com/products/service-desk/service-packs.html; classtype:web-application-attack; sid:36102; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt"; flow:to_server,established; content:"/ExportImport.do"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.manageengine.com/products/service-desk/service-packs.html; classtype:web-application-attack; sid:36101; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine OpManager default credentials authentication attempt"; flow:to_server,established; content:"/jsp/Login.do"; nocase; http_uri; content:"userName=IntegrationUser"; fast_pattern:only; http_client_body; content:"password=plugin"; nocase; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-7765; reference:url,attack.mitre.org/techniques/T1078; reference:url,seclists.org/fulldisclosure/2015/Sep/66; classtype:attempted-admin; sid:36100; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt"; flow:to_server,established; content:"/admin/SubmitQuery"; fast_pattern:only; http_uri; content:"query="; nocase; http_uri; pcre:"/[?&]query=[^&]*?\x2f\x2a/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-7766; reference:url,support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerability; classtype:web-application-attack; sid:36099; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt"; flow:to_server,established; content:"/admin/SubmitQuery"; fast_pattern:only; http_uri; content:"query="; nocase; http_client_body; pcre:"/(^|&)query=[^&]*?(\x2f|%2f)(\x2a|%2a)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-7766; reference:url,support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerability; classtype:web-application-attack; sid:36098; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt"; flow:to_server,established; content:"/admin/SubmitQuery"; fast_pattern:only; http_uri; content:"query"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?query((?!^--).)*?[\r\n]{2,}((?!^--).)*?\x2f\x2a/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-7766; reference:url,support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerability; classtype:web-application-attack; sid:36097; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt"; flow:to_server,established; file_data; dsize:>10; content:"STARTTLS|0D 0A|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-3556; reference:url,mailman.nginx.org/pipermail/nginx-announce/2014/000144.html; classtype:attempted-user; sid:36197; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5054 (msg:"SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt"; flow:to_server,established; content:"/goform/activate_"; fast_pattern:only; content:"akey="; nocase; isdataat:987,relative; content:!"&"; within:987; reference:url,zerodayinitiative.com/advisories/ZDI-15-414/; classtype:attempted-user; sid:36196; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5054 (msg:"SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt"; flow:to_server,established; content:"/goform/activate_"; fast_pattern:only; content:"actserver="; nocase; isdataat:982,relative; content:!"&"; within:982; reference:url,zerodayinitiative.com/advisories/ZDI-15-414/; classtype:attempted-user; sid:36195; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ignite Realtime Openfire group-summary cross site scripting attempt"; flow:to_server,established; content:"/group-summary.jsp?"; fast_pattern:only; http_uri; content:"search="; nocase; http_uri; pcre:"/[?&]search=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy max-detect-ips drop, service http; reference:cve,2015-6972; classtype:attempted-user; sid:36184; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ignite Realtime Openfire create-bookmark cross site scripting attempt"; flow:to_server,established; content:"/plugins/clientcontrol/create-bookmark.jsp"; fast_pattern:only; http_uri; pcre:"/[?&](urlName|groupchatName)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy max-detect-ips drop, service http; reference:cve,2015-6972; classtype:attempted-user; sid:36183; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ignite Realtime Openfire server-session-details cross site scripting attempt"; flow:to_server,established; content:"/server-session-details.jsp"; fast_pattern:only; http_uri; content:"hostname="; nocase; http_uri; pcre:"/[?&]hostname=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy max-detect-ips drop, service http; reference:url,hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-XSS.txt; classtype:attempted-user; sid:36182; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10443 (msg:"SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/chpasswd.cgi"; fast_pattern:only; content:"NEW_PASSWORD_"; nocase; pcre:"/NEW_PASSWORD_[12]=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5082; classtype:web-application-attack; sid:36181; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10443 (msg:"SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/chpasswd.cgi"; fast_pattern:only; content:"Content-Disposition"; nocase; content:"NEW_PASSWORD_"; nocase; pcre:"/name\s*=\s*[\x22\x27]?NEW_PASSWORD_[12]((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|\x24\x28)/sim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5082; classtype:web-application-attack; sid:36178; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LANDesk Management Suite frm_splitfrm remote file include attempt"; flow:to_server,established; content:"/remote/frm_splitfrm.aspx"; fast_pattern:only; http_uri; content:"top="; nocase; http_uri; pcre:"/[?&]top=[^&]*?(http|ftp)/Ui"; metadata:service http; reference:cve,2014-5362; reference:url,securityfocus.com/archive/1/535286; classtype:web-application-attack; sid:36243; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5054 (msg:"SERVER-WEBAPP Reprise License Manager edit_lf_get_data directory traversal attempt"; flow:to_server,established; content:"/goform/edit_lf_get_data"; fast_pattern:only; content:"lf="; nocase; pcre:"/(^|&)lf=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/im"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,zerodayinitiative.com/advisories/ZDI-15-417/; classtype:web-application-attack; sid:36242; rev:2;)
# sid 36272 (enabled): matches an HTTP request whose client body contains both
# "Pu1seNET" and "ge_support"; the msg labels this a GE MDS PulseNet hidden-credentials
# authentication attempt (references: cve,2015-6456 and bugtraq,76756).
# Scope: established to-server TCP flows from $EXTERNAL_NET to $HOME_NET on $HTTP_PORTS.
# The same request sent from a host inside $HOME_NET does not match this rule.
# Both contents are restricted to http_client_body; "ge_support" carries no nocase
# modifier, so it is compared case-sensitively.
# The rule inspects the request only, so an alert indicates an attempt, not a successful
# login; triage by correlating with the server response or the application's auth logs.
# NOTE(review): requests carried over TLS that the sensor does not decrypt presumably
# never reach the http_client_body buffer; confirm against the deployment.
# The metadata tags the rule as "drop" under the balanced-ips, max-detect-ips and
# security-ips policies; the rule action written here is "alert".
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GE MDS PulseNet hidden credentials authentication attempt"; flow:to_server,established; content:"Pu1seNET"; fast_pattern:only; http_client_body; content:"ge_support"; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,76756; reference:cve,2015-6456; reference:url,www.gedigitalenergy.com/app/resources.aspx?prod=pulsenet&type=9; classtype:attempted-admin; sid:36272; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Centreon main.php command injection attempt"; flow:to_server,established; content:"/centreon/main.php"; fast_pattern:only; http_uri; content:"persistant="; nocase; http_client_body; pcre:"/(^|&)persistant=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5265.php; classtype:web-application-attack; sid:36270; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP fileinfo cdf_read_property_info denial of service attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|FE FF|"; content:"|E0 85 9F F2 F9 4F 68 10 AB 91 08 00 2B 27 B3 D9|"; within:26; distance:16; fast_pattern; byte_test:4,>,0,16,relative,little; byte_test:4,<,8,16,relative,little; metadata:service http; reference:bugtraq,69325; reference:cve,2014-3587; reference:url,php.net/ChangeLog-5.php|23|5.6.0; classtype:attempted-dos; sid:36262; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP fileinfo cdf_read_property_info denial of service attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"|FE FF|"; content:"|E0 85 9F F2 F9 4F 68 10 AB 91 08 00 2B 27 B3 D9|"; within:26; distance:16; fast_pattern; byte_test:1,&,0x80,19,relative; metadata:service http; reference:bugtraq,69325; reference:cve,2014-3587; reference:url,php.net/ChangeLog-5.php|23|5.6.0; classtype:attempted-dos; sid:36261; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway POST vulnerability attempt"; flow:to_server,established; content:"/fp/servlet/Login"; fast_pattern:only; http_uri; content:"file=/"; http_client_body; content:"conf"; distance:0; http_client_body; content:".xml"; distance:2; http_client_body; pcre:"/file\=\/.{0,30}?conf.{0,30}?\.xml/P"; metadata:service http; reference:cve,2013-5397; reference:cve,2013-5398; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21654471; classtype:attempted-user; sid:36255; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway GET vulnerability attempt"; flow:to_server,established; content:"/fp/servlet/Login?"; fast_pattern:only; http_uri; content:"file=/"; http_uri; content:"conf"; distance:0; http_uri; content:".xml"; distance:2; http_uri; pcre:"/^\/fp\/servlet\/Login\?.{0,60}?file\=\/.{0,30}?conf.{0,30}?\.xml/U"; metadata:service http; reference:cve,2013-5397; reference:cve,2013-5398; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21654471; classtype:attempted-user; sid:36254; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt"; flow:to_server,established; content:"/servlet/APMAlertHandler"; fast_pattern:only; http_uri; content:"source="; nocase; http_uri; pcre:"/[?&]source=[^&]*?\x3b/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.manageengine.com/network-monitoring/service-packs.html; classtype:web-application-attack; sid:36285; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt"; flow:to_server,established; content:"/servlet/APMAlertHandler"; fast_pattern:only; http_uri; content:"source="; nocase; http_client_body; pcre:"/(^|&)source=[^&]*?(\x3b|%3b)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.manageengine.com/network-monitoring/service-packs.html; classtype:web-application-attack; sid:36284; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt"; flow:to_server,established; content:"/servlet/APMAlertHandler"; fast_pattern:only; http_uri; content:"source"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?source((?!^--).)*?[\r\n]{2,}((?!^--).)*?\x3b/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.manageengine.com/network-monitoring/service-packs.html; classtype:web-application-attack; sid:36283; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Kaseya VSA uploader.aspx PathData directory traversal attempt"; flow:to_server,established; content:"/ConfigTab/uploader.aspx"; fast_pattern:only; http_uri; content:"PathData="; nocase; http_uri; pcre:"/[?&]PathData=[^&]*?(\x3a|\x2e\x2e)\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-6922; classtype:web-application-attack; sid:36330; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Borland AccuRev SaveContentServiceImpl servlet directory traversal attempt"; flow:to_server,established; content:"/accurev/webgui/savecontent"; fast_pattern:only; http_uri; content:"fname="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]fname=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.borland.com/en-gb/support; classtype:web-application-attack; sid:36380; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Typo3 CMS index cross site scripting attempt"; flow:to_server,established; content:"/typo3/index.php?"; fast_pattern:only; http_uri; content:"=data:text/html"; nocase; http_client_body; pcre:"/(returnUrl|redirect_url)=data:text\x2fhtml\x3b[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src|base64,PHNjcmlwdD)/Pi"; metadata:policy max-detect-ips drop, service http; reference:cve,2015-5956; reference:url,typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-009/; classtype:attempted-user; sid:36366; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Typo3 CMS show_rechis cross site scripting attempt"; flow:to_server,established; content:"/typo3/show_rechis.php?"; fast_pattern:only; http_uri; content:"=data:text/html"; nocase; http_client_body; pcre:"/(returnUrl|redirect_url)=data:text\x2fhtml\x3b[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src|base64,PHNjcmlwdD)/Pi"; metadata:policy max-detect-ips drop, service http; reference:cve,2015-5956; reference:url,typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-009/; classtype:attempted-user; sid:36365; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Typo3 CMS index cross site scripting attempt"; flow:to_server,established; content:"/typo3/index.php?"; fast_pattern:only; http_uri; content:"=data:text/html"; nocase; http_uri; pcre:"/[?&](returnUrl|redirect_url)=data:text\x2fhtml\x3b[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src|base64,PHNjcmlwdD)/Ui"; metadata:policy max-detect-ips drop, service http; reference:cve,2015-5956; reference:url,typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-009/; classtype:attempted-user; sid:36364; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Typo3 CMS show_rechis cross site scripting attempt"; flow:to_server,established; content:"/typo3/show_rechis.php?"; fast_pattern:only; http_uri; content:"=data:text/html"; nocase; http_uri; pcre:"/[?&](returnUrl|redirect_url)=data:text\x2fhtml\x3b[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src|base64,PHNjcmlwdD)/Ui"; metadata:policy max-detect-ips drop, service http; reference:cve,2015-5956; reference:url,typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-009/; classtype:attempted-user; sid:36363; rev:2;)
# NOTE(review): sid 36359 carries no http_uri / http_client_body modifiers and its pcre has no
# buffer flag, so the contents and the pcre are matched against the raw payload. The pcre lists
# the characters literally, so URL-encoded forms (for example %3c) are not covered by it.
# The port list includes 443, which normally carries TLS; the content matches need plaintext, so on
# that port the rule is only effective where the sensor is given decrypted traffic.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,443] (msg:"SERVER-WEBAPP pfSense WebGui Zone Parameter cross-site scripting attempt"; flow:to_server,established; content:"/services_captiveportal_zones.php?"; fast_pattern:only; content:"zone="; nocase; pcre:"/[?&]zone=[^&\r\n]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:service http; reference:cve,2015-4029; reference:url,www.pfsense.org/security/advisories/pfSense-SA-15_06.webgui.asc; classtype:attempted-user; sid:36359; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP Ignite Realtime Openfire permitted-clients cross site request forgery attempt"; flow:to_server,established; content:"/plugins/clientcontrol/permitted-clients.jsp?"; fast_pattern:only; http_uri; content:"Referer:"; nocase; http_header; content:!"/plugins/clientcontrol/permitted-clients.jsp?"; nocase; http_header; content:"all="; nocase; http_client_body; content:"other="; within:30; nocase; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2015-6973; classtype:attempted-user; sid:36337; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt"; flow:to_server,established; content:"/server-props.jsp"; fast_pattern:only; http_uri; content:"Referer:"; nocase; http_header; content:!"/server-props.jsp?"; nocase; http_header; content:"serverName="; nocase; http_client_body; content:"save="; within:180; nocase; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2015-6973; classtype:attempted-user; sid:36336; rev:3;)
# NOTE(review): in sid 36335 the content "password=" carries within:100, yet no earlier http_uri
# match exists for it to be relative to: the options before it are http_header matches and the
# path content is fast_pattern:only. Verify how the engine resolves that relative offset before
# enabling this rule. Sibling sid 36511 instead anchors its within: to an earlier http_uri content.
# The rule also requires a Referer header to be present, so a request sent without one does not match.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt"; flow:to_server,established; content:"/user-create.jsp?"; fast_pattern:only; http_uri; content:"Referer:"; nocase; http_header; content:!"/user-create.jsp?"; nocase; http_header; content:"password="; within:100; nocase; http_uri; content:"create="; within:150; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2015-6973; classtype:attempted-user; sid:36335; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP Ignite Realtime Openfire user-password cross site request forgery attempt"; flow:to_server,established; content:"/user-password.jsp"; fast_pattern:only; http_uri; content:"Referer:"; nocase; http_header; content:!"/user-password.jsp"; nocase; http_header; content:"username="; nocase; http_client_body; content:"password="; nocase; http_client_body; content:"update="; nocase; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2015-6973; classtype:attempted-user; sid:36334; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GE MDS PulseNET FileDownloadServlet directory traversal attempt"; flow:to_server,established; content:"/foglight-sl/download"; fast_pattern:only; http_uri; content:"filename="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]filename=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,76756; reference:cve,2015-6459; classtype:web-application-attack; sid:36333; rev:2;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER-WEBAPP Wordpress xmlrpc.php multiple failed authentication response"; flow:to_client,established; file_data; content:"xmlrpc.php"; fast_pattern:only; content:"Incorrect username or password"; nocase; content:"Incorrect username or password"; within:100; nocase; content:"Incorrect username or password"; within:100; nocase; content:"Incorrect username or password"; within:100; nocase; metadata:service http; classtype:web-application-attack; sid:36449; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenDocMan redirection parameter cross site scripting attempt"; flow:to_server,established; content:"/opendocman/index.php"; fast_pattern:only; http_uri; content:"redirection="; nocase; http_uri; pcre:"/[?&]redirection=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:bugtraq,76627; reference:cve,2015-5625; reference:url,opendocman.com/opendocman-v1-3-4-released/; classtype:attempted-user; sid:36400; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt"; flow:to_server,established; content:"/server-props.jsp"; fast_pattern:only; http_uri; content:"Referer:"; nocase; http_header; content:!"/server-props.jsp?"; nocase; http_header; content:"serverName="; nocase; http_uri; content:"save="; within:50; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2015-6973; classtype:attempted-user; sid:36511; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP pChart script parameter directory traversal attempt"; flow:to_server,established; content:"/pChart2/"; fast_pattern:only; http_uri; content:"Script="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]Script=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:36544; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7510 (msg:"SERVER-WEBAPP HP OpenView Network Node Manager HTTP handling buffer overflow attempt"; flow:to_server,established; content:"GET http|3A 2F 2F|"; depth:11; nocase; content:"|3A|7510/topology/home HTTP/1.1|0D 0A|"; offset:512; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28569; reference:cve,2008-1697; classtype:attempted-admin; sid:36542; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenEMR globals.php authentication bypass attempt"; flow:to_server,established; content:"/openemr/"; fast_pattern:only; http_uri; content:"ignoreAuth"; nocase; http_client_body; metadata:service http; reference:bugtraq,75299; reference:cve,2015-4453; reference:url,open-emr.org/wiki/index.php/OpenEMR_Patches; classtype:attempted-user; sid:36595; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenEMR globals.php authentication bypass attempt"; flow:to_server,established; content:"/openemr/"; fast_pattern:only; http_uri; content:"ignoreAuth"; nocase; http_uri; metadata:service http; reference:bugtraq,75299; reference:cve,2015-4453; reference:url,open-emr.org/wiki/index.php/OpenEMR_Patches; classtype:attempted-user; sid:36594; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla com_contenthistory module SQL injection attempt"; flow:to_server,established; content:"option=com_contenthistory"; fast_pattern:only; http_uri; content:"list[select]="; nocase; http_uri; pcre:"/[?&]list\x5bselect\x5d=[^&]*?\x28/Ui"; metadata:service http; reference:bugtraq,77295; reference:cve,2015-7297; reference:cve,2015-7857; reference:cve,2015-7858; classtype:web-application-attack; sid:36617; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla com_contenthistory module SQL injection attempt"; flow:to_server,established; content:"option=com_contenthistory"; fast_pattern:only; content:"list"; nocase; http_client_body; pcre:"/(^|&)list(\x5b|%5b)select(\x5d|%5d)=[^&]*?(\x28|%28)/Pim"; metadata:service http; reference:bugtraq,77295; reference:cve,2015-7297; reference:cve,2015-7857; reference:cve,2015-7858; classtype:web-application-attack; sid:36616; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla com_contenthistory module SQL injection attempt"; flow:to_server,established; content:"com_contenthistory"; fast_pattern:only; content:"list[select]"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?list\x5bselect\x5d((?!^--).)*?[\r\n]{2,}((?!^--).)*?\x28/Psim"; metadata:service http; reference:bugtraq,77295; reference:cve,2015-7297; reference:cve,2015-7857; reference:cve,2015-7858; classtype:web-application-attack; sid:36615; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8443 (msg:"SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt"; flow:to_server,established; content:"|44 2A 51 F3 8C D2 B5 D6 63 5A 56 CB 00 C8 3D 5E 6F 1C 10 5C B3 EF 44 E3 5F D3 87 C8 DD 3C 2D 20|"; fast_pattern:only; reference:bugtraq,66181; reference:cve,2014-2536; classtype:web-application-attack; sid:36614; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8443 (msg:"SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt"; flow:to_server,established; content:"GET /ext/"; depth:9; pcre:"/GET\x20\x2fext\x2f(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/i"; reference:bugtraq,66181; reference:cve,2014-2536; classtype:web-application-attack; sid:36613; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Font Plugin AjaxProxy.php absolute path traversal attempt"; flow:to_server,established; content:"/wp-content/plugins/font/AjaxProxy.php"; fast_pattern:only; http_uri; content:"action=cross_domain_request"; nocase; http_client_body; content:"url="; nocase; http_client_body; pcre:"/(^|&)url=([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:cve,2015-7683; classtype:attempted-recon; sid:36638; rev:1;)
# sid 36763 (enabled): vBulletin decodeArguments PHP object injection attempt, CVE-2015-7808.
# Fires on a client-to-server request whose URI contains /ajax/api/hook/decodeArguments and an
# "arguments=" parameter whose value contains "O:" before the next "&". "O:" is the prefix PHP's
# serialize() writes for an object; the /i flag means a lower-case "o:" matches as well, so a
# benign value containing that pair also alerts. Triage by checking whether a serialized-object
# layout follows the match.
# Every option is bound to the URI buffer (http_uri, /U); nothing in this rule inspects the request body.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP vBulletin decodeArguments PHP object injection attempt"; flow:to_server,established; content:"/ajax/api/hook/decodeArguments"; fast_pattern:only; http_uri; content:"arguments="; nocase; http_uri; pcre:"/[?&]arguments=[^&]*?O\x3a/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-7808; classtype:attempted-admin; sid:36763; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla com_realestatemanager module SQL injection attempt"; flow:to_server,established; content:"option=com_realestatemanager"; fast_pattern:only; http_uri; content:"order_"; nocase; http_uri; pcre:"/[?&]order_(direction|field)=[^&]*?\x28/Ui"; metadata:service http; reference:url,ordasoft.com/real-estate-manager-software-joomla.html; classtype:web-application-attack; sid:36657; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla com_realestatemanager module SQL injection attempt"; flow:to_server,established; content:"option=com_realestatemanager"; fast_pattern:only; content:"order_"; nocase; http_client_body; pcre:"/(^|&)order_(direction|field)=[^&]*?(\x28|%28)/Pim"; metadata:service http; reference:url,ordasoft.com/real-estate-manager-software-joomla.html; classtype:web-application-attack; sid:36656; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla com_realestatemanager module SQL injection attempt"; flow:to_server,established; content:"com_realestatemanager"; fast_pattern:only; content:"order_"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?order_(direction|field)((?!^--).)*?[\r\n]{2,}((?!^--).)*?\x28/Psim"; metadata:service http; reference:url,ordasoft.com/real-estate-manager-software-joomla.html; classtype:web-application-attack; sid:36655; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP F5 BIG-IP iControl API arbitrary command execution attempt"; flow:to_server,established; content:"/iControl/iControlPortal.cgi"; fast_pattern:only; http_uri; content:"iCall/Script"; nocase; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-3628; reference:url,support.f5.com/kb/en-us/solutions/public/16000/700/sol16728.html; classtype:attempted-admin; sid:36778; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle BeeHive playAudioFile.jsp directory traversal attempt"; flow:to_server,established; content:"/voice-servlet/prompt-qa/playAudioFile.jsp"; fast_pattern:only; http_uri; content:"sess="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]sess=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html; classtype:web-application-attack; sid:36795; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle BeeHive playAudioFile.jsp directory traversal attempt"; flow:to_server,established; content:"/voice-servlet/prompt-qa/playAudioFile.jsp"; fast_pattern:only; http_uri; content:"sess="; nocase; http_client_body; pcre:"/(^|&)sess=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html; classtype:web-application-attack; sid:36794; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle BeeHive playAudioFile.jsp directory traversal attempt"; flow:to_server,established; content:"/voice-servlet/prompt-qa/playAudioFile.jsp"; fast_pattern:only; http_uri; content:"sess"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?sess((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html; classtype:web-application-attack; sid:36793; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle BeeHive showRecxml.jsp directory traversal attempt"; flow:to_server,established; content:"/voice-servlet/prompt-qa/showRecxml.jsp"; fast_pattern:only; http_uri; content:"recxml="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]recxml=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy security-ips drop, service http; reference:bugtraq,45854; reference:cve,2010-4417; classtype:web-application-attack; sid:36902; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle BeeHive showRecxml.jsp directory traversal attempt"; flow:to_server,established; content:"/voice-servlet/prompt-qa/showRecxml.jsp"; fast_pattern:only; http_uri; content:"recxml="; nocase; http_client_body; pcre:"/(^|&)recxml=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy security-ips drop, service http; reference:bugtraq,45854; reference:cve,2010-4417; classtype:web-application-attack; sid:36901; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle BeeHive showRecxml.jsp directory traversal attempt"; flow:to_server,established; content:"/voice-servlet/prompt-qa/showRecxml.jsp"; fast_pattern:only; http_uri; content:"recxml"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?recxml((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy security-ips drop, service http; reference:bugtraq,45854; reference:cve,2010-4417; classtype:web-application-attack; sid:36900; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Zend Technologies Zend Framework heuristicScan XML external entity injection attempt"; flow:to_server,established; content:"E|00|N|00|T|00|I|00|T|00|Y"; nocase; http_client_body; content:"S|00|Y|00|S|00|T|00|E|00|M"; within:50; fast_pattern; nocase; http_client_body; pcre:"/(\x00\x21\x00|\x00%\x002\x001\x00)E\x00N\x00T\x00I\x00T\x00Y((?!\x00\x3e\x00|\x00%\x003\x00e\x00).)*?S\x00Y\x00S\x00T\x00E\x00M/Pi"; metadata:service http; reference:bugtraq,76117; reference:cve,2015-5161; classtype:web-application-attack; sid:36895; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Zend Technologies Zend Framework heuristicScan XML external entity injection attempt"; flow:to_server,established; content:"E|00|N|00|T|00|I|00|T|00|Y"; nocase; http_client_body; content:"P|00|U|00|B|00|L|00|I|00|C"; within:50; fast_pattern; nocase; http_client_body; pcre:"/(\x00\x21\x00|\x00%\x002\x001\x00)E\x00N\x00T\x00I\x00T\x00Y((?!\x00\x3e\x00|\x00%\x003\x00e\x00).)*?P\x00U\x00B\x00L\x00I\x00C/Pi"; metadata:service http; reference:bugtraq,76117; reference:cve,2015-5161; classtype:web-application-attack; sid:36894; rev:1;)
# NOTE(review): in the four com_gmaps rules below (sids 37099, 37098, 37097, 37096) the pcre ends in
# [\x2f\x2a\x2a\x2f]. That is a character class: it matches any single "/" or "*" in the parameter
# value, not the four-character sequence "/**/". If the sequence was intended, the rules are
# broader than they look, and enabling them will alert on ordinary values that contain a slash.
# Only sid 37096 requires option=com_gmaps in the URI; the other three key on a script name alone.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Component com_gmaps SQL injection attempt"; flow:to_server,established; content:"view_news.php?"; fast_pattern:only; http_uri; content:"news_id="; nocase; http_uri; pcre:"/[?&]news_id=[^&]*?[\x2f\x2a\x2a\x2f]/Ui"; metadata:service http; reference:bugtraq,25146; reference:cve,2007-4128; classtype:web-application-attack; sid:37099; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Component com_gmaps SQL injection attempt"; flow:to_server,established; content:"view_events.php?"; fast_pattern:only; http_uri; content:"cat_id="; nocase; http_uri; pcre:"/[?&]cat_id=[^&]*?[\x2f\x2a\x2a\x2f]/Ui"; metadata:service http; reference:bugtraq,25146; reference:cve,2007-4128; classtype:web-application-attack; sid:37098; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Component com_gmaps SQL injection attempt"; flow:to_server,established; content:"video_gallery.php?"; fast_pattern:only; http_uri; content:"member_id="; nocase; http_uri; pcre:"/[?&]member_id=[^&]*?[\x2f\x2a\x2a\x2f]/Ui"; metadata:service http; reference:bugtraq,25146; reference:cve,2007-4128; classtype:web-application-attack; sid:37097; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Component com_gmaps SQL injection attempt"; flow:to_server,established; content:"index.php?option=com_gmaps"; fast_pattern:only; http_uri; content:"mapId="; nocase; http_uri; pcre:"/[?&]mapId=[^&]*?[\x2f\x2a\x2a\x2f]/Ui"; metadata:service http; reference:bugtraq,25146; reference:cve,2007-4128; classtype:web-application-attack; sid:37096; rev:2;)
# sids 37078 and 37077 (enabled): Joomla JDatabaseDriverMysqli unserialize code execution attempt,
# CVE-2015-8562. Each rule looks in the request headers for one header name (X-Forwarded-For in
# 37078, User-Agent in 37077) followed on the same header line by the three bytes "|O:".
# The header name is matched case-insensitively; (?-i) switches that off, so the "|O:" marker
# must have an upper-case "O", as the case-sensitive content match for it also requires.
# The pcre forbids CR/LF between the name and the marker. The content pair alone (distance:0) would
# also accept the marker in any later header.
# Only these two header names are covered by this pair of rules.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla JDatabaseDriverMysqli unserialize code execution attempt"; flow:to_server,established; content:"X-Forwarded-For|3A|"; nocase; http_header; content:"|7C|O|3A|"; distance:0; fast_pattern; http_header; pcre:"/^X-Forwarded-For\x3A[^\r\n]*?(?-i)\x7CO\x3A/Him"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-8562; reference:url,developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html; classtype:attempted-user; sid:37078; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla JDatabaseDriverMysqli unserialize code execution attempt"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"|7C|O|3A|"; distance:0; fast_pattern; http_header; pcre:"/^User-Agent\x3A[^\r\n]*?(?-i)\x7CO\x3A/Him"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-8562; reference:url,developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html; classtype:attempted-user; sid:37077; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Atlassian HipChat Plugin template injection remote code execution attempt"; flow:to_server,established; content:"/rest/hipchat/integrations"; fast_pattern:only; http_uri; content:"java.lang.Runtime"; nocase; http_client_body; content:".exec"; nocase; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,76698; reference:cve,2015-5603; reference:url,confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2015-08-26-776650785.html; classtype:attempted-admin; sid:37039; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HumHub index.php from parameter SQL injection attempt"; flow:to_server,established; content:"/humhub/"; fast_pattern:only; http_uri; content:"/index.php"; nocase; http_uri; content:"from="; nocase; http_uri; pcre:"/[?&]from=[^&]*?[\x27\x3b]/Ui"; metadata:service http; reference:url,seclists.org/fulldisclosure/2015/Nov/106; classtype:web-application-attack; sid:37038; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP wordpress kses bypass cross site scripting attempt"; flow:to_server,established; content:"/wp-admin/post.php"; http_uri; content:"|29 27 22 3E|"; fast_pattern:only; http_client_body; content:"visibility"; http_client_body; content:"public"; within:10; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5714; classtype:attempted-user; sid:37019; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP wordpress kses bypass cross site scripting attempt"; flow:to_server,established; content:"/wp-admin/post.php"; http_uri; content:"application/x-www-form-urlencoded"; http_header; content:"%29%27%22%3E"; fast_pattern:only; http_client_body; content:"visibility"; http_client_body; content:"public"; within:10; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5714; classtype:attempted-user; sid:37018; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk FileDownload.jsp fName directory traversal attempt"; flow:to_server,established; content:"/FileDownload.jsp"; fast_pattern:only; http_uri; content:"fName="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]fName=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2015/Oct/14; classtype:web-application-attack; sid:37140; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk FileDownload.jsp fName directory traversal attempt"; flow:to_server,established; content:"/FileDownload.jsp"; fast_pattern:only; http_uri; content:"fName="; nocase; http_client_body; pcre:"/(^|&)fName=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2015/Oct/14; classtype:web-application-attack; sid:37139; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk FileDownload.jsp fName directory traversal attempt"; flow:to_server,established; content:"/FileDownload.jsp"; fast_pattern:only; http_uri; content:"fName"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?fName((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2015/Oct/14; classtype:web-application-attack; sid:37138; rev:2;)
# sids 37137, 37136 and 37135 (enabled): Fireeye Java decompiler reflection remote code execution
# attempt, per the referenced Project Zero post. All three match the same fixed 24-byte sequence in
# file_data and differ only in where they look:
#   37137  any any -> any $FILE_DATA_PORTS, to_server   (ftp-data, http, imap, pop3)
#   37136  $EXTERNAL_NET any -> $SMTP_SERVERS 25, to_server   (smtp)
#   37135  any $FILE_DATA_PORTS -> any any, to_client   (ftp-data, http, imap, pop3)
# 37137 and 37135 use "any" for both addresses, so they apply to internal-to-internal transfers too.
# The match is a static byte signature with no offset or file-type constraint.
# NOTE(review): what the 24 bytes represent is not visible in this file; see the reference URL.
alert tcp any any -> any $FILE_DATA_PORTS (msg:"SERVER-WEBAPP Fireeye Java decompiler reflection remote code execution attempt"; flow:to_server,established; file_data; content:"|6D 91 B5 47 A1 F0 1F B8 45 C8 5D 45 3D D6 B0 8E 7C 6A DC 22 E8 8B E3 49|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,googleprojectzero.blogspot.com/2015/12/fireeye-exploitation-project-zeros.html; classtype:attempted-user; sid:37137; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP Fireeye Java decompiler reflection remote code execution attempt"; flow:to_server,established; file_data; content:"|6D 91 B5 47 A1 F0 1F B8 45 C8 5D 45 3D D6 B0 8E 7C 6A DC 22 E8 8B E3 49|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,googleprojectzero.blogspot.com/2015/12/fireeye-exploitation-project-zeros.html; classtype:attempted-user; sid:37136; rev:2;)
alert tcp any $FILE_DATA_PORTS -> any any (msg:"SERVER-WEBAPP Fireeye Java decompiler reflection remote code execution attempt"; flow:to_client,established; file_data; content:"|6D 91 B5 47 A1 F0 1F B8 45 C8 5D 45 3D D6 B0 8E 7C 6A DC 22 E8 8B E3 49|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,googleprojectzero.blogspot.com/2015/12/fireeye-exploitation-project-zeros.html; classtype:attempted-user; sid:37135; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla com_youtubegallery module SQL injection attempt"; flow:to_server,established; content:"option=com_youtubegallery"; fast_pattern:only; http_uri; content:"id="; nocase; http_uri; pcre:"/[?&](list|theme)id=[^&]*?[\x27\x28]/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,68676; reference:cve,2014-4960; classtype:web-application-attack; sid:37134; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla com_youtubegallery module SQL injection attempt"; flow:to_server,established; content:"option=com_youtubegallery"; fast_pattern:only; content:"id="; nocase; http_client_body; pcre:"/(^|&)(list|theme)id=[^&]*?([\x27\x28]|%27|%28)/Pim"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,68676; reference:cve,2014-4960; classtype:web-application-attack; sid:37133; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Gallery Objects Plugin viewid SQL injection attempt"; flow:to_server,established; content:"/wp-admin/admin-ajax.php"; nocase; http_uri; content:"action=go_view_object"; fast_pattern:only; http_uri; content:"viewid="; nocase; http_uri; pcre:"/[?&]viewid=[^&]*?[^\d&]/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,68791; reference:cve,2014-5201; classtype:web-application-attack; sid:37148; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk Plus FileUploader servlet directory traversal attempt"; flow:to_server,established; content:"qqfile="; fast_pattern:only; http_uri; content:"uniqueId="; nocase; http_uri; content:"module="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]module=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:url,seclists.org/bugtraq/2015/Oct/23; classtype:web-application-attack; sid:37233; rev:1;)
# sid 37242 (enabled): D-Link DCS-900 Series Network Camera arbitrary file upload attempt,
# CVE-2015-2049. Requires all of: a URI containing /setFileUpload, "ConfigUploadFile" in the
# request body, and "Authorization:" in the headers followed somewhere later by "YWRtaW46".
# "YWRtaW46" is the Base64 encoding of "admin:". That is exactly six input bytes, so the encoded
# prefix is the same whatever password follows: the rule keys on the user name "admin", not on a
# particular password. The Base64 string has no nocase and is matched case-sensitively.
# distance:0 only means "after Authorization:", so the string may also be found in a later header.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DCS-900 Series Network Camera arbitrary file upload attempt"; flow:to_server,established; content:"/setFileUpload"; fast_pattern:only; http_uri; content:"ConfigUploadFile"; nocase; http_client_body; content:"Authorization:"; nocase; http_header; content:"YWRtaW46"; distance:0; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-2049; classtype:attempted-admin; sid:37242; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Limesurvey unauthenticated file download attempt"; flow:to_server,established; content:"/limesurvey/index.php/admin/update/sa/backup"; fast_pattern:only; http_uri; content:"datasupdateinfo="; nocase; http_client_body; pcre:"/(^|&)datasupdateinfo=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:url,limesurvey.org/en/blog/76-limesurvey-news/security-advisories/1836-limesurvey-security-advisory-10-2015; classtype:web-application-attack; sid:37349; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Limesurvey unauthenticated file download attempt"; flow:to_server,established; content:"/limesurvey/index.php/admin/update/sa/backup"; fast_pattern:only; http_uri; file_data; content:"&datasupdateinfo="; nocase; base64_decode:bytes 100, offset 0, relative; base64_data; content:"../"; within:100; metadata:service http; reference:url,limesurvey.org/en/blog/76-limesurvey-news/security-advisories/1836-limesurvey-security-advisory-10-2015; classtype:web-application-attack; sid:37348; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DNS-326 check_login command injection attempt"; flow:to_server,established; content:"/cgi-bin/system_mgr.cgi"; fast_pattern:only; http_uri; content:"username="; nocase; http_cookie; pcre:"/username=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Cim"; metadata:service http; reference:url,seclists.org/fulldisclosure/2015/May/125; classtype:web-application-attack; sid:37343; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP AVM FritzBox dsl_control stack buffer overflow attempt"; flow:to_server,established; content:"DslCpeCliAccess"; fast_pattern:only; http_client_body; content:"<command"; nocase; http_client_body; isdataat:256,relative; content:!"</command"; within:256; nocase; http_client_body; pcre:"/<command[^>]*?>\s*se\s[^<]{256}/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Jan/13; classtype:attempted-admin; sid:37324; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cacti graphs_new.php SQL injection attempt"; flow:to_server,established; content:"/cacti/graphs_new.php"; fast_pattern:only; http_uri; content:"cg_g="; nocase; http_client_body; pcre:"/(^|&)cg_g=[^&]*?[^\d&]/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-8604; reference:url,bugs.cacti.net/view.php?id=2652; classtype:web-application-attack; sid:37321; rev:2;)
# sids 37396 down to 37378: this rule and the eighteen after it share one shape.
# Each needs an "Authorization:" header plus one fixed Base64 string in the
# headers, which per the msg text is a vendor default user:password pair for
# HTTP Basic authentication. All are disabled (commented out) here, with
# classtype default-login-attempt and a reference to MITRE ATT&CK T1078
# (Valid Accounts).
# NOTE(review): a hit means the default credential was offered, not that the
# login succeeded; the response is not examined. Only Basic authentication is
# covered. Where devices from these vendors are deployed, enabling the matching
# rules shows whether default passwords are still being tried; the durable fix
# is changing them on the device.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP eWON default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"YWRtOmFkbQ=="; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:37396; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Westermo default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"YWRtaW46d2VzdGVybW8="; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:37395; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wago default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"YWRtaW46d2Fnbw=="; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:37394; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Schneider default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"VVNFUjpVU0VS"; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:37393; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Schneider default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"QWRtaW5pc3RyYXRvcjpHYXRld2F5"; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:37392; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Samsung default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"cm9vdDpya3dqc2R1c3JudGg="; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:37391; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Rockwell Automation default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"YWRtaW5pc3RyYXRvcjptbDExMDA="; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:37390; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Rockwell Automation default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"YWRtaW5pc3RyYXRvcjptbDE0MDA="; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:37389; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NOVUS AUTOMATION default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"c3VwZXJ2aWV3OnN1cGVydmlldw=="; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:37388; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Moxa default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"YWRtaW46cm9vdA=="; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:37387; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Hirschmann default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"dXNlcjpwdWJsaWM="; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:37386; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Hirschmann default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"YWRtaW46cHJpdmF0ZQ=="; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:37385; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Emerson default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"YWRtaW46ZGVmYXVsdA=="; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:37384; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Digi default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"dXNlcm5hbWU6cGFzc3dvcmQ="; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:37383; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Digi default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"dXNlcjpwYXNzd2Q="; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:37382; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Digi default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"cm9vdDpkYnBz"; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:37381; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP BinTec Elmeg default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"YWRtaW46ZnVud2Vyaw=="; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:37380; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP BinTec Elmeg default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"YWRtaW46YmludGVj"; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:37379; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ABB default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"c2VydmljZTpBQkI4MDB4QQ=="; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:37378; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ipswitch WhatsUp iDroneComAPI SQL injection attempt"; flow:to_server,established; content:"/iDrone/iDroneComAPI.asmx"; nocase; http_uri; content:"<DroneDeleteOldMeasurements"; fast_pattern:only; http_client_body; content:"<iDroneName"; nocase; http_client_body; pcre:"/<iDroneName[^>]*?>[^<]*?\x3b/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-8261; classtype:attempted-admin; sid:37369; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt"; flow:to_server,established; content:"/cgi-bin/admin/servetest"; fast_pattern:only; http_uri; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?(cmd|ServerName|ServerPort|RcptToAddr1|SourceName)((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|\x24\x28)/Psim"; metadata:policy security-ips drop, service http; reference:cve,2013-2578; classtype:web-application-attack; sid:37430; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt"; flow:to_server,established; content:"/cgi-bin/admin/servetest"; fast_pattern:only; http_uri; pcre:"/(^|&)(cmd|ServerName|ServerPort|RcptToAddr1|SourceName)=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pim"; metadata:policy security-ips drop, service http; reference:cve,2013-2578; classtype:web-application-attack; sid:37429; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt"; flow:to_server,established; content:"/cgi-bin/admin/servetest"; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&](cmd|ServerName|ServerPort|SourceName)=[^&]*?%26/Ii"; metadata:policy security-ips drop, service http; reference:cve,2013-2578; classtype:web-application-attack; sid:37428; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt"; flow:to_server,established; content:"/cgi-bin/admin/servetest"; fast_pattern:only; http_uri; pcre:"/[?&](cmd|ServerName|ServerPort|SourceName)=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy security-ips drop, service http; reference:cve,2013-2578; classtype:web-application-attack; sid:37427; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP JBoss expression language actionOutcome remote code execution attempt"; flow:to_server,established; content:"actionOutcome=/"; fast_pattern:only; http_client_body; content:"?"; http_client_body; content:"%3D%23|7B|"; within:40; nocase; http_client_body; metadata:service http; reference:bugtraq,41994; reference:cve,2010-1871; classtype:attempted-admin; sid:37415; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SevOne NMS kill.php command injection attempt"; flow:to_server,established; content:"/doms/discoveryqueue/kill.php"; fast_pattern:only; http_uri; content:"pids[]="; nocase; http_uri; pcre:"/[?&]pids\x5b\x5d=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,packetstormsecurity.com/files/135276/; classtype:attempted-admin; sid:37413; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SevOne NMS kill.php command injection attempt"; flow:to_server,established; content:"/doms/discoveryqueue/kill.php"; fast_pattern:only; http_uri; content:"pids"; nocase; http_client_body; pcre:"/(^|&)pids(%5B|\x5b)(%5d|\x5d)=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,packetstormsecurity.com/files/135276/; classtype:attempted-admin; sid:37412; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SevOne NMS hidden credentials authentication attempt"; flow:to_server,established; content:"/doms/login/processLogin.php"; nocase; http_uri; content:"SevOnestats"; nocase; http_client_body; content:"n3v3rd13"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,packetstormsecurity.com/files/135276/; classtype:attempted-admin; sid:37411; rev:2;)
# NOTE(review): this rule (sid 37463) looks for "name=" in the request body
# (http_client_body) but runs its pcre against the normalized URI (/U). The
# otherwise identical sid 37462 on the next line uses the body (/P) for both.
# As written, sid 37463 needs "name=" in the body and the suspicious name=
# value in the URI. If a URI-only variant was intended, the content match would
# be expected to use http_uri; confirm against the current upstream revision
# before enabling. The pcre is also not anchored on [?&], so it matches any
# parameter whose name ends in "name".
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Job Manager plugin cross site scripting attempt"; flow:to_server,established; content:"?page_id="; fast_pattern:only; http_uri; content:"name="; nocase; http_client_body; pcre:"/name=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:bugtraq,76503; reference:cve,2015-2321; classtype:attempted-user; sid:37463; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Job Manager plugin cross site scripting attempt"; flow:to_server,established; content:"?page_id="; fast_pattern:only; http_uri; content:"name="; nocase; http_client_body; pcre:"/name=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Pi"; metadata:service http; reference:bugtraq,76503; reference:cve,2015-2321; classtype:attempted-user; sid:37462; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Roundcube Webmail index.php _skin directory traversal attempt"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"_skin="; fast_pattern:only; http_client_body; pcre:"/(^|&)_skin=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:cve,2015-8770; reference:url,roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released/; classtype:web-application-attack; sid:37444; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1111 (msg:"SERVER-WEBAPP F-Secure web console username overflow attempt"; flow:to_server,established; content:"/authorise"; nocase; content:"userName"; fast_pattern; nocase; content:"|5C|"; within:292; isdataat:293,relative; content:!"&"; within:293; reference:bugtraq,18201; reference:cve,2006-2838; classtype:attempted-admin; sid:37471; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP InterWoven WorkDocs XSS attempt"; flow:to_client,established; file_data; content:"UserOptions.asp"; nocase; content:"compnrtid"; within:12; fast_pattern; nocase; content:"script"; within:72; nocase; metadata:service http; classtype:web-application-attack; sid:37468; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SAP HANA hdbindexserver buffer overflow attempt"; flow:to_server,established; content:"/sap/hana/xs/formLogin/login.xscfunc"; fast_pattern:only; http_uri; content:"xs-username="; nocase; http_client_body; isdataat:500,relative; content:!"&"; within:500; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-7986; reference:url,service.sap.com/sap/support/notes/2197428; classtype:attempted-admin; sid:37504; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP eClinicalWorks portalUserService.jsp SQL injection attempt"; flow:to_server,established; content:"/ccmr/clientPortal/admin/service/portalUserService.jsp"; fast_pattern:only; http_uri; content:"uemail="; nocase; http_client_body; pcre:"/(^|&)uemail=[^&]*?(\x27|%27)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,82296; reference:cve,2015-4592; classtype:web-application-attack; sid:37547; rev:2;)
# sids 37624, 37623, 37622 (enabled): one rule per /rokform/ page
# (SysListDetail, SysGroupDetail, SysDataDetail). Each requires the page name in
# the URI and then runs the same pcre on the normalized URI (/U), looking in the
# name= or comp= parameter for a quote, angle bracket or parenthesis, or for the
# strings "script", "onload" or "src", case-insensitively.
# NOTE(review): the bare substrings also occur in harmless values (a name that
# contains "src", for example), and all three policies are set to drop, so watch
# for false positives on these pages. The rules carry no reference: option, so
# the advisory they were written for cannot be identified from this file.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Allen-Bradley Compact Logix cross site scripting attempt"; flow:to_server,established; content:"/rokform/SysListDetail"; fast_pattern:only; http_uri; pcre:"/[?&](name|comp)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37624; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Allen-Bradley Compact Logix cross site scripting attempt"; flow:to_server,established; content:"/rokform/SysGroupDetail"; fast_pattern:only; http_uri; pcre:"/[?&](name|comp)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37623; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Allen-Bradley Compact Logix cross site scripting attempt"; flow:to_server,established; content:"/rokform/SysDataDetail"; fast_pattern:only; http_uri; pcre:"/[?&](name|comp)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37622; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt"; flow:to_server,established; content:"/HPE/thememaker"; fast_pattern:only; http_uri; content:"HPEInc="; nocase; http_uri; pcre:"/[?&]HPEInc=[^&]*?(http|ftp)/Ui"; metadata:service http; reference:bugtraq,19663; classtype:web-application-attack; sid:37662; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt"; flow:to_server,established; content:"/HPE/plugins"; fast_pattern:only; http_uri; content:"HPEInc="; nocase; http_uri; pcre:"/[?&]HPEInc=[^&]*?(http|ftp)/Ui"; metadata:service http; reference:bugtraq,19663; classtype:web-application-attack; sid:37661; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt"; flow:to_server,established; content:"/HPE/motd"; fast_pattern:only; http_uri; content:"HPEInc="; nocase; http_uri; pcre:"/[?&]HPEInc=[^&]*?(http|ftp)/Ui"; metadata:service http; reference:bugtraq,19663; classtype:web-application-attack; sid:37660; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt"; flow:to_server,established; content:"/HPE/loadcatnews"; fast_pattern:only; http_uri; content:"HPEInc="; nocase; http_uri; pcre:"/[?&]HPEInc=[^&]*?(http|ftp)/Ui"; metadata:service http; reference:bugtraq,19663; classtype:web-application-attack; sid:37659; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt"; flow:to_server,established; content:"/HPE/lang"; fast_pattern:only; http_uri; content:"HPEInc="; nocase; http_uri; pcre:"/[?&]HPEInc=[^&]*?(http|ftp)/Ui"; metadata:service http; reference:bugtraq,19663; classtype:web-application-attack; sid:37658; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt"; flow:to_server,established; content:"/HPE/clickerr"; fast_pattern:only; http_uri; content:"HPEInc="; nocase; http_uri; pcre:"/[?&]HPEInc=[^&]*?(http|ftp)/Ui"; metadata:service http; reference:bugtraq,19663; classtype:web-application-attack; sid:37657; rev:1;)
# sid:37687 (enabled). Fires when the URI contains
# "/HR_UTIL_DISP_WEB.display_fatal_errors?" and the p_message parameter holds a
# single quote (\x27) anywhere before the next "&". The pcre runs on the
# normalized URI (/U), so a percent-encoded quote is expected to be decoded by
# the HTTP preprocessor before matching; that depends on its configuration.
# NOTE(review): only the URI is inspected, so a p_message value carried in a
# request body is not seen by this rule. A quote in ordinary message text
# matches as well, and the policies are set to drop.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle e-Business Suite HR_UTIL_DISP_WEB SQL injection attempt"; flow:to_server,established; content:"/HR_UTIL_DISP_WEB.display_fatal_errors?"; fast_pattern:only; http_uri; content:"p_message="; nocase; http_uri; pcre:"/[?&]p_message=[^&]*?\x27/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0517; classtype:web-application-attack; sid:37687; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DSL router cross site scripting attempt"; flow:to_server,established; content:"lancfg2get.cgi"; fast_pattern:only; http_uri; content:"brName="; nocase; http_uri; pcre:"/[?&]brName=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|alert|script|onload|src)/Ui"; metadata:service http; reference:bugtraq,72725; reference:cve,2015-1028; classtype:attempted-user; sid:37857; rev:2;)
# NOTE(review): the pcre alternation in this rule (sid 37856) differs from the
# sibling rules for the same CVE (sids 37857, 37855, 37854), which use
# ([\x22\x27\x3c\x3e\x28\x29]|alert|script|onload|src). Here the "|" between the
# character class and "alert" is missing, so the first alternative only matches
# one of those characters immediately followed by "alert", and the class lists
# \x23 (#) where the siblings list \x22 ("). This looks like a typo: a lone
# quote or angle bracket in wlWpaPsk is not detected unless "script", "onload"
# or "src" also appears. If the rule is to be enabled, carry a corrected copy in
# local.rules under a local sid rather than editing this vendor file.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DSL router cross site scripting attempt"; flow:to_server,established; content:"wlsecurity.wl"; fast_pattern:only; http_uri; content:"wlWpaPsk="; nocase; http_uri; pcre:"/[?&]wlWpaPsk=[^&]*?([\x23\x27\x3c\x3e\x28\x29]alert|script|onload|src)/Ui"; metadata:service http; reference:bugtraq,72725; reference:cve,2015-1028; classtype:attempted-user; sid:37856; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DSL router cross site scripting attempt"; flow:to_server,established; content:"wlsecrefresh.wl"; fast_pattern:only; http_uri; pcre:"/[?&](wlAuthMode|wl_wsc_reg|wl_wsc_mode)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|alert|script|onload|src)/Ui"; metadata:service http; reference:bugtraq,72725; reference:cve,2015-1028; classtype:attempted-user; sid:37855; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DSL router cross site scripting attempt"; flow:to_server,established; content:"dnsProxy.cmd"; fast_pattern:only; http_uri; content:"domainname="; nocase; http_uri; pcre:"/[?&]domainname=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|alert|script|onload|src)/Ui"; metadata:service http; reference:bugtraq,72725; reference:cve,2015-1028; classtype:attempted-user; sid:37854; rev:2;)
# sids 37860 and 37859 (enabled). Both start from |AC ED 00 05|, the magic and
# version bytes that open a Java serialization stream, and then require a fixed
# sequence of class/method strings later in the payload (sid 37860:
# "/runtime/callsite/", "java.io.File", "execute", "entrySet" followed by
# "java.lang.Override"; sid 37859: "getRuntime", "Ljava/lang/Runtime;", "exec").
# No http_* buffer is named, so matching is on the raw payload for ports 1099,
# 6099, 7001 and $HTTP_PORTS.
# NOTE(review): these are signatures for particular serialized payloads in
# their raw binary form, not a generic deserialization check. Treat them as one
# layer alongside patching the products named in the CVE references and
# restricting which classes the servers will deserialize.
alert tcp $EXTERNAL_NET any -> $HOME_NET [1099,6099,7001,$HTTP_PORTS] (msg:"SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt"; flow:to_server,established; content:"|AC ED 00 05|"; content:"/runtime/callsite/"; distance:0; content:"|00 0C|java.io.File"; distance:0; content:"|70 74 00 07|execute"; within:100; content:"|00 08|entrySet|76 72 00 12|java.lang.Override"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service java_rmi; reference:cve,2015-3253; reference:cve,2015-4852; reference:cve,2015-7450; reference:cve,2015-8103; reference:cve,2016-0638; reference:cve,2016-4385; reference:cve,2017-15708; reference:url,foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#weblogic; reference:url,github.com/frohoff/ysoserial; classtype:attempted-user; sid:37860; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [1099,6099,7001,$HTTP_PORTS] (msg:"SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt"; flow:to_server,established; content:"|AC ED 00 05|"; content:"getRuntime"; distance:0; content:"Ljava/lang/Runtime|3B|"; within:30; content:"exec|01 00 27|(Ljava/lang/String|3B|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service java_rmi; reference:cve,2015-3253; reference:cve,2015-4852; reference:cve,2015-7450; reference:cve,2015-8103; reference:cve,2016-1291; reference:cve,2016-4385; reference:cve,2017-15708; reference:url,github.com/frohoff/ysoserial; classtype:attempted-user; sid:37859; rev:5;)
# NOTE(review): msg and pcre describe command injection (backtick, ";", "|" or
# "$(" in the sortorder/letterrange parameters), while the only reference is a
# Packet Storm advisory whose URL names SQL injection. A single quote, the
# marker the SQL injection rules elsewhere in this file test for, is not in the
# pattern, so check that this signature covers what the advisory describes
# before relying on it.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Thru Managed File Transfer Portal command injection attempt"; flow:to_server,established; content:"/App/asp/contacts.asp?"; fast_pattern:only; http_uri; pcre:"/[?&](sortorder|letterrange)=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:service http; reference:url,packetstormsecurity.com/files/135857/Thru-Managed-File-Transfer-Portal-9.0.2-SQL-Injection.html; classtype:web-application-attack; sid:37858; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Centreon Web Interface index.php command injection attempt"; flow:to_server,established; content:"/centreon/index.php"; fast_pattern:only; http_uri; content:"useralias="; nocase; http_client_body; pcre:"/(^|&)useralias=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:service http; reference:url,www.github.com/centreon/centreon/commit/015e875482d7ff6016edcca27bffe765c2bd77c1; classtype:web-application-attack; sid:38049; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Alienvault OSSIM graph_geoloc.php SQL injection attempt"; flow:to_server,established; content:"/geoloc/graph_geoloc.php"; fast_pattern:only; http_uri; content:"date_from="; nocase; http_uri; pcre:"/[?&]date_from=[^&]*?\x27/Ui"; metadata:policy max-detect-ips drop, service http; classtype:web-application-attack; sid:38012; rev:2;)
# alert tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP Apache HTTP server potential cookie disclosure attempt"; flow:to_server,established; content:"Cookie|3A 20|"; http_raw_header; isdataat:8192,relative; content:!"|0A|"; within:8192; http_raw_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,51706; reference:cve,2012-0053; classtype:web-application-attack; sid:37968; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt"; flow:to_server,established; content:"/Help_Errors.asp"; fast_pattern:only; http_uri; pcre:"/[?&]r\d=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30137; reference:cve,2008-2991; reference:url,adobe.com/support/security/bulletins/apsb08-16.html; classtype:attempted-user; sid:37953; rev:2;)
# NOTE(review): this rule and the two after it (sids 37943, 37942, 37941) list
# port 443 next to $HTTP_PORTS. Snort matches on the bytes it sees, so on TLS
# traffic these rules only work where the sensor receives decrypted traffic.
# Unlike most rules in this file they name no http_* buffer and their pcre has
# no buffer flag, so content and pcre are evaluated against the raw payload
# rather than the normalized URI or body.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,443] (msg:"SERVER-WEBAPP AlienVault OSSIM a_deployment.php command injection attempt"; flow:to_server,established; content:"/ossim/ossec/data/agents/ajax/a_deployment.php"; fast_pattern:only; pcre:"/[?&](?:user|pass)=[^&]*?([\x60\x3b\x7c]|\x24\x28)/i"; metadata:policy max-detect-ips drop, service http; reference:url,www.securityfocus.com/archive/1/534488/30/0/threaded; classtype:attempted-admin; sid:37943; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,443] (msg:"SERVER-WEBAPP AlienVault OSSIM a_deployment.php command injection attempt"; flow:to_server,established; content:"/ossim/ossec/data/agents/ajax/a_deployment.php"; fast_pattern:only; content:"urlencoded"; nocase; pcre:"/(^|&)(?:user|pass)=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%24%28)/i"; metadata:policy max-detect-ips drop, service http; reference:url,www.securityfocus.com/archive/1/534488/30/0/threaded; classtype:attempted-admin; sid:37942; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,443] (msg:"SERVER-WEBAPP AlienVault OSSIM a_deployment.php command injection attempt"; flow:to_server,established; content:"/ossim/ossec/data/agents/ajax/a_deployment.php"; fast_pattern:only; content:"multipart"; nocase; pcre:"/name\s*?=\s*?[\x22\x27]?(?:user|pass)(?:(?!^--).)*?[\r\n]{2,}(?:(?!^--).)*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%24%28)/sim"; metadata:policy max-detect-ips drop, service http; reference:url,www.securityfocus.com/archive/1/534488/30/0/threaded; classtype:attempted-admin; sid:37941; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AMX backdoor username login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"MU1CQHRNYU4"; fast_pattern:only; http_header; metadata:service http; reference:cve,2016-1984; reference:url,ics-cert.us-cert.gov/advisories/ICSA-16-049-02; classtype:default-login-attempt; sid:37917; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear ProSafe NMS arbitrary JSP file upload attempt"; flow:to_server,established; content:"/fileUpload.do"; fast_pattern:only; http_uri; content:"<%"; http_client_body; metadata:service http; reference:bugtraq,82630; reference:cve,2016-1525; classtype:attempted-admin; sid:37890; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear ProSafe NMS image.do directory traversal attempt"; flow:to_server,established; content:"/data/config/image.do"; fast_pattern:only; http_uri; content:"realName="; nocase; http_client_body; pcre:"/(^|&)realName=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:bugtraq,82630; reference:cve,2016-1524; classtype:web-application-attack; sid:38132; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear ProSafe NMS image.do directory traversal attempt"; flow:to_server,established; content:"/data/config/image.do"; fast_pattern:only; http_uri; content:"realName"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?realName((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:service http; reference:bugtraq,82630; reference:cve,2016-1524; classtype:web-application-attack; sid:38131; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP 29o3 CMS LibDir parameter multiple remote file include attempt"; flow:to_server,established; content:"lib/layout/layoutParser.php"; fast_pattern:only; http_uri; content:"LibDir="; nocase; http_uri; pcre:"/[?&]LibDir=[^&]*?(http|ftp)/Ui"; metadata:service http; reference:bugtraq,40049; reference:cve,2010-1922; classtype:web-application-attack; sid:38159; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP 29o3 CMS LibDir parameter multiple remote file include attempt"; flow:to_server,established; content:"lib/layout/layoutManager.php"; fast_pattern:only; http_uri; content:"LibDir="; nocase; http_uri; pcre:"/[?&]LibDir=[^&]*?(http|ftp)/Ui"; metadata:service http; reference:bugtraq,40049; reference:cve,2010-1922; classtype:web-application-attack; sid:38158; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP 29o3 CMS LibDir parameter multiple remote file include attempt"; flow:to_server,established; content:"lib/layout/layoutHeaderFuncs.php"; fast_pattern:only; http_uri; content:"LibDir="; nocase; http_uri; pcre:"/[?&]LibDir=[^&]*?(http|ftp)/Ui"; metadata:service http; reference:bugtraq,40049; reference:cve,2010-1922; classtype:web-application-attack; sid:38157; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP 29o3 CMS LibDir parameter multiple remote file include attempt"; flow:to_server,established; content:"lib/page/pageDescriptionObject.php"; fast_pattern:only; http_uri; content:"LibDir="; nocase; http_uri; pcre:"/[?&]LibDir=[^&]*?(http|ftp)/Ui"; metadata:service http; reference:bugtraq,40049; reference:cve,2010-1922; classtype:web-application-attack; sid:38156; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ATutor connections.php SQL injection attempt"; flow:to_server,established; content:"/ATutor/mods/_standard/social/connections.php"; fast_pattern:only; http_uri; content:"search_friends_"; nocase; http_client_body; pcre:"/(^|&)search_friends_\w+=[^&]*?(\x27|%27)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-2555; classtype:web-application-attack; sid:38140; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Testing Suite UploadFileAction servlet directory traversal attempt"; flow:to_server,established; content:"/olt/UploadFileUpload.do"; fast_pattern:only; http_uri; content:"directory"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?directory((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,81169; reference:cve,2016-0491; classtype:web-application-attack; sid:38164; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP VmWare Tools command injection attempt"; flow:to_server,established; content:"ui/sb"; fast_pattern:only; http_uri; content:"Content-Disposition"; nocase; http_client_body; content:"exec"; nocase; http_client_body; content:"UpgradeTools_Task"; nocase; http_client_body; pcre:"/exec:\x22\/cmd\/vm\x22.*},\x22\x3b.*([\x60\x3b\x7c\x26]|\x24\x28|%60|%3b|%7c|%26|%24%28).*\x3b\x22/Psim"; metadata:service http; reference:bugtraq,45166; reference:cve,2010-4297; classtype:web-application-attack; sid:38243; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP VmWare Tools command injection attempt"; flow:to_server,established; content:"ui/sb"; fast_pattern:only; http_uri; content:"exec"; nocase; http_client_body; content:"UpgradeTools_Task"; nocase; http_client_body; pcre:"/exec:\x22\/cmd\/vm\x22.*},\x22\x3b.*([\x60\x3b\x7c\x26]|\x24\x28|%60|%3b|%7c|%26|%24%28).*\x3b\x22/Pim"; metadata:service http; reference:bugtraq,45166; reference:cve,2010-4297; classtype:web-application-attack; sid:38242; rev:1;)
# NOTE(review), sid 38236 (disabled): the only body check is the two-byte
# content "<?" in the client body. Any XML document starts with the same bytes
# ("<?xml"), so if this rule is enabled, benign XML posted to a URI containing
# doajaxfileupload.php will also alert. Treat a hit as a triage signal and
# confirm against the uploaded file name/extension in the request.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress MM Forms community plugin arbitrary PHP file upload attempt"; flow:to_server,established; content:"doajaxfileupload.php"; fast_pattern:only; http_uri; content:"<?"; http_client_body; metadata:service http; reference:bugtraq,53852; reference:cve,2012-3574; classtype:attempted-admin; sid:38236; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress Simple Ads Manager sam-ajax-admin.php directory traversal attempt"; flow:to_server,established; content:"/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php"; fast_pattern:only; http_uri; content:"path"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?path((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,73924; reference:cve,2015-2825; classtype:web-application-attack; sid:38229; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear ReadyNAS Surveillance cgi_system command injection attempt"; flow:to_server,established; content:"/cgi-bin/cgi_system"; fast_pattern:only; http_uri; content:"bfile="; nocase; http_client_body; pcre:"/(^|&)bfile=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,kb.netgear.com/app/answers/detail/a_id/30275; classtype:attempted-admin; sid:38269; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AWStats awstats.cgi remote file include attempt"; flow:to_server,established; content:"awstats.cgi"; fast_pattern:only; http_uri; content:"configdir="; nocase; http_client_body; pcre:"/(^|&)configdir=[^&]*?(\x5c\x5c|http|ftp)/Pim"; metadata:service http; reference:cve,2010-4367; classtype:web-application-attack; sid:38253; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AWStats awstats.cgi remote file include attempt"; flow:to_server,established; content:"awstats.cgi"; fast_pattern:only; http_uri; content:"configdir="; nocase; http_uri; pcre:"/[?&]configdir=[^&]*?(http|ftp|\x2f)/Ui"; metadata:service http; reference:cve,2010-4367; classtype:web-application-attack; sid:38252; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Samsung Data Manager default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"YWRtaW46MTIzNA=="; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:38249; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,5054] (msg:"SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt"; flow:to_server,established; content:"/goform/edit_lf_process"; fast_pattern:only; content:"lf="; nocase; content:"..|5C|"; pcre:"/[?&]lf=[^&]*?\x2e\x2e\x5c/i"; metadata:policy max-detect-ips drop, service http; classtype:web-application-attack; sid:38316; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,5054] (msg:"SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt"; flow:to_server,established; content:"/goform/edit_lf_process"; fast_pattern:only; content:"lf="; pcre:"/(^|&)lf=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/im"; metadata:policy max-detect-ips drop, service http; classtype:web-application-attack; sid:38315; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,5054] (msg:"SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt"; flow:to_server,established; content:"/goform/edit_lf_process"; fast_pattern:only; content:"lf="; nocase; content:"Content-Disposition"; nocase; pcre:"/name\s*=\s*[\x22\x27]?lf=((?!^--).)*?\x2e\x2e[\x2f\x5c]/sim"; metadata:policy max-detect-ips drop, service http; classtype:web-application-attack; sid:38314; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Bonita BPM themeResource directory traversal attempt"; flow:to_server,established; content:"/bonita/portal/themeResource"; fast_pattern:only; http_uri; content:"theme="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]theme=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,75130; reference:cve,2015-3897; classtype:web-application-attack; sid:38303; rev:2;)
# NOTE(review), sid 38351 (disabled): this signature is a single content match
# on one fixed request string (fixed traversal depth, fixed file name, fixed
# data= value) with no http_uri modifier and no pcre. It can only fire on a
# verbatim replay of that request; any change in depth, target file, parameter
# order or encoding will not match. Use it as an indicator of that specific
# test request, not as general coverage for CVE-2013-5486.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Prime Data Center Network Manager processImageSave.jsp directory traversal attempt"; flow:to_server,established; content:"/cues_utility/charts/processImageSave.jsp?savefile=true&chartid=../../../../../../../../../../../../../../poc.txt%00&mode=save&data=VEVMVVMgU0VDVVJJVFkgTEFCUw=="; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,62484; reference:cve,2013-5486; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130918-dcnm; classtype:attempted-admin; sid:38351; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Bharat Mediratta Gallery PHP file inclusion attempt"; flow:to_server,established; content:"GALLERY_BASEDIR="; fast_pattern:only; http_uri; pcre:"/GALLERY_BASEDIR=(https?|[^\x0a]*ftps?|[^\x26]*\.\.)/Ui"; metadata:service http; reference:bugtraq,5375; reference:cve,2002-1412; classtype:attempted-admin; sid:38371; rev:1;)
# NOTE(review), sid 38370 (disabled): matches the three bytes 2E 2E 5C ("..\")
# anywhere in an established to-server stream on TCP 8811. There is no HTTP
# buffer, URI anchor or parameter name, so any payload on that port containing
# those bytes alerts. Forward-slash and percent-encoded forms are not covered.
# The rule carries no CVE reference and no service metadata.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8811 (msg:"SERVER-WEBAPP IPESOFT D2000 directory traversal attempt"; flow:to_server,established; content:"|2E 2E 5C|"; fast_pattern:only; reference:url,owasp.org/index.php/Path_Traversal; classtype:web-application-attack; sid:38370; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache Jetspeed Portal Site Manager directory traversal attempt"; flow:to_server,established; content:"/jetspeed"; fast_pattern:only; http_uri; content:"PK|03 04|"; http_client_body; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0709; reference:url,portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-0709; classtype:attempted-admin; sid:38393; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache Jetspeed Portal Site Manager directory traversal attempt"; flow:to_server,established; content:"/jetspeed"; fast_pattern:only; http_uri; content:"PK|03 04|"; http_client_body; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0709; reference:url,portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-0709; classtype:attempted-admin; sid:38392; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4070 (msg:"SERVER-WEBAPP HID door command injection attempt"; flow:to_server; content:"command_blink_on"; fast_pattern:only; content:"|60|"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,zerodayinitiative.com/advisories/ZDI-16-223/; classtype:attempted-admin; sid:38389; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DotCMS UserAjax.getUsersList.dwr SQL injection attempt"; flow:to_server,established; content:"/dwr/call/plaincall/UserAjax.getUsersList.dwr"; fast_pattern:only; http_uri; content:"c0-e3="; nocase; http_client_body; pcre:"/(^|&)c0-e3=[^&]*?(\x27|%27)/Pim"; metadata:service http; reference:cve,2016-3688; classtype:web-application-attack; sid:38398; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Testing Suite Grid Control directory traversal attempt"; flow:to_server,established; content:"/otm/ReportImage.do"; fast_pattern:only; http_uri; content:"tempfilename="; nocase; http_client_body; pcre:"/(^|&)tempfilename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:bugtraq,81184; reference:cve,2016-0489; classtype:web-application-attack; sid:38396; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Testing Suite Grid Control directory traversal attempt"; flow:to_server,established; content:"/otm/ReportImage.do"; fast_pattern:only; http_uri; content:"tempfilename="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]tempfilename=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:bugtraq,81184; reference:cve,2016-0489; classtype:web-application-attack; sid:38395; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress Scoreme cross site scripting attempt"; flow:to_server,established; content:"/wordpress/"; fast_pattern:only; http_uri; content:"s="; nocase; http_uri; pcre:"/[?&]s=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:url,www.vulnerability-lab.com/get_content.php?id=1808; classtype:attempted-user; sid:38536; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WSN Live SQL injection attempt SQL injection attempt"; flow:to_server,established; content:"/search.php"; fast_pattern:only; http_uri; content:"namecondition="; nocase; http_uri; pcre:"/[?&]namecondition=[^&]*?(\x29|%29){1,2}/Ui"; metadata:policy security-ips drop, service http; reference:bugtraq,44593; reference:cve,2010-4006; classtype:web-application-attack; sid:38531; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt"; flow:to_server,established; content:"/otm/download"; fast_pattern:only; http_uri; content:"scheduleReportName="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]scheduleReportName=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,81097; reference:cve,2016-0481; classtype:web-application-attack; sid:38520; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt"; flow:to_server,established; content:"/otm/download"; fast_pattern:only; http_uri; content:"scheduleReportName="; nocase; http_client_body; pcre:"/(^|&)scheduleReportName=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,81097; reference:cve,2016-0481; classtype:web-application-attack; sid:38519; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt"; flow:to_server,established; content:"/otm/download"; fast_pattern:only; http_uri; content:"scheduleReportName"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?scheduleReportName((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,81097; reference:cve,2016-0481; classtype:web-application-attack; sid:38518; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ATutor question_import.php directory traversal attempt"; flow:to_server,established; content:"/ATutor/mods/_standard/tests/question_import.php"; fast_pattern:only; http_uri; content:"PK|03 04|"; http_client_body; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; http_client_body; metadata:service http; reference:url,sourceincite.com/research/src-2016-11/; classtype:web-application-attack; sid:38513; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ATutor question_import.php directory traversal attempt"; flow:to_server,established; content:"/ATutor/mods/_standard/tests/question_import.php"; fast_pattern:only; http_uri; content:"PK|03 04|"; http_client_body; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; http_client_body; metadata:service http; reference:url,sourceincite.com/research/src-2016-11/; classtype:web-application-attack; sid:38512; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,8700] (msg:"SERVER-WEBAPP Novell Service Desk directory traversal attempt"; flow:to_server,established; content:"/LiveTime/WebObjects/LiveTime.woa"; fast_pattern:only; content:"filename"; nocase; content:"Content-Disposition"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-1593; reference:url,www.novell.com/support/kb/doc.php?id=7017428; classtype:web-application-attack; sid:38511; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Atvise denial of service attempt"; flow:to_server,established; urilen:9; content:"/shutdown"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,exploit-db.com/exploits/17963; classtype:attempted-dos; sid:38579; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP pfSense status_rrd_graph_img.php command injection attempt"; flow:to_server,established; content:"/status_rrd_graph_img.php"; fast_pattern:only; http_uri; content:"graph="; nocase; http_uri; pcre:"/[?&]graph=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, service http; reference:url,www.pfsense.org/security/advisories/pfSense-SA-16_01.webgui.asc; classtype:web-application-attack; sid:38609; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Gemtek CPE7000 sysconf.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/sysconf.cgi"; fast_pattern:only; http_uri; content:"perf_measure_server_ip="; nocase; http_uri; pcre:"/[?&]perf_measure_server_ip=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:service http; reference:url,www.telrad.com/support; classtype:web-application-attack; sid:38626; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Gemtek CPE7000 sysconf.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/sysconf.cgi"; fast_pattern:only; http_uri; content:"perf_measure_server_ip="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; pcre:"/[?&]perf_measure_server_ip=[^&]*?%26/Ii"; metadata:service http; reference:url,www.telrad.com/support; classtype:web-application-attack; sid:38625; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sefrengo CMS main.php SQL injection attempt"; flow:to_server,established; content:"/sefrengo/backend/main.php"; fast_pattern:only; http_uri; pcre:"/[?&](idclient|idcat)=[^&]*?\x27/Ui"; metadata:service http; reference:bugtraq,71885; reference:cve,2015-0919; classtype:web-application-attack; sid:38675; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet directory traversal attempt"; flow:to_server,established; content:"/otm/download"; fast_pattern:only; http_uri; content:"../"; http_uri; pcre:"/[?&](scriptPath|TMAPReportImage)=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:bugtraq,81070; reference:bugtraq,81102; reference:cve,2016-0480; reference:cve,2016-0484; reference:url,www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html; classtype:web-application-attack; sid:38673; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt"; flow:to_server,established; content:"/wp-content/plugins/simple-ads-manager/sam-ajax.php"; fast_pattern:only; http_uri; content:"hits["; nocase; http_uri; pcre:"/[?&]hits\x5b\d\x5d\x5b\x5d=[^&]*?\x27/Ui"; metadata:service http; reference:bugtraq,73698; reference:cve,2015-2824; classtype:web-application-attack; sid:38723; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt"; flow:to_server,established; content:"/wp-content/plugins/simple-ads-manager/sam-ajax.php"; fast_pattern:only; http_uri; content:"hits"; nocase; http_client_body; pcre:"/(^|&)hits(\x5b|%5b)\d(\x5d|%5d)([\x5b\x5d]|%5b|%5d){2}=[^&]*?(\x27|%27)/Pim"; metadata:service http; reference:bugtraq,73698; reference:cve,2015-2824; classtype:web-application-attack; sid:38722; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt"; flow:to_server,established; content:"/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php"; fast_pattern:only; http_uri; pcre:"/[?&](cstr|searchTerm|subscriber|contributor|author|editor|admin|sadmin)=[^&]*?\x27/Ui"; metadata:service http; reference:bugtraq,73698; reference:cve,2015-2824; classtype:web-application-attack; sid:38721; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt"; flow:to_server,established; content:"/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php"; fast_pattern:only; http_uri; pcre:"/(^|&)(cstr|searchTerm|subscriber|contributor|author|editor|admin|sadmin)=[^&]*?(\x27|%27)/Pim"; metadata:service http; reference:bugtraq,73698; reference:cve,2015-2824; classtype:web-application-attack; sid:38720; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-Address remote file include attempt"; flow:to_server,established; content:"globals.php"; fast_pattern:only; http_uri; content:"LangCookie="; nocase; http_uri; pcre:"/[?&]LangCookie=[^&]*?(http|ftp)/Ui"; metadata:service http; reference:bugtraq,5039; reference:cve,2002-0953; classtype:web-application-attack; sid:38807; rev:1;)
# CVE-2016-0485 (enabled; drop in balanced/max-detect/security policies).
# Three rules cover the same /otm/download request, one per place the
# reportName value can travel. All three are limited to destination ports
# 8088 and 8089; an instance listening on another port is not inspected by
# them, so check the deployed port before relying on this coverage.
#
# sid 38791 - multipart/form-data body: requires downloadType=OTMReport,
#   reportName and Content-Disposition in the client body (all nocase). The
#   pcre looks for name=reportName followed by ".." and "/" or "\". The
#   (?!^--) lookahead stops the scan at a line beginning with "--",
#   presumably the multipart boundary. Only literal dots and slashes are
#   matched here.
# sid 38790 - urlencoded body: reportName= value (up to the next "&")
#   containing two dots and a slash or backslash, each either literal or
#   percent-encoded (%2e, %2f, %5c).
# sid 38789 - URI: downloadType=OTMReport is matched case-sensitively here
#   (no nocase, unlike the two body variants), then reportName= and "../" in
#   the normalized URI. The backslash form is not covered by this variant.
alert tcp $EXTERNAL_NET any -> $HOME_NET [8088,8089] (msg:"SERVER-WEBAPP Oracle application testing suite DownloadServlet directory traversal attempt"; flow:to_server,established; content:"/otm/download"; fast_pattern:only; http_uri; content:"downloadType=OTMReport"; nocase; http_client_body; content:"reportName"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?reportName((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0485; classtype:web-application-attack; sid:38791; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [8088,8089] (msg:"SERVER-WEBAPP Oracle application testing suite DownloadServlet directory traversal attempt"; flow:to_server,established; content:"/otm/download"; fast_pattern:only; http_uri; content:"downloadType=OTMReport"; nocase; http_client_body; content:"reportName="; nocase; http_client_body; pcre:"/(^|&)reportName=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0485; classtype:web-application-attack; sid:38790; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [8088,8089] (msg:"SERVER-WEBAPP Oracle application testing suite DownloadServlet directory traversal attempt"; flow:to_server,established; content:"/otm/download"; fast_pattern:only; http_uri; content:"downloadType=OTMReport"; http_uri; content:"reportName="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]reportName=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0485; classtype:web-application-attack; sid:38789; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8088,8089] (msg:"SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet servlet directory traversal attempt"; flow:to_server,established; content:"/olt/download"; fast_pattern:only; http_uri; content:"downloadType=scenario"; nocase; http_uri; pcre:"/(^|&)(scenario|workspace|repository)=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,81153; reference:cve,2016-0477; classtype:web-application-attack; sid:38942; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8088,8089] (msg:"SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet servlet directory traversal attempt"; flow:to_server,established; content:"/olt/download"; fast_pattern:only; http_uri; content:"downloadType=scenario"; nocase; http_uri; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?(scenario|workspace|repository)((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,81153; reference:cve,2016-0477; classtype:web-application-attack; sid:38941; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8088,8089] (msg:"SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet servlet directory traversal attempt"; flow:to_server,established; content:"/olt/download"; fast_pattern:only; http_uri; content:"downloadType=scenario"; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&](scenario|workspace|repository)=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,81153; reference:cve,2016-0477; classtype:web-application-attack; sid:38940; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ORACLE-SERVER Oracle Application Testing Suite filename directory traversal attempt"; flow:to_server,established; content:"/otm/upload?"; fast_pattern:only; http_uri; content:"dataSource=OATS_otm_DS"; http_uri; content:"&user="; http_uri; content:"filename:"; nocase; http_header; content:".."; http_header; pcre:"/filename: [^\r\n]*?\x2e\x2e/Hi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0490; classtype:web-application-attack; sid:38939; rev:2;)
# CVE-2016-0487 (enabled; drop in balanced/max-detect/security policies).
# Content-only rule, no pcre: the normalized URI must begin with "/otm/"
# (depth:5, nocase), and the raw URI must contain a literal "../" at or after
# byte offset 5, followed somewhere later by ".do".
# NOTE(review): the traversal is matched in http_raw_uri as literal bytes, so
# percent-encoded dots/slashes and the backslash form would not match this
# rule - confirm whether another sid covers those forms. Limited to
# destination ports 8088 and 8089.
alert tcp $EXTERNAL_NET any -> $HOME_NET [8088,8089] (msg:"SERVER-WEBAPP Oracle Application Testing Suite actionservlet directory traversal attempt"; flow:to_server,established; content:"/otm/"; depth:5; fast_pattern; nocase; http_uri; content:"../"; offset:5; http_raw_uri; content:".do"; distance:0; http_raw_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0487; classtype:attempted-user; sid:38934; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell SonicWall Scrutinizer user_id SQL injection attempt"; flow:to_server,established; content:"/d4d/login.php"; fast_pattern:only; http_uri; content:"user_id="; nocase; http_uri; pcre:"/[?&]user_id=[^&]*?[^\d\x20&]/Ui"; metadata:service http; reference:url,support.software.dell.com/sonicwall-scrutinizer; classtype:web-application-attack; sid:38930; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell SonicWall Scrutinizer user_id SQL injection attempt"; flow:to_server,established; content:"/d4d/login.php"; fast_pattern:only; http_uri; content:"user_id="; nocase; http_client_body; pcre:"/(^|&)user_id=[^&]*?[^\d\x20&]/Pim"; metadata:service http; reference:url,support.software.dell.com/sonicwall-scrutinizer; classtype:web-application-attack; sid:38929; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell SonicWall Scrutinizer setSkin SQL injection attempt"; flow:to_server,established; content:"/d4d/login.php"; fast_pattern:only; http_uri; content:"setSkin="; nocase; http_uri; pcre:"/[?&]setSkin=[^&]*?\x27/Ui"; metadata:service http; reference:url,support.software.dell.com/sonicwall-scrutinizer; classtype:web-application-attack; sid:38928; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell SonicWall Scrutinizer setSkin SQL injection attempt"; flow:to_server,established; content:"/d4d/login.php"; fast_pattern:only; http_uri; content:"setSkin="; nocase; http_client_body; pcre:"/(^|&)setSkin=[^&]*?(\x27|%27)/Pim"; metadata:service http; reference:url,support.software.dell.com/sonicwall-scrutinizer; classtype:web-application-attack; sid:38927; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell SonicWall Scrutinizer deleteTab SQL injection attempt"; flow:to_server,established; content:"/d4d/dashboards.php"; fast_pattern:only; http_uri; content:"deleteTab="; nocase; http_uri; pcre:"/[?&]deleteTab=[^&]*?[^\d\x20&]/Ui"; metadata:service http; reference:url,support.software.dell.com/sonicwall-scrutinizer; classtype:web-application-attack; sid:38926; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell SonicWall Scrutinizer deleteTab SQL injection attempt"; flow:to_server,established; content:"/d4d/dashboards.php"; fast_pattern:only; http_uri; content:"deleteTab="; nocase; http_client_body; pcre:"/(^|&)deleteTab=[^&]*?[^\d\x20&]/Pim"; metadata:service http; reference:url,support.software.dell.com/sonicwall-scrutinizer; classtype:web-application-attack; sid:38925; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt"; flow:to_server,established; content:"/otm/download"; nocase; http_uri; content:"downloadType=OTMExportFile"; fast_pattern:only; nocase; http_uri; content:"exportFileName="; nocase; http_uri; content:"../"; http_uri; pcre:"/exportFileName=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:bugtraq,81107; reference:cve,2016-0486; reference:url,oracle.com/technetwork/oem/app-test/etest-101273.html; classtype:web-application-attack; sid:38913; rev:1;)
# sid 38894 - CVE-2016-0792, Jenkins deserialization (enabled; drop in
#   balanced/max-detect/security policies). Three unanchored content matches:
#   "/create" anywhere in the URI (nocase), "groovy.runtime.MethodClosure" in
#   the body (case-sensitive fast pattern) and "java.lang" in the body
#   (nocase). No order or distance is enforced between the two body strings.
#   The rule applies to $HTTP_PORTS only, so verify that the port the Jenkins
#   instance listens on is part of that variable.
#
# sids 38880 / 38879 - CVE-2016-2002, HP Vertica validateAdminConfig command
#   injection (enabled; also dropped in the connectivity policy). Both inspect
#   the mcPort query parameter only; neither looks at the request body.
#   38880 checks the normalized URI for a backtick, ";", "|", or one of
#   "<(", ">(", "$(" inside the mcPort value.
#   38879 checks the raw URI for "%26" inside the mcPort value. After
#   normalization an encoded "&" would look like a parameter separator, which
#   is presumably why this case is matched on the raw buffer (pcre flag I).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Jenkins CI Server insecure deserialization command execution attempt"; flow:to_server,established; content:"/create"; nocase; http_uri; content:"groovy.runtime.MethodClosure"; fast_pattern:only; http_client_body; content:"java.lang"; nocase; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0792; reference:url,wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24; classtype:attempted-admin; sid:38894; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Enterprise Vertica validateAdminConfig command injection attempt"; flow:to_server,established; content:"/webui/systemConfig/validateAdminConfig"; fast_pattern:only; http_uri; content:"mcPort="; nocase; http_uri; pcre:"/[?&]mcPort=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-2002; reference:url,h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05085303; classtype:web-application-attack; sid:38880; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Enterprise Vertica validateAdminConfig command injection attempt"; flow:to_server,established; content:"/webui/systemConfig/validateAdminConfig"; fast_pattern:only; http_uri; content:"mcPort="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; pcre:"/[?&]mcPort=[^&]*?%26/Ii"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-2002; reference:url,h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05085303; classtype:web-application-attack; sid:38879; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP VMware vCenter Chargeback Manager ImageUploadServlet arbitrary JSP file upload attempt"; flow:to_server,established; content:"/cbmui/ImageUploadServlet"; fast_pattern:only; http_uri; content:"<%"; http_client_body; metadata:policy security-ips drop, service http; reference:bugtraq,60484; reference:cve,2013-3520; reference:url,www.vmware.com/security/advisories/VMSA-2013-0008.html; classtype:attempted-user; sid:38965; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager downTimeScheduler.do SQL injection attempt"; flow:to_server,established; content:"/downTimeScheduler.do"; fast_pattern:only; http_uri; content:"taskid="; nocase; http_uri; pcre:"/[?&]taskid=[^&]*?[^\d\x20&]/Ui"; metadata:service http; reference:url,www.manageengine.com/products/applications_manager/release-notes.html; classtype:web-application-attack; sid:39027; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache Struts I18NInterceptor locale object cross site scripting attempt"; flow:to_server,established; content:".action?"; http_uri; content:"request_locale="; fast_pattern:only; nocase; http_uri; pcre:"/[?&]request_locale=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2016-2162; classtype:attempted-user; sid:38990; rev:1;)
# sids 38988, 38987, 38986 - SAP NetWeaver xMII GetFileList directory traversal (CVE-2016-2389).
# Shipped commented out; metadata lists "drop" for the security and max-detect policies.
# All three require /XMII/ and Mode=GetFileList in the URI and differ in where Path is read from:
#   38988  Path in the normalized URI (pcre flag U), literal "../" only - it depends on
#          http_inspect URI normalization to decode percent-encoded forms first.
#   38987  Path in a urlencoded request body (flag P): two dots, literal or %2e, followed by a
#          slash or backslash, literal or %2f/%5c.
#   38986  Path as a multipart form part: "name=Path" followed by "..", then "/" or "\", before
#          the next line that begins with "--" (the part boundary).
# The body variants only see as much of the request body as http_inspect is configured to inspect.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt"; flow:to_server,established; content:"/XMII/"; fast_pattern:only; http_uri; content:"Mode=GetFileList"; nocase; http_uri; content:"Path="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]Path=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-2389; classtype:web-application-attack; sid:38988; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt"; flow:to_server,established; content:"/XMII/"; fast_pattern:only; http_uri; content:"Mode=GetFileList"; nocase; http_uri; content:"Path="; nocase; http_client_body; pcre:"/(^|&)Path=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-2389; classtype:web-application-attack; sid:38987; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SAP NetWeaver xMII directory traversal attempt"; flow:to_server,established; content:"/XMII/"; fast_pattern:only; http_uri; content:"Mode=GetFileList"; nocase; http_uri; content:"Path"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?Path((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-2389; classtype:web-application-attack; sid:38986; rev:2;)
# sid 38979 - Dell SonicWall Scrutinizer exporters.php methodDetail SQL injection (CVE-2014-4977).
# Shipped commented out, no policy metadata.
# The rule fires on any methodDetail value in the normalized URI that contains a character other
# than a digit, a space or "&"; it does not look for SQL keywords, so it flags non-numeric input
# in general rather than SQL syntax specifically.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell SonicWall Scrutinizer methodDetail SQL injection attempt"; flow:to_server,established; content:"/d4d/exporters.php"; fast_pattern:only; http_uri; content:"methodDetail="; nocase; http_uri; pcre:"/[?&]methodDetail=[^&]*?[^\d\x20&]/Ui"; metadata:service http; reference:bugtraq,68495; reference:cve,2014-4977; classtype:web-application-attack; sid:38979; rev:1;)
# sids 38970, 38969, 38968 - Oracle Application Testing Suite /olt/download directory traversal
# (CVE-2016-0476). Active in this file; "drop" for the balanced, security and max-detect policies.
# Destination ports are hard-coded to 8088 and 8089 instead of $HTTP_PORTS, so an installation
# listening on another port is not covered by these rules as written.
#   38970  multipart body: a form part named reportName containing ".." followed by "/" or "\".
#   38969  urlencoded body: reportName with two dots (literal or %2e) and a slash or backslash
#          (literal or %2f/%5c).
#   38968  normalized URI: reportName containing a literal "../".
# 38970 and 38969 expect downloadType=report in the body, 38968 expects it in the URI.
alert tcp $EXTERNAL_NET any -> $HOME_NET [8088,8089] (msg:"SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt"; flow:to_server,established; content:"/olt/download"; fast_pattern:only; http_uri; content:"downloadType=report"; nocase; http_client_body; content:"reportName"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?reportName((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0476; classtype:web-application-attack; sid:38970; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [8088,8089] (msg:"SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt"; flow:to_server,established; content:"/olt/download"; fast_pattern:only; http_uri; content:"downloadType=report"; nocase; http_client_body; content:"reportName="; nocase; http_client_body; pcre:"/(^|&)reportName=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0476; classtype:web-application-attack; sid:38969; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [8088,8089] (msg:"SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt"; flow:to_server,established; content:"/olt/download"; fast_pattern:only; http_uri; content:"downloadType=report"; nocase; http_uri; content:"reportName="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]reportName=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0476; classtype:web-application-attack; sid:38968; rev:2;)
# sid 39060 - SAP NetWeaver UDDISecurityImplBean SQL injection (CVE-2016-2386).
# Shipped commented out, no policy metadata.
# Detection: a request to /UDDISecurityImplBean whose body has a <permissionId ...> element with a
# literal single quote (\x27) in its text, before the next "<". Flag P runs the pattern against
# the request body.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SAP NetWeaver UDDISecurityImplBean SQL injection attempt"; flow:to_server,established; content:"/UDDISecurityImplBean"; fast_pattern:only; http_uri; content:"<permissionId"; nocase; http_client_body; pcre:"/<permissionId[^>]*?>[^<]*?\x27/Pi"; metadata:service http; reference:cve,2016-2386; reference:url,service.sap.com/sap/support/notes/2101079; classtype:web-application-attack; sid:39060; rev:1;)
# sids 39069, 39068, 39067 - SAP NetWeaver Java Proxy Runtime ProxyServer cross-site scripting
# (CVE-2016-2387), one rule per endpoint: list, unregister, register. Shipped commented out, no
# policy metadata.
# Each matches the normalized URI (flag U) when a watched parameter holds a quote, angle bracket
# or parenthesis, or the strings script/onload/src. The list rule watches ns and interface; the
# register and unregister rules also watch bean and method.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SAP Netweaver Java Proxy Runtime ProxyServer list cross site scripting attempt"; flow:to_server,established; content:"/ProxyServer/list?"; fast_pattern:only; http_uri; pcre:"/[?&](ns|interface)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2016-2387; classtype:attempted-user; sid:39069; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SAP Netweaver Java Proxy Runtime ProxyServer unregister cross site scripting attempt"; flow:to_server,established; content:"/ProxyServer/unregister?"; fast_pattern:only; http_uri; pcre:"/[?&](ns|interface|bean|method)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2016-2387; classtype:attempted-user; sid:39068; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SAP Netweaver Java Proxy Runtime ProxyServer register cross site scripting attempt"; flow:to_server,established; content:"/ProxyServer/register?"; fast_pattern:only; http_uri; pcre:"/[?&](ns|interface|bean|method)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2016-2387; classtype:attempted-user; sid:39067; rev:1;)
# sids 39089, 39088, 39087 - Oracle Application Testing Suite /otm/download arbitrary file read
# (CVE-2016-0482). Shipped commented out; "drop" for the security and max-detect policies; ports
# hard-coded to 8088 and 8089.
# All three look for a ".." traversal sequence in the "file" parameter:
#   39089  multipart body, with downloadType=subReport also in the body.
#   39088  urlencoded body for "file", but downloadType=subReport is expected in the URI.
#   39087  normalized URI for both, literal "../" only.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8088,8089] (msg:"SERVER-WEBAPP Oracle Application Testing Suite arbitrary file read attempt"; flow:to_server,established; content:"/otm/download"; fast_pattern:only; http_uri; content:"downloadType=subReport"; nocase; http_client_body; content:"file"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?file((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0482; classtype:web-application-attack; sid:39089; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8088,8089] (msg:"SERVER-WEBAPP Oracle Application Testing Suite arbitrary file read attempt"; flow:to_server,established; content:"/otm/download"; fast_pattern:only; http_uri; content:"downloadType=subReport"; nocase; http_uri; content:"file="; nocase; http_client_body; pcre:"/(^|&)file=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0482; classtype:web-application-attack; sid:39088; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8088,8089] (msg:"SERVER-WEBAPP Oracle Application Testing Suite arbitrary file read attempt"; flow:to_server,established; content:"/otm/download"; fast_pattern:only; http_uri; content:"downloadType=subReport"; nocase; http_uri; content:"file="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]file=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0482; classtype:web-application-attack; sid:39087; rev:2;)
# sids 39075, 39074, 39073, 39072 - Aruba Networks IAP swarm.cgi (CVE-2016-2031, advisory
# ARUBA-PSA-2016-004). Shipped commented out, no policy metadata.
#   39075  opcode=config with a double quote (\x22) in the cmd value.
#   39074  opcode=image-url-upgrade with a shell metacharacter in image_url: backtick, ";", "|",
#          or "<(", ">(", "$(" (normalized URI, flag U).
#   39073  same opcode, URL-encoded ampersand (%26) in image_url, checked in the raw URI (flag I).
#   39072  any request carrying opcode=printenv; there is no value check, so every use of that
#          opcode alerts (classtype attempted-recon).
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Aruba Networks IAP swarm.cgi raddb config injection attempt"; flow:to_server,established; content:"/swarm.cgi"; nocase; http_uri; content:"opcode=config"; fast_pattern:only; http_uri; content:"cmd="; nocase; http_uri; pcre:"/[?&]cmd=[^&]*?\x22/Ui"; metadata:service http; reference:cve,2016-2031; reference:url,www.arubanetworks.com/assets/alert/ARUBA-PSA-2016-004.txt; classtype:web-application-attack; sid:39075; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Aruba Networks IAP swarm.cgi command injection attempt"; flow:to_server,established; content:"/swarm.cgi"; nocase; http_uri; content:"opcode=image-url-upgrade"; fast_pattern:only; http_uri; content:"image_url="; nocase; http_uri; pcre:"/[?&]image_url=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:service http; reference:cve,2016-2031; reference:url,www.arubanetworks.com/assets/alert/ARUBA-PSA-2016-004.txt; classtype:web-application-attack; sid:39074; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Aruba Networks IAP swarm.cgi command injection attempt"; flow:to_server,established; content:"/swarm.cgi"; nocase; http_uri; content:"opcode=image-url-upgrade"; fast_pattern:only; http_uri; content:"image_url="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; pcre:"/[?&]image_url=[^&]*?%26/Ii"; metadata:service http; reference:cve,2016-2031; reference:url,www.arubanetworks.com/assets/alert/ARUBA-PSA-2016-004.txt; classtype:web-application-attack; sid:39073; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Aruba Networks IAP insecure disclosure of environment variables attempt"; flow:to_server,established; content:"/swarm.cgi"; nocase; http_uri; content:"opcode=printenv"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2016-2031; reference:url,www.arubanetworks.com/assets/alert/ARUBA-PSA-2016-004.txt; classtype:attempted-recon; sid:39072; rev:1;)
# sid 39070 - D-Link __show_info.php local file disclosure (bugtraq 64043). Active in this file;
# "drop" for the balanced, security and max-detect policies.
# Detection is presence-only: a request for /model/__show_info.php with a REQUIRE_FILE= parameter
# in the URI, whatever its value. REQUIRE_FILE= has no nocase modifier, so it is matched
# case-sensitively. The rule watches $EXTERNAL_NET -> $HOME_NET, i.e. it assumes the device's web
# interface is reachable from outside; restricting that exposure is the primary mitigation.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dlink local file disclosure attempt"; flow:to_server,established; content:"/model/__show_info.php"; fast_pattern:only; http_uri; content:"REQUIRE_FILE="; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,64043; classtype:web-application-attack; sid:39070; rev:2;)
# sids 39135, 39134, 39133 - Ubiquiti Networks XM firmware scr.cgi, fname parameter. Shipped
# commented out, no policy metadata; the only reference is the vendor firmware changelog.
#   39135  directory traversal: literal "../" in fname (normalized URI).
#   39134  command injection: backtick, ";", "|", or "<(", ">(", "$(" in fname (normalized URI).
#   39133  command injection: URL-encoded ampersand (%26) in fname, checked in the raw URI.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ubiquiti Networks XM Firmware scr.cgi directory traversal attempt"; flow:to_server,established; content:"/scr.cgi"; fast_pattern:only; http_uri; content:"fname="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]fname=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:url,dl.ubnt.com/firmwares/XN-fw/v5.6.6/changelog.txt; classtype:web-application-attack; sid:39135; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ubiquiti Networks XM Firmware scr.cgi command injection attempt"; flow:to_server,established; content:"/scr.cgi"; fast_pattern:only; http_uri; content:"fname="; nocase; http_uri; pcre:"/[?&]fname=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:service http; reference:url,dl.ubnt.com/firmwares/XN-fw/v5.6.6/changelog.txt; classtype:web-application-attack; sid:39134; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ubiquiti Networks XM Firmware scr.cgi command injection attempt"; flow:to_server,established; content:"/scr.cgi"; fast_pattern:only; http_uri; content:"fname="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; pcre:"/[?&]fname=[^&]*?%26/Ii"; metadata:service http; reference:url,dl.ubnt.com/firmwares/XN-fw/v5.6.6/changelog.txt; classtype:web-application-attack; sid:39133; rev:1;)
# sid 39152 - Huawei HG866 GPON password change. Shipped commented out, no references and no
# policy metadata.
# Direction is $HOME_NET -> $EXTERNAL_NET: it alerts when an internal client submits the
# password form (save=Apply, &psw=, &reenterpsw= in the body) to /html/password.html on an
# external host. The rule matches the form submission itself and cannot tell an authorised
# change from an unauthorised one, so alerts need context about who initiated the request.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Huawei HG866 GPON root password change attempt"; flow:to_server,established; content:"/html/password.html"; fast_pattern:only; http_uri; content:"save=Apply"; http_client_body; content:"&psw="; http_client_body; content:"&reenterpsw="; http_client_body; metadata:service http; classtype:web-application-attack; sid:39152; rev:1;)
# sid 39188 - Nagios XI backend API server-side request forgery. Shipped commented out; "drop" for
# the security and max-detect policies. Reference is a Full Disclosure post, no CVE listed.
# Detection: /nagiosxi/backend with cmd=geturlhtml and a url value containing http, ftp or file,
# plus ":/" somewhere in the normalized URI. The rule flags every use of this function with a
# URL argument; it does not evaluate where the URL points.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI backend API server side request forgery attempt"; flow:to_server,established; content:"/nagiosxi/backend"; nocase; http_uri; content:"cmd=geturlhtml"; fast_pattern:only; http_uri; content:"url="; nocase; http_uri; content:"|3A|/"; http_uri; pcre:"/[?&]url=[^&]*?(http|ftp|file)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Jun/9; classtype:web-application-attack; sid:39188; rev:2;)
# sids 39187, 39186, 39185 - Cisco Unified IVR IVRGetAudioFile.do directory traversal
# (CVE-2011-3315). Shipped commented out, no policy metadata.
#   39187  multipart body: a form part named "file" containing ".." followed by "/" or "\".
#   39186  urlencoded body: file= with two dots (literal or %2e) and a slash or backslash
#          (literal or %2f/%5c).
#   39185  normalized URI: file= containing a literal "../".
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Unified Interactive Voice Response directory traversal attempt"; flow:to_server,established; content:"/ccmivr/IVRGetAudioFile.do"; fast_pattern:only; http_uri; content:"file"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?file((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:service http; reference:cve,2011-3315; classtype:web-application-attack; sid:39187; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Unified Interactive Voice Response directory traversal attempt"; flow:to_server,established; content:"/ccmivr/IVRGetAudioFile.do"; fast_pattern:only; http_uri; content:"file="; nocase; http_client_body; pcre:"/(^|&)file=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:cve,2011-3315; classtype:web-application-attack; sid:39186; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Unified Interactive Voice Response directory traversal attempt"; flow:to_server,established; content:"/ccmivr/IVRGetAudioFile.do"; fast_pattern:only; http_uri; content:"file="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]file=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:cve,2011-3315; classtype:web-application-attack; sid:39185; rev:1;)
# sids 39184, 39183, 39182 - Oracle Application Testing Suite /olt/download directory traversal
# through scriptName (CVE-2016-0478). Shipped commented out, no policy metadata.
# These use $HTTP_PORTS, whereas the reportName rules for the same /olt/download path in this file
# (sids 38968-38970) hard-code 8088 and 8089; if enabling them, check that the port the product
# listens on is included in $HTTP_PORTS.
#   39184  multipart body, 39183 urlencoded body, 39182 normalized URI (literal "../" only).
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt"; flow:to_server,established; content:"/olt/download"; fast_pattern:only; http_uri; content:"scriptName"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?scriptName((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:service http; reference:cve,2016-0478; classtype:web-application-attack; sid:39184; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt"; flow:to_server,established; content:"/olt/download"; fast_pattern:only; http_uri; content:"scriptName="; nocase; http_client_body; pcre:"/(^|&)scriptName=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:cve,2016-0478; classtype:web-application-attack; sid:39183; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt"; flow:to_server,established; content:"/olt/download"; fast_pattern:only; http_uri; content:"scriptName="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]scriptName=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:cve,2016-0478; classtype:web-application-attack; sid:39182; rev:1;)
# sids 39181, 39180, 39179, 39178, 39177 - Nagios XI issues from the same Full Disclosure post
# (no CVE listed). Shipped commented out; "drop" for the security and max-detect policies.
#   39181  ajaxproxy.php SSRF: proxyurl value containing http, ftp or file, plus ":/" in the URI.
#   39180  nagiosim.php: backtick, ";", "|", or "<(", ">(", "$(" in title (normalized URI).
#   39179  nagiosim.php: URL-encoded ampersand (%26) in title, checked in the raw URI.
#   39178  graphApi.php: the same shell metacharacters in start or end (normalized URI).
#   39177  graphApi.php: %26 in start or end, checked in the raw URI.
# 39180/39179 and 39178/39177 key on the script name alone (/nagiosim.php, /graphApi.php), not on
# a /nagiosxi/ prefix, so same-named scripts in other applications can alert as well.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI ajaxproxy.php server side request forgery attempt"; flow:to_server,established; content:"/nagiosxi/ajaxproxy.php"; fast_pattern:only; http_uri; content:"proxyurl="; nocase; http_uri; content:"|3A|/"; http_uri; pcre:"/[?&]proxyurl=[^&]*?(http|ftp|file)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Jun/9; classtype:web-application-attack; sid:39181; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI nagiosim.php command injection attempt"; flow:to_server,established; content:"/nagiosim.php"; fast_pattern:only; http_uri; content:"title="; nocase; http_uri; pcre:"/[?&]title=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Jun/9; classtype:web-application-attack; sid:39180; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI nagiosim.php command injection attempt"; flow:to_server,established; content:"/nagiosim.php"; fast_pattern:only; http_uri; content:"title="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; pcre:"/[?&]title=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Jun/9; classtype:web-application-attack; sid:39179; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI graphApi.php command injection attempt"; flow:to_server,established; content:"/graphApi.php"; fast_pattern:only; http_uri; pcre:"/[?&](start|end)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Jun/9; classtype:web-application-attack; sid:39178; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI graphApi.php command injection attempt"; flow:to_server,established; content:"/graphApi.php"; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&](start|end)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Jun/9; classtype:web-application-attack; sid:39177; rev:2;)
# sids 39172, 39171, 39170 - Cisco Video Surveillance Operations Manager read_log.jsp directory
# traversal (CVE-2013-3429, cisco-sa-20130724-vsm). Shipped commented out; "drop" for the
# security policy only.
#   39172  multipart body: a form part named "log" containing ".." followed by "/" or "\".
#   39171  urlencoded body: log= with two dots (literal or %2e) and a slash or backslash
#          (literal or %2f/%5c).
#   39170  normalized URI: log= containing a literal "../".
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Video Surveillance Operations Manager directory traversal attempt"; flow:to_server,established; content:"/BWT/utils/logs/read_log.jsp"; fast_pattern:only; http_uri; content:"log"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?log((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy security-ips drop, service http; reference:cve,2013-3429; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130724-vsm; classtype:web-application-attack; sid:39172; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Video Surveillance Operations Manager directory traversal attempt"; flow:to_server,established; content:"/BWT/utils/logs/read_log.jsp"; fast_pattern:only; http_uri; content:"log="; nocase; http_client_body; pcre:"/(^|&)log=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy security-ips drop, service http; reference:cve,2013-3429; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130724-vsm; classtype:web-application-attack; sid:39171; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Video Surveillance Operations Manager directory traversal attempt"; flow:to_server,established; content:"/BWT/utils/logs/read_log.jsp"; fast_pattern:only; http_uri; content:"log="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]log=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy security-ips drop, service http; reference:cve,2013-3429; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130724-vsm; classtype:web-application-attack; sid:39170; rev:1;)
# sids 39169, 39166 - router password disclosure. Shipped commented out, no policy metadata.
#   39169  Alpha Networks ADSL2/2+: any request for /APIS/returnJSON.htm. The rule has no further
#          condition, and its reference is a bare domain rather than an advisory, so an alert
#          only shows that the page was requested.
#   39166  Asus RT-N56U: /QIS_wizard.htm with flag=detect in the URI (reference: CERT VU#200814).
# Both watch $EXTERNAL_NET -> $HOME_NET, so they are only meaningful where the router's web
# interface is reachable from outside the home network.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Alpha Networks ADSL2/2+ Wireless Router password disclosure attempt"; flow:to_server,established; content:"/APIS/returnJSON.htm"; fast_pattern:only; http_uri; metadata:service http; reference:url,alfa.com; classtype:web-application-attack; sid:39169; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Asus RT-N56U router password disclosure attempt"; flow:to_server,established; content:"/QIS_wizard.htm"; fast_pattern:only; http_uri; content:"flag=detect"; http_uri; metadata:service http; reference:url,kb.cert.org/vuls/id/200814; classtype:web-application-attack; sid:39166; rev:1;)
# sid 39165 - iperf3 heap overflow (CVE-2016-4303). Shipped commented out; "drop" for the security
# and max-detect policies.
# Not an HTTP rule despite living in this category: it inspects the raw TCP payload to port 5201
# and carries no service metadata. It matches a "\u" sequence followed by a double quote within 4
# bytes and then no further double quote in the next 20 bytes. Only port 5201 is covered, so an
# iperf3 server started on another port is outside this rule.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5201 (msg:"SERVER-WEBAPP iperf3 heap overflow remote code execution attempt"; flow:to_server,established; content:"|5C|u"; content:"|22|"; within:4; content:!"|22|"; within:20; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-4303; reference:url,www.talosintel.com/vulnerability-reports; classtype:attempted-user; sid:39165; rev:2;)
# sids 39198, 39197, 39192 - home-router administration abuse. All three watch $HOME_NET ->
# $EXTERNAL_NET, i.e. requests leaving the protected network towards a device outside it.
#   39198  (commented out) D-Link authentication bypass: any request for /tools_admin.cgi; no
#          parameter is checked, so legitimate administration of such a device also matches.
#   39197  (commented out) AirTies RT: login to /cgi-bin/webcm with username=isp and password=isp
#          in the body, the credentials the rule message calls hard-coded.
#   39192  (active; "drop" for balanced, security, max-detect) D-Link DNS change: /Forms/dns_1
#          with Enable_DNSFollowing= and dnsPrimary= in the URI. The rule does not look at which
#          resolver is being set.
# An alert here points at the internal source host as much as at the target; check what on that
# host issued the request.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link authentication bypass attempt"; flow:to_server,established; content:"/tools_admin.cgi"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,45554; classtype:attempted-admin; sid:39198; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AirTies RT hardcoded credentials login attempt"; flow:to_server,established; content:"/cgi-bin/webcm"; http_uri; content:"username=isp"; http_client_body; content:"password=isp"; fast_pattern:only; http_client_body; metadata:service http; reference:url,airties.com; classtype:attempted-admin; sid:39197; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link router unauthorised DNS change attempt"; flow:to_server,established; content:"/Forms/dns_1"; fast_pattern:only; http_uri; content:"Enable_DNSFollowing="; nocase; http_uri; content:"dnsPrimary="; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,theregister.co.uk/2015/02/02/dns_hijack_d_link/; classtype:attempted-admin; sid:39192; rev:2;)
# sid 39268 - Joomla PayPlans (com_payplans) group_id SQL injection. Shipped commented out; "drop"
# for the security and max-detect policies; reference is the extension's changelog, no CVE.
# Fires when the normalized URI has option=com_payplans and a group_id value containing any
# character other than a digit, a space or "&" - a non-numeric-input heuristic, not a match on
# SQL syntax.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla PayPlans Extension com_payplans group_id SQL injection attempt"; flow:to_server,established; content:"option=com_payplans"; fast_pattern:only; http_uri; content:"group_id="; nocase; http_uri; pcre:"/[?&]group_id=[^&]*?[^\d\x20&]/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.readybytes.net/payplans/change-logs; classtype:web-application-attack; sid:39268; rev:2;)
# sids 39325, 39324 - Bomgar Remote Support session_complete PHP object injection
# (CVE-2015-0935). Shipped commented out, no policy metadata.
# Both look for the start of a PHP serialized object, an upper-case "O" followed by ":", in the
# survey parameter; (?-i) keeps the "O" case-sensitive while the parameter name is not.
#   39325  survey in the normalized URI (flag U).
#   39324  survey in a urlencoded body (flag P), accepting ":" or %3a.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Bomgar Remote Support session_complete PHP object injection attempt"; flow:to_server,established; content:"/session_complete"; fast_pattern:only; http_uri; content:"survey="; nocase; http_uri; pcre:"/[?&]survey=[^&]*?(?-i)O\x3a/Ui"; metadata:service http; reference:bugtraq,74460; reference:cve,2015-0935; classtype:web-application-attack; sid:39325; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Bomgar Remote Support session_complete PHP object injection attempt"; flow:to_server,established; content:"/session_complete"; fast_pattern:only; http_uri; content:"survey="; nocase; http_client_body; pcre:"/(^|&)survey=[^&]*?(?-i)O(?i)(\x3a|%3a)/Pim"; metadata:service http; reference:bugtraq,74460; reference:cve,2015-0935; classtype:web-application-attack; sid:39324; rev:1;)
# sids 39340-39331 - SolarWinds SRM Profiler servlet SQL injection (CVE-2016-4350). All ten are
# active in this file and marked "drop" for the connectivity, balanced, security and max-detect
# policies, so in an inline deployment they block under any of those policies.
# Rules come in URI/body pairs per servlet:
#   WindowsEventLogsServlet      39340 (URI)  39339 (body)  winEventSource / winEventId / winEventLog
#   ScriptServlet                39335 (URI)  39338 (body)  ScriptSchedule / state
#   BexDriveUsageSummaryServlet  39337 (URI)  39336 (body)  sortField / sortDirection
#   DuplicateFilesServlet        39334 (URI)  39333 (body)  sortField / sortDirection / fileName
#   BackupExceptionsServlet      39332 (URI)  39331 (body)  group / groupName / clientName
# URI rules (flag U) fire on a quote, double quote, ";", "#", "/*" or "--" in the value; body rules
# (flag P) accept the same characters and their percent-encoded forms.
# These are generic SQL metacharacters: a legitimate file or client name containing an apostrophe
# or "--" will match too, so review hits on fileName, clientName and groupName before assuming an
# attack.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler WindowsEventLogsServlet SQL injection attempt"; flow:to_server,established; content:"/WindowsEventLogsServlet"; fast_pattern:only; http_uri; content:"winEvent"; nocase; http_uri; pcre:"/[?&]winEvent(Source|Id|Log)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:39340; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler WindowsEventLogsServlet SQL injection attempt"; flow:to_server,established; content:"/WindowsEventLogsServlet"; fast_pattern:only; http_uri; content:"winEvent"; nocase; http_client_body; pcre:"/(^|&)winEvent(Source|Id|Log)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:39339; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler ScriptServlet SQL injection attempt"; flow:to_server,established; content:"/ScriptServlet"; fast_pattern:only; http_uri; pcre:"/(^|&)(ScriptSchedule|state)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:39338; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler BexDriveUsageSummaryServlet SQL injection attempt"; flow:to_server,established; content:"/BexDriveUsageSummaryServlet"; fast_pattern:only; http_uri; content:"sort"; nocase; http_uri; pcre:"/[?&]sort(Field|Direction)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:39337; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler BexDriveUsageSummaryServlet SQL injection attempt"; flow:to_server,established; content:"/BexDriveUsageSummaryServlet"; fast_pattern:only; http_uri; content:"sort"; nocase; http_client_body; pcre:"/(^|&)sort(Field|Direction)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:39336; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler ScriptServlet SQL injection attempt"; flow:to_server,established; content:"/ScriptServlet"; fast_pattern:only; http_uri; pcre:"/[?&](ScriptSchedule|state)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:39335; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler DuplicateFilesServlet SQL injection attempt"; flow:to_server,established; content:"/DuplicateFilesServlet"; fast_pattern:only; http_uri; pcre:"/[?&](sortField|sortDirection|fileName)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:39334; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler DuplicateFilesServlet SQL injection attempt"; flow:to_server,established; content:"/DuplicateFilesServlet"; fast_pattern:only; http_uri; pcre:"/(^|&)(sortField|sortDirection|fileName)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:39333; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler BackupExceptionsServlet SQL injection attempt"; flow:to_server,established; content:"/BackupExceptionsServlet"; fast_pattern:only; http_uri; pcre:"/[?&](group|groupName|clientName)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:39332; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler BackupExceptionsServlet SQL injection attempt"; flow:to_server,established; content:"/BackupExceptionsServlet"; fast_pattern:only; http_uri; pcre:"/(^|&)(group|groupName|clientName)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:39331; rev:3;)
# sids 39330, 39329, 39328 - TikiWiki tiki-calendar.php viewmode command injection. Shipped
# commented out; "drop" for the security and max-detect policies; reference is the Tiki security
# announcement, no CVE listed.
#   39330  normalized URI: backtick, ";", "|", or "<(", ">(", "$(" in viewmode.
#   39329  raw URI: URL-encoded ampersand (%26) in viewmode.
#   39328  urlencoded body: the same characters, literal or percent-encoded, including %26.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt"; flow:to_server,established; content:"/tiki-calendar.php"; fast_pattern:only; http_uri; content:"viewmode="; nocase; http_uri; pcre:"/[?&]viewmode=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,tiki.org/article414-important-security-fix-for-all-versions-of-tiki; classtype:web-application-attack; sid:39330; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt"; flow:to_server,established; content:"/tiki-calendar.php"; fast_pattern:only; http_uri; content:"viewmode="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; pcre:"/[?&]viewmode=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,tiki.org/article414-important-security-fix-for-all-versions-of-tiki; classtype:web-application-attack; sid:39329; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt"; flow:to_server,established; content:"/tiki-calendar.php"; fast_pattern:only; http_uri; content:"viewmode="; nocase; http_client_body; pcre:"/(^|&)viewmode=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,tiki.org/article414-important-security-fix-for-all-versions-of-tiki; classtype:web-application-attack; sid:39328; rev:2;)
# sid 39353 - WolfCMS file_manager PHP upload (CVE-2015-6567, CVE-2015-6568). Shipped commented
# out, no policy metadata.
# Detection: a request to /plugin/file_manager/upload whose body contains the two bytes "<?".
# That also matches uploads that merely contain an XML declaration ("<?xml"), and binary data can
# contain the pair by chance, so verify the stored file on the server when triaging.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WolfCMS file_manager arbitrary PHP file upload attempt"; flow:to_server,established; content:"/plugin/file_manager/upload"; fast_pattern:only; http_uri; content:"<?"; http_client_body; metadata:service http; reference:cve,2015-6567; reference:cve,2015-6568; reference:url,www.wolfcms.org/blog/2015/08/10/releasing-wolf-cms-0-8-3-1.html; classtype:attempted-admin; sid:39353; rev:1;)
# sids 39352, 39351 - SAP NetWeaver CrashFileDownloadServlet directory traversal (CVE-2016-3976,
# SAP note 2234971). Shipped commented out, no policy metadata.
#   39352  normalized URI: fileName containing a literal "../".
#   39351  urlencoded body: fileName with two dots (literal or %2e) and a slash or backslash
#          (literal or %2f/%5c).
# No multipart-body variant for this servlet appears next to these two rules.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SAP NetWeaver CrashFileDownloadServlet directory traversal attempt"; flow:to_server,established; content:"/CrashFileDownloadServlet"; fast_pattern:only; http_uri; content:"fileName="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]fileName=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:cve,2016-3976; reference:url,service.sap.com/sap/support/notes/2234971; classtype:web-application-attack; sid:39352; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SAP NetWeaver CrashFileDownloadServlet directory traversal attempt"; flow:to_server,established; content:"/CrashFileDownloadServlet"; fast_pattern:only; http_uri; content:"fileName="; nocase; http_client_body; pcre:"/(^|&)fileName=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:cve,2016-3976; reference:url,service.sap.com/sap/support/notes/2234971; classtype:web-application-attack; sid:39351; rev:1;)
# WordPress Mobile Detector plugin, remote file upload (sids 39350 and 39349, both enabled,
# drop in the balanced, security and max-detect policies).
# Both select on the plugin path in the URI and fire when the src parameter contains "http"
# or "ftp": 39350 reads the normalized URI and also needs ":/" somewhere in it, 39349 reads
# the request body. The pcre accepts those letters anywhere in the value, so in 39349 a
# benign src value that merely contains "http" or "ftp" also matches.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress Mobile Detector Plugin remote file upload attempt"; flow:to_server,established; content:"/wp-content/plugins/wp-mobile-detector"; fast_pattern:only; http_uri; content:"src="; nocase; http_uri; content:"|3A|/"; http_uri; pcre:"/[?&]src=[^&]*?(http|ftp)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,wordpress.org/plugins/wp-mobile-detector/changelog; classtype:web-application-attack; sid:39350; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress Mobile Detector Plugin remote file upload attempt"; flow:to_server,established; content:"/wp-content/plugins/wp-mobile-detector"; fast_pattern:only; http_uri; content:"src="; nocase; http_client_body; pcre:"/(^|&)src=[^&]*?(http|ftp)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,wordpress.org/plugins/wp-mobile-detector/changelog; classtype:web-application-attack; sid:39349; rev:2;)
# NOTE(review): sid 39348 has a single condition, "/servlet/" anywhere in the URI, so it
# fires on ordinary servlet traffic as well as on CVE-2010-5326 probes. It is disabled in
# this file; before enabling it, narrow the destination to the SAP hosts or pair it with a
# threshold or suppression entry.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SAP servlet authentication bypass attempt"; flow:to_server,established; content:"/servlet/"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2010-5326; classtype:attempted-admin; sid:39348; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Riverbed SteelCentral NetProfiler popup.php command injection attempt"; flow:to_server,established; content:"/popup.php"; fast_pattern:only; http_uri; content:"page="; nocase; http_uri; pcre:"/[?&](device|query)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:service http; reference:url,seclists.org/fulldisclosure/2016/Jun/68; classtype:web-application-attack; sid:39366; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Riverbed SteelCentral NetProfiler popup.php command injection attempt"; flow:to_server,established; content:"/popup.php"; fast_pattern:only; http_uri; content:"page="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&](device|query)=[^&]*?%26/Ii"; metadata:service http; reference:url,seclists.org/fulldisclosure/2016/Jun/68; classtype:web-application-attack; sid:39365; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Riverbed SteelCentral NetProfiler index.php command injection attempt"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"xjxargs"; fast_pattern:only; http_client_body; pcre:"/(^|&)xjxargs(\x5b|%5b)(\x5d|%5d)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:service http; reference:url,seclists.org/fulldisclosure/2016/Jun/68; classtype:web-application-attack; sid:39364; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Riverbed SteelCentral NetProfiler index.php command injection attempt"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"setup"; nocase; http_client_body; content:"network"; within:10; fast_pattern; nocase; http_client_body; content:"hostname"; within:11; nocase; http_client_body; pcre:"/(^|&)Setup(\x2f|%2f)setup(\x2f|%2f)network(\x5f|%5f)hostname=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:service http; reference:url,seclists.org/fulldisclosure/2016/Jun/68; classtype:web-application-attack; sid:39363; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Ninja Forms nf_async_upload arbitrary PHP file upload attempt"; flow:to_server,established; content:"/wp-admin/admin-ajax.php"; nocase; http_uri; content:"nf_async_upload"; fast_pattern:only; http_client_body; content:"<?"; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-1209; classtype:attempted-admin; sid:39359; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco DPC2420 router configuration file access attempt"; flow:to_server,established; content:"/filename.gwc"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.cisco.com/web/consumer/support/modem_DPC2420.html; classtype:attempted-recon; sid:39358; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WANem WAN emulator command injection attempt"; flow:to_server,established; content:"/WANem/result.php"; fast_pattern:only; http_uri; content:"pc"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?pc((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|\x24\x28)/Psim"; metadata:service http; reference:url,itsecuritysolutions.org/2012-08-12-WANem-v2.3-multiple-vulnerabilities; classtype:web-application-attack; sid:39415; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WANem WAN emulator command injection attempt"; flow:to_server,established; content:"/WANem/result.php"; fast_pattern:only; http_uri; content:"pc="; nocase; http_client_body; pcre:"/(^|&)pc=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pim"; metadata:service http; reference:url,itsecuritysolutions.org/2012-08-12-WANem-v2.3-multiple-vulnerabilities; classtype:web-application-attack; sid:39414; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WANem WAN emulator command injection attempt"; flow:to_server,established; content:"/WANem/result.php"; fast_pattern:only; http_uri; content:"pc="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; pcre:"/[?&]pc=[^&]*?%26/Ii"; metadata:service http; reference:url,itsecuritysolutions.org/2012-08-12-WANem-v2.3-multiple-vulnerabilities; classtype:web-application-attack; sid:39413; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WANem WAN emulator command injection attempt"; flow:to_server,established; content:"/WANem/result.php"; fast_pattern:only; http_uri; content:"pc="; nocase; http_uri; pcre:"/[?&]pc=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:service http; reference:url,itsecuritysolutions.org/2012-08-12-WANem-v2.3-multiple-vulnerabilities; classtype:web-application-attack; sid:39412; rev:1;)
# Symantec Decomposer Engine Dec2LHA overflow, CVE-2016-2210 (sids 39401 and 39400, both
# enabled). These are file-content signatures: the same 32-byte pattern is searched in
# file_data, once for mail sent to $SMTP_SERVERS on port 25 and once for files returned to
# clients from $FILE_DATA_PORTS (ftp-data, http, imap, pop3).
# NOTE(review): coverage presumably depends on the preprocessors that populate file_data
# for those services being enabled on the sensor; verify in snort.conf.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP Symantec Decomposer Engine Dec2LHA buffer overflow attempt"; flow:to_server,established; file_data; content:"|69 5D E6 5A 5D EE 11 91 C9 06 7D 3D 30 A3 68 B5 79 5A A4 B1 6D 2A B5 0B 69 6B 15 12 4C 30 64 E1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-2210; classtype:attempted-user; sid:39401; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Symantec Decomposer Engine Dec2LHA buffer overflow attempt"; flow:to_client,established; file_data; content:"|69 5D E6 5A 5D EE 11 91 C9 06 7D 3D 30 A3 68 B5 79 5A A4 B1 6D 2A B5 0B 69 6B 15 12 4C 30 64 E1|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-2210; classtype:attempted-user; sid:39400; rev:2;)
# Symantec SEPM reporting console on TCP 8445: open redirect in externalurl.php (sid 39399,
# disabled here) and XSS through the height parameter of notificationpopup.php (sid 39398,
# enabled). Neither rule uses an http_* buffer, so both match on the raw TCP payload.
# NOTE(review): if the console on 8445 is served over TLS, these rules only see the request
# where traffic is decrypted ahead of the sensor; confirm the deployment before counting
# on them. The XSS pcre also matches the bare words "script", "onload" and "src" in the value.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8445 (msg:"SERVER-WEBAPP Symantec open redirect in external URL .php script attempt"; flow:to_server,established; content:"/Reporting/common/externalurl.php?"; fast_pattern:only; content:"url="; nocase; pcre:"/[?&]url=[^&]*?(http|ftp)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-5304; reference:url,hyp3rlinx.altervista.org/advisories/SYMANTEC-SEPM-MULTIPLE-VULNS.txt; classtype:web-application-attack; sid:39399; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8445 (msg:"SERVER-WEBAPP Symantec SEPM management console cross site scripting attempt"; flow:to_server,established; content:"/Reporting/Admin/notificationpopup.php"; fast_pattern:only; content:"height="; nocase; pcre:"/[?&]height=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|%22|%27|%3c|%3e|%28|%29|script|onload|src)/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,91444; reference:cve,2016-3652; classtype:attempted-user; sid:39398; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IntegraXOR SQL injection attempt"; flow:to_server,established; content:"/demo/getData"; fast_pattern:only; http_uri; content:"function="; nocase; http_uri; pcre:"/[?&]function=[^&]*?\x3b/Ui"; metadata:service http; reference:cve,2016-2301; classtype:web-application-attack; sid:39390; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wintr SQL injection attempt"; flow:to_server,established; content:"/demo_htm/tag.asp"; fast_pattern:only; http_uri; content:"q="; nocase; http_uri; pcre:"/[?&]q=[^&]*?[\x3b\x2a\x2f]/Ui"; metadata:service http; reference:url,fultek.com.tr; classtype:web-application-attack; sid:39389; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ICSCADA SQL injection attempt"; flow:to_server,established; content:"/outlaw/"; fast_pattern:only; http_uri; pcre:"/(^|&)(user|password)=[^&]*?(\x25|%25)/Pim"; metadata:service http; classtype:web-application-attack; sid:39388; rev:1;)
# alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DAP-1160 authentication bypass attempt"; flow:to_server,established; content:"/tools_firmw.htm"; depth:16; nocase; http_uri; urilen:16,norm; metadata:policy max-detect-ips drop, service http; reference:bugtraq,41187; classtype:attempted-admin; sid:39387; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle E-Business Suite Arbitrary Document Download attempt"; flow:to_server,established; content:"/pls/"; http_uri; content:"/ADI_display_report.DisplayFile?"; fast_pattern:only; http_uri; content:"P_DOCID="; http_uri; metadata:service http; reference:bugtraq,23532; reference:cve,2007-2135; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html; classtype:web-application-attack; sid:39442; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech SQL injection attempt"; flow:to_server,established; content:"/broadweb/system/bwview.asp"; fast_pattern:only; http_uri; pcre:"/[?&](pos|proj|node)=[^&]*?[\x27\x22\x3b]/Ui"; metadata:service http; reference:url,advantech.com; classtype:web-application-attack; sid:39437; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Soitec Smart Energy SQL injection attempt"; flow:to_server,established; content:"/scada/login"; fast_pattern:only; http_uri; pcre:"/(^|&)(login|password)=[^&]*?([\x27\x22\x3b]|%27|%22|%3b)/Pim"; metadata:service http; reference:url,soitec.com; classtype:web-application-attack; sid:39436; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech SQL injection attempt"; flow:to_server,established; content:"/broadweb/user/signin.asp"; fast_pattern:only; http_uri; pcre:"/(^|&)(page|password|username)=[^&]*?([\x22\x3b\x27]|%22|%3b|%27)/Pim"; metadata:service http; reference:url,advantech.com; classtype:web-application-attack; sid:39435; rev:1;)
# NOTE(review): sids 39462, 39461 and 39460 (all disabled here) end their pcre with the
# character class [\x31\x25\x33\x44\x32\x25], which matches any single one of "1", "%",
# "3", "D" or "2". Read in order the bytes spell "1%3D2%", so a literal sequence may have
# been intended; confirm against the upstream rule. As written, nearly any p_where value
# containing one of those characters matches, so expect false positives if these are
# enabled without tuning.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle E-Business Suite SQL injection attempt"; flow:to_server,established; content:"/pls/"; http_uri; content:"/ICXSUPWF.DisplayContacts?"; fast_pattern:only; http_uri; content:"p_where="; nocase; http_client_body; pcre:"/(^|&)p_where=[^&]*?([\x31\x25\x33\x44\x32\x25]|%31|%25|%33|%44|%32|%25)/Pim"; metadata:service http; reference:bugtraq,23532; reference:cve,2007-2126; classtype:web-application-attack; sid:39462; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle E-Business Suite SQL injection attempt"; flow:to_server,established; content:"/pls/"; http_uri; content:"/ICXSUPWF.DisplayContacts?"; fast_pattern:only; http_uri; content:"p_where="; nocase; http_uri; pcre:"/[?&]p_where=[^&]*?[\x31\x25\x33\x44\x32\x25]/Ui"; metadata:service http; reference:bugtraq,23532; reference:cve,2007-2126; classtype:web-application-attack; sid:39461; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle E-Business Suite SQL injection attempt"; flow:to_server,established; content:"/pls/"; http_uri; content:"/ICXSUPWF.DisplayContacts?"; fast_pattern:only; http_uri; content:"p_where"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?p_where((?!^--).)*?[\r\n]{2,}((?!^--).)*?[\x31\x25\x33\x44\x32\x25]/Psim"; metadata:service http; reference:bugtraq,23532; reference:cve,2007-2126; classtype:web-application-attack; sid:39460; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"SERVER-WEBAPP Oracle Web Cache HTTP header null byte injection attempt"; flow:to_server,established; content:"Header: |00|"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,9868; reference:cve,2004-0385; classtype:web-application-attack; sid:39459; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NAS4Free txtPHPCommand remote code execution attempt"; flow:to_server,established; content:"/exec.php"; nocase; http_uri; content:"txtPHPCommand"; fast_pattern:only; http_client_body; content:"<?"; http_client_body; metadata:service http; reference:bugtraq,63448; reference:cve,2013-3631; reference:url,www.kb.cert.org/vuls/id/326830; classtype:attempted-admin; sid:39456; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ACTi ASOC command injection attempt"; flow:to_server,established; content:"/cgi-bin/test"; fast_pattern:only; http_uri; content:"iperf="; nocase; http_uri; pcre:"/[?&]iperf=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploit-db.com/exploits/16993/; classtype:web-application-attack; sid:39471; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ACTi ASOC command injection attempt"; flow:to_server,established; content:"/cgi-bin/test"; fast_pattern:only; http_uri; content:"iperf="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; pcre:"/[?&]iperf=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploit-db.com/exploits/16993/; classtype:web-application-attack; sid:39470; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ACTi ASOC command injection attempt"; flow:to_server,established; content:"/cgi-bin/test"; fast_pattern:only; http_uri; content:"iperf="; nocase; http_client_body; pcre:"/(^|&)iperf=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploit-db.com/exploits/16993/; classtype:web-application-attack; sid:39469; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ACTi ASOC command injection attempt"; flow:to_server,established; content:"/cgi-bin/test"; fast_pattern:only; http_uri; content:"iperf"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?iperf((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|\x24\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploit-db.com/exploits/16993/; classtype:web-application-attack; sid:39468; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Riverbed SteelCentral NetProfiler port_config SQL injection attempt"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"PortsSelectControl"; fast_pattern:only; http_client_body; pcre:"/(^|&)PortsSelectControl(\x2f|%2f)ports(\x5f|%5f)config(\x2f|%2f)port(\x5f|%5f)(names|numbers|proto)=[^&]*?([\x27\x28\x29\x3b]|%27|%28|%29|%3b)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Jun/68; classtype:web-application-attack; sid:39477; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Riverbed SteelCentral NetProfiler export_report SQL injection attempt"; flow:to_server,established; content:"/popup.php"; nocase; http_uri; content:"page=export_report"; fast_pattern:only; http_uri; content:"report_id="; nocase; http_uri; pcre:"/[?&]report_id=[^&]*?[^\d\x20&]/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Jun/68; classtype:web-application-attack; sid:39476; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Riverbed SteelCentral NetProfiler algorithm_settings SQL injection attempt"; flow:to_server,established; content:"/popup.php"; nocase; http_uri; content:"page=algorithm_settings"; fast_pattern:only; http_uri; content:"id="; nocase; http_uri; pcre:"/[?&]id=[^&]*?[^\d\x20&]/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Jun/68; classtype:web-application-attack; sid:39475; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Riverbed SteelCentral NetProfiler REST API login SQL injection attempt"; flow:to_server,established; content:"/api/common/1.0/login"; fast_pattern:only; http_uri; content:"|22|username|22|"; nocase; http_client_body; pcre:"/\x22username\x22[\s\r\n]*\x3a[\s\r\n]*\x22[^\x22]*?[\x27\x3b]/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Jun/68; classtype:web-application-attack; sid:39474; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Shopware getTemplateName directory traversal attempt"; flow:to_server,established; content:"/backend/"; depth:9; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]f(ile)?=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,97979; reference:cve,2016-3109; reference:url,github.com/shopware/shopware/commit/d73e9031a5b2ab6e918eb86d1e2b; classtype:web-application-attack; sid:39473; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Invision Power Board index.php content_class PHP code injection attempt"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"module=system"; nocase; http_uri; content:"controller=content"; fast_pattern:only; http_uri; content:"content_class="; nocase; http_uri; pcre:"/[?&]content_class=[^&]*?\x3b/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6174; reference:url,seclists.org/fulldisclosure/2016/Jul/19; classtype:web-application-attack; sid:39562; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TikiWiki elFinder component arbitrary PHP file upload attempt"; flow:to_server,established; content:"/vendor_extra/elfinder/php"; fast_pattern:only; http_uri; content:"<?"; http_client_body; metadata:service http; reference:url,tiki.org/article434-security-update-tiki-15-2-tiki-14-4-and-tiki-12-9-released; classtype:attempted-admin; sid:39590; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP WebNMS Framework arbitrary file upload attempt"; flow:to_server,established; content:"/servlets/FileUploadServlet"; fast_pattern:only; nocase; http_uri; content:"fileName="; nocase; http_uri; content:"../jsp/WebStart"; nocase; http_uri; content:".jsp"; nocase; http_uri; pcre:"/\x2e\x2e[\x2f\x5c]jsp[\x2f\x5c]WebStart[^&?].*?\x2Ejsp/iU"; metadata:policy max-detect-ips drop, service http; reference:url,packetstormsecurity.com/files/138324/WebNMS-Framework-Server-5.2-Arbitrary-File-Upload.html; classtype:attempted-admin; sid:39589; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP WebNMS Framework arbitrary file upload attempt"; flow:to_server,established; content:"/servlets/FileUploadServlet"; fast_pattern:only; nocase; http_uri; content:"fileName="; nocase; http_uri; content:"../jsp/Login.jsp"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:url,blogs.securiteam.com/index.php/archives/2712; classtype:attempted-admin; sid:39588; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Google Chromecast factory reset attempt"; flow:to_server,established; content:"/setup/reboot"; fast_pattern:only; http_uri; content:"{|22|params|22|:"; http_client_body; content:"|22|fdr|22|}"; http_client_body; metadata:service http; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/chromecast/chromecast_reset.rb; classtype:attempted-dos; sid:39585; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP phar extension remote code execution attempt"; flow:to_server,established; file_data; content:"filename="; http_client_body; content:"|00|"; within:60; http_client_body; content:".phar"; within:60; http_client_body; metadata:service http; reference:cve,2016-4072; reference:url,bugs.php.net/bug.php?id=71860; reference:url,php.net/ChangeLog-7.php; classtype:attempted-user; sid:39662; rev:2;)
# Drupal Coder module, remote file deserialization (sid 39645, enabled). Fires when the URI
# contains /coder_upgrade.run.php, "file=" and ":/". The three contents carry no distance or
# within modifier, so ":/" is not required to sit inside the file= value.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Drupal Coder Module insecure remote file deserialization attempt"; flow:to_server,established; content:"/coder_upgrade.run.php"; fast_pattern:only; http_uri; content:"file="; nocase; http_uri; content:"|3A|/"; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.drupal.org/node/2765575; classtype:web-application-attack; sid:39645; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP WebNMS framework server credential disclosure attempt"; flow:to_server,established; content:"/servlets/FetchFile"; fast_pattern:only; nocase; http_uri; content:"fileName="; nocase; http_uri; content:"conf/securitydbData.xml"; nocase; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1003; reference:url,attack.mitre.org/techniques/T1081; reference:url,attack.mitre.org/techniques/T1214; reference:url,blogs.securiteam.com/index.php/archives/2712; classtype:attempted-admin; sid:39642; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP WebNMS Framework directory traversal attempt"; flow:to_server,established; content:"/servlets/FetchFile"; fast_pattern:only; http_uri; content:"fileName"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?fileName((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blogs.securiteam.com/index.php/archives/2712; classtype:attempted-admin; sid:39641; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP WebNMS Framework directory traversal attempt"; flow:to_server,established; content:"/servlets/FetchFile"; fast_pattern:only; http_uri; content:"fileName="; nocase; http_client_body; pcre:"/(^|&)fileName=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blogs.securiteam.com/index.php/archives/2712; classtype:attempted-admin; sid:39640; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP WebNMS Framework directory traversal attempt"; flow:to_server,established; content:"/servlets/FetchFile"; fast_pattern:only; http_uri; content:"fileName="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]fileName=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blogs.securiteam.com/index.php/archives/2712; classtype:attempted-admin; sid:39639; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP InBoundio Marketing for Wordpress plugin PHP file upload attempt"; flow:to_server,established; content:"/wp-content/plugins/inboundio-marketing/admin/partials/csv_uploader.php"; fast_pattern:only; http_uri; content:"<?"; http_client_body; metadata:service http; reference:url,inboundio.com/tools; classtype:attempted-admin; sid:39733; rev:1;)
# Drupal RESTWS restws_page_callback (sids 39726 and 39725, both enabled). Each pcre requires
# a PHP execution function name (eval, exec, system, passthru, ...) as its own path segment
# after taxonomy_term/, taxonomy_vocabulary/ or file/, with at most one segment in between.
# NOTE(review): the only content in 39725 is the five-byte fast pattern "file/", which is
# likely to appear in many URIs, so the pcre will be evaluated often; watch rule profiling
# on busy web segments.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt"; flow:to_server,established; content:"taxonomy_"; fast_pattern:only; http_uri; pcre:"/[=\x2f]taxonomy_(term|vocabulary)\x2f([^\x2f]*?\x2f)?(eval|exec|shell_exec|pcntl_exec|system|passthru|proc_open|popen)\x2f/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.drupal.org/node/2765567; classtype:attempted-admin; sid:39726; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt"; flow:to_server,established; content:"file/"; fast_pattern:only; http_uri; pcre:"/[=\x2f]file\x2f([^\x2f]*?\x2f)?(eval|exec|shell_exec|pcntl_exec|system|passthru|proc_open|popen)\x2f/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.drupal.org/node/2765567; classtype:attempted-admin; sid:39725; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpFileManager command injection attempt"; flow:to_server,established; content:"/phpFileManager-0.9.8/index.php"; fast_pattern:only; http_uri; content:"cmd"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?cmd((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|\x24\x28)/Psim"; metadata:service http; reference:url,phpfm.sourceforge.net/; classtype:web-application-attack; sid:39717; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpFileManager command injection attempt"; flow:to_server,established; content:"/phpFileManager-0.9.8/index.php"; fast_pattern:only; http_uri; content:"cmd="; nocase; http_client_body; pcre:"/(^|&)cmd=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pim"; metadata:service http; reference:url,phpfm.sourceforge.net/; classtype:web-application-attack; sid:39716; rev:1;)
# NOTE(review): sid 39715 anchors on "cmd=" followed by "%26" in the raw URI, but its pcre
# tests the action parameter ([?&]action=...%26), not cmd. The other phpFileManager rules in
# this file (sids 39714, 39716, 39717) all test cmd, so this looks like a parameter-name
# mismatch that would miss an encoded "&" in cmd unless action also carries one. Confirm
# against the upstream rule before enabling.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpFileManager command injection attempt"; flow:to_server,established; content:"/phpFileManager-0.9.8/index.php"; fast_pattern:only; http_uri; content:"cmd="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; pcre:"/[?&]action=[^&]*?%26/Ii"; metadata:service http; reference:url,phpfm.sourceforge.net/; classtype:web-application-attack; sid:39715; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpFileManager command injection attempt"; flow:to_server,established; content:"/phpFileManager-0.9.8/index.php"; fast_pattern:only; http_uri; content:"cmd="; nocase; http_uri; pcre:"/[?&]cmd=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:service http; reference:url,exploit-db.com/exploits/37709; classtype:web-application-attack; sid:39714; rev:1;)
# Dell SonicWall GMS XML-RPC command injection: set_time_config (sid 39743, enabled, any
# destination port) and set_dns (sid 39742, disabled here, port 21009). Both match on the raw
# payload: "<methodName", the method name, and a <string> element whose text contains a
# backtick, ";", "|", "&" or "$(".
# NOTE(review): the pcre is not tied to the position of the method name and its class
# includes "&", so any <string> in the same payload that holds an XML entity such as "&amp;"
# satisfies it. With destination port "any" and a drop policy on 39743, review alerts for
# false positives against legitimate XML-RPC clients.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-WEBAPP Dell SonicWall GMS set_time_config XMLRPC method command injection attempt"; flow:to_server,established; content:"<methodName"; nocase; content:"set_time_config"; fast_pattern:only; content:"<string"; nocase; pcre:"/<string[^>]*?>[^<]*?([\x60\x3b\x7c\x26]|\x24\x28)/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9866; reference:url,support.software.dell.com/product-notification/207447; classtype:web-application-attack; sid:39743; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21009 (msg:"SERVER-WEBAPP Dell SonicWall GMS set_dns XMLRPC method command injection attempt"; flow:to_server,established; content:"<methodName"; nocase; content:"set_dns"; fast_pattern:only; content:"<string"; nocase; pcre:"/<string[^>]*?>[^<]*?([\x60\x3b\x7c\x26]|\x24\x28)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,support.software.dell.com/product-notification/207447; classtype:web-application-attack; sid:39742; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HttpOxy CGI application vulnerability potential man-in-the-middle attempt"; flow:to_server,established; content:"|0A|Proxy|3A|"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2016-5385; reference:cve,2016-5386; reference:cve,2016-5387; reference:cve,2016-5388; reference:url,httpoxy.org; classtype:web-application-attack; sid:39737; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-WEBAPP GoAhead Embedded Web Server directory traversal attempt"; flow:to_server,established; content:"../../../"; fast_pattern:only; pcre:"/(\.\.\/){3}(\.[^.]\/){3}/I"; metadata:service http; reference:cve,2014-9707; reference:url,packetstormsecurity.com/files/131156/GoAhead-3.4.1-Heap-Overflow-Traversal.html; classtype:attempted-admin; sid:39770; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ruby on Rails ActionPack inline content rendering code injection attempt"; flow:to_server,established; content:"|22|inline|22|"; nocase; http_client_body; content:"%="; distance:0; http_client_body; pcre:"/\x22inline\x22\s*\x3A\s*\x22[^\x22]*?(\x5Cu003c|<)%=/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-2098; classtype:web-application-attack; sid:39765; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt"; flow:to_server,established; content:"/ccca_ajaxhandler.php"; fast_pattern:only; http_uri; pcre:"/(^|&)(host|apikey|enable)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6266; classtype:web-application-attack; sid:39850; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt"; flow:to_server,established; content:"/ccca_ajaxhandler.php"; fast_pattern:only; http_uri; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?(host|apikey|enable)((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6266; classtype:web-application-attack; sid:39849; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear ReadyNAS Surveillance handle_daylightsaving command injection attempt"; flow:to_server,established; content:"/handle_daylightsaving.php"; fast_pattern:only; http_uri; content:"NTPServer="; nocase; http_uri; pcre:"/[?&]NTPServer=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-5675; reference:url,www.kb.cert.org/vuls/id/856152; classtype:web-application-attack; sid:39848; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear ReadyNAS Surveillance handle_daylightsaving command injection attempt"; flow:to_server,established; content:"/handle_daylightsaving.php"; fast_pattern:only; http_uri; content:"NTPServer="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]NTPServer=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-5675; reference:url,www.kb.cert.org/vuls/id/856152; classtype:web-application-attack; sid:39847; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear ReadyNAS Surveillance debugging_center_utils command injection attempt"; flow:to_server,established; content:"__debugging_center_utils___.php"; fast_pattern:only; http_uri; content:"log="; nocase; http_uri; pcre:"/[?&]log=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-5674; reference:url,www.kb.cert.org/vuls/id/856152; classtype:web-application-attack; sid:39846; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear ReadyNAS Surveillance debugging_center_utils command injection attempt"; flow:to_server,established; content:"__debugging_center_utils___.php"; fast_pattern:only; http_uri; content:"log="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]log=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-5674; reference:url,www.kb.cert.org/vuls/id/856152; classtype:web-application-attack; sid:39845; rev:2;)
# sid 39930 (enabled): request whose normalized URI contains /cgi-bin/readfile.cgi and query=ADMINID (case-insensitive).
# Only the client-to-server request is inspected, so an alert shows the request was seen, not that credentials were returned.
# Metadata sets the action to drop under the balanced-ips, max-detect-ips and security-ips policies.
# NOTE(review): T1081 and T1214 appear to be pre-sub-technique ATT&CK IDs (now under T1552); confirm before using them in alert enrichment.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Siemens IP-Camera credential disclosure attempt"; flow:to_server,established; content:"/cgi-bin/readfile.cgi"; fast_pattern:only; http_uri; content:"query=ADMINID"; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1003; reference:url,attack.mitre.org/techniques/T1081; reference:url,attack.mitre.org/techniques/T1214; reference:url,www.exploit-db.com/exploits/40260/; classtype:attempted-admin; sid:39925; rev:3;)
# sid 39925 (enabled): request body containing pingback.ping and a "://" that is followed by a digit plus 500 more
# digits/dots, with no "/" in the 500 bytes after "://" -- i.e. an over-long numeric host in the pingback URL (CVE-2015-0235).
# Metadata sets the action to drop under the balanced-ips, max-detect-ips and security-ips policies.
# NOTE(review): the URI literal is "/xml-rpc.php", while stock WordPress serves XML-RPC at xmlrpc.php; check this string
# against the upstream rule, because as written it may never match a default install.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress pingback gethostbyname heap buffer overflow attempt"; flow:to_server,established; content:"/xml-rpc.php"; fast_pattern:only; http_uri; content:"pingback.ping"; nocase; http_client_body; content:"://"; http_client_body; isdataat:500,relative; content:!"/"; within:500; http_client_body; pcre:"/\x3a\x2f\x2f\d[\d\x2e]{500}/P"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72325; reference:cve,2015-0235; reference:url,openwall.com/lists/oss-security/2015/01/27/9; classtype:web-application-attack; sid:39925; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Smart Protection Server admin_notification.php command injection attempt"; flow:to_server,established; content:"/admin_notification.php"; fast_pattern:only; http_uri; content:"spare_"; nocase; http_client_body; pcre:"/(^|&)spare_(Community|AllowGroupIP|AllowGroupNetmask)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6267; classtype:web-application-attack; sid:39913; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Smart Protection Server admin_notification.php command injection attempt"; flow:to_server,established; content:"/admin_notification.php"; fast_pattern:only; http_uri; content:"spare_"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?spare_(Community|AllowGroupIP|AllowGroupNetmask)((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6267; classtype:web-application-attack; sid:39912; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt"; flow:to_server,established; content:"/admin/ajax.php"; fast_pattern:only; http_uri; content:"recordings"; nocase; content:"file"; nocase; http_uri; pcre:"/[?&]file(name)?=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,issues.freepbx.org/browse/FREEPBX-12908; classtype:web-application-attack; sid:39945; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt"; flow:to_server,established; content:"/admin/ajax.php"; fast_pattern:only; http_uri; content:"recordings"; nocase; content:"file"; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]file(name)?=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,issues.freepbx.org/browse/FREEPBX-12908; classtype:web-application-attack; sid:39944; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt"; flow:to_server,established; content:"/admin/ajax.php"; fast_pattern:only; http_uri; content:"recordings"; nocase; content:"file"; nocase; http_client_body; pcre:"/(^|&)file(name)?=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,issues.freepbx.org/browse/FREEPBX-12908; classtype:web-application-attack; sid:39943; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FreePBX Recordings Module ajax.php command injection attempt"; flow:to_server,established; content:"/admin/ajax.php"; fast_pattern:only; http_uri; content:"recordings"; nocase; content:"file"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?file(name)?((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,issues.freepbx.org/browse/FREEPBX-12908; classtype:web-application-attack; sid:39942; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear ReadyNAS Surveillance cgi_main stack buffer overflow attempt"; flow:to_server,established; urilen:>128,norm; content:"/cgi-bin/cgi_main"; nocase; http_uri; content:"transfer_license"; fast_pattern:only; content:"sn="; nocase; http_uri; pcre:"/[?&]sn=[^&]{129}/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-5680; reference:url,www.kb.cert.org/vuls/id/856152; classtype:attempted-admin; sid:39982; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear ReadyNAS Surveillance cgi_main stack buffer overflow attempt"; flow:to_server,established; content:"/cgi-bin/cgi_main"; nocase; http_uri; content:"transfer_license"; fast_pattern:only; content:"sn="; nocase; http_client_body; pcre:"/(^|&)sn=[^&]{129}/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-5680; reference:url,www.kb.cert.org/vuls/id/856152; classtype:attempted-admin; sid:39981; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear ReadyNAS Surveillance cgi_main command injection attempt"; flow:to_server,established; content:"/cgi-bin/cgi_main"; nocase; http_uri; content:"transfer_license"; fast_pattern:only; content:"sn="; nocase; http_uri; pcre:"/[?&]sn=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-5679; reference:url,www.kb.cert.org/vuls/id/856152; classtype:attempted-admin; sid:39980; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear ReadyNAS Surveillance cgi_main command injection attempt"; flow:to_server,established; content:"/cgi-bin/cgi_main"; nocase; http_uri; content:"transfer_license"; fast_pattern:only; content:"sn="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]sn=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-5679; reference:url,www.kb.cert.org/vuls/id/856152; classtype:attempted-admin; sid:39979; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear ReadyNAS Surveillance cgi_main command injection attempt"; flow:to_server,established; content:"/cgi-bin/cgi_main"; nocase; http_uri; content:"transfer_license"; fast_pattern:only; content:"sn="; nocase; http_client_body; pcre:"/(^|&)sn=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/OPim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-5679; reference:url,www.kb.cert.org/vuls/id/856152; classtype:attempted-admin; sid:39978; rev:2;)
# sid 40047 (enabled): request to /goform/formSetLanguage whose body has "webpage=" followed by at least 64 bytes
# with no "&" among them, i.e. a webpage value of 64 bytes or more. Length is the only signal; the value's content is not inspected.
# The source is "any any" rather than $EXTERNAL_NET, so requests originating inside $HOME_NET are matched as well.
# Metadata sets the action to drop under the balanced-ips, max-detect-ips and security-ips policies.
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin F9K1122 webpage buffer overflow attempt"; flow:to_server,established; content:"/goform/formSetLanguage"; fast_pattern:only; http_uri; content:"webpage="; http_client_body; isdataat:64,relative; content:!"&"; within:64; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploit-db.com/exploits/40332/; classtype:attempted-user; sid:40047; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Meinberg LANTIME NTP appliance stack buffer overflow attempt"; flow:to_server,established; content:"/cgi-bin/main"; fast_pattern:only; http_uri; content:"name=|22|button|22|"; nocase; http_client_body; isdataat:500,relative; content:!"-"; within:500; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-3962; reference:url,ics-cert.us-cert.gov/advisories/ICSA-16-175-03; classtype:web-application-attack; sid:40042; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Meinberg LANTIME NTP appliance stack buffer overflow attempt"; flow:to_server,established; content:"/cgi-bin/main"; fast_pattern:only; http_uri; content:"button="; nocase; http_client_body; isdataat:500,relative; content:!"&"; within:500; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-3962; reference:url,ics-cert.us-cert.gov/advisories/ICSA-16-175-03; classtype:web-application-attack; sid:40041; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FreePBX config.php unauthenticated SQL injection attempt"; flow:to_server,established; content:"/admin/config.php"; fast_pattern:only; http_uri; content:"display="; nocase; http_uri; pcre:"/[?&]display=[^&]*?\x22/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,issues.freepbx.org/browse/FREEPBX-11252; classtype:web-application-attack; sid:40040; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FreePBX config.php unauthenticated SQL injection attempt"; flow:to_server,established; content:"/admin/config.php"; fast_pattern:only; http_uri; content:"display="; nocase; http_client_body; pcre:"/(^|&)display=[^&]*?(\x22|%22)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,issues.freepbx.org/browse/FREEPBX-11252; classtype:web-application-attack; sid:40039; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP unserialize var_hash use-after-free attempt"; flow:to_server,established; file_data; content:"session.serialize_handler"; fast_pattern:only; content:"xi:"; content:"session_decode"; within:75; nocase; content:"unserialize"; nocase; content:"unset"; within:75; nocase; content:"R|3A|"; distance:0; nocase; content:"unserialize"; within:75; nocase; metadata:service http; reference:cve,2016-6290; reference:url,bugs.php.net/bug.php?id=72562; classtype:attempted-user; sid:40038; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt"; flow:to_server,established; content:"/admin/config.php"; fast_pattern:only; http_uri; content:"remotemod="; nocase; http_uri; pcre:"/[?&]remotemod=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,packetstormsecurity.com/files/138505/; classtype:web-application-attack; sid:40033; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt"; flow:to_server,established; content:"/admin/config.php"; fast_pattern:only; http_uri; content:"remotemod="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]remotemod=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,packetstormsecurity.com/files/138505/; classtype:web-application-attack; sid:40032; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt"; flow:to_server,established; content:"/admin/config.php"; fast_pattern:only; http_uri; content:"remotemod="; nocase; http_client_body; pcre:"/(^|&)remotemod=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,packetstormsecurity.com/files/138505/; classtype:web-application-attack; sid:40031; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt"; flow:to_server,established; content:"/admin/config.php"; fast_pattern:only; http_uri; content:"remotemod"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?remotemod((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,packetstormsecurity.com/files/138505/; classtype:web-application-attack; sid:40030; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Quick-Post Widget GET request using Body cross-site scripting"; flow:to_server,established; content:"/wordpress/|3F 22|><"; fast_pattern:only; http_uri; content:"<body"; nocase; http_uri; content:"form"; nocase; http_uri; metadata:service http; reference:cve,2012-4226; classtype:attempted-user; sid:40058; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Zabbix Network Monitoring System latest.php SQL injection attempt"; flow:to_server,established; content:"/zabbix/latest.php"; fast_pattern:only; http_uri; content:"toggle_ids[]="; nocase; http_uri; pcre:"/[?&]toggle_ids\x5b\x5d=[^&]*?[\x3b\x29\x28]/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,support.zabbix.com/browse/ZBX-11023; classtype:web-application-attack; sid:40071; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Zabbix Network Monitoring System latest.php SQL injection attempt"; flow:to_server,established; content:"/zabbix/latest.php"; fast_pattern:only; http_uri; content:"toggle"; nocase; http_client_body; pcre:"/(^|&)toggle(\x5f|%5f)ids(\x5b|%5b)(\x5d|%5d)=[^&]*?([\x3b\x29\x28]|%3b|%29|%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,support.zabbix.com/browse/ZBX-11023; classtype:web-application-attack; sid:40070; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Zabbix Network Monitoring System jsrpc.php SQL injection attempt"; flow:to_server,established; content:"/zabbix/jsrpc.php"; fast_pattern:only; http_uri; content:"profileIdx2="; nocase; http_uri; pcre:"/[?&]profileIdx2=[^&]*?[\x3b\x29\x28]/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,support.zabbix.com/browse/ZBX-11023; classtype:web-application-attack; sid:40069; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Zabbix Network Monitoring System jsrpc.php SQL injection attempt"; flow:to_server,established; content:"/zabbix/jsrpc.php"; fast_pattern:only; http_uri; content:"profileIdx2="; nocase; http_client_body; pcre:"/(^|&)profileIdx2=[^&]*?([\x3b\x29\x28]|%3b|%29|%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,support.zabbix.com/browse/ZBX-11023; classtype:web-application-attack; sid:40068; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP WebNMS framework server .jsp file retrieval attempt"; flow:to_server,established; content:"/jsp/WebStart-"; fast_pattern:only; http_uri; content:".jsp"; nocase; http_uri; pcre:"/[\x2f\x5c]jsp[\x2f\x5c]WebStart[^&?].*?\x2Ejsp/Ui"; metadata:policy max-detect-ips drop, service http; reference:url,packetstormsecurity.com/files/138324/WebNMS-Framework-Server-5.2-Arbitrary-File-Upload.html; classtype:attempted-admin; sid:40185; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AirOS authentication bypass attempt"; flow:to_server,established; content:"/admin.cgi/sd.css"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,51178; classtype:attempted-admin; sid:40182; rev:1;)
# NOTE(review): in this rule and the seven that follow (sids 40224-40231) the URI literal reads "/ CSCOE /logon.html" with spaces.
# The ASA WebVPN logon path is normally written /+CSCOE+/logon.html, so the "+" characters were probably lost when this copy
# was produced; compare against the upstream rule text before enabling any of these, or the fast pattern may never match.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt"; flow:to_server,established; content:"/ CSCOE /logon.html"; fast_pattern:only; http_uri; content:"password"; nocase; http_uri; pcre:"/[?&]password=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src|onclick)/Ui"; metadata:policy security-ips drop, service http; reference:bugtraq,66290; reference:cve,2014-2120; reference:url,tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2120; classtype:web-application-attack; sid:40231; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt"; flow:to_server,established; content:"/ CSCOE /logon.html"; fast_pattern:only; http_uri; content:"ServerType="; nocase; http_uri; pcre:"/[?&]ServerType=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src|onclick)/Ui"; metadata:policy security-ips drop, service http; reference:bugtraq,66290; reference:cve,2014-2120; reference:url,tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2120; classtype:web-application-attack; sid:40230; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt"; flow:to_server,established; content:"/ CSCOE /logon.html"; fast_pattern:only; http_uri; content:"tgroup="; nocase; http_uri; pcre:"/[?&]tgroup=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src|onclick)/Ui"; metadata:policy security-ips drop, service http; reference:bugtraq,66290; reference:cve,2014-2120; reference:url,tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2120; classtype:web-application-attack; sid:40229; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt"; flow:to_server,established; content:"/ CSCOE /logon.html"; fast_pattern:only; http_uri; content:"state="; nocase; http_uri; pcre:"/[?&]state=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src|onclick)/Ui"; metadata:policy security-ips drop, service http; reference:bugtraq,66290; reference:cve,2014-2120; reference:url,tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2120; classtype:web-application-attack; sid:40228; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt"; flow:to_server,established; content:"/ CSCOE /logon.html"; fast_pattern:only; http_uri; content:"password_min="; nocase; http_uri; pcre:"/[?&]password_min=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src|onclick)/Ui"; metadata:policy security-ips drop, service http; reference:bugtraq,66290; reference:cve,2014-2120; reference:url,tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2120; classtype:web-application-attack; sid:40227; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt"; flow:to_server,established; content:"/ CSCOE /logon.html"; fast_pattern:only; http_uri; content:"username="; nocase; http_uri; pcre:"/[?&]username=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src|onclick)/Ui"; metadata:policy security-ips drop, service http; reference:bugtraq,66290; reference:cve,2014-2120; reference:url,tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2120; classtype:web-application-attack; sid:40226; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt"; flow:to_server,established; content:"/ CSCOE /logon.html"; fast_pattern:only; http_uri; content:"reason="; nocase; http_uri; pcre:"/[?&]reason=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src|onclick)/Ui"; metadata:policy security-ips drop, service http; reference:bugtraq,66290; reference:cve,2014-2120; reference:url,tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2120; classtype:web-application-attack; sid:40225; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco ASA WebVPN auth_handle cross site scripting attempt"; flow:to_server,established; content:"/ CSCOE /logon.html"; fast_pattern:only; http_uri; content:"auth_handle="; nocase; http_uri; pcre:"/[?&]auth_handle=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src|onclick)/Ui"; metadata:policy security-ips drop, service http; reference:bugtraq,66290; reference:cve,2014-2120; reference:url,tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2120; classtype:web-application-attack; sid:40224; rev:1;)
# NOTE(review): in the pcre below the first alternative is an unescaped "<?", which PCRE reads as an optional "<" and which
# therefore matches the empty string. As written the pcre succeeds on any body containing "script=", so the rule would alert on
# every post2file.php request carrying file_name= and script=. The \x3c\x3f alternative already covers a literal "<?"; escape
# or drop the first alternative (and check the upstream text) before enabling this rule.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Idera Up.Time Monitoring Station post2file.php arbitrary PHP file upload attempt"; flow:to_server,established; content:"/wizards/post2file.php"; fast_pattern:only; http_uri; content:"file_name="; nocase; http_client_body; content:"script="; nocase; http_client_body; pcre:"/script=.*?(<?|%3c%3f|\x3c\x3f)/P"; metadata:service http; reference:bugtraq,64031; classtype:attempted-admin; sid:40256; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FreePBX Music Module ajax.php command injection attempt"; flow:to_server,established; content:"/admin/ajax.php"; fast_pattern:only; http_uri; content:"command"; nocase; content:"filename"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/filename\s*=\s*\x22[^\x22]*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,wiki.freepbx.org/display/fop/security+information; classtype:web-application-attack; sid:40255; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Kaltura redirectWidgetCmd PHP object injection attempt"; flow:to_server,established; content:"/keditorservices/redirectWidgetCmd"; fast_pattern:only; http_uri; content:"kdata="; nocase; http_uri; base64_decode:bytes 64, offset 0, relative; base64_data; content:"O|3A|"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,packetstormsecurity.com/files/138806; classtype:attempted-admin; sid:40283; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SugarCRM SugarRestSerialize.php PHP object injection attempt"; flow:to_server,established; content:"/sugarcrm/service/v4/rest.php"; fast_pattern:only; http_uri; content:"rest_data="; nocase; http_uri; pcre:"/[?&]rest_data=[^&]*?(?-i)O\x3a/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.sugarcrm.com/security/sugarcrm-sa-2016-008; classtype:web-application-attack; sid:40277; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SugarCRM SugarRestSerialize.php PHP object injection attempt"; flow:to_server,established; content:"/sugarcrm/service/v4/rest.php"; fast_pattern:only; http_uri; content:"rest_data="; nocase; http_client_body; pcre:"/(^|&)rest_data=[^&]*?(?-i)O(?i)(\x3a|%3a)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.sugarcrm.com/security/sugarcrm-sa-2016-008; classtype:web-application-attack; sid:40276; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt"; flow:to_server,established; content:"/WADashboard/ajax/FileAjaxAction.aspx"; fast_pattern:only; http_uri; content:"wbWidPath"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?wbWidPath((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:service http; reference:cve,2016-0855; reference:url,ics-cert.us-cert.gov/advisories/ICSA-16-014-01; classtype:web-application-attack; sid:40293; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt"; flow:to_server,established; content:"/WADashboard/ajax/FileAjaxAction.aspx"; fast_pattern:only; http_uri; content:"wbWidPath="; nocase; http_client_body; pcre:"/(^|&)wbWidPath=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:cve,2016-0855; reference:url,ics-cert.us-cert.gov/advisories/ICSA-16-014-01; classtype:web-application-attack; sid:40292; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt"; flow:to_server,established; content:"/WADashboard/ajax/FileAjaxAction.aspx"; fast_pattern:only; http_uri; content:"wbWidPath="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]wbWidPath=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:cve,2016-0855; reference:url,ics-cert.us-cert.gov/advisories/ICSA-16-014-01; classtype:web-application-attack; sid:40291; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,3000] (msg:"SERVER-WEBAPP Ruby on Rails Web Console remote code execution attempt"; flow:to_server,established; content:"X-Forwarded-For|3A| "; fast_pattern:only; nocase; content:"PUT"; depth:3; content:"input="; distance:0; pcre:"/X-Forwarded-For: [0:]{3,39}1\r\n/i"; metadata:service http; reference:cve,2015-3224; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/rails_web_console_v2_code_exec.rb; classtype:web-application-attack; sid:40332; rev:1;)
# NOTE(review): this disabled rule matches one fixed header value, "Authorization: Basic YWRtaW46YWRtaW4=" (base64 of admin:admin),
# on requests under /jmx-console/. Any other credential pair is outside its coverage, so it should complement, not replace,
# authentication logging on the JBoss console. Its destination is $HTTP_SERVERS, unlike the $HOME_NET used by neighbouring rules.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP JBoss default credential login attempt"; flow:to_server,established; content:"/jmx-console/"; nocase; http_uri; content:"Authorization: Basic YWRtaW46YWRtaW4="; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:40331; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FreePBX Hotelwakeup Module ajax.php directory traversal attempt"; flow:to_server,established; content:"/admin/ajax.php"; nocase; http_uri; content:"command=savecall"; fast_pattern:only; content:"destination="; nocase; http_client_body; pcre:"/(^|&)destination=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,wiki.freepbx.org/display/FOP/Security+Information; classtype:web-application-attack; sid:40342; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FreePBX Hotelwakeup Module ajax.php PHP code injection attempt"; flow:to_server,established; content:"/admin/ajax.php"; nocase; http_uri; content:"command=savecall"; fast_pattern:only; content:"language="; nocase; http_client_body; pcre:"/(^|&)language=[^&]*?(\x3c|%3c)(\x3f|%3f)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,wiki.freepbx.org/display/FOP/Security+Information; classtype:web-application-attack; sid:40341; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 444 (msg:"SERVER-WEBAPP IPFire proxy.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/proxy.cgi"; fast_pattern:only; content:"NCSA_PASS"; nocase; content:"Content-Disposition"; nocase; pcre:"/name\s*=\s*[\x22\x27]?NCSA_PASS(_CONFIRM)?((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/sim"; reference:url,ipfire.org/news/ipfire-2-19-core-update-101-released; classtype:web-application-attack; sid:40352; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 444 (msg:"SERVER-WEBAPP IPFire proxy.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/proxy.cgi"; fast_pattern:only; content:"NCSA_PASS"; nocase; pcre:"/(^|&)NCSA_PASS(_CONFIRM)?=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/im"; reference:url,ipfire.org/news/ipfire-2-19-core-update-101-released; classtype:web-application-attack; sid:40351; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 444 (msg:"SERVER-WEBAPP IPFire proxy.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/proxy.cgi"; fast_pattern:only; content:"NCSA_PASS"; nocase; content:"%26"; pcre:"/[?&]NCSA_PASS(_CONFIRM)?=[^&]*?%26/i"; reference:url,ipfire.org/news/ipfire-2-19-core-update-101-released; classtype:web-application-attack; sid:40350; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 444 (msg:"SERVER-WEBAPP IPFire proxy.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/proxy.cgi"; fast_pattern:only; content:"NCSA_PASS"; nocase; pcre:"/[?&]NCSA_PASS(_CONFIRM)?=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/i"; reference:url,ipfire.org/news/ipfire-2-19-core-update-101-released; classtype:web-application-attack; sid:40349; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nibbleblog remote code execution attempt"; flow:to_server,established; content:"admin.php"; http_uri; content:"plugin=my_image"; fast_pattern:only; http_uri; content:"controller=plugins"; http_uri; content:"Content-Disposition: form-data|3B| name="; nocase; http_client_body; content:"image"; within:6; http_client_body; content:"|0A|"; distance:0; http_client_body; content:".php"; within:6; distance:-7; nocase; http_client_body; metadata:service http; reference:cve,2015-6967; classtype:attempted-user; sid:40454; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Messaging Gateway KavaChart Component directory traversal attempt"; flow:to_server,established; content:"/brightmail/servlet/com.ve.kavachart.servlet.ChartStream"; fast_pattern:only; http_uri; content:"sn="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]sn=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-5312; classtype:web-application-attack; sid:40451; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Avtech IP Camera search.cgi command injection attempt"; flow:to_server,established; content:"/search.cgi"; nocase; http_uri; content:"action=cgi_query"; nocase; http_uri; content:"queryb64str="; fast_pattern:only; http_uri; pcre:"/[?&](username|password)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Oct/36; classtype:attempted-admin; sid:40448; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Avtech IP Camera search.cgi command injection attempt"; flow:to_server,established; content:"/search.cgi"; nocase; http_uri; content:"action=cgi_query"; nocase; http_uri; content:"queryb64str="; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&](username|password)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Oct/36; classtype:attempted-admin; sid:40447; rev:2;)
# sid:40446 - Avtech IP camera config.cgi request routed through a "/nobody" or ".cab" path.
# Every match is on the normalized URI: "/cgi-bin/", "/config.cgi" and "category=" must be
# present, and the pcre needs "/nobody" or ".cab" after a leading "/cgi-bin" on the same line.
# metadata marks the rule drop for the balanced, security and max-detect policies.
# Triage: confirm the destination is an Avtech device and inspect the response for config data.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Avtech IP Camera unauthenticated config access attempt"; flow:to_server,established; content:"/cgi-bin/"; nocase; http_uri; content:"/config.cgi"; fast_pattern:only; http_uri; content:"category="; nocase; http_uri; pcre:"/^\x2fcgi-bin[^\n]*?(\x2fnobody|\x2ecab)/Uim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Oct/36; classtype:attempted-admin; sid:40446; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Magento Cms_Wysiwyg SQL injection attempt"; flow:to_server,established; content:"/admin/Cms_Wysiwyg/directive/index/"; fast_pattern:only; http_uri; content:"Content-Disposition"; nocase; http_client_body; content:"filter="; base64_decode:bytes 200, relative; base64_data; pcre:"/name\s*=\s*[\x22\x27]?(popularity\[(from|to|field_expr)\])((?!^--).)*?[\r\n]{2,}((?!^--).)*?[\x30\x33]/Psim"; metadata:service http; reference:cve,2015-1397; classtype:web-application-attack; sid:40464; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Magento Cms_Wysiwyg SQL injection attempt"; flow:to_server,established; content:"/admin/Cms_Wysiwyg/directive/index/"; fast_pattern:only; http_uri; content:"filter="; base64_decode:bytes 200, relative; base64_data; pcre:"/(^|&)(popularity\[(from|to|field_expr)\])=[^&]*?([\x30\x33]|%30|%33)/Pim"; metadata:service http; reference:cve,2015-1397; classtype:web-application-attack; sid:40463; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Magento Cms_Wysiwyg SQL injection attempt"; flow:to_server,established; content:"/admin/Cms_Wysiwyg/directive/index/"; fast_pattern:only; http_uri; content:"filter="; base64_decode:bytes 200, relative; base64_data; pcre:"/popularity\[(from|to|field_expr)\]=[^&]*?[\x30\x33]/i"; metadata:service http; reference:cve,2015-1397; classtype:web-application-attack; sid:40462; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Plugin RevSlider file upload attempt"; flow:to_server,established; content:"/wp-admin/admin-ajax.php"; fast_pattern:only; http_uri; content:"Content-Disposition:"; nocase; http_client_body; content:"|22|client_action|22|"; within:50; http_client_body; content:"Content-Disposition:"; distance:0; nocase; http_client_body; content:"|22|update_file|22|"; within:50; nocase; http_client_body; file_data; content:"PK"; depth:2; metadata:service http; reference:cve,2014-9735; classtype:web-application-attack; sid:40497; rev:2;)
# sid:40494 - WP Symposium upload handler (server/php/index.php) receiving PHP-looking content
# (CVE-2014-10021).
# The only body condition is the two bytes "<?" anywhere in the client body, so any request to
# this path carrying an XML prolog or other "<?" text also matches; treat hits as upload
# attempts to verify, not as confirmed code execution.
# NOTE(review): client-body matching is bounded by the HTTP Inspect post_depth setting -
# confirm it is large enough for multipart uploads in this deployment.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress Symposium arbitrary PHP file upload attempt"; flow:to_server,established; content:"/wp-content/plugins/wp-symposium/server/php/index.php"; fast_pattern:only; http_uri; content:"<?"; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,71686; reference:cve,2014-10021; reference:url,wpvulndb.com/vulnerabilities/7716/; classtype:attempted-admin; sid:40494; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ektron ServerControlWS.asmx XSL transform code injection attempt"; flow:to_server,established; content:"/WorkArea/ServerControlWS.asmx"; fast_pattern:only; http_uri; content:"<msxsl:script"; nocase; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-0931; reference:url,attack.mitre.org/techniques/T1220; reference:url,www.kb.cert.org/vuls/id/377644; classtype:web-application-attack; sid:40493; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro SafeSync JSON API ad_sync_now command injection attempt"; flow:to_server,established; content:"/api/admin/ad/ad_sync_now"; fast_pattern:only; http_uri; content:"|22|id|22|"; nocase; pcre:"/\x22id\x22\s*\x3a\s*\x22[^\x22]*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,92919; reference:url,success.trendmicro.com/solution/1115193-security-bulletin-trend-micro-safesync-for-enterprise-ssfe-remote-code-execution-vulnerability; classtype:web-application-attack; sid:40524; rev:2;)
# sid:40609 / sid:40608 - Joomla account registration through the UsersController task
# "user.register" (CVE-2016-8869, CVE-2016-8870). The two rules differ only in how the
# component is addressed: 40609 looks for "com_users" anywhere in the payload, 40608 for
# "/component/users" in the normalized URI. Both also need "user[username]" in the client body.
# "com_users" and "user.register" carry no http_* modifier, so they are not tied to the URI.
# NOTE(review): the body match is on literal brackets; verify with a test capture that
# form-urlencoded submissions (brackets sent as %5B/%5D) are still detected.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla UsersController non-standard insecure account registration method access attempt"; flow:to_server,established; content:"com_users"; nocase; content:"user.register"; fast_pattern:only; content:"user[username]"; nocase; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-8869; reference:cve,2016-8870; reference:url,developer.joomla.org/security-centre/659-20161001-core-account-creation.html; reference:url,developer.joomla.org/security-centre/660-20161002-core-elevated-privileges.html; classtype:attempted-admin; sid:40609; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla UsersController non-standard insecure account registration method access attempt"; flow:to_server,established; content:"/component/users"; nocase; http_uri; content:"user.register"; fast_pattern:only; content:"user[username]"; nocase; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-8869; reference:cve,2016-8870; reference:url,developer.joomla.org/security-centre/659-20161001-core-account-creation.html; reference:url,developer.joomla.org/security-centre/660-20161002-core-elevated-privileges.html; classtype:attempted-admin; sid:40608; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DaloRADIUS notificationsBatchDetails.php SQL injection attempt"; flow:to_server,established; content:"/include/common/notificationsBatchDetails.php"; fast_pattern:only; http_uri; content:"batch_name="; nocase; http_uri; pcre:"/[?&]batch_name=[^&]*?\x27/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Oct/92; classtype:web-application-attack; sid:40592; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt"; flow:to_server,established; content:"/config-maint-disconnect-user.php"; fast_pattern:only; http_uri; content:"customattributes="; nocase; http_uri; pcre:"/[?&]customattributes=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Oct/92; classtype:web-application-attack; sid:40591; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt"; flow:to_server,established; content:"/config-maint-disconnect-user.php"; fast_pattern:only; http_uri; content:"customattributes="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]customattributes=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Oct/92; classtype:web-application-attack; sid:40590; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DaloRADIUS config-maint-disconnect-user.php command injection attempt"; flow:to_server,established; content:"/config-maint-disconnect-user.php"; fast_pattern:only; http_uri; content:"customattributes="; nocase; http_client_body; pcre:"/(^|&)customattributes=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Oct/92; classtype:web-application-attack; sid:40589; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Testing Suite authentication bypass attempt"; flow:to_server,established; content:"/admin/LoginSubmit.do"; fast_pattern:only; http_uri; content:"../"; http_raw_uri; metadata:service http; reference:cve,2016-0488; reference:url,www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html; classtype:attempted-admin; sid:40617; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Testing Suite authentication bypass attempt"; flow:to_server,established; content:"/admin/Login.do"; fast_pattern:only; http_uri; content:"../"; http_raw_uri; metadata:service http; reference:cve,2016-0488; reference:url,www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html; classtype:attempted-admin; sid:40616; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Testing Suite authentication bypass attempt"; flow:to_server,established; content:"/admin/LoginUpgrade.do"; fast_pattern:only; http_uri; content:"../"; http_raw_uri; metadata:service http; reference:cve,2016-0488; reference:url,www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html; classtype:attempted-admin; sid:40615; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Testing Suite authentication bypass attempt"; flow:to_server,established; content:"/admin/Logout.do"; fast_pattern:only; http_uri; content:"../"; http_raw_uri; metadata:service http; reference:cve,2016-0488; reference:url,www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html; classtype:attempted-admin; sid:40614; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Testing Suite authentication bypass attempt"; flow:to_server,established; content:"/admin/EloadUsersTab.do"; fast_pattern:only; http_uri; content:"../"; http_raw_uri; metadata:service http; reference:cve,2016-0488; reference:url,www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html; classtype:attempted-admin; sid:40613; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Alienvault OSSIM gauge.php value SQL injection attempt"; flow:to_server,established; content:"/ossim/dashboard/sections/widgets/data/gauge.php"; fast_pattern:only; http_uri; content:"value="; nocase; http_uri; pcre:"/[?&]value=[^&]*?(\x2d\x2d|\x2f\x2a)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,93866; reference:cve,2016-8582; reference:url,www.alienvault.com/forums/discussion/7766/security-advisory-alienvault-5-3-2-address-70-vulnerabilities; classtype:web-application-attack; sid:40754; rev:2;)
# sid:40750 - D-Link DIR HNAP Login request with an oversized body (CVE-2016-6563).
# Length heuristic, not a payload signature: after "<Login" in the client body there must be
# at least 1024 more bytes (isdataat) and no "</soap" closing tag inside those 1024 bytes.
# Also requires "/HNAP1" in the URI and "<soap" in the client body.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DIR Series Routers HNAP stack buffer overflow attempt"; flow:to_server,established; content:"/HNAP1"; fast_pattern:only; http_uri; content:"<soap"; nocase; http_client_body; content:"<Login"; nocase; http_client_body; isdataat:1024,relative; content:!"</soap"; within:1024; nocase; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,94130; reference:cve,2016-6563; classtype:attempted-admin; sid:40750; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sophos Web Security Appliance command injection attempt"; flow:to_server,established; content:"c=logs"; fast_pattern:only; content:"by="; nocase; http_client_body; pcre:"/(^|&)by=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,swa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.html; classtype:web-application-attack; sid:40786; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sophos Web Security Appliance command injection attempt"; flow:to_server,established; content:"c=diagnostic_tools"; fast_pattern:only; content:"request_id="; nocase; http_client_body; pcre:"/(^|&)request_id=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,swa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.html; classtype:web-application-attack; sid:40785; rev:2;)
# sid:40784 - TR-064 SetNTPServers request whose <NewNTPServer> value holds shell
# metacharacters: ";", "|", "&", "`" or "$(".
# Only TCP 5555 and 7547 are inspected; the contents and pcre have no http_* buffer modifier,
# so they are not restricted to the URI or the client body.
# NOTE(review): "&" is in the character class, so an XML entity such as "&amp;" inside the
# element value would presumably also alert - check the value before treating a hit as malicious.
alert tcp $EXTERNAL_NET any -> $HOME_NET [5555,7547] (msg:"SERVER-WEBAPP ZyXEL TR-064 SetNTPServers command injection attempt"; flow:to_server,established; content:"SetNTPServers"; fast_pattern:only; content:"<NewNTPServer"; nocase; pcre:"/<NewNTPServer[^>]*?>[^<]*?([\x3b\x7c\x26\x60]|\x24\x28)/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.broadband-forum.org/technical/download/TR-064.pdf; classtype:attempted-admin; sid:40784; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [5555,7547] (msg:"SERVER-WEBAPP ZyXEL TR-064 GetSecurityKeys information disclosure attempt"; flow:to_server,established; content:"service:WLANConfiguration"; fast_pattern:only; content:"GetSecurityKeys"; nocase; metadata:service http; reference:url,www.broadband-forum.org/technical/download/TR-064.pdf; classtype:attempted-recon; sid:40783; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Web Gateway new_whitelist.php command injection attempt"; flow:to_server,established; content:"/spywall/new_whitelist.php"; fast_pattern:only; http_uri; content:"white_ip="; nocase; http_client_body; pcre:"/(^|&)white_ip=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,93284; reference:cve,2016-5313; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20161005_00; classtype:web-application-attack; sid:40817; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear ReadyNAS Surveillance cgi_system administrator password reset attempt"; flow:to_server,established; content:"/cgi-bin/cgi_system"; nocase; http_uri; content:"cmd=loaddefconfig"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,92318; reference:cve,2016-5676; reference:url,seclists.org/bugtraq/2016/Aug/45; classtype:attempted-admin; sid:40815; rev:1;)
# sid:40865 - Bassmaster batch endpoint request with shell metacharacters after a "path" key
# (CVE-2014-7205). urilen:6 plus "/batch" limits this to a URI of exactly that length.
# The pcre runs on the client body with /s, and ".*?" is not bounded by the closing quote, so
# a "`", ";", "|", "$(" (or %60 %3b %7c %26 %24%28) anywhere after the first "path" key matches.
# Expect hits on legitimate batch bodies that contain ";" later in the body; review the value.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Bassmaster Batch remote code execution attempt"; flow:to_server,established; urilen:6; content:"/batch"; nocase; http_uri; content:"|22|path|22|"; fast_pattern:only; http_client_body; pcre:"/\x22path\x22\s*?:\s*?\x22.*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/smiP"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2014-7205; classtype:attempted-admin; sid:40865; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9201 (msg:"SERVER-WEBAPP VTSCADA WAP information disclosure attempt"; flow:to_server,established; content:"/Settings.Startup%00"; fast_pattern:only; metadata:service http; reference:cve,2016-4510; classtype:attempted-user; sid:40854; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9201 (msg:"SERVER-WEBAPP VTSCADA WAP information disclosure attempt"; flow:to_server,established; content:"/Settings.Dynamic%00"; fast_pattern:only; metadata:service http; reference:cve,2016-4510; classtype:attempted-user; sid:40853; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9201 (msg:"SERVER-WEBAPP VTSCADA WAP information disclosure attempt"; flow:to_server,established; content:"/Servers%00"; fast_pattern:only; metadata:service http; reference:cve,2016-4510; classtype:attempted-user; sid:40852; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9201 (msg:"SERVER-WEBAPP VTSCADA WAP information disclosure attempt"; flow:to_server,established; content:"/AppRoot%00"; fast_pattern:only; metadata:service http; reference:cve,2016-4510; classtype:attempted-user; sid:40851; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9201 (msg:"SERVER-WEBAPP VTSCADA WAP information disclosure attempt"; flow:to_server,established; content:"/Accounts.Dynamic%00"; fast_pattern:only; metadata:service http; reference:cve,2016-4510; classtype:attempted-user; sid:40850; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Veritas NetBackup Appliance getLicense command injection attempt"; flow:to_server,established; content:"/appliancews/getLicense"; fast_pattern:only; http_uri; content:"hostName="; nocase; http_uri; pcre:"/[?&]hostName=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,94384; reference:cve,2016-7399; reference:url,www.veritas.com/support/en_US/article.000116055; classtype:web-application-attack; sid:40838; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Veritas NetBackup Appliance getLicense command injection attempt"; flow:to_server,established; content:"/appliancews/getLicense"; fast_pattern:only; http_uri; content:"hostName="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]hostName=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,94384; reference:cve,2016-7399; reference:url,www.veritas.com/support/en_US/article.000116055; classtype:web-application-attack; sid:40837; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress Symposium get_album_item.php SQL injection attempt"; flow:to_server,established; content:"/wp-symposium/get_album_item.php"; fast_pattern:only; http_uri; content:"size="; nocase; http_uri; pcre:"/[?&]size=[^&]*?\x3b/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,76499; reference:cve,2015-6522; classtype:web-application-attack; sid:40882; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress Symposium get_album_item.php SQL injection attempt"; flow:to_server,established; content:"/wp-symposium/get_album_item.php"; fast_pattern:only; http_uri; content:"size="; nocase; http_client_body; pcre:"/(^|&)size=[^&]*?(\x3b|%3b)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,76499; reference:cve,2015-6522; classtype:web-application-attack; sid:40881; rev:2;)
# sid:40883 - Flood of WordPress pingback verification GETs aimed at a protected server
# (CVE-2013-0235). A single request matches on its headers: "User-Agent: WordPress/",
# "; verifying pingback from " and "X-Pingback-Forwarded-For: " must all be present.
# detection_filter (track by_dst, count 1000, seconds 5) suppresses events until one
# destination has exceeded 1000 matches within 5 seconds, so low-rate pingback traffic is
# never reported by this rule. Direction is $EXTERNAL_NET -> $HOME_NET: it covers the
# receiving side of the requests, not outbound pingbacks from local WordPress sites.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress XMLRPC pingback ddos attempt"; flow:established,to_server,only_stream; content:"GET"; http_method; content:"User-Agent: WordPress/"; http_header; content:"|3B| verifying pingback from "; fast_pattern:only; http_header; content:"X-Pingback-Forwarded-For: "; http_header; detection_filter:track by_dst, count 1000, seconds 5; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0235; reference:url,blog.sucuri.net/2016/02/wordpress-sites-leveraged-in-ddos-campaigns.html; classtype:web-application-attack; sid:40883; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Flexense DiskPulse Disk Change Monitor login buffer overflow attempt"; flow:to_server,established; content:"/login"; http_uri; content:"password="; http_client_body; isdataat:100,relative; content:!"&"; within:100; metadata:service http; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/disk_pulse_enterprise_bof.rb; classtype:attempted-admin; sid:40890; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Barracuda WAF UPDATE_scan_information_in_use command injection attempt"; flow:to_server,established; content:"/cgi-mod/index.cgi"; nocase; http_uri; content:"UPDATE_scan_information_in_use"; fast_pattern:only; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?UPDATE_scan_information_in_use((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-6320; reference:url,campus.barracuda.com/product/loadbalanceradc/article/ADC/ReleaseNotes610003/; classtype:web-application-attack; sid:40889; rev:3;)
# sid:40905 / sid:40904 - Login to /j_security_check on TCP 7001 with well-known credentials
# (reference: ATT&CK T1078).
#   40905: j_username starting with "root" or "system" together with "j_password=weblogic".
#   40904: "j_username=weblogic" with a j_password starting "welcome1", "weblogic" or "admin".
# Matches are case-sensitive prefix matches on the client body (no nocase, no end anchor), and
# only traffic to port 7001 that Snort can read in cleartext is covered. An alert shows an
# attempt, not a successful login; check the server response and the authentication logs.
alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-WEBAPP Oracle Weblogic default credentials login attempt"; flow:to_server,established; content:"/j_security_check"; fast_pattern:only; http_uri; content:"j_username="; http_client_body; content:"j_password=weblogic"; http_client_body; pcre:"/j_username=(root|system)/P"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-admin; sid:40905; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-WEBAPP Oracle Weblogic default credentials login attempt"; flow:to_server,established; content:"/j_security_check"; fast_pattern:only; http_uri; content:"j_username=weblogic"; http_client_body; content:"j_password"; http_client_body; pcre:"/j_password=(welcome1|weblogic|admin)/P"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-admin; sid:40904; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Reference Design Kit ajax_network_diagnostic_tools.php command injection attempt"; flow:to_server,established; content:"/actionHandler/ajax_network_diagnostic_tools.php"; fast_pattern:only; http_uri; content:"destination_address="; nocase; http_client_body; pcre:"/(^|&)destination_address=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,github.com/rdkcmf/rdkb-webui/commit/112770d; classtype:web-application-attack; sid:40933; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sony IPELA IP Cameras prima-factory.cgi telnet backdoor access attempt"; flow:to_server,established; content:"/command/prima-factory.cgi"; fast_pattern:only; http_uri; content:"Telnet="; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.pro.sony.eu/pro/lang/en/eu/article/sony-new-firmware-for-network-cameras; classtype:attempted-admin; sid:40994; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios Core Configuration Manager command injection attempt"; flow:to_server,established; content:"/nagiosxi/includes/components/ccm/index.php"; fast_pattern:only; http_uri; content:"tfCommand="; nocase; http_client_body; pcre:"/(^|&)tfCommand=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pim"; metadata:policy security-ips drop, service http; reference:cve,2013-6875; classtype:web-application-attack; sid:41030; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios Core Configuration Manager SQL injection attempt"; flow:to_server,established; content:"/nagiosql/index.php"; fast_pattern:only; http_uri; content:"tfPassword="; nocase; http_client_body; pcre:"/(^|&)tfPassword=[^&]*?([\x27\x23\x2a]|%27|%23|%2a)/Pim"; metadata:policy security-ips drop, service http; reference:cve,2013-6875; classtype:web-application-attack; sid:41029; rev:1;)
# sid:41026 - Upload to WADashboard UploadAjaxAction.aspx with an ASP-type file name
# (CVE-2016-0854, ICSA-16-014-01). Needs "actionName" somewhere in the payload and, in the
# client body, "filename" followed on the same line by ".asp"; the pattern is unanchored, so
# ".aspx" and names that merely contain ".asp" match as well.
# metadata also lists the connectivity policy, in addition to balanced/security/max-detect.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess Dashboard remote code execution attempt"; flow:to_server,established; content:"/WADashboard/ajax/UploadAjaxAction.aspx"; fast_pattern:only; http_uri; content:"actionName"; nocase; content:"filename"; nocase; http_client_body; pcre:"/filename\s*=\s*[^\r\n]*?\.asp/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,80745; reference:cve,2016-0854; reference:url,ics-cert.us-cert.gov/advisories/ICSA-16-014-01; classtype:attempted-admin; sid:41026; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro InterScan WSA wmi_domain_controllers command injection attempt"; flow:to_server,established; content:"/rest/wmi_domain_controllers"; fast_pattern:only; http_uri; pcre:"/(^|&)(domain|username|password)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,success.trendmicro.com/solution/1114185; classtype:web-application-attack; sid:41039; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro InterScan WSA testConfiguration command injection attempt"; flow:to_server,established; content:"/rest/testConfiguration"; fast_pattern:only; http_uri; pcre:"/(^|&)(authmethod|basedn|password|user|vendor|hostname)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,success.trendmicro.com/solution/1114185; classtype:web-application-attack; sid:41038; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro InterScan WSA domains command injection attempt"; flow:to_server,established; content:"/rest/domains"; fast_pattern:only; http_uri; pcre:"/(^|&)(admin|bdn|password)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,success.trendmicro.com/solution/1114185; classtype:web-application-attack; sid:41037; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro InterScan WSA ManagePatches servlet command injection attempt"; flow:to_server,established; content:"/servlet/com.trend.iwss.gui.servlet.ManagePatches"; fast_pattern:only; http_uri; content:"filename"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/filename\s*=\s*\x22[^\x22]*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,success.trendmicro.com/solution/1114185; classtype:web-application-attack; sid:41036; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro hotfix_upload.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/hotfix_upload.cgi"; fast_pattern:only; http_uri; content:"filename"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/filename\s*=\s*\x22[^\x22]*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,91229; reference:cve,2016-5840; reference:cve,2016-8588; reference:url,success.trendmicro.com/solution/1114281; classtype:web-application-attack; sid:41032; rev:3;)
# sid:41087 / sid:41086 - Command injection through the pid parameter of
# /Operajserv/webarchive/ProcessInfo (CVE-2016-5563).
#   41087: normalized URI; pid value containing "`", ";", "|" or "<(", ">(", "$(".
#   41086: raw URI; pid value containing a percent-encoded "&" (%26) - presumably kept on the
#          raw buffer because a decoded "&" would be read as a parameter separator.
# Both patterns stop at the first "&", so only the pid value itself is examined.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Opera Property Management System ProcessInfo command injection attempt"; flow:to_server,established; content:"/Operajserv/webarchive/ProcessInfo"; fast_pattern:only; http_uri; content:"pid="; nocase; http_uri; pcre:"/[?&]pid=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,93768; reference:cve,2016-5563; reference:url,www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html; classtype:web-application-attack; sid:41087; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Opera Property Management System ProcessInfo command injection attempt"; flow:to_server,established; content:"/Operajserv/webarchive/ProcessInfo"; fast_pattern:only; http_uri; content:"pid="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]pid=[^&]*?%26/Ii"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,93768; reference:cve,2016-5563; reference:url,www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html; classtype:web-application-attack; sid:41086; rev:2;)
# sid:41106 - PHPMailer sendmail-option injection in a submitted field (CVE-2016-10033,
# CVE-2016-10034, CVE-2016-10045, CVE-2016-10074).
# Client body must contain "-oq" (case-insensitive), then "-X" within 100 bytes and "@" within
# a further 100 bytes; the pcre (no buffer flag) then requires a backslash-escaped quote,
# whitespace, "-OQ ... -X ..." and a closing quote followed by "@". /G inverts greediness.
# The rule is not bound to any URI, so it applies to every inspected request body; on a hit,
# identify the receiving application and check whether it passes the field to PHPMailer.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHPMailer command injection remote code execution attempt"; flow:to_server,established; content:"-oq"; fast_pattern; nocase; http_client_body; content:"-X"; within:100; http_client_body; content:"@"; within:100; http_client_body; pcre:"/\\[\x22\x27]\s+\-OQ.+\-X.+\s+.*\x5c?\x22\s*@/smiG"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-10033; reference:cve,2016-10034; reference:cve,2016-10045; reference:cve,2016-10074; reference:url,legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html; classtype:attempted-admin; sid:41106; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 hidden_lang_avi stack buffer overflow attempt"; flow:to_server,established; content:"/lang_check"; nocase; http_uri; content:"hidden_lang_avi="; nocase; http_client_body; isdataat:36,relative; content:!"&"; within:36; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-10174; reference:url,seclists.org/fulldisclosure/2016/Dec/72; classtype:attempted-admin; sid:41096; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 authentication bypass attempt"; flow:to_server,established; content:"/apply_noauth.cgi"; depth:17; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-10176; reference:url,seclists.org/fulldisclosure/2016/Dec/72; classtype:attempted-admin; sid:41095; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell SonicWall GMS WorkFlowServlet.class SQL injection attempt"; flow:to_server,established; content:"/sgms/workflow"; fast_pattern:only; http_uri; content:"ChangeOrderID="; nocase; http_uri; pcre:"/[?&](first|second)ChangeOrderID=[^&]*?\x27/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,support.sonicwall.com/product-notification/215257; classtype:web-application-attack; sid:41117; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell SonicWall GMS WorkFlowServlet.class SQL injection attempt"; flow:to_server,established; content:"/sgms/workflow"; fast_pattern:only; http_uri; content:"ChangeOrderID="; nocase; http_client_body; pcre:"/(^|&)(first|second)ChangeOrderID=[^&]*?(\x27|%27)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,support.sonicwall.com/product-notification/215257; classtype:web-application-attack; sid:41116; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell SonicWall GMS TaskViewServlet.class SQL injection attempt"; flow:to_server,established; content:"/sgms/TaskViewServlet"; fast_pattern:only; http_uri; content:"searchBySonicwall="; nocase; http_uri; pcre:"/[?&]searchBySonicwall=[^&]*?\x27/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,support.sonicwall.com/product-notification/215257; classtype:web-application-attack; sid:41115; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell SonicWall GMS TaskViewServlet.class SQL injection attempt"; flow:to_server,established; content:"/sgms/TaskViewServlet"; fast_pattern:only; http_uri; content:"searchBySonicwall="; nocase; http_client_body; pcre:"/(^|&)searchBySonicwall=[^&]*?(\x27|%27)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,support.sonicwall.com/product-notification/215257; classtype:web-application-attack; sid:41114; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell SonicWall GMS Logs.class SQL injection attempt"; flow:to_server,established; content:"/sgms/Logs"; fast_pattern:only; http_uri; content:"coDomainId="; nocase; http_uri; pcre:"/[?&]coDomainId=[^&]*?\x27/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,support.sonicwall.com/product-notification/215257; classtype:web-application-attack; sid:41113; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell SonicWall GMS Logs.class SQL injection attempt"; flow:to_server,established; content:"/sgms/Logs"; fast_pattern:only; http_uri; content:"coDomainId="; nocase; http_client_body; pcre:"/(^|&)coDomainId=[^&]*?(\x27|%27)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,support.sonicwall.com/product-notification/215257; classtype:web-application-attack; sid:41112; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SourceBans advsearch banlist cross site scripting attempt"; flow:to_server,established; content:"&p=banlist"; fast_pattern:only; http_uri; content:"advSearch="; nocase; http_uri; pcre:"/[?&]advSearch=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2015-8349; reference:url,packetstormsecurity.com/files/133854; classtype:attempted-user; sid:41119; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Lotus Domino srvnam.htm information disclosure attempt"; flow:to_server,established; content:"/srvnam.htm"; depth:11; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:url,www.ibm.com/support/entry/portal/product/collaboration_solutions/ibm_domino; classtype:attempted-recon; sid:41189; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Lotus Domino NSF database information disclosure attempt"; flow:to_server,established; content:".nsf"; fast_pattern:only; http_uri; pcre:"/^\x2F((archive|doc|help|iNotes|mail|mtdata|nntp|quickplace\x2Fquickplace|quickstart)\x2F)?[a-z0-9_]+\.nsf$/Ui"; metadata:policy max-detect-ips drop, service http; reference:url,www.ibm.com/support/docview.wss?uid=swg21675947; classtype:attempted-recon; sid:41188; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Lotus Domino BOX mailbox information disclosure attempt"; flow:to_server,established; content:".box"; fast_pattern:only; http_uri; pcre:"/^\x2F[a-z0-9_]+\.box$/Ui"; metadata:policy max-detect-ips drop, service http; reference:url,www.ibm.com/support/docview.wss?uid=swg21675947; classtype:attempted-recon; sid:41187; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud command injection attempt"; flow:to_server,established; content:"/web/google_analytics.php"; fast_pattern:only; http_uri; content:"cmd=set"; nocase; http_client_body; content:"arg"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; content:"isAdmin=1"; nocase; http_cookie; content:"username=admin"; nocase; http_cookie; content:"local_login=1"; nocase; http_cookie; pcre:"/name\s*=\s*[\x22\x27]?arg((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|\x24\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-10108; classtype:web-application-attack; sid:41349; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud command injection attempt"; flow:to_server,established; content:"/web/google_analytics.php"; fast_pattern:only; http_uri; content:"cmd=set"; nocase; http_client_body; content:"arg="; nocase; http_client_body; content:"isAdmin=1"; nocase; http_cookie; content:"username=admin"; nocase; http_cookie; content:"local_login=1"; nocase; http_cookie; pcre:"/(^|&)arg=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-10108; classtype:web-application-attack; sid:41348; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud command injection attempt"; flow:to_server,established; content:"/web/google_analytics.php"; fast_pattern:only; http_uri; content:"cmd=set"; nocase; http_raw_uri; content:"arg="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; content:"isAdmin=1"; nocase; http_cookie; content:"username=admin"; nocase; http_cookie; content:"local_login=1"; nocase; http_cookie; pcre:"/[?&]arg=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-10108; classtype:web-application-attack; sid:41347; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud command injection attempt"; flow:to_server,established; content:"/web/google_analytics.php"; fast_pattern:only; http_uri; content:"cmd=set"; nocase; http_uri; content:"arg="; nocase; http_uri; content:"isAdmin=1"; nocase; http_cookie; content:"username=admin"; nocase; http_cookie; content:"local_login=1"; nocase; http_cookie; pcre:"/[?&]arg=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-10108; classtype:web-application-attack; sid:41346; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Admin API ajax-actions.php directory traversal attempt"; flow:to_server,established; content:"/wp-admin/admin-ajax.php"; fast_pattern:only; http_uri; content:"plugin="; nocase; http_client_body; pcre:"/(^|&)plugin=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,92573; reference:cve,2016-6896; reference:cve,2016-6897; classtype:web-application-attack; sid:41355; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9201 (msg:"SERVER-WEBAPP Trihedral VTScada WAP URI null byte injection attempt"; flow:to_server,established; content:"/vts/WAP/"; depth:15; nocase; content:"%00"; distance:0; metadata:policy max-detect-ips drop, service http; reference:bugtraq,91077; reference:cve,2016-4532; reference:url,ics-cert.us-cert.gov/advisories/ICSA-16-159-01; classtype:web-application-attack; sid:41359; rev:1;)
# sid 41356 - Cisco Firepower Management Console local file include (CVE-2016-6435).
# Fires on an established client-to-server request whose normalized URI contains
# "/events/reports/view.cgi" and "files=" (case-insensitive) and whose raw URI
# contains the percent-encoded null byte "%00".
# NOTE(review): "%00" is matched anywhere in the raw URI, not specifically inside the
# files= value, so an encoded null byte in any other parameter of the same request
# also alerts. Only $HTTP_PORTS is inspected; if the console is reachable only over
# TLS, this rule sees nothing unless traffic is decrypted before the sensor - confirm
# for this deployment.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Firepower Management Console 6.0 local file include attempt"; flow:to_server,established; content:"/events/reports/view.cgi"; fast_pattern:only; http_uri; content:"files="; nocase; http_uri; content:"%00"; http_raw_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6435; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc2; classtype:web-application-attack; sid:41356; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Billion 5200W ADSL Router tools_time.asp command injection attempt"; flow:to_server,established; content:"/cgi-bin/tools_time.asp"; fast_pattern:only; http_uri; content:"uiViewSNTPServer="; nocase; http_client_body; pcre:"/(^|&)uiViewSNTPServer=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2017/Jan/40; classtype:web-application-attack; sid:41402; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Billion 5200W ADSL Router adv_remotelog.asp command injection attempt"; flow:to_server,established; content:"/cgi-bin/adv_remotelog.asp"; fast_pattern:only; http_uri; content:"syslogServerAddr="; nocase; http_client_body; pcre:"/(^|&)syslogServerAddr=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2017/Jan/40; classtype:web-application-attack; sid:41401; rev:2;)
# sid 41390 - serialized Java DiskFileItem object sent to a web server (CVE-2016-1000031).
# In the file_data buffer the rule looks for the bytes AC ED 00 05 (Java serialization
# stream header), then "DiskFileItem" within 55 bytes, "sizeThreshold" within 125,
# "dfos" within 100, and "|00 0C|java.io.File" anywhere after that.
# There is no URI or content-type restriction: any to-server flow on $HTTP_PORTS that
# carries this byte sequence alerts.
# Triage: the alert shows that such an object was sent, not that the target
# deserialized it; check whether the receiving application bundles the library
# version covered by the referenced CVE.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache Commons Library FileUpload unauthorized Java object upload attempt"; flow:to_server,established; file_data; content:"|AC ED 00 05|"; content:"DiskFileItem"; within:55; content:"sizeThreshold"; within:125; content:"dfos"; within:100; content:"|00 0C|java.io.File"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-1000031; reference:url,github.com/frohoff/ysoserial; classtype:attempted-user; sid:41390; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ZyXEL P660HN ADSL Router viewlog.asp command injection attempt"; flow:to_server,established; content:"/cgi-bin/ViewLog.asp"; fast_pattern:only; http_uri; content:"remote_host="; nocase; http_client_body; pcre:"/(^|&)remote_host=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2017/Jan/40; reference:url,www.zyxel.com/support/announcement_unauthenticated.shtml; classtype:web-application-attack; sid:41388; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ZyXEL P660HN ADSL Router logset.asp command injection attempt"; flow:to_server,established; content:"/cgi-bin/pages/maintenance/logSetting/logSet.asp"; fast_pattern:only; http_uri; content:"serverIP="; nocase; http_client_body; pcre:"/(^|&)serverIP=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2017/Jan/40; reference:url,www.zyxel.com/support/announcement_unauthenticated.shtml; classtype:web-application-attack; sid:41387; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP ZipArchive getFromIndex and getFromName integer overflow attempt"; flow:to_server,established; file_data; content:"PK|01 02|"; fast_pattern; content:"|00 00|"; within:2; distance:18; byte_test:4,>=,0x00FFFFFF,0,relative,little; metadata:policy max-detect-ips drop, service http; reference:cve,2016-3078; reference:url,bugs.php.net/bug.php?id=71923; classtype:attempted-admin; sid:41384; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP ZipArchive getFromIndex and getFromName integer overflow attempt"; flow:to_server,established; content:".php"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; content:"|00 00|"; within:2; distance:16; byte_test:4,>=,0x00FFFFFF,0,relative,little; metadata:policy max-detect-ips drop, service http; reference:cve,2016-3078; reference:url,bugs.php.net/bug.php?id=71923; classtype:attempted-admin; sid:41383; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla JCE multiple plugin arbitrary PHP file upload attempt"; flow:to_server,established; content:"option=com_jce"; fast_pattern:only; http_uri; content:"plugin="; nocase; http_uri; content:"<?"; http_client_body; metadata:service http; reference:url,joomlacontenteditor.net/index.php?option=com_content&view=article&id=567&catid=7&Itemid=121; classtype:attempted-user; sid:41404; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt"; flow:to_server,established; content:"/WaExlViewer/updateTemplate.aspx"; fast_pattern:only; http_uri; content:"template="; nocase; http_uri; pcre:"/[?&]template=[^&]*?\x27/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,95410; reference:cve,2017-5154; reference:url,ics-cert.us-cert.gov/advisories/ICSA-17-012-01; classtype:web-application-attack; sid:41455; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt"; flow:to_server,established; content:"/WaExlViewer/updateTemplate.aspx"; fast_pattern:only; http_uri; content:"template="; nocase; http_client_body; pcre:"/(^|&)template=[^&]*?(\x27|%27)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,95410; reference:cve,2017-5154; reference:url,ics-cert.us-cert.gov/advisories/ICSA-17-012-01; classtype:web-application-attack; sid:41454; rev:2;)
# sid 41446 - HTTP Basic authentication using a fixed vendor credential pair
# (CVE-2014-7993, CVE-2014-7994, CVE-2014-7995, CVE-2014-7999).
# Matches the exact header "Authorization: Basic bWZfdGVzdDptZl90ZXN0" in the
# http_header buffer; the Base64 value decodes to "mf_test:mf_test".
# Triage: the rule fires on the request alone. Use the response status (or the
# device's own authentication log) to tell a rejected attempt from an accepted login.
# The credential is only visible on cleartext HTTP or decrypted traffic.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Meraki default admin credentials attempt"; flow:to_server,established; content:"Authorization: Basic bWZfdGVzdDptZl90ZXN0"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2014-7993; reference:cve,2014-7994; reference:cve,2014-7995; reference:cve,2014-7999; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-admin; sid:41446; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt"; flow:to_server,established; content:".php"; http_uri; content:"O:"; fast_pattern; http_uri; pcre:"/O:\d+:\x22\w+\x22:\d+:.*s:(29|[3-9]\d|\d{3})\d+:/smiU"; metadata:service http; reference:cve,2016-7479; reference:url,bugs.php.net/bug.php?id=71311; classtype:attempted-admin; sid:41433; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt"; flow:to_server,established; content:".php"; fast_pattern:only; http_uri; content:"O:"; http_client_body; pcre:"/O:\d+:\x22\w+\x22:\d+:.*s:(29|[3-9]\d|\d{3})\d+:/smiP"; metadata:service http; reference:cve,2016-7479; reference:url,bugs.php.net/bug.php?id=71311; classtype:attempted-admin; sid:41432; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt"; flow:to_server,established; content:"DateInterval|22|:"; fast_pattern:only; http_uri; content:"O:"; http_uri; content:"x:i:0"; distance:0; nocase; http_uri; pcre:"/O:\d+:\x22DateInterval\x22:\d+:.*C:\d+:\x22\w+\x22:\d+:\x7b.*x:i:0.*\x3b\x3bm:r:/smiU"; metadata:service http; reference:cve,2016-7479; reference:url,bugs.php.net/bug.php?id=71311; classtype:attempted-admin; sid:41431; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt"; flow:to_server,established; content:"DateInterval|22|:"; fast_pattern:only; http_client_body; content:"O:"; http_client_body; content:"x:i:0"; distance:0; nocase; http_client_body; pcre:"/O:\d+:\x22DateInterval\x22:\d+:.*C:\d+:\x22\w+\x22:\d+:\x7b.*x:i:0.*\x3b\x3bm:r:/smiP"; metadata:service http; reference:cve,2016-7479; reference:url,bugs.php.net/bug.php?id=71311; classtype:attempted-admin; sid:41430; rev:1;)
# sids 41421 / 41420 - request for wp-config.php through a URI containing "../"
# (bugtraq 69497).
# Both rules require, in the normalized URI and in any order, "/wp-config.php", "../"
# and a WordPress directory: "/wp-admin/" (41421) or "/wp-content/" (41420). Only the
# directory match is marked nocase.
# NOTE(review): "../" has to survive into the http_uri buffer. Whether HTTP Inspect
# collapses traversal sequences in the path before this match depends on the
# preprocessor configuration - verify against the snort.conf shipped with this image.
# Only the URI is inspected; request bodies are not covered by these two sids.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress wp-config.php access via directory traversal attempt"; flow:to_server,established; content:"/wp-admin/"; nocase; http_uri; content:"/wp-config.php"; fast_pattern:only; http_uri; content:"../"; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,69497; classtype:web-application-attack; sid:41421; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress wp-config.php access via directory traversal attempt"; flow:to_server,established; content:"/wp-content/"; nocase; http_uri; content:"/wp-config.php"; fast_pattern:only; http_uri; content:"../"; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,69497; classtype:web-application-attack; sid:41420; rev:2;)
# sids 41496 / 41495 - WordPress REST API get_post authentication bypass (see the
# WordPress 4.7.2 security release at the reference URL).
# Both require "/wp-json/" in the URI and an id parameter whose value contains at
# least one character that is neither a digit nor "&". 41496 inspects the request
# body (pcre flag P); 41495 inspects the normalized URI (pcre flag U).
# NOTE(review): 41496's pcre expects "?" or "&" directly before "id=", so a body in
# which id= is the first parameter is not covered by this sid; the other body rules
# in this file anchor with (^|&) and /Pim. Do not edit the vendor sid in place - if
# that coverage is wanted, add a local copy under a local sid (1000000 or above).
# False positives: any /wp-json/ route that legitimately takes a non-numeric id. The
# metadata marks these as drop in every listed policy, including connectivity-ips,
# so test in alert mode before enforcing inline.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress get_post authentication bypass attempt"; flow:to_server,established; content:"/wp-json/"; fast_pattern:only; http_uri; content:"id="; nocase; http_client_body; pcre:"/[?&]id=[^&]*?[^\d&]/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,wordpress.org/news/2017/01/wordpress-4-7-2-security-release/; classtype:web-application-attack; sid:41496; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress get_post authentication bypass attempt"; flow:to_server,established; content:"/wp-json/"; fast_pattern:only; http_uri; content:"id="; nocase; http_uri; pcre:"/[?&]id=[^&]*?[^\d&]/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,wordpress.org/news/2017/01/wordpress-4-7-2-security-release/; classtype:web-application-attack; sid:41495; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sophos Web Security Appliance command injection attempt"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"blockip="; fast_pattern:only; http_uri; pcre:"/[?&](un)?blockip=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,95853; reference:cve,2016-9553; reference:url,swa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.1.html; classtype:web-application-attack; sid:41490; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sophos Web Security Appliance command injection attempt"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"blockip="; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&](un)?blockip=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,95853; reference:cve,2016-9553; reference:url,swa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.1.html; classtype:web-application-attack; sid:41489; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GitHub Enterprise pre-receive-hooks SQL injection attempt"; flow:to_server,established; content:"/pre-receive-hooks"; fast_pattern:only; http_uri; content:"/organizations/"; nocase; http_uri; content:"sort="; nocase; http_uri; pcre:"/[?&]sort=[^&]*?[\x28\x3b]/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blog.orange.tw/2017/01/bug-bounty-github-enterprise-sql-injection.html; classtype:web-application-attack; sid:41488; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP McAfee ePolicy Orchestrator data channel SQL injection attempt"; flow:to_server,established; content:"/dcRedirect/dataChannelMsg.dc"; fast_pattern:only; http_uri; content:"|01 00|"; depth:2; offset:2; http_client_body; byte_jump:1,9,relative; byte_jump:1,0,relative; byte_extract:1,0,guid_len,relative; content:"|27|"; within:guid_len; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-8027; reference:url,www.talosintelligence.com/reports/TALOS-2016-0229/; classtype:attempted-user; sid:41410; rev:3;)
# sid 41497 - JSON-body form of the WordPress REST API get_post authentication bypass
# check (see the WordPress 4.7.2 security release at the reference URL).
# Requires "/wp-json/" in the URI and the quoted key "id" in the request body
# (case-insensitive). The pcre then matches "id" : "<value>" where the double-quoted
# value contains at least one character that is not a digit.
# Only double-quoted string values are examined by this pattern.
# False positives: REST routes that legitimately accept a non-numeric string id. The
# metadata marks this as drop in every listed policy, including connectivity-ips, so
# test in alert mode before enforcing inline.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress get_post authentication bypass attempt"; flow:to_server,established; content:"/wp-json/"; fast_pattern:only; http_uri; content:"|22|id|22|"; nocase; http_client_body; pcre:"/\x22id\x22\s*\x3A\s*\x22[^\x22]*?[^\d\x22]/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,wordpress.org/news/2017/01/wordpress-4-7-2-security-release/; classtype:web-application-attack; sid:41497; rev:2;)
# alert tcp $HOME_NET any -> $HOME_NET any (msg:"SERVER-WEBAPP McAfee Virus Scan Linux url encoded bracket tag file poisoning attempt"; flow:to_server,established; content:"/0409/nails"; nocase; content:"%5B%25"; distance:0; content:"%25%5D"; distance:0; metadata:service http; reference:cve,2016-8017; classtype:web-application-attack; sid:41519; rev:1;)
# alert tcp $HOME_NET any -> $HOME_NET any (msg:"SERVER-WEBAPP McAfee Virus Scan Linux bracket tag file poisoning attempt"; flow:to_server,established; content:"/0409/nails"; nocase; content:"[%"; content:"%]"; distance:0; metadata:service http; reference:cve,2016-8017; classtype:web-application-attack; sid:41518; rev:1;)
# alert tcp $HOME_NET any -> $HOME_NET any (msg:"SERVER-WEBAPP McAfee Virus Scan Linux replace tag file poisoning attempt"; flow:to_server,established; content:"/0409/nails"; nocase; content:"__REPLACE_THIS__"; distance:0; nocase; metadata:service http; reference:cve,2016-8017; classtype:web-application-attack; sid:41517; rev:1;)
# sid 41516 - McAfee Virus Scan Linux file existence test (CVE-2016-8016).
# Raw-payload match (no HTTP buffer modifiers): "GET /0409/nails", "&tplt="
# (case-insensitive), and a pcre requiring the tplt value to contain two dots
# (literal or %2e) followed by a slash or backslash (literal, %2f or %5c), with the
# value terminated by "&" or whitespace.
# NOTE(review): the header is $HOME_NET any -> $HOME_NET any, i.e. internal-to-internal
# flows on any port. The other enabled McAfee rules in this file (sids 41521, 41681)
# use $EXTERNAL_NET -> $HOME_NET 55443, so requests that originate outside $HOME_NET
# are not covered by this sid. Confirm that this matches the sensor's placement and
# that east-west traffic actually reaches it.
alert tcp $HOME_NET any -> $HOME_NET any (msg:"SERVER-WEBAPP McAfee Virus Scan Linux file existence test attempt"; flow:to_server,established; content:"GET /0409/nails"; fast_pattern:only; content:"&tplt="; nocase; pcre:"/&tplt=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)[^&]*?(&|\s)/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-8016; classtype:web-application-attack; sid:41516; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear passwordrecovered.cgi insecure admin password disclosure attempt"; flow:to_server,established; content:"/passwordrecovered.cgi"; fast_pattern:only; http_uri; content:"id="; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,95457; reference:cve,2017-5521; reference:url,kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability; classtype:attempted-recon; sid:41504; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ZoneMinder file.php directory traversal attempt"; flow:to_server,established; content:"view=file"; fast_pattern:only; http_uri; content:"path="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]path=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-5595; reference:url,seclists.org/fulldisclosure/2017/Feb/11; classtype:web-application-attack; sid:41536; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-WEBAPP Broadwin WebAccess DOS attempt"; flow:to_server,established; content:"|05 00 16 02 7D E2 96 58 AF 98 B7 E0 47|"; isdataat:300,relative; metadata:policy security-ips drop; reference:cve,2012-0241; classtype:attempted-dos; sid:41535; rev:1;)
# sid 41521 - McAfee Virus Scan Linux cross site scripting (CVE-2016-8019).
# Applies to flows to TCP port 55443 only. Raw-payload match (no HTTP buffer
# modifiers): "/0409/nails", "&tplt=" and "&info:" (both case-insensitive), then a
# pcre requiring tplt to be nailsconfig.html or monitorhost.html and the info:5 or
# info:7 value to contain a quote, angle bracket or parenthesis (literal or
# percent-encoded) or one of the strings "script", "onload", "src".
# NOTE(review): the "." in the two template names is unescaped in the pcre and so
# matches any character; harmless for detection but looser than the msg implies.
# False positives: any info:5 / info:7 value containing the substring "src" or
# "script" alerts. If the interface on 55443 is served over TLS, the rule needs
# decrypted traffic to see the request - confirm for this deployment.
alert tcp $EXTERNAL_NET any -> $HOME_NET 55443 (msg:"SERVER-WEBAPP McAfee Virus Scan Linux cross site scripting attempt"; flow:to_server,established; content:"/0409/nails"; fast_pattern:only; content:"&tplt="; nocase; content:"&info|3A|"; nocase; pcre:"/&tplt=(nailsconfig.html|monitorhost.html)&.*?&info\x3A(5|7)=[^&\s\r\n]*?([\x22\x27\x3c\x3e\x28\x29]|%22|%27|%3C|%3E|%28|%29|script|onload|src)[^&\s\n\r]*?(&|\s)/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-8019; classtype:web-application-attack; sid:41521; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TP-LINK AC750 ping diagnostic command injection attempt"; flow:to_server,established; content:"IPPING_DIAG"; fast_pattern:only; http_client_body; content:"host="; nocase; http_client_body; pcre:"/^host=[^\r\n]*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2017/Feb/22; classtype:web-application-attack; sid:41642; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-WEBAPP Wordpress NextGEN gallery directory traversal attempt"; flow:to_server,established; content:"/?photocrati_ajax=1"; fast_pattern:only; nocase; http_uri; content:"nextgen_upload_image_sec="; nocase; http_client_body; content:"action=browse_folder"; nocase; http_client_body; content:"dir="; nocase; http_client_body; pcre:"/(^|&)dir=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:url,permalink.gmane.org/gmane.comp.security.oss.general/17650; classtype:attempted-recon; sid:41639; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-WEBAPP Wordpress NextGEN gallery directory traversal attempt"; flow:to_server,established; content:"/?photocrati_ajax=1"; fast_pattern:only; nocase; http_uri; content:"nextgen_upload_image_sec="; nocase; http_client_body; content:"action=browse_folder"; nocase; http_client_body; content:"dir="; nocase; http_client_body; pcre:"/dir\s*=\s*[\x22\x27]?a((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:service http; reference:url,permalink.gmane.org/gmane.comp.security.oss.general/17650; classtype:attempted-recon; sid:41638; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Geutebruck IP Camera testaction.cgi command injection attempt"; flow:to_server,established; content:"/uapi-cgi/viewer/testaction.cgi"; fast_pattern:only; http_uri; content:"ip="; nocase; http_uri; pcre:"/[?&]ip=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-5173; reference:cve,2017-5174; reference:url,ics-cert.us-cert.gov/advisories/ICSA-17-045-02; classtype:web-application-attack; sid:41654; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Geutebruck IP Camera testaction.cgi command injection attempt"; flow:to_server,established; content:"/uapi-cgi/viewer/testaction.cgi"; fast_pattern:only; http_uri; content:"ip="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]ip=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-5173; reference:cve,2017-5174; reference:url,ics-cert.us-cert.gov/advisories/ICSA-17-045-02; classtype:web-application-attack; sid:41653; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Geutebruck IP Camera testaction.cgi command injection attempt"; flow:to_server,established; content:"/uapi-cgi/viewer/testaction.cgi"; fast_pattern:only; http_uri; content:"ip="; nocase; http_client_body; pcre:"/(^|&)ip=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-5173; reference:cve,2017-5174; reference:url,ics-cert.us-cert.gov/advisories/ICSA-17-045-02; classtype:web-application-attack; sid:41652; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress Excerpt cross site scripting attempt"; flow:to_server,established; content:"/wp-admin/post.php"; fast_pattern:only; http_uri; content:"excerpt="; pcre:"/[?&]excerpt=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|%3C|%3E|script|onload|src)/i"; metadata:service http; reference:cve,2017-5612; classtype:attempted-user; sid:41650; rev:1;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER-WEBAPP Wordpress xmlrpc.php multiple failed authentication response"; flow:to_client,established; file_data; content:"<methodResponse>"; fast_pattern; nocase; content:"<array>"; within:100; nocase; content:"faultString"; within:250; nocase; content:"Incorrect username or password"; within:250; nocase; content:"Incorrect username or password"; within:250; nocase; content:"Incorrect username or password"; within:250; nocase; content:"Incorrect username or password"; within:250; nocase; metadata:service http; classtype:web-application-attack; sid:41643; rev:1;)
# sid 41681 - McAfee Virus Scan Linux remote code execution (CVE-2016-8020).
# Applies to flows to TCP port 55443 only. Raw-payload match, in order:
# "/0409/nails", then "&tplt=schedOnDemand.html&", then "scannerPath=" (all
# case-insensitive). It alerts when at least four bytes follow "scannerPath=" and
# those four bytes are not "/opt" (negated content, within:4).
# False positives: a scannerPath value that is sent percent-encoded (for example a
# leading "%2F") does not start with the literal bytes "/opt" and therefore alerts
# even when the path is the expected one. The metadata marks this as drop in the
# listed policies, so check how the management UI encodes this field before
# enforcing inline.
alert tcp $EXTERNAL_NET any -> $HOME_NET 55443 (msg:"SERVER-WEBAPP McAfee Virus Scan Linux remote code execution attempt"; flow:to_server,established; content:"/0409/nails"; nocase; content:"&tplt=schedOnDemand.html&"; distance:0; nocase; content:"scannerPath="; distance:0; nocase; isdataat:4,relative; content:!"/opt"; within:4; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-8020; classtype:web-application-attack; sid:41681; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro InterScan Web Security Appliance insecure configuration import attempt"; flow:to_server,established; content:"/com.trend.iwss.gui.servlet.ConfigBackup"; fast_pattern:only; http_uri; content:"import"; nocase; content:"packageName"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-9314; reference:url,success.trendmicro.com/solution/1116672; classtype:attempted-admin; sid:41678; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro InterScan Web Security Appliance insecure configuration export attempt"; flow:to_server,established; content:"/com.trend.iwss.gui.servlet.ConfigBackup"; fast_pattern:only; http_uri; content:"action="; nocase; pcre:"/action=(export|download)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-9314; reference:url,success.trendmicro.com/solution/1116672; classtype:attempted-recon; sid:41677; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear ReadyNAS np_handler command injection attempt"; flow:to_server,established; content:"/np_handler"; fast_pattern:only; http_uri; content:"SECTION="; nocase; http_client_body; pcre:"/(^|&)SECTION=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:service http; reference:cve,2013-2751; classtype:web-application-attack; sid:41672; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear ReadyNAS np_handler command injection attempt"; flow:to_server,established; content:"/np_handler"; fast_pattern:only; http_uri; content:"SECTION="; nocase; http_raw_uri; content:"%26"; http_raw_uri; pcre:"/[?&]SECTION=[^&]*?%26/Ii"; metadata:service http; reference:cve,2013-2751; classtype:web-application-attack; sid:41671; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear ReadyNAS np_handler command injection attempt"; flow:to_server,established; content:"/np_handler"; fast_pattern:only; http_uri; content:"SECTION="; nocase; http_uri; pcre:"/[?&]SECTION=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:service http; reference:cve,2013-2751; classtype:web-application-attack; sid:41670; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 55443 (msg:"SERVER-WEBAPP McAfee Virus Scan Linux unauthorized authentication token usage attempt"; flow:to_server,established; content:"/0409/nails"; fast_pattern:only; nocase; content:"Cookie|3A| nailsSessionId="; nocase; content:"pg=proxy"; nocase; content:"&tplt="; distance:0; nocase; pcre:"/Cookie: nailsSessionId=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\w*?\/\d*?\/\d{10}-checksum\/\/0?\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i"; metadata:service http; reference:cve,2016-8022; classtype:web-application-attack; sid:41692; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Siemens WinCC DoS attempt"; flow:to_server,established; content:"POST |FA|"; depth:6; metadata:service http; reference:url,w3.siemens.com/mcms/human-machine-interface/en/visualization-software/scada/simatic-wincc/pages/default.aspx; classtype:attempted-dos; sid:41691; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DotNetNuke installation attempt detected"; flow:to_server,established; content:"/Install/InstallWizard.aspx"; fast_pattern:only; http_uri; content:"executeinstall"; http_uri; metadata:ruleset community, service http; reference:cve,2015-2794; reference:url,www.exploit-db.com/exploits/39777; classtype:attempted-admin; sid:41713; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 55443 (msg:"SERVER-WEBAPP McAfee Virus Scan Linux http response splitting attempt"; flow:to_server,established; content:"/0409/nails"; nocase; content:"pg=proxy"; distance:0; nocase; content:"&tplt="; distance:0; nocase; content:"&info%3A0="; distance:0; nocase; pcre:"/&info%3A0=[^&]*?(%5Cr|%5Cn|%0d|%0a)/i"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-8024; classtype:web-application-attack; sid:41707; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt"; flow:to_server,established; content:"/ping.cgi"; nocase; http_uri; content:"ping_IPAddr="; fast_pattern:only; http_uri; pcre:"/[?&]ping_IPAddr=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6077; reference:url,seclists.org/fulldisclosure/2017/Feb/50; classtype:web-application-attack; sid:41700; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt"; flow:to_server,established; content:"/ping.cgi"; nocase; http_uri; content:"ping_IPAddr="; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]ping_IPAddr=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6077; reference:url,seclists.org/fulldisclosure/2017/Feb/50; classtype:web-application-attack; sid:41699; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt"; flow:to_server,established; content:"/ping.cgi"; nocase; http_uri; content:"ping_IPAddr="; fast_pattern:only; http_client_body; pcre:"/(^|&)ping_IPAddr=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6077; reference:url,seclists.org/fulldisclosure/2017/Feb/50; classtype:web-application-attack; sid:41698; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Avtech IP Camera machine.cgi information disclosure attempt"; flow:to_server,established; content:"/Machine.cgi"; nocase; http_uri; content:"/cgi-bin/"; nocase; http_uri; content:"action=get_capability"; fast_pattern:only; http_uri; pcre:"/^\x2fcgi-bin[^\n]*?(\x2fnobody|\x2ecab)/Uim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Oct/36; classtype:attempted-recon; sid:41697; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Avtech IP Camera cloudsetup.cgi command execution attempt"; flow:to_server,established; content:"/cgi-bin/supervisor/CloudSetup.cgi"; fast_pattern:only; http_uri; content:"exefile="; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Oct/36; classtype:attempted-admin; sid:41696; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Avtech IP Camera pwdgrp.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/supervisor/PwdGrp.cgi"; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&](user|pwd|grp)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Oct/36; classtype:attempted-admin; sid:41695; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Avtech IP Camera pwdgrp.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/supervisor/PwdGrp.cgi"; fast_pattern:only; http_uri; pcre:"/[?&](user|pwd|grp)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Oct/36; classtype:attempted-admin; sid:41694; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Avtech IP Camera adcommand.cgi command execution attempt"; flow:to_server,established; content:"/cgi-bin/supervisor/adcommand.cgi"; fast_pattern:only; http_uri; content:"DoShellCmd"; nocase; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Oct/36; classtype:attempted-admin; sid:41693; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"SERVER-WEBAPP Mikrotik Syslog Server DoS attempt"; flow:to_server,established; content:"<0>Apr19 10.0.0.2 badass: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; fast_pattern:only; reference:url,wiki.mikrotik.com/wiki/Main_Page; classtype:attempted-dos; sid:41721; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt"; flow:to_server,established; content:"/saveCert.imss"; fast_pattern:only; http_uri; pcre:"/[?&](countryCode|state|locality|org|orgUnit|commonName|emailAddress)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,pentest.blog/advisory-trend-micro-interscan-messaging-security-virtual-appliance-remote-code-execution; classtype:web-application-attack; sid:41735; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt"; flow:to_server,established; content:"/saveCert.imss"; fast_pattern:only; http_uri; pcre:"/(^|&)(countryCode|state|locality|org|orgUnit|commonName|emailAddress)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,pentest.blog/advisory-trend-micro-interscan-messaging-security-virtual-appliance-remote-code-execution; classtype:web-application-attack; sid:41734; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt"; flow:to_server,established; content:"/saveCert.imss"; fast_pattern:only; http_uri; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?(countryCode|state|locality|org|orgUnit|commonName|emailAddress)((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,pentest.blog/advisory-trend-micro-interscan-messaging-security-virtual-appliance-remote-code-execution; classtype:web-application-attack; sid:41733; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt"; flow:to_server,established; content:"/saveCert.imss"; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&](countryCode|state|locality|org|orgUnit|commonName|emailAddress)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,pentest.blog/advisory-trend-micro-interscan-messaging-security-virtual-appliance-remote-code-execution; classtype:web-application-attack; sid:41732; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress NextGEN Gallery SQL injection attempt"; flow:to_server,established; content:"/nggallery/"; fast_pattern:only; http_uri; content:"%25"; http_raw_uri; pcre:"/%25(1|%31)(\x24|%24)/I"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blog.sucuri.net/2017/02/sql-injection-vulnerability-nextgen-gallery-wordpress.html; classtype:web-application-attack; sid:41770; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WP_Query plugin SQL injection attempt"; flow:to_server,established; content:"wp-includes/class-wp-query.php"; fast_pattern:only; http_uri; content:"post_type="; nocase; http_client_body; pcre:"/(^|&)post_type=[^&]*?([\x27\x3b]|%27|%3b)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,95816; reference:cve,2017-5611; reference:url,openwall.com/lists/oss-security/2017/01/28/5; classtype:web-application-attack; sid:41769; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WP_Query plugin SQL injection attempt"; flow:to_server,established; content:"wp-includes/class-wp-query.php"; fast_pattern:only; http_uri; content:"post_type"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?post_type((?!^--).)*?[\r\n]{2,}((?!^--).)*?[\x27\x3b]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,95816; reference:cve,2017-5611; reference:url,openwall.com/lists/oss-security/2017/01/28/5; classtype:web-application-attack; sid:41768; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WP_Query plugin SQL injection attempt"; flow:to_server,established; content:"wp-includes/class-wp-query.php"; fast_pattern:only; http_uri; content:"post_type="; nocase; http_uri; pcre:"/[?&]post_type=[^&]*?[\x27\x3b]/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,95816; reference:cve,2017-5611; reference:url,openwall.com/lists/oss-security/2017/01/28/5; classtype:web-application-attack; sid:41767; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt"; flow:to_server,established; content:"/dnslookup.cgi"; fast_pattern:only; http_uri; content:"host_name="; nocase; http_uri; pcre:"/[?&]host_name=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6334; classtype:web-application-attack; sid:41751; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt"; flow:to_server,established; content:"/dnslookup.cgi"; fast_pattern:only; http_uri; content:"host_name="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]host_name=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6334; classtype:web-application-attack; sid:41750; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt"; flow:to_server,established; content:"/dnslookup.cgi"; fast_pattern:only; http_uri; content:"host_name="; nocase; http_client_body; pcre:"/(^|&)host_name=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6334; classtype:web-application-attack; sid:41749; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt"; flow:to_server,established; content:"/dnslookup.cgi"; fast_pattern:only; http_uri; content:"host_name"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?host_name((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6334; classtype:web-application-attack; sid:41748; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP carel plantvisor directory traversal exploitation attempt"; flow:to_server, established; content:"/Index.htm"; fast_pattern:only; http_uri; content:"INI%3A"; http_client_body; pcre:"/INI%3A.*?(\x2E|%2E){2}([\x2F\x5C]|%2F|%5C)/Pm"; metadata:service http; reference:url,carelusa.com/product/plantvisor; classtype:web-application-attack; sid:41785; rev:1;)
# sids 41782 and 41781: CAREL PlantVisorPRO LogsReader.jsp directory traversal.
# Both rules share the same header and content checks and differ only in the
# final pcre:
#   - direction: established client-to-server flows from $EXTERNAL_NET to
#     $HOME_NET on $HTTP_PORTS (metadata: service http)
#   - URI contains /PlantVisorPRO/arch/manager/LogsReader.jsp (nocase; this is
#     the fast pattern)
#   - request body contains all of cmd=, ftype=, fname= and fileToList= (nocase)
# The P flag runs each pcre against the unnormalized request body, so
# percent-encoded bytes are seen as sent.
# Metadata lists both sids as "drop" in the balanced-ips, max-detect-ips and
# security-ips policies; the action written in this file is "alert".
# The only reference is a vendor product URL; no CVE is cited.
#
# sid 41782: "fname" followed later by a literal "../" or "..\". The (?!^--)
# lookahead keeps the match from crossing a line that starts with "--"
# (presumably a multipart boundary, i.e. this variant targets multipart
# bodies - confirm). Only literal dots and slashes are matched here.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP carel plantvisorpro3 directory traversal attempt"; flow:to_server, established; content:"/PlantVisorPRO/arch/manager/LogsReader.jsp"; fast_pattern:only; nocase; http_uri; content:"cmd="; nocase; http_client_body; content:"ftype="; nocase; http_client_body; content:"fname="; nocase; http_client_body; content:"fileToList="; nocase; http_client_body; pcre:"/fname((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,carel.com/product/plantvisorpro; classtype:web-application-attack; sid:41782; rev:2;)
# sid 41781: url-encoded form variant. Matches an fname= parameter at the
# start of a line or after "&" whose value (up to the next "&") contains two
# dots, each literal or %2e, followed by "/" or "\" written literally or as
# %2f / %5c (case-insensitive).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP carel plantvisorpro3 directory traversal attempt"; flow:to_server, established; content:"/PlantVisorPRO/arch/manager/LogsReader.jsp"; fast_pattern:only; nocase; http_uri; content:"cmd="; nocase; http_client_body; content:"ftype="; nocase; http_client_body; content:"fname="; nocase; http_client_body; content:"fileToList="; nocase; http_client_body; pcre:"/(^|&)(fname)=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,carel.com/product/plantvisorpro; classtype:web-application-attack; sid:41781; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NetGain Enterprise Manager arbitrary command execution attempt"; flow:to_server,established; content:"/u/jsp/tools/exec.jsp"; fast_pattern:only; http_uri; content:"command="; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploit-db.com/exploits/41499/; classtype:attempted-admin; sid:41815; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NetGain Enterprise Manager arbitrary command execution attempt"; flow:to_server,established; content:"/u/jsp/tools/exec.jsp"; fast_pattern:only; http_uri; content:"argument="; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploit-db.com/exploits/41499/; classtype:attempted-admin; sid:41814; rev:2;)
# sid 41813: PHPMailer command injection / remote code execution attempt
# (references CVE-2016-10033, CVE-2016-10034, CVE-2016-10045, CVE-2016-10074
# and the legalhackers.com advisory).
# Fires on established client-to-server flows to $HOME_NET on $HTTP_PORTS when:
#   - the request body contains "-oq" (nocase; used as the fast pattern)
#   - "-X" (case-sensitive) occurs in the body within 100 bytes after that match
#   - the pcre finds %22 or %27, then "-oq", then "-X", then %22 or %27
#     immediately followed by %40 (flags: s = dot matches newline,
#     i = case-insensitive, m = multiline, G = inverted greediness, so the
#     ".+" runs are lazy)
# NOTE(review): the pcre has no HTTP buffer flag (P/U/I/...), so it is
# presumably evaluated against the raw payload rather than the
# http_client_body buffer - confirm against the Snort 2 manual.
# NOTE(review): there is no http_uri constraint, so any request body on
# $HTTP_PORTS carrying this byte pattern will match regardless of the target
# application; confirm PHPMailer exposure before treating a hit as
# high-confidence.
# Metadata lists the sid as "drop" in the balanced-ips, max-detect-ips and
# security-ips policies; the action written in this file is "alert".
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHPMailer command injection remote code execution attempt"; flow:to_server,established; content:"-oq"; fast_pattern; nocase; http_client_body; content:"-X"; within:100; http_client_body; pcre:"/(%22|%27).+\-oq.+-X.+(%22|%27)%40/smiG"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-10033; reference:cve,2016-10034; reference:cve,2016-10045; reference:cve,2016-10074; reference:url,legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html; classtype:attempted-admin; sid:41813; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt"; flow:to_server,established; content:"/CliMonitorReportServlet"; fast_pattern:only; http_uri; content:"filename="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]filename=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,95691; reference:cve,2016-8207; reference:url,www.brocade.com/content/dam/common/documents/content-types/security-bulletin/brocade-security-advisory-2016-180.htm; classtype:web-application-attack; sid:41790; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Plugins Simple Ads Manager information disclosure attempt"; flow:to_server,established; content:"/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php"; fast_pattern:only; http_uri; content:"action="; nocase; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2015-2826; classtype:web-application-attack; sid:41826; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Plugins Simple Ads Manager information disclosure attempt"; flow:to_server,established; content:"/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php"; fast_pattern:only; http_uri; content:"action="; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2015-2826; classtype:web-application-attack; sid:41825; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5054 (msg:"SERVER-WEBAPP Reprise License Manager diagnostics_doit outputfile directory traversal attempt"; flow:to_server,established; content:"/goform/diagnostics_doit"; depth:30; nocase; content:"outputfile="; nocase; pcre:"/outputfile=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/i"; metadata:policy max-detect-ips drop, service http; classtype:web-application-attack; sid:41820; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP generic SQL select statement possible sql injection"; flow:established,to_server; content:"select * from"; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1190; classtype:web-application-attack; sid:41817; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_server,established; file_data; content:"<?xml"; depth:100; content:"<String"; nocase; content:"Content"; within:200; nocase; content:!">"; within:512; pcre:"/<String[^>]*?Content\d\s*=[\x22\x27][^\x22\x27]{512}/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41881; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_server,established; file_data; content:"<?xml"; depth:100; content:"<ScreenSet"; nocase; content:"ScrnName"; distance:0; nocase; content:!">"; within:128; pcre:"/<ScreenSet.*?ScrnName\s*=[\x22\x27][^\x22\x27]{128}/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41880; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_server,established; file_data; content:"<?xml"; depth:100; content:"<ScreenSet"; nocase; content:"ScrnFile"; distance:0; nocase; content:!">"; within:64; pcre:"/<ScreenSet.*?ScrnFile\s*=[\x22\x27][^\x22\x27]{64}/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41879; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_server,established; file_data; content:"<?xml"; depth:100; content:"<PLC"; nocase; content:"Type"; within:200; nocase; content:!">"; within:128; pcre:"/<PLC[^>]*?Type\s*=[\x22\x27][^\x22\x27]{128}/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41878; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_server,established; file_data; content:"<?xml"; depth:100; content:"<HmiSet"; nocase; content:"Type"; within:200; nocase; content:!">"; within:520; pcre:"/<HmiSet[^>]*?Type\s*=[\x22\x27][^\x22\x27]{520}/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41877; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_server,established; file_data; content:"<?xml"; depth:100; content:"<HmiSet"; nocase; content:"Style"; within:100; nocase; content:!">"; within:64; pcre:"/<HmiSet[^>]*?Style\s*=[\x22\x27][^\x22\x27]{64}/i"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41876; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_server,established; file_data; content:"<?xml"; depth:100; content:"<CommSet"; nocase; content:"Port"; within:200; nocase; content:!">"; within:64; pcre:"/<CommSet[^>]*?Port\s*=[\x22\x27][^\x22\x27]{64}/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41875; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_server,established; file_data; content:"<?xml"; depth:100; content:"<BaseSet"; nocase; content:"ScrIDWordAddr"; within:200; nocase; content:!">"; within:64; pcre:"/<BaseSet[^>]*?ScrIDWordAddr\s*=[\x22\x27][^\x22\x27]{64}/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41874; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_server,established; file_data; content:"<?xml"; depth:100; content:"<BaseSet"; nocase; content:"HMINAME"; within:200; nocase; content:!">"; within:64; pcre:"/<BaseSet[^>]*?HMINAME\s*=[\x22\x27][^\x22\x27]{64}/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41873; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_server,established; file_data; content:"<?xml"; depth:100; content:"<BaseSet"; nocase; content:"EnterTime"; within:200; nocase; content:!">"; within:520; pcre:"/<BaseSet[^>]*?EnterTime\s*=[\x22\x27][^\x22\x27]{520}/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41872; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_server,established; file_data; content:"<?xml"; depth:100; content:"<BaseSet"; nocase; content:"CurScrIdAddr"; within:200; nocase; content:!">"; within:64; pcre:"/<BaseSet[^>]*?CurScrIdAddr\s*=[\x22\x27][^\x22\x27]{64}/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41871; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_server,established; file_data; content:"<?xml"; depth:100; content:"<BaseSet"; nocase; content:"BgOnOffBitAddr"; within:200; nocase; content:!">"; within:64; pcre:"/<BaseSet[^>]*?BgOnOffBitAddr\s*=[\x22\x27][^\x22\x27]{64}/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41870; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_server,established; file_data; content:"<?xml"; depth:100; content:"<Address"; nocase; content:"Name"; within:200; nocase; content:!">"; within:64; pcre:"/<Address[^>]*?Name\s*=[\x22\x27][^\x22\x27]{64}/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41869; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_client,established; file_data; content:"<?xml"; depth:100; content:"<String"; nocase; content:"Content"; within:200; nocase; content:!">"; within:512; pcre:"/<String[^>]*?Content\d\s*=[\x22\x27][^\x22\x27]{512}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41868; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_client,established; file_data; content:"<?xml"; depth:100; content:"<ScreenSet"; nocase; content:"ScrnName"; distance:0; nocase; content:!">"; within:128; pcre:"/<ScreenSet.*?ScrnName\s*=[\x22\x27][^\x22\x27]{128}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41867; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_client,established; file_data; content:"<?xml"; depth:100; content:"<ScreenSet"; nocase; content:"ScrnFile"; distance:0; nocase; content:!">"; within:64; pcre:"/<ScreenSet.*?ScrnFile\s*=[\x22\x27][^\x22\x27]{64}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41866; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_client,established; file_data; content:"<?xml"; depth:100; content:"<PLC"; nocase; content:"Type"; within:200; nocase; content:!">"; within:128; pcre:"/<PLC[^>]*?Type\s*=[\x22\x27][^\x22\x27]{128}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41865; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_client,established; file_data; content:"<?xml"; depth:100; content:"<HmiSet"; nocase; content:"Type"; within:200; nocase; content:!">"; within:520; pcre:"/<HmiSet[^>]*?Type\s*=[\x22\x27][^\x22\x27]{520}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41864; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_client,established; file_data; content:"<?xml"; depth:100; content:"<HmiSet"; nocase; content:"Style"; within:100; nocase; content:!">"; within:64; pcre:"/<HmiSet[^>]*?Style\s*=[\x22\x27][^\x22\x27]{64}/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41863; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_client,established; file_data; content:"<?xml"; depth:100; content:"<CommSet"; nocase; content:"Port"; within:200; nocase; content:!">"; within:64; pcre:"/<CommSet[^>]*?Port\s*=[\x22\x27][^\x22\x27]{64}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41862; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_client,established; file_data; content:"<?xml"; depth:100; content:"<BaseSet"; nocase; content:"ScrIDWordAddr"; within:200; nocase; content:!">"; within:64; pcre:"/<BaseSet[^>]*?ScrIDWordAddr\s*=[\x22\x27][^\x22\x27]{64}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41861; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_client,established; file_data; content:"<?xml"; depth:100; content:"<BaseSet"; nocase; content:"HMINAME"; within:200; nocase; content:!">"; within:64; pcre:"/<BaseSet[^>]*?HMINAME\s*=[\x22\x27][^\x22\x27]{64}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41860; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_client,established; file_data; content:"<?xml"; depth:100; content:"<BaseSet"; nocase; content:"EnterTime"; within:200; nocase; content:!">"; within:520; pcre:"/<BaseSet[^>]*?EnterTime\s*=[\x22\x27][^\x22\x27]{520}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41859; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_client,established; file_data; content:"<?xml"; depth:100; content:"<BaseSet"; nocase; content:"CurScrIdAddr"; within:200; nocase; content:!">"; within:64; pcre:"/<BaseSet[^>]*?CurScrIdAddr\s*=[\x22\x27][^\x22\x27]{64}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41858; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_client,established; file_data; content:"<?xml"; depth:100; content:"<BaseSet"; nocase; content:"BgOnOffBitAddr"; within:200; nocase; content:!">"; within:64; pcre:"/<BaseSet[^>]*?BgOnOffBitAddr\s*=[\x22\x27][^\x22\x27]{64}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41857; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP WECON LeviStudio multiple xml parameter overflows attempt"; flow:to_client,established; file_data; content:"<?xml"; depth:100; content:"<Address"; nocase; content:"Name"; within:200; nocase; content:!">"; within:64; pcre:"/<Address[^>]*?Name\s*=[\x22\x27][^\x22\x27]{64}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4533; reference:cve,2016-5781; classtype:attempted-admin; sid:41856; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache Struts URL validator denial of service attempt"; flow:to_server,established; content:"tp://"; nocase; http_client_body; content:"/////"; within:100; http_client_body; pcre:"/(https?|ftp)\x3a\x2f\x2f[^&\x0d\x0a=]*?(\x2f){5}/Pi"; metadata:policy max-detect-ips drop, service http; reference:cve,2016-4465; reference:url,cwiki.apache.org/confluence/display/WW/S2-041; classtype:web-application-attack; sid:41850; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP pfSense status_rrd_graph_img.php command injection via CSRF attempt"; flow:to_client,established; file_data; content:"/status_rrd_graph_img.php"; fast_pattern:only; content:"graph="; nocase; pcre:"/[?&]graph=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/i"; metadata:policy max-detect-ips drop, service http; reference:url,www.pfsense.org/security/advisories/pfSense-SA-16_01.webgui.asc; classtype:web-application-attack; sid:41845; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpFileManager cmd parameter command injection attempt"; flow:to_server,established; content:"action=9"; fast_pattern:only; http_client_body; content:"/index.php"; http_uri; content:"cmd="; nocase; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5958; reference:url,www.securityfocus.com/archive/1/536117; classtype:web-application-attack; sid:41844; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpFileManager cmd parameter command injection attempt"; flow:to_server,established; content:"action=6"; fast_pattern:only; http_client_body; content:"/index.php"; http_uri; content:"cmd="; nocase; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5958; reference:url,www.securityfocus.com/archive/1/536117; classtype:web-application-attack; sid:41843; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpFileManager cmd parameter command injection attempt"; flow:to_server,established; content:"action=9"; fast_pattern:only; http_uri; content:"/index.php"; http_uri; content:"cmd="; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5958; reference:url,www.securityfocus.com/archive/1/536117; classtype:web-application-attack; sid:41842; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpFileManager cmd parameter command injection attempt"; flow:to_server,established; content:"action=6"; fast_pattern:only; http_uri; content:"/index.php"; http_uri; content:"cmd="; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5958; reference:url,www.securityfocus.com/archive/1/536117; classtype:web-application-attack; sid:41841; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8085 (msg:"SERVER-WEBAPP PAESSLER PRTG DoS attempt"; flow:to_server,established; content:"GET ?%"; depth:6; metadata:service http; reference:url,www.paessler.com/prtg/download; classtype:attempted-dos; sid:41921; rev:1;)
# sid 41920 (disabled): rate-based rule. The content matches select requests to /0409/nails that carry a
# nailsSessionId cookie plus pg=proxy and a later &tplt= parameter; detection_filter then limits events to a
# single source that exceeds 25 such requests within 5 seconds. Slower guessing never produces an event, so
# if this rule is enabled, review count/seconds against the normal request rate for this interface.
# NOTE(review): the port is fixed at 55443 and the match is on raw payload; if that service is TLS-wrapped
# in your deployment the sensor needs decrypted traffic for this to fire - confirm.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 55443 (msg:"SERVER-WEBAPP McAfee Virus Scan Linux authentication token brute force attempt"; flow:to_server,established,no_stream; content:"/0409/nails"; fast_pattern:only; nocase; content:"Cookie|3A| nailsSessionId="; nocase; content:"pg=proxy"; nocase; content:"&tplt="; distance:0; nocase; detection_filter:track by_src, count 25, seconds 5; metadata:service http; reference:cve,2016-8023; reference:url,attack.mitre.org/techniques/T1110; classtype:web-application-attack; sid:41920; rev:3;)
# sid 41919 (disabled): request to RCmdComm2.jsp under /PlantVisorPRO/arch/manager/ with a jsessionid in the
# URI, where the body's sqlcommand= value contains ';' (or %3b) followed by at least two more characters
# before &sqlresult=.
# NOTE(review): content:"jsessionid=" appears twice with no distance/within on the second copy, so both are
# satisfied by the same bytes; it does not require two occurrences. The sibling rules sid 41918 and 41916
# carry it once. This is a vendor rule: if a cleaned-up copy is wanted, keep this line as shipped and put the
# variant in the local rules file under a locally assigned sid.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Carel PlantVisorPRO malicious sql query attempt - RCmdComm2"; flow:to_server, established; content:"/PlantVisorPRO/arch/manager/"; fast_pattern:only; nocase; http_uri; content:"RCmdComm2.jsp"; nocase; http_uri; content:"jsessionid="; nocase; http_uri; content:"jsessionid="; nocase; http_uri; content:"sqlcommand="; nocase; http_client_body; content:"sqlresult="; nocase; http_client_body; pcre:"/(^|&)sqlcommand=[^&]*?(\x3b|%3b)[^&]{2,}&sqlresult=/Pim"; metadata:service http; reference:url,carelusa.com/product/plantvisorpro; classtype:web-application-attack; sid:41919; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Carel PlantVisorPRO malicious sql query attempt - RCmdComm"; flow:to_server, established; content:"/PlantVisorPRO/arch/manager/"; fast_pattern:only; nocase; http_uri; content:"RCmdComm.jsp"; nocase; http_uri; content:"jsessionid="; nocase; http_uri; content:"sqlcommand="; nocase; http_client_body; content:"sqlresult="; nocase; http_client_body; pcre:"/(^|&)sqlcommand=[^&]*?(\x3b|%3b)[^&]{2,}&sqlresult=/Pim"; metadata:service http; reference:url,carelusa.com/product/plantvisorpro; classtype:web-application-attack; sid:41918; rev:1;)
# sid 41917 (enabled): request from $EXTERNAL_NET to a URI containing /PlantVisorPRO/arch/manager/ whose body
# holds both param1=debug and param2=pvprod3bug (case-insensitive; the two contents are not ordered relative
# to each other). The msg labels this pair a default login.
# The rule sees the request only. Before escalating, confirm from the response or the application's own logs
# whether the login succeeded, and check whether this management path should be reachable from $EXTERNAL_NET
# at all. The metadata marks the rule "drop" under the balanced-ips, max-detect-ips and security-ips policies;
# whether traffic is actually blocked depends on the sensor running inline with one of those policies applied.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Carel PlantVisorPRO default login attempt"; flow:to_server, established; content:"/PlantVisorPRO/arch/manager/"; fast_pattern:only; nocase; http_uri; content:"param1=debug"; nocase; http_client_body; content:"param2=pvprod3bug"; nocase; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1078; reference:url,carelusa.com/product/plantvisorpro; classtype:web-application-attack; sid:41917; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Carel PlantVisorPRO malicious sql query attempt - DBCommander"; flow:to_server, established; content:"/PlantVisorPRO/arch/manager/"; fast_pattern:only; nocase; http_uri; content:"DBCommander.jsp"; nocase; http_uri; content:"jsessionid="; nocase; http_uri; content:"sqlcommand="; nocase; http_client_body; content:"sqlresult="; nocase; http_client_body; pcre:"/(^|&)sqlcommand=[^&]*?(\x3b|%3b)[^&]{2,}&sqlresult=/Pim"; metadata:service http; reference:url,carelusa.com/product/plantvisorpro; classtype:web-application-attack; sid:41916; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Plugin RevSlider file upload attempt"; flow:to_server,established; content:"/wp-admin/admin-ajax.php"; fast_pattern:only; http_uri; content:"Content-Disposition:"; nocase; http_client_body; content:"|22|client_action|22|"; within:50; http_client_body; content:"Content-Disposition:"; distance:0; nocase; http_client_body; content:"|22|update_file|22|"; within:50; nocase; http_client_body; file_data; content:"<?php"; depth:5; metadata:service http; reference:cve,2014-9735; classtype:web-application-attack; sid:41914; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 57772 (msg:"SERVER-WEBAPP InterSystem Cache DOS attempt"; flow:to_server,established; content:"GET ???????????"; depth:15; metadata:service http; reference:url,intersystems.com/our-products/cache/cache-overview; classtype:web-application-attack; sid:41913; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Logsign JSON API validate_file command injection attempt"; flow:to_server,established; content:"/api/log_browser/validate"; fast_pattern:only; http_uri; content:"|22|file|22|"; nocase; http_client_body; pcre:"/\x22file\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,support.logsign.net/hc/en-us/articles/115001174783-V-4-4-167-Release-Notes-27-02-2017; classtype:attempted-admin; sid:42005; rev:2;)
# sid 42048 (enabled): request from $EXTERNAL_NET to /cgi-bin/dna/sysAdmin.cgi whose body contains
# Action=executeCmd and executeCmdData= (case-insensitive). The value of executeCmdData is not inspected, so
# the rule flags every use of this action from outside, not a particular payload.
# Triage on the source address and on what the host did immediately afterwards; the request alone does not
# show whether the command ran. See the CVE and CERT references on the rule for the affected product details.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP dnaLIMS sysAdmin.cgi arbitrary command execution attempt"; flow:to_server,established; content:"/cgi-bin/dna/sysAdmin.cgi"; fast_pattern:only; http_uri; content:"Action=executeCmd"; nocase; http_client_body; content:"executeCmdData="; nocase; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,96823; reference:cve,2017-6526; reference:url,www.kb.cert.org/vuls/id/929263; classtype:attempted-admin; sid:42048; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress embedded URL video cross site scripting attempt"; flow:to_server,established; content:"POST"; http_method; content:"/wp-admin/admin-ajax.php"; fast_pattern:only; http_uri; content:"shortcode="; nocase; http_client_body; pcre:"/[?&]shortcode=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Pi"; metadata:service http; classtype:attempted-user; sid:42043; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress Press-This cross site request forgery attempt"; flow:to_server,established; content:"/wp-admin/press-this.php"; fast_pattern:only; http_uri; content:"u="; http_uri; content:!"_wpnonce"; http_uri; metadata:service http; reference:cve,2017-6819; reference:url,wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/; classtype:denial-of-service; sid:42042; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP dnaLIMS viewAppletFsa.cgi directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/dna/viewAppletFsa.cgi"; fast_pattern:only; http_uri; content:"seqID="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]seqID=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:bugtraq,96823; reference:cve,2017-6527; reference:cve,2017-6528; reference:url,www.kb.cert.org/vuls/id/929263; classtype:web-application-attack; sid:42050; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP dnaLIMS viewAppletFsa.cgi directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/dna/viewAppletFsa.cgi"; fast_pattern:only; http_uri; content:"seqID="; nocase; http_client_body; pcre:"/(^|&)seqID=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:bugtraq,96823; reference:cve,2017-6527; reference:cve,2017-6528; reference:url,www.kb.cert.org/vuls/id/929263; classtype:web-application-attack; sid:42049; rev:1;)
# sid 42072 (disabled): the content is the eight literal characters backslash-x-0-d-backslash-x-0-a (|5C| is
# the backslash byte), searched for in the HTTP header buffer. It is not a match on raw CR LF bytes.
# NOTE(review): file_data precedes a content that is bound to http_header, so file_data presumably has no
# effect on this match - confirm before reusing the pattern in a local rule.
# NOTE(review): msg describes a denial of service while classtype is web-application-attack; the classtype is
# what drives event priority, so check it matches how this event should be ranked locally.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Aultware pwStore denial of service attempt"; flow:to_server, established; file_data; content:"|5C|x0d|5C|x0a"; fast_pattern:only; http_header; metadata:service http; reference:cve,2013-5657; classtype:web-application-attack; sid:42072; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress plugin arbitrary file deletion attempt"; flow:to_server,established; content:"/wp-admin/admin-ajax.php"; fast_pattern:only; http_uri; content:"plugin="; nocase; http_client_body; content:"action=delete"; nocase; http_client_body; metadata:service http; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; reference:url,wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/; classtype:web-application-attack; sid:42066; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1974,1975] (msg:"SERVER-WEBAPP xArrow null pointer denial of service exploitation attempt"; flow:to_server, established; content:"|EB 90 EB 90 EB 90 A3 A3 A3 A3 38 5C 5C 5C 55 8B CC B7|"; depth:18; reference:cve,2012-2426; reference:url,ics-cert.us-cert.gov/advisories/ICSA-12-145-02; reference:url,ics-cert.us-cert.gov/alerts/ICS-ALERT-12-065-01; classtype:attempted-dos; sid:42063; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1974,1975] (msg:"SERVER-WEBAPP xArrow heap corruption exploitation attempt"; flow:to_server, established; content:"|EB 90 EB 90 EB 90 54 5C 5C 5C 5C 5C 5C 5C 55 8B CC B7|"; depth:18; reference:cve,2012-2427; reference:url,ics-cert.us-cert.gov/advisories/ICSA-12-145-02; reference:url,ics-cert.us-cert.gov/alerts/ICS-ALERT-12-065-01; classtype:attempted-dos; sid:42062; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 directory traversal attempt"; flow:to_server,established; file_data; content:"/cgi-bin/read.cgi"; fast_pattern:only; http_uri; content:"page="; nocase; pcre:"/page=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/i"; metadata:service http; reference:cve,2010-4730; reference:url,ics-cert.us-cert.gov/advisories/ICSA-10-316-01A; reference:url,ics-cert.us-cert.gov/alerts/ICS-ALERT-10-293-01; classtype:web-application-attack; sid:42095; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 information gathering attempt"; flow:to_server,established; file_data; content:"/cgi-bin/read.cgi"; http_uri; content:"file="; distance:0; http_uri; content:"/home/config/users.cfg"; distance:0; http_uri; metadata:service http; reference:cve,2010-4731; reference:url,ics-cert.us-cert.gov/advisories/ICSA-10-316-01A; reference:url,ics-cert.us-cert.gov/alerts/ICS-ALERT-10-293-01; classtype:web-application-attack; sid:42094; rev:2;)
# sid 42110 (disabled): matches "If: " (case-insensitive) followed by at least 130 more bytes with no CR LF
# inside those 130 bytes, i.e. an If header value longer than 130 bytes. The contents carry no HTTP buffer
# modifier, so the match is on raw request payload and is not tied to a method or to the start of a header
# line.
# NOTE(review): clients that legitimately send long If header values would presumably match as well; if this
# rule is enabled, baseline it against the hosts in $HOME_NET that actually expose the affected service.
# The metadata assigns "drop" only under the max-detect-ips policy.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft IIS ScStoragePathFromUrl function buffer overflow attempt"; flow:to_server,established; content:"If|3A 20|"; nocase; isdataat:130,relative; content:!"|0D 0A|"; within:130; metadata:policy max-detect-ips drop, service http; reference:bugtraq,97127; reference:cve,2017-7269; classtype:attempted-admin; sid:42110; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP EyesOfNetwork module command injection attempt"; flow:to_server,established; content:"/module/index.php"; fast_pattern:only; http_uri; content:"module="; nocase; http_uri; content:"link="; nocase; http_uri; pcre:"/[?&]module=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-6087; reference:url,seclists.org/fulldisclosure/2017/Mar/61; classtype:web-application-attack; sid:42108; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP EyesOfNetwork module command injection attempt"; flow:to_server,established; content:"/module/index.php"; fast_pattern:only; http_uri; content:"module="; nocase; http_uri; content:"link="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]module=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-6087; reference:url,seclists.org/fulldisclosure/2017/Mar/61; classtype:web-application-attack; sid:42107; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP EyesOfNetwork ged_actions.php command injection attempt"; flow:to_server,established; content:"/module/monitoring_ged/ged_actions.php"; fast_pattern:only; http_uri; content:"selected_events[]="; nocase; http_uri; pcre:"/[?&]selected_events\x5b\x5d=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-6087; reference:url,seclists.org/fulldisclosure/2017/Mar/61; classtype:web-application-attack; sid:42106; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP EyesOfNetwork ged_actions.php command injection attempt"; flow:to_server,established; content:"/module/monitoring_ged/ged_actions.php"; fast_pattern:only; http_uri; content:"selected_events[]="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]selected(\x5f|%5f)events(\x5b|%5b)(\x5d|%5d)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-6087; reference:url,seclists.org/fulldisclosure/2017/Mar/61; classtype:web-application-attack; sid:42105; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro SafeSync command injection attempt"; flow:to_server,established; content:"/api/admin/storage/reconnect"; fast_pattern:only; http_uri; pcre:"/[?&](role|device_id)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,success.trendmicro.com/solution/1116749; classtype:web-application-attack; sid:42104; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro SafeSync command injection attempt"; flow:to_server,established; content:"/api/admin/storage/reconnect"; fast_pattern:only; http_uri; pcre:"/(^|&)(role|device_id)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,success.trendmicro.com/solution/1116749; classtype:web-application-attack; sid:42103; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro SafeSync command injection attempt"; flow:to_server,established; content:"/api/admin/storage/reconnect"; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&](role|device_id)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,success.trendmicro.com/solution/1116749; classtype:web-application-attack; sid:42102; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dahua IP Camera username and password disclosure attempt"; flow:to_server,established; content:"/current_config/passwd"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,96449; reference:bugtraq,96456; reference:cve,2017-6341; reference:cve,2017-6343; reference:url,us.dahuasecurity.com/en/us/Security-Bulletin_030617.php; classtype:attempted-recon; sid:42121; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dahua IP Camera username and password disclosure attempt"; flow:to_server,established; content:"/current_config/Account1"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,96449; reference:bugtraq,96456; reference:cve,2017-6341; reference:cve,2017-6343; reference:url,us.dahuasecurity.com/en/us/Security-Bulletin_030617.php; classtype:attempted-recon; sid:42120; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP pfSense openvpn_wizard PHP code injection attempt"; flow:to_server,established; content:"xml=openvpn_wizard.xml"; fast_pattern:only; content:"/wizard.php"; nocase; http_uri; content:"interface="; nocase; http_client_body; pcre:"/(^|&)interface=[^&]*?([\x60\x3b\x24\x28]|%60|%3b|%24|%28|include|require)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2017/Mar/71; classtype:web-application-attack; sid:42119; rev:2;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER-WEBAPP Infinite Automation Mango Automation info leak attempt"; flow:to_client,established; file_data; content:"SESSION ATTRIBUTES"; fast_pattern:only; content:"username="; content:"password="; distance:0; metadata:service http; reference:cve,2015-7900; classtype:attempted-recon; sid:42136; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GE Proficy CimWeb substitute.bcl arbitrary file access attempt"; flow:to_server,established; content:"/CimWeb/gefebt"; fast_pattern:only; http_uri; content:"substitute"; http_uri; content:"bcl"; distance:0; http_uri; content:"FILE"; nocase; http_uri; pcre:"/[?&]substitute[^&]*?bcl[^&]*?FILE[^&]*?\w(\x3A|%3A)([\x2F\x5C]|%2F|%5C)/Ui"; metadata:service http; reference:cve,2013-0653; reference:url,ics-cert.us-cert.gov/advisories/ICSA-13-022-02; classtype:web-application-attack; sid:42135; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GE Proficy CimWeb substitute.bcl arbitrary file access attempt"; flow:to_server,established; content:"/CimWeb/gefebt"; fast_pattern:only; http_uri; content:"substitute"; http_uri; content:"bcl"; distance:0; http_uri; content:"FILE"; nocase; http_uri; pcre:"/[?&]substitute[^&]*?bcl[^&]*?FILE[^&]*?(\x2E|%2E){2}([\x2F\x5C]|%2F|%5C)/Ui"; metadata:service http; reference:cve,2013-0653; reference:url,ics-cert.us-cert.gov/advisories/ICSA-13-022-02; classtype:web-application-attack; sid:42134; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cambium Networks ePMP 1000 command injection attempt"; flow:to_server,established; content:"/cgi-bin/luci/"; nocase; http_uri; content:"/admin/traceroute"; fast_pattern:only; http_uri; content:"traceroute"; nocase; http_client_body; pcre:"/(^|&)traceroute(\x5f|%5f)ip=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,support.cambiumnetworks.com/file/476262a0256fdd8be0e595e51f5112e0f9700f83; classtype:web-application-attack; sid:42132; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cambium Networks ePMP 1000 command injection attempt"; flow:to_server,established; content:"/cgi-bin/luci/"; nocase; http_uri; content:"/admin/ping"; fast_pattern:only; http_uri; pcre:"/(^|&)(ping(\x5f|%5f)ip|packets(\x5f|%5f)num|buf(\x5f|%5f)size|ttl)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,support.cambiumnetworks.com/file/476262a0256fdd8be0e595e51f5112e0f9700f83; classtype:web-application-attack; sid:42131; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP BlueCoat CAS report-email command injection attempt"; flow:to_server,established; content:"/avenger/rest/report-email/send"; fast_pattern:only; http_uri; content:"|22|url|22|"; nocase; http_client_body; pcre:"/\x22url\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-9091; reference:url,bto.bluecoat.com/security-advisory/sa138; classtype:web-application-attack; sid:42220; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP NAS utilRequest.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/filemanager/utilRequest.cgi"; fast_pattern:only; http_uri; content:"pid="; nocase; http_uri; pcre:"/[?&]pid=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,97059; reference:cve,2017-6359; reference:url,www.qnap.com/en/support/con_show.php?cid=113; classtype:web-application-attack; sid:42241; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP NAS utilRequest.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/filemanager/utilRequest.cgi"; fast_pattern:only; http_uri; content:"pid="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]pid=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,97059; reference:cve,2017-6359; reference:url,www.qnap.com/en/support/con_show.php?cid=113; classtype:web-application-attack; sid:42240; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP NAS utilRequest.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/filemanager/utilRequest.cgi"; fast_pattern:only; http_uri; content:"pid="; nocase; http_client_body; pcre:"/(^|&)pid=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,97059; reference:cve,2017-6359; reference:url,www.qnap.com/en/support/con_show.php?cid=113; classtype:web-application-attack; sid:42239; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP NAS userConfig.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/userConfig.cgi"; fast_pattern:only; http_uri; content:"hash="; nocase; http_uri; pcre:"/[?&]hash=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,97059; reference:cve,2017-6360; reference:url,www.qnap.com/en/support/con_show.php?cid=113; classtype:web-application-attack; sid:42238; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP NAS userConfig.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/userConfig.cgi"; fast_pattern:only; http_uri; content:"hash="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]hash=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,97059; reference:cve,2017-6360; reference:url,www.qnap.com/en/support/con_show.php?cid=113; classtype:web-application-attack; sid:42237; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP NAS userConfig.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/userConfig.cgi"; fast_pattern:only; http_uri; content:"hash="; nocase; http_client_body; pcre:"/(^|&)hash=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,97059; reference:cve,2017-6360; reference:url,www.qnap.com/en/support/con_show.php?cid=113; classtype:web-application-attack; sid:42236; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP NAS authLogin.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/authLogin.cgi"; fast_pattern:only; http_uri; content:"reboot_notice_msg="; nocase; http_uri; base64_decode:bytes 256,relative; base64_data; content:"QNAPVJBD"; depth:8; pcre:"/^QNAPVJBD.*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/s"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,97059; reference:cve,2017-6361; reference:url,www.qnap.com/en/support/con_show.php?cid=113; classtype:attempted-admin; sid:42234; rev:2;)
# sid 42222 (enabled): request whose URI contains /goform/account and is exactly 15 bytes long (urilen:15 is
# the length of that path, so the URI can carry nothing else), and whose payload has data at offset 2000
# (isdataat:2000). In effect: an oversized request to the login endpoint.
# NOTE(review): the content is not nocase, so only this exact casing of the path matches. The rule does not
# show whether the service was affected; correlate with availability of the login page after the event.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Moxa MX Studio login page denial of service attempt"; flow:to_server,established; isdataat:2000; urilen:15; content:"/goform/account"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-7456; classtype:attempted-dos; sid:42222; rev:2;)
# sid 42221 (enabled): request for exactly /certs/mxview.key (urilen:17 equals the length of that path).
# The rule fires on the request, not on the response. When it alerts without the request having been
# dropped, check the server's response status and size for that transaction; if the file was served, treat
# the private key as disclosed and replace the key and its certificate rather than only blocking the source.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Moxa private key disclosure attempt"; flow:to_server,established; urilen:17; content:"/certs/mxview.key"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-7455; classtype:web-application-attack; sid:42221; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 40011 (msg:"SERVER-WEBAPP AlienVault OSSIM API get_host_fqdn host_ip command injection attempt"; flow:to_server,established; content:"POST /av/api/1.0/system/local/network/fqdn"; depth:42; nocase; content:"host_ip="; nocase; pcre:"/(^|&)host_ip=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/im"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.alienvault.com/forums/discussion/8415/; classtype:web-application-attack; sid:42291; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-WEBAPP xArrow webserver denial of service attempt"; flow:to_server, established; content:"|0A|"; depth:1; content:"|0D 0A 0D 0A|"; within:4; distance:10; reference:url,xarrow.com/en/index.php; classtype:attempted-dos; sid:42306; rev:1;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER-WEBAPP SensorIP2 default credentials enumeration attempt"; flow:to_client,established; file_data; content:"<select class=|22|drpdwn|22| name=|22|user|22| onchange=|22|setpasswd()|22|>"; fast_pattern:only; content:"<option value=|22|"; content:"<input class=|22|stxt|22| type=|22|password|22| size=|22|"; distance:0; content:"maxlength=|22|"; distance:0; content:"name=|22|passwd|22| value=|22|"; distance:0; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; reference:url,sensorip.com/index.php/produits/sensor-ip-2; classtype:web-application-attack; sid:42300; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Events HMI information disclosure attempt"; flow:to_server,established; urilen:20; content:"/log/webRegister.txt"; fast_pattern:only; http_uri; metadata:service http; classtype:attempted-recon; sid:42295; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Squirrelmail sendmail delivery parameter injection attempt"; flow:to_server,established; content:"src/options.php"; fast_pattern:only; http_uri; content:"new_email_address="; nocase; http_client_body; pcre:"/(^|&)new_email_address=[^&]*?(\x09|%09|%20|\x20)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-7692; classtype:web-application-attack; sid:42354; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Tenable Appliance simpleupload.py command injection attempt"; flow:to_server,established; content:"/simpleupload.py"; fast_pattern:only; http_uri; content:"tns_appliance_session_user="; nocase; http_uri; pcre:"/[?&]tns_appliance_session_user=[^&]*?([\x60\x3b\x7c\x22]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-8051; reference:url,www.tenable.com/security/tns-2017-07; classtype:web-application-attack; sid:42347; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Tenable Appliance simpleupload.py command injection attempt"; flow:to_server,established; content:"/simpleupload.py"; fast_pattern:only; http_uri; content:"tns_appliance_session_user="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]tns(\x5f|%5f)appliance(\x5f|%5f)session(\x5f|%5f)user=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-8051; reference:url,www.tenable.com/security/tns-2017-07; classtype:web-application-attack; sid:42346; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Tenable Appliance simpleupload.py command injection attempt"; flow:to_server,established; content:"/simpleupload.py"; fast_pattern:only; http_uri; content:"appliance"; nocase; http_client_body; pcre:"/(^|&)tns(\x5f|%5f)appliance(\x5f|%5f)session(\x5f|%5f)user=[^&]*?([\x60\x3b\x7c\x22]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%22|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-8051; reference:url,www.tenable.com/security/tns-2017-07; classtype:web-application-attack; sid:42345; rev:2;)
# sid 42336 (enabled): request to /cgi-bin/logoff.cgi whose Cookie contains session_id= followed, before the
# next ';' or end of line, by two dots (literal or %2e) and then a slash or backslash (literal, %2f or %5c).
# The pcre runs against the cookie buffer (C flag), case-insensitively.
# The match is on the request only; whether the traversal had any effect has to be established on the
# appliance itself. See the CVE and Bugtraq references on the rule for the affected versions and impact.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Threat Discovery Appliance logoff.cgi directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/logoff.cgi"; fast_pattern:only; http_uri; content:"session_id="; nocase; http_cookie; pcre:"/session_id=[^\x3b\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Ci"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,97599; reference:cve,2016-7552; classtype:web-application-attack; sid:42336; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Threat Discovery Appliance admin_sys_time.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/admin_sys_time.cgi"; fast_pattern:only; http_uri; content:"timezone="; nocase; http_uri; pcre:"/[?&]timezone=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,97610; reference:cve,2016-7547; classtype:web-application-attack; sid:42335; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Threat Discovery Appliance admin_sys_time.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/admin_sys_time.cgi"; fast_pattern:only; http_uri; content:"timezone="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]timezone=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,97610; reference:cve,2016-7547; classtype:web-application-attack; sid:42334; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Threat Discovery Appliance admin_sys_time.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/admin_sys_time.cgi"; fast_pattern:only; http_uri; content:"timezone="; nocase; http_client_body; pcre:"/(^|&)timezone=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,97610; reference:cve,2016-7547; classtype:web-application-attack; sid:42333; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cpanel cgiemail format string code execution attempt"; flow:to_server,established; content:"/hello/~"; fast_pattern:only; http_uri; content:"failure=stdin"; nocase; http_uri; content:"%p"; http_client_body; content:"%p"; within:10; http_client_body; content:"%p"; within:10; http_client_body; content:"%p"; within:10; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,95870; reference:cve,2017-5613; reference:url,news.cpanel.com/tsr-2017-0001-full-disclosure/; classtype:attempted-user; sid:42328; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cpanel cgiemail format string code execution attempt"; flow:to_server,established; content:"/cgi-sys/cgiecho/~"; fast_pattern:only; http_uri; content:"failure=stdin"; nocase; http_uri; content:"%p"; http_client_body; content:"%p"; within:10; http_client_body; content:"%p"; within:10; http_client_body; content:"%p"; within:10; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,95870; reference:cve,2017-5613; reference:url,news.cpanel.com/tsr-2017-0001-full-disclosure/; classtype:attempted-user; sid:42327; rev:2;)
# sid:42323 is shipped commented out and carries no policy metadata.
# The destination port is hard-coded to 81 and the only match is ".../" in the http_uri
# buffer. If this rule is enabled, confirm the HTTP preprocessor is configured to inspect
# port 81, since http_uri should otherwise not be populated for that traffic.
# The pattern is short and not product-specific, so check that the alerted destination
# actually runs IOServer before treating a hit as CVE-2012-4680.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 81 (msg:"SERVER-WEBAPP IOServer OPC Server directory traversal exploitation attempt"; flow:to_server, established; content:".../"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2012-4680; reference:url,ics-cert.us-cert.gov/advisories/ICSA-12-258-01; classtype:web-application-attack; sid:42323; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP multiple product command injection attempt"; flow:to_server,established; content:"/auth-cgi-bin/distUpgReq"; fast_pattern:only; http_uri; content:"Type=licxfer"; nocase; http_client_body; content:"licfile="; nocase; http_client_body; pcre:"/(^|&)licfile=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pim"; metadata:policy max-detect-ips drop, service http; reference:url,virustotal.com/en/file/0f8dd094516f1be96da5f9addc0f97bcac8f2a348374bd9631aa912344559628/analysis/; classtype:attempted-admin; sid:42402; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP multiple product version scan attempt"; flow:to_server,established; content:"/auth-cgi-bin/distUpgReq"; fast_pattern:only; http_uri; content:"Type=query"; nocase; http_client_body; content:"ftp="; nocase; http_client_body; content:"version="; nocase; http_client_body; metadata:policy max-detect-ips drop, service http; reference:url,virustotal.com/en/file/0f8dd094516f1be96da5f9addc0f97bcac8f2a348374bd9631aa912344559628/analysis/; classtype:attempted-recon; sid:42401; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Yealink VoIP phone directory traversal attempt"; flow:to_server,established; content:"/cgiServer.exx"; fast_pattern:only; http_uri; content:"page="; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?page=((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy security-ips drop, service http; reference:bugtraq,68053; reference:cve,2013-5756; classtype:web-application-attack; sid:42394; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Yealink VoIP phone directory traversal attempt"; flow:to_server,established; content:"/cgiServer.exx"; fast_pattern:only; http_uri; content:"page="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]page=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy security-ips drop, service http; reference:bugtraq,68053; reference:cve,2013-5756; classtype:web-application-attack; sid:42393; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Yealink VoIP phone directory traversal attempt"; flow:to_server,established; content:"/cgiServer.exx"; fast_pattern:only; http_uri; content:"page="; nocase; http_client_body; pcre:"/(^|&)page=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy security-ips drop, service http; reference:bugtraq,68053; reference:cve,2013-5756; classtype:web-application-attack; sid:42392; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [6001,6002,7001,7002] (msg:"SERVER-WEBAPP DataRate SCADA directory traversal attempt"; flow:to_server, established; content:"GET"; depth:3; content:"/..|5C|"; distance:0; fast_pattern; content:"HTTP/1."; distance:0; metadata:service http; reference:cve,2008-0760; classtype:web-application-attack; sid:42388; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [6001,6002,7001,7002] (msg:"SERVER-WEBAPP DataRate SCADA directory traversal attempt"; flow:to_server, established; content:"GET"; depth:3; content:"/../"; distance:0; fast_pattern; content:"HTTP/1."; distance:0; metadata:service http; reference:cve,2007-6483; classtype:web-application-attack; sid:42387; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Threat Discovery Appliance detected_potential_files.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/detected_potential_files.cgi"; fast_pattern:only; http_uri; content:"cache_id="; nocase; http_uri; pcre:"/[?&]cache_id=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-8586; classtype:web-application-attack; sid:42384; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Threat Discovery Appliance detected_potential_files.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/detected_potential_files.cgi"; fast_pattern:only; http_uri; content:"cache_id="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]cache(\x5f|%5f)id=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-8586; classtype:web-application-attack; sid:42383; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Threat Discovery Appliance detected_potential_files.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/detected_potential_files.cgi"; fast_pattern:only; http_uri; content:"cache"; nocase; http_client_body; pcre:"/(^|&)cache(\x5f|%5f)id=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-8586; classtype:web-application-attack; sid:42382; rev:2;)
# OpenCart CVE-2013-1891 rules (sids 42381, 42380, 42379), all shipped commented out.
# Each one anchors its fast pattern on the literal URI "/oc1551/admin/index.php", which is
# one specific install directory. Before enabling, compare that path with where the
# OpenCart admin actually lives on protected hosts, or write a local variant.
# Coverage is split by where the "directory" parameter appears: query string (42381),
# multipart form body (42380), urlencoded body (42379).
# None of the three carries policy metadata, so presumably no policy enables them
# automatically. Verify with the rule manager in use.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenCart directory traversal attempt"; flow:to_server,established; content:"/oc1551/admin/index.php"; fast_pattern:only; http_uri; content:"directory="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]directory=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:cve,2013-1891; classtype:web-application-attack; sid:42381; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenCart directory traversal attempt"; flow:to_server, established; content:"/oc1551/admin/index.php"; fast_pattern:only; http_uri; content:"directory"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?directory((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:service http; reference:cve,2013-1891; classtype:web-application-attack; sid:42380; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenCart directory traversal attempt"; flow:to_server, established; content:"/oc1551/admin/index.php"; fast_pattern:only; http_uri; content:"directory="; nocase; http_client_body; pcre:"/(^|&)directory=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:cve,2013-1891; classtype:web-application-attack; sid:42379; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Phpcms user registration remote file include attempt"; flow:to_server,established; content:"/index.php"; http_uri; content:"a=register"; fast_pattern:only; http_uri; content:"info"; nocase; http_client_body; content:"content"; within:12; nocase; http_client_body; pcre:"/(^|&)info(%5B|\x5B)content(\x5D|%5D)=[^&]*?(http|ftp)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:42430; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Phpcms user registration remote file include attempt"; flow:to_server,established; content:"/index.php"; http_uri; content:"a=register"; fast_pattern:only; http_uri; content:"info"; nocase; http_uri; content:"content"; within:12; nocase; http_uri; content:"|3A|/"; http_uri; pcre:"/[?&]info(%5B|\x5B)content(%5D|\x5D)=[^&]*?(http|ftp)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:42429; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Phpcms attachment upload SQL injection attempt"; flow:to_server,established; content:"/index.php"; http_uri; content:"a=swfupload_json"; fast_pattern:only; http_client_body; content:"id"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?id((?!^--).)*?[\r\n]{2,}((?!^--).)*?[\x27\x22]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:42428; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Phpcms attachment upload SQL injection attempt"; flow:to_server,established; content:"/index.php"; http_uri; content:"a=swfupload_json"; fast_pattern:only; http_client_body; content:"id="; nocase; http_client_body; pcre:"/(^|&)id=[^&]*?([\x27\x22]|%27|%22)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:42427; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Phpcms attachment upload SQL injection attempt"; flow:to_server,established; content:"/index.php"; http_uri; content:"a=swfupload_json"; fast_pattern:only; http_uri; content:"id="; nocase; http_uri; pcre:"/[?&]id=[^&]*?[\x27\x22]/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:42426; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WePresent WiPG session id check bypass attempt"; flow:to_server,established; content:"/cgi-bin/return_test.cgi"; nocase; http_uri; content:"<noNeedSeid"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.redguard.ch/advisories/wepresent-wipg1000.txt; classtype:attempted-admin; sid:42411; rev:2;)
# sid:42410 is shipped commented out. It matches a POST body to /cgi-bin/login that contains
# "rdtool" plus one fixed literal value. Per the msg and the referenced advisory this looks
# like a vendor-embedded account rather than a guessed password (confirm against the advisory).
# Triage: a hit is only meaningful if a WePresent WiPG device sits at the destination; if so,
# check whether the login succeeded and whether management access is reachable from
# $EXTERNAL_NET at all. sid:42406 in this file is the companion rule for the "admin" account.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WePresent WiPG rdtool backdoor login attempt"; flow:to_server,established; content:"/cgi-bin/login"; nocase; http_uri; content:"rdtool"; nocase; http_client_body; content:"=mistral5885"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.redguard.ch/advisories/wepresent-wipg1000.txt; classtype:attempted-admin; sid:42410; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WePresent WiPG rdfs.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/rdfs.cgi"; fast_pattern:only; http_uri; content:"Client="; nocase; http_uri; pcre:"/[?&]Client=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.redguard.ch/advisories/wepresent-wipg1000.txt; classtype:web-application-attack; sid:42409; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WePresent WiPG rdfs.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/rdfs.cgi"; fast_pattern:only; http_uri; content:"Client="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]Client=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.redguard.ch/advisories/wepresent-wipg1000.txt; classtype:web-application-attack; sid:42408; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WePresent WiPG rdfs.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/rdfs.cgi"; fast_pattern:only; http_uri; content:"Client="; nocase; http_client_body; pcre:"/(^|&)Client=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.redguard.ch/advisories/wepresent-wipg1000.txt; classtype:web-application-attack; sid:42407; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WePresent WiPG admin backdoor login attempt"; flow:to_server,established; content:"/cgi-bin/login"; nocase; http_uri; content:"admin"; nocase; http_client_body; content:"=aw%25root%3F"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.redguard.ch/advisories/wepresent-wipg1000.txt; classtype:attempted-admin; sid:42406; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt"; flow:to_server,established; content:"/cgi-bin/log_query"; fast_pattern:only; http_uri; content:"cache_id="; nocase; http_uri; pcre:"/[?&]cache_id=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,98343; reference:cve,2016-8589; reference:cve,2016-8590; reference:cve,2016-8591; reference:cve,2016-8592; classtype:web-application-attack; sid:42405; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt"; flow:to_server,established; content:"/cgi-bin/log_query"; fast_pattern:only; http_uri; content:"cache_id="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]cache(\x5f|%5f)id=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,98343; reference:cve,2016-8589; reference:cve,2016-8590; reference:cve,2016-8591; reference:cve,2016-8592; classtype:web-application-attack; sid:42404; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt"; flow:to_server,established; content:"/cgi-bin/log_query"; fast_pattern:only; http_uri; content:"cache"; nocase; http_client_body; pcre:"/(^|&)cache(\x5f|%5f)id=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,98343; reference:cve,2016-8589; reference:cve,2016-8590; reference:cve,2016-8591; reference:cve,2016-8592; classtype:web-application-attack; sid:42403; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt"; flow:to_server,established; content:"/goform/formWpsStart"; fast_pattern:only; http_uri; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?(ateFunc|ateGain|ateTxCount|ateChan|ateRate|ateMacID|e2pTxPower1|e2pTxPower2|e2pTxPower3|e2pTxPower4|e2pTxPower5|e2pTxPower6|e2pTxPower7|e2pTx2Power1|e2pTx2Power|e2pTx2Power2|e2pTx2Power3|e2pTx2Power4|e2pTx2Power5|e2pTx2Power6|e2pTx2Power7|ateTxFreqOffset|ateMode|ateBW|ateAntenna|e2pTxFreqOffset|e2pTxPwDeltaB|e2pTxPwDeltaG|e2pTxPwDeltaMix|e2pTxPwDeltaN|readE2P)((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|\x24\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5536; reference:url,blog.vectranetworks.com/blog/belkin-analysis; classtype:web-application-attack; sid:42488; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt"; flow:to_server,established; content:"/goform/formWpsStart"; fast_pattern:only; http_uri; pcre:"/(^|&)(ateFunc|ateGain|ateTxCount|ateChan|ateRate|ateMacID|e2pTxPower1|e2pTxPower2|e2pTxPower3|e2pTxPower4|e2pTxPower5|e2pTxPower6|e2pTxPower7|e2pTx2Power1|e2pTx2Power|e2pTx2Power2|e2pTx2Power3|e2pTx2Power4|e2pTx2Power5|e2pTx2Power6|e2pTx2Power7|ateTxFreqOffset|ateMode|ateBW|ateAntenna|e2pTxFreqOffset|e2pTxPwDeltaB|e2pTxPwDeltaG|e2pTxPwDeltaMix|e2pTxPwDeltaN|readE2P)=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5536; reference:url,blog.vectranetworks.com/blog/belkin-analysis; classtype:web-application-attack; sid:42487; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt"; flow:to_server,established; content:"/goform/formWpsStart"; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&](ateFunc|ateGain|ateTxCount|ateChan|ateRate|ateMacID|e2pTxPower1|e2pTxPower2|e2pTxPower3|e2pTxPower4|e2pTxPower5|e2pTxPower6|e2pTxPower7|e2pTx2Power1|e2pTx2Power|e2pTx2Power2|e2pTx2Power3|e2pTx2Power4|e2pTx2Power5|e2pTx2Power6|e2pTx2Power7|ateTxFreqOffset|ateMode|ateBW|ateAntenna|e2pTxFreqOffset|e2pTxPwDeltaB|e2pTxPwDeltaG|e2pTxPwDeltaMix|e2pTxPwDeltaN|readE2P)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5536; reference:url,blog.vectranetworks.com/blog/belkin-analysis; classtype:web-application-attack; sid:42486; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt"; flow:to_server,established; content:"/goform/formWpsStart"; fast_pattern:only; http_uri; pcre:"/[?&](ateFunc|ateGain|ateTxCount|ateChan|ateRate|ateMacID|e2pTxPower1|e2pTxPower2|e2pTxPower3|e2pTxPower4|e2pTxPower5|e2pTxPower6|e2pTxPower7|e2pTx2Power1|e2pTx2Power|e2pTx2Power2|e2pTx2Power3|e2pTx2Power4|e2pTx2Power5|e2pTx2Power6|e2pTx2Power7|ateTxFreqOffset|ateMode|ateBW|ateAntenna|e2pTxFreqOffset|e2pTxPwDeltaB|e2pTxPwDeltaG|e2pTxPwDeltaMix|e2pTxPwDeltaN|readE2P)=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5536; reference:url,blog.vectranetworks.com/blog/belkin-analysis; classtype:web-application-attack; sid:42485; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt"; flow:to_server,established; content:"/goform/formWlanMP"; fast_pattern:only; http_uri; content:"pinCode"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?pinCode((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|\x24\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5536; classtype:web-application-attack; sid:42484; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt"; flow:to_server,established; content:"/goform/formWlanMP"; fast_pattern:only; http_uri; content:"pinCode="; nocase; http_client_body; pcre:"/(^|&)pinCode=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5536; classtype:web-application-attack; sid:42483; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt"; flow:to_server,established; content:"/goform/formWlanMP"; fast_pattern:only; http_uri; content:"pinCode="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; pcre:"/[?&]pinCode=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5536; classtype:web-application-attack; sid:42482; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt"; flow:to_server,established; content:"/goform/formWlanMP"; fast_pattern:only; http_uri; content:"pinCode="; nocase; http_uri; pcre:"/[?&]pinCode=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5536; classtype:web-application-attack; sid:42481; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt"; flow:to_server,established; content:"/goform/formConnectionSetting"; fast_pattern:only; http_uri; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?(max_Conn|timeOut)((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|\x24\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5536; reference:url,blog.vectranetworks.com/blog/belkin-analysis; classtype:web-application-attack; sid:42480; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt"; flow:to_server,established; content:"/goform/formConnectionSetting"; fast_pattern:only; http_uri; pcre:"/(^|&)(max_Conn|timeOut)=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5536; reference:url,blog.vectranetworks.com/blog/belkin-analysis; classtype:web-application-attack; sid:42479; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt"; flow:to_server,established; content:"/goform/formConnectionSetting"; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&](max_Conn|timeOut)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5536; reference:url,blog.vectranetworks.com/blog/belkin-analysis; classtype:web-application-attack; sid:42478; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt"; flow:to_server,established; content:"/goform/formConnectionSetting"; fast_pattern:only; http_uri; pcre:"/[?&](max_Conn|timeOut)=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5536; reference:url,blog.vectranetworks.com/blog/belkin-analysis; classtype:web-application-attack; sid:42477; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt"; flow:to_server,established; content:"/goform/formHwSet"; fast_pattern:only; http_uri; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?(regDomain|ABandregDomain|nic0Addr|nic1Addr|wlanAddr|inicAddr)((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|\x24\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5536; reference:url,blog.vectranetworks.com/blog/belkin-analysis; classtype:web-application-attack; sid:42474; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt"; flow:to_server,established; content:"/goform/formHwSet"; fast_pattern:only; http_uri; pcre:"/(^|&)(regDomain|ABandregDomain|nic0Addr|nic1Addr|wlanAddr|inicAddr)=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5536; reference:url,blog.vectranetworks.com/blog/belkin-analysis; classtype:web-application-attack; sid:42473; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt"; flow:to_server,established; content:"/goform/formHwSet"; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&](regDomain|ABandregDomain|nic0Addr|nic1Addr|wlanAddr|inicAddr)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5536; reference:url,blog.vectranetworks.com/blog/belkin-analysis; classtype:web-application-attack; sid:42472; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt"; flow:to_server,established; content:"/goform/formHwSet"; fast_pattern:only; http_uri; pcre:"/[?&](regDomain|ABandregDomain|nic0Addr|nic1Addr|wlanAddr|inicAddr)=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5536; reference:url,blog.vectranetworks.com/blog/belkin-analysis; classtype:web-application-attack; sid:42471; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt"; flow:to_server,established; content:"/goform/formUSBStorage"; fast_pattern:only; http_uri; content:"sub_dir"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?sub_dir((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|\x24\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5536; classtype:web-application-attack; sid:42470; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt"; flow:to_server,established; content:"/goform/formUSBStorage"; fast_pattern:only; http_uri; content:"sub_dir="; nocase; http_client_body; pcre:"/(^|&)sub_dir=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5536; classtype:web-application-attack; sid:42469; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt"; flow:to_server,established; content:"/goform/formUSBStorage"; fast_pattern:only; http_uri; content:"sub_dir="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; pcre:"/[?&]sub_dir=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5536; classtype:web-application-attack; sid:42468; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt"; flow:to_server,established; content:"/goform/formUSBStorage"; fast_pattern:only; http_uri; content:"sub_dir="; nocase; http_uri; pcre:"/[?&]sub_dir=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5536; classtype:web-application-attack; sid:42467; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP triple dot directory traversal attempt"; flow:to_server,established; content:".../.../"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2012-5972; classtype:web-application-attack; sid:42465; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Unitrends Enterprise Backup Appliance reports.php directory traversal attempt"; flow:to_server,established; content:"/recoveryconsole/bpl/reports.php"; fast_pattern:only; http_uri; content:"name="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]name=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-7281; reference:url,support.unitrends.com/UnitrendsBackup/s/article/ka640000000CcWLAA0; classtype:web-application-attack; sid:42462; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Unitrends Enterprise Backup Appliance reports.php PHP file injection attempt"; flow:to_server,established; content:"/recoveryconsole/bpl/reports.php"; fast_pattern:only; http_uri; content:"contents="; nocase; http_uri; content:"<?"; http_uri; pcre:"/[?&]contents=[^&]*?\x3c\x3f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-7281; reference:url,support.unitrends.com/UnitrendsBackup/s/article/ka640000000CcWLAA0; classtype:web-application-attack; sid:42461; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Unitrends Enterprise Backup Appliance password.php command injection attempt"; flow:to_server,established; content:"/recoveryconsole/bpl/password.php"; fast_pattern:only; http_uri; pcre:"/[?&](user|password|newpassword)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-7280; reference:url,support.unitrends.com/ReliableDR/s/article/ka640000000CcVwAAK; classtype:web-application-attack; sid:42457; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Unitrends Enterprise Backup Appliance password.php command injection attempt"; flow:to_server,established; content:"/recoveryconsole/bpl/password.php"; fast_pattern:only; http_uri; pcre:"/(^|&)(user|password|newpassword)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-7280; reference:url,support.unitrends.com/ReliableDR/s/article/ka640000000CcVwAAK; classtype:web-application-attack; sid:42456; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Unitrends Enterprise Backup Appliance password.php command injection attempt"; flow:to_server,established; content:"/recoveryconsole/bpl/password.php"; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&](user|password|newpassword)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-7280; reference:url,support.unitrends.com/ReliableDR/s/article/ka640000000CcVwAAK; classtype:web-application-attack; sid:42455; rev:2;)
# sid:42451 is shipped commented out. It is a rate-based rule: detection_filter tracks by
# source IP and only lets the rule alert once the count of 10 matches in 30 seconds is exceeded.
# The msg says "index.php" but the URI matched is /ScadaBR/login.htm, so search and correlate
# on the sid, not the msg text.
# The match is any request to the login page carrying JSESSIONID, "username" and "password";
# it does not distinguish failed from successful logins. Sources that aggregate many users
# (NAT, reverse proxy, jump host) can therefore cross the threshold legitimately. Tune the
# count/seconds or add suppression for known aggregators before enabling.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MCA Sistemas ScadaBR index.php brute force login attempt"; flow:to_server,established,only_stream; content:"/ScadaBR/login.htm"; fast_pattern:only; http_uri; content:"JSESSIONID"; http_raw_header; content:"username"; http_client_body; content:"password"; http_client_body; detection_filter:track by_src, count 10, seconds 30; metadata:service http; reference:url,attack.mitre.org/techniques/T1110; reference:url,scadabr.com.br; classtype:web-application-attack; sid:42451; rev:3;)
# alert tcp any any -> $HOME_NET [16992,16993,16994,16995,623,664] (msg:"SERVER-WEBAPP Intel AMT remote administration tool authentication bypass attempt"; flow:to_server,established; content:"Authorization:"; content:"Digest"; distance:0; content:"|22|admin|22|"; distance:0; fast_pattern; nocase; content:"response="; distance:0; pcre:"/response=\x20*(\x22{2}|[\x2c\x0d\x0a])/"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-5689; reference:url,www-ssl.intel.com/content/www/us/en/architecture-and-technology/intel-active-management-technology.html; classtype:policy-violation; sid:42805; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7131 (msg:"SERVER-WEBAPP IntegraXor directory traversal attempt"; flow:to_server,established; content:"open"; nocase; content:"file_name="; within:200; fast_pattern; content:"..|5C|"; within:100; pcre:"/open\?.*?file_name=[^&\s]*?\.\.\\/i"; reference:cve,2010-4598; classtype:web-application-attack; sid:42804; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress admin password reset attempt"; flow:to_server,established; content:"/wp/wordpress/wp-login.php?action=lostpassword"; fast_pattern:only; http_uri; content:"user_login=admin"; http_client_body; metadata:service http; reference:cve,2017-8295; classtype:web-application-attack; sid:42819; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt"; flow:to_server,established; content:"/sgms/ImagePreviewServlet"; fast_pattern:only; http_uri; content:"logoID"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?logoID((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,support.sonicwall.com/product-notification/215257; classtype:web-application-attack; sid:42852; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt"; flow:to_server,established; content:"/sgms/ImagePreviewServlet"; fast_pattern:only; http_uri; content:"logoID="; nocase; http_client_body; pcre:"/(^|&)logoID=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,support.sonicwall.com/product-notification/215257; classtype:web-application-attack; sid:42851; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt"; flow:to_server,established; content:"/sgms/ImagePreviewServlet"; fast_pattern:only; http_uri; content:"logoID="; nocase; http_uri; pcre:"/[?&]logoID=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,support.sonicwall.com/product-notification/215257; classtype:web-application-attack; sid:42850; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8443 (msg:"SERVER-WEBAPP Symantec Endpoint Protection Manager SQL injection attempt"; flow:to_server,established; content:"/servlet/ConsoleServlet"; fast_pattern:only; http_uri; content:"GUID="; nocase; http_uri; pcre:"/[?&]GUID=[\d]*?[^\d&]/iU"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-1491; classtype:web-application-attack; sid:42849; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8443 (msg:"SERVER-WEBAPP Symantec Endpoint Protection Manager SQL injection attempt"; flow:to_server,established; content:"/servlet/ConsoleServlet"; fast_pattern:only; http_uri; content:"GUID="; nocase; http_client_body; pcre:"/(^|&)GUID=[\d]*?[^\d\s&]/miP"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-1491; classtype:web-application-attack; sid:42848; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Unitrends Enterprise Backup Appliance download-files command injection attempt"; flow:to_server,established; content:"/api/restore/download-files"; fast_pattern:only; http_uri; content:"|22|filenames|22|"; nocase; http_client_body; pcre:"/\x22filenames\x22\s*\x3a\s*\x5b[^\x5d]*?([\x60\x3b\x7c\x26\x27]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-7283; reference:url,support.unitrends.com/UnitrendsVirtualBackup/s/article/ka640000000CcWBAA0; classtype:web-application-attack; sid:42843; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5054 (msg:"SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt"; flow:to_server,established; content:"/goform/edit_lf_"; fast_pattern:only; content:"lf="; nocase; pcre:"/\x2fgoform\x2fedit_lf_.*?lf=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/i"; metadata:policy max-detect-ips drop, policy security-ips drop; classtype:web-application-attack; sid:42842; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Crypttech CryptoLog logshares_ajax.php command injection attempt"; flow:to_server,established; content:"/cryptolog/logshares_ajax.php"; fast_pattern:only; http_uri; content:"ls"; nocase; http_client_body; pcre:"/(^|&)ls(id|sharetype)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,pentest.blog/advisory-cryptolog-unauthenticated-remote-code-execution; classtype:web-application-attack; sid:42840; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Crypttech CryptoLog login.php SQL injection attempt"; flow:to_server,established; content:"/cryptolog/login.php"; fast_pattern:only; http_uri; content:"user="; nocase; http_client_body; pcre:"/(^|&)user=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,pentest.blog/advisory-cryptolog-unauthenticated-remote-code-execution; classtype:web-application-attack; sid:42839; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt"; flow:to_server,established; content:"/goform/formAccept"; fast_pattern:only; http_uri; content:"submit-url"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?submit-url((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|\x24\x28|\x3c\x28|\x3e\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5536; reference:url,blog.vectranetworks.com/blog/belkin-analysis; classtype:web-application-attack; sid:42829; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt"; flow:to_server,established; content:"/goform/formAccept"; fast_pattern:only; http_uri; content:"submit-url="; nocase; http_client_body; pcre:"/(^|&)submit-url=[^&]*?([\x60\x3b\x7c]|\x24\x28|\x3c\x28|\x3e\x28|%60|%3b|%7c|%26|%24%28|%3c%28|%3e%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5536; reference:url,blog.vectranetworks.com/blog/belkin-analysis; classtype:web-application-attack; sid:42828; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt"; flow:to_server,established; content:"/goform/formAccept"; fast_pattern:only; http_uri; content:"submit-url="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; pcre:"/[?&]submit-url=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5536; reference:url,blog.vectranetworks.com/blog/belkin-analysis; classtype:web-application-attack; sid:42827; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt"; flow:to_server,established; content:"/goform/formAccept"; fast_pattern:only; http_uri; content:"submit-url="; nocase; http_uri; pcre:"/[?&]submit-url=[^&]*?([\x60\x3b\x7c]|\x24\x28|\x3c\x28|\x3e\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5536; reference:url,blog.vectranetworks.com/blog/belkin-analysis; classtype:web-application-attack; sid:42826; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4679 (msg:"SERVER-WEBAPP Eaton Network Shutdown Module remote code execution attempt"; flow:to_server,established; content:"/view_list.php"; content:"paneStatusListSortBy"; distance:0; pcre:"/paneStatusListSortBy=[^&]*?(%25)?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%26|%22|%27|%60|%3b|%7c|\x24\x28|%24%28)/i"; reference:bugtraq,54161; classtype:attempted-user; sid:42898; rev:1;)
# alert tcp $EXTERNAL_NET 12348 -> $HOME_NET any (msg:"SERVER-WEBAPP Eaton VURemote denial of service attempt"; flow:to_client,established,no_stream; content:"DOPN|00 00 00 00|"; depth:8; detection_filter:track by_src, count 80, seconds 60; reference:url,eaton.com/Eaton/ProductsServices/Electrical/ProductsandServices/AutomationandControl/OperatorInterface/HMi/index.htm; classtype:denial-of-service; sid:42893; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache TomEE java deserialization attempt"; flow:to_server,established; content:"PUT"; http_method; content:"|0D 0A 0D 0A AC ED 00 05 73 72|"; fast_pattern:only; metadata:service http; reference:cve,2016-0779; reference:url,tomee.apache.org/security/tomee.html; classtype:attempted-user; sid:42879; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache TomEE java deserialization attempt"; flow:to_server,established; content:"POST"; http_method; content:"|AC ED 00 05 73 72|"; depth:6; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2016-0779; reference:cve,2017-3248; reference:url,tomee.apache.org/security/tomee.html; classtype:attempted-user; sid:42878; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GE Proficy RT Portal information disclosure attempt"; flow:to_server,established; content:"POST"; http_method; content:"/infoAgentSrv/iFixWeb"; fast_pattern:only; http_uri; content:"Method"; nocase; http_header; metadata:service http; reference:cve,2013-0651; classtype:attempted-recon; sid:42867; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GE Proficy RT Portal information disclosure attempt"; flow:to_server,established; content:"GET"; http_method; content:"/ProficyPortal/config/"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2013-0651; classtype:attempted-recon; sid:42866; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP CVS password disclosure attempt"; flow:to_client,established; file_data; content:"|3A|pserver|3A|"; fast_pattern; nocase; content:"|3A|"; within:75; content:"@"; within:75; content:"|3A|"; within:175; content:"/"; within:7; metadata:service http; reference:url,docstore.mik.ua/orelly/other/cvs/cvs-CHP-8-SECT-7.htm; classtype:attempted-recon; sid:42858; rev:2;)
# Enabled rule (sid 42857, community ruleset): matches client-to-server HTTP
# requests to $HOME_NET on $HTTP_PORTS whose normalized URI contains "/shell?"
# and is longer than 16 bytes (urilen:>16,norm). Its metadata sets the action
# to drop in the balanced, max-detect and security IPS policies.
# NOTE(review): the only content match is the generic "/shell?" path, so an
# unrelated web application with a similarly named endpoint can trigger it.
# Check it against local traffic before relying on the drop action.
# NOTE(review): the header is bound to $HTTP_PORTS. Confirm that variable
# includes the port the DVR web interface actually listens on.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MVPower DVR Shell arbitrary command execution attempt"; flow:to_server,established; content:"/shell?"; fast_pattern:only; http_uri; urilen:>16,norm; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.pentestpartners.com/blog/pwning-cctv-cameras/; classtype:attempted-admin; sid:42857; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23423 (msg:"SERVER-WEBAPP Serviio Media Server checkStreamUrl command injection attempt"; flow:to_server,established; content:"POST /rest/action"; depth:17; nocase; content:"|22|checkStreamUrl|22|"; fast_pattern:only; content:"|22|VIDEO|22|"; nocase; pcre:"/\x22VIDEO\x22\s*\x2c\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28|\x5cu00)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5408.php; classtype:web-application-attack; sid:42854; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23423 (msg:"SERVER-WEBAPP Serviio Media Server checkStreamUrl command injection attempt"; flow:to_server,established; content:"POST /rest/action"; depth:17; nocase; content:"checkStreamUrl"; fast_pattern:only; content:"<parameter"; nocase; content:"VIDEO"; nocase; pcre:"/<parameter[^>]*?>[^<]*?([\x60\x3b\x7c\x26]|\x24\x28)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5408.php; classtype:web-application-attack; sid:42853; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LogRhythm Network Monitor JSON configuration API command injection attempt"; flow:to_server,established; content:"/data/api/configuration/"; fast_pattern:only; http_uri; content:"|22|configurations|22|"; nocase; http_client_body; content:"|22|value|22|"; nocase; http_client_body; pcre:"/\x22value\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,security-assessment.com/files/documents/advisory/Logrhythm-NetMonitor-Advisory.pdf; classtype:web-application-attack; sid:42920; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5080 (msg:"SERVER-WEBAPP XML entity parsing information disclosure attempt"; flow:to_server,established; content:"<!DOCTYPE "; nocase; content:"<!ENTITY"; distance:0; nocase; pcre:"/<!ENTITY[^>]*?(SYSTEM|PUBLIC)/i"; metadata:policy max-detect-ips drop; reference:cve,2017-7664; reference:url,openmeetings.apache.org/security.html; classtype:attempted-recon; sid:43814; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Kaspersky Linux File Server WMC cross site scripting attempt"; flow:to_server,established; content:"/cgi-bin/cgictl"; fast_pattern:only; http_uri; content:"scriptName="; nocase; http_uri; pcre:"/[?&]scriptName=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:ruleset community, service http; reference:bugtraq,99330; reference:cve,2017-9813; reference:url,coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities; classtype:attempted-user; sid:43813; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Kaspersky Linux File Server WMC directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/cgictl"; fast_pattern:only; http_uri; content:"reportId"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?reportId((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,99330; reference:cve,2017-9812; reference:url,coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities; classtype:web-application-attack; sid:43812; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Kaspersky Linux File Server WMC directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/cgictl"; fast_pattern:only; http_uri; content:"reportId="; nocase; http_client_body; pcre:"/(^|&)reportId=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,99330; reference:cve,2017-9812; reference:url,coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities; classtype:web-application-attack; sid:43811; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9080 (msg:"SERVER-WEBAPP Kaspersky Linux File Server WMC directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/cgictl"; fast_pattern:only; http_uri; content:"reportId="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]reportId=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,99330; reference:cve,2017-9812; reference:url,coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities; classtype:web-application-attack; sid:43810; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9080 (msg:"SERVER-WEBAPP Kaspersky Linux File Server WMC cross site request forgery attempt"; flow:to_server,established; content:"/cgi-bin/cgictl?action=setTaskSettings"; fast_pattern:only; http_uri; content:"settings={|22|"; nocase; http_client_body; content:"taskId="; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,99330; reference:cve,2017-9810; reference:url,coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities; classtype:web-application-attack; sid:43809; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8445 (msg:"SERVER-WEBAPP Symantec SEPM management console cross site scripting attempt"; flow:to_server,established; content:"=alert(create"; fast_pattern:only; pcre:"/=alert\x28create(ModalDialogFromURL|WindowFromURL|WindowFromForm|IEWindowFromForm)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,91444; reference:cve,2016-3652; classtype:attempted-user; sid:43793; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DIR-645 router cross site scripting attempt"; flow:to_server,established; content:"/info.php"; fast_pattern:only; http_uri; content:"RESULT="; nocase; http_uri; pcre:"/[?&]RESULT=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2013-7389; classtype:attempted-user; sid:43783; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DIR-645 router cross site scripting attempt"; flow:to_server,established; content:"/bsc_sms_send.php"; fast_pattern:only; http_uri; content:"receiver="; nocase; http_uri; pcre:"/[?&]receiver=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2013-7389; classtype:attempted-user; sid:43782; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DIR-645 router cross site scripting attempt"; flow:to_server,established; content:"/parentalcontrols/bind.php"; fast_pattern:only; http_uri; content:"deviceid="; nocase; http_uri; pcre:"/[?&]deviceid=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2013-7389; classtype:attempted-user; sid:43781; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DIR-645 router buffer overflow attempt"; flow:to_server,established; content:"/post_login.xml"; fast_pattern:only; http_uri; content:"hash="; nocase; http_uri; isdataat:292,relative; content:!"&"; within:292; http_uri; metadata:service http; reference:cve,2013-7389; classtype:attempted-admin; sid:43780; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Sitescope EmailServlet directory traversal attempt"; flow:to_server,established; content:"/SiteScope/EmailServlet"; fast_pattern:only; http_uri; content:"webinfra_emailFileName"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?webinfra_emailFileName((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:service http; reference:cve,2014-2614; classtype:web-application-attack; sid:43777; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Sitescope EmailServlet directory traversal attempt"; flow:to_server,established; content:"/SiteScope/EmailServlet"; fast_pattern:only; http_uri; content:"webinfra_emailFileName="; nocase; http_client_body; pcre:"/(^|&)webinfra_emailFileName=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:cve,2014-2614; classtype:web-application-attack; sid:43776; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Sitescope EmailServlet directory traversal attempt"; flow:to_server,established; content:"/SiteScope/EmailServlet"; fast_pattern:only; http_uri; content:"webinfra_emailFileName="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]webinfra_emailFileName=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:cve,2014-2614; classtype:web-application-attack; sid:43775; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ScadaBR remote credential export attempt"; flow:to_server,established; file_data; content:"ScadaBR/dwr/call/plaincall/EmportDwr.createExportData.dwr"; fast_pattern:only; http_uri; content:"JSESSIONID"; http_raw_header; content:"ScadaBR/emport.shtm"; http_client_body; content:"c0-scriptName=EmportDwr"; http_client_body; content:"c0-methodName=createExportData"; http_client_body; metadata:service http; reference:url,scadabr.com.br/?q=node/1375; classtype:web-application-attack; sid:43757; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Coppermine Photo Gallery thumbnails.php SQL injection attempt"; flow:to_server,established; content:"/cpg/thumbnails.php"; fast_pattern:only; http_uri; content:"cpg131_fav="; http_cookie; metadata:service http; reference:bugtraq,22709; reference:cve,2007-1107; classtype:web-application-attack; sid:43756; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sophos XG Firewall Controller filter SQL injection attempt"; flow:to_server,established; content:"/userportal/Controller"; fast_pattern:only; http_uri; content:"key"; nocase; http_uri; content:"receiver"; nocase; http_uri; content:"value"; nocase; http_client_body; pcre:"/value\"[^\"]+\"\'\)[^\"]+\"/Pim"; metadata:service http; reference:url,sophos.com/en-us/products/next-gen-firewall.aspx; classtype:web-application-attack; sid:43734; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sophos XG Firewall Controller filter SQL injection attempt"; flow:to_server,established; content:"/userportal/Controller"; fast_pattern:only; http_uri; content:"key"; nocase; http_uri; content:"receiver"; nocase; http_uri; content:"value"; nocase; http_uri; pcre:"/value\"[^\"]+\"\'\)[^\"]+\"/Ui"; metadata:service http; reference:url,sophos.com/en-us/products/next-gen-firewall.aspx; classtype:web-application-attack; sid:43733; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FCRing sfuss remote file include attempt"; flow:to_server,established; content:"fcring.php?"; fast_pattern:only; http_uri; content:"s_fuss="; nocase; http_uri; content:"|3A|/"; http_uri; pcre:"/[?&]s_fuss=[^&]*?(http|ftp)/Ui"; metadata:policy security-ips drop, service http; reference:bugtraq,22693; reference:cve,2007-1133; classtype:web-application-attack; sid:43724; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FCRing sfuss remote file include attempt"; flow:to_server,established; content:"fcring.php?"; fast_pattern:only; http_uri; content:"s_fuss="; nocase; http_client_body; pcre:"/(^|&)s_fuss=[^&]*?(http|ftp)/Pim"; metadata:policy security-ips drop, service http; reference:bugtraq,22693; reference:cve,2007-1133; classtype:web-application-attack; sid:43723; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt"; flow:to_server,established; content:"/scripts/wgate/pbw2/"; fast_pattern:only; http_uri; content:"~template="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]~template=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:bugtraq,8516; reference:cve,2003-0748; classtype:web-application-attack; sid:43722; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt"; flow:to_server,established; content:"/scripts/wgate/pbw2/"; fast_pattern:only; http_uri; content:"~template="; nocase; http_client_body; pcre:"/(^|&)~template=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:bugtraq,8516; reference:cve,2003-0748; classtype:web-application-attack; sid:43721; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt"; flow:to_server,established; content:"/scripts/wgate/pbw2/"; fast_pattern:only; http_uri; content:"~template"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?~template((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:service http; reference:bugtraq,8516; reference:cve,2003-0748; classtype:web-application-attack; sid:43720; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Site-Assistant menu.php remote file include attempt"; flow:to_server,established; content:"menu.php"; fast_pattern:only; http_uri; content:"paths[version]="; nocase; http_uri; content:"|3A|/"; http_uri; pcre:"/[?&]paths\x5bversion\x5d=[^&]*?(http|ftp)/Ui"; metadata:service http; reference:bugtraq,22467; reference:cve,2007-0867; classtype:web-application-attack; sid:43719; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Site-Assistant menu.php remote file include attempt"; flow:to_server,established; content:"menu.php"; fast_pattern:only; http_uri; content:"paths[version]="; nocase; http_client_body; pcre:"/(^|&)paths\x5bversion\x5d=[^&]*?(http|ftp)/Pim"; metadata:service http; reference:bugtraq,22467; reference:cve,2007-0867; classtype:web-application-attack; sid:43718; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt"; flow:to_server,established; content:"/cgi-bin/gencsr"; fast_pattern:only; http_uri; content:"key_size="; nocase; http_uri; pcre:"/[?&]key_size=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,packetstormsecurity.com/files/143421; classtype:web-application-attack; sid:43711; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt"; flow:to_server,established; content:"/cgi-bin/gencsr"; fast_pattern:only; http_uri; content:"key_size="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]key(\x5f|%5f)size=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,packetstormsecurity.com/files/143421; classtype:web-application-attack; sid:43710; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt"; flow:to_server,established; content:"/cgi-bin/gencsr"; fast_pattern:only; http_uri; content:"key_size"; nocase; http_client_body; pcre:"/(^|&)key_size=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,packetstormsecurity.com/files/143421; classtype:web-application-attack; sid:43709; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro InterScan WSA DeployWizard command injection attempt"; flow:to_server,established; content:"/deploywizard/deploywizard.do"; fast_pattern:only; http_uri; content:"haport="; nocase; http_uri; pcre:"/[?&]haport=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,success.trendmicro.com/solution/1116960; classtype:web-application-attack; sid:43697; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro InterScan WSA DeployWizard command injection attempt"; flow:to_server,established; content:"/deploywizard/deploywizard.do"; fast_pattern:only; http_uri; content:"haport="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]haport=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,success.trendmicro.com/solution/1116960; classtype:web-application-attack; sid:43696; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro InterScan WSA DeployWizard command injection attempt"; flow:to_server,established; content:"/deploywizard/deploywizard.do"; fast_pattern:only; http_uri; content:"haport="; nocase; http_client_body; pcre:"/(^|&)haport=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,success.trendmicro.com/solution/1116960; classtype:web-application-attack; sid:43695; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Mantis Bug Tracker password reset attempt"; flow:to_server,established; content:"/mantisbt"; nocase; http_uri; content:"/verify.php"; nocase; http_uri; content:"confirm_hash="; nocase; http_uri; content:"|00|"; within:5; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-7615; classtype:attempted-admin; sid:43694; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Mantis Bug Tracker password reset attempt"; flow:to_server,established; content:"/mantisbt"; nocase; http_uri; content:"/verify.php"; nocase; http_uri; content:"confirm_hash="; fast_pattern:only; nocase; http_uri; content:"confirm_hash= HTTP|2F|1.1"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-7615; classtype:attempted-admin; sid:43693; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ultimate Fun Book function.php remote file include attempt"; flow:to_server,established; content:"/function.php"; nocase; http_uri; content:"gbpfad="; fast_pattern; http_uri; content:"tp|3A|/"; within:20; nocase; http_uri; metadata:service http; reference:cve,2007-1059; classtype:web-application-attack; sid:43691; rev:1;)
# Enabled rule family (sids 43690, 43689, 43688; reference cve,2016-9684):
# command injection through the CERT parameter of /cgi-bin/viewcert. All three
# use the same fast pattern on the normalized URI and differ only in the
# buffer that is checked for shell metacharacters:
#   43690 - normalized URI (pcre /U): backtick, ';', '|', or '<(' '>(' '$('
#           inside the CERT value.
#   43689 - raw URI (pcre /I): a percent-encoded ampersand (%26) inside the
#           CERT value. Presumably kept separate because a decoded '&' cannot
#           be told apart from a parameter separator by the [^&] value match.
#   43688 - request body (pcre /P): the same metacharacters plus their
#           percent-encoded forms, anchored at line start or after '&'.
# Keep the three enabled together; disabling one leaves that buffer unchecked.
# NOTE(review): these rules only see cleartext HTTP on $HTTP_PORTS. If the
# appliance's web interface is reached over TLS, the traffic has to be
# decrypted before Snort for any of them to match — confirm for this deployment.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SonicWall Secure Remote Access viewcert command injection attempt"; flow:to_server,established; content:"/cgi-bin/viewcert"; fast_pattern:only; http_uri; content:"CERT="; nocase; http_uri; pcre:"/[?&]CERT=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,96375; reference:cve,2016-9684; reference:url,www.sonicwall.com/en-us/support/knowledge-base/170502466823148; classtype:web-application-attack; sid:43690; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SonicWall Secure Remote Access viewcert command injection attempt"; flow:to_server,established; content:"/cgi-bin/viewcert"; fast_pattern:only; http_uri; content:"CERT="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]CERT=[^&]*?%26/Ii"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,96375; reference:cve,2016-9684; reference:url,www.sonicwall.com/en-us/support/knowledge-base/170502466823148; classtype:web-application-attack; sid:43689; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SonicWall Secure Remote Access viewcert command injection attempt"; flow:to_server,established; content:"/cgi-bin/viewcert"; fast_pattern:only; http_uri; content:"CERT="; nocase; http_client_body; pcre:"/(^|&)CERT=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,96375; reference:cve,2016-9684; reference:url,www.sonicwall.com/en-us/support/knowledge-base/170502466823148; classtype:web-application-attack; sid:43688; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpSecurePages secure.php remote file include attempt"; flow:to_server,established; content:"/phpSecurePages/secure.php"; fast_pattern:only; http_uri; content:"cfgProgDir="; nocase; http_client_body; content:"tp:|2F|"; within:20; nocase; http_client_body; metadata:service http; reference:cve,2001-1468; classtype:web-application-attack; sid:43681; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpSecurePages secure.php remote file include attempt"; flow:to_server,established; content:"/phpSecurePages/secure.php"; fast_pattern:only; http_uri; content:"cfgProgDir="; nocase; http_uri; content:"tp:|2F|"; within:20; nocase; http_uri; metadata:service http; reference:cve,2001-1468; classtype:web-application-attack; sid:43680; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP core unserialize use after free attempt"; flow:to_server,established; content:"O|25|3A"; fast_pattern:only; http_client_body; content:"|25|7Bs|25|3A"; http_client_body; content:"a|25|3A"; distance:0; http_client_body; content:"s|25|3A"; distance:0; http_client_body; content:"R|25|3A"; http_client_body; metadata:service http; reference:cve,2014-8142; classtype:attempted-user; sid:43668; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP VirtualSystem VS-News-System remote file include attempt"; flow:to_server,established; content:"/show_news_inc.php"; fast_pattern:only; http_uri; content:"newsordner="; nocase; http_client_body; content:"tp:|2F|"; within:20; nocase; http_client_body; metadata:service http; reference:cve,2007-1017; classtype:web-application-attack; sid:43667; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP VirtualSystem VS-News-System remote file include attempt"; flow:to_server,established; content:"/show_news_inc.php"; fast_pattern:only; http_uri; content:"newsordner="; nocase; http_uri; content:"tp:|2F|"; within:20; nocase; http_uri; metadata:service http; reference:cve,2007-1017; classtype:web-application-attack; sid:43666; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Pheap edit.php directory traversal attempt"; flow:to_server,established; content:"/edit.php"; fast_pattern:only; http_uri; content:"filename"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/filename\s*=\s*[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:service http; reference:cve,2007-1140; classtype:web-application-attack; sid:43655; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Pheap edit.php directory traversal attempt"; flow:to_server,established; content:"/edit.php"; fast_pattern:only; http_uri; content:"filename="; nocase; http_client_body; pcre:"/(^|&)filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:cve,2007-1140; classtype:web-application-attack; sid:43654; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Pheap edit.php directory traversal attempt"; flow:to_server,established; content:"/edit.php"; fast_pattern:only; http_uri; content:"filename="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]filename=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:cve,2007-1140; classtype:web-application-attack; sid:43653; rev:1;)
# SonicWall Secure Remote Access /cgi-bin/diagnostics, parameters currentTSREmailTo and
# tsrDeleteRestartedFile (cve,2016-9682). One rule per HTTP buffer:
#   sid 43647 - normalized URI (pcre /U): a backtick, ";" or "|", or one of "<(", ">(", "$(",
#               inside either parameter value.
#   sid 43646 - request body (pcre /P): the same metacharacters, literal or percent-encoded
#               (%60, %3b, %7c, %26, %3c%28, %3e%28, %24%28).
#   sid 43645 - raw URI (pcre /I): a percent-encoded ampersand (%26) inside either value.
# Unlike some sibling rule sets in this file, sids 43647 and 43646 have no separate content
# match on the parameter name; after the fast-pattern hit on the URI path the pcre is the
# only remaining check, so it runs for every request to /cgi-bin/diagnostics.
# The rules inspect cleartext HTTP buffers only; TLS-protected sessions need decryption
# ahead of the sensor. Header action is "alert"; the metadata requests "drop" under the
# balanced-ips, max-detect-ips and security-ips policies.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SonicWall Secure Remote Access diagnostics command injection attempt"; flow:to_server,established; content:"/cgi-bin/diagnostics"; fast_pattern:only; http_uri; pcre:"/[?&](currentTSREmailTo|tsrDeleteRestartedFile)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,96375; reference:cve,2016-9682; reference:url,www.sonicwall.com/en-us/support/knowledge-base/170502466823148; classtype:web-application-attack; sid:43647; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SonicWall Secure Remote Access diagnostics command injection attempt"; flow:to_server,established; content:"/cgi-bin/diagnostics"; fast_pattern:only; http_uri; pcre:"/(^|&)(currentTSREmailTo|tsrDeleteRestartedFile)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,96375; reference:cve,2016-9682; reference:url,www.sonicwall.com/en-us/support/knowledge-base/170502466823148; classtype:web-application-attack; sid:43646; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SonicWall Secure Remote Access diagnostics command injection attempt"; flow:to_server,established; content:"/cgi-bin/diagnostics"; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&](currentTSREmailTo|tsrDeleteRestartedFile)=[^&]*?%26/Ii"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,96375; reference:cve,2016-9682; reference:url,www.sonicwall.com/en-us/support/knowledge-base/170502466823148; classtype:web-application-attack; sid:43645; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SAP Internet Transaction Server cross site scripting attempt"; flow:to_server,established; content:"/scripts/wgate.dll"; fast_pattern:only; http_uri; content:"~service="; nocase; http_uri; pcre:"/~service=[^~]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2003-0749; classtype:attempted-user; sid:43637; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Zenoss call home remote code execution attempt"; flow:to_client,established; file_data; content:"p1|0A|"; content:"p2|0A|"; distance:0; content:"p3|0A|"; distance:0; content:"|0A|S|27|"; fast_pattern:only; content:!"|0A|S|27|latest|27|"; metadata:service http; reference:cve,2014-6261; classtype:attempted-user; sid:43634; rev:1;)
# Axis M3004 ONVIF device service (cve,2017-9765).
# Match logic: the request URI contains /onvif/device_service, the payload contains "<?",
# at least 64 bytes follow it (isdataat:64,relative), and none of the next 64 bytes is "?".
# In other words, an XML "<?" opening that is not closed within 64 bytes.
# The "<?" and negated "?" matches carry no HTTP buffer modifier, so they are evaluated
# against the packet payload rather than a specific normalized HTTP buffer.
# NOTE(review): a legitimate request whose XML declaration or processing instruction runs
# longer than 64 bytes would also satisfy these conditions - check for such clients before
# relying on the "drop" action that the metadata requests for the balanced-ips,
# max-detect-ips and security-ips policies.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Axis M3004 remote code execution attempt"; flow:to_server,established; content:"/onvif/device_service"; fast_pattern:only; http_uri; content:"<?"; isdataat:64,relative; content:!"?"; within:64; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-9765; classtype:attempted-user; sid:43625; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt"; flow:to_server,established; content:"/cgi-bin/"; http_uri; content:"-msg.cgi"; within:15; fast_pattern; http_uri; content:"id="; nocase; http_uri; pcre:"/[?&]id=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:service http; reference:url,sourceforge.net/projects/esva-project/; classtype:web-application-attack; sid:43619; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt"; flow:to_server,established; content:"/cgi-bin/"; http_uri; content:"-msg.cgi"; within:15; fast_pattern; http_uri; content:"id="; nocase; http_client_body; pcre:"/(^|&)id=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:service http; reference:url,sourceforge.net/projects/esva-project/; classtype:web-application-attack; sid:43618; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt"; flow:to_server,established; content:"/cgi-bin/"; http_uri; content:"-msg.cgi"; within:15; fast_pattern; http_uri; content:"id"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?id((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:service http; reference:url,sourceforge.net/projects/esva-project/; classtype:web-application-attack; sid:43617; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt"; flow:to_server,established; content:"/cgi-bin/"; http_uri; content:"-msg.cgi"; within:15; fast_pattern; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]id=[^&]*?%26/Ii"; metadata:service http; reference:url,sourceforge.net/projects/esva-project/; classtype:web-application-attack; sid:43616; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"SERVER-WEBAPP Netgear Prosafe filesystem denial of service attempt"; flow:to_server,established; content:"/filesystem/ "; fast_pattern:only; metadata:service http; reference:cve,2013-4776; classtype:denial-of-service; sid:43595; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt"; flow:to_server,established; content:"delivery.php"; fast_pattern:only; http_uri; content:"testconn_host="; nocase; http_uri; pcre:"/[?&]testconn_host=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:service http; reference:bugtraq,65984; reference:cve,2013-6719; classtype:web-application-attack; sid:43594; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt"; flow:to_server,established; content:"delivery.php"; fast_pattern:only; http_uri; content:"testconn_host="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]testconn(\x5f|%5f)host=[^&]*?%26/Ii"; metadata:service http; reference:bugtraq,65984; reference:cve,2013-6719; classtype:web-application-attack; sid:43593; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt"; flow:to_server,established; content:"delivery.php"; fast_pattern:only; http_uri; content:"testconn_host"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?testconn_host((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:service http; reference:bugtraq,65984; reference:cve,2013-6719; classtype:web-application-attack; sid:43592; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt"; flow:to_server,established; content:"delivery.php"; fast_pattern:only; http_uri; content:"testconn"; nocase; http_client_body; pcre:"/(^|&)testconn(\x5f|%5f)host=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:service http; reference:bugtraq,65984; reference:cve,2013-6719; classtype:web-application-attack; sid:43591; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Brocade Network Advisor directory traversal attempt"; flow:to_server,established; content:"/DashboardFileReceiveServlet/DashboardFileReceiveServlet.do"; fast_pattern:only; http_uri; content:"filename="; nocase; http_client_body; pcre:"/\s*[\x22\x27]?\x3b\x20filename=((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,95694; reference:cve,2016-8205; reference:url,www.brocade.com/content/dam/common/documents/content-types/security-bulletin/brocade-security-advisory-2016-178.htm; classtype:web-application-attack; sid:43590; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Brocade Network Advisor directory traversal attempt"; flow:to_server,established; content:"/DashboardFileReceiveServlet/DashboardFileReceiveServlet.do"; fast_pattern:only; http_uri; content:"filename="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]filename=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,95694; reference:cve,2016-8205; reference:url,www.brocade.com/content/dam/common/documents/content-types/security-bulletin/brocade-security-advisory-2016-178.htm; classtype:web-application-attack; sid:43589; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Brocade Network Advisor directory traversal attempt"; flow:to_server,established; content:"/DashboardFileReceiveServlet/DashboardFileReceiveServlet.do"; fast_pattern:only; http_uri; content:"filename="; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/\s*[\x22\x27]?\x3b\x20filename=((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,95694; reference:cve,2016-8205; reference:url,www.brocade.com/content/dam/common/documents/content-types/security-bulletin/brocade-security-advisory-2016-178.htm; classtype:web-application-attack; sid:43588; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CA eHealth command injection attempt"; flow:to_server,established; content:"/aviewbin/licsys.pl"; fast_pattern:only; http_uri; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?\w+((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,80698; reference:cve,2016-6152; reference:url,www.ca.com/us/services-support/ca-support/ca-support-online/product-content/recommended-reading/security-notices/ca20160721-01-security-notice-for-ca-ehealth.html; classtype:web-application-attack; sid:43586; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CA eHealth command injection attempt"; flow:to_server,established; content:"/aviewbin/licsys.pl"; fast_pattern:only; http_uri; content:"="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]\w+=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,80698; reference:cve,2016-6152; reference:url,www.ca.com/us/services-support/ca-support/ca-support-online/product-content/recommended-reading/security-notices/ca20160721-01-security-notice-for-ca-ehealth.html; classtype:web-application-attack; sid:43585; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CA eHealth command injection attempt"; flow:to_server,established; content:"/aviewbin/licsys.pl"; fast_pattern:only; http_uri; content:"="; nocase; http_uri; pcre:"/[?&]\w+=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,80698; reference:cve,2016-6152; reference:url,www.ca.com/us/services-support/ca-support/ca-support-online/product-content/recommended-reading/security-notices/ca20160721-01-security-notice-for-ca-ehealth.html; classtype:web-application-attack; sid:43584; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CA eHealth command injection attempt"; flow:to_server,established; content:"/aviewbin/licsys.pl"; fast_pattern:only; http_uri; content:"="; nocase; http_client_body; pcre:"/(^|&)\w+=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,80698; reference:cve,2016-6152; reference:url,www.ca.com/us/services-support/ca-support/ca-support-online/product-content/recommended-reading/security-notices/ca20160721-01-security-notice-for-ca-ehealth.html; classtype:web-application-attack; sid:43583; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9700 (msg:"SERVER-WEBAPP Oracle BPEL Process Manager directory traversal attempt"; flow:to_server,established; content:"GET /BPELConsole/script?../"; fast_pattern:only; metadata:service http; reference:bugtraq,63058; reference:cve,2013-3828; classtype:attempted-user; sid:43577; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Wing FTP Server command injection attempt"; flow:to_client,established; file_data; content:"<html"; depth:20; nocase; content:":5466/admin_lua_script.html"; fast_pattern; content:"POST"; within:20; nocase; content:"value="; nocase; content:"os.execute("; within:20; nocase; metadata:service http; reference:bugtraq,75043; reference:cve,2015-4107; reference:url,seclists.org/bugtraq/2015/Jun/25; classtype:web-application-attack; sid:43574; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Zavio Cam command injection attempt"; flow:to_server,established; content:"/cgi-bin/mft/wireless_mft"; fast_pattern:only; http_uri; content:"ap="; nocase; http_uri; pcre:"/[?&]ap=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:service http; reference:cve,2013-2568; classtype:web-application-attack; sid:43572; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Zavio Cam command injection attempt"; flow:to_server,established; content:"/cgi-bin/mft/wireless_mft"; fast_pattern:only; http_uri; content:"ap="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]ap=[^&]*?%26/Ii"; metadata:service http; reference:cve,2013-2568; classtype:web-application-attack; sid:43571; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Zavio Cam command injection attempt"; flow:to_server,established; content:"/cgi-bin/mft/wireless_mft"; fast_pattern:only; http_uri; content:"ap="; nocase; http_client_body; pcre:"/(^|&)ap=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:service http; reference:cve,2013-2568; classtype:web-application-attack; sid:43570; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Zavio Cam command injection attempt"; flow:to_server,established; content:"/cgi-bin/mft/wireless_mft"; fast_pattern:only; http_uri; content:"ap"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?ap((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:service http; reference:cve,2013-2568; classtype:web-application-attack; sid:43569; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Framework diagnostic information disclosure attempt"; flow:to_server,established; content:"/OA_HTML/RF.jsp"; fast_pattern:only; http_uri; content:"OADiagnostic=1|3B|"; http_cookie; metadata:service http; reference:cve,2013-0397; classtype:attempted-recon; sid:43568; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Framework diagnostic information disclosure attempt"; flow:to_server,established; content:"/OA_HTML/RF.jsp"; fast_pattern:only; http_uri; content:"OADeveloperMode=1|3B|"; http_cookie; metadata:service http; reference:cve,2013-0397; classtype:attempted-recon; sid:43567; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ReadyDesk upload remote code execution attempt"; flow:to_server,established; content:"/readydesk/hd/upload.aspx"; fast_pattern:only; http_uri; content:"TID=."; nocase; http_client_body; content:"filename"; nocase; http_client_body; content:"filedata="; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/filename\s*=\s*[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:43554; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ReadyDesk upload remote code execution attempt"; flow:to_server,established; content:"/readydesk/hd/upload.aspx"; fast_pattern:only; http_uri; content:"TID=."; nocase; http_client_body; content:"filename="; nocase; http_uri; content:"filedata="; nocase; http_client_body; content:"../"; http_uri; pcre:"/[?&]filename=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:43553; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ReadyDesk upload remote code execution attempt"; flow:to_server,established; content:"/readydesk/hd/upload.aspx"; fast_pattern:only; http_uri; content:"TID=."; nocase; http_client_body; content:"filename="; nocase; http_client_body; content:"filedata="; nocase; http_client_body; pcre:"/(^|&)filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:43552; rev:2;)
# Disabled by default. Matches "User-Agent:" followed within 30 bytes by
# "AV Report Scheduler"; neither content match is bound to an HTTP header buffer.
# NOTE(review): the header reads $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS with
# flow:to_server, i.e. it inspects requests leaving the protected network. Requests
# arriving from $EXTERNAL_NET at an appliance inside $HOME_NET are not covered by this
# header. Confirm which direction is intended for your deployment before enabling, and
# consider a local rule for the inbound direction if the appliance sits in $HOME_NET.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AlienVault Unified Security Manager authentication bypass attempt"; flow:to_server,established; content:"User-Agent|3A|"; nocase; content:"AV Report Scheduler"; within:30; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-admin; sid:43549; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Brocade Network Advisor remote code execution attempt"; flow:to_server,established; content:"/FileReceiveServlet.do"; fast_pattern:only; http_uri; content:"filename="; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[^\x3b]*\x3b\s*filename=((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,95695; reference:cve,2016-8204; reference:url,www.brocade.com/content/dam/common/documents/content-types/security-bulletin/brocade-security-advisory-2016-177.htm; classtype:web-application-attack; sid:43548; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2381 (msg:"SERVER-WEBAPP HPE System Management Homepage buffer overflow attempt"; flow:to_server,established; content:"POST /proxy/SetSMHData"; fast_pattern:only; content:"-group="; isdataat:1280,relative; pcre:"/-group[^\r\n\s]{1280}/i"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,93961; reference:cve,2016-4395; classtype:attempted-admin; sid:43545; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CA ArcServe information disclosure attempt"; flow:to_server,established; content:"/contents/service/homepage"; http_uri; content:"2C6B33BED38F825C48AE73C093241510"; fast_pattern:only; http_client_body; metadata:service http; reference:cve,2011-3011; classtype:attempted-user; sid:43544; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Koha directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/koha/opac-main.pl"; fast_pattern:only; http_uri; content:"KohaOpacLanguage="; nocase; http_cookie; pcre:"/KohaOpacLanguage=[^\x3b\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Ci"; metadata:service http; reference:cve,2011-4715; classtype:web-application-attack; sid:43539; rev:1;)
# AlienVault OSSIM /nfsen/nfsen.php, customfmt parameter (cve,2017-6971).
# One rule per HTTP buffer:
#   sid 43536 - normalized URI (pcre /U): a backtick, ";" or "|", or one of "<(", ">(", "$(",
#               inside the customfmt value.
#   sid 43535 - raw URI (pcre /I): a percent-encoded ampersand (%26) inside the value.
#   sid 43534 - request body (pcre /P): the same metacharacters, literal or percent-encoded.
# The patterns flag shell metacharacters in the parameter, not a specific payload, so a
# hit indicates a suspicious value and should be triaged against the full request and
# the host's patch level.
# The rules inspect cleartext HTTP buffers only; TLS-protected sessions need decryption
# ahead of the sensor. Header action is "alert"; the metadata requests "drop" under the
# balanced-ips, max-detect-ips and security-ips policies.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AlienVault OSSIM nfsen.php command injection attempt"; flow:to_server,established; content:"/nfsen/nfsen.php"; fast_pattern:only; http_uri; content:"customfmt="; nocase; http_uri; pcre:"/[?&]customfmt=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-6971; reference:url,www.alienvault.com/forums/discussion/8324/; classtype:web-application-attack; sid:43536; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AlienVault OSSIM nfsen.php command injection attempt"; flow:to_server,established; content:"/nfsen/nfsen.php"; fast_pattern:only; http_uri; content:"customfmt="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]customfmt=[^&]*?%26/Ii"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-6971; reference:url,www.alienvault.com/forums/discussion/8324/; classtype:web-application-attack; sid:43535; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AlienVault OSSIM nfsen.php command injection attempt"; flow:to_server,established; content:"/nfsen/nfsen.php"; fast_pattern:only; http_uri; content:"customfmt="; nocase; http_client_body; pcre:"/(^|&)customfmt=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-6971; reference:url,www.alienvault.com/forums/discussion/8324/; classtype:web-application-attack; sid:43534; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt"; flow:to_server,established; content:"/webacs/rs/wap/preference/value/@@me/"; fast_pattern:only; http_uri; pcre:"/[?&](PI_RECENT_LINKS|categoryPath)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:service http; reference:cve,2017-6698; classtype:web-application-attack; sid:43513; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt"; flow:to_server,established; content:"/webacs/rs/wap/preference/value/@@me/"; fast_pattern:only; http_uri; pcre:"/(^|&)(PI(\x5f|%5f)RECENT(\x5f|%5f)LINKS|categoryPath)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:service http; reference:cve,2017-6698; classtype:web-application-attack; sid:43512; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt"; flow:to_server,established; content:"/webacs/rs/preferences/systemPreferencesForNode/default."; fast_pattern:only; http_uri; content:"|22|items|22|"; http_client_body; pcre:"/\x22items\x22\s*\x3a\s*\x5b\s*\x22((?!(?<!\x5c)\x22).)*?([\x27\x3b\x23]|\x2f\x2a|\x2d\x2d)/Pi"; metadata:service http; reference:cve,2017-6698; classtype:web-application-attack; sid:43511; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt"; flow:to_server,established; content:"/webacs/rs/json/userService/getAuditRecordsForGivenRange/"; fast_pattern:only; http_uri; pcre:"/[?&](userName|ipAddress|time|auditDescription|userGroup|activeDomain)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:service http; reference:cve,2017-6698; classtype:web-application-attack; sid:43510; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt"; flow:to_server,established; content:"/webacs/rs/json/userService/getAuditRecordsForGivenRange/"; fast_pattern:only; http_uri; pcre:"/(^|&)(userName|ipAddress|time|auditDescription|userGroup|activeDomain)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:service http; reference:cve,2017-6698; classtype:web-application-attack; sid:43509; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt"; flow:to_server,established; content:"/webacs/rs/json/jobSchedulerService/getJobDetails/"; fast_pattern:only; http_uri; pcre:"/\x2fgetJobDetails\x2f[^\x2f]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:service http; reference:cve,2017-6698; classtype:web-application-attack; sid:43508; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt"; flow:to_server,established; content:"/webacs/rs/json/jobSchedulerService/getAllJobsCtr/Infrastructure/"; fast_pattern:only; http_uri; pcre:"/\x2fInfrastructure\x2f[^\x2f]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:service http; reference:cve,2017-6698; classtype:web-application-attack; sid:43507; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt"; flow:to_server,established; content:"/webacs/rs/json/jobSchedulerService/getAllJobs/"; fast_pattern:only; http_uri; pcre:"/\x2fgetAllJobs\x2f[^\x2f]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:service http; reference:cve,2017-6698; classtype:web-application-attack; sid:43506; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt"; flow:to_server,established; content:"/webacs/rs/device-rest/getfiltercriteria/device"; fast_pattern:only; http_uri; content:"id="; nocase; http_uri; pcre:"/[?&]id=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:service http; reference:cve,2017-6698; classtype:web-application-attack; sid:43505; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt"; flow:to_server,established; content:"/webacs/rs/device-rest/getfiltercriteria/device"; fast_pattern:only; http_uri; content:"id="; nocase; http_client_body; pcre:"/(^|&)id=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:service http; reference:cve,2017-6698; classtype:web-application-attack; sid:43504; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt"; flow:to_server,established; content:"/webacs/inventoryRestService/ifm/inventory-rest/getImportTaskStatusDTO/"; fast_pattern:only; http_uri; pcre:"/\x2fgetImportTaskStatusDTO\x2f[^\x2f]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:service http; reference:cve,2017-6698; classtype:web-application-attack; sid:43503; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Prime Infrastructure cross site scripting attempt"; flow:to_server,established; content:"/webacs/loginAction.do"; fast_pattern:only; http_uri; content:"jobBreadcrumName="; nocase; http_uri; pcre:"/[?&]jobBreadcrumName=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2017-6700; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm4; classtype:attempted-user; sid:43502; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Prime Infrastructure cross site scripting attempt"; flow:to_server,established; content:"/webacs/index_abs.jsp"; fast_pattern:only; http_uri; content:"jobName="; nocase; http_uri; pcre:"/[?&]jobName=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2017-6700; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm4; classtype:attempted-user; sid:43501; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Prime Infrastructure cross site scripting attempt"; flow:to_server,established; content:"/webacs/applications/inventory/html/ImportJobResults.jsp"; fast_pattern:only; http_uri; pcre:"/[?&](task|jobResultPage)Id=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2017-6699; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm3; classtype:attempted-user; sid:43500; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Prime Infrastructure cross site scripting attempt"; flow:to_server,established; content:"/webacs/applications/common/jsp/SystemPreferences_Configurable.jsp"; fast_pattern:only; http_uri; pcre:"/[?&](taskName|confUrl)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2017-6699; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170621-piepnm3; classtype:attempted-user; sid:43499; rev:1;)
# NOTE(review): sids 43496, 43495 and 43494 below all key on one byte string, the DER-encoded
# name C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3, seen in server-to-client traffic
# from port 443. Coverage caveats to weigh before enabling any of them:
#   - Only that single CN is matched; a certificate carrying any other Let's Encrypt
#     issuer name does not hit these rules.
#   - TLS 1.3 encrypts the Certificate message, so a passive sensor does not see these
#     bytes on such sessions.
#   - sid 43496 fires on the name alone (classtype misc-attack), which is not evidence of
#     an attack by itself; expect it to be noisy.
#   - sids 43495/43494 add a case-insensitive substring ("paypal" / "appleid") anywhere after
#     the name (distance:0), so any later occurrence of the substring in the same buffer
#     matches, not just a look-alike domain name.
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-WEBAPP Lets Encrypt SSL certificate issuer detected"; flow:to_client,established; ssl_state:server_hello; content:"|30 4A 31 0B 30 09 06 03 55 04 06 13 02 55 53 31 16 30 14 06 03 55 04 0A 13 0D 4C 65 74 27 73 20 45 6E 63 72 79 70 74 31 23 30 21 06 03 55 04 03 13 1A 4C 65 74 27 73 20 45 6E 63 72 79 70 74 20 41 75 74 68 6F 72 69 74 79 20 58 33|"; fast_pattern:only; metadata:service ssl; classtype:misc-attack; sid:43496; rev:1;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling paypal"; flow:to_client,established; ssl_state:server_hello; content:"|30 4A 31 0B 30 09 06 03 55 04 06 13 02 55 53 31 16 30 14 06 03 55 04 0A 13 0D 4C 65 74 27 73 20 45 6E 63 72 79 70 74 31 23 30 21 06 03 55 04 03 13 1A 4C 65 74 27 73 20 45 6E 63 72 79 70 74 20 41 75 74 68 6F 72 69 74 79 20 58 33|"; content:"paypal"; distance:0; nocase; metadata:policy max-detect-ips drop, service ssl; classtype:misc-attack; sid:43495; rev:3;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling appleid"; flow:to_client,established; ssl_state:server_hello; content:"|30 4A 31 0B 30 09 06 03 55 04 06 13 02 55 53 31 16 30 14 06 03 55 04 0A 13 0D 4C 65 74 27 73 20 45 6E 63 72 79 70 74 31 23 30 21 06 03 55 04 03 13 1A 4C 65 74 27 73 20 45 6E 63 72 79 70 74 20 41 75 74 68 6F 72 69 74 79 20 58 33|"; content:"appleid"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ssl; classtype:misc-attack; sid:43494; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress wp_title function cross site scripting attempt"; flow:to_server,established; content:"year="; fast_pattern:only; http_uri; pcre:"/[?&]year=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2007-1894; classtype:attempted-user; sid:43458; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TerraMaster NAS arbitrary PHP file upload attempt"; flow:to_server,established; content:"/include/upload.php"; nocase; http_uri; content:"kod_name"; fast_pattern:only; content:"kod_name"; nocase; http_cookie; content:"<?"; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.evilsocket.net/2017/05/30/Terramaster-NAS-Unauthenticated-RCE-as-root/; classtype:attempted-admin; sid:43451; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP XML entity parsing information disclosure attempt"; flow:to_server,established; content:"PUT"; nocase; http_method; content:"<!DOCTYPE "; nocase; content:"<!ENTITY"; distance:0; nocase; pcre:"/<!ENTITY[^>]*?(SYSTEM|PUBLIC)/i"; metadata:policy max-detect-ips drop, service http; reference:cve,2013-6429; reference:cve,2014-0054; classtype:attempted-recon; sid:43444; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GoAutoDial validate_credentials SQL injection attempt"; flow:to_server,established; content:"/index.php/go_login/validate_credentials"; fast_pattern:only; http_uri; pcre:"/\x2fvalidate_credentials\x2f(\w+\x2f)?[^\x2f]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,74281; reference:cve,2015-2843; classtype:web-application-attack; sid:43441; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GoAutoDial validate_credentials SQL injection attempt"; flow:to_server,established; content:"/index.php/go_login/validate_credentials"; fast_pattern:only; http_uri; content:"user"; nocase; http_client_body; pcre:"/(^|&)user(\x5f|%5f)(name|pass)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,74281; reference:cve,2015-2843; classtype:web-application-attack; sid:43440; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GoAutoDial go_get_user_info SQL injection attempt"; flow:to_server,established; content:"/index.php/go_site/go_get_user_info"; fast_pattern:only; http_uri; pcre:"/\x2fgo_get_user_info\x2f[^\x2f]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,74281; reference:cve,2015-2843; classtype:web-application-attack; sid:43439; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GoAutoDial cpanel command injection attempt"; flow:to_server,established; content:"/index.php/go_site/cpanel"; fast_pattern:only; http_uri; pcre:"/\x2fcpanel\x2f(\w+\x2f)?[^\x2f]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,74281; reference:cve,2015-2844; reference:cve,2015-2845; classtype:web-application-attack; sid:43438; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GoAutoDial cpanel command injection attempt"; flow:to_server,established; content:"/index.php/go_site/cpanel"; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/\x2fcpanel\x2f(\w+\x2f)?[^\x2f]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,74281; reference:cve,2015-2844; reference:cve,2015-2845; classtype:web-application-attack; sid:43437; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GE Fanuc Real Time Information Portal arbitrary file write attempt"; flow:to_server,established; content:"/infoAgentSrv/iFixWeb"; fast_pattern:only; http_uri; content:"<writeFile"; nocase; http_client_body; metadata:service http; reference:bugtraq,27446; reference:cve,2008-0175; reference:url,www.kb.cert.org/vuls/id/339345; classtype:web-application-attack; sid:43436; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Secure Access Control Server cross site scripting attempt"; flow:to_server,established; content:"/CScgi/LogonProxy.cgi"; fast_pattern:only; http_uri; pcre:"/[?&](error|Ok)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2006-3101; classtype:attempted-user; sid:43435; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center directory traversal directory traversal attempt"; flow:to_server,established; content:"/upload/upload"; fast_pattern:only; http_uri; content:"fileName="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]fileName=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy security-ips drop, service http; reference:bugtraq,68540; reference:cve,2014-2618; classtype:web-application-attack; sid:43404; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center directory traversal directory traversal attempt"; flow:to_server,established; content:"/upload/upload"; fast_pattern:only; http_uri; content:"fileName="; nocase; http_client_body; pcre:"/(^|&)fileName=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy security-ips drop, service http; reference:bugtraq,68540; reference:cve,2014-2618; classtype:web-application-attack; sid:43403; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center directory traversal directory traversal attempt"; flow:to_server,established; content:"/upload/upload"; fast_pattern:only; http_uri; content:"fileName"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?fileName((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy security-ips drop, service http; reference:bugtraq,68540; reference:cve,2014-2618; classtype:web-application-attack; sid:43402; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MySQL Commander remote file include attempt"; flow:to_server,established; content:"/ressourcen/dbopen.php"; fast_pattern:only; http_uri; content:"home="; nocase; http_uri; content:"|3A|/"; http_uri; pcre:"/[?&]home=[^&]*?(http|ftp)/Ui"; metadata:service http; reference:bugtraq,22941; reference:cve,2007-1439; classtype:web-application-attack; sid:43392; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MySQL Commander remote file include attempt"; flow:to_server,established; content:"/ressourcen/dbopen.php"; fast_pattern:only; http_uri; content:"home="; nocase; http_client_body; pcre:"/(^|&)home=[^&]*?(http|ftp)/Pim"; metadata:service http; reference:bugtraq,22941; reference:cve,2007-1439; classtype:web-application-attack; sid:43391; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"SERVER-WEBAPP Netgear Prosafe startup config information disclosure attempt"; flow:to_server,established; content:"/filesystem/startup-config "; fast_pattern:only; metadata:service http; reference:cve,2013-4775; classtype:attempted-recon; sid:43390; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CA ERwin Web Portal ProfileIconServlet directory traversal attempt "; flow:to_server,established; content:"/MM/ProfileIconServlet"; fast_pattern:only; http_uri; content:"../"; http_uri; pcre:"/[?&](fileName=|customImageName=)[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:cve,2014-2210; classtype:web-application-attack; sid:43379; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Piwigo directory traversal attempt"; flow:to_server,established; content:"/install.php"; fast_pattern:only; http_uri; content:"piwigo/install.php"; http_raw_uri; content:"dl="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]dl=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy security-ips drop, service http; reference:cve,2013-1469; classtype:web-application-attack; sid:43366; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress Complete Gallery Manager arbitrary PHP file upload attempt"; flow:to_server,established; content:"/wordpress/wp-content/plugins/complete-gallery-manager/frames/upload-images.php"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2013-5962; classtype:attempted-admin; sid:43365; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Server 9i unauthenticated dms access attempt"; flow:to_server,established; content:"/oprocmgr-service"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2002-0563; classtype:attempted-recon; sid:43357; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Server 9i unauthenticated dms access attempt"; flow:to_server,established; content:"/fcgi-bin/echo"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2002-0563; classtype:attempted-recon; sid:43356; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Server 9i unauthenticated dms access attempt"; flow:to_server,established; content:"/dms/DMSDump"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2002-0563; classtype:attempted-recon; sid:43355; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Server 9i unauthenticated dms access attempt"; flow:to_server,established; content:"/dms/AggreSpy"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2002-0563; classtype:attempted-recon; sid:43354; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Server 9i unauthenticated dms access attempt"; flow:to_server,established; content:"/demo/email/sendmail.jsp"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2002-0563; classtype:attempted-recon; sid:43353; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Server 9i unauthenticated dms access attempt"; flow:to_server,established; content:"/demo/basic/info/info.jsp"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2002-0563; classtype:attempted-recon; sid:43352; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 446 (msg:"SERVER-WEBAPP OpenFiler NetworkCard command execution attempt"; flow:to_server,established; content:"/admin/system.html"; nocase; content:"device="; distance:0; nocase; pcre:"/[?&]device=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%3c%28|%3e%28|%24%28|%26)/i"; reference:bugtraq,55490; classtype:attempted-admin; sid:43334; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AssetMan download_pdf.php directory traversal attempt"; flow:to_server,established; content:"/download_pdf.php"; fast_pattern:only; http_uri; content:"pdf_file"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?pdf_file((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:service http; reference:cve,2007-1427; classtype:web-application-attack; sid:43331; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AssetMan download_pdf.php directory traversal attempt"; flow:to_server,established; content:"/download_pdf.php"; fast_pattern:only; http_uri; content:"pdf_file="; nocase; http_client_body; pcre:"/(^|&)pdf_file=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:cve,2007-1427; classtype:web-application-attack; sid:43330; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AssetMan download_pdf.php directory traversal attempt"; flow:to_server,established; content:"/download_pdf.php"; fast_pattern:only; http_uri; content:"pdf_file="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]pdf_file=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:cve,2007-1427; classtype:web-application-attack; sid:43329; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Laserjet Pro Webadmin password reset attempt"; flow:to_server,established; content:"/cgi-bin/ip_password_result.htm"; fast_pattern:only; http_uri; content:"Apply="; http_client_body; metadata:service http; reference:url,packetstormsecurity.com/files/121786; classtype:attempted-admin; sid:43327; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9201 (msg:"SERVER-WEBAPP Trihedral VTScada directory traversal attempt"; flow:to_server,established; content:"HEAD"; depth:4; nocase; content:".."; within:40; metadata:policy max-detect-ips drop; reference:bugtraq,91077; reference:cve,2016-4532; reference:url,ics-cert.us-cert.gov/advisories/ICSA-16-159-01; classtype:web-application-attack; sid:43326; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9201 (msg:"SERVER-WEBAPP Trihedral VTScada directory traversal attempt"; flow:to_server,established; content:"POST"; depth:4; nocase; content:".."; within:40; metadata:policy max-detect-ips drop; reference:bugtraq,91077; reference:cve,2016-4532; reference:url,ics-cert.us-cert.gov/advisories/ICSA-16-159-01; classtype:web-application-attack; sid:43325; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9201 (msg:"SERVER-WEBAPP Trihedral VTScada directory traversal attempt"; flow:to_server,established; content:"GET"; depth:3; nocase; content:".."; within:40; metadata:policy max-detect-ips drop; reference:bugtraq,91077; reference:cve,2016-4532; reference:url,ics-cert.us-cert.gov/advisories/ICSA-16-159-01; classtype:web-application-attack; sid:43324; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csSearch setup attempt"; flow:to_server,established; content:"csSearch.cgi"; fast_pattern:only; http_uri; content:"command=savesetup"; nocase; http_uri; content:"setup="; nocase; http_uri; metadata:service http; reference:bugtraq,4368; reference:cve,2002-0495; classtype:web-application-activity; sid:43307; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csNewsRemote setup attempt"; flow:to_server,established; content:"csNewsRemote.cgi"; fast_pattern:only; http_uri; content:"command=savesetup"; nocase; http_uri; content:"setup="; nocase; http_uri; metadata:service http; reference:bugtraq,4451; reference:cve,2002-1753; classtype:web-application-activity; sid:43306; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csLiveSupport setup attempt"; flow:to_server,established; content:"csLiveSupport.cgi"; fast_pattern:only; http_uri; content:"command=savesetup"; nocase; http_uri; content:"setup="; nocase; http_uri; metadata:service http; reference:bugtraq,4450; reference:cve,2002-1751; classtype:web-application-activity; sid:43305; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csChatRBox setup attempt"; flow:to_server,established; content:"csChatRBox.cgi"; fast_pattern:only; http_uri; content:"command=savesetup"; nocase; http_uri; content:"setup="; nocase; http_uri; metadata:service http; reference:bugtraq,4452; reference:cve,2002-1752; classtype:web-application-activity; sid:43304; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N150 abitrary file read attempt"; flow:to_server,established; content:"/cgi-bin/webproc"; fast_pattern:only; http_uri; content:"getpage="; nocase; http_uri; content:"page="; distance:0; nocase; http_uri; metadata:service http; reference:cve,2014-2962; classtype:web-application-attack; sid:43299; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IP3 Networks NetAccess directory traversal attempt"; flow:to_server,established; content:"/portalgroups/getfile.cgi"; fast_pattern:only; http_uri; content:"filename="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]filename=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:cve,2007-0883; classtype:web-application-attack; sid:43296; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cybozu Office directory traversal attempt"; flow:to_server,established; content:"/scripts/cbag/ag.exe"; fast_pattern:only; http_uri; content:"id="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]id=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:cve,2006-4490; classtype:web-application-attack; sid:43295; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cybozu Office directory traversal attempt"; flow:to_server,established; content:"/scripts/s360v2/s360.exe"; fast_pattern:only; http_uri; content:"id="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]id=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:cve,2006-4490; classtype:web-application-attack; sid:43294; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Server 9i unauthenticated application deployment attempt"; flow:to_server,established; content:"/soap/soaplet/soaprouter"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2001-1371; classtype:attempted-recon; sid:43291; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /ws_ftp.log file access attempt"; flow:to_server,established; content:"/ws_ftp.log"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:43290; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /etc/shadow file access attempt"; flow:to_server,established; content:"/etc/shadow"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1087; classtype:attempted-recon; sid:43289; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /etc/motd file access attempt"; flow:to_server,established; content:"/etc/motd"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1087; classtype:attempted-recon; sid:43288; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /etc/inetd.conf file access attempt"; flow:to_server,established; content:"/etc/inetd.conf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1087; classtype:attempted-recon; sid:43287; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /cgi-bin/sh file access attempt"; flow:to_server,established; content:"/cgi-bin/sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:43286; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /.svn/entries file access attempt"; flow:to_server,established; content:"/.svn/entries"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:43285; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Network Automation RedirectServlet SQL injection attempt"; flow:to_server,established; content:"/connector.redirect"; fast_pattern:only; http_uri; content:"deviceID="; nocase; http_uri; pcre:"/[?&]deviceID=[^&]*?[^\d\x20&]/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,98331; reference:cve,2017-5810; reference:url,h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03740en_us; classtype:web-application-attack; sid:43284; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP .NET AjaxControlToolkit directory traversal remote code execution attempt"; flow:to_server,established; content:"/AjaxFileUploadHandler.axd"; fast_pattern:only; http_uri; content:"fileId"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?fileId((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:service http; reference:cve,2015-4670; classtype:attempted-user; sid:43283; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP .NET AjaxControlToolkit directory traversal remote code execution attempt"; flow:to_server,established; content:"/AjaxFileUploadHandler.axd"; fast_pattern:only; http_uri; content:"fileId="; nocase; http_client_body; pcre:"/(^|&)fileId=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:cve,2015-4670; classtype:attempted-user; sid:43282; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP .NET AjaxControlToolkit directory traversal remote code execution attempt"; flow:to_server,established; content:"/AjaxFileUploadHandler.axd"; fast_pattern:only; http_uri; content:"fileId="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]fileId=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:cve,2015-4670; classtype:attempted-user; sid:43281; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess cross site scripting attempt"; flow:to_server,established; content:"/broadWeb/include/gUpdate.asp"; fast_pattern:only; http_uri; content:"ProjDesc="; nocase; http_uri; pcre:"/[?&]ProjDesc=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2012-0233; classtype:attempted-user; sid:43280; rev:1;)
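# Advantech WebAccess gUpdate.asp XSS, POST-body variant (CVE-2012-0233): the request body
# must carry ProjDesc= followed, before the next "&", by a percent-encoded quote, angle
# bracket or parenthesis, or by script/onload/src. The P flag runs the pcre on the raw body.
# Local change from the shipped rev 2 pattern: the alternation is now grouped. As shipped,
# "|script|onload|src" sat at the top level of the expression, so any body containing
# "script", "onload" or "src" anywhere matched once ProjDesc= was present, regardless of the
# parameter value. The URI variant of this rule already groups the same alternatives.
# Track this edit so a ruleset update does not silently revert it.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess cross site scripting attempt"; flow:to_server,established; content:"/broadWeb/include/gUpdate.asp"; fast_pattern:only; http_uri; content:"ProjDesc="; nocase; http_client_body; pcre:"/ProjDesc=[^&]*?(\x25(22|27|3c|3e|28|29)|script|onload|src)/Pi"; metadata:service http; reference:cve,2012-0233; classtype:attempted-user; sid:43279; rev:2;)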
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt directory traversal attempt"; flow:to_server,established; content:"/WADashboard/ajax/FileAjaxAction.aspx"; fast_pattern:only; http_uri; content:"folderName="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]folderName=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0855; reference:url,ics-cert.us-cert.gov/advisories/ICSA-16-014-01; classtype:web-application-attack; sid:43274; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt directory traversal attempt"; flow:to_server,established; content:"/WADashboard/ajax/FileAjaxAction.aspx"; fast_pattern:only; http_uri; content:"folderName="; nocase; http_client_body; pcre:"/(^|&)folderName=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0855; reference:url,ics-cert.us-cert.gov/advisories/ICSA-16-014-01; classtype:web-application-attack; sid:43273; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt directory traversal attempt"; flow:to_server,established; content:"/WADashboard/ajax/FileAjaxAction.aspx"; fast_pattern:only; http_uri; content:"folderName"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?folderName((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0855; reference:url,ics-cert.us-cert.gov/advisories/ICSA-16-014-01; classtype:web-application-attack; sid:43272; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Squid ESI processing buffer overflow attempt"; flow:to_client,established; file_data; content:"Surrogate-Control:"; fast_pattern; http_header; content:"ESI/1.0"; within:100; nocase; http_header; content:"Content-Type:"; nocase; http_header; content:"text/"; within:50; nocase; http_header; content:"<"; isdataat:2000,relative; content:!">"; within:2000; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4054; reference:url,www.squid-cache.org/Advisories/SQUID-2016_6.txt; classtype:attempted-user; sid:43268; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt"; flow:to_server,established; content:"/ReportView"; fast_pattern:only; http_uri; content:"fileName"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?fileName((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:service http; reference:cve,2016-1605; classtype:web-application-attack; sid:43267; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt"; flow:to_server,established; content:"/ReportView"; fast_pattern:only; http_uri; content:"fileName="; nocase; http_client_body; pcre:"/(^|&)fileName=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:cve,2016-1605; classtype:web-application-attack; sid:43266; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt"; flow:to_server,established; content:"/ReportView"; fast_pattern:only; http_uri; content:"fileName="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]fileName=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:cve,2016-1605; classtype:web-application-attack; sid:43265; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CA eHealth command injection command injection attempt"; flow:to_server,established; content:"/aviewbin/licsys.pl"; fast_pattern:only; http_uri; content:"Content-Disposition"; nocase; http_client_body; content:"action=License"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?(username|passwd|name|custid|email|licensetype|duration|http_proxy|http_proxy_port|proxy_username|proxy_password)((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6152; reference:url,www.ca.com/us/services-support/ca-support/ca-support-online/product-content/recommended-reading/security-notices/ca20160721-01-security-notice-for-ca-ehealth.html; classtype:web-application-attack; sid:43258; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CA eHealth command injection command injection attempt"; flow:to_server,established; content:"/aviewbin/licsys.pl"; fast_pattern:only; http_uri; content:"action=License"; nocase; http_client_body; pcre:"/(^|&)(username|passwd|name|custid|email|licensetype|duration|http(\x5f|%5f)proxy|http(\x5f|%5f)proxy(\x5f|%5f)port|proxy(\x5f|%5f)username|proxy(\x5f|%5f)password)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6152; reference:url,www.ca.com/us/services-support/ca-support/ca-support-online/product-content/recommended-reading/security-notices/ca20160721-01-security-notice-for-ca-ehealth.html; classtype:web-application-attack; sid:43257; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro InterScan WSA LogSettingHandler command injection attempt"; flow:to_server,established; content:"/rest/commonlog/log_setting/mount_device"; fast_pattern:only; http_uri; content:"|22|mount_device|22|"; nocase; http_client_body; pcre:"/\x22mount_device\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,success.trendmicro.com/solution/1116960; classtype:web-application-attack; sid:43251; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nuxeo CMS BatchUploadObject directory traversal attempt"; flow:to_server,established; content:"/nuxeo/site/automation/batch/upload"; fast_pattern:only; http_uri; content:"X-File-Name|3A|"; nocase; http_header; pcre:"/^X-File-Name\x3a[^\r\n]*?\x2e\x2e[\x2f\x5c]/Him"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,97083; reference:cve,2017-5869; reference:url,www.openwall.com/lists/oss-security/2017/03/23/6; classtype:web-application-attack; sid:43250; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nuxeo CMS BatchUploadObject arbitrary JSP file upload attempt"; flow:to_server,established; content:"/nuxeo/site/automation/batch/upload"; fast_pattern:only; http_uri; content:"<%"; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,97083; reference:cve,2017-5869; reference:url,www.openwall.com/lists/oss-security/2017/03/23/6; classtype:attempted-admin; sid:43249; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Active Calendar showcode.php directory traversal attempt"; flow:to_server,established; content:"activecalendar/data/showcode.php"; fast_pattern:only; http_uri; content:"page"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?page((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:service http; reference:cve,2007-1110; classtype:web-application-attack; sid:43246; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Active Calendar showcode.php directory traversal attempt"; flow:to_server,established; content:"activecalendar/data/showcode.php"; fast_pattern:only; http_uri; content:"page="; nocase; http_client_body; pcre:"/(^|&)page=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:cve,2007-1110; classtype:web-application-attack; sid:43245; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Active Calendar showcode.php directory traversal attempt"; flow:to_server,established; content:"activecalendar/data/showcode.php"; fast_pattern:only; http_uri; content:"page="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]page=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:cve,2007-1110; classtype:web-application-attack; sid:43244; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt"; flow:to_server,established; content:"HEAD "; depth:5; content:"HEAD"; http_method; urilen:1; content:"/"; http_uri; metadata:service http; reference:url,aluigi.altervista.org/adv/xitami_1-adv.txt; classtype:attempted-dos; sid:43238; rev:2;)
# Review note (SysAid, sid 43237): enabled, and "drop" in balanced-ips and above.
# What the rule actually matches is a POST whose URI is exactly 15 bytes long
# (the length of "/AssetTypes.jsp", so no query string or path prefix) and whose
# body has a filename= parameter containing "../" or "..\", raw or %-encoded.
# The msg names an auth bypass, but the signature itself only keys on the
# traversal sequence in filename=.
# The rule carries no reference: entries, so triage has to find the vendor
# advisory out of band. The msg string ends with a trailing space before the
# closing quote; exact-match searches on the alert text must include it.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SysAid Enterprise auth bypass and remote file upload attempt "; flow:to_server,established; urilen:15; content:"/AssetTypes.jsp"; fast_pattern:only; http_uri; content:"POST"; http_method; content:"filename="; nocase; http_client_body; pcre:"/(^|&)filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-admin; sid:43237; rev:3;)
# Review note (SolarWinds SRM Profiler, CVE-2016-4350): this is the first pair of
# a 16-rule family, sids 43210 down to 43195, two rules per servlet. The
# even-numbered sid inspects the normalized URI (pcre flag U). The odd-numbered
# sid inspects the request body (flag P) and therefore also lists the %-encoded
# forms of the same tokens. The tokens are ' " ; # /* and --.
# All 16 are enabled and set to "drop" in every policy, including
# connectivity-ips. The match is on single characters in a parameter value, so a
# benign value such as a name= containing an apostrophe would presumably be
# dropped too. On inline sensors in front of this product, review drops for
# sids 43195-43210 after rollout and suppress per source if needed.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler XiotechMonitorServlet SQL injection attempt"; flow:to_server,established; content:"/XiotechMonitorServlet"; fast_pattern:only; http_uri; pcre:"/[?&](sortField|sortDirection|name|ipOne|ipTwo|ipThree)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:43210; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler XiotechMonitorServlet SQL injection attempt"; flow:to_server,established; content:"/XiotechMonitorServlet"; fast_pattern:only; http_uri; pcre:"/(^|&)(sortField|sortDirection|name|ipOne|ipTwo|ipThree)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:43209; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler UserDefinedFieldConfigServlet SQL injection attempt"; flow:to_server,established; content:"/UserDefinedFieldConfigServlet"; fast_pattern:only; http_uri; pcre:"/[?&](udfName|displayName|udfDescription|udfDataValue|udfSectionName|udfId)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:43208; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler UserDefinedFieldConfigServlet SQL injection attempt"; flow:to_server,established; content:"/UserDefinedFieldConfigServlet"; fast_pattern:only; http_uri; pcre:"/(^|&)(udfName|displayName|udfDescription|udfDataValue|udfSectionName|udfId)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:43207; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler QuantumMonitorServlet SQL injection attempt"; flow:to_server,established; content:"/QuantumMonitorServlet"; fast_pattern:only; http_uri; content:"order"; nocase; http_uri; pcre:"/[?&]order(Fld|Dir)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:43206; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler QuantumMonitorServlet SQL injection attempt"; flow:to_server,established; content:"/QuantumMonitorServlet"; fast_pattern:only; http_uri; content:"order"; nocase; http_client_body; pcre:"/(^|&)order(Fld|Dir)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:43205; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler ProcessesServlet SQL injection attempt"; flow:to_server,established; content:"/ProcessesServlet"; fast_pattern:only; http_uri; content:"processOs="; nocase; http_uri; pcre:"/[?&]processOs=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:43204; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler ProcessesServlet SQL injection attempt"; flow:to_server,established; content:"/ProcessesServlet"; fast_pattern:only; http_uri; content:"processOs="; nocase; http_client_body; pcre:"/(^|&)processOs=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:43203; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler NbuErrorMessageServlet SQL injection attempt"; flow:to_server,established; content:"/NbuErrorMessageServlet"; fast_pattern:only; http_uri; content:"exitCode="; nocase; http_uri; pcre:"/[?&]exitCode=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:43202; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler NbuErrorMessageServlet SQL injection attempt"; flow:to_server,established; content:"/NbuErrorMessageServlet"; fast_pattern:only; http_uri; content:"exitCode="; nocase; http_client_body; pcre:"/(^|&)exitCode=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:43201; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler HostStorageServlet SQL injection attempt"; flow:to_server,established; content:"/HostStorageServlet"; fast_pattern:only; http_uri; content:"order"; nocase; http_uri; pcre:"/[?&]order(By|Dir)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:43200; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler HostStorageServlet SQL injection attempt"; flow:to_server,established; content:"/HostStorageServlet"; fast_pattern:only; http_uri; content:"order"; nocase; http_client_body; pcre:"/(^|&)order(By|Dir)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:43199; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler FileActionAssignmentServlet SQL injection attempt"; flow:to_server,established; content:"/FileActionAssignmentServlet"; fast_pattern:only; http_uri; content:"assignedNames="; nocase; http_uri; pcre:"/[?&]assignedNames=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:43198; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler FileActionAssignmentServlet SQL injection attempt"; flow:to_server,established; content:"/FileActionAssignmentServlet"; fast_pattern:only; http_uri; content:"assignedNames="; nocase; http_client_body; pcre:"/(^|&)assignedNames=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:43197; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler BackupAssociationServlet SQL injection attempt"; flow:to_server,established; content:"/BackupAssociationServlet"; fast_pattern:only; http_uri; content:"val"; nocase; http_uri; pcre:"/[?&]val(DB|FS)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:43196; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SolarWinds SRM Profiler BackupAssociationServlet SQL injection attempt"; flow:to_server,established; content:"/BackupAssociationServlet"; fast_pattern:only; http_uri; content:"val"; nocase; http_client_body; pcre:"/(^|&)val(DB|FS)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,89557; reference:cve,2016-4350; reference:url,www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm; classtype:web-application-attack; sid:43195; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Messaging Gateway performBackupNow.do command injection attempt"; flow:to_server,established; content:"/brightmail/admin/backup/performBackupNow.do"; fast_pattern:only; http_uri; content:"remoteBackupPath="; nocase; http_client_body; pcre:"/(^|&)remoteBackupPath=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-6326; reference:url,www.symantec.com/docs/ALERT2377; classtype:web-application-attack; sid:43191; rev:3;)
# Review note (VICIdial, sid 43178): disabled. For a request to a .php page under
# /vicidial/, the rule base64-decodes the data that follows "Authorization:" ...
# "Basic" and runs the pcre on the decoded bytes, looking for the shell
# metacharacters ` ; | & or the pairs <( >( $( .
# base64_decode is limited to 64 encoded bytes, so only the start of a long
# credential is inspected. Legitimate passwords containing ; | or & will also
# match, so if this is enabled, expect false positives from ordinary Basic-auth
# logins and consider alert-only rather than drop.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP VICIdial user_authorization command injection attempt"; flow:to_server,established; content:"/vicidial/"; fast_pattern:only; http_uri; content:".php"; nocase; http_uri; content:"Authorization|3A|"; nocase; content:"Basic"; distance:0; nocase; base64_decode:bytes 64, offset 0, relative; base64_data; pcre:"/([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.vicidial.org/VICIDIALmantis/view.php?id=1016; classtype:attempted-admin; sid:43178; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro InterScan WSA PacFileManagement servlet command injection attempt"; flow:to_server,established; content:"/servlet/com.trend.iwss.gui.servlet.PacFileManagement"; fast_pattern:only; http_uri; content:"pac_file_name="; nocase; http_uri; pcre:"/[?&]pac_file_name=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,success.trendmicro.com/solution/1116960; classtype:web-application-attack; sid:43154; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro InterScan WSA PacFileManagement servlet command injection attempt"; flow:to_server,established; content:"/servlet/com.trend.iwss.gui.servlet.PacFileManagement"; fast_pattern:only; http_uri; content:"pac_file_name="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]pac(\x5f|%5f)file(\x5f|%5f)name=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,success.trendmicro.com/solution/1116960; classtype:web-application-attack; sid:43153; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro InterScan WSA PacFileManagement servlet command injection attempt"; flow:to_server,established; content:"/servlet/com.trend.iwss.gui.servlet.PacFileManagement"; fast_pattern:only; http_uri; content:"pac_file_name"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?pac_file_name((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,success.trendmicro.com/solution/1116960; classtype:web-application-attack; sid:43152; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro InterScan WSA PacFileManagement servlet command injection attempt"; flow:to_server,established; content:"/servlet/com.trend.iwss.gui.servlet.PacFileManagement"; fast_pattern:only; http_uri; content:"file"; nocase; http_client_body; pcre:"/(^|&)pac(\x5f|%5f)file(\x5f|%5f)name=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,success.trendmicro.com/solution/1116960; classtype:web-application-attack; sid:43151; rev:2;)
# Review note (IBM OpenAdmin Tool, CVE-2017-1092, sid 43147): enabled, and "drop"
# from balanced-ips upward. It matches a request to welcomeService.php whose body
# has a <new_home_page ...> element with text containing any of ` ; $ ( or the
# words "include" / "require" (case-insensitive) before the next "<".
# The character class is broad, so confirm against a normal "set home page" SOAP
# call from the admin UI that the legitimate value never contains these tokens.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IBM OpenAdmin Tool SOAP welcomeService.php PHP code injection attempt"; flow:to_server,established; content:"/openadmin/services/welcome/welcomeService.php"; fast_pattern:only; http_uri; content:"<new_home_page"; nocase; http_client_body; pcre:"/<new_home_page[^>]*?>[^<]*?([\x60\x3b\x24\x28]|include|require)/Pi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,98615; reference:cve,2017-1092; reference:url,www-01.ibm.com/support/docview.wss?uid=swg22002897; classtype:web-application-attack; sid:43147; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3052 (msg:"SERVER-WEBAPP CyberPower Systems PowerPanel XXE out of band data retrieval attempt"; flow:to_server,established; file_data; content:"POST"; depth:4; nocase; content:"/client/ppbe.xml"; distance:0; nocase; content:"|3C|?xml"; distance:0; nocase; content:"|3C|!DOCTYPE"; distance:0; nocase; content:"|3C|!ENTITY"; distance:0; nocase; content:"SYSTEM"; distance:0; nocase; pcre:"/<!ENTITY\s*?%\s*?[\w\d]*?\s*?SYSTEM[^<]*?(http|ftp)/i"; metadata:service http; reference:url,cyberpowersystems.com/; classtype:web-application-attack; sid:43119; rev:1;)
# Review note (Schneider Electric IGSS, sids 43113/43112): both disabled. Despite
# the SERVER-WEBAPP category these are raw-TCP signatures on port 12401. They have
# no "service" metadata and no policy assignment, so they only run where that port
# is inspected and the rule is enabled by hand.
# The two rules are identical except for one byte after the fixed 12-byte header:
# 0x04 in the rule named "deletion" and 0x02 in the rule named "overwrite",
# followed by the string "DASH".
# Neither cites a CVE or advisory, only the vendor home page. The deletion rule
# also tags ATT&CK T1070 and T1107; T1107 has since been deprecated in ATT&CK, so
# mappings built on it may need updating. An alert means a dashboard-modifying
# request came from $EXTERNAL_NET; whether that is hostile depends on who is
# allowed to reach 12401.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12401 (msg:"SERVER-WEBAPP Schneider Electric IGSS dashboard deletion attempt"; flow:to_server,established; content:"|01 00 34 12 0D 00 00 00 00 00 00 00|"; depth:12; offset:2; fast_pattern; content:"|04|"; within:1; distance:4; content:"DASH"; distance:3; nocase; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; reference:url,schneider-electric.com/site/home/index.cfm/dk/; classtype:web-application-attack; sid:43113; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12401 (msg:"SERVER-WEBAPP Schneider Electric IGSS dashboard overwrite attempt"; flow:to_server,established; content:"|01 00 34 12 0D 00 00 00 00 00 00 00|"; depth:12; offset:2; fast_pattern; content:"|02|"; within:1; distance:4; content:"DASH"; distance:3; nocase; reference:url,schneider-electric.com/site/home/index.cfm/dk/; classtype:web-application-attack; sid:43112; rev:1;)
# Review note (Mango Automation, CVE-2015-7904, sid 43102): disabled, no policy.
# The only body condition is the three letters "jsp" (case-insensitive) anywhere
# in a POST to /graphicalViewsBackgroundUpload. The match is not anchored to a
# filename= field or an extension, so any upload whose bytes happen to contain
# "jsp" will alert. Treat a hit as a prompt to inspect the uploaded filename and
# content, not as confirmation of a JSP upload.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Mango Automation arbitrary JSP code upload attempt"; flow:to_server,established; content:"POST"; http_method; content:"/graphicalViewsBackgroundUpload"; fast_pattern:only; http_uri; content:"jsp"; nocase; http_client_body; metadata:service http; reference:cve,2015-7904; classtype:attempted-admin; sid:43102; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5120 (msg:"SERVER-WEBAPP Beckhoff CX9020 remote configuration modification attempt"; flow:to_server,established; content:"POST"; depth:4; nocase; content:"/upnpisapi"; distance:0; content:"?"; distance:0; content:"urn:beckhoff.com:serviceId:cxconfig"; distance:0; content:"SOAPAction"; distance:0; content:"beckhoff.com:service:cxconfig:1#Write"; distance:0; reference:cve,2015-4051; reference:url,beckhoff.com/english.asp?embedded_pc/cx9020.htm; classtype:web-application-attack; sid:43101; rev:1;)
# Review note (Simple SCADA, sids 43100/43099): these two rules are a flowbits
# pair and only work together. sid 43099 is enabled but carries flowbits:noalert:
# it never alerts. It only sets the "simplescada" flowbit on flows where the
# server on port 8750 answered with a "101 Switching Protocols" WebSocket upgrade.
# sid 43100 is the rule that alerts, requires that flowbit, and ships disabled.
# As delivered, the setter runs with no enabled consumer visible in this part of
# the file. Either enable 43100 as well, or disable 43099 if the product is not
# deployed.
# Both rules inspect server-to-client traffic ($HOME_NET 8750 -> $EXTERNAL_NET,
# flow:to_client), and 43100 is classed misc-activity although its msg names
# command execution. NOTE(review): confirm that the server-to-client direction is
# intended before relying on it.
# alert tcp $HOME_NET 8750 -> $EXTERNAL_NET any (msg:"SERVER-WEBAPP Simple SCADA web-socket remote command execution attempt"; flow:to_client,established; flowbits:isset,simplescada; content:"|82|"; depth:1; content:"|06|"; distance:0; pcre:"/\x06.*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/i"; metadata:service http; reference:url,simple-scada.com/; classtype:misc-activity; sid:43100; rev:1;)
alert tcp $HOME_NET 8750 -> $EXTERNAL_NET any (msg:"SERVER-WEBAPP Simple SCADA web-socket connection initialization attempt"; flow:to_client,established; file_data; content:"HTTP"; depth:4; nocase; content:"101"; within:3; distance:5; content:"Switching Protocols"; within:19; distance:1; nocase; content:"Upgrade"; distance:0; nocase; content:"websocket"; distance:0; nocase; content:"Connection"; distance:0; nocase; content:"Upgrade"; distance:0; nocase; content:"Sec-WebSocket-Accept"; distance:0; nocase; flowbits:set,simplescada; flowbits:noalert; metadata:service http; reference:url,simple-scada.com/; classtype:misc-activity; sid:43099; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt"; flow:to_server,established; content:"download_lar.jsp"; fast_pattern:only; http_uri; content:"lar="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]lar=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-5803; reference:url,www.ca.com/us/services-support/ca-support/ca-support-online/product-content/recommended-reading/security-notices/ca20161109-01-security-notice-for-ca-unified-infrastructure-mgmt.html; classtype:web-application-attack; sid:43093; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AggreGate SCADA HMI web form upload xml external entity attack attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/wd/desktop.jsf"; fast_pattern; nocase; http_uri; content:"JSESSIONID"; nocase; http_raw_header; content:"ice.push.browser"; nocase; http_raw_header; content:"javax.faces.ViewState"; nocase; http_client_body; content:"ice.window"; nocase; http_client_body; content:"ice.view"; nocase; http_client_body; content:"webDesktopForm"; nocase; http_client_body; content:"<!DOCTYPE "; distance:0; nocase; http_client_body; content:"<!ENTITY"; distance:0; nocase; http_client_body; content:"file:///"; distance:0; nocase; http_client_body; metadata:service http; reference:url,aggregate.tibbo.com/solutions/scada_hmi.html; classtype:web-application-attack; sid:43091; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro InterScan WSA ManagePatches servlet command injection attempt"; flow:to_server,established; content:"/servlet/com.trend.iwss.gui.servlet.ManagePatches"; fast_pattern:only; http_uri; content:"patchName="; nocase; http_uri; pcre:"/[?&]patchName=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,success.trendmicro.com/solution/1114185; classtype:web-application-attack; sid:43079; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro InterScan WSA ManagePatches servlet command injection attempt"; flow:to_server,established; content:"/servlet/com.trend.iwss.gui.servlet.ManagePatches"; fast_pattern:only; http_uri; content:"patchName="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]patchName=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,success.trendmicro.com/solution/1114185; classtype:web-application-attack; sid:43078; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro InterScan WSA ManagePatches servlet command injection attempt"; flow:to_server,established; content:"/servlet/com.trend.iwss.gui.servlet.ManagePatches"; fast_pattern:only; http_uri; content:"patchName="; nocase; http_client_body; pcre:"/(^|&)patchName=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,success.trendmicro.com/solution/1114185; classtype:web-application-attack; sid:43077; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Control Manager importFile.php directory traversal attempt"; flow:established, to_server; content:"modTMCM/inc/importFile.php"; fast_pattern:only; http_uri; content:"name="; http_client_body; content:"|22|action|22|"; within:20; http_client_body; content:"importPolicy"; within:100; http_client_body; content:"fileName"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?fileName((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:service http; reference:url,docs.trendmicro.com/all/ent/tmcm/v6.0-sp3/en-us/tmcm_6.0-sp3_readme.html; classtype:web-application-attack; sid:43066; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cogent Datahub EvalExpresssion remote code execution attempt"; flow:to_server,established; urilen:5; content:"POST"; http_method; content:"ajax"; nocase; http_uri; content:"command"; nocase; http_client_body; content:"EvalExpression"; within:50; nocase; http_client_body; metadata:service http; reference:url,www.cogentdatahub.com; classtype:attempted-admin; sid:43062; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Schneider Electric ClearSCADA information disclosure attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/webservices/scx"; fast_pattern:only; http_uri; content:"SOAPAction"; http_header; content:"/webservices/SCX6/PrepareQuery"; within:150; nocase; http_header; content:"PrepareQuery"; http_client_body; content:"SQL"; within:250; http_client_body; metadata:service http; reference:url,www.schneider-electric.com/en/product-range/61264-struxureware-scada-expert-clearscada/; classtype:attempted-recon; sid:43050; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ZOHO ManageEngine OpManager probeName SQL injection attempt"; flow:to_server,established; content:"/servlet/com.manageengine.opmanager.servlet.UpdateProbeUpgradeStatus"; fast_pattern:only; http_uri; content:"probeName="; nocase; http_client_body; pcre:"/(^|&)probeName=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-7868; reference:url,support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix; classtype:web-application-attack; sid:43041; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ZOHO ManageEngine OpManager probeName SQL injection attempt"; flow:to_server,established; content:"/servlet/com.manageengine.opmanager.servlet.UpdateProbeUpgradeStatus"; fast_pattern:only; http_uri; content:"probeName="; nocase; http_uri; pcre:"/[?&]probeName=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-7868; reference:url,support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix; classtype:web-application-attack; sid:43040; rev:1;)
# Review note (ManageEngine OpManager DataComparisonServlet, CVE-2014-7868,
# sids 43039/43038): both disabled. Unlike the probeName and OPM_BVNAME rules
# around them, these two have no pcre. They fire on the mere presence of
# "query=" in the URI (43039) or the body (43038) of any request to
# /servlet/DataComparisonServlet, whatever the parameter contains.
# With "drop" in max-detect-ips and security-ips, enabling them blocks every use
# of that parameter from $EXTERNAL_NET. That is reasonable as a virtual patch for
# an unpatched server, but on a patched one an alert is not evidence of injection.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ZOHO ManageEngine OpManager Search query SQL injection attempt"; flow:to_server,established; content:"/servlet/DataComparisonServlet"; fast_pattern:only; http_uri; content:"query="; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-7868; reference:url,support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix; classtype:web-application-attack; sid:43039; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ZOHO ManageEngine OpManager Search query SQL injection attempt"; flow:to_server,established; content:"/servlet/DataComparisonServlet"; fast_pattern:only; http_uri; content:"query="; nocase; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-7868; reference:url,support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix; classtype:web-application-attack; sid:43038; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ZOHO ManageEngine OpManager OPM_BVNAME SQL injection attempt"; flow:to_server,established; content:"/servlet/APMBVHandler"; fast_pattern:only; http_uri; content:"OPM_BVNAME="; nocase; http_uri; pcre:"/[?&]OPM_BVNAME=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-7868; reference:url,support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix; classtype:web-application-attack; sid:43037; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ZOHO ManageEngine OpManager OPM_BVNAME SQL injection attempt"; flow:to_server,established; content:"/servlet/APMBVHandler"; fast_pattern:only; http_uri; content:"OPM_BVNAME"; nocase; http_client_body; pcre:"/(^|&)OPM(\x5f|%5f)BVNAME=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-7868; reference:url,support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix; classtype:web-application-attack; sid:43036; rev:1;)
# Review note (MailStore Server XSS, sid 43006): disabled. The header differs from
# most rules in this file: the source is $HOME_NET and the destination is any host
# on ports 8461-8462. The rule therefore watches requests sent by internal clients
# (the browser that followed a crafted link), not inbound attacks on a local server.
# None of the content or pcre options use an HTTP buffer, so matching is done on
# the raw payload exactly as sent. The pcre looks for the literal characters
# " ' < > ( ) or the words script/onload/src in the c-f, c-q, c-from or c-to
# parameters. Ordinary search terms containing parentheses or quotes will match,
# so expect noise if this is enabled where MailStore search is in regular use.
# alert tcp $HOME_NET any -> any 8461:8462 (msg:"SERVER-WEBAPP MailStore Server cross site scripting attempt"; flow:to_server,established; content:"GET"; content:"/a/"; within:4; content:"/search-result/"; within:35; content:"c-"; nocase; content:"HTTP/1.1"; within:100; pcre:"/[?&]c-(f|q|from|to)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy max-detect-ips drop, service http; reference:url,www.mailstore.com/en/mailstore-server-changelog.aspx; classtype:attempted-user; sid:43006; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Brocade Network Advisor directory traversal attempt"; flow:to_server,established; content:"/inmservlets/SoftwareImageUpload"; fast_pattern:only; http_uri; content:"name"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-8206; classtype:web-application-attack; sid:42999; rev:1;)
# Review note (ReadyDesk sendfile.aspx, CVE-2016-5050, sids 42994/42993): both
# disabled, no policy. They share the URI conditions (sendfile.aspx with FRM=SUB
# and SESID=) and differ in what they check in the upload:
#   42994 - a multipart filename ending in aspx" plus "<script" in the file data
#   42993 - file data that begins with the two bytes "MZ", i.e. any upload that
#           looks like a Windows executable, regardless of its name
# 42993 reports executable uploads to the chat endpoint as such. Whether that is
# a policy violation or an attack is for the analyst to decide from the session.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ReadyDesk arbitrary file upload attempt"; flow:established,to_server; content:"/readydesk/chat/sendfile.aspx"; fast_pattern:only; http_uri; content:"FRM=SUB"; http_uri; content:"SESID="; http_uri; content:"Content-Disposition:"; http_client_body; content:"filename="; within:100; http_client_body; content:"aspx|22 0D 0A|"; within:100; http_client_body; file_data; content:"|3C|script"; metadata:service http; reference:cve,2016-5050; classtype:web-application-attack; sid:42994; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ReadyDesk arbitrary file upload attempt"; flow:established,to_server; content:"/readydesk/chat/sendfile.aspx"; fast_pattern:only; http_uri; content:"FRM=SUB"; http_uri; content:"SESID="; http_uri; file_data; content:"MZ"; depth:2; metadata:service http; reference:cve,2016-5050; classtype:web-application-attack; sid:42993; rev:1;)
# Java serialized-object signatures, sids 42966 down to 42960 (all disabled in this copy).
# Each rule requires the Java serialization stream header AC ED 00 05 within the first four
# bytes of the inspected payload (depth:4), followed in order (distance:0) by the class or
# type strings named in that rule. Ports are 1099, 7001 and $HTTP_PORTS.
# NOTE(review): none of the content matches carries an HTTP buffer modifier, so depth:4 is
# measured from the start of the payload rather than the HTTP body - presumably an object that
# follows HTTP headers in the same segment, or one that is base64-encoded, is not matched.
# Confirm with a test pcap before counting these rules as HTTP-body coverage.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1099,7001,$HTTP_PORTS] (msg:"SERVER-WEBAPP Java URLDNS Library unauthorized serialized object attempt"; flow:to_server,established; content:"|AC ED 00 05|"; depth:4; content:"java.util.HashMap"; distance:0; content:"java.net.URL"; distance:0; metadata:service http, service java_rmi; reference:url,github.com/frohoff/ysoserial; classtype:attempted-admin; sid:42966; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1099,7001,$HTTP_PORTS] (msg:"SERVER-WEBAPP Java RMI Library unauthorized serialized object attempt"; flow:to_server,established; content:"|AC ED 00 05|"; depth:4; content:"java.rmi.server.RemoteObject"; distance:0; metadata:service http, service java_rmi; reference:url,github.com/frohoff/ysoserial; classtype:attempted-admin; sid:42965; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1099,7001,$HTTP_PORTS] (msg:"SERVER-WEBAPP Java MyFaces Library unauthorized serialized object attempt"; flow:to_server,established; content:"|AC ED 00 05|"; depth:4; content:"java.util.HashMap"; distance:0; content:"Corg.apache.myfaces.view.facelets.el.ValueExpressionMethodExpression"; distance:0; metadata:service http, service java_rmi; reference:url,github.com/frohoff/ysoserial; classtype:attempted-admin; sid:42964; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1099,7001,$HTTP_PORTS] (msg:"SERVER-WEBAPP Java Mozilla Library unauthorized serialized object attempt"; flow:to_server,established; content:"|AC ED 00 05|"; depth:4; content:"Ljava/lang/Object"; distance:0; content:"Lorg/mozilla/javascript/NativeFunction"; distance:0; metadata:service http, service java_rmi; reference:url,github.com/frohoff/ysoserial; classtype:attempted-admin; sid:42963; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1099,7001,$HTTP_PORTS] (msg:"SERVER-WEBAPP Java Hibernate Library unauthorized serialized object attempt"; flow:to_server,established; content:"|AC ED 00 05|"; depth:4; content:"Ljava/util/Map"; distance:0; content:"java.util.Vector"; distance:0; content:"Ljava.lang.Object"; distance:0; metadata:service http, service java_rmi; reference:url,github.com/frohoff/ysoserial; classtype:attempted-admin; sid:42962; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1099,7001,$HTTP_PORTS] (msg:"SERVER-WEBAPP Java Groovy Library unauthorized serialized object attempt"; flow:to_server,established; content:"|AC ED 00 05|"; depth:4; content:"Ljava/lang/reflect/InvocationHandler"; distance:0; content:"org.codehaus.groovy.runtime"; distance:0; metadata:service http, service java_rmi; reference:url,github.com/frohoff/ysoserial; classtype:attempted-admin; sid:42961; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1099,7001,$HTTP_PORTS] (msg:"SERVER-WEBAPP Java BeanShell Library unauthorized serialized object attempt"; flow:to_server,established; content:"|AC ED 00 05|"; depth:4; content:"java.util.PriorityQueue"; distance:0; content:"Ljava/lang/reflect/InvocationHandler"; distance:0; metadata:service http, service java_rmi; reference:url,github.com/frohoff/ysoserial; classtype:attempted-admin; sid:42960; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt"; flow:to_server,established; content:"/index.php"; http_uri; content:"view=fields"; fast_pattern:only; http_uri; content:"fullordering"; nocase; http_client_body; pcre:"/(^|&)list(\x5b|%5b)fullordering(\x5d|%5d)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-8917; reference:url,www.joomla.org/announcements/release-news/5705-joomla-3-7-1-release.html; classtype:web-application-attack; sid:42959; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt"; flow:to_server,established; content:"/index.php"; http_uri; content:"view=fields"; fast_pattern:only; http_uri; content:"list[fullordering]="; nocase; http_uri; pcre:"/[?&]list\x5bfullordering\x5d=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-8917; reference:url,www.joomla.org/announcements/release-news/5705-joomla-3-7-1-release.html; classtype:web-application-attack; sid:42958; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt"; flow:to_server,established; content:"/CliMonitorReportServlet"; fast_pattern:only; http_uri; content:"filename="; nocase; http_client_body; pcre:"/(^|&)filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,95691; reference:cve,2016-8207; reference:url,www.brocade.com/content/dam/common/documents/content-types/security-bulletin/brocade-security-advisory-2016-180.htm; classtype:web-application-attack; sid:42957; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt"; flow:to_server,established; content:"/CliMonitorReportServlet"; fast_pattern:only; http_uri; content:"filename"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?filename((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,95691; reference:cve,2016-8207; reference:url,www.brocade.com/content/dam/common/documents/content-types/security-bulletin/brocade-security-advisory-2016-180.htm; classtype:web-application-attack; sid:42956; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Threat Discovery Appliance upload.cgi directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/upload.cgi"; fast_pattern:only; http_uri; content:"dID="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]dID=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-8593; classtype:web-application-attack; sid:42955; rev:2;)
# Oracle Fusion Middleware MapViewer, CVE-2017-3230 - four ENABLED rules, each anchored on the
# URI /mapviewer/addmapdata (fast_pattern) and set to drop under the balanced-ips,
# max-detect-ips and security-ips policies:
#   sid 42954 - "../" inside the filename= query parameter (normalized URI, pcre /U).
#   sid 42953 - ".." followed by / or \, raw or percent-encoded, inside a urlencoded body
#               filename= field (pcre /P).
#   sid 42952 - literal "../" or "..\" inside the Content-Disposition part whose name is
#               filename (pcre /P); percent-encoded forms are not matched by this sid.
#   sid 42951 - "layerFile" plus a "<%" sequence anywhere in the request body.
# NOTE(review): sid 42951 matches its two body strings independently (no distance/within),
# so any upload to this URI that contains "<%" will be dropped - confirm that is acceptable
# for legitimate MapViewer use before running inline.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Fusion Middleware MapViewer directory traversal attempt"; flow:to_server,established; content:"/mapviewer/addmapdata"; fast_pattern:only; http_uri; content:"filename="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]filename=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,97746; reference:cve,2017-3230; reference:url,www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html; classtype:web-application-attack; sid:42954; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Fusion Middleware MapViewer directory traversal attempt"; flow:to_server,established; content:"/mapviewer/addmapdata"; fast_pattern:only; http_uri; content:"filename="; nocase; http_client_body; pcre:"/(^|&)filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,97746; reference:cve,2017-3230; reference:url,www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html; classtype:web-application-attack; sid:42953; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Fusion Middleware MapViewer directory traversal attempt"; flow:to_server,established; content:"/mapviewer/addmapdata"; fast_pattern:only; http_uri; content:"filename"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?filename((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,97746; reference:cve,2017-3230; reference:url,www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html; classtype:web-application-attack; sid:42952; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Fusion Middleware MapViewer arbitrary JSP file upload attempt"; flow:to_server,established; content:"/mapviewer/addmapdata"; fast_pattern:only; http_uri; content:"layerFile"; nocase; http_client_body; content:"<%"; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,97746; reference:cve,2017-3230; reference:url,www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html; classtype:attempted-admin; sid:42951; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech SUSIAccess Server downloadCSV.jsp directory traversal attempt"; flow:to_server,established; content:"/downloadCSV.jsp"; fast_pattern:only; http_uri; content:"file="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]file=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,94629; reference:cve,2016-9349; reference:url,ics-cert.us-cert.gov/advisories/ICSA-16-336-04; classtype:web-application-attack; sid:43824; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech SUSIAccess Server downloadCSV.jsp directory traversal attempt"; flow:to_server,established; content:"/downloadCSV.jsp"; fast_pattern:only; http_uri; content:"file="; nocase; http_client_body; pcre:"/(^|&)file=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,94629; reference:cve,2016-9349; reference:url,ics-cert.us-cert.gov/advisories/ICSA-16-336-04; classtype:web-application-attack; sid:43823; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech SUSIAccess Server downloadCSV.jsp directory traversal attempt"; flow:to_server,established; content:"/downloadCSV.jsp"; fast_pattern:only; http_uri; content:"file"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?file((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,94629; reference:cve,2016-9349; reference:url,ics-cert.us-cert.gov/advisories/ICSA-16-336-04; classtype:web-application-attack; sid:43822; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Kaspersky Anti-Virus directory traversal attempt"; flow:to_server,established; content:"cgi-bin/cgictl"; fast_pattern:only; http_uri; content:"action=getReportStatus"; nocase; http_uri; content:"reportId="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]reportId=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,99330; reference:cve,2017-9812; reference:url,seclists.org/fulldisclosure/2017/Jun/33; classtype:web-application-attack; sid:43821; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Kaspersky Anti-Virus directory traversal attempt"; flow:to_server,established; content:"cgi-bin/cgictl"; fast_pattern:only; http_uri; content:"action=getReportStatus"; nocase; http_uri; content:"reportId="; nocase; http_client_body; pcre:"/(^|&)reportId=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,99330; reference:cve,2017-9812; reference:url,seclists.org/fulldisclosure/2017/Jun/33; classtype:web-application-attack; sid:43820; rev:2;)
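# sid 43819 (disabled): Content-Disposition / form-data variant of the Kaspersky cgictl
# reportId directory traversal check (CVE-2017-9812); sids 43821 and 43820 cover the URI and
# urlencoded-body forms. The pcre uses \s* on both sides of "=" so that optional whitespace in
# the part header (name = "reportId") is tolerated, matching the sibling multipart rules in
# this file such as sid 43822.
# NOTE(review): this is a local correction to a vendor rule - re-check it after ruleset updates.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Kaspersky Anti-Virus directory traversal attempt"; flow:to_server,established; content:"cgi-bin/cgictl"; fast_pattern:only; http_uri; content:"action=getReportStatus"; nocase; http_uri; content:"reportId"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?reportId((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,99330; reference:cve,2017-9812; reference:url,seclists.org/fulldisclosure/2017/Jun/33; classtype:web-application-attack; sid:43819; rev:2;)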
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Foscam changeUserName command passwd file injection attempt"; flow:to_server,established; content:"/cgi-bin/CGIProxy.fcgi"; fast_pattern:only; http_uri; content:"cmd=changeUserName"; nocase; http_uri; content:"newUsrName="; nocase; http_uri; pcre:"/[?&]newUsrName=[^&]*?\x3a/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-2850; reference:url,www.talosintelligence.com/reports/TALOS-2017-0352/; classtype:attempted-admin; sid:43061; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Foscam setWifiSetting command psk stack buffer overflow attempt"; flow:to_server,established; urilen:>256,norm; content:"/cgi-bin/CGIProxy.fcgi"; fast_pattern:only; http_uri; content:"cmd=setWifiSetting"; nocase; http_uri; content:"psk="; nocase; http_uri; pcre:"/[?&]psk=[^&]{256}/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-2851; reference:url,www.talosintelligence.com/reports/TALOS-2017-0353/; classtype:attempted-admin; sid:43005; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Foscam IP Camera multipart boundary stack buffer overflow attempt"; flow:to_server,established; content:"/cgi-bin/CGIProxy.fcgi"; nocase; http_uri; content:"usrBeatHeart"; fast_pattern:only; content:"Boundary="; nocase; http_raw_header; isdataat:256,relative; content:!"|0A|"; within:256; http_raw_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-2830; reference:url,www.talosintelligence.com/reports/TALOS-2017-0331/; classtype:web-application-attack; sid:42437; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Foscam IP Camera callbackJson directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/CGIProxy.fcgi"; fast_pattern:only; http_uri; content:"callbackJson="; nocase; http_client_body; pcre:"/(^|&)callbackJson=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-2829; reference:url,www.talosintelligence.com/reports/TALOS-2017-0330/; classtype:web-application-attack; sid:42436; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Foscam IP Camera callbackJson directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/CGIProxy.fcgi"; fast_pattern:only; http_uri; content:"callbackJson="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]callbackJson=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-2829; reference:url,www.talosintelligence.com/reports/TALOS-2017-0330/; classtype:web-application-attack; sid:42435; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Foscam IP Camera command injection attempt"; flow:to_server,established; content:"/cgi-bin/CGIProxy.fcgi"; fast_pattern:only; http_uri; pcre:"/(^|&)(usrName|usrPwd|oldPwd|newPwd|sender|smtpServer|password|user|gate|ntpServer|dns\d|psk)=[^&]*?([\x60\x3b\x7c\x0d\x0a]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-0327; reference:cve,2017-2828; reference:cve,2017-2832; reference:cve,2017-2833; reference:cve,2017-2841; reference:cve,2017-2842; reference:cve,2017-2843; reference:cve,2017-2844; reference:cve,2017-2845; reference:cve,2017-2846; reference:cve,2017-2847; reference:cve,2017-2848; reference:cve,2017-2849; reference:cve,2017-2873; reference:url,www.talosintelligence.com/reports/TALOS-2017-0328/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0329/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0334/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0335/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0343/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0344/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0345/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0346/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0347/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0348/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0349/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0350/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0351/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0380/; classtype:web-application-attack; sid:42434; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Foscam IP Camera command injection attempt"; flow:to_server,established; content:"/cgi-bin/CGIProxy.fcgi"; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&](usrName|usrPwd|oldPwd|newPwd|sender|smtpServer|password|user|gate|ntpServer|dns\d|psk)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-0327; reference:cve,2017-2828; reference:cve,2017-2832; reference:cve,2017-2833; reference:cve,2017-2841; reference:cve,2017-2842; reference:cve,2017-2843; reference:cve,2017-2844; reference:cve,2017-2845; reference:cve,2017-2846; reference:cve,2017-2847; reference:cve,2017-2848; reference:cve,2017-2849; reference:cve,2017-2873; reference:url,www.talosintelligence.com/reports/TALOS-2017-0328/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0329/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0334/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0335/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0343/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0344/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0345/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0346/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0347/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0348/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0349/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0350/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0351/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0380/; classtype:web-application-attack; sid:42433; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Foscam IP Camera command injection attempt"; flow:to_server,established; content:"/cgi-bin/CGIProxy.fcgi"; fast_pattern:only; http_uri; pcre:"/[?&](usrName|usrPwd|oldPwd|newPwd|sender|smtpServer|password|user|gate|ntpServer|dns\d|psk)=[^&]*?([\x60\x3b\x7c\x0d\x0a]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-0327; reference:cve,2017-2828; reference:cve,2017-2832; reference:cve,2017-2833; reference:cve,2017-2841; reference:cve,2017-2842; reference:cve,2017-2843; reference:cve,2017-2844; reference:cve,2017-2845; reference:cve,2017-2846; reference:cve,2017-2847; reference:cve,2017-2848; reference:cve,2017-2849; reference:cve,2017-2873; reference:url,www.talosintelligence.com/reports/TALOS-2017-0328/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0329/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0334/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0335/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0343/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0344/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0345/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0346/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0347/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0348/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0349/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0350/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0351/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0380/; classtype:web-application-attack; sid:42432; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Foscam IP Video Camera CGIProxy.fcgi query append buffer overflow attempt"; flow:to_server,established; content:"/cgi-bin/CGIProxy.fcgi"; fast_pattern:only; http_uri; content:"remoteP2P="; nocase; http_uri; pcre:"/remoteP2P=[^&]{100}/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-2831; reference:url,www.talosintelligence.com/reports/TALOS-2017-0332; classtype:web-application-attack; sid:42431; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Openfire userimportexport plugin XML external entity injection attempt"; flow:to_server,established; content:"/plugins/userimportexport/import-user-data.jsp"; fast_pattern:only; http_uri; content:"thefile"; nocase; http_client_body; content:"ENTITY"; nocase; http_client_body; pcre:"/(\x21|%21)ENTITY((?!\x3e|%3e).)*?(SYSTEM|PUBLIC)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-2815; reference:url,www.talosintelligence.com/reports/TALOS-2017-0316/; classtype:web-application-attack; sid:42290; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ProcessMaker Enterprise PHP object injection attempt"; flow:to_server,established; content:"/neoclassic/login/sysLoginVerify.php"; fast_pattern:only; http_uri; content:"d="; nocase; base64_decode:bytes 256,relative; base64_data; content:"O|3A|"; depth:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-9045; reference:url,www.talosintelligence.com/reports/TALOS-2017-0314/; classtype:web-application-attack; sid:42252; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ProcessMaker Enterprise genericAjax SQL injection attempt"; flow:to_server,established; content:"/gulliver/genericAjax"; fast_pattern:only; http_uri; pcre:"/[?&](table|pk|fld|value)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-9048; reference:url,www.talosintelligence.com/reports/TALOS-2017-0313/; classtype:web-application-attack; sid:42251; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ProcessMaker Enterprise translationsAjax.php SQL injection attempt"; flow:to_server,established; content:"/neoclassic/tools/translationsAjax.php"; fast_pattern:only; http_uri; pcre:"/[?&](cat|lang|node)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-9048; reference:url,www.talosintelligence.com/reports/TALOS-2017-0313/; classtype:web-application-attack; sid:42250; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ProcessMaker Enterprise proxy SQL injection attempt"; flow:to_server,established; content:"/neoclassic/cases/proxy"; fast_pattern:only; http_uri; content:"sort="; nocase; http_client_body; pcre:"/(^|&)sort=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-9048; reference:url,www.talosintelligence.com/reports/TALOS-2017-0313/; classtype:web-application-attack; sid:42249; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ProcessMaker Enterprise eventsAjax SQL injection attempt"; flow:to_server,established; content:"/neoclassic/events/eventsAjax"; fast_pattern:only; http_uri; content:"sort="; nocase; http_uri; pcre:"/[?&]sort=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-9048; reference:url,www.talosintelligence.com/reports/TALOS-2017-0313/; classtype:web-application-attack; sid:42248; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Information Builders WebFOCUS Business Intelligence Portal command injection attempt"; flow:to_server,established; content:"/ibi_apps/WFServlet"; fast_pattern:only; http_uri; content:"IBIWF_msgviewer"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?IBIWF_msgviewer((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|\x24\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-9044; reference:url,www.talosintelligence.com/reports/TALOS-2017-0315/; classtype:web-application-attack; sid:42247; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Information Builders WebFOCUS Business Intelligence Portal command injection attempt"; flow:to_server,established; content:"/ibi_apps/WFServlet"; fast_pattern:only; http_uri; content:"IBIWF_msgviewer="; nocase; http_client_body; pcre:"/(^|&)IBIWF_msgviewer=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-9044; reference:url,www.talosintelligence.com/reports/TALOS-2017-0315/; classtype:web-application-attack; sid:42246; rev:3;)
# sid 42245 (disabled): raw-URI variant of the WebFOCUS IBIWF_msgviewer command injection check.
# NOTE(review): the content match requires "%26" (percent-encoded "&") in the raw URI after
# IBIWF_msgviewer=, while the pcre (/I, raw URI) looks for "%27" (percent-encoded single quote)
# inside the parameter value. As written both must be present for the rule to fire. The
# comparable Foscam rule in this file (sid 42433) pairs content:"%26" with a pcre ending in
# %26 - confirm which encoding is intended before enabling. sid 42244 separately matches a
# decoded \x27 in the normalized URI.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Information Builders WebFOCUS Business Intelligence Portal command injection attempt"; flow:to_server,established; content:"/ibi_apps/WFServlet"; fast_pattern:only; http_uri; content:"IBIWF_msgviewer="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; pcre:"/[?&]IBIWF_msgviewer=[^&]*?%27/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-9044; reference:url,www.talosintelligence.com/reports/TALOS-2017-0315/; classtype:web-application-attack; sid:42245; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Information Builders WebFOCUS Business Intelligence Portal command injection attempt"; flow:to_server,established; content:"/ibi_apps/WFServlet"; fast_pattern:only; http_uri; content:"IBIWF_msgviewer="; nocase; http_uri; pcre:"/[?&]IBIWF_msgviewer=[^&]*?([\x60\x3b\x7c]|\x24\x28|\x27)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-9044; reference:url,www.talosintelligence.com/reports/TALOS-2017-0315/; classtype:web-application-attack; sid:42244; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Foscam cgiproxy.fcgi stack buffer overflow attempt"; flow:to_server,established; urilen:>64,norm; content:"/cgi-bin/cgiproxy.fcgi"; fast_pattern:only; http_uri; pcre:"/[?&](cmd|pwd|usr)=[^&]{64}/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-2805; reference:url,www.talosintelligence.com/reports/TALOS-2017-0299/; classtype:attempted-admin; sid:42078; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Moxa AWK-3131A Series cross-site request forgery attempt"; flow:to_server,established; file_data; content:"Password508"; fast_pattern:only; content:"Password508"; http_cookie; pcre:"/^Host:\s*(?P<hostname>[^\s\x2F\x5C]+).*?Referer:\s*https?\x3A\x2F{2}(?!(?P=hostname))/smiH"; metadata:service http; reference:cve,2016-8718; reference:url,www.talosintelligence.com/reports/TALOS-2016-0232/; classtype:attempted-user; sid:41352; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Moxa AWK-3131A plaintext password leak attempt"; flow:to_server,established; content:"/forms/webSetUserChgPwd"; fast_pattern:only; http_uri; content:"Passwd="; nocase; metadata:service http; reference:cve,2016-8716; reference:url,www.talosintelligence.com/reports/TALOS-2016-0230/; classtype:policy-violation; sid:41223; rev:3;)
# Moxa AWK-3131A rules, sids 41222, 41221 and 41220 (all disabled in this copy).
# Unlike the other AWK-3131A rules in this file (e.g. sid 41085, $EXTERNAL_NET -> $HOME_NET),
# these three inspect requests travelling from $HOME_NET to $EXTERNAL_NET $HTTP_PORTS.
# NOTE(review): confirm that direction matches where the devices sit; depending on how the
# network variables are defined, requests arriving at a device inside $HOME_NET may not be
# inspected by these sids.
# sids 41221 and 41220 use a negated pcre: they fire when "bkpath=" is present and the payload
# has no bkpath= value of /time_set.asp (also \ or percent-encoded separator) ending at "&"
# or end of line.
# NOTE(review): sid 41220 watches /forms/iw_webSetParameters but allows the same time_set.asp
# value as sid 41221 - presumably copied; verify the expected bkpath for that form. The "."
# in time_set.asp is unescaped, so it matches any character.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Moxa AWK-3131A web application web_runScript access attempt"; flow:to_server,established; content:"/forms/web_runScript"; fast_pattern:only; http_uri; content:"Content-"; http_header; content:"form-data|3B|"; within:50; http_header; metadata:service http; reference:cve,2016-8726; reference:url,www.talosintelligence.com/reports/TALOS-2016-0240; classtype:attempted-dos; sid:41222; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Moxa AWK-3131A web application HTTP response parameter injection attempt"; flow:to_server,established; content:"/forms/webSetBasicTime"; fast_pattern:only; http_uri; content:"bkpath="; pcre:!"/bkpath=(\x2f|\x5c|%2f|%5c)time_set.asp(&|$)/mi"; metadata:service http; reference:cve,2016-8720; reference:url,www.talosintelligence.com/reports/TALOS-2016-0234/; classtype:attempted-user; sid:41221; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Moxa AWK-3131A web application HTTP response parameter injection attempt"; flow:to_server,established; content:"/forms/iw_webSetParameters"; fast_pattern:only; http_uri; content:"bkpath="; pcre:!"/bkpath=(\x2f|\x5c|%2f|%5c)time_set.asp(&|$)/mi"; metadata:service http; reference:cve,2016-8720; reference:url,www.talosintelligence.com/reports/TALOS-2016-0234/; classtype:attempted-user; sid:41220; rev:2;)
# Moxa AWK-3131A cross site scripting, CVE-2016-8719 / TALOS-2016-0233 - four ENABLED rules,
# one per page and parameter, set to drop under the balanced-ips, max-detect-ips and
# security-ips policies:
#   sid 41105 - wireless_security.asp, vapIndex=
#   sid 41104 - wireless_cert.asp,     index=
#   sid 41103 - multiple_ssid_set.asp, devIndex=
#   sid 41102 - client_list.asp,       devIndex=
# Each pcre runs on the normalized URI (/U, case-insensitive) and fires when the parameter
# value contains a quote, angle bracket or parenthesis, or the substrings script, onload or src.
# Only the URI is inspected; the same parameters sent in a request body are not covered here.
# NOTE(review): the page names are matched anywhere in the URI (fast_pattern:only, no leading
# "/"), so another application with an identically named page would also trigger - presumably
# rare, but check alert volume before running inline.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Moxa AWK-3131A web application cross site scripting attempt"; flow:to_server,established; content:"wireless_security.asp"; fast_pattern:only; http_uri; content:"vapIndex="; nocase; http_uri; pcre:"/[?&]vapIndex=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-8719; reference:url,www.talosintelligence.com/reports/TALOS-2016-0233; classtype:attempted-user; sid:41105; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Moxa AWK-3131A web application cross site scripting attempt"; flow:to_server,established; content:"wireless_cert.asp"; fast_pattern:only; http_uri; content:"index="; nocase; http_uri; pcre:"/[?&]index=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-8719; reference:url,www.talosintelligence.com/reports/TALOS-2016-0233; classtype:attempted-user; sid:41104; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Moxa AWK-3131A web application cross site scripting attempt"; flow:to_server,established; content:"multiple_ssid_set.asp"; fast_pattern:only; http_uri; content:"devIndex="; nocase; http_uri; pcre:"/[?&]devIndex=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-8719; reference:url,www.talosintelligence.com/reports/TALOS-2016-0233; classtype:attempted-user; sid:41103; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Moxa AWK-3131A web application cross site scripting attempt"; flow:to_server,established; content:"client_list.asp"; fast_pattern:only; http_uri; content:"devIndex="; nocase; http_uri; pcre:"/[?&]devIndex=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-8719; reference:url,www.talosintelligence.com/reports/TALOS-2016-0233; classtype:attempted-user; sid:41102; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Moxa AWK-3131A webSetPingTrace command injection attempt"; flow:to_server,established; content:"/forms/webSetPingTrace"; fast_pattern:only; http_uri; content:"srvName="; nocase; http_client_body; pcre:"/(^|&)srvName=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-8721; reference:url,www.talosintelligence.com/reports/TALOS-2016-0235; classtype:web-application-attack; sid:41085; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Moxa AWK-3131A asqc.asp information disclosure attempt"; flow:to_server,established; content:"/asqc.asp"; depth:9; nocase; http_uri; metadata:service http; reference:cve,2016-8722; reference:url,www.talosintelligence.com/reports/TALOS-2016-0236/; classtype:attempted-recon; sid:40916; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products invalid HTTP request attempt"; flow:to_server,established; content:"GET"; depth:3; content:"GET"; http_method; urilen:>0; content:!"/"; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-3913; reference:cve,2016-8723; reference:url,www.talosintelligence.com/reports/TALOS-2016-0237; classtype:attempted-dos; sid:40880; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Moxa AWK-3131A getonekey.gz information disclosure attempt"; flow:to_server,established; content:"/getonekey.gz"; depth:13; nocase; http_uri; metadata:service http; reference:cve,2016-8727; reference:url,www.talosintelligence.com/reports/TALOS-2016-0241/; classtype:attempted-recon; sid:40822; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Moxa AWK-3131A makeonekey.gz information disclosure attempt"; flow:to_server,established; content:"/makeonekey.gz"; depth:14; nocase; http_uri; metadata:service http; reference:cve,2016-8727; reference:url,www.talosintelligence.com/reports/TALOS-2016-0241/; classtype:attempted-recon; sid:40821; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Moxa AWK-3131A systemlog.log information disclosure attempt"; flow:to_server,established; content:"/systemlog.log"; depth:14; nocase; http_uri; metadata:service http; reference:cve,2016-8725; reference:url,www.talosintelligence.com/reports/TALOS-2016-0239/; classtype:attempted-recon; sid:40820; rev:4;)
# SonicWall Secure Remote Access, portalname parameter of /cgi-bin/sitecustomization.
# One rule per place the value can travel; the pcre flag letter selects the buffer:
#   sid 43898  U = normalized URI: backtick, ';', '|', or '<(' '>(' '$('
#   sid 43897  I = raw URI: an encoded ampersand (%26). Presumably kept separate because, once
#              decoded, it cannot be told apart from the '&' that ends the [^&]*? value match.
#   sid 43896  P = urlencoded request body: the same metacharacters, literal or percent-encoded
#   sid 43895  P = multipart/form-data body: the value that follows the portalname part header
# All four ship commented out and reference only a packetstorm URL, no CVE. Where this appliance
# is reachable from $EXTERNAL_NET, enable them as a set, since each covers a different encoding.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt"; flow:to_server,established; content:"/cgi-bin/sitecustomization"; fast_pattern:only; http_uri; content:"portalname="; nocase; http_uri; pcre:"/[?&]portalname=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,packetstormsecurity.com/files/143422/; classtype:web-application-attack; sid:43898; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt"; flow:to_server,established; content:"/cgi-bin/sitecustomization"; fast_pattern:only; http_uri; content:"portalname="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]portalname=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,packetstormsecurity.com/files/143422/; classtype:web-application-attack; sid:43897; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt"; flow:to_server,established; content:"/cgi-bin/sitecustomization"; fast_pattern:only; http_uri; content:"portalname="; nocase; http_client_body; pcre:"/(^|&)portalname=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,packetstormsecurity.com/files/143422/; classtype:web-application-attack; sid:43896; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt"; flow:to_server,established; content:"/cgi-bin/sitecustomization"; fast_pattern:only; http_uri; content:"portalname"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?portalname((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,packetstormsecurity.com/files/143422/; classtype:web-application-attack; sid:43895; rev:2;)
# sid 43958 (SoapUI) is the one rule in this stretch that inspects server-to-client traffic:
# flow:to_client plus file_data, so it looks at a WSDL document being delivered to a host in
# $HOME_NET. The hex content decodes to default="${= and must be followed, within 80 bytes each,
# by (' and '). It therefore protects SoapUI users, not a web server.
# sid 43957 (UniFi Cloud Key) checks the Host request header (pcre flag H) on /api/status for
# shell metacharacters; the affected firmware version appears only in the msg text.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP SoapUI WSDL types element remote code execution attempt"; flow:to_client,established; file_data; content:"targetNamespace"; fast_pattern:only; content:"element name="; nocase; content:"default|3D 22 24 7B 3D|"; within:80; content:"|28 27|"; within:80; content:"|27 29|"; within:80; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-1202; reference:url,www.exploit-db.com/exploits/30908/; classtype:attempted-user; sid:43958; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host Remote Command Execution attempt"; flow:to_server,established; urilen:11,norm; content:"/api/status"; fast_pattern:only; http_uri; pcre:"/^Host\x3A[^\x0a]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Him"; metadata:ruleset community, service http; reference:url,cxsecurity.com/issue/WLB-2017080038; classtype:web-application-attack; sid:43957; rev:1;)
# Synology Photo Station (advisory Synology_SA_17_34_PhotoStation), all shipped commented out.
#   sid 43939  synotheme_upload.php: "logo_upload" anywhere in the packet plus
#              "security_identifier" in the request body (CVE-2017-11151)
#   sids 43938 / 43937 / 43936  file_upload.php, session parameter containing "../" in the
#              normalized URI, the urlencoded body and a multipart body respectively; these
#              three carry the advisory URL but no CVE reference
#   sid 43935  PixlrEditorHandler.php: base64-decodes what follows "path=" and looks for "../"
#              in the decoded bytes (CVE-2017-11152)
#   sid 43934  PixlrEditorHandler.php with "type=php" anywhere in the packet (CVE-2017-11154)
# Patching Photo Station is the fix; these rules are useful mainly for spotting probing of
# units that are still exposed.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Synology Photo Station synotheme_upload.php session forgery attempt"; flow:to_server,established; content:"/photo/include/synotheme_upload.php"; fast_pattern:only; http_uri; content:"logo_upload"; nocase; content:"security_identifier"; nocase; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-11151; reference:url,www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation; classtype:attempted-admin; sid:43939; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt"; flow:to_server,established; content:"/photo/include/file_upload.php"; fast_pattern:only; http_uri; content:"session="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]session=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation; classtype:web-application-attack; sid:43938; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt"; flow:to_server,established; content:"/photo/include/file_upload.php"; fast_pattern:only; http_uri; content:"session="; nocase; http_client_body; pcre:"/(^|&)session=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation; classtype:web-application-attack; sid:43937; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt"; flow:to_server,established; content:"/photo/include/file_upload.php"; fast_pattern:only; http_uri; content:"session"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?session((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation; classtype:web-application-attack; sid:43936; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php directory traversal attempt"; flow:to_server,established; content:"/photo/PixlrEditorHandler.php"; fast_pattern:only; http_uri; content:"path="; nocase; base64_decode:bytes 256,relative; base64_data; content:"../"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-11152; reference:url,www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation; classtype:web-application-attack; sid:43935; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php arbitrary PHP file upload attempt"; flow:to_server,established; content:"/photo/PixlrEditorHandler.php"; fast_pattern:only; http_uri; content:"type=php"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-11154; reference:url,www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation; classtype:attempted-admin; sid:43934; rev:3;)
# Cisco DDR2200 ADSL gateway, pingAddr parameter of waitPingqry. Four community-ruleset
# variants covering multipart body (44008), urlencoded body (44007), raw URI with an encoded
# ampersand (44006) and normalized URI (44005).
# NOTE(review): sid 44008 carries only the seclists URL, while the other three also reference
# cve,2017-11588. Reports keyed on the CVE will miss hits from 44008 unless that is accounted for.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; content:"waitPingqry"; fast_pattern:only; http_uri; content:"pingAddr"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?pingAddr((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44008; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; content:"waitPingqry"; fast_pattern:only; http_uri; content:"pingAddr="; nocase; http_client_body; pcre:"/(^|&)pingAddr=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-11588; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44007; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; content:"waitPingqry"; fast_pattern:only; http_uri; content:"pingAddr="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]pingAddr=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-11588; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44006; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; content:"waitPingqry"; fast_pattern:only; http_uri; content:"pingAddr="; nocase; http_uri; pcre:"/[?&]pingAddr=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-11588; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44005; rev:3;)
# sid 44001 (PHP quoted-printable DoS, CVE-2013-2110): requires two FF FF byte pairs after
# ".php" in the normalized URI, then a run of %XX triplets in the raw URI. The closing pcre
# wants '=' followed by at least eleven encoded bytes up to end of line.
# NOTE(review): that pcre has flags Im only, and its class is [a-f0-9]; percent-escapes written
# with upper-case hex digits look unmatched. A locally maintained copy (own sid) could use
# [A-Fa-f0-9] - confirm against a capture before relying on this rule.
# sid 44021 (Dell OpenManage, CVE-2004-0331): fixed port 1311, a single 16-byte literal, no
# service metadata and no HTTP buffer, so it only sees traffic addressed to that port.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP malformed quoted printable denial of service attempt"; flow:to_server,established; content:".php"; http_uri; content:"|FF FF|"; distance:0; fast_pattern; http_uri; content:"|FF FF|"; distance:0; http_uri; content:"=|25|"; http_raw_uri; content:"|25|"; within:1; distance:2; http_raw_uri; content:"|25|"; within:1; distance:2; http_raw_uri; content:"|25|"; within:1; distance:2; http_raw_uri; content:"|25|"; within:1; distance:2; http_raw_uri; content:"|25|"; within:1; distance:2; http_raw_uri; pcre:"/\x3D\x25[a-f0-9]{2}(\x25[a-f0-9]{2}){10,}$/Im"; metadata:service http; reference:cve,2013-2110; classtype:denial-of-service; sid:44001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1311 (msg:"SERVER-WEBAPP Dell OpenManage server application field buffer overflow attempt"; flow:to_server,established; content:"|3A DF A6 DC 2B 2F FE 93 A9 14 31 30 C2 DB CB 0E|"; fast_pattern:only; reference:cve,2004-0331; classtype:attempted-user; sid:44021; rev:1;)
# Schneider Electric U.motion Builder localize.php (CVE-2017-7973, ICSA-17-180-02): sids 44080
# and 44079 flag quote, ';', '#', '/*' or '--' in the username parameter, in the normalized URI
# and in the urlencoded body respectively. Both ship commented out; on an ICS network that
# still runs this product they are worth enabling alongside the vendor fix.
#
# OPENi-CMS Seitenschutz plugin (CVE-2007-0881): sids 44134 (body) and 44133 (URI) look for
# http or ftp in the config[oi_dir] / config[openi_dir] value.
# NOTE(review): sid 44134 requires the literal content "config[o=" in the body, but its own
# pcre only accepts config[oi_dir]= or config[openi_dir]=, neither of which contains that
# string. sid 44133 uses "config[o" without the '='. As written, 44134 looks unable to fire
# on the request shape it describes - verify before counting on it.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Schneider Electric Umotion Builder localize.php SQL injection attempt"; flow:to_server,established; content:"/modules/localization/localize.php"; fast_pattern:only; http_uri; content:"username="; nocase; http_uri; pcre:"/[?&]username=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,99344; reference:cve,2017-7973; reference:url,ics-cert.us-cert.gov/advisories/ICSA-17-180-02; reference:url,www.schneider-electric.com/en/download/document/SEVD-2017-178-01/; classtype:web-application-attack; sid:44080; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Schneider Electric Umotion Builder localize.php SQL injection attempt"; flow:to_server,established; content:"/modules/localization/localize.php"; fast_pattern:only; http_uri; content:"username="; nocase; http_client_body; pcre:"/(^|&)username=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,99344; reference:cve,2017-7973; reference:url,ics-cert.us-cert.gov/advisories/ICSA-17-180-02; reference:url,www.schneider-electric.com/en/download/document/SEVD-2017-178-01/; classtype:web-application-attack; sid:44079; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OPENi-CMS Seitenschutz plugin remote file include attempt"; flow:to_server,established; content:"/open-admin/plugins/site_protection/index.php"; fast_pattern:only; http_uri; content:"config[o="; nocase; http_client_body; pcre:"/(^|&)config\[o(i_dir\]|peni_dir\])=[^&]*?(http|ftp)/Pim"; metadata:service http; reference:cve,2007-0881; classtype:web-application-attack; sid:44134; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OPENi-CMS Seitenschutz plugin remote file include attempt"; flow:to_server,established; content:"/open-admin/plugins/site_protection/index.php"; fast_pattern:only; http_uri; content:"config[o"; nocase; http_uri; content:"|3A|/"; http_uri; pcre:"/[?&]config\[o(i_dir\]|peni_dir\])=[^&]*?(http|ftp)/Ui"; metadata:service http; reference:cve,2007-0881; classtype:web-application-attack; sid:44133; rev:1;)
# Symantec Messaging Gateway restore action (CVE-2017-6327): sids 44118 (normalized URI),
# 44117 (raw URI, encoded ampersand) and 44116 (urlencoded body) watch the
# localBackupFileSelection parameter of /brightmail/admin/restore/action5.do for shell
# metacharacters. There is no multipart-body variant in this group.
#
# Schneider Electric U.motion Builder runscript.php (CVE-2017-7974): sids 44176 and 44175 flag
# a path separator in the s/script parameter, in the URI and in the body. sid 44175 has no
# content match in the body, only the pcre, so the URI content is its sole fast pattern.
# Everything in this group ships commented out.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt"; flow:to_server,established; content:"/brightmail/admin/restore/action5.do"; fast_pattern:only; http_uri; content:"localBackupFileSelection="; nocase; http_uri; pcre:"/[?&]localBackupFileSelection=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100135; reference:cve,2017-6327; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20170810_00; classtype:web-application-attack; sid:44118; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt"; flow:to_server,established; content:"/brightmail/admin/restore/action5.do"; fast_pattern:only; http_uri; content:"localBackupFileSelection="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]localBackupFileSelection=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100135; reference:cve,2017-6327; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20170810_00; classtype:web-application-attack; sid:44117; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt"; flow:to_server,established; content:"/brightmail/admin/restore/action5.do"; fast_pattern:only; http_uri; content:"localBackupFileSelection="; nocase; http_client_body; pcre:"/(^|&)localBackupFileSelection=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100135; reference:cve,2017-6327; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20170810_00; classtype:web-application-attack; sid:44116; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Schneider Electric Umotion Builder runscript.php arbitrary file include attempt"; flow:to_server,established; content:"/umotion/modules/scripting/runscript.php"; fast_pattern:only; http_uri; pcre:"/[?&]s(cript)?=[^&]*?\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,99344; reference:cve,2017-7974; reference:url,ics-cert.us-cert.gov/advisories/ICSA-17-180-02; classtype:web-application-attack; sid:44176; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Schneider Electric Umotion Builder runscript.php arbitrary file include attempt"; flow:to_server,established; content:"/umotion/modules/scripting/runscript.php"; fast_pattern:only; http_uri; pcre:"/(^|&)s(cript)?=[^&]*?([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,99344; reference:cve,2017-7974; reference:url,ics-cert.us-cert.gov/advisories/ICSA-17-180-02; classtype:web-application-attack; sid:44175; rev:1;)
# sid 44165 is a flowbits setter, not a detection: it sets the "websocket" flowbit on an
# Upgrade request and carries flowbits:noalert, so it never produces an event itself. Keep it
# enabled if any rule elsewhere tests that flowbit (none is visible in this part of the file).
# NOTE(review): the content match has no nocase and expects exactly "Upgrade: websocket" with
# one space; a header spelled with different letter case would not set the bit - confirm how
# http_inspect presents the header before depending on rules gated by this flowbit.
#
# sid 44150 (WebSphere console XSS) ships commented out; its pcre accepts the strings script,
# onload or src anywhere after /ibm/console/ in the URI, which is a wide net.
#
# sid 44236 (WP Symposium upload, CVE-2014-10021) is active. Its body test is the two bytes
# "<?", which an XML declaration also contains, so the URI content is what keeps it specific.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP websocket protocol upgrade request detected"; flow:to_server,established; content:"Upgrade|3A| websocket"; fast_pattern:only; http_header; flowbits:set,websocket; flowbits:noalert; metadata:service http; reference:url,tools.ietf.org/html/rfc6455; classtype:protocol-command-decode; sid:44165; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Websphere cross site scripting attempt"; flow:to_server,established; content:"/ibm/console/"; fast_pattern:only; http_uri; pcre:"/\x2fibm\x2fconsole\x2f.*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2009-0855; reference:cve,2009-0856; classtype:attempted-user; sid:44150; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress Symposium arbitrary PHP file upload attempt"; flow:to_server,established; content:"/wp-content/plugins/wp-symposium/mobile-files/server/php/index.php"; fast_pattern:only; http_uri; content:"<?"; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,71686; reference:cve,2014-10021; reference:url,wpvulndb.com/vulnerabilities/7716/; classtype:attempted-admin; sid:44236; rev:1;)
# Western Digital Dropbox App, account parameter of dropbox.php with cmd=getBlacklist.
# Three variants: normalized URI (44234), raw URI with encoded ampersand (44233), urlencoded
# body (44232). The "cmd=getBlacklist" content has no buffer modifier in any of them, so it is
# matched against the raw packet. No CVE is referenced, only a securiteam blog URL, and all
# three ship commented out.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt"; flow:to_server,established; content:"/Dropbox/php/dropbox.php"; fast_pattern:only; http_uri; content:"cmd=getBlacklist"; nocase; content:"account="; nocase; http_uri; pcre:"/[?&]account=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blogs.securiteam.com/index.php/archives/3397; classtype:web-application-attack; sid:44234; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt"; flow:to_server,established; content:"/Dropbox/php/dropbox.php"; fast_pattern:only; http_uri; content:"cmd=getBlacklist"; nocase; content:"account="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]account=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blogs.securiteam.com/index.php/archives/3397; classtype:web-application-attack; sid:44233; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt"; flow:to_server,established; content:"/Dropbox/php/dropbox.php"; fast_pattern:only; http_uri; content:"cmd=getBlacklist"; nocase; content:"account="; nocase; http_client_body; pcre:"/(^|&)account=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blogs.securiteam.com/index.php/archives/3397; classtype:web-application-attack; sid:44232; rev:2;)
# sid 44315 (active; CVE-2017-9805, Struts advisory S2-052): an application/xml request whose
# body names java.lang.ProcessBuilder and then has <command ... <string. It is a signature for
# that one payload shape, not for XML deserialization in general, so treat it as a tripwire
# and rely on the Struts upgrade for the fix. The dots in the pcre class name are unescaped,
# which only makes the match slightly looser.
#
# Oracle Secure Backup login.php (CVE-2011-2261): sids 44312 (multipart body), 44311
# (urlencoded body) and 44310 (URI) look for an encoded line feed, %0a, in uname.
# NOTE(review): sid 44310 searches the normalized URI (pcre flag U) for the literal text %0a.
# Other groups in this file use the raw URI (flag I) when they need to see a percent-escape;
# whether 44310 can match depends on how http_inspect normalizes the URI - confirm.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Java XML deserialization remote code execution attempt"; flow:to_server,established; content:"Content-Type|3A|"; http_header; content:"application/xml"; within:20; http_header; content:"java.lang.ProcessBuilder"; fast_pattern:only; http_client_body; content:"<command"; http_client_body; content:"<string"; distance:0; http_client_body; pcre:"/<\w+\s+class\s*?\x3D\s*?[\x22\x27]java.lang.ProcessBuilder[\x22\x27]\s*?>.*?<command.*?<string/Pis"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-9805; reference:url,struts.apache.org/docs/s2-052.html; classtype:attempted-admin; sid:44315; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Secure Backup web tool command injection attempt"; flow:to_server,established; content:"login.php"; http_uri; content:"uname"; fast_pattern; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?uname((?!^--).)*?[\r\n]{2,}((?!^--).)*?%0a/Psim"; metadata:service http; reference:cve,2011-2261; classtype:web-application-attack; sid:44312; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Secure Backup web tool command injection attempt"; flow:to_server,established; content:"login.php"; http_uri; content:"uname="; fast_pattern; nocase; http_client_body; pcre:"/(^|&)uname=[^&]*?%0a/Pim"; metadata:service http; reference:cve,2011-2261; classtype:web-application-attack; sid:44311; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Secure Backup web tool command injection attempt"; flow:to_server,established; content:"login.php"; http_uri; content:"uname="; fast_pattern; nocase; http_uri; pcre:"/[?&]uname=[^&]*?%0a/Ui"; metadata:service http; reference:cve,2011-2261; classtype:web-application-attack; sid:44310; rev:1;)
# AT&T U-verse modem rules (nomotion.net "sharknatto" write-up). Unlike most of this file they
# are bound to fixed ports (49955, 49152, 61001) instead of $HTTP_PORTS, use no http_* buffers
# and carry no service metadata, so they match the raw stream and only on those ports.
#   sids 44302 / 44301 / 44298  /caserver on 49955: the base64 literal after "Authorization: "
#              is a fixed credential (an account name with an empty password), so these fire
#              on use of that built-in login together with firmware upload, get_data or set_data
#   sid 44299  /bdc/ on 61001: a second fixed base64 credential plus a long list of four-digit
#              hex prefixes followed by '_' and five digits (presumably device identifiers)
#   sid 44300  port 49152: three bytes at offset 0 and nothing else. 49152 is also the first
#              port of the dynamic range, so expect false positives if other services land there.
# All five ship commented out. Sites with these modems inside $HOME_NET should enable them and,
# more to the point, block those ports from $EXTERNAL_NET.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 49955 (msg:"SERVER-WEBAPP AT&T U-verse modem firmware upload attempt"; flow:to_server,established; content:"/caserver"; fast_pattern:only; content:"Authorization: "; content:"dGVjaDo="; within:25; content:"appid"; nocase; content:"firmware"; nocase; content:"upload"; within:15; nocase; reference:url,nomotion.net/blog/sharknatto/; classtype:attempted-admin; sid:44302; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 49955 (msg:"SERVER-WEBAPP AT&T U-verse modem information disclosure attempt"; flow:to_server,established; content:"/caserver"; fast_pattern:only; content:"Authorization: "; content:"dGVjaDo="; within:25; content:"appid"; nocase; content:"get"; nocase; content:"data"; within:10; nocase; reference:url,nomotion.net/blog/sharknatto/; classtype:attempted-recon; sid:44301; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"SERVER-WEBAPP AT&T U-verse modem authentication bypass attempt"; flow:to_server,established; content:"|2A CE 01|"; depth:3; reference:cve,2017-14117; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/wproxy/att_open_proxy.py; reference:url,nomotion.net/blog/sharknatto/; classtype:web-application-attack; sid:44300; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 61001 (msg:"SERVER-WEBAPP AT&T U-verse modem information disclosure attempt"; flow:to_server,established; content:"Authorization: "; content:"YmRjdGVzdDpiZGN0ZXN0"; within:35; content:"/bdc/"; nocase; pcre:"/\x2fbdc\x2f00(03E0|04BD|080E|0B06|0CE5|0E5C|0F9F|0FCC|111A|1180|11AE|1225|128A|12C9|1311|1371|1404|149A|14E8|152F|1596|159A|15A2|15A3|15A4|15A8|15CE|15CF|15D0|15D1|1626|1675|16B5|1784|17E2|17EE|18A4|18C0|192C|195E|19A6|19C0|1A1B|1A66|1A77|1AAD|1ADB|1ADE|1B52|1BDD|1C11|1C12|1CC1|1CC3|1CFB|1D6B|1DBE|1DCD|1DCE|1DCF|1DD0|1DD1|1DD2|1DD3|1DD4|1DD5|1DD6|1E46|1E5A|1E8D|1F7E|1FC4|2040|211E|2136|2143|2180|2210|22B4|230B|2374|2375|2395|23A2|23A3|23AF|23ED|23EE|2493|2495|24A0|24A1|24C1|25F1|25F2)_\d{5}/i"; reference:url,nomotion.net/blog/sharknatto/; classtype:attempted-recon; sid:44299; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 49955 (msg:"SERVER-WEBAPP AT&T U-verse modem command injection attempt"; flow:to_server,established; content:"/caserver"; fast_pattern:only; content:"Authorization: "; content:"dGVjaDo="; within:25; content:"appid"; nocase; content:"set"; nocase; content:"data"; within:10; nocase; pcre:"/(^|&)set(\x5f|%5f)data(\x3d|%3d)[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/im"; reference:url,nomotion.net/blog/sharknatto/; classtype:web-application-attack; sid:44298; rev:1;)
# NEC Express Cluster, WorkGuid parameter of DeleteWorkDirectory.js on port 29003: query-string
# form (44322) and multipart form (44321). Both match the raw stream (no http_* buffers, pcre
# without a buffer flag) even though the metadata says service http. depth:28 is the 23-byte
# path plus five bytes, presumably room for the request method and a space.
# Both ship commented out and reference only a packetstorm URL.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 29003 (msg:"SERVER-WEBAPP NEC Express Cluster DeleteWorkDirectory.js command injection attempt"; flow:to_server,established; content:"/DeleteWorkDirectory.js"; depth:28; nocase; content:"WorkGuid="; nocase; pcre:"/[?&]WorkGuid=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,packetstormsecurity.com/files/144012; classtype:web-application-attack; sid:44322; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 29003 (msg:"SERVER-WEBAPP NEC Express Cluster DeleteWorkDirectory.js command injection attempt"; flow:to_server,established; content:"/DeleteWorkDirectory.js"; depth:28; nocase; content:"WorkGuid"; nocase; content:"Content-Disposition"; nocase; pcre:"/name\s*=\s*[\x22\x27]?WorkGuid((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/sim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,packetstormsecurity.com/files/144012; classtype:web-application-attack; sid:44321; rev:2;)
# Trend Micro proxy_controller.php (CVE-2017-11394): all three variants are active and listed
# for the balanced policy. They cover the normalized URI (44361), the urlencoded body (44360)
# and the raw URI with an encoded ampersand (44359).
# The watched parameter names include the single letters t, m, c and d, so any request to this
# path that passes a short parameter containing ';' or '|' will match; review hits against the
# widget's normal traffic before acting on them. "modTMCSS" has no buffer modifier and is
# matched against the raw packet. sid 44361 spells CONSOLE_LANG literally, while the other
# two also accept the underscore written as %5f.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro proxy_controller.php command injection attempt"; flow:to_server,established; content:"/widget/proxy_controller.php"; fast_pattern:only; http_uri; content:"modTMCSS"; nocase; pcre:"/[?&]([tmcd]|tr|ds|ip|top|CONSOLE_LANG)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100130; reference:cve,2017-11394; reference:url,success.trendmicro.com/solution/1117769; classtype:web-application-attack; sid:44361; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro proxy_controller.php command injection attempt"; flow:to_server,established; content:"/widget/proxy_controller.php"; fast_pattern:only; http_uri; content:"modTMCSS"; nocase; pcre:"/(^|&)([tmcd]|tr|ds|ip|top|CONSOLE(\x5f|%5f)LANG)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100130; reference:cve,2017-11394; reference:url,success.trendmicro.com/solution/1117769; classtype:web-application-attack; sid:44360; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro proxy_controller.php command injection attempt"; flow:to_server,established; content:"/widget/proxy_controller.php"; fast_pattern:only; http_uri; content:"modTMCSS"; nocase; content:"%26"; http_raw_uri; pcre:"/[?&]([tmcd]|tr|ds|ip|top|CONSOLE(\x5f|%5f)LANG)=[^&]*?%26/Ii"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100130; reference:cve,2017-11394; reference:url,success.trendmicro.com/solution/1117769; classtype:web-application-attack; sid:44359; rev:2;)
# Three unrelated rules, all shipped commented out:
#   sid 44378  Easy File Sharing /sendemail.ghp: an Email= value of 250 bytes or more with no
#              '&' in it. The rule has no reference field at all, so there is no CVE or
#              advisory to pivot on from an alert.
#   sid 44373  XStream (CVE-2017-9793, CVE-2018-1327; Struts S2-051): an application/xml body
#              with <map, then <entry, then the word "void" anywhere later. That last test
#              is loose and may match ordinary XML.
#   sid 44390  PHP multipart upload DoS (CVE-2015-4024): a form-data part header followed by
#              five consecutive lines that contain no colon and no whitespace.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Easy File Sharing HTTP Server Post buffer overflow attempt"; flow:to_server,established; content:"/sendemail.ghp"; fast_pattern:only; http_uri; content:"Email="; nocase; http_client_body; isdataat:250,relative; content:!"&"; within:250; http_client_body; metadata:service http; classtype:web-application-attack; sid:44378; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP XStream void primitive denial of service attempt"; flow:to_server,established; content:"Content-Type|3A|"; http_header; content:"application/xml"; within:20; http_header; content:"<map"; nocase; http_client_body; content:"<entry"; distance:0; fast_pattern; nocase; http_client_body; content:"void"; distance:0; nocase; http_client_body; metadata:service http; reference:cve,2017-9793; reference:cve,2018-1327; reference:url,struts.apache.org/docs/s2-051.html; classtype:denial-of-service; sid:44373; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP form-based file upload DoS attempt"; flow:to_server,established; content:"POST"; http_method; content:"Content-Type: multipart/form-data"; fast_pattern:only; nocase; http_header; content:"Content-Disposition:"; nocase; content:"form-data"; within:50; content:!"|0D 0A 0D 0A|"; within:100; pcre:"/form-data[^\r]*?\n([^\s:]+?\n){5}/Pi"; metadata:service http; reference:cve,2015-4024; classtype:denial-of-service; sid:44390; rev:1;)
# Router rules from the embedi D-Link write-up, plus one DenyAll WAF rule.
#   sid 44388  (active, CVE-2018-7034) getcfg.php: a request body containing a line feed,
#              literal or as %0A, followed by AUTH with each letter literal or percent-encoded.
#              Its ATT&CK references T1081 and T1214 have since been superseded upstream by
#              T1552 sub-techniques; map accordingly when enriching alerts.
#   sids 44387 / 44386 / 44385 / 44384  HNAP1 Login: the closing tag of LoginPassword,
#              Username, Captcha or Action is not found within 144 / 139 / 138 / 137 bytes of
#              the opening tag. Each limit is 128 plus the length of the closing tag, so all
#              four flag a field value longer than 128 bytes. The negated content has no
#              http_client_body modifier, unlike the opening-tag match before it.
#   sid 44383  /f2.htm: a form upload whose filename ends in .bin. A legitimate firmware update
#              performed from $EXTERNAL_NET looks the same, hence classtype misc-attack.
#   sid 44437  DenyAll WAF tail.php on port 3001: type/uid parameter with shell metacharacters,
#              matched on the raw stream; depth:33 is the 28-byte path plus five bytes.
# Only 44388 is enabled. Networks with these routers in $HOME_NET should review the rest.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple routers getcfg.php credential disclosure attempt"; flow:to_server,established; content:"/getcfg.php"; fast_pattern:only; http_uri; pcre:"/(\n|%0A)(A|%41)(U|%55)(T|%54)(H|%48)/Pi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-7034; reference:url,attack.mitre.org/techniques/T1003; reference:url,attack.mitre.org/techniques/T1081; reference:url,attack.mitre.org/techniques/T1214; reference:url,blogs.securiteam.com/index.php/archives/3364; reference:url,embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-link-routers-cruisin-bruisin; classtype:attempted-recon; sid:44388; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link router stack based buffer overflow attempt"; flow:to_server,established; content:"/HNAP1/"; fast_pattern:only; nocase; http_uri; urilen:7; content:"SOAPACTION: http://purenetworks.com/HNAP1/Login"; nocase; http_header; content:"<LoginPassword>"; http_client_body; isdataat:145,relative; content:!"</LoginPassword>"; within:144; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-link-routers-cruisin-bruisin; classtype:attempted-admin; sid:44387; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link router stack based buffer overflow attempt"; flow:to_server,established; content:"/HNAP1/"; fast_pattern:only; nocase; http_uri; urilen:7; content:"SOAPACTION: http://purenetworks.com/HNAP1/Login"; nocase; http_header; content:"<Username>"; http_client_body; isdataat:140,relative; content:!"</Username>"; within:139; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-link-routers-cruisin-bruisin; classtype:attempted-admin; sid:44386; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link router stack based buffer overflow attempt"; flow:to_server,established; content:"/HNAP1/"; fast_pattern:only; nocase; http_uri; urilen:7; content:"SOAPACTION: http://purenetworks.com/HNAP1/Login"; nocase; http_header; content:"<Captcha>"; http_client_body; isdataat:139,relative; content:!"</Captcha>"; within:138; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-link-routers-cruisin-bruisin; classtype:attempted-admin; sid:44385; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link router stack based buffer overflow attempt"; flow:to_server,established; content:"/HNAP1/"; fast_pattern:only; nocase; http_uri; urilen:7; content:"SOAPACTION: http://purenetworks.com/HNAP1/Login"; nocase; http_header; content:"<Action>"; http_client_body; isdataat:138,relative; content:!"</Action>"; within:137; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-link-routers-cruisin-bruisin; classtype:attempted-admin; sid:44384; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link router firmware update attempt"; flow:to_server,established; content:"/f2.htm"; fast_pattern:only; nocase; http_uri; urilen:7; content:"Content-Disposition: form-data"; content:"filename="; distance:0; content:".bin|22 0D 0A|"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-link-routers-cruisin-bruisin; classtype:misc-attack; sid:44383; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3001 (msg:"SERVER-WEBAPP DenyAll WAF tail.php command injection attempt"; flow:to_server,established; content:"/webservices/stream/tail.php"; depth:33; nocase; pcre:"/[?&](type|uid)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.denyall.com/blog/advisories/advisory-unauthenticated-remote-code-execution-denyall-web-application-firewall/; classtype:web-application-attack; sid:44437; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3001 (msg:"SERVER-WEBAPP DenyAll WAF tail.php command injection attempt"; flow:to_server,established; content:"/webservices/stream/tail.php"; depth:33; nocase; content:"Content-Disposition"; nocase; pcre:"/name\s*=\s*[\x22\x27]?(type|uid)((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/sim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.denyall.com/blog/advisories/advisory-unauthenticated-remote-code-execution-denyall-web-application-firewall/; classtype:web-application-attack; sid:44436; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3001 (msg:"SERVER-WEBAPP DenyAll WAF authentication token disclosure attempt"; flow:to_server,established; content:"/webservices/download/index.php"; depth:36; nocase; content:"applianceUid="; nocase; content:"typeOf=debug"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.denyall.com/blog/advisories/advisory-unauthenticated-remote-code-execution-denyall-web-application-firewall/; classtype:attempted-recon; sid:44435; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link hedwig.cgi directory traversal attempt"; flow:to_server,established; content:"/hedwig.cgi"; fast_pattern:only; http_uri; content:"<postxml"; nocase; http_client_body; content:"<module"; nocase; http_client_body; content:"<service"; nocase; http_client_body; pcre:"/<service[^>]*>[^<]*(\x2e|&\x23(x0*2e|0*46)\x3b){2}(\x2f|&\x23(x0*2f|0*47)\x3b)/Pi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blogs.securiteam.com/index.php/archives/3364; classtype:attempted-recon; sid:44454; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link hedwig.cgi NTP service configuration command injection attempt"; flow:to_server,established; content:"/hedwig.cgi"; fast_pattern:only; http_uri; content:"DEVICE.TIME"; nocase; http_client_body; content:"<ntp"; nocase; http_client_body; content:"<server"; nocase; http_client_body; pcre:"/<server[^>]*>[^<]*[\x60\x3b\x7c\x26\x28]/Pi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blogs.securiteam.com/index.php/archives/3364; classtype:attempted-recon; sid:44453; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt"; flow:to_server,established; content:"/upgrade_handle.php"; fast_pattern:only; http_uri; content:"uploaddir="; nocase; http_uri; pcre:"/[?&]uploaddir=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blogs.securiteam.com/index.php/archives/3409; classtype:web-application-attack; sid:44472; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt"; flow:to_server,established; content:"/upgrade_handle.php"; fast_pattern:only; http_uri; content:"uploaddir="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]uploaddir=[^&]*?%26/Ii"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blogs.securiteam.com/index.php/archives/3409; classtype:web-application-attack; sid:44471; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt"; flow:to_server,established; content:"/services/liliSetDeviceCommand.php"; fast_pattern:only; http_uri; pcre:"/[?&](cmd\d|lang)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,forsec.nl/2017/09/smart-home-remote-command-execution-rce/; classtype:web-application-attack; sid:44467; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt"; flow:to_server,established; content:"/services/liliSetDeviceCommand.php"; fast_pattern:only; http_uri; pcre:"/(^|&)(cmd\d|lang)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,forsec.nl/2017/09/smart-home-remote-command-execution-rce/; classtype:web-application-attack; sid:44466; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt"; flow:to_server,established; content:"/services/liliSetDeviceCommand.php"; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&](cmd\d|lang)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,forsec.nl/2017/09/smart-home-remote-command-execution-rce/; classtype:web-application-attack; sid:44465; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Faleemi IP Cameras information disclosure attempt"; flow:to_server,established; content:"/hy-cgi/"; depth:8; nocase; http_uri; content:".cgi"; nocase; http_uri; content:"cmd="; nocase; pcre:"/[?&]cmd=(get|check)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,medium.com/iotsploit/faleemi-fsc-880-multiple-security-vulnerabilities-ed1d132c2cce; classtype:attempted-recon; sid:44497; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Faleemi IP Cameras ftp.cgi command injection attempt"; flow:to_server,established; content:"/hy-cgi/ftp.cgi"; fast_pattern:only; http_uri; content:"server"; nocase; http_client_body; pcre:"/(^|&)ft(\x5f|%5f)server=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,medium.com/iotsploit/faleemi-fsc-880-multiple-security-vulnerabilities-ed1d132c2cce; classtype:web-application-attack; sid:44496; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Faleemi IP Cameras ftp.cgi command injection attempt"; flow:to_server,established; content:"/hy-cgi/ftp.cgi"; fast_pattern:only; http_uri; content:"ft_server="; nocase; http_uri; pcre:"/[?&]ft_server=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,medium.com/iotsploit/faleemi-fsc-880-multiple-security-vulnerabilities-ed1d132c2cce; classtype:web-application-attack; sid:44495; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Faleemi IP Cameras ftp.cgi command injection attempt"; flow:to_server,established; content:"/hy-cgi/ftp.cgi"; fast_pattern:only; http_uri; content:"ft_server="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]ft(\x5f|%5f)server=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,medium.com/iotsploit/faleemi-fsc-880-multiple-security-vulnerabilities-ed1d132c2cce; classtype:web-application-attack; sid:44494; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Faleemi IP Cameras ONVIF device_service SQL injection attempt"; flow:to_server,established; content:"/onvif/device_service"; fast_pattern:only; http_uri; content:"<Security"; nocase; http_client_body; content:"<Username"; nocase; http_client_body; pcre:"/<Username[^>]*>[^<]*([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-14743; reference:url,medium.com/iotsploit/faleemi-fsc-880-multiple-security-vulnerabilities-ed1d132c2cce; classtype:attempted-admin; sid:44493; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ZyXEL Router Firmware qos_queue_add.cgi command injection attempt"; flow:to_server,established; content:"/qos_queue_add.cgi"; fast_pattern:only; http_uri; content:"WebQueueInterface="; nocase; http_uri; pcre:"/[?&]WebQueueInterface=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,gwillem.gitlab.io/2017/09/28/hacking-the-zyxel-p-2812hnu-f1/; classtype:web-application-attack; sid:44492; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ZyXEL Router Firmware qos_queue_add.cgi command injection attempt"; flow:to_server,established; content:"/qos_queue_add.cgi"; fast_pattern:only; http_uri; content:"WebQueueInterface="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]WebQueueInterface=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,gwillem.gitlab.io/2017/09/28/hacking-the-zyxel-p-2812hnu-f1/; classtype:web-application-attack; sid:44491; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ZyXEL Router Firmware qos_queue_add.cgi command injection attempt"; flow:to_server,established; content:"/qos_queue_add.cgi"; fast_pattern:only; http_uri; content:"WebQueueInterface="; nocase; http_client_body; pcre:"/(^|&)WebQueueInterface=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,gwillem.gitlab.io/2017/09/28/hacking-the-zyxel-p-2812hnu-f1/; classtype:web-application-attack; sid:44490; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center DeviceService Java expression language injection attempt"; flow:to_server,established; content:"/imc/res/deviceselect/gwt/deviceSelect/deviceservice.gwtsvc"; fast_pattern:only; http_uri; content:"new "; nocase; http_client_body; pcre:"/new\s+(java|org|sun)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100367; reference:cve,2017-12491; reference:url,h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us; classtype:attempted-admin; sid:44530; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Endpoint Protection Manager information disclosure attempt"; flow:to_server,established; content:"/servlet/ConsoleServlet"; fast_pattern:only; http_uri; content:"ObjectType=SysAdministratorArray"; nocase; http_uri; content:"ActionType=GetObject"; nocase; http_uri; metadata:service http; reference:bugtraq,91440; reference:cve,2016-3649; classtype:attempted-recon; sid:44507; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Endpoint Protection Manager directory traversal attempt"; flow:to_server,established; content:"/help/wwhelp/wwhimpl/common/html/wwhelp.htm"; fast_pattern:only; http_uri; content:"file="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]file=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,91443; reference:cve,2016-5307; classtype:web-application-attack; sid:44506; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Endpoint Protection Manager directory traversal attempt"; flow:to_server,established; content:"/help/wwhelp/wwhimpl/common/html/wwhelp.htm"; fast_pattern:only; http_uri; content:"file="; nocase; http_client_body; pcre:"/(^|&)file=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,91443; reference:cve,2016-5307; classtype:web-application-attack; sid:44505; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Endpoint Protection Manager directory traversal attempt"; flow:to_server,established; content:"/help/wwhelp/wwhimpl/common/html/wwhelp.htm"; fast_pattern:only; http_uri; content:"file"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?file((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,91443; reference:cve,2016-5307; classtype:web-application-attack; sid:44504; rev:2;)
# HP IMC wmiConfigContent.xhtml, beanName Java expression-language injection (CVE-2017-12526).
# One rule per place the parameter can travel:
#   sid 44536 - URI query string (pcre flag U)
#   sid 44535 - request body, form-encoded style (pcre flag P, accepts %20 as whitespace)
#   sid 44534 - multipart body (Content-Disposition name=beanName, pcre flags Psim)
# All three are commented out in this file and list only the max-detect-ips and
# security-ips policies.
# NOTE(review): sid 44535 anchors the parameter with [?&] although it inspects the request
# body. A body has no leading "?", so beanName sent as the first body field is not matched.
# Other body rules in this file anchor with (^|&) plus the m flag (e.g. sid 44505).
# Do not edit the vendor rule in place; if this coverage is needed, carry a corrected copy
# as a local rule (sid >= 1000000) so a ruleset update does not overwrite it.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP IMC wmiConfigContent Java expression language injection attempt"; flow:to_server,established; content:"/imc/vnm/wmi/wmiConfigContent.xhtml"; fast_pattern:only; http_uri; content:"beanName="; nocase; http_uri; pcre:"/[?&]beanName=[^&]*?new\s+(java|org|sun)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100367; reference:cve,2017-12526; reference:url,h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us; classtype:attempted-admin; sid:44536; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP IMC wmiConfigContent Java expression language injection attempt"; flow:to_server,established; content:"/imc/vnm/wmi/wmiConfigContent.xhtml"; fast_pattern:only; http_uri; content:"beanName="; nocase; http_client_body; pcre:"/[?&]beanName=[^&]*?new(\s|%20)+(java|org|sun)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100367; reference:cve,2017-12526; reference:url,h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us; classtype:attempted-admin; sid:44535; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP IMC wmiConfigContent Java expression language injection attempt"; flow:to_server,established; content:"/imc/vnm/wmi/wmiConfigContent.xhtml"; fast_pattern:only; http_uri; content:"beanName"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?beanName((?!^--).)*?new\s+(java|org|sun)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100367; reference:cve,2017-12526; reference:url,h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us; classtype:attempted-admin; sid:44534; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress Customizer directory traversal attempt"; flow:to_server,established; content:"/wp-admin/customize.php?"; fast_pattern:only; http_uri; content:"theme"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?theme((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:service http; reference:cve,2017-14722; classtype:web-application-attack; sid:44568; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress Customizer directory traversal attempt"; flow:to_server,established; content:"/wp-admin/customize.php?"; fast_pattern:only; http_uri; content:"theme="; nocase; http_client_body; pcre:"/(^|&)theme=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:cve,2017-14722; classtype:web-application-attack; sid:44567; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress Customizer directory traversal attempt"; flow:to_server,established; content:"/wp-admin/customize.php?"; fast_pattern:only; http_uri; content:"theme="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]theme=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:cve,2017-14722; classtype:web-application-attack; sid:44566; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro SPS and IMS diagnostic.log session disclosure attempt"; flow:to_server,established; content:"/widget/repository/log/diagnostic.log"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,102275; reference:cve,2017-11398; reference:url,pentest.blog/one-ring-to-rule-them-all-same-rce-on-multiple-trend-micro-products/; classtype:attempted-recon; sid:44565; rev:2;)
# Trend Micro OfficeScan widget proxy_controller.php, server-side request forgery via url=.
# sid 44588 inspects the URI query string (flag U), sid 44587 the request body (flags Pim).
# Both are commented out in this file; no CVE reference is attached, only the pentest.blog write-up.
# NOTE(review): the pcre accepts http, ftp or file anywhere inside the url value
# ([^&]*? precedes the group), not only as a scheme at the start of the value. Any request
# to proxy_controller.php whose url parameter merely contains one of those substrings
# alerts, so these rules flag use of the proxy endpoint rather than a specific bad target.
# Triage alerts against the requested destination before treating them as confirmed SSRF.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro OfficeScan server side request forgery attempt"; flow:to_server,established; content:"/officescan/console/html/widget/proxy_controller.php"; fast_pattern:only; http_uri; content:"url="; nocase; http_uri; pcre:"/[?&]url=[^&]*?(http|ftp|file)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,pentest.blog/one-ring-to-rule-them-all-same-rce-on-multiple-trend-micro-products/; classtype:web-application-attack; sid:44588; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro OfficeScan server side request forgery attempt"; flow:to_server,established; content:"/officescan/console/html/widget/proxy_controller.php"; fast_pattern:only; http_uri; content:"url="; nocase; http_client_body; pcre:"/(^|&)url=[^&]*?(http|ftp|file)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,pentest.blog/one-ring-to-rule-them-all-same-rce-on-multiple-trend-micro-products/; classtype:web-application-attack; sid:44587; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro widget system authentication bypass attempt"; flow:to_server,established; content:"/officescan/console/html/widget/ui/modLogin/talker.php"; fast_pattern:only; http_uri; content:"LogonUser=root"; http_cookie; content:"act=check"; http_client_body; content:"hash="; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,pentest.blog/one-ring-to-rule-them-all-same-rce-on-multiple-trend-micro-products/; classtype:attempted-admin; sid:44582; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP NAS HelpDesk App supportutils.php SQL injection attempt"; flow:to_server,established; content:"/apps/qdesk/cli/supportutils/applog/reg/"; fast_pattern:only; http_uri; content:"/*"; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-13068; reference:url,www.qnap.com/en/security-advisory/nas-201709-29; classtype:attempted-user; sid:44578; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt"; flow:to_server,established; content:"/user-create.jsp"; fast_pattern:only; http_uri; content:"Referer:"; nocase; http_header; content:!"/user-create.jsp"; nocase; http_header; content:"create="; nocase; http_client_body; content:"password="; within:200; nocase; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2015-6973; classtype:attempted-user; sid:44575; rev:2;)
# Trend Micro Mobile Security Enterprise web_service.dll, slink_id SQL injection (CVE-2017-14078).
# These three rules are active in this file and are tagged for the balanced-ips policy.
# The rule action here is "alert"; the "drop" in the metadata policy entries is only
# metadata in this file. NOTE(review): whether traffic is actually blocked depends on how
# the sensor is deployed and on any rule-management tooling that rewrites actions - confirm.
#   sid 44573 - JSON body: "slink_id" : "<value>". The ((?!(?<!\x5c)\x22).)*? part keeps the
#               match inside the string value (it stops at the first unescaped double quote),
#               then requires ' ; # /* or -- within that value.
#   sid 44572 - URI query string (flag U): same metacharacters plus the double quote.
#   sid 44571 - form-encoded body (flags Pim): raw and percent-encoded forms of the same
#               metacharacters; the underscore in slink_id may also arrive as %5f.
# All three key on SQL metacharacters in one parameter, not on a specific statement, so a
# hit means "unexpected characters in slink_id" and should be read together with the
# server's response and application logs.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Mobile Security Enterprise web_service.dll SQL injection attempt"; flow:to_server,established; content:"/mdm/cgi/web_service.dll"; fast_pattern:only; http_uri; content:"|22|slink_id|22|"; nocase; http_client_body; pcre:"/\x22slink_id\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x27\x3b\x23]|\x2f\x2a|\x2d\x2d)/Pi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100966; reference:cve,2017-14078; reference:url,success.trendmicro.com/solution/1118224; classtype:web-application-attack; sid:44573; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Mobile Security Enterprise web_service.dll SQL injection attempt"; flow:to_server,established; content:"/mdm/cgi/web_service.dll"; fast_pattern:only; http_uri; content:"slink_id="; nocase; http_uri; pcre:"/[?&]slink_id=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100966; reference:cve,2017-14078; reference:url,success.trendmicro.com/solution/1118224; classtype:web-application-attack; sid:44572; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Mobile Security Enterprise web_service.dll SQL injection attempt"; flow:to_server,established; content:"/mdm/cgi/web_service.dll"; fast_pattern:only; http_uri; content:"slink"; nocase; http_client_body; pcre:"/(^|&)slink(\x5f|%5f)id=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100966; reference:cve,2017-14078; reference:url,success.trendmicro.com/solution/1118224; classtype:web-application-attack; sid:44571; rev:1;)
# WordPress stored cross-site scripting in post content (sid 44632, /wp-admin/post.php)
# and in bbPress topic content (sid 44631, /forums/forum/). The only reference is the
# WordPress 4.8.2 release announcement; no CVE is attached.
# Both rules are commented out in this file and carry no policy entry (metadata is
# "service http" only), so no stock policy enables them.
# NOTE(review): both pcres run against the request body (flag P) but anchor the parameter
# with [?&]. A body has no leading "?", so the parameter sent as the first body field is
# not matched; other body rules in this file use (^|&) with the m flag (e.g. sid 44567).
# NOTE(review): the match set includes quotes, parentheses and the words script, onload and
# src. Ordinary posts that embed an image or a link would likely satisfy it, so expect a
# high alert volume if these are enabled as-is; scope them to the WordPress hosts that
# still run an affected version, or use them for hunting rather than alerting.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress content cross site scripting attempt"; flow:to_server,established; content:"/wp-admin/post.php"; fast_pattern:only; http_uri; content:"content="; nocase; http_client_body; pcre:"/[?&]content=[^&]*?([\x22\x27\x28\x29]|script|onload|src)/Pi"; metadata:service http; reference:url,wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/; classtype:attempted-user; sid:44632; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress plugin bbPress comment cross site scripting attempt"; flow:to_server,established; content:"/forums/forum/"; fast_pattern:only; http_uri; content:"bbp_topic_content="; nocase; http_client_body; pcre:"/[?&]bbp_topic_content=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|%3C|%3E|script|onload|src)/Pi"; metadata:service http; reference:url,wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/; classtype:attempted-user; sid:44631; rev:3;)
# HP IMC userSelectPagingContent.xhtml, beanName Java expression-language injection
# (CVE-2017-12521). One rule per place the parameter can travel:
#   sid 44609 - request body, form-encoded style (pcre flag P, accepts %20 as whitespace)
#   sid 44608 - multipart body (Content-Disposition name=beanName, pcre flags Psim)
#   sid 44607 - URI query string (pcre flag U)
# All three are commented out in this file and list only the max-detect-ips and
# security-ips policies.
# NOTE(review): sid 44609 anchors the parameter with [?&] although it inspects the request
# body. A body has no leading "?", so beanName sent as the first body field is not matched.
# Other body rules in this file anchor with (^|&) plus the m flag (e.g. sid 44571).
# Do not edit the vendor rule in place; if this coverage is needed, carry a corrected copy
# as a local rule (sid >= 1000000) so a ruleset update does not overwrite it.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP IMC userSelectPagingContent Java expression language injection attempt"; flow:to_server,established; content:"/imc/usr/user/userSelectPagingContent.xhtml"; fast_pattern:only; http_uri; content:"beanName="; nocase; http_client_body; pcre:"/[?&]beanName=[^&]*?new(\s|%20)+(java|org|sun)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100367; reference:cve,2017-12521; reference:url,h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us; classtype:attempted-admin; sid:44609; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP IMC userSelectPagingContent Java expression language injection attempt"; flow:to_server,established; content:"/imc/usr/user/userSelectPagingContent.xhtml"; fast_pattern:only; http_uri; content:"beanName"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?beanName((?!^--).)*?new\s+(java|org|sun)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100367; reference:cve,2017-12521; reference:url,h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us; classtype:attempted-admin; sid:44608; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP IMC userSelectPagingContent Java expression language injection attempt"; flow:to_server,established; content:"/imc/usr/user/userSelectPagingContent.xhtml"; fast_pattern:only; http_uri; content:"beanName="; nocase; http_uri; pcre:"/[?&]beanName=[^&]*?new\s+(java|org|sun)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100367; reference:cve,2017-12521; reference:url,h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us; classtype:attempted-admin; sid:44607; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center getSelInsBean Java expression language injection attempt"; flow:to_server,established; content:"/imc/perfm/gwt/perfSelInsServer.gwtsvc"; fast_pattern:only; http_uri; content:"new "; nocase; http_client_body; pcre:"/new\s+(java|org|sun)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100367; reference:cve,2017-12490; reference:url,h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us; classtype:attempted-admin; sid:44642; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Unitrends Enterprise Backup storage API command injection attempt"; flow:to_server,established; content:"/api/storage"; fast_pattern:only; http_uri; content:"|22|hostname|22|"; nocase; http_client_body; pcre:"/\x22hostname\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-12478; reference:url,support.unitrends.com/UnitrendsBackup/s/article/ka640000000TO5PAAW/000005756; classtype:web-application-attack; sid:44658; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Unitrends Enterprise Backup API SQL injection attempt"; flow:to_server,established; content:"/api/"; depth:5; nocase; http_uri; content:"AuthToken: "; fast_pattern:only; http_header; content:"AuthToken: "; nocase; base64_decode:bytes 128,offset 0,relative; base64_data; content:"v0"; depth:2; content:"--"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-12478; reference:url,support.unitrends.com/UnitrendsBackup/s/article/ka640000000TO5PAAW/000005756; classtype:web-application-attack; sid:44657; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP pSys index.php shownews parameter SQL injection attempt"; flow:to_server,established; content:"/news/index.php"; nocase; http_uri; content:"shownews="; fast_pattern:only; http_uri; pcre:"/[?&]shownews=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:service http; reference:cve,2008-5269; classtype:web-application-attack; sid:44645; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP pSys index.php shownews parameter SQL injection attempt"; flow:to_server,established; content:"/news/index.php"; nocase; http_uri; content:"shownews="; fast_pattern:only; http_client_body; pcre:"/(^|&)shownews=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:service http; reference:cve,2008-5269; classtype:web-application-attack; sid:44644; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Internal field separator use in HTTP URI attempt"; flow:to_server,established; content:"${IFS}"; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:44699; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Internal field separator use in HTTP URI attempt"; flow:to_server,established; content:"$IFS"; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:44698; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN1000 series routers arbitrary command execution attempt"; flow:to_server,established; content:"/setup.cgi"; nocase; http_uri; content:"todo=syscmd"; fast_pattern:only; content:"cmd="; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,60281; reference:url,www.exploit-db.com/exploits/25978/; classtype:attempted-admin; sid:44688; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN1000 series routers authentication bypass attempt"; flow:to_server,established; content:"/setup.cgi"; nocase; http_uri; content:"currentsetting.htm"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,60281; reference:url,www.exploit-db.com/exploits/25978/; classtype:attempted-admin; sid:44687; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Kaltura userzone cookie PHP object injection attempt"; flow:to_server,established; content:"/keditorservices/getAllEntries"; fast_pattern:only; http_uri; content:"userzone="; nocase; base64_decode:bytes 128,offset 0,relative; base64_data; content:"O|3A|"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100976; reference:cve,2017-14143; classtype:web-application-attack; sid:44684; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView NNM snmpviewer.exe CGI parameter buffer overflow attempt"; flow:to_server,established; content:"/OvCgi/snmpviewer.exe"; fast_pattern:only; http_uri; content:"act="; nocase; http_client_body; isdataat:300,relative; content:!"&"; within:300; nocase; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2010-1552; classtype:attempted-user; sid:44673; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView NNM snmpviewer.exe CGI parameter buffer overflow attempt"; flow:to_server,established; content:"/OvCgi/snmpviewer.exe"; fast_pattern:only; http_uri; content:"act="; nocase; http_uri; isdataat:300,relative; content:!"&"; within:300; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2010-1552; classtype:attempted-user; sid:44672; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView NNM snmpviewer.exe CGI parameter buffer overflow attempt"; flow:to_server,established; content:"/OvCgi/snmpviewer.exe"; fast_pattern:only; http_uri; content:"app="; nocase; http_uri; isdataat:300,relative; content:!"&"; within:300; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2010-1552; classtype:attempted-user; sid:44671; rev:1;)
# Advantech WebAccess gAddNew.asp XSS pair (sids 44668 and 44667), both disabled.
# sid 44668 (URI variant): the pcre keeps every alternative inside one group, so the quote,
# bracket and keyword matches are all scoped to the ProjDesc value.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess cross site scripting attempt"; flow:to_server,established; content:"/broadWeb/include/gAddNew.asp"; fast_pattern:only; http_uri; content:"ProjDesc="; nocase; http_uri; pcre:"/[?&]ProjDesc=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2012-0233; classtype:attempted-user; sid:44668; rev:1;)
# sid 44667 (request-body variant).
# NOTE(review): in this pcre the "|script|onload|src" alternatives sit at the top level of the
# expression, outside the group that follows "ProjDesc=". As written, "script", "onload" or
# "src" anywhere in the request body satisfies the pcre once the two content matches succeed,
# so the keyword checks are not limited to the ProjDesc value. Expect more false positives
# than from sid 44668; review the grouping before enabling.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess cross site scripting attempt"; flow:to_server,established; content:"/broadWeb/include/gAddNew.asp"; fast_pattern:only; http_uri; content:"ProjDesc="; nocase; http_client_body; pcre:"/ProjDesc=[^&]*?(\x25(22|27|3c|3e|28|29))+?|script|onload|src/Pi"; metadata:service http; reference:cve,2012-0233; classtype:attempted-user; sid:44667; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt"; flow:to_server,established; file_data; content:"x:i:"; content:"|3B|m:b"; within:100; fast_pattern; metadata:service http; reference:cve,2014-3515; classtype:attempted-user; sid:44749; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt"; flow:to_server,established; file_data; content:"x:i:"; content:"|3B|m:N"; within:100; fast_pattern; metadata:service http; reference:cve,2014-3515; classtype:attempted-user; sid:44748; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt"; flow:to_server,established; file_data; content:"x:i:"; content:"|3B|m:b"; within:100; fast_pattern; metadata:service smtp; reference:cve,2014-3515; classtype:attempted-user; sid:44747; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt"; flow:to_server,established; file_data; content:"x:i:"; content:"|3B|m:N"; within:100; fast_pattern; metadata:service smtp; reference:cve,2014-3515; classtype:attempted-user; sid:44746; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt"; flow:to_client,established; file_data; content:"x:i:"; content:"|3B|m:b"; within:100; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-3515; classtype:attempted-user; sid:44745; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt"; flow:to_client,established; file_data; content:"x:i:"; content:"|3B|m:N"; within:100; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-3515; classtype:attempted-user; sid:44744; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Tuleap getRecentElements PHP object injection attempt"; flow:to_server,established; content:"/api/users"; nocase; http_uri; content:"/preferences"; nocase; http_uri; content:"|22|recent_elements|22|"; fast_pattern:only; content:"|22|value|22|"; nocase; pcre:"/\x22value\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?(?-i)O\x3a/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-7411; reference:url,tuleap.net/plugins/tracker/?aid=10118; classtype:web-application-attack; sid:44731; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5858 (msg:"SERVER-WEBAPP Node.js V8 Debugging Protocol command injection attempt"; flow:to_server,established; content:"Content-Length"; fast_pattern:only; nocase; content:"|22|seq|22|"; content:"|22|type|22|"; content:"|22|request|22|"; within:15; content:"|22|command|22|"; content:"|22|evaluate|22|"; within:16; content:"|22|arguments|22|"; content:"|22|expression|22|"; within:18; metadata:policy max-detect-ips drop, policy security-ips drop; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/nodejs_v8_debugger.rb; classtype:policy-violation; sid:44792; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MikroTik RouterOS cross site request forgery attempt"; flow:to_server,established; content:"/cfg"; fast_pattern:only; http_uri; content:"process=password"; nocase; http_uri; content:"password1="; nocase; http_uri; content:"password2="; nocase; http_uri; content:"button="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,73013; reference:cve,2015-2350; classtype:policy-violation; sid:44790; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Smart Protection Server cm_agent.php command injection attempt"; flow:to_server,established; content:"/php/cm_agent.php"; nocase; http_uri; content:"|22|SO_SubscriptionSetting|22|"; fast_pattern:only; http_client_body; pcre:"/\x22(ServiceURL|APIKey)\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100461; reference:cve,2017-11395; reference:url,success.trendmicro.com/solution/1117933; classtype:web-application-attack; sid:44767; rev:2;)
# CMS Made Simple addgroup.php XSS pair (sids 44766 and 44765), both disabled. Neither rule
# has a content match on the parameter name, so the pcre is the only check after the URI
# fast pattern.
# sid 44766 (request-body variant, pcre flag P).
# NOTE(review): the pcre anchors the parameter with "[?&]", which a body parameter only
# satisfies when it is not the first field in the body. Other body rules in this file anchor
# with "(^|&)" and the m flag; as written, a "group" or "description" field at the very start
# of the body is not inspected. Verify against captured traffic before relying on this rule.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CMS Made Simple addgroup.php cross site scripting attempt"; flow:to_server,established; content:"/cms/cmsimple/admin/addgroup.php"; fast_pattern:only; http_uri; pcre:"/[?&](group|description)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|%22|%27|%3c|%3e|%28|%29|script|onload|src)/Pi"; metadata:service http; reference:url,www.exploit-db.com/exploits/41997/; classtype:attempted-user; sid:44766; rev:1;)
# sid 44765 (URI variant, pcre flag U): same parameters, checked in the normalized URI, where
# the "[?&]" anchor fits the query-string syntax.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CMS Made Simple addgroup.php cross site scripting attempt"; flow:to_server,established; content:"/cms/cmsimple/admin/addgroup.php"; fast_pattern:only; http_uri; pcre:"/[?&](group|description)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:url,www.exploit-db.com/exploits/41997/; classtype:attempted-user; sid:44765; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CMS Made Simple editusertag.php arbitrary PHP code execution attempt"; flow:to_server,established; content:"/cms/cmsimple/admin/editusertag.php"; fast_pattern:only; http_uri; content:"code="; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-8912; reference:url,www.exploit-db.com/exploits/41997/; classtype:web-application-attack; sid:44764; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9876 (msg:"SERVER-WEBAPP Xplico decoding manager daemon command injection attempt"; flow:to_server,established; content:"/sols/pcap"; depth:15; fast_pattern; nocase; content:"filename"; nocase; content:"Content-Disposition"; nocase; pcre:"/filename\s*=\s*\x22[^\x22]*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-16666; reference:url,www.xplico.org/archives/1538; classtype:web-application-attack; sid:44866; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager manageApplications.do SQL injection attempt"; flow:to_server,established; content:"/manageApplications.do"; fast_pattern:only; http_uri; content:"method="; nocase; pcre:"/[?&](name|haid)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-16542; reference:cve,2017-16846; reference:url,code610.blogspot.com/2017/11/sql-injection-in-manageengine.html; classtype:web-application-attack; sid:44922; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager manageApplications.do SQL injection attempt"; flow:to_server,established; content:"/manageApplications.do"; fast_pattern:only; http_uri; content:"method="; nocase; pcre:"/(^|&)(name|haid)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-16542; reference:cve,2017-16846; reference:url,code610.blogspot.com/2017/11/sql-injection-in-manageengine.html; classtype:web-application-attack; sid:44921; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager GraphicalView.do SQL injection attempt"; flow:to_server,established; content:"/GraphicalView.do"; fast_pattern:only; http_uri; content:"viewid="; nocase; http_uri; pcre:"/[?&]viewid=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-16543; reference:url,code610.blogspot.com/2017/11/sql-injection-in-manageengine.html; classtype:web-application-attack; sid:44918; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager GraphicalView.do SQL injection attempt"; flow:to_server,established; content:"/GraphicalView.do"; fast_pattern:only; http_uri; content:"viewid="; nocase; http_client_body; pcre:"/(^|&)viewid=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-16543; reference:url,code610.blogspot.com/2017/11/sql-injection-in-manageengine.html; classtype:web-application-attack; sid:44917; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager GraphicalView.do SQL injection attempt"; flow:to_server,established; content:"/GraphicalView.do"; fast_pattern:only; http_uri; content:"Canvas|22|"; nocase; http_client_body; pcre:"/\x22[xy]Canvas\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x27\x3b\x23]|\x2f\x2a|\x2d\x2d)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-16543; reference:url,code610.blogspot.com/2017/11/sql-injection-in-manageengine.html; classtype:web-application-attack; sid:44916; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla LDAP authentication plugin information disclosure exploitation attempt"; flow:to_server,established; content:"/component/users/"; fast_pattern; http_uri; content:"task=user.login"; within:25; http_uri; content:"username="; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/username((?!^--).)*?[\r\n]{2,}((?!^--).)*?[\x28\x29\x7C!<=>\x2A]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-14596; reference:url,developer.joomla.org/security-centre/711-20170902-core-ldap-information-disclosure; classtype:web-application-attack; sid:45039; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla LDAP authentication plugin information disclosure exploitation attempt"; flow:to_server,established; content:"/component/users/"; fast_pattern; http_uri; content:"task=user.login"; within:25; http_uri; content:"username="; nocase; http_client_body; pcre:"/(^|&)username=[^&]*?([\x28\x29\x7C!<=>\x2A]|%(28|29|7C|21|3C|3D|3E|2A))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-14596; reference:url,developer.joomla.org/security-centre/711-20170902-core-ldap-information-disclosure; classtype:web-application-attack; sid:45038; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla LDAP authentication plugin information disclosure exploitation attempt"; flow:to_server,established; content:"/component/users/"; fast_pattern; http_uri; content:"task=user.login"; within:25; http_uri; content:"username="; nocase; http_uri; pcre:"/[?&]username=[^&]*?([\x28\x29\x7C!<=>\x2A])/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-14596; reference:url,developer.joomla.org/security-centre/711-20170902-core-ldap-information-disclosure; classtype:web-application-attack; sid:45037; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 information leak attempt"; flow:to_server,established; content:"/BRS_netgear_success.html"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-10175; reference:url,seclists.org/fulldisclosure/2016/Dec/72; classtype:attempted-recon; sid:45001; rev:3;)
# Ruby on Rails CVE-2016-0752 pair (sids 45000 and 44999), both disabled.
# sid 45000: fires on any request whose normalized URI contains "/log/development.log".
# NOTE(review): sid 45082 in this file has the same detection options (same URI content, same
# flow) and differs only in msg and classtype. Enabling both produces two alerts for one
# request; pick the one whose classtype fits the local triage workflow.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ruby on Rails file inclusion attempt"; flow:to_server,established; content:"/log/development.log"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2016-0752; reference:url,groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00; classtype:attempted-user; sid:45000; rev:1;)
# sid 44999: request-body chain -- "form-data", then "filename", then ".gif" within 30 bytes,
# then an ERB output tag "<%=" followed by a backtick within 5 bytes. There is no URI
# constraint, so the rule applies to uploads sent to any path on $HTTP_PORTS.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ruby on Rails file inclusion attempt"; flow:to_server,established; content:"form-data"; http_client_body; content:"filename"; distance:0; http_client_body; content:".gif"; within:30; http_client_body; content:"<%="; distance:0; fast_pattern; http_client_body; content:"`"; within:5; http_client_body; metadata:service http; reference:cve,2016-0752; reference:url,groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00; classtype:attempted-user; sid:44999; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk Plus policy bypass attempt"; flow:to_server,established; content:"/reports/flash/details.jsp?group=Site"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2015-1480; classtype:web-application-attack; sid:44996; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk Plus policy bypass attempt"; flow:to_server,established; content:"/servlet/AJaxServlet?action=getReportData&search=data"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2015-1480; classtype:web-application-attack; sid:44995; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk Plus policy bypass attempt"; flow:to_server,established; content:"/reports/CreateReportTable.jsp?site=0"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2015-1480; classtype:web-application-attack; sid:44994; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk Plus policy bypass attempt"; flow:to_server,established; content:"/swf/flashreport.swf"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2015-1480; classtype:web-application-attack; sid:44993; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk Plus policy bypass attempt"; flow:to_server,established; content:"/servlet/AJaxServlet?action=getTicketData&search=dateCrit"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2015-1480; classtype:web-application-attack; sid:44992; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP TP-Link WR1043ND router cross site request forgery attempt"; flow:to_server,established; file_data; content:"/userRpm/"; fast_pattern; content:"Rpm.htm"; within:17; metadata:service smtp; reference:cve,2013-2645; classtype:web-application-attack; sid:45079; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP TP-Link WR1043ND router cross site request forgery attempt"; flow:to_client,established; file_data; content:"/userRpm/"; fast_pattern; content:"Rpm.htm"; within:17; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-2645; classtype:web-application-attack; sid:45078; rev:1;)
# WordPress Ultimate Form Builder SQL injection (CVE-2017-15919), sids 45077, 45076 and 45075.
# All three are enabled and carry "drop" in the balanced-ips, max-detect-ips and security-ips
# policy metadata. Each one requires "/wp-admin/admin-ajax.php" in the URI and then looks for
# SQL metacharacters in the form_id parameter; they differ only in where the parameter is read.
# NOTE(review): admin-ajax.php is WordPress's shared AJAX endpoint, and none of the rules
# constrains the "action" parameter, so they apply to every admin-ajax.php request that
# carries form_id, not only to this plugin. The character class includes "(" and "#";
# check for legitimate form_id values containing them before running inline in drop mode.
#
# sid 45077: form_id in the normalized URI (pcre flag U).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Ultimate Form Builder plugin SQL injection attempt"; flow:to_server,established; content:"/wp-admin/admin-ajax.php"; fast_pattern:only; http_uri; content:"form_id="; nocase; http_uri; pcre:"/[?&]form_id=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,101604; reference:cve,2017-15919; reference:url,wordpress.org/plugins/ultimate-form-builder-lite/#developers; classtype:web-application-attack; sid:45077; rev:3;)
# sid 45076: form_id in a urlencoded request body (pcre flag P). The "%(25)?" prefixes accept
# both single and double percent-encoding of each metacharacter.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Ultimate Form Builder plugin SQL injection attempt"; flow:to_server,established; content:"/wp-admin/admin-ajax.php"; fast_pattern:only; http_uri; content:"form_id="; nocase; http_client_body; pcre:"/(^|&)form_id=[^&]*?([\x27\x22\x3b\x23\x28]|%(25)?(27|22|3b|23|28)|(\x2f|%(25)?2f)(\x2a|%(25)?2a)|(\x2d|%(25)?2d){2})/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,101604; reference:cve,2017-15919; reference:url,wordpress.org/plugins/ultimate-form-builder-lite/#developers; classtype:web-application-attack; sid:45076; rev:3;)
# sid 45075: form_id as a multipart/form-data part. The pcre finds name=form_id, skips to the
# blank line that ends the part headers, and scans the value without crossing a line that
# starts with "--" (a part boundary). "(?<!^)\x2d{2}" keeps the boundary marker itself from
# counting as a SQL comment.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Ultimate Form Builder plugin SQL injection attempt"; flow:to_server,established; content:"/wp-admin/admin-ajax.php"; fast_pattern:only; http_uri; content:"form_id"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?form_id((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|(?<!^)\x2d{2})/Psim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,101604; reference:cve,2017-15919; reference:url,wordpress.org/plugins/ultimate-form-builder-lite/#developers; classtype:web-application-attack; sid:45075; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wireless IP Camera WIFICAM information leak attempt"; flow:to_server,established; content:".ini?"; fast_pattern; http_uri; content:"loginuse"; distance:0; http_uri; content:"loginpas"; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-8225; classtype:attempted-recon; sid:45073; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Duplicator cross site scripting attempt"; flow:to_server,established; content:"/plugins/duplicator/installer/build/view.step2.php"; fast_pattern:only; http_uri; content:"logging="; nocase; http_client_body; pcre:"/logging=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-16815; reference:url,snapcreek.com/duplicator/docs/changelog; classtype:attempted-user; sid:45067; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Duplicator cross site scripting attempt"; flow:to_server,established; content:"/plugins/duplicator/installer/build/view.step4.php"; fast_pattern:only; http_uri; content:"url_new="; nocase; http_client_body; pcre:"/url_new=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-16815; reference:url,snapcreek.com/duplicator/docs/changelog; classtype:attempted-user; sid:45066; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress User History plugin cross site scripting attempt"; flow:to_server,established; content:"admin.php?page=user-login-history"; fast_pattern:only; http_uri; pcre:"/&(date_from|date_to|user_id|username|country_name|browser|operating_system|ip_address)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2017-15867; classtype:attempted-user; sid:45061; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP pfSense system_groupmanager.php command injection attempt"; flow:to_server,established; content:"/system_groupmanager.php"; fast_pattern:only; http_uri; pcre:"/(^|&)(groupname|members(\x5b|%5b)(\x5d|%5d))=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.pfsense.org/security/advisories/pfSense-SA-16_08.webgui.asc; classtype:web-application-attack; sid:45060; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress wpdb prepare sprintf placeholder SQL injection attempt"; flow:to_server,established; content:"/wp-admin/"; depth:10; nocase; http_uri; content:"%251%24%25s"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100912; reference:cve,2017-14723; reference:url,wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release; classtype:web-application-attack; sid:45052; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MediaWiki arbitrary file write attempt"; flow:to_server,established; content:"api.php"; http_uri; content:"syntaxhighlight"; http_client_body; content:"start"; distance:0; http_client_body; content:"full"; within:20; http_client_body; content:"cssfile"; http_client_body; content:".php"; distance:0; http_client_body; content:"|2F|syntaxhighlight"; distance:0; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-0372; classtype:attempted-user; sid:45094; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache Archiva XML server side request forgery attempt"; flow:to_server,established; content:"<!DOCTYPE "; fast_pattern:only; http_client_body; content:"jsessionid="; nocase; http_header; pcre:"/\x3C\x21DOCTYPE[^\x22\x27]*?(SYSTEM|PUBLIC)/Pi"; metadata:policy max-detect-ips drop, service http; reference:cve,2016-5002; classtype:web-application-attack; sid:45093; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ruby on Rails log file manipulation attempt"; flow:to_server,established; content:"/log/development.log"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2016-0752; reference:url,groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00; classtype:attempted-recon; sid:45082; rev:1;)
# Huawei DeviceUpgrade command injection (CVE-2017-17215), sid 45117. Enabled, with "drop" in
# the balanced-ips, max-detect-ips and security-ips policy metadata.
# The destination port is fixed at 37215 rather than $HTTP_PORTS. The contents carry no HTTP
# buffer modifier, so they are matched in the raw payload: "<New" followed by "URL" within 11
# bytes, then a pcre requiring a <NewStatusURL> or <NewDownloadURL> element whose text
# contains a backtick, ";", "|", "&" or "$(".
# NOTE(review): "&" is in the metacharacter class, so an element value that carries an XML
# entity or a multi-parameter URL would also match -- check for legitimate management traffic
# on this port before running inline in drop mode.
alert tcp $EXTERNAL_NET any -> $HOME_NET 37215 (msg:"SERVER-WEBAPP Huawei DeviceUpgrade command injection attempt"; flow:to_server,established; content:"<New"; nocase; content:"URL"; within:11; nocase; pcre:"/<New(Status|Download)URL[^>]*?>[^<]*?([\x60\x3b\x7c\x26]|\x24\x28)/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-17215; classtype:web-application-attack; sid:45117; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager showresource.do SQL injection attempt"; flow:to_server,established; content:"/showresource.do"; fast_pattern:only; http_uri; content:"resourceid="; nocase; http_uri; pcre:"/[?&]resourceid=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-16847; reference:url,code610.blogspot.com/2017/11/more-sql-injections-in-manageengine.html; classtype:web-application-attack; sid:45113; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager showresource.do SQL injection attempt"; flow:to_server,established; content:"/showresource.do"; fast_pattern:only; http_uri; content:"resourceid="; nocase; http_client_body; pcre:"/(^|&)resourceid=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-16847; reference:url,code610.blogspot.com/2017/11/more-sql-injections-in-manageengine.html; classtype:web-application-attack; sid:45112; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2480 (msg:"SERVER-WEBAPP OrientDB database query attempt"; flow:to_server,established; content:"/listDatabases"; fast_pattern:only; metadata:service http; reference:cve,2017-11467; reference:url,www.blogs.securiteam.com/index.php/archives/3318; classtype:attempted-recon; sid:45111; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2480 (msg:"SERVER-WEBAPP OrientDB privilege escalation attempt"; flow:to_server,established; content:"POST"; depth:4; content:"/command/"; within:15; content:"/sql/"; distance:0; content:"GRANT read ON database.function"; distance:0; content:"TO writer"; within:20; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-11467; reference:url,www.blogs.securiteam.com/index.php/archives/3318; classtype:attempted-user; sid:45110; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2480 (msg:"SERVER-WEBAPP OrientDB remote code execution attempt"; flow:to_server,established; content:"POST"; depth:4; content:"/document/"; within:15; content:"|22|@class|22|"; content:"|22|ofunction|22|"; within:20; content:"|22|code|22|"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-11467; reference:url,www.blogs.securiteam.com/index.php/archives/3318; classtype:attempted-user; sid:45109; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Zavio IP Cameras command injection attempt"; flow:to_server,established; content:"/cgi-bin/admin/param"; fast_pattern:only; http_uri; content:"General"; nocase; http_client_body; pcre:"/(^|&)General(\x2e|%2e)Time(\x2e|%2e)NTP(\x2e|%2e)Server=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:service http; reference:bugtraq,60188; reference:cve,2013-2570; reference:url,www.coresecurity.com/advisories/zavio-ip-cameras-multiple-vulnerabilities; classtype:web-application-attack; sid:45197; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Zavio IP Cameras command injection attempt"; flow:to_server,established; content:"/cgi-bin/admin/param"; nocase; http_uri; content:"General.Time.NTP.Server="; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]General(\x2e|%2e)Time(\x2e|%2e)NTP(\x2e|%2e)Server=[^&]*?%26/Ii"; metadata:service http; reference:bugtraq,60188; reference:cve,2013-2570; reference:url,www.coresecurity.com/advisories/zavio-ip-cameras-multiple-vulnerabilities; classtype:web-application-attack; sid:45196; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Zavio IP Cameras command injection attempt"; flow:to_server,established; content:"/cgi-bin/admin/param"; nocase; http_uri; content:"General.Time.NTP.Server="; fast_pattern:only; http_uri; pcre:"/[?&]General\x2eTime\x2eNTP\x2eServer=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:service http; reference:bugtraq,60188; reference:cve,2013-2570; reference:url,www.coresecurity.com/advisories/zavio-ip-cameras-multiple-vulnerabilities; classtype:web-application-attack; sid:45195; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager showActionProfiles.do SQL injection attempt"; flow:to_server,established; content:"/showActionProfiles.do"; fast_pattern:only; http_uri; content:"resourceid="; nocase; http_uri; pcre:"/[?&]resourceid=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-16850; reference:url,code610.blogspot.com/2017/11/more-sql-injections-in-manageengine.html; classtype:web-application-attack; sid:45193; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager showActionProfiles.do SQL injection attempt"; flow:to_server,established; content:"/showActionProfiles.do"; fast_pattern:only; http_uri; content:"resourceid="; nocase; http_client_body; pcre:"/(^|&)resourceid=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-16850; reference:url,code610.blogspot.com/2017/11/more-sql-injections-in-manageengine.html; classtype:web-application-attack; sid:45192; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager mypage.do SQL injection attempt"; flow:to_server,established; content:"/MyPage.do"; fast_pattern:only; http_uri; content:"method="; nocase; content:"forpage="; nocase; http_uri; pcre:"/[?&]forpage=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-16849; reference:url,code610.blogspot.com/2017/11/more-sql-injections-in-manageengine.html; classtype:web-application-attack; sid:45190; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager mypage.do SQL injection attempt"; flow:to_server,established; content:"/MyPage.do"; fast_pattern:only; http_uri; content:"method="; nocase; content:"forpage="; nocase; http_client_body; pcre:"/(^|&)forpage=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-16849; reference:url,code610.blogspot.com/2017/11/more-sql-injections-in-manageengine.html; classtype:web-application-attack; sid:45189; rev:2;)
# Embedthis GoAhead CVE-2017-17562 pair (sids 45219 and 45218). Both are enabled and carry
# "drop" in the balanced-ips, max-detect-ips and security-ips policy metadata. Each rule is a
# single fast_pattern:only content in the normalized URI, with no further conditions.
#
# sid 45219: fires on any URI containing "LD_preload=".
# NOTE(review): per the Snort 2 manual a fast_pattern:only content is handled by the
# case-insensitive fast pattern matcher and is not re-evaluated as a rule option, so the mixed
# case spelling should not narrow the match -- confirm on the deployed build.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Embedthis GoAhead LD_preload code execution attempt"; flow:to_server,established; content:"LD_preload="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-17562; classtype:attempted-admin; sid:45219; rev:2;)
# sid 45218: fires on one fixed path under /cgi-bin/ whose final component is a 40-character
# hex string. NOTE(review): presumably the fingerprint of a specific probe or tool rather than
# a property of the vulnerability; a request to any other CGI name will not match this rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Embedthis GoAhead CGI information disclosure attempt"; flow:to_server,established; content:"/cgi-bin/c8fed00eb2e87f1cee8e90ebbe870c190ac3848c"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-17562; classtype:attempted-recon; sid:45218; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ActiveCalendar css cross site scripting attempt"; flow:to_server,established; content:"/activecalendar/data/"; fast_pattern:only; http_uri; content:".php"; http_uri; content:"css="; nocase; http_uri; pcre:"/[?&]css=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2007-1111; classtype:web-application-attack; sid:45204; rev:1;)
# Delta IEM DIAEnergie file upload, sid 45250. Enabled, with "drop" in the balanced-ips,
# max-detect-ips and security-ips policy metadata. The only reference is the vendor product
# page; no CVE or advisory is cited.
# Conditions: HTTP method POST, and a normalized URI containing both
# "/DataHandler/HandlerPage_KID.ashx" and "SaveFlashFile" (case-insensitive). The uploaded
# content is not inspected.
# NOTE(review): as written, every POST from $EXTERNAL_NET to this handler with SaveFlashFile
# in the URI matches, including legitimate use of the feature if one exists -- confirm that no
# authorised upload path crosses the sensor before running inline in drop mode.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Delta IEM DIAEnergie file upload attempt"; flow:to_server,established; content:"POST"; http_method; content:"/DataHandler/HandlerPage_KID.ashx"; fast_pattern:only; http_uri; content:"SaveFlashFile"; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.deltaww.com/Products/CategoryListT1.aspx?CID=060702&PID=3169&hl=en-US&Name=Industrial%20Energy%20Management%20System%20DIAEnergie; classtype:attempted-admin; sid:45250; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP UAParser.js library regular expression denial of service attempt"; flow:to_server,established; content:"user-agent: iphone os"; http_header; content:!"|0D 0A|"; within:35; http_header; metadata:service http; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/http/ua_parser_js_redos.rb; classtype:denial-of-service; sid:45249; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-WEBAPP Multiple IP cameras format string exploitation attempt"; flow:to_server,established; content:"/Maintain/upgrade.asp"; nocase; content:"ID"; within:100; nocase; content:"%"; within:25; reference:url,seclists.org/fulldisclosure/2017/Dec/55; classtype:web-application-attack; sid:45242; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-WEBAPP Multiple IP cameras format string exploitation attempt"; flow:to_server,established; content:"/main/index.asp"; nocase; content:"ID"; within:100; nocase; content:"%"; within:25; reference:url,seclists.org/fulldisclosure/2017/Dec/55; classtype:web-application-attack; sid:45241; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenEMR fax_dispatch.php command injection attempt"; flow:to_server,established; content:"/interface/fax/fax_dispatch.php"; fast_pattern:only; http_uri; content:"filename"; nocase; http_client_body; pcre:"/(^|&)form(\x5f|%5f)filename=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2017/Dec/16; classtype:web-application-attack; sid:45240; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Axis Communications IP camera SSI command injection attempt"; flow:to_server,established; content:"/incl/image_test.shtml"; fast_pattern:only; http_uri; content:"camnbr="; nocase; http_client_body; pcre:"/(^|&)camnbr=[^&]*?(<|%3c)(!|%21)(-|%2d){2}/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,github.com/mcw0/PoC/blob/master/Axis%20SSI%20RCE; classtype:web-application-attack; sid:45238; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Axis Communications IP camera SSI command injection attempt"; flow:to_server,established; content:"/incl/image_test.shtml"; fast_pattern:only; http_uri; content:"camnbr="; nocase; http_uri; pcre:"/[?&]camnbr=[^&]*?<!--/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,github.com/mcw0/PoC/blob/master/Axis%20SSI%20RCE; classtype:web-application-attack; sid:45237; rev:2;)
# sid 45236 and sid 45235 share the same references (CVE-2017-15944, bugtraq
# 102079, vendor advisory 102). Each matches one request shape, so the two are
# best correlated per source address when triaging.
# Both rules inspect decoded HTTP fields. If the management interface is reached
# over TLS, the sensor sees these fields only when the traffic is decrypted
# before it, and only when the port is in $HTTP_PORTS or the flow is identified
# as service http (verify for this deployment).
#
# sid 45236: normalized URI contains "/esp/cms_changeDeviceContext.esp" and a
# "device=" parameter (nocase). The pcre (/U normalized URI, /i ignore case)
# requires a double quote (\x22) inside that parameter's value, before the
# next "&".
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Palo Alto Networks Firewall cms_changeDeviceContext.esp session injection attempt"; flow:to_server,established; content:"/esp/cms_changeDeviceContext.esp"; fast_pattern:only; http_uri; content:"device="; nocase; http_uri; pcre:"/[?&]device=[^&]*?\x22/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,102079; reference:cve,2017-15944; reference:url,securityadvisories.paloaltonetworks.com/Home/Detail/102; classtype:attempted-admin; sid:45236; rev:2;)
# sid 45235: URI contains "/php/utils/router.php" (nocase) and the request body
# contains the quoted strings "Administrator.get" (fast pattern) and "id".
# The pcre (/P request body, /i ignore case) requires a single quote (\x27)
# inside the double-quoted value that follows "id":. The negative lookahead with
# its lookbehind stops the scan at the first double quote not preceded by a
# backslash, so a quote after the value has closed is not counted.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Palo Alto Networks Firewall router.php XML attribute injection attempt"; flow:to_server,established; content:"/php/utils/router.php"; nocase; http_uri; content:"|22|Administrator.get|22|"; fast_pattern:only; http_client_body; content:"|22|id|22|"; nocase; http_client_body; pcre:"/\x22id\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?\x27/Pi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,102079; reference:cve,2017-15944; reference:url,securityadvisories.paloaltonetworks.com/Home/Detail/102; classtype:attempted-admin; sid:45235; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FreePBX recording interface file upload code execution attempt"; flow:to_server,established; content:"config.php"; fast_pattern:only; content:"Content-Disposition"; nocase; http_client_body; content:"name="; distance:0; http_client_body; content:"../"; distance:0; http_client_body; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43454; reference:cve,2010-3490; classtype:web-application-attack; sid:45226; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Google App Engine open redirect attempt"; flow:to_server,established; content:"appengine"; fast_pattern:only; http_uri; content:"q="; http_uri; content:"logout?continue="; distance:0; http_uri; content:"http"; within:4; http_uri; metadata:service http; reference:url,vagmour.eu/google-open-url-redirection/; classtype:web-application-attack; sid:45262; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Vivotek IP Cameras remote stack buffer overflow attempt"; flow:to_server,established; content:"/cgi-bin/admin/upgrade.cgi"; fast_pattern:only; http_uri; content:"Content-Length:"; nocase; http_header; pcre:"/Content-Length:[^\x0d]{40}/Hi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,download.vivotek.com/downloadfile/support/cyber-security/vivotek-cyber-security-advisory-remote-stack-overflow-of-web-server.pdf; classtype:attempted-user; sid:45261; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP raSMP User-Agent XSS injection attempt"; flow:established, to_server; content:"/index.php"; fast_pattern:only; http_uri; content:"User-Agent|3A|"; nocase; http_header; pcre:"/User-Agent:[^\x0d]*?([\x22\x27\x3c\x3e]|script|onload|src)/Hi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,16138; reference:cve,2006-0084; classtype:web-application-attack; sid:45330; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 37777 (msg:"SERVER-WEBAPP Dahua DVR clear logs request attempt"; flow:to_server,established; content:"|60 00 00 00 00 00 00 00 90 00 00 00 00 00 00 00 00 00 00 00|"; depth:20; reference:bugtraq,63742; reference:cve,2013-3615; reference:cve,2013-6117; classtype:misc-activity; sid:45329; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 37777 (msg:"SERVER-WEBAPP Dahua DVR admin password reset attempt"; flow:to_server,established; content:"|A6 00 00 00|"; content:"|0A 00 00 00 00 00 00 00 00 00 00 00|"; within:12; distance:4; content:"|00 00 00 00|admin:"; fast_pattern:only; reference:bugtraq,63742; reference:cve,2013-3615; reference:cve,2013-6117; classtype:attempted-admin; sid:45328; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 37777 (msg:"SERVER-WEBAPP Dahua DVR NAS configuration download attempt"; flow:to_server,established; content:"|A3 00 00 00 00 00 00 00|config|00 00 25 00|"; depth:18; reference:bugtraq,63742; reference:cve,2013-3615; reference:cve,2013-6117; classtype:attempted-recon; sid:45327; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 37777 (msg:"SERVER-WEBAPP Dahua DVR user group information query attempt"; flow:to_server,established; content:"|A6 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00|"; depth:20; reference:bugtraq,63742; reference:cve,2013-3615; reference:cve,2013-6117; classtype:attempted-recon; sid:45326; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 37777 (msg:"SERVER-WEBAPP Dahua DVR DDNS configuration download attempt"; flow:to_server,established; content:"|A3 00 00 00 00 00 00 00|config|00 00 8C 00|"; depth:18; reference:bugtraq,63742; reference:cve,2013-3615; reference:cve,2013-6117; classtype:attempted-recon; sid:45325; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 37777 (msg:"SERVER-WEBAPP Dahua DVR user password hash query attempt"; flow:to_server,established; content:"|A6 00 00 00 00 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00|"; depth:20; reference:bugtraq,63742; reference:cve,2013-3615; reference:cve,2013-6117; classtype:attempted-recon; sid:45324; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 37777 (msg:"SERVER-WEBAPP Dahua DVR email configuration download attempt"; flow:to_server,established; content:"|A3 00 00 00 00 00 00 00|config|00 00 0B 00|"; depth:18; reference:bugtraq,63742; reference:cve,2013-3615; reference:cve,2013-6117; classtype:attempted-recon; sid:45323; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 37777 (msg:"SERVER-WEBAPP Dahua DVR channel information query attempt"; flow:to_server,established; content:"|A8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:20; reference:bugtraq,63742; reference:cve,2013-3615; reference:cve,2013-6117; classtype:attempted-recon; sid:45322; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 37777 (msg:"SERVER-WEBAPP Dahua DVR firmware version query attempt"; flow:to_server,established; content:"|A4 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00|"; depth:20; reference:bugtraq,63742; reference:cve,2013-3615; reference:cve,2013-6117; classtype:attempted-recon; sid:45321; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 37777 (msg:"SERVER-WEBAPP Dahua DVR serial number query attempt"; flow:to_server,established; content:"|A4 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00|"; depth:20; reference:bugtraq,63742; reference:cve,2013-3615; reference:cve,2013-6117; classtype:attempted-recon; sid:45320; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Citrix NetScaler SD-WAN command injection attempt"; flow:to_server,established; content:"CAKEPHP"; fast_pattern:only; content:"CAKEPHP"; http_cookie; pcre:"/CAKEPHP\s*=\s*[^\x3b]*?([\x60\x7c]|[\x3c\x3e\x24]\x28|\x3b[^\x20]|%60|%3b(?!%20)|%7c|%26|%3c%28|%3e%28|%24%28)/Ci"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-6316; reference:url,support.citrix.com/article/CTX225990; classtype:web-application-attack; sid:45319; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Citrix NetScaler SD-WAN command injection attempt"; flow:to_server,established; content:"APNConfigEditorSession"; fast_pattern:only; content:"CGISESSID"; http_cookie; pcre:"/CGISESSID\s*=\s*[^\x3b]*?([\x60\x7c]|[\x3c\x3e\x24]\x28|\x3b[^\x20]|%60|%3b(?!%20)|%7c|%26|%3c%28|%3e%28|%24%28)/Ci"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-6316; reference:url,support.citrix.com/article/CTX225990; classtype:web-application-attack; sid:45318; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Chipmunk Guestbook cross site scripting attempt"; flow:to_server,established; content:"/guest"; nocase; http_uri; content:"ook/addentry.php"; within:17; nocase; http_uri; content:"homepage="; nocase; http_uri; pcre:"/[?&]homepage=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2006-0069; classtype:attempted-user; sid:45317; rev:1;)
# sid 45314 (CVE-2017-14335): fires when the normalized URI contains
# "/ISAPI/Security/users/1" and the payload contains both "<userName>" and
# "<password>" (nocase).
# The two tag contents carry no http_* buffer modifier, so they are searched in
# the raw payload rather than in the decoded request body. They also have no
# distance/within, so their order is not constrained.
# The rule checks neither the HTTP method nor whether the request is
# authenticated. NOTE(review): a legitimate password change for user id 1 sent
# from $EXTERNAL_NET would presumably match too; confirm before treating every
# hit as hostile.
# Because the URI content is a substring match, longer paths beginning with
# ".../users/1" (for example ids 10-19) are matched as well.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Beijing Hanbang Hanbanggaoke IP camera admin password change attempt"; flow:to_server,established; content:"/ISAPI/Security/users/1"; fast_pattern:only; http_uri; content:"<userName>"; nocase; content:"<password>"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-14335; reference:url,blogs.securiteam.com/index.php/archives/3420; classtype:attempted-user; sid:45314; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Vicon Security and Infinova filterIp command injection attempt"; flow:to_server,established; content:"/form/"; http_uri; content:"IPFilter"; within:14; distance:3; fast_pattern; http_uri; content:"filterIp"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?filterIp((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,github.com/mcw0/PoC#infinova-rce-authenticated; classtype:web-application-attack; sid:45313; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Vicon Security and Infinova filterIp command injection attempt"; flow:to_server,established; content:"/form/"; http_uri; content:"IPFilter"; within:14; distance:3; fast_pattern; http_uri; content:"filterIp="; nocase; http_client_body; pcre:"/(^|&)filterIp=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,github.com/mcw0/PoC#infinova-rce-authenticated; classtype:web-application-attack; sid:45312; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Axis Communications CGI Parser information disclosure attempt"; flow:to_server,established; content:"/index.shtml?"; fast_pattern:only; http_uri; content:"size="; http_raw_uri; content:"%"; within:10; http_raw_uri; pcre:"/size=[^&$]*?%/I"; metadata:service http; reference:url,www.axis.com/global/en/support/product-security; classtype:attempted-recon; sid:45308; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CMS Made Simple server side template injection attempt"; flow:to_server,established; content:"/index.php"; http_uri; content:"cntnt01detailtemplate="; fast_pattern:only; pcre:"/cntnt01detailtemplate=[^&]*?(string|eval)[^&]*?:[^&]*?%253c/Ui"; metadata:service http; reference:cve,2017-16783; classtype:web-application-attack; sid:45264; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CMS Made Simple server side template injection attempt"; flow:to_server,established; content:"/index.php"; http_uri; content:"cntnt01detailtemplate="; fast_pattern:only; pcre:"/cntnt01detailtemplate=[^&]*?(string|eval)[^&]*?:[^&]*?(%7B|{)php(%7D|})/Ui"; metadata:service http; reference:cve,2017-16783; classtype:web-application-attack; sid:45263; rev:1;)
# sid 45401 (CVE-2017-14186, bugtraq 101955): fires when the normalized URI
# contains "/remote/loginredir" and a "redir=" parameter (nocase). The pcre
# (/U normalized URI, /i ignore case) requires the value, up to the next "&",
# to contain one of the characters " ' < > ( ) or one of the strings "script",
# "onload" or "src".
# The alternation includes short plain tokens ("src", parentheses), so a benign
# redirect target containing them also matches. Review the full redir value
# before escalating.
# The metadata names service http and service ssl; a request carried over TLS
# is visible to these URI checks only if it is decrypted before the sensor.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Fortinet FortiOS redir parameter cross site scripting attempt"; flow:to_server,established; content:"/remote/loginredir"; fast_pattern:only; http_uri; content:"redir="; nocase; http_uri; pcre:"/[?&]redir=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service ssl; reference:bugtraq,101955; reference:cve,2017-14186; classtype:attempted-user; sid:45401; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Huawei router command injection attempt"; flow:to_server,established; content:"/html/application/addcfg.cgi?"; fast_pattern:only; http_uri; content:"PortMappingEnabled=1"; nocase; http_client_body; content:"InternalPort=23"; nocase; http_client_body; metadata:service http; classtype:web-application-attack; sid:45382; rev:1;)
# NOTE(review) on sid 45381 (disabled): the rule matches a to_server request on
# http_uri, yet its metadata lists service ftp-data, imap and pop3 next to http.
# Those services have no URI buffer, so the extra entries look carried over from
# a file-transfer rule template. Confirm against the upstream ruleset before
# enabling this rule.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symantec Endpoint Protection cross site scripting attempt"; flow:to_server,established; content:"/console/Highlander_docs/SSO-Error.jsp"; fast_pattern:only; http_uri; content:"ErrorMsg="; nocase; http_uri; pcre:"/[?&]ErrorMsg=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-3438; classtype:web-application-attack; sid:45381; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Smart Protection Server directory traversal attempt"; flow:to_server,established; content:"/widget/inc/widget_package_manager.php"; fast_pattern:only; http_uri; content:"|22|update_type|22|"; nocase; http_client_body; pcre:"/\x22update_type\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?(\x2e|\x5cu002e){2}(\x2f|\x5c([\x2f\x5c]|u00(2f|5c)))/Pi"; metadata:service http; reference:bugtraq,102275; reference:cve,2017-14095; reference:url,success.trendmicro.com/solution/1118992; classtype:web-application-attack; sid:45373; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Smart Protection Server admin_update_program.php command injection attempt"; flow:to_server,established; content:"/php/admin_update_program.php"; fast_pattern:only; http_uri; content:"hidTiming"; nocase; http_client_body; pcre:"/(^|&)hidTiming(Min|Hour|Day)=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%23|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:service http; reference:bugtraq,102275; reference:cve,2017-14094; reference:url,success.trendmicro.com/solution/1118992; classtype:web-application-attack; sid:45372; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DotNetNuke DNNPersonalization remote code execution attempt"; flow:to_server,established; content:"DNNPersonalization"; fast_pattern:only; content:"DNNPersonalization"; http_cookie; content:"System.Data.Services.Internal.ExpandedWrapper"; within:100; http_cookie; content:"System.Windows.Data.ObjectDataProvider"; within:200; http_cookie; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-9822; reference:url,www.dnnsoftware.com/community/security/security-center; classtype:attempted-admin; sid:45414; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Hikvision IP camera admin authentication attempt"; flow:to_server,established; content:"auth=YWRtaW46"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-7921; reference:url,hikvision.com/us/about_10805.html; classtype:web-application-attack; sid:45413; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Asus RT-AC88U deleteOfflineClients memory corruption attempt"; flow:to_server,established; urilen:>64; content:"/deleteOfflineClient.cgi"; fast_pattern:only; http_uri; content:"delete_offline_client="; http_uri; pcre:"/[?&]delete_offline_client=[^&]{14}/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-12754; classtype:attempted-admin; sid:45412; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/nas_sharing.cgi"; fast_pattern:only; http_uri; pcre:"/[?&](coun|star)t=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125; classtype:web-application-attack; sid:45410; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/nas_sharing.cgi"; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&](coun|star)t=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125; classtype:web-application-attack; sid:45409; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/nas_sharing.cgi"; fast_pattern:only; http_uri; pcre:"/(^|&)(coun|star)t=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%23|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125; classtype:web-application-attack; sid:45408; rev:2;)
# sid 45407: fires when the normalized URI contains "/cgi-bin/nas_sharing.cgi"
# and the payload contains both fixed strings "mydlinkBRionyg" and
# "YWJjMTIzNDVjYmE".
# Neither string has nocase or an http_* buffer modifier, so both are matched
# case-sensitively in the raw payload. With no distance/within, their order is
# not constrained.
# NOTE(review): the second string looks base64-encoded; per the msg text and the
# two advisory references, the pair presumably corresponds to the hard-coded
# account those advisories describe.
# This is the only one of the four nas_sharing.cgi rules in this run that is
# enabled. The command-injection sids 45408-45410 above it are commented out, so
# only the backdoor-account request shape alerts in this configuration.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud nas_sharing.cgi backdoor account access attempt"; flow:to_server,established; content:"/cgi-bin/nas_sharing.cgi"; fast_pattern:only; http_uri; content:"mydlinkBRionyg"; content:"YWJjMTIzNDVjYmE"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125; reference:url,securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10110; classtype:web-application-attack; sid:45407; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Possible Phpmyadmin CSRF exploitation attempt"; flow:to_server,established; content:"/phpmyadmin/sql.php"; fast_pattern:only; http_uri; content:"sql_query="; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2017-1000499; classtype:policy-violation; sid:45406; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PostfixAdmin protected alias deletion attempt"; flow:to_server,established; content:"delete.php"; fast_pattern:only; http_uri; content:"table"; http_uri; content:"alias"; within:10; http_uri; content:"delete"; http_uri; metadata:service http; reference:bugtraq,96142; reference:cve,2017-5930; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/pfadmin_set_protected_alias.rb; classtype:policy-violation; sid:45454; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys WVBR0-25 Wireless Video Bridge command injection attempt"; flow:to_server,established; content:"User-Agent: |22 3B|"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-17411; classtype:attempted-user; sid:45453; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys WVBR0-25 Wireless Video Bridge command injection attempt"; flow:to_server,established; content:"User-Agent: |22 60|"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-17411; classtype:attempted-user; sid:45452; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys WVBR0-25 Wireless Video Bridge command injection attempt"; flow:to_server,established; content:"User-Agent: |22 7C|"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-17411; classtype:attempted-user; sid:45451; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys WVBR0-25 Wireless Video Bridge command injection attempt"; flow:to_server,established; content:"User-Agent: |22 3C 28|"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-17411; classtype:attempted-user; sid:45450; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys WVBR0-25 Wireless Video Bridge command injection attempt"; flow:to_server,established; content:"User-Agent: |22 3E 28|"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-17411; classtype:attempted-user; sid:45449; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys WVBR0-25 Wireless Video Bridge command injection attempt"; flow:to_server,established; content:"User-Agent: |22 24 28|"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-17411; classtype:attempted-user; sid:45448; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys WVBR0-25 Wireless Video Bridge command injection attempt"; flow:to_server,established; content:"User-Agent: |22 26|"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-17411; classtype:attempted-user; sid:45447; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PhpCollab editclient.php arbitrary PHP file upload attempt"; flow:to_server,established; content:"/clients/editclient.php"; fast_pattern:only; http_uri; content:"<?"; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-6090; reference:url,sysdream.com/news/lab/2017-09-29-cve-2017-6090-phpcollab-2-5-1-arbitrary-file-upload-unauthenticated; classtype:attempted-admin; sid:45421; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Drupal HTTP Strict Transport Security module security bypass attempt"; flow:to_client,established; content:"Strict-Transport-Security"; nocase; http_header; content:"max-age="; within:30; nocase; http_header; content:"include_subdomains"; within:40; fast_pattern; nocase; http_header; metadata:service http; reference:cve,2015-5505; reference:url,drupal.org/forum/newsletters/security-advisories-for-contributed-projects/2015-06-17/http-strict-transport; classtype:web-application-attack; sid:45420; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Samsung SRN-1670D cslog_export.php arbitrary file read attempt"; flow:to_server,established; content:"/cslog_export.php"; fast_pattern:only; http_uri; content:"path="; nocase; metadata:service http; reference:cve,2015-8279; reference:url,blog.emaze.net/2016/01/multiple-vulnerabilities-samsung-srn.html; classtype:attempted-recon; sid:45457; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Samsung SRN-1670D network_ssl_upload.php arbitrary PHP file upload attempt"; flow:to_server,established; content:"/network_ssl_upload.php"; fast_pattern:only; http_uri; content:"<?"; http_client_body; metadata:service http; reference:cve,2017-16524; reference:url,blog.emaze.net/2016/01/multiple-vulnerabilities-samsung-srn.html; classtype:attempted-admin; sid:45456; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt"; flow:to_server,established; content:"/goform/logRead"; fast_pattern:only; http_uri; content:"Readfile="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]Readfile=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-5261; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/cnpilot_r_fpt.rb; classtype:web-application-attack; sid:45482; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt"; flow:to_server,established; content:"/goform/logRead"; fast_pattern:only; http_uri; content:"Readfile="; nocase; http_client_body; pcre:"/(^|&)Readfile=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-5261; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/cnpilot_r_fpt.rb; classtype:web-application-attack; sid:45481; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt"; flow:to_server,established; content:"/goform/logRead"; fast_pattern:only; http_uri; content:"Readfile"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?Readfile((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-5261; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/cnpilot_r_fpt.rb; classtype:web-application-attack; sid:45480; rev:2;)
# sid 45479 (CVE-2017-17560): fires when the normalized URI contains
# "/web/jquery/uploader/multi_uploadify.php" and the request body contains the
# two characters "<?".
# "<?" is a loose body marker: it also occurs at the start of an XML declaration
# and inside arbitrary binary data, so the URI is what gives the alert its
# meaning. The rule checks neither the HTTP method nor the uploaded file name.
# The metadata lists action drop for the connectivity, balanced, max-detect and
# security policies, while the action written here is alert. It is the only
# active rule in this part of the file whose metadata names the connectivity
# policy.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud multi_uploadify.php arbitrary PHP file upload attempt"; flow:to_server,established; content:"/web/jquery/uploader/multi_uploadify.php"; fast_pattern:only; http_uri; content:"<?"; http_client_body; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-17560; reference:url,blog.westerndigital.com/western-digital-cloud-update/; classtype:attempted-admin; sid:45479; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cambium ePMP and cnPilot command execution attempt"; flow:to_server,established; content:"/adm/syscmd.asp"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-5259; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/cnpilot_r_cmd_exec.rb; classtype:attempted-admin; sid:45498; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cambium ePMP and cnPilot command execution attempt"; flow:to_server,established; content:"/goform/SystemCommand"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-5259; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/cnpilot_r_cmd_exec.rb; classtype:attempted-admin; sid:45497; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Seagate Personal Cloud uploadTelemetry.psp command injection attempt"; flow:to_server,established; content:"/uploadTelemetry.psp"; fast_pattern:only; http_uri; content:"TimeStamp="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]TimeStamp=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-5347; reference:url,blogs.securiteam.com/index.php/archives/3548; classtype:web-application-attack; sid:45496; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Seagate Personal Cloud getLogs.psp command injection attempt"; flow:to_server,established; content:"/getLogs.psp"; fast_pattern:only; http_uri; pcre:"/[?&](time_stamp|arch_id)=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-5347; reference:url,blogs.securiteam.com/index.php/archives/3548; classtype:web-application-attack; sid:45495; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Seagate Personal Cloud uploadTelemetry.psp command injection attempt"; flow:to_server,established; content:"/uploadTelemetry.psp"; fast_pattern:only; http_uri; content:"TimeStamp="; nocase; http_uri; pcre:"/[?&]TimeStamp=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-5347; reference:url,blogs.securiteam.com/index.php/archives/3548; classtype:web-application-attack; sid:45494; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Seagate Personal Cloud getLogs.psp command injection attempt"; flow:to_server,established; content:"/getLogs.psp"; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&](time(\x5f|%5f)stamp|arch(\x5f|%5f)id)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-5347; reference:url,blogs.securiteam.com/index.php/archives/3548; classtype:web-application-attack; sid:45493; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP AsusWRT vpnupload.cgi unauthenticated NVRAM configuration modification attempt"; flow:to_server,established; content:"/vpnupload.cgi"; depth:14; fast_pattern; nocase; http_uri; content:"Content-Disposition"; nocase; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-5999; reference:cve,2018-6000; classtype:attempted-admin; sid:45526; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Moonshot Provisioning Manager Appliance khuploadfile.cgi directory traversal attempt"; flow:to_server,established; content:"khuploadfile.cgi"; fast_pattern:only; http_uri; content:"../"; metadata:policy max-detect-ips drop, service http; reference:cve,2017-8975; reference:cve,2017-8976; reference:cve,2017-8977; reference:url,support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03803en_us; classtype:attempted-admin; sid:45570; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Squid host header cache poisoning attempt"; flow:to_server,established; content:"://"; fast_pattern:only; http_uri; content:"Host|3A 20|"; http_header; pcre:"/GET\x20http[s]*\x3A\x2F\x2F(?<gethost>[^\x2F\x20]+)[^\x20]*?\x20HTTP.*?Host\x3A\x20((?!\k<gethost>).)*$/smi"; metadata:policy max-detect-ips drop, service http; reference:cve,2016-4553; reference:url,bugs.squid-cache.org/show_bug.cgi?id=4501; classtype:attempted-user; sid:45569; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MikroTik RouterOS jsproxy readPostData memory corruption attempt"; flow:to_server,established; content:"/jsproxy"; depth:8; fast_pattern; nocase; http_uri; content:"|0D 0A|Content-Length: "; nocase; byte_test:10,>,0x20000,0,relative,string,dec; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,forum.mikrotik.com/viewtopic.php?t=119308; classtype:attempted-admin; sid:45555; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PMSotware Simple Web Server connection header buffer overflow attempt"; flow:to_server,established; content:"|E9 A3 F7 FF FF 0D 0A|Content-Length: 0"; fast_pattern:only; content:"Connection: "; isdataat:100,relative; content:!"|0D 0A|"; within:100; metadata:policy max-detect-ips drop, service http; reference:url,ghostinthelab.wordpress.com/2012/07/19/simplewebserver-2-2-rc2-remote-buffer-overflow-exploit/; classtype:attempted-user; sid:45585; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cambium cnPilot r200 and r201 configuration file download attempt"; flow:to_server,established; content:"/goform/down_cfg_file"; fast_pattern:only; http_uri; urilen:21; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-5260; reference:url,blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/; classtype:web-application-attack; sid:45592; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cambium ePMP 1000 admin account password reset attempt"; flow:to_server,established; content:"/#config:system"; fast_pattern:only; http_uri; content:"device_props"; http_client_body; content:"admin_password"; distance:0; http_client_body; metadata:service http; reference:cve,2017-5254; reference:url,blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/; classtype:web-application-attack; sid:45601; rev:1;)
# Enabled rules (sid 45617, 45677): HP IMC Java object deserialization over HTTP.
# Each fires on an established client-to-server request whose URI contains the named
# /imc/topo/ servlet path and whose request body contains the bytes AC ED, which are the
# first two bytes of the Java serialization stream header.
# The body match has no depth/offset, so the byte pair may appear anywhere in the body.
# NOTE(review): the rule action is "alert"; the "drop" in metadata is a per-policy hint.
# Whether matching traffic is blocked depends on the rule manager and on Snort running
# inline -- confirm for this deployment. Only ports in $HTTP_PORTS are inspected.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP IMC WebDM arbitrary Java object deserialization attempt"; flow:to_server,established; content:"/imc/topo/WebDM"; fast_pattern:only; http_uri; content:"|AC ED|"; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,101152; reference:cve,2017-12557; reference:cve,2017-12558; reference:url,support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03778en_us; classtype:attempted-admin; sid:45617; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP IMC mibBrowser arbitrary Java object deserialization attempt"; flow:to_server,established; content:"/imc/topo/mibBrowserTopoFilterServlet"; fast_pattern:only; http_uri; content:"|AC ED|"; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,101152; reference:cve,2017-12556; reference:url,support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03778en_us; classtype:attempted-admin; sid:45677; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP php_mime_split multipart file upload buffer overflow attempt"; flow:to_server,established; content:"Content-Disposition: form-data|3B| name=|22|0x08|22 0D 0A 0D 0A|"; fast_pattern:only; http_client_body; metadata:service http; reference:cve,2002-0081; classtype:attempted-user; sid:45676; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess SQL injection attempt"; flow:to_server,established; content:"/BWMobileService/BWScadaRest.svc/Login/"; fast_pattern:only; http_uri; pcre:"/\/BWMobileService\/BWScadaRest\.svc\/Login\/.*([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-16716; classtype:web-application-attack; sid:45688; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22006 (msg:"SERVER-WEBAPP Ulterius web server directory traversal attempt"; flow:to_server,established; content:"GET /c|3A|/"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-16806; reference:url,github.com/rapid7/metasploit-framework/blob/b533ec60190dcc4cf14ac18867b4b782b702b1ad/modules/auxiliary/admin/http/ulterius_file_download.rb; classtype:web-application-attack; sid:45722; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22006 (msg:"SERVER-WEBAPP Ulterius web server directory traversal attempt"; flow:to_server,established; content:"GET /.../"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-16806; reference:url,github.com/rapid7/metasploit-framework/blob/b533ec60190dcc4cf14ac18867b4b782b702b1ad/modules/auxiliary/admin/http/ulterius_file_download.rb; classtype:web-application-attack; sid:45721; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP PHP unserialize integer overflow attempt"; flow:to_server,established; file_data; content:"o:"; depth:10; content:"|3B|a:"; content:!":{"; within:9; content:":{"; within:35; distance:10; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,95371; reference:cve,2017-5340; classtype:attempted-admin; sid:45769; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS (msg:"SERVER-WEBAPP PHP unserialize integer overflow attempt"; flow:to_client,established; file_data; content:"o:"; depth:10; content:"|3B|a:"; content:!":{"; within:9; content:":{"; within:35; distance:10; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,95371; reference:cve,2017-5340; classtype:attempted-admin; sid:45768; rev:4;)
# Enabled rule (sid 45749): PHPUnit eval-stdin.php code execution (CVE-2017-9841).
# Fires when the request URI contains /phpunit/src/Util/PHP/eval-stdin.php and the request
# body contains "<?". A request to that path without "<?" in the body does not match.
# This is the only rule in this part of the file whose metadata also lists connectivity-ips.
# NOTE(review): a hit means the path was reachable from $EXTERNAL_NET; presumably a
# development dependency is exposed under the web root -- verify on the target host.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHPUnit PHP remote code execution attempt"; flow:to_server,established; content:"/phpunit/src/Util/PHP/eval-stdin.php"; fast_pattern:only; http_uri; content:"<?"; http_client_body; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-9841; classtype:web-application-attack; sid:45749; rev:2;)
# Enabled rule (sid 45748): HP IMC TopoMsgServlet Java deserialization (CVE-2017-8966).
# Fires when the URI contains /imc/topo/topomsgservlet and the request body contains the
# bytes AC ED (start of the Java serialization stream header) at any position.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP IMC TopoMsgServlet arbitrary Java object deserialization attempt"; flow:to_server,established; content:"/imc/topo/topomsgservlet"; fast_pattern:only; http_uri; content:"|AC ED|"; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-8966; reference:url,support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03787en_us; classtype:attempted-admin; sid:45748; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP IMC guiDataDetail Java expression language injection attempt"; flow:to_server,established; content:"/imc/gencfg/tskcreate/guiDataDetail.xhtml"; fast_pattern:only; http_uri; content:"beanName="; nocase; http_uri; pcre:"/[?&]beanName=[^&]*?new\s+(java|org|sun)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100367; reference:cve,2017-12523; reference:url,h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us; classtype:attempted-admin; sid:45806; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP IMC guiDataDetail Java expression language injection attempt"; flow:to_server,established; content:"/imc/gencfg/tskcreate/guiDataDetail.xhtml"; fast_pattern:only; http_uri; content:"beanName="; nocase; http_client_body; pcre:"/(^|&)beanName=[^&]*?new(\s|%20)+(java|org|sun)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100367; reference:cve,2017-12523; reference:url,h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us; classtype:attempted-admin; sid:45805; rev:1;)
# Enabled rule (sid 45790): Jenkins CLI SignedObject deserialization (CVE-2017-1000353).
# All of the following must hold for one request:
#   - the URI is exactly four bytes long and starts with "/cli" (depth:4, urilen:4, nocase)
#   - the headers contain both "Side: " and "Session: "
#   - the request body contains the literal string "SignedObject" (the fast pattern)
# NOTE(review): the URI test only matches Jenkins served at the web root; an instance
# behind a path prefix would presumably not match -- confirm against the local setup.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Jenkins Java SignedObject deserialization command execution attempt"; flow:to_server,established; content:"/cli"; depth:4; nocase; http_uri; urilen:4; content:"Side: "; nocase; http_header; content:"Session: "; nocase; http_header; content:"SignedObject"; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-1000353; reference:url,jenkins.io/security/advisory/2017-04-26/; classtype:attempted-admin; sid:45790; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP IMC operatorGroupSelectContent Java expression language injection attempt"; flow:to_server,established; content:"/imc/plat/operatorgroup/operatorGroupSelectContent.xhtml"; fast_pattern:only; http_uri; content:"beanName="; nocase; http_uri; pcre:"/[?&]beanName=[^&]*?new\s+(java|org|sun)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100367; reference:cve,2017-12524; reference:url,h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us; classtype:attempted-admin; sid:45775; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP IMC operatorGroupSelectContent Java expression language injection attempt"; flow:to_server,established; content:"/imc/plat/operatorgroup/operatorGroupSelectContent.xhtml"; fast_pattern:only; http_uri; content:"beanName="; nocase; http_client_body; pcre:"/(^|&)beanName=[^&]*?new(\s|%20)+(java|org|sun)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100367; reference:cve,2017-12524; reference:url,h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us; classtype:attempted-admin; sid:45774; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt"; flow:to_server,established; content:"userstat.pl"; fast_pattern:only; http_uri; content:"loginname"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?loginname((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,10316; classtype:web-application-attack; sid:45843; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt"; flow:to_server,established; content:"userstat.pl"; fast_pattern:only; http_uri; content:"loginname="; nocase; http_client_body; pcre:"/(^|&)loginname=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,10316; classtype:web-application-attack; sid:45842; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt"; flow:to_server,established; content:"userstat.pl"; fast_pattern:only; http_uri; content:"loginname="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]loginname=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,10316; classtype:web-application-attack; sid:45841; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt"; flow:to_server,established; content:"userstat.pl"; fast_pattern:only; http_uri; content:"loginname="; nocase; http_uri; pcre:"/[?&]loginname=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,10316; classtype:web-application-attack; sid:45840; rev:1;)
# Disabled rule (sid 45834): generic indicator, not tied to a product or CVE.
# It matches the quoted string "/bin/sh" (with the double quotes) anywhere in an HTTP request
# body sent to $HTTP_SERVERS, with no URI constraint. Metadata lists only max-detect-ips.
# NOTE(review): expect it to fire on any body carrying that quoted string, including benign
# content such as pasted scripts; plan for tuning or suppression before enabling.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /bin/sh access"; flow:to_server,established; content:"|22|/bin/sh|22|"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, service http; classtype:web-application-attack; sid:45834; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HPE Intelligent Management Center Platform /rptviewer/servlets/redirectviewer directory traversal attempt"; flow:to_server,established; content:"/rptviewer/servlets/redirectviewer"; fast_pattern:only; http_uri; content:"parafile"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?parafile((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-8983; reference:url,support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03808en_us; classtype:web-application-attack; sid:45859; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HPE Intelligent Management Center Platform /rptviewer/servlets/redirectviewer directory traversal attempt"; flow:to_server,established; content:"/rptviewer/servlets/redirectviewer"; fast_pattern:only; http_uri; content:"parafile="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]parafile=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-8983; reference:url,support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03808en_us; classtype:web-application-attack; sid:45858; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HPE Intelligent Management Center Platform /rptviewer/servlets/redirectviewer directory traversal attempt"; flow:to_server,established; content:"/rptviewer/servlets/redirectviewer"; fast_pattern:only; http_uri; content:"parafile="; nocase; http_client_body; pcre:"/(^|&)parafile=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-8983; reference:url,support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03808en_us; classtype:web-application-attack; sid:45857; rev:1;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER-WEBAPP SugarCRM RSSDashlet XML external entity information disclosure attempt"; flow:to_client,established; file_data; content:"ENTITY"; nocase; content:"file|3A 2F 2F|"; distance:0; fast_pattern; pcre:"/(\x21|%21)ENTITY((?!\x3e|%3e).)*?(SYSTEM|PUBLIC)((?!\x3e|%3e).)*?file\x3A\x2F\x2F/i"; metadata:service http; reference:cve,2014-3244; reference:url,www.sugarcrm.com; classtype:web-application-attack; sid:45918; rev:1;)
# Enabled rule (sid 45917): PHPMailer command injection via the Host header.
# Fires when the HTTP headers contain "Host: " followed within the next 100 bytes by the
# literal string " -be ${run{". There is no URI or body condition, so the rule is not tied
# to one application path; any request carrying that header content matches.
# The rule cites four CVEs (2016-10033, 2016-10034, 2016-10045, 2016-10074), so an alert
# alone does not say which mail library is targeted -- check what the destination runs.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHPMailer command injection remote code execution attempt"; flow:to_server,established; content:"Host: "; http_header; content:" -be ${run{"; within:100; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-10033; reference:cve,2016-10034; reference:cve,2016-10045; reference:cve,2016-10074; reference:url,legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html; classtype:web-application-attack; sid:45917; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager testCredential.do command injection attempt"; flow:to_server,established; content:"/testCredential.do"; fast_pattern:only; http_uri; pcre:"/(^|&)(UserName|Password|HostName)=[^&]*?([\x60\x3b\x7c\x23]|%60|%3b|%7c|%23|%26|((\x3c|%3c)|(\x3e|%3e)|(\x24|%24))(\x28|%28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-7890; reference:url,pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/; classtype:web-application-attack; sid:45913; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager testCredential.do command injection attempt"; flow:to_server,established; content:"/testCredential.do"; fast_pattern:only; http_uri; pcre:"/[?&](Password|HostName|UserName)=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-7890; reference:url,pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/; classtype:web-application-attack; sid:45912; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager testCredential.do command injection attempt"; flow:to_server,established; content:"/testCredential.do"; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&](HostName|UserName|Password)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-7890; reference:url,pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/; classtype:web-application-attack; sid:45911; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,7547] (msg:"SERVER-WEBAPP Potential Misfortune Cookie probe attempt"; flow:to_server,established; content:"C1073"; fast_pattern:only; pcre:"/^C1073\d{5}=\w*?\x00/Ci"; metadata:service http; reference:bugtraq,71744; reference:cve,2014-9222; classtype:attempted-admin; sid:45886; rev:1;)
# Enabled rule (sid 45885): HP IMC perfAccessMgrServlet Java deserialization (CVE-2017-8962).
# Fires when the URI contains /imc/perfm/accessMgrServlet and the request body contains the
# bytes AC ED (start of the Java serialization stream header) at any position in the body.
# NOTE(review): the signature keys on the servlet path plus a two-byte marker, so it cannot
# tell a malicious object stream from any other serialized body sent to that servlet.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP IMC perfAccessMgrServlet arbitrary Java object deserialization attempt"; flow:to_server,established; content:"/imc/perfm/accessMgrServlet"; fast_pattern:only; http_uri; content:"|AC ED|"; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-8962; reference:url,support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03787en_us; classtype:attempted-admin; sid:45885; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Reliance SCADA directory traversal attempt"; flow:to_server,established; content:"p="; nocase; http_uri; content:"l="; nocase; http_uri; content:"f="; nocase; http_uri; content:"../"; fast_pattern:only; http_uri; pcre:"/[?&]f=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,reliance-scada.com ; classtype:web-application-attack; sid:45872; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,3000] (msg:"SERVER-WEBAPP ZEIT Next.js /_next namespace directory traversal attempt"; flow:to_server,established; content:"GET /_next"; content:"../"; within:50; content:"HTTP/"; within:100; metadata:service http; reference:cve,2018-6184; reference:url,github.com/zeit/next.js; classtype:web-application-attack; sid:45959; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP IMC iccSelectDeviceSeries Java expression language injection attempt"; flow:to_server,established; content:"/imc/icc/regex/iccSelectDeviceSeries.xhtml"; fast_pattern:only; http_uri; content:"beanName="; nocase; http_uri; pcre:"/[?&]beanName=[^&]*?new\s+(java|org|sun)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100367; reference:cve,2017-12510; reference:url,h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us; classtype:attempted-admin; sid:45958; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP IMC iccSelectDeviceSeries Java expression language injection attempt"; flow:to_server,established; content:"/imc/icc/regex/iccSelectDeviceSeries.xhtml"; fast_pattern:only; http_uri; content:"beanName="; nocase; http_client_body; pcre:"/(^|&)beanName=[^&]*?new(\s|%20)+(java|org|sun)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100367; reference:cve,2017-12510; reference:url,h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us; classtype:attempted-admin; sid:45957; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP IMC mediaForAction Java expression language injection attempt"; flow:to_server,established; content:"/imc/desktop/mediaForAction.xhtml"; fast_pattern:only; http_uri; content:"action="; nocase; http_uri; pcre:"/[?&]action=[^&]*?new\s+(java|org|sun)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100367; reference:cve,2017-12494; reference:url,h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us; classtype:attempted-admin; sid:45954; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP IMC mediaForAction Java expression language injection attempt"; flow:to_server,established; content:"/imc/desktop/mediaForAction.xhtml"; fast_pattern:only; http_uri; content:"action="; nocase; http_client_body; pcre:"/(^|&)action=[^&]*?new(\s|%20)+(java|org|sun)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100367; reference:cve,2017-12494; reference:url,h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us; classtype:attempted-admin; sid:45953; rev:1;)
# Disabled rules (sid 45996, 45995): CoreOS etcd v2 key listing from $EXTERNAL_NET.
# They match the request lines "GET /v2/keys/ HTTP/" and "GET /v2/keys/?recursive=true" on
# $HTTP_PORTS or TCP 2379. Classtype is attempted-recon and the metadata names no policy,
# only "service http", so no policy listed in this file turns them on.
# NOTE(review): worth enabling where an etcd v2 API could be reachable from untrusted
# networks; a hit points at an exposed, unauthenticated listener to be fixed at the source.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,2379] (msg:"SERVER-WEBAPP CoreOS etcd service private keys listing attempt"; flow:to_server,established; content:"GET /v2/keys/ HTTP/"; fast_pattern:only; metadata:service http; reference:url,elweb.co/the-security-footgun-in-etcd/; classtype:attempted-recon; sid:45996; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,2379] (msg:"SERVER-WEBAPP CoreOS etcd service private keys listing attempt"; flow:to_server,established; content:"GET /v2/keys/?recursive=true"; fast_pattern:only; metadata:service http; reference:url,elweb.co/the-security-footgun-in-etcd/; classtype:attempted-recon; sid:45995; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla component Jimtawl 2.2.5 arbitrary PHP file upload attempt"; flow:to_server,established; content:"option=com_jimtawl"; fast_pattern:only; content:"view=upload"; http_header; content:"task=upload"; http_header; content:"pop=true"; http_header; content:"tmpl=component"; http_header; content:"<?"; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6580; reference:url,www.exploit-db.com/exploits/43958/; classtype:attempted-admin; sid:45984; rev:1;)
# Enabled rule (sid 45976): Spring Data REST JSON Patch code execution (CVE-2017-8046).
# Conditions, all on one request:
#   - HTTP method is PATCH
#   - headers contain "application/json-patch+json" (the fast pattern)
#   - the literal "java.lang.Runtime" appears, with ".exec" within the 50 bytes after it
# The last two content matches carry no http_* modifier, unlike the method and header tests.
# NOTE(review): this is a signature for one literal payload shape, not for the flaw itself;
# the absence of alerts is not evidence that an unpatched service was left alone.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Pivotal Spring Data REST PATCH request remote code execution attempt"; flow:to_server,established; content:"PATCH"; http_method; content:"application/json-patch+json"; fast_pattern:only; http_header; content:"java.lang.Runtime"; content:".exec"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-8046; reference:url,spring.io/blog/2018/03/06/security-issue-in-spring-data-rest-cve-2017-8046; classtype:web-application-attack; sid:45976; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SugarCRM cross site scripting attempt"; flow:to_server,established; content:"index.php"; http_uri; content:"print="; fast_pattern:only; nocase; http_uri; pcre:"/[?&].*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2018-5715; classtype:web-application-attack; sid:45970; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SugarCRM cross site scripting attempt"; flow:to_server,established; content:"phprint.php"; fast_pattern:only; http_uri; pcre:"/[?&].*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2018-5715; classtype:web-application-attack; sid:45969; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla jextn-classifieds SQL injection attempt"; flow:to_server,established; content:"index.php"; http_uri; content:"sid="; nocase; http_client_body; pcre:"/(^|&)sid=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; content:"option=com_jeclassifieds"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6575; classtype:web-application-attack; sid:46030; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla jextn-classifieds SQL injection attempt"; flow:to_server,established; content:"index.php"; http_uri; content:"sid="; nocase; http_uri; pcre:"/[?&]sid=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; content:"option=com_jeclassifieds"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6575; classtype:web-application-attack; sid:46029; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla JE PayperVideo extension SQL injection attempt"; flow:to_server,established; content:"index.php"; http_uri; content:"option=com_jepaypervideo"; fast_pattern:only; http_uri; content:"view=myplans"; nocase; http_uri; content:"task=myplans.usersubscriptions"; nocase; http_uri; content:"usr_plan"; nocase; http_client_body; pcre:"/^usr_plan=[^&]*?[^\d\x20&]/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6578; classtype:web-application-attack; sid:46028; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP EventManager page.php sql injection attempt SQL injection attempt"; flow:to_server,established; content:"/page.php"; fast_pattern:only; http_uri; content:"slug="; nocase; http_client_body; pcre:"/(^|&)slug=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6576; reference:url,attack.mitre.org/techniques/T1190; classtype:web-application-attack; sid:46027; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP EventManager page.php sql injection attempt SQL injection attempt"; flow:to_server,established; content:"/page.php"; fast_pattern:only; http_uri; content:"slug="; nocase; http_uri; pcre:"/[?&]slug=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6576; reference:url,attack.mitre.org/techniques/T1190; classtype:web-application-attack; sid:46026; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP multiple vendor calendar application id parameter SQL injection attempt"; flow:to_server,established; content:"event.php"; fast_pattern:only; http_uri; content:"id="; nocase; http_client_body; pcre:"/(^|&)id=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,437437; reference:cve,2006-3094; reference:cve,2018-6576; classtype:web-application-attack; sid:46025; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP multiple vendor calendar application id parameter SQL injection attempt"; flow:to_server,established; content:"event.php"; fast_pattern:only; http_uri; content:"id="; nocase; http_uri; pcre:"/[?&]id=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,437437; reference:cve,2006-3094; reference:cve,2018-6576; classtype:web-application-attack; sid:46024; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt"; flow:to_server,established; content:"option=com_jmsmusic"; fast_pattern:only; http_uri; content:"username="; nocase; http_client_body; pcre:"/(^|&)username=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6581; reference:url,www.exploit-db.com/exploits/43959/; classtype:web-application-attack; sid:46046; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt"; flow:to_server,established; content:"option=com_jmsmusic"; fast_pattern:only; http_uri; content:"username="; nocase; http_uri; pcre:"/[?&]username=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6581; reference:url,www.exploit-db.com/exploits/43959/; classtype:web-application-attack; sid:46045; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt"; flow:to_server,established; content:"option=com_jmsmusic"; fast_pattern:only; http_uri; content:"view=search"; nocase; http_uri; content:"artist="; nocase; http_client_body; pcre:"/(^|&)artist=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6581; reference:url,www.exploit-db.com/exploits/43959/; classtype:web-application-attack; sid:46044; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt"; flow:to_server,established; content:"option=com_jmsmusic"; fast_pattern:only; http_uri; content:"view=search"; nocase; http_uri; content:"artist="; nocase; http_uri; pcre:"/[?&]artist=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6581; reference:url,www.exploit-db.com/exploits/43959/; classtype:web-application-attack; sid:46043; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt"; flow:to_server,established; content:"option=com_jmsmusic"; fast_pattern:only; http_uri; content:"view=search"; nocase; http_uri; content:"keyword="; nocase; http_client_body; pcre:"/(^|&)keyword=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6581; reference:url,www.exploit-db.com/exploits/43959/; classtype:web-application-attack; sid:46042; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt"; flow:to_server,established; content:"option=com_jmsmusic"; fast_pattern:only; http_uri; content:"view=search"; nocase; http_uri; content:"keyword="; nocase; http_uri; pcre:"/[?&]keyword=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6581; reference:url,www.exploit-db.com/exploits/43959/; classtype:web-application-attack; sid:46041; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3033 (msg:"SERVER-WEBAPP Dell EMC Storage Manager EmConfigMigration servlet directory traversal attempt"; flow:to_server,established; content:"/EmConfigMigration/"; depth:24; pcre:"/\x2fEmConfigMigration\x2f[^\s]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,103467; reference:cve,2017-14384; reference:url,topics-cdn.dell.com/pdf/storage-sc2000_release%20notes24_en-us.pdf; classtype:web-application-attack; sid:46040; rev:1;)
# Joomla JEXTN Reverse Auction SQL injection, CVE-2018-6579 (sids 46089, 46088, 46087).
# All three rules require "com_jereverseauction" in the normalized URI and then look for the
# MySQL versioned-comment opener "/*!" (\x2f\x2a\x21) in the "id" parameter. The metadata marks
# them as drop in the balanced-ips, max-detect-ips and security-ips policies.
# pcre flags used below: P = HTTP request body, U = normalized URI, i = case-insensitive,
# m = ^ matches at line starts, s = dot matches newlines.
# NOTE(review): detection is tied to the "/*!" marker only. Treat these sids as coverage for
# that specific request shape and rely on generic SQL injection rules and on patching the
# extension for anything else sent to the same parameter.
#
# sid 46089: url-encoded POST body; also requires view=product in the URI. Matches "/*!" either
# literally or as %2f%2a%21, inside the value of id= (the [^&]*? stops at the next parameter).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt"; flow:to_server,established; content:"com_jereverseauction"; fast_pattern:only; http_uri; content:"view=product"; nocase; http_uri; content:"id="; nocase; http_client_body; pcre:"/(^|&)id=[^&]*?(\x2f\x2a\x21|%2f%2a%21)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6579; reference:url,exploit-db.com/exploits/43950/; classtype:web-application-attack; sid:46089; rev:1;)
# sid 46088: multipart/form-data body. The ((?!^--).)*? segments keep the match from crossing a
# line that begins with "--" (the multipart boundary marker), so "/*!" has to sit in the same
# part as the name= attribute. This variant has no view=product content match.
# NOTE(review): the pcre has no closing delimiter after "id", so a part whose name merely starts
# with "id" also satisfies it. Keep that in mind when triaging alerts from this sid.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt"; flow:to_server,established; content:"com_jereverseauction"; fast_pattern:only; http_uri; content:"id"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?id((?!^--).)*?[\r\n]{2,}((?!^--).)*?\x2f\x2a\x21/Psim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6579; reference:url,exploit-db.com/exploits/43950/; classtype:web-application-attack; sid:46088; rev:1;)
# sid 46087: query-string variant; also requires view=product in the URI. Only the literal
# "/*!" is listed because the U flag matches against the already-decoded URI.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt"; flow:to_server,established; content:"com_jereverseauction"; fast_pattern:only; http_uri; content:"view=product"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/[?&]id=[^&]*?\x2f\x2a\x21/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6579; reference:url,exploit-db.com/exploits/43950/; classtype:web-application-attack; sid:46087; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"ping_"; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]ping(\x5f|%5f)(ip|size|times)=[^&]*?%26/Ii"; metadata:ruleset community, service http; reference:cve,2013-3307; classtype:web-application-attack; sid:46086; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"ping_"; nocase; http_uri; pcre:"/[?&]ping_(ip|size|times)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:ruleset community, service http; reference:cve,2013-3307; classtype:web-application-attack; sid:46085; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"next_page="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]next_page=[^&]*?\x2e\x2e\x2f/Ui"; metadata:ruleset community, service http; reference:url,s3cur1ty.de/m1adv2013-004; classtype:web-application-attack; sid:46084; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"next_page="; nocase; http_client_body; pcre:"/(^|&)next_page=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:ruleset community, service http; reference:url,s3cur1ty.de/m1adv2013-004; classtype:web-application-attack; sid:46083; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"ping"; nocase; http_client_body; pcre:"/(^|&)ping(\x5f|%5f)(ip|size|times)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:ruleset community, service http; reference:cve,2013-3307; classtype:web-application-attack; sid:46082; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi cross site scripting attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"action="; http_client_body; pcre:"/(^|&)(wait_time|ping_ip|ping_size|submit_type|traceroute_ip)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Pim"; metadata:ruleset community, service http; reference:url,s3cur1ty.de/m1adv2013-004; classtype:attempted-user; sid:46081; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi cross site scripting attempt"; flow:to_server,established; content:"apply.cgi"; http_uri; content:"action="; distance:0; http_uri; pcre:"/[?&](wait_time|ping_ip|ping_size|submit_type|traceroute_ip)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:ruleset community, service http; reference:url,s3cur1ty.de/m1adv2013-004; classtype:attempted-user; sid:46080; rev:3;)
# Joomla JEXTN Membership SQL injection, CVE-2018-6577 / CVE-2018-6578 (sids 46064, 46063, 46062).
# Each rule requires both "view=myplans" and "task=myplans.usersubscriptions" in the normalized
# URI, then looks for the sequence "(<digits>=<digits>," following the usr_plan parameter.
# The metadata marks them as drop in the balanced-ips, max-detect-ips and security-ips policies.
# pcre flags used below: P = HTTP request body, U = normalized URI, i = case-insensitive,
# m = ^ matches at line starts, s = dot matches newlines.
#
# sid 46064: multipart/form-data body. The ((?!^--).)*? segments stop the match at a line that
# begins with "--" (the multipart boundary marker), keeping it inside the usr_plan part.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt"; flow:to_server,established; content:"view=myplans"; nocase; http_uri; content:"task=myplans.usersubscriptions"; fast_pattern:only; http_uri; content:"usr_plan"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?usr_plan((?!^--).)*?[\r\n]{2,}((?!^--).)*?\x28\d+\x3d\d+\x2c/Psim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6577; reference:cve,2018-6578; classtype:web-application-attack; sid:46064; rev:1;)
# sid 46063: url-encoded POST body; accepts the sequence literally or percent-encoded.
# NOTE(review): the value is skipped with [^\x28]*? rather than [^&]*?, so the match is not
# confined to the usr_plan value. A "(<digits>=<digits>," in a later body parameter also
# satisfies the rule. Account for that when triaging, since the action is drop under the
# policies listed above.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt"; flow:to_server,established; content:"view=myplans"; nocase; http_uri; content:"task=myplans.usersubscriptions"; fast_pattern:only; http_uri; content:"usr_plan="; nocase; http_client_body; pcre:"/(^|&)usr_plan=[^\x28]*?(\x28\d+\x3d\d+\x2c|%28\d+%3d\d+%2c)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6577; reference:cve,2018-6578; classtype:web-application-attack; sid:46063; rev:1;)
# sid 46062: query-string variant, matched against the decoded URI.
# NOTE(review): this pcre has no [?&] prefix before usr_plan= and also uses [^\x28]*?, so it
# matches any parameter name ending in "usr_plan" and can run into later parameters.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt"; flow:to_server,established; content:"view=myplans"; nocase; http_uri; content:"task=myplans.usersubscriptions"; fast_pattern:only; http_uri; content:"usr_plan="; nocase; http_uri; pcre:"/usr_plan=[^\x28]*?\x28\d+\x3d\d+\x2c/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6577; reference:cve,2018-6578; classtype:web-application-attack; sid:46062; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess directory traversal attempt"; flow:to_server,established; content:"/WADashboard/api/dashboard/v1/files/readFile"; fast_pattern:only; http_uri; content:"filepath"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?filepath((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:service http; reference:url,www.advantech.com/industrial-automation/webaccess; classtype:web-application-attack; sid:46114; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess directory traversal attempt"; flow:to_server,established; content:"/WADashboard/api/dashboard/v1/files/readFile"; fast_pattern:only; http_uri; content:"filepath="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]filepath=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:url,www.advantech.com/industrial-automation/webaccess; classtype:web-application-attack; sid:46113; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess directory traversal attempt"; flow:to_server,established; content:"/WADashboard/api/dashboard/v1/files/readFile"; fast_pattern:only; http_uri; content:"filepath="; nocase; http_client_body; pcre:"/(^|&)filepath=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:url,www.advantech.com/industrial-automation/webaccess; classtype:web-application-attack; sid:46112; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 15023 (msg:"SERVER-WEBAPP Laerdal SimMan-3G arbitrary file upload attempt"; flow:to_server,established; content:"/SapsServices/FileTransferService/Binary"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop; reference:url,www.laerdal.com/us/products/simulation-training/emergency-care-trauma/simman-als/; classtype:web-application-attack; sid:46100; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenEMR SQL injection attempt"; flow:to_server,established; content:"/openemr/library/ajax/addlistitem.php"; fast_pattern:only; http_uri; content:"listid="; nocase; http_uri; pcre:"/[?&]listid=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,open-emr.org; classtype:web-application-attack; sid:46133; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenEMR SQL injection attempt"; flow:to_server,established; content:"/openemr/library/ajax/addlistitem.php"; fast_pattern:only; http_uri; content:"listid="; nocase; http_client_body; pcre:"/(^|&)listid=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,open-emr.org; classtype:web-application-attack; sid:46132; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt"; flow:to_server,established; content:"/EGateway/EGateway.asmx"; fast_pattern:only; http_uri; content:"Soapaction: |22|http://micros-hosting.com/EGateway/ProcessDimeRequest|22|"; nocase; http_header; content:"application/dime"; nocase; http_header; content:"application/octet-stream"; nocase; http_client_body; content:"|00 24 00 24 00 6C 00 6F 00 67 00 5C|"; http_client_body; pcre:"/\x00\x24\x00\x24\x00\x6c\x00\x6f\x00\x67\x00\x5c.*?\x00\x5c/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-2636; classtype:web-application-attack; sid:46159; rev:1;)
# NOTE(review) sid 46158 (disabled): the trailing [...] in the pcre below is one character
# class, so the parentheses inside it are literal members, not groups. As written it matches a
# single byte from the set { "/", "\", "(", ")", ".", NUL } after what looks like a 16-bit-encoded
# ".." sequence. That is broader than the dot-dot-slash sequences the grouping appears to intend;
# three consecutive dots would also match. The pcre also carries no HTTP buffer flag, unlike the
# content matches - confirm which buffer it is evaluated against. Validate against known-good
# DIME traffic before enabling; an alternation of the intended sequences would be tighter.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt"; flow:to_server,established; content:"/EGateway/EGateway.asmx"; fast_pattern:only; http_uri; content:"Soapaction: |22|http://micros-hosting.com/EGateway/ProcessDimeRequest|22|"; nocase; http_header; content:"application/dime"; nocase; http_header; content:"application/octet-stream"; nocase; http_client_body; content:"|00 2E 00 2E 00|"; http_client_body; pcre:"/\x00\x2e\x00\x2e\x00[\x2f\x5c(\x5c\x00\x2f)(\x2e\x00\x2f\x00\x2e\x00\x2f)(\x2e\x00\x5c\x00\x2e\x00\x5c)]{1}/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-2636; classtype:web-application-attack; sid:46158; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt"; flow:to_server,established; content:"/EGateway/EGateway.asmx"; fast_pattern:only; http_uri; content:"Soapaction: |22|http://micros-hosting.com/EGateway/ProcessDimeRequest|22|"; nocase; http_header; content:"application/dime"; nocase; http_header; content:"application/octet-stream"; nocase; http_client_body; content:"ProcessDimeRequest"; nocase; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-2636; classtype:web-application-attack; sid:46157; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud home_mgr.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/home_mgr.cgi"; fast_pattern:only; http_uri; content:"user"; nocase; http_client_body; pcre:"/(^|&)f(\x5f|%5f)user=[^&]*?([\x60\x3b\x7c\x23]|%60|%3b|%7c|%23|%26|((\x3c|%3c)|(\x3e|%3e)|(\x24|%24))(\x28|%28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blogs.securiteam.com/index.php/archives/3679; classtype:web-application-attack; sid:46162; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud home_mgr.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/home_mgr.cgi"; fast_pattern:only; http_uri; content:"f_user="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]f(\x5f|%5f)user=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blogs.securiteam.com/index.php/archives/3679; classtype:web-application-attack; sid:46161; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud home_mgr.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/home_mgr.cgi"; fast_pattern:only; http_uri; content:"f_user="; nocase; http_uri; pcre:"/[?&]f_user=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blogs.securiteam.com/index.php/archives/3679; classtype:web-application-attack; sid:46160; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Mango Automation arbitrary JSP file upload attempt"; flow:to_server,established; content:"/rest/v1/excel-report-templates/upload"; fast_pattern:only; http_uri; content:"<%"; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-admin; sid:46232; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DIAEnergie credential request attempt"; flow:to_server,established; content:"/DataHandler/WebApis/DIAE_usHandler.ashx"; fast_pattern:only; http_uri; content:"ttype=GetObject"; http_uri; content:"pUid="; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-admin; sid:46216; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt"; flow:to_server,established; content:"/cgi-bin/pingping.cgi"; fast_pattern:only; http_uri; content:"ping_ip"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?ping_ip((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:ruleset community, service http; reference:cve,2013-0143; classtype:web-application-attack; sid:46300; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt"; flow:to_server,established; content:"/cgi-bin/pingping.cgi"; fast_pattern:only; http_uri; content:"ping"; nocase; http_client_body; pcre:"/(^|&)ping(\x5f|%5f)ip=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:ruleset community, service http; reference:cve,2013-0143; classtype:web-application-attack; sid:46299; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt"; flow:to_server,established; content:"/cgi-bin/pingping.cgi"; fast_pattern:only; http_uri; content:"ping_ip="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]ping(\x5f|%5f)ip=[^&]*?%26/Ii"; metadata:ruleset community, service http; reference:cve,2013-0143; classtype:web-application-attack; sid:46298; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt"; flow:to_server,established; content:"/cgi-bin/pingping.cgi"; fast_pattern:only; http_uri; content:"ping_ip="; nocase; http_uri; pcre:"/[?&]ping_ip=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:ruleset community, service http; reference:cve,2013-0143; classtype:web-application-attack; sid:46297; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E series denial of service attempt"; flow:to_server,established; content:"mfgtst.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:denial-of-service; sid:46287; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest NetVault Backup Server NVBUJobCountHistory SQL injection attempt"; flow:to_server,established; content:"|22|NVBUJobCountHistory|22|"; fast_pattern:only; http_client_body; content:"|22|where|22|"; nocase; http_client_body; pcre:"/\x22where\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x27\x3b\x23]|\x2f\x2a|\x2d\x2d)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,102252; reference:cve,2017-17420; classtype:web-application-attack; sid:46283; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk directory traversal attempt"; flow:to_server,established; content:"/fosagent/repl/download-snapshot"; fast_pattern:only; http_uri; content:"name="; nocase; http_client_body; pcre:"/name=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:cve,2017-11512; classtype:web-application-attack; sid:46346; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk directory traversal attempt"; flow:to_server,established; content:"/fosagent/repl/download-snapshot"; fast_pattern:only; http_uri; content:"name="; nocase; http_uri; content:".."; http_uri; pcre:"/name=[^&]*?\x2e\x2e[\x2f\x5c]/Ui"; metadata:service http; reference:cve,2017-11512; classtype:web-application-attack; sid:46345; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk directory traversal attempt"; flow:to_server,established; content:"/fosagent/repl/download-snapshot"; fast_pattern:only; http_uri; content:"name"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?name((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:service http; reference:cve,2017-11512; classtype:web-application-attack; sid:46344; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Akeeba Kickstart cross site request forgery attempt"; flow:to_client,established; file_data; content:"administrator/index.php"; fast_pattern:only; content:"option=com_joomlaupdate"; nocase; content:"task=update.install"; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2014-7229; classtype:web-application-attack; sid:46341; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Akeeba Kickstart restoration.php reconnaissance attempt"; flow:to_server,established; content:"administrator/components/com_joomlaupdate/restoration.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2014-7229; classtype:web-application-attack; sid:46340; rev:2;)
# Joomla Saxum Picker SQL injection, CVE-2018-7178 (sids 46338, 46337).
# Both rules require "/index.php" in the normalized URI and flag a publicid value containing a
# single quote, double quote, semicolon, "#", "/*" or "--". The metadata marks them as drop in
# the balanced-ips, max-detect-ips and security-ips policies.
#
# sid 46338: GET-style variant. "option=com_saxumpicker" and "publicid=" must be in the URI.
# Only literal characters are listed because the U flag matches the already-decoded URI.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Saxum Picker SQL injection attempt"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"option=com_saxumpicker"; fast_pattern:only; http_uri; content:"publicid="; nocase; http_uri; pcre:"/[?&]publicid=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-7178; classtype:web-application-attack; sid:46338; rev:1;)
# sid 46337: POST variant. Here "option=com_saxumpicker" and "publicid=" must both be in the
# request body, and the pcre (P flag = request body) also lists the percent-encoded forms
# (%27, %22, %3b, %23, %2f%2a, %2d%2d). [^&]*? confines the match to the publicid value.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Saxum Picker SQL injection attempt"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"option=com_saxumpicker"; fast_pattern:only; http_client_body; content:"publicid="; nocase; http_client_body; pcre:"/(^|&)publicid=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-7178; classtype:web-application-attack; sid:46337; rev:1;)
# Joomla DT Register SQL injection, CVE-2018-6584 (sids 46334, 46333).
# Conditions: "index.php" in the normalized URI, "task=edit" (the fast pattern), and an id value
# containing a single quote, double quote, semicolon, "#", "/*" or "--".
# NOTE(review): neither rule has a content match that names the DT Register component, so any
# application served from index.php with task=edit and such an id value meets the conditions.
# The metadata marks both as drop in the balanced-ips, max-detect-ips and security-ips policies,
# so a false positive blocks traffic when running inline. Review hits for these sids per
# deployment; a local copy with an added component-specific content match would be narrower
# (confirm the component parameter value against the advisory first).
#
# sid 46334: POST variant. task=edit and id= are matched in the request body, and the pcre
# (P flag = request body) also lists percent-encoded forms.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla DT Register SQL injection attempt"; flow:to_server,established; content:"index.php"; nocase; http_uri; content:"task=edit"; fast_pattern:only; http_client_body; content:"id="; nocase; http_client_body; pcre:"/(^|&)id=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6584; classtype:web-application-attack; sid:46334; rev:1;)
# sid 46333: query-string variant. task=edit and id= are matched in the decoded URI
# (U flag), so only literal characters are listed.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla DT Register SQL injection attempt"; flow:to_server,established; content:"index.php"; nocase; http_uri; content:"task=edit"; fast_pattern:only; http_uri; content:"id="; nocase; http_uri; pcre:"/[?&]id=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6584; classtype:web-application-attack; sid:46333; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SearchBlox unauthorized access attempt"; flow:to_server,established; content:"/searchblox/servlet/CollectionServlet"; fast_pattern:only; http_uri; content:"xml"; metadata:policy max-detect-ips drop, service http; reference:cve,2015-7919; reference:url,www.ixiacom.com/company/blog/ixia-ati-research-center-discovers-zero-day-searchblox-vulnerabilities; classtype:attempted-user; sid:46332; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SearchBlox unauthorized access attempt"; flow:to_server,established; content:"/searchblox/servlet/ReportListServlet"; fast_pattern:only; http_uri; content:"action="; metadata:policy max-detect-ips drop, service http; reference:cve,2015-7919; reference:url,www.ixiacom.com/company/blog/ixia-ati-research-center-discovers-zero-day-searchblox-vulnerabilities; classtype:attempted-user; sid:46331; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SearchBlox unauthorized access attempt"; flow:to_server,established; content:"/searchblox/servlet/CollectionServlet"; fast_pattern:only; http_uri; content:"action="; metadata:policy max-detect-ips drop, service http; reference:cve,2015-7919; reference:url,www.ixiacom.com/company/blog/ixia-ati-research-center-discovers-zero-day-searchblox-vulnerabilities; classtype:attempted-user; sid:46330; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SearchBlox unauthorized access attempt"; flow:to_server,established; content:"/searchblox/servlet/UserServlet"; fast_pattern:only; http_uri; content:"action="; metadata:policy max-detect-ips drop, service http; reference:cve,2015-7919; reference:url,www.ixiacom.com/company/blog/ixia-ati-research-center-discovers-zero-day-searchblox-vulnerabilities; classtype:attempted-user; sid:46329; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache Jetspeed PageManagementService persistent XSS attempt"; flow:to_server,established; content:"/jetspeed/services/pagemanagement/info/.psml/_user/"; fast_pattern:only; http_uri; content:"title="; nocase; http_uri; pcre:"/[?&]title=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2016-0711; classtype:attempted-user; sid:46328; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HPE Intelligent Management Center UrlAccessController authentication bypass attempt"; flow:to_server,established; content:"/imc/"; nocase; http_uri; content:"java"; http_uri; content:"%2e%2e"; depth:50; http_raw_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2017-8982; reference:url,support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03809en_us; classtype:web-application-attack; sid:46325; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt"; flow:to_server,established; content:"/fw_serv_add.cgi"; fast_pattern:only; http_uri; content:"userdefined="; nocase; http_client_body; pcre:"/userdefined=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.netgear.com/home/products/networking/dsl-modems-routers/dgn2200.aspx; classtype:attempted-user; sid:46323; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt"; flow:to_server,established; content:"/wlg_sec_profile_main.cgi"; fast_pattern:only; http_uri; content:"ssid="; nocase; http_client_body; pcre:"/ssid=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.netgear.com/home/products/networking/dsl-modems-routers/dgn2200.aspx; classtype:attempted-user; sid:46322; rev:2;)
# Drupal 8 remote code execution, CVE-2018-7600 / SA-CORE-2018-002 (sid 46316, community ruleset).
# URI conditions (normalized URI): "element_parents=" (the fast pattern), "#value" and
# "drupal_ajax". Body condition (P flag = request body, case-insensitive): a "#"-prefixed
# callback property name (submit, validate, access_callback, pre_render, post_render or
# lazy_builder), with the "#" literal or encoded as %23.
# The metadata marks the rule as drop in the connectivity-ips, balanced-ips, max-detect-ips and
# security-ips policies.
# NOTE(review): the rule is tied to this one request shape (element_parents in the URI plus the
# property name in the body); presumably other request shapes for the same CVE are covered by
# other sids - verify. Matching needs the request in cleartext on $HTTP_PORTS. Patching per the
# referenced advisory remains the primary fix.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Drupal 8 remote code execution attempt"; flow:to_server,established; content:"element_parents="; fast_pattern:only; http_uri; content:"#value"; http_uri; content:"drupal_ajax"; http_uri; pcre:"/(%23|#)(submit|validate|access_callback|pre_render|post_render|lazy_builder)/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-7600; reference:url,www.drupal.org/sa-core-2018-002; classtype:attempted-admin; sid:46316; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla restore.php PHP object injection attempt"; flow:to_server,established; content:"/administrator/components/com_joomlaupdate/restore.php"; fast_pattern:only; http_uri; content:"factory="; nocase; http_uri; content:"OjI2OiJraWNrc3RhcnQuc2V0dXAuc291cmNlZmlsZSI7"; content:"aHR0cDovL"; metadata:ruleset community, service http; reference:cve,2014-7228; classtype:web-application-attack; sid:46315; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 information disclosure attempt"; flow:to_server,established; content:"/router-info.htm"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.netgear.com/home/products/networking/wifi-routers/WNR2000.aspx; classtype:attempted-recon; sid:46314; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 information disclosure attempt"; flow:to_server,established; content:"/cgi-bin/upg_restore.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.netgear.com/home/products/networking/wifi-routers/WNR2000.aspx; classtype:attempted-recon; sid:46313; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 information disclosure attempt"; flow:to_server,established; content:"/cgi-bin/NETGEAR_WNR2000.cfg"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.netgear.com/home/products/networking/wifi-routers/WNR2000.aspx; classtype:attempted-recon; sid:46312; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest NetVault Backup Server NVBUTransferHistory SQL injection attempt"; flow:to_server,established; content:"|22|NVBUTransferHistory|22|"; fast_pattern:only; http_client_body; content:"|22|where|22|"; nocase; http_client_body; pcre:"/\x22where\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x27\x3b\x23]|\x2f\x2a|\x2d\x2d)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-17419; classtype:web-application-attack; sid:46311; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt"; flow:to_server,established; content:"/cgi-bin/wizReq.cgi"; fast_pattern:only; http_uri; content:"SMB_"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?SMB_(LOCATION|USERNAME)((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:web-application-attack; sid:46308; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt"; flow:to_server,established; content:"/cgi-bin/wizReq.cgi"; fast_pattern:only; http_uri; content:"SMB"; nocase; http_client_body; pcre:"/(^|&)SMB(\x5f|%5f)(LOCATION|USERNAME)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:web-application-attack; sid:46307; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt"; flow:to_server,established; content:"/cgi-bin/wizReq.cgi"; fast_pattern:only; http_uri; content:"SMB_"; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]SMB(\x5f|%5f)(LOCATION|USERNAME)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:web-application-attack; sid:46306; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt"; flow:to_server,established; content:"/cgi-bin/wizReq.cgi"; fast_pattern:only; http_uri; content:"SMB_"; nocase; http_uri; pcre:"/[?&]SMB_(LOCATION|USERNAME)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:web-application-attack; sid:46305; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Antsle antman authentication bypass attempt"; flow:to_server,established; content:"/login"; nocase; http_uri; content:"password=%0a"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-7739; classtype:web-application-attack; sid:46303; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest NetVault Backup Server NVBUEventHistory SQL injection attempt"; flow:to_server,established; content:"|22|NVBUEventHistory|22|"; fast_pattern:only; http_client_body; content:"|22|where|22|"; nocase; http_client_body; pcre:"/\x22where\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x27\x3b\x23]|\x2f\x2a|\x2d\x2d)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,102252; reference:cve,2017-17412; classtype:web-application-attack; sid:46302; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Afian FileRun SQL injection attempt"; flow:to_server,established; content:"section=cpanel"; fast_pattern:only; http_uri; content:"module="; nocase; http_uri; content:"page="; nocase; http_uri; content:"search="; nocase; http_client_body; pcre:"/(^|&)search=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-7735; reference:url,www.feedback.filerun.com/communities/1/topics/189-critical-security-update-available; classtype:web-application-attack; sid:46380; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Afian FileRun SQL injection attempt"; flow:to_server,established; content:"section=cpanel"; fast_pattern:only; http_uri; content:"module="; nocase; http_uri; content:"page="; nocase; http_uri; content:"search="; nocase; http_uri; pcre:"/[?&]search=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-7735; reference:url,www.feedback.filerun.com/communities/1/topics/189-critical-security-update-available; classtype:web-application-attack; sid:46379; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt"; flow:to_server,established; content:"/fosagent/repl/download-file"; fast_pattern:only; http_uri; content:"filepath="; nocase; http_client_body; pcre:"/(^|&)filepath=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:cve,2017-11511; classtype:web-application-attack; sid:46355; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt"; flow:to_server,established; content:"/fosagent/repl/download-file"; fast_pattern:only; http_uri; content:"filepath="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]filepath=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:cve,2017-11511; classtype:web-application-attack; sid:46354; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt"; flow:to_server,established; content:"/fosagent/repl/download-file"; fast_pattern:only; http_uri; content:"filepath"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?filepath((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:service http; reference:cve,2017-11511; classtype:web-application-attack; sid:46353; rev:1;)
# NetIQ Access Manager Identity Server directory traversal, CVE-2017-14803.
# Three enabled variants, all gated on "/nidp/download" in the URI and on the
# fileInfo1 parameter; they differ only in where the parameter is carried:
#   sid 46350 - multipart body: name=fileInfo1 followed, before the next line
#               starting with "--", by ".." and "/" or "\" (pcre flags P, s, i, m).
#   sid 46349 - URI query string: literal "../" in the http_uri buffer (pcre flag U).
#   sid 46348 - urlencoded body: ".." and "/" or "\" in raw or %2e/%2f/%5c form.
# The metadata sets action "drop" for the balanced-ips, max-detect-ips and
# security-ips policies.
# NOTE(review): sid 46349 matches only the forward-slash form "../"; whether an
# encoded or backslash form reaches it as "../" depends on the URI normalization
# configured in http_inspect - confirm for this sensor.
# NOTE(review): all three rules are bound to $HTTP_PORTS; confirm that variable
# includes the port the Identity Server listens on in this deployment.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt"; flow:to_server,established; content:"/nidp/download"; fast_pattern:only; http_uri; content:"fileInfo1"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?fileInfo1((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-14803; classtype:web-application-attack; sid:46350; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt"; flow:to_server,established; content:"/nidp/download"; fast_pattern:only; http_uri; content:"fileInfo1="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]fileInfo1=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-14803; classtype:web-application-attack; sid:46349; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt"; flow:to_server,established; content:"/nidp/download"; fast_pattern:only; http_uri; content:"fileInfo1="; nocase; http_client_body; pcre:"/(^|&)fileInfo1=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-14803; classtype:web-application-attack; sid:46348; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MediaWiki index.php rs cross site scripting attempt"; flow:to_server,established; content:"/wiki/index.php"; fast_pattern:only; http_uri; content:"action=ajax"; nocase; http_uri; content:"rs="; nocase; http_uri; pcre:"/[?&]rs=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2007-0177; classtype:attempted-user; sid:46347; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Moodle PoodLL Filter plugin cross site scripting attempt"; flow:to_server,established; content:"/filter_poodll_moodle"; http_uri; content:"/index.php"; distance:0; http_uri; content:"poodll_audio_url="; fast_pattern:only; http_uri; pcre:"/[?&]poodll_audio_url=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:bugtraq,96212; reference:cve,2017-5945; classtype:web-application-attack; sid:46408; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt"; flow:to_server,established; content:"/goform/Mail_Test"; fast_pattern:only; http_uri; content:"f_"; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]f(\x5f|%5f)(username|password|smtpserver|sender|sendto)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,gulftech.org/advisories/D-Link%20DNS-343%20ShareCenter%20Remote%20Root/128; classtype:web-application-attack; sid:46402; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt"; flow:to_server,established; content:"/goform/Mail_Test"; fast_pattern:only; http_uri; pcre:"/(^|&)f(\x5f|%5f)(username|password|smtpserver|sender|sendto)=[^&]*?([\x60\x3b\x7c\x23]|%60|%3b|%7c|%23|%26|([\x3c\x3e\x24]|%3c|%3e|%24)(\x28|%28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,gulftech.org/advisories/D-Link%20DNS-343%20ShareCenter%20Remote%20Root/128; classtype:web-application-attack; sid:46401; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt"; flow:to_server,established; content:"/goform/Mail_Test"; fast_pattern:only; http_uri; content:"f_"; nocase; http_uri; pcre:"/[?&]f_(username|password|smtpserver|sender|sendto)=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,gulftech.org/advisories/D-Link%20DNS-343%20ShareCenter%20Remote%20Root/128; classtype:web-application-attack; sid:46400; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,9200] (msg:"SERVER-WEBAPP Elasticsearch snapshot directory traversal attempt"; flow:to_server,established; content:"GET /_snapshot/"; fast_pattern:only; pcre:"/GET\x20\x2f_snapshot\x2f[^\x0d]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/i"; metadata:service http; reference:bugtraq,75935; reference:cve,2015-5531; classtype:web-application-attack; sid:46450; rev:1;)
# Drupal unsafe internal attribute RCE, CVE-2018-7600 / CVE-2018-7602
# (SA-CORE-2018-002, SA-CORE-2018-004). Enabled; the metadata sets action "drop"
# in the connectivity-ips, balanced-ips, max-detect-ips and security-ips policies.
# Match logic is two content checks with no pcre: "_triggering_element_name" in
# the client body AND "#type" (case-insensitive) in the http_uri buffer. Both must
# be present in the same request.
# NOTE(review): http_uri is the normalized URI buffer, so a percent-encoded "#" is
# expected to match after decoding - confirm against this sensor's http_inspect
# settings.
# NOTE(review): coverage is limited to requests carrying the "#type" key in the
# URI; treat this sid as one signal for these CVEs, not as proof of absence.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Drupal unsafe internal attribute remote code execution attempt"; flow:to_server,established; content:"_triggering_element_name"; fast_pattern:only; http_client_body; content:"#type"; nocase; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-7600; reference:cve,2018-7602; reference:url,www.drupal.org/sa-core-2018-002; reference:url,www.drupal.org/sa-core-2018-004; classtype:attempted-user; sid:46451; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt"; flow:to_server,established; content:"/Top_Unanswered_Customer_Questions.asp"; fast_pattern:only; http_uri; pcre:"/[?&]r\d=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|%22|%27|%3c|%3e|%28|%29|script|onload|src)/Pi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30137; reference:cve,2008-2991; reference:url,adobe.com/support/security/bulletins/apsb08-16.html; classtype:attempted-user; sid:46465; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt"; flow:to_server,established; content:"/Top_Unanswered_Customer_Questions.asp"; fast_pattern:only; http_uri; pcre:"/[?&]r\d=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30137; reference:cve,2008-2991; reference:url,adobe.com/support/security/bulletins/apsb08-16.html; classtype:attempted-user; sid:46464; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt"; flow:to_server,established; content:"/Top_Unanswered_Customer_Questions.asp"; fast_pattern:only; http_uri; pcre:"/(^|&)r\d=[^&]*?([\x27\x22\x3b\x23\x28]|%27|%22|%3b|%23|%28|(\x2f|%2f)(\x2a|%2a)|(\x2d|%2d){2})/Pim"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30137; reference:cve,2008-2991; reference:url,adobe.com/support/security/bulletins/apsb08-16.html; classtype:web-application-attack; sid:46463; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt"; flow:to_server,established; content:"/Top_Unanswered_Customer_Questions.asp"; fast_pattern:only; http_uri; pcre:"/[?&]r\d=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30137; reference:cve,2008-2991; reference:url,adobe.com/support/security/bulletins/apsb08-16.html; classtype:web-application-attack; sid:46462; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt"; flow:to_server,established; content:"/Help_Errors.asp"; fast_pattern:only; http_uri; pcre:"/[?&]r\d=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|%22|%27|%3c|%3e|%28|%29|script|onload|src)/Pi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30137; reference:cve,2008-2991; reference:url,adobe.com/support/security/bulletins/apsb08-16.html; classtype:attempted-user; sid:46461; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Node.js zlib createDeflateRaw denial of service attempt"; flow:to_server,established; content:"Sec-WebSocket-Extensions"; nocase; http_header; content:"permessage-deflate"; distance:0; http_header; content:"server_max_window_bits=8"; fast_pattern:only; http_header; metadata:service http; reference:cve,2017-14919; classtype:denial-of-service; sid:46454; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt"; flow:to_server,established; content:"/file/download"; fast_pattern:only; http_uri; content:"file"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?file((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,webport.se; classtype:web-application-attack; sid:46522; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt"; flow:to_server,established; content:"/file/download"; fast_pattern:only; http_uri; content:"file="; nocase; http_client_body; pcre:"/(^|&)file=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,webport.se; classtype:web-application-attack; sid:46521; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt"; flow:to_server,established; content:"/file/download"; fast_pattern:only; http_uri; content:"file="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]file=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,webport.se; classtype:web-application-attack; sid:46520; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt"; flow:to_server,established; content:"/set.cgi"; fast_pattern:only; http_uri; content:"n=TLNET_EN"; nocase; http_client_body; content:"v=1"; nocase; http_client_body; metadata:ruleset community, service http; reference:cve,2018-1146; classtype:policy-violation; sid:46519; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt"; flow:to_server,established; content:"/set.cgi"; fast_pattern:only; http_uri; content:"n=TLNET_EN"; nocase; http_uri; content:"v=1"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2018-1146; classtype:policy-violation; sid:46518; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; content:"/proxy.cgi"; fast_pattern:only; http_uri; content:"url"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?url((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-1144; classtype:web-application-attack; sid:46517; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; content:"/proxy.cgi"; fast_pattern:only; http_uri; content:"url="; nocase; http_client_body; pcre:"/(^|&)url=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-1144; classtype:web-application-attack; sid:46516; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; content:"/proxy.cgi"; fast_pattern:only; http_uri; content:"url="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]url=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-1144; classtype:web-application-attack; sid:46515; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; content:"/proxy.cgi"; fast_pattern:only; http_uri; content:"url="; nocase; http_uri; pcre:"/[?&]url=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-1144; classtype:web-application-attack; sid:46514; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; content:"/twonky_cmd.cgi"; fast_pattern:only; http_uri; content:"path"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?path((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-1143; classtype:web-application-attack; sid:46513; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; content:"/twonky_cmd.cgi"; fast_pattern:only; http_uri; content:"path="; nocase; http_client_body; pcre:"/(^|&)path=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-1143; classtype:web-application-attack; sid:46512; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; content:"/twonky_cmd.cgi"; fast_pattern:only; http_uri; content:"path="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]path=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-1143; classtype:web-application-attack; sid:46511; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; content:"/twonky_cmd.cgi"; fast_pattern:only; http_uri; content:"path="; nocase; http_uri; pcre:"/[?&]path=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-1143; classtype:web-application-attack; sid:46510; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Unitrends Enterprise Backup API command injection attempt"; flow:to_server,established; content:"/api/hosts"; fast_pattern:only; http_uri; content:"|22|ip|22|"; nocase; http_client_body; pcre:"/\x22ip\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6328; reference:url,support.unitrends.com/UnitrendsBackup/s/article/000006002; classtype:web-application-attack; sid:46509; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt"; flow:to_server,established; content:"|22|NVBUBackup|22|"; fast_pattern:only; http_client_body; content:"|22|where|22|"; nocase; http_client_body; pcre:"/\x22where\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x27\x3b\x23]|\x2f\x2a|\x2d\x2d)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-17652; reference:cve,2017-17654; reference:cve,2017-17655; reference:cve,2017-17656; reference:cve,2017-17657; classtype:web-application-attack; sid:46489; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TwonkyMedia server directory listing attempt"; flow:to_server,established; content:"/rpc/dir"; fast_pattern:only; http_uri; content:"path="; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2018-7171; classtype:web-application-attack; sid:46485; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress VideoWhisper Live Streaming Integration plugin double extension file upload attempt"; flow:to_server,established; content:"/wp-content/plugins/videowhisper-live-streaming-integration/ls/snapshots/"; fast_pattern:only; http_uri; content:".php."; http_uri; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-1905; classtype:web-application-attack; sid:46483; rev:1;)
# NOTE(review): disabled pair for PHP unserialize integer overflow, CVE-2017-5340.
# Both rules share the same file_data content chain ("o:" within the first 10
# bytes, then ";d:", no "." within the next 20 bytes, and a ";" 20 to 40 bytes
# further on). sid 46470 (to_client, $FILE_DATA_PORTS) also confirms the match
# with a pcre requiring ";d:" followed by at least 20 digits and ";". sid 46469
# (to_server, $SMTP_SERVERS port 25) has no such pcre and relies on the content
# chain alone, so expect it to be the noisier of the two if enabled.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS (msg:"SERVER-WEBAPP PHP unserialize integer overflow attempt"; flow:to_client,established; file_data; content:"o:"; depth:10; content:"|3B|d:"; content:!"."; within:20; content:"|3B|"; within:20; distance:20; pcre:"/\x3bd\x3a\d{20,}?\x3b/"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,95371; reference:cve,2017-5340; classtype:attempted-admin; sid:46470; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP PHP unserialize integer overflow attempt"; flow:to_server,established; file_data; content:"o:"; depth:10; content:"|3B|d:"; content:!"."; within:20; content:"|3B|"; within:20; distance:20; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,95371; reference:cve,2017-5340; classtype:attempted-admin; sid:46469; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt"; flow:to_server,established; content:"controller.php"; fast_pattern:only; http_uri; content:"document"; nocase; http_uri; content:"upload"; nocase; http_uri; content:"parent_id="; nocase; http_uri; content:"patient_id"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?patient_id((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,github.com/LibreHealthIO/lh-ehr; classtype:web-application-attack; sid:46529; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt"; flow:to_server,established; content:"controller.php"; fast_pattern:only; http_uri; content:"document"; nocase; http_uri; content:"upload"; nocase; http_uri; content:"parent_id="; nocase; http_uri; content:"patient_id="; nocase; http_client_body; pcre:"/(^|&)patient_id=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,github.com/LibreHealthIO/lh-ehr; classtype:web-application-attack; sid:46528; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt"; flow:to_server,established; content:"controller.php"; fast_pattern:only; http_uri; content:"document"; nocase; http_uri; content:"upload"; nocase; http_uri; content:"patient_id="; nocase; http_uri; content:"parent_id="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]patient_id=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,github.com/LibreHealthIO/lh-ehr; classtype:web-application-attack; sid:46527; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt"; flow:to_server,established; content:"/custom/ajax_download.php"; fast_pattern:only; http_uri; content:"fileName"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?fileName((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.open-emr.org; classtype:web-application-attack; sid:46526; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt"; flow:to_server,established; content:"/custom/ajax_download.php"; fast_pattern:only; http_uri; content:"fileName="; nocase; http_client_body; pcre:"/(^|&)fileName=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.open-emr.org; classtype:web-application-attack; sid:46525; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt"; flow:to_server,established; content:"/custom/ajax_download.php"; fast_pattern:only; http_uri; content:"fileName="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]fileName=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.open-emr.org; classtype:web-application-attack; sid:46524; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1234 (msg:"SERVER-WEBAPP Indusoft Web Studio/Intouch Machine Edition buffer overflow attempt"; flow:to_server,established; content:"|02 57 03 02 32|"; depth:5; isdataat:1275; metadata:policy max-detect-ips drop, policy security-ips drop; reference:url,www.tenable.com/blog/tenable-research-advisory-critical-schneider-electric-indusoft-web-studio-and-intouch-machine; classtype:web-application-attack; sid:46600; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7756 (msg:"SERVER-WEBAPP UltiDev Cassini Webserver file download attempt"; flow:to_server,established; content:"ApplicationDetails.aspx"; fast_pattern:only; content:"__VIEWSTATE"; nocase; content:"__EVENTVALIDATION"; nocase; content:"Port+Selection"; nocase; content:"portTextBox"; nocase; content:"nameTextBox"; nocase; content:"descriptionTextBox"; nocase; content:"appIdTextBox"; nocase; content:"clrVersionDropDownList"; nocase; content:"submitImageButton.x"; nocase; content:"submitImageButton.y"; nocase; content:"physicalPathTextBox"; nocase; content:"defaultDocumentTextBox"; nocase; metadata:service http; reference:url,ultidev.com/products/Cassini/; classtype:web-application-attack; sid:46540; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NetGear DGN2200B command injection attempt"; flow:to_server,established; content:"/pppoe.cgi"; fast_pattern:only; http_uri; content:"pppoe_username"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?pppoe_username((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.netgear.com/home/products/networking/dsl-modems-routers/dgn2200.aspx; classtype:web-application-attack; sid:46537; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NetGear DGN2200B command injection attempt"; flow:to_server,established; content:"/pppoe.cgi"; fast_pattern:only; http_uri; content:"username"; nocase; http_client_body; pcre:"/(^|&)pppoe(\x5f|%5f)username=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.netgear.com/home/products/networking/dsl-modems-routers/dgn2200.aspx; classtype:web-application-attack; sid:46536; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NetGear DGN2200B command injection attempt"; flow:to_server,established; content:"/pppoe.cgi"; fast_pattern:only; http_uri; content:"pppoe_username="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]pppoe(\x5f|%5f)username=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.netgear.com/home/products/networking/dsl-modems-routers/dgn2200.aspx; classtype:web-application-attack; sid:46535; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NetGear DGN2200B command injection attempt"; flow:to_server,established; content:"/pppoe.cgi"; fast_pattern:only; http_uri; content:"pppoe_username="; nocase; http_uri; pcre:"/[?&]pppoe_username=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.netgear.com/home/products/networking/dsl-modems-routers/dgn2200.aspx; classtype:web-application-attack; sid:46534; rev:1;)
# NOTE(review): disabled rule, sid 46533 (CVE-2014-0615). Read the pcre before
# enabling: it is a top-level alternation of `\x0c.[\x22\x27\x3c\x3e\x28\x29]`
# and `(script|onload|src)`. The first branch inspects only the byte two
# positions after a 0x0c byte. The second branch is not tied to the 0x0c byte at
# all, and the pcre carries no relative flag, so "script", "onload" or "src"
# anywhere in the payload satisfies it once the content chain has matched.
# The content chain (|63 82 53 63 35|, then |03| one byte later, then |0C|) looks
# like the DHCP magic cookie, a message-type option with value 3 and the
# host-name option tag - TODO confirm. Expect false positives from the
# unanchored second branch.
# alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-WEBAPP DHCP cross site scripting attempt"; flow:to_server; content:"|63 82 53 63 35|"; content:"|03|"; within:1; distance:1; content:"|0C|"; distance:0; pcre:"/\x0c.[\x22\x27\x3c\x3e\x28\x29]|(script|onload|src)/i"; metadata:service dhcp; reference:cve,2014-0615; classtype:attempted-user; sid:46533; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SearchBlox suspicious configuration upload attempt"; flow:to_server,established; content:"searchblox/servlet/UserServlet"; fast_pattern:only; http_uri; content:"action=importConfig"; http_uri; content:"config.xml"; nocase; http_client_body; content:"root"; http_client_body; content:"url=|22|c:/|22|"; within:150; nocase; http_client_body; content:"scanner"; http_client_body; content:"type=|22|FILE|22|"; within:150; nocase; http_client_body; content:"name=|22|max-size|22|"; http_client_body; content:"value=|22|-1|22|/>"; within:150; http_client_body; content:"name=|22|max-age|22|"; http_client_body; content:"value=|22|-1|22|/>"; within:150; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,dreamreport.net; classtype:web-application-attack; sid:46532; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SearchBlox suspicious configuration upload attempt"; flow:to_server,established; content:"searchblox/servlet/UserServlet"; fast_pattern:only; http_uri; content:"action=importConfig"; http_uri; content:"config.xml"; nocase; http_client_body; content:"root"; http_client_body; content:"url=|22|/|22|"; within:150; nocase; http_client_body; content:"scanner"; http_client_body; content:"type=|22|FILE|22|"; within:150; nocase; http_client_body; content:"name=|22|max-size|22|"; http_client_body; content:"value=|22|-1|22|/>"; within:150; http_client_body; content:"name=|22|max-age|22|"; http_client_body; content:"value=|22|-1|22|/>"; within:150; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,dreamreport.net; classtype:web-application-attack; sid:46531; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dream Report ASPX file upload attempt"; flow:to_server,established; content:"/DRweb_Demo/WebAPI/WebCmd.svc/UploadFile"; fast_pattern:only; http_uri; content:"CjwlQC"; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,dreamreport.net; classtype:web-application-attack; sid:46530; rev:1;)
# GPON router command injection, CVE-2018-10562. Four enabled variants, all keyed
# on the dest_host parameter; the metadata sets action "drop" in the balanced-ips,
# max-detect-ips and security-ips policies.
#   sid 46627 - normalized URI (pcre flag U): dest_host value containing a
#               backtick, ";", "|", or "<(", ">(", "$(".
#   sid 46626 - multipart body: name=dest_host, a blank line, then one of the same
#               metacharacters or "&" before the next line starting with "--".
#   sid 46625 - raw URI (pcre flag I): dest_host value containing "%26".
#   sid 46624 - urlencoded body: the same metacharacters in raw or %-encoded form.
# NOTE(review): the msg text mentions an authentication bypass, but none of the
# visible options key on it; these rules detect only the dest_host injection
# pattern.
# NOTE(review): no rule here constrains the URI path, so any application in
# $HOME_NET that accepts a dest_host parameter containing ";" or "|" will match
# and, under the policies above, be dropped. Review alerts for these sids against
# known-benign applications before running inline.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GPON Router authentication bypass and command injection attempt"; flow:to_server,established; content:"dest_host"; fast_pattern:only; http_uri; pcre:"/[?&]dest_host=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-10562; reference:url,vpnmentor.com/blog/critical-vulnerability-gpon-router/; classtype:web-application-attack; sid:46627; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GPON Router authentication bypass and command injection attempt"; flow:to_server,established; content:"dest_host"; fast_pattern:only; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?dest_host((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-10562; reference:url,vpnmentor.com/blog/critical-vulnerability-gpon-router/; classtype:web-application-attack; sid:46626; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GPON Router authentication bypass and command injection attempt"; flow:to_server,established; content:"dest_host"; fast_pattern; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]dest(\x5f|%5f)host=[^&]*?%26/Ii"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-10562; reference:url,vpnmentor.com/blog/critical-vulnerability-gpon-router/; classtype:web-application-attack; sid:46625; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GPON Router authentication bypass and command injection attempt"; flow:to_server,established; content:"dest_host"; fast_pattern:only; http_client_body; pcre:"/(^|&)dest(\x5f|%5f)host=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-10562; reference:url,vpnmentor.com/blog/critical-vulnerability-gpon-router/; classtype:web-application-attack; sid:46624; rev:2;)
# SAP Internet Graphics Server: all four rules are commented out (disabled).
#   sid 46623 / 46622  ZIPPER ... COMPRESS ... FILE name= whose quoted value runs to 500 or
#                      more non-quote bytes (isdataat:500 plus the pcre {500} quantifier).
#                      46623 watches port 40000 and carries no "service http" tag; 46622
#                      watches $HTTP_PORTS and 40080.
#   sid 46621 / 46620  POST /IMGCONV carrying <PUT_URL>file:// (upload) or <GET_URL>file://
#                      (information leak).
# NOTE(review): before enabling, confirm the ports the IGS instances listen on are the ones
# named in the rule headers.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 40000 (msg:"SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt"; flow:to_server,established; file_data; content:"ZIPPER"; depth:15; content:"COMPRESS"; distance:0; content:"FILE"; distance:0; content:"name="; within:10; isdataat:500; pcre:"/FILE\s+?name\x3d\s*?[\x22\x27][^\x22\x27]{500}/"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2018-2394; classtype:attempted-user; sid:46623; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,40080] (msg:"SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt"; flow:to_server,established; file_data; content:"POST /ZIPPER"; fast_pattern:only; content:"COMPRESS"; content:"FILE"; distance:0; content:"name="; within:10; isdataat:500; pcre:"/FILE\s+?name\x3d\s*?[\x22\x27][^\x22\x27]{500}/"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-2385; reference:cve,2018-2386; reference:cve,2018-2391; reference:cve,2018-2394; reference:cve,2018-2396; classtype:attempted-user; sid:46622; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,40080] (msg:"SERVER-WEBAPP SAP Internet Graphics Server image converter arbitrary file upload attempt"; flow:to_server,established; content:"POST /IMGCONV"; fast_pattern:only; content:"<PUT_URL>file|3A|//"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-2395; reference:url,blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/; classtype:web-application-attack; sid:46621; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,40080] (msg:"SERVER-WEBAPP SAP Internet Graphics Server image converter information leak attempt"; flow:to_server,established; content:"POST /IMGCONV"; fast_pattern:only; content:"<GET_URL>file|3A|//"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-2395; reference:url,blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/; classtype:web-application-attack; sid:46620; rev:1;)
# Digital Guardian Management Console arbitrary file upload (cve,2018-10173): both disabled.
# Each rule pins one upload page in the URI (PromptSkin.aspx / ServerSettingsPDFTemplates.aspx)
# and then requires a multipart part with the named field (skinFile / inputFilePath) whose
# filename ends in .asp or .aspx.
# Both carry "ruleset community" in their metadata.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt"; flow:to_server,established; content:"/DigitalGuardian/Policies/PromptSkin.aspx"; fast_pattern:only; http_uri; content:"skinFile"; nocase; http_client_body; content:".asp"; distance:0; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]skinFile[\x22\x27]\x3b((?!^--).)*?filename\s*=\s*[\x22\x27]\S+?\x2easpx?[\x22\x27][\r\n]{2,}/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-10173; classtype:web-application-attack; sid:46666; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt"; flow:to_server,established; content:"/DigitalGuardian/Management/ServerSettingsPDFTemplates.aspx"; fast_pattern:only; http_uri; content:"inputFilePath"; nocase; http_client_body; content:".asp"; distance:0; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]inputFilePath[\x22\x27]\x3b((?!^--).)*?filename\s*=\s*[\x22\x27]\S+?\x2easpx?[\x22\x27][\r\n]{2,}/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-10173; classtype:web-application-attack; sid:46665; rev:1;)
# D-Link DSL-2750B login.cgi "cli" parameter command injection: three enabled rules.
#   sid 46737  raw URI (pcre /I): literal %26 inside cli
#   sid 46736  normalized URI (pcre /U): backtick, ';', '|', '#' or '<(' '>(' '$(' inside cli
#   sid 46735  request body (pcre /P): the same characters, raw or percent-encoded, plus %26
# No CVE reference is attached, only the seclists.org advisory, so a search of alerts by CVE id
# will not surface these; search by sid or msg instead.
# The only URI anchor is "/login.cgi", a generic path. The device model comes from the msg, not
# from anything the rule matches, so confirm what the destination host actually is.
# These rules also carry "policy connectivity-ips drop", the one policy tag on this rule family
# that the surrounding rule families do not carry.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt"; flow:to_server,established; content:"/login.cgi"; fast_pattern:only; http_uri; content:"cli="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]cli=[^&]*?%26/Ii"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Feb/53; classtype:web-application-attack; sid:46737; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt"; flow:to_server,established; content:"/login.cgi"; fast_pattern:only; http_uri; content:"cli="; nocase; http_uri; pcre:"/[?&]cli=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Feb/53; classtype:web-application-attack; sid:46736; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt"; flow:to_server,established; content:"/login.cgi"; fast_pattern:only; http_uri; content:"cli="; nocase; http_client_body; pcre:"/(^|&)cli=[^&]*?([\x60\x3b\x7c\x23]|%60|%3b|%7c|%23|%26|([\x3c\x3e\x24]|%3c|%3e|%24)(\x28|%28))/Pim"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,seclists.org/fulldisclosure/2016/Feb/53; classtype:web-application-attack; sid:46735; rev:2;)
# Nagios XI (cve,2018-8734): seven rules, all disabled, all tagged "ruleset community".
#   sid 46779          request to /nagiosql/admin/settings.php containing txtDBname=nagiosql
#   sid 46778 - 46775  command_data injection on /nagiosxi/backend/index.php
#                      (multipart body, urlencoded body, raw URI %26, normalized URI)
#   sid 46774 / 46773  SQL metacharacters in selInfoKey1 on /nagiosql/admin/helpedit.php
#                      (request body / normalized URI)
# sid 46779 has no "policy" metadata and matches a plain parameter value, not an injection.
#   NOTE(review): presumably a legitimate settings save matches too; verify before enabling.
# The msg of sid 46774 spells the product "NagiosXI" while the others use "Nagios XI", so an
# alert search on the msg text "Nagios XI" misses it. Search by sid.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI database settings modification attempt"; flow:to_server,established; content:"/nagiosql/admin/settings.php"; fast_pattern:only; http_uri; content:"txtDBname=nagiosql"; nocase; metadata:ruleset community, service http; reference:cve,2018-8734; classtype:web-application-attack; sid:46779; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI command injection attempt"; flow:to_server,established; content:"/nagiosxi/backend/index.php"; fast_pattern:only; http_uri; content:"command_data"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?command_data((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-8734; classtype:web-application-attack; sid:46778; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI command injection attempt"; flow:to_server,established; content:"/nagiosxi/backend/index.php"; fast_pattern:only; http_uri; content:"command"; nocase; http_client_body; pcre:"/(^|&)command(\x5f|%5f)data=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-8734; classtype:web-application-attack; sid:46777; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI command injection attempt"; flow:to_server,established; content:"/nagiosxi/backend/index.php"; fast_pattern:only; http_uri; content:"command_data="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]command(\x5f|%5f)data=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-8734; classtype:web-application-attack; sid:46776; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI command injection attempt"; flow:to_server,established; content:"/nagiosxi/backend/index.php"; fast_pattern:only; http_uri; content:"command_data="; nocase; http_uri; pcre:"/[?&]command_data=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-8734; classtype:web-application-attack; sid:46775; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosXI SQL injection attempt"; flow:to_server,established; content:"/nagiosql/admin/helpedit.php"; fast_pattern:only; http_uri; content:"selInfoKey1="; nocase; http_client_body; pcre:"/(^|&)selInfoKey1=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-8734; classtype:web-application-attack; sid:46774; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI SQL injection attempt"; flow:to_server,established; content:"/nagiosql/admin/helpedit.php"; fast_pattern:only; http_uri; content:"selInfoKey1="; nocase; http_uri; pcre:"/[?&]selInfoKey1=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-8734; classtype:web-application-attack; sid:46773; rev:1;)
# D-Link DNS-325 ShareCenter photocenter_mgr.cgi command injection: three disabled rules
# covering the dev_name, dev_type and dev_pw parameters.
#   sid 46760  request body (pcre /P), raw or percent-encoded shell metacharacters
#   sid 46759  raw URI (pcre /I), literal %26 inside the parameter value
#   sid 46758  normalized URI (pcre /U)
# The only reference is the gulftech.org advisory; no CVE id is attached.
# dev_pw is one of the matched fields, so payloads logged with these alerts can contain a
# submitted password value. Handle captures accordingly.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DNS-325 ShareCenter photocenter_mgr.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/photocenter_mgr.cgi"; fast_pattern:only; http_uri; content:"dev"; nocase; http_client_body; pcre:"/(^|&)dev(\x5f|%5f)(name|type|pw)=[^&]*?([\x60\x3b\x7c\x23]|%60|%3b|%7c|%23|%26|([\x3c\x3e\x24]|%3c|%3e|%24)(\x28|%28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,gulftech.org/advisories/D-Link%20DNS-325%20ShareCenter%20Multiple%20Vulnerabilities/129; classtype:web-application-attack; sid:46760; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DNS-325 ShareCenter photocenter_mgr.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/photocenter_mgr.cgi"; fast_pattern:only; http_uri; content:"dev_"; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]dev(\x5f|%5f)(name|type|pw)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,gulftech.org/advisories/D-Link%20DNS-325%20ShareCenter%20Multiple%20Vulnerabilities/129; classtype:web-application-attack; sid:46759; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DNS-325 ShareCenter photocenter_mgr.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/photocenter_mgr.cgi"; fast_pattern:only; http_uri; content:"dev_"; nocase; http_uri; pcre:"/[?&]dev_(name|type|pw)=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,gulftech.org/advisories/D-Link%20DNS-325%20ShareCenter%20Multiple%20Vulnerabilities/129; classtype:web-application-attack; sid:46758; rev:1;)
# LG NAS login_check.php (cve,2018-10818): disabled. Matches shell metacharacters, raw or
# percent-encoded, inside the password= field of a login POST that also carries op_mode=.
# Operational caveats before enabling:
#   - a legitimate password containing ';', '|', '#' or a backtick satisfies the pcre, so
#     expect alerts from ordinary logins;
#   - every alert is raised on a packet that holds the submitted password field, so logged
#     payloads need the same handling as credentials.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LG NAS login_check.php command injection attempt"; flow:to_server,established; content:"/php/login_check.php"; fast_pattern:only; http_uri; content:"op_mode="; nocase; http_client_body; content:"password="; nocase; http_client_body; pcre:"/(^|&)password=[^&]*?([\x60\x3b\x7c\x23]|%60|%3b|%7c|%23|%26|([\x3c\x3e\x24]|%3c|%3e|%24)(\x28|%28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-10818; reference:url,www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/; classtype:web-application-attack; sid:46753; rev:1;)
# PHP .phar cross-site scripting (cve,2018-10547, cve,2018-5712): disabled, no "policy"
# metadata. After ".phar/" in the normalized URI the pcre accepts a quote, angle bracket or
# parenthesis, or the bare substrings "script", "onload" or "src" (case-insensitive). The
# substring alternatives are broad, so review the false-positive rate on real traffic before
# enabling.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP .phar cross site scripting attempt"; flow:to_server,established; content:".phar/"; fast_pattern:only; http_uri; pcre:"/\x2ephar\x2f[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:bugtraq,102742; reference:bugtraq,104020; reference:cve,2018-10547; reference:cve,2018-5712; classtype:attempted-user; sid:46808; rev:1;)
# BA Systems BAS Web information disclosure (cve,2017-17974): two enabled rules.
# Each matches on the URI path alone (/isc/get_sid_js.aspx, /isc/get_sid.aspx). There is no
# parameter, method or body condition, so every request for either path from $EXTERNAL_NET
# alerts, and the rule cannot tell an authorized operator from anyone else.
# Triage on source address and on whether the destination really is a BAS Web controller.
# flow:to_server means the server's reply is not inspected, so an alert shows the request was
# made, not that data was returned.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP BA Systems BAS Web information disclosure attempt"; flow:to_server,established; content:"/isc/get_sid_js.aspx"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-17974; classtype:attempted-user; sid:46806; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP BA Systems BAS Web information disclosure attempt"; flow:to_server,established; content:"/isc/get_sid.aspx"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-17974; classtype:attempted-user; sid:46805; rev:1;)
# Anti-Web write.cgi directory traversal (cve,2017-9097): three disabled rules on the
# "template" parameter of /cgi-bin/write.cgi.
#   sid 46804  multipart body: ".." followed by '/' or '\' after a part named template
#   sid 46803  normalized URI: "../" inside template=
#   sid 46802  urlencoded body: two dots and a slash or backslash, each raw or percent-encoded
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Anti-Web directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/write.cgi"; fast_pattern:only; http_uri; content:"template"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?template((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-9097; classtype:web-application-attack; sid:46804; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Anti-Web directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/write.cgi"; fast_pattern:only; http_uri; content:"template="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]template=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-9097; classtype:web-application-attack; sid:46803; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Anti-Web directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/write.cgi"; fast_pattern:only; http_uri; content:"template="; nocase; http_client_body; pcre:"/(^|&)template=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-9097; classtype:web-application-attack; sid:46802; rev:1;)
# Western Digital MyCloud snmp_mgr.cgi command injection: three disabled rules on the uid,
# data and ip parameters (request body, normalized URI, raw URI %26).
# The only reference is the exploitee.rs wiki page; no CVE id is attached, so alert searches by
# CVE will not find these.
# The parameter names are short and appear only in the pcre, with no content match of their
# own. The "/cgi-bin/snmp_mgr.cgi" fast pattern is what limits the rules to this endpoint.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud snmp_mgr.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/snmp_mgr.cgi"; fast_pattern:only; http_uri; pcre:"/(^|&)(uid|data|ip)=[^&]*?([\x60\x3b\x7c\x23]|%60|%3b|%7c|%23|%26|([\x3c\x3e\x24]|%3c|%3e|%24)(\x28|%28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploitee.rs/index.php/Western_Digital_MyCloud; classtype:web-application-attack; sid:46801; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud snmp_mgr.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/snmp_mgr.cgi"; fast_pattern:only; http_uri; pcre:"/[?&](uid|data|ip)=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploitee.rs/index.php/Western_Digital_MyCloud; classtype:web-application-attack; sid:46800; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud snmp_mgr.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/snmp_mgr.cgi"; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&](uid|data|ip)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploitee.rs/index.php/Western_Digital_MyCloud; classtype:web-application-attack; sid:46799; rev:1;)
# Ruby Net::FTP command injection (cve,2017-17405): disabled, no "policy" metadata.
# The vulnerability is in a library, but the rule matches one request shape: "/download",
# "uri=ftp://" and a file= parameter holding a shell metacharacter, on $HTTP_PORTS or 9001.
# None of the contents has an HTTP buffer modifier, so they are searched in the raw payload.
#   NOTE(review): this presumably mirrors one specific application or test harness. Confirm it
#   matches how your own applications expose Net::FTP before relying on it.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,9001] (msg:"SERVER-WEBAPP Ruby Net FTP library command injection attempt"; flow:to_server,established; content:"/download"; content:"uri=ftp://"; fast_pattern:only; content:"file="; nocase; pcre:"/[?&]file=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/i"; metadata:service http; reference:bugtraq,102204; reference:cve,2017-17405; reference:url,www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/; classtype:web-application-attack; sid:46791; rev:1;)
# D-Link DIR-620 index.cgi command injection (cve,2018-6211): two disabled rules. Both require
# "/index.cgi" in the URI and "res_config_action=" in the packet, then look for a shell
# metacharacter inside the quoted value of a JSON-style "host" key.
#   sid 46829  normalized URI (pcre /U)
#   sid 46828  request body (pcre /P), with quotes, colon and metacharacters also accepted
#              percent-encoded
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DIR-620 index.cgi command injection attempt"; flow:to_server,established; content:"/index.cgi"; nocase; http_uri; content:"res_config_action="; fast_pattern:only; content:"|22|host|22|"; nocase; http_uri; pcre:"/\x22host\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6211; reference:url,securelist.com/backdoors-in-d-links-backyard/85530/; classtype:web-application-attack; sid:46829; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DIR-620 index.cgi command injection attempt"; flow:to_server,established; content:"/index.cgi"; nocase; http_uri; content:"res_config_action="; fast_pattern:only; content:"host"; nocase; http_client_body; pcre:"/(\x22|%22)host(\x22|%22)(\s|%20)*(\x3a|%3a)(\s|%20)*(\x22|%22)((?!(?<!(..\x5c|%5c))(\x22|%22)).)*?([\x60\x3b\x7c\x23]|%60|%3b|%7c|%23|%26|([\x3c\x3e\x24]|%3c|%3e|%24)(\x28|%28))/Psi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6211; reference:url,securelist.com/backdoors-in-d-links-backyard/85530/; classtype:web-application-attack; sid:46828; rev:1;)
# DVR /device.rsp rules (cve,2018-9995). Both require "/device.rsp" in the URI and "uid=" in
# the raw Cookie header. The trailing cmd= content has no HTTP buffer modifier, so it is
# searched in the raw payload, not in a specific HTTP field.
#   sid 46826 (disabled)  any cmd= value; no "policy" metadata
#   sid 46825 (enabled)   cmd=list only, the request the msg associates with the admin
#                         password leak
# Triage: flow:to_server means only the request is inspected. An alert shows the request was
# sent, not that credentials were returned, so check the response in the same session.
# If the device answered, treat its admin credentials as exposed.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd="; metadata:service http; reference:cve,2018-9995; classtype:web-application-attack; sid:46826; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:46825; rev:1;)
# DotNetNuke DreamSlider arbitrary file download: disabled, no reference and no "policy"
# metadata. It matches any request to DownloadProvider.aspx that carries a file= parameter,
# whatever its value, so legitimate downloads through the module alert as well.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DotNetNuke DreamSlider arbitrary file download attempt"; flow:to_server,established; content:"/DesktopModules/DreamSlider/DownloadProvider.aspx"; fast_pattern:only; nocase; http_uri; content:"file="; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:46824; rev:1;)
# Spring Security OAuth remote code execution (cve,2018-1260): ENABLED.
# Fires on "${" anywhere in the normalized URI of a request to /oauth/authorize. Only the URI
# buffer is inspected. classtype is attempted-admin, the highest-impact class in this group of
# rules, so route these alerts accordingly.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Spring Security OAuth remote code execution attempt"; flow:to_server,established; content:"/oauth/authorize"; fast_pattern:only; http_uri; content:"${"; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-1260; classtype:attempted-admin; sid:46823; rev:1;)
# Western Digital MyCloud raid_cgi.php: disabled. Matches the presence of run_cmd= in the body
# of a request to /web/storage/raid_cgi.php; the parameter value is not examined.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud raid_cgi.php arbitrary command execution attempt"; flow:to_server,established; content:"/web/storage/raid_cgi.php"; fast_pattern:only; http_uri; content:"run_cmd="; nocase; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploitee.rs/index.php/Western_Digital_MyCloud; classtype:web-application-attack; sid:46822; rev:1;)
# FLIR Breakstream 2300 information disclosure (cve,2018-3813): disabled. URI-path-only match
# on /getConfigExportFile.cgi, so any request for that path alerts.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FLIR Breakstream 2300 unauthenticated information disclosure attempt"; flow:to_server,established; content:"/getConfigExportFile.cgi"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-3813; classtype:attempted-user; sid:46817; rev:1;)
# Western Digital MyCloud login_mgr.cgi command injection: three disabled rules on the
# username parameter.
#   sid 46816  request body (pcre /P), raw or percent-encoded shell metacharacters
#   sid 46815  raw URI (pcre /I), literal %26 inside username
#   sid 46814  normalized URI (pcre /U)
# This is a login endpoint: the matched request will normally carry the rest of the login form
# too, so treat logged payloads as potentially containing credentials.
# The only reference is the exploitee.rs wiki page; no CVE id is attached.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/login_mgr.cgi"; fast_pattern:only; http_uri; content:"username="; nocase; http_client_body; pcre:"/(^|&)username=[^&]*?([\x60\x3b\x7c\x23]|%60|%3b|%7c|%23|%26|([\x3c\x3e\x24]|%3c|%3e|%24)(\x28|%28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploitee.rs/index.php/Western_Digital_MyCloud; classtype:web-application-attack; sid:46816; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/login_mgr.cgi"; fast_pattern:only; http_uri; content:"username="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]username=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploitee.rs/index.php/Western_Digital_MyCloud; classtype:web-application-attack; sid:46815; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/login_mgr.cgi"; fast_pattern:only; http_uri; content:"username="; nocase; http_uri; pcre:"/[?&]username=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploitee.rs/index.php/Western_Digital_MyCloud; classtype:web-application-attack; sid:46814; rev:1;)
# IBM QRadar SIEM ForensicsAnalysisServlet (cve,2018-1418): four disabled rules.
#   sid 46852  [pcap]= injection in the request body (brackets raw or percent-encoded)
#   sid 46851  [pcap]= injection in the normalized URI
#   sid 46850  authentication bypass: action=setSecurityTokens plus forensicsManagedHostIps,
#              both matched without an HTTP buffer modifier
#   sid 46849  raw URI, literal %26 inside the [pcap] value
# The target is the SIEM itself. If QRadar is deployed and its web interface is reachable from
# $EXTERNAL_NET, review whether these should be enabled: the console holds the security
# telemetry for the whole estate.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IBM QRadar SIEM command injection attempt"; flow:to_server,established; content:"/ForensicsAnalysisServlet"; fast_pattern:only; http_uri; content:"pcap"; nocase; http_client_body; pcre:"/(\x5b|%5b)pcap(\x5d|%5d)=[^&]*?([\x60\x3b\x7c\x23]|%60|%3b|%7c|%23|%26|([\x3c\x3e\x24]|%3c|%3e|%24)(\x28|%28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-1418; reference:url,blogs.securiteam.com/index.php/archives/3689; reference:url,www-01.ibm.com/support/docview.wss?uid=swg22015797; classtype:web-application-attack; sid:46852; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IBM QRadar SIEM command injection attempt"; flow:to_server,established; content:"/ForensicsAnalysisServlet"; fast_pattern:only; http_uri; content:"[pcap]="; nocase; http_uri; pcre:"/\x5bpcap\x5d=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-1418; reference:url,blogs.securiteam.com/index.php/archives/3689; reference:url,www-01.ibm.com/support/docview.wss?uid=swg22015797; classtype:web-application-attack; sid:46851; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IBM QRadar SIEM ForensicsAnalysisServlet authentication bypass attempt"; flow:to_server,established; content:"/ForensicsAnalysisServlet"; fast_pattern:only; http_uri; content:"action=setSecurityTokens"; nocase; content:"forensicsManagedHostIps"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-1418; reference:url,blogs.securiteam.com/index.php/archives/3689; reference:url,www-01.ibm.com/support/docview.wss?uid=swg22015797; classtype:web-application-attack; sid:46850; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IBM QRadar SIEM command injection attempt"; flow:to_server,established; content:"/ForensicsAnalysisServlet"; fast_pattern:only; http_uri; content:"[pcap]="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/(\x5b|%5b)pcap(\x5d|%5d)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-1418; reference:url,blogs.securiteam.com/index.php/archives/3689; reference:url,www-01.ibm.com/support/docview.wss?uid=swg22015797; classtype:web-application-attack; sid:46849; rev:1;)
# Elasticsearch directory traversal (cve,2015-3337): disabled, no "policy" metadata. It matches
# the raw request line "GET /_plugin/head/" with "../" starting within the next 25 bytes.
# The "head" plugin path is hard-coded and the contents have no HTTP buffer modifiers. The
# header adds port 9200 to $HTTP_PORTS.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,9200] (msg:"SERVER-WEBAPP Elasticsearch directory traversal attempt"; flow:to_server,established; content:"GET /_plugin/head/"; content:"../"; within:25; metadata:service http; reference:cve,2015-3337; classtype:web-application-attack; sid:46881; rev:1;)
# TYPO3 news module SQL injection (cve,2017-7581): disabled, no "policy" metadata. It matches
# one specific expression shape, "ord(substring", inside a tx_news_pi1[overwriteDemand][...]
# body field, not SQL metacharacters in general.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TYPO3 news module SQL injection attempt"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"news"; nocase; http_client_body; content:"overwriteDemand"; within:50; http_client_body; content:"ord"; within:100; nocase; http_client_body; content:"substring"; within:15; nocase; http_client_body; pcre:"/(^|&)tx(\x5f|%5f)news(\x5f|%5f)pi1(\x5b|%5b)overwriteDemand(\x5d|%5d)(\x5b|%5b)\S+?(\x5d|%5d)=[^&]*?ord(\x28|%28)substring/Pim"; metadata:service http; reference:cve,2017-7581; reference:url,extensions.typo3.org/extension/news/; classtype:web-application-attack; sid:46866; rev:1;)
# Quest NetVault Backup Server SQL injection (cve,2017-17653): disabled. It matches ';', '#',
# "/*" or "--" inside the quoted value of a JSON "where" key in a request body that also
# contains "NVBUBackupOptionSet". There is no URI condition.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest NetVault Backup Server NVBUBackupOptionSet SQL injection attempt"; flow:to_server,established; content:"|22|NVBUBackupOptionSet|22|"; fast_pattern:only; http_client_body; content:"|22|where|22|"; nocase; http_client_body; pcre:"/\x22where\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x3b\x23]|\x2f\x2a|\x2d\x2d)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-17653; classtype:web-application-attack; sid:46863; rev:1;)
# Western Digital MyCloud jqueryFileTree.php command injection: three disabled rules on the
# host, pwd, user, dir and lang parameters (request body, normalized URI, raw URI %26).
# The only reference is the exploitee.rs wiki page; no CVE id is attached.
# pwd is one of the matched fields, so payloads logged with these alerts can contain a
# submitted password value. Handle captures accordingly.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud jqueryFileTree.php command injection attempt"; flow:to_server,established; content:"/web/addons/jqueryFileTree.php"; fast_pattern:only; http_uri; pcre:"/(^|&)(host|pwd|user|dir|lang)=[^&]*?([\x60\x3b\x7c\x23]|%60|%3b|%7c|%23|%26|([\x3c\x3e\x24]|%3c|%3e|%24)(\x28|%28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploitee.rs/index.php/Western_Digital_MyCloud; classtype:web-application-attack; sid:46862; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud jqueryFileTree.php command injection attempt"; flow:to_server,established; content:"/web/addons/jqueryFileTree.php"; fast_pattern:only; http_uri; pcre:"/[?&](host|pwd|user|dir|lang)=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploitee.rs/index.php/Western_Digital_MyCloud; classtype:web-application-attack; sid:46861; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud jqueryFileTree.php command injection attempt"; flow:to_server,established; content:"/web/addons/jqueryFileTree.php"; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&](host|pwd|user|dir|lang)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploitee.rs/index.php/Western_Digital_MyCloud; classtype:web-application-attack; sid:46860; rev:1;)
# Atlassian OAuth plugin server-side request forgery (cve,2017-9506): disabled. It matches a
# request to plugins/servlet/oauth/users/icon-uri whose consumerUri value contains "http",
# "ftp" or "file", with ":/" somewhere in the URI. The destination of the supplied URL is not
# evaluated, so the rule flags use of the endpoint, not an internal target.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Atlassian OAuth plugin multiple versions server side request forgery attempt"; flow:to_server,established; content:"plugins/servlet/oauth/users/icon-uri"; fast_pattern:only; http_uri; content:"consumerUri="; nocase; http_uri; content:"|3A|/"; http_uri; pcre:"/[?&]consumerUri=[^&]*?(http|ftp|file)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-9506; reference:url,jira.atlassian.com/browse/FE-6885?src=confmacro; classtype:web-application-attack; sid:46898; rev:1;)
# Joomla GeoContent typename cross-site scripting: disabled, no reference and no "policy"
# metadata. The pcre accepts the bare substrings "script", "onload" and "src" as well as
# quote, bracket and parenthesis characters, so check the false-positive rate before enabling.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla component GeoContent typename parameter cross site scripting attempt"; flow:to_server,established; content:"index.php"; http_uri; content:"option=com_geocontent"; fast_pattern:only; http_uri; content:"task=layers.kml"; nocase; http_uri; content:"typename="; nocase; http_uri; pcre:"/[?&]typename=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; classtype:attempted-user; sid:46896; rev:1;)
# Quest KACE Systems Management Appliance (cve,2018-11139): disabled. It matches shell
# metacharacters, raw or percent-encoded, in the TEST_SERVER body parameter of
# /common/ajax_email_connection_test.php.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest KACE Systems Management Appliance ajax_email_connection_test.php command injection attempt"; flow:to_server,established; content:"/common/ajax_email_connection_test.php"; fast_pattern:only; http_uri; content:"SERVER"; nocase; http_client_body; pcre:"/(^|&)TEST(\x5f|%5f)SERVER=[^&]*?([\x60\x3b\x7c\x23]|%60|%3b|%7c|%23|%26|([\x3c\x3e\x24]|%3c|%3e|%24)(\x28|%28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11139; reference:url,www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities; classtype:web-application-attack; sid:46886; rev:1;)
# Quest DR Series Disk Backup JSON-RPC command injection: six disabled rules on
# /ws/v1.0/jsonrpc. Each looks for a shell metacharacter inside the quoted value of the named
# JSON keys in the request body (pcre /P).
#   sid 46921  Logon method: UserName, Password                         cve,2018-11143
#   sid 46974  DRUsers update_pw: Name, newPass, oldPass                cve,2018-11146
#   sid 46973  DRUsers delete: user                                     cve,2018-11145
#   sid 46972  DRUsers update: elements of the Roles / oldRoles array   cve,2018-11144
#   sid 46971  DRUsers update: Name, oldName, Full_name, Email_addr,
#              Phone, Description                                       cve,2018-11144
#   sid 46982  DRSchedules: container, start, stop, day      cve,2018-11149, cve,2018-11150
# Operational caveats before enabling:
#   - Password, newPass and oldPass are matched fields, and a legitimate password containing
#     ';', '|', '&', '#' or a backtick satisfies the pcre; expect alerts from ordinary logins
#     and password changes;
#   - payloads logged with sid 46921 and sid 46974 contain credential fields and need the same
#     handling as credentials.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest DR Series Disk Backup Login.pm command injection attempt"; flow:to_server,established; content:"/ws/v1.0/jsonrpc"; fast_pattern:only; http_uri; content:"|22|method|22|"; nocase; http_client_body; content:"|22|Logon|22|"; distance:0; nocase; http_client_body; pcre:"/\x22(UserName|Password)\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11143; reference:url,www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities; classtype:web-application-attack; sid:46921; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest DR Series Disk Backup UsersService.pm update_pw method command injection attempt"; flow:to_server,established; content:"/ws/v1.0/jsonrpc"; fast_pattern:only; http_uri; content:"|22|DRUsers|22|"; nocase; http_client_body; content:"|22|update_pw|22|"; nocase; http_client_body; pcre:"/\x22(Name|newPass|oldPass)\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11146; reference:url,www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities; classtype:web-application-attack; sid:46974; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest DR Series Disk Backup UsersService.pm delete method command injection attempt"; flow:to_server,established; content:"/ws/v1.0/jsonrpc"; fast_pattern:only; http_uri; content:"|22|DRUsers|22|"; nocase; http_client_body; content:"|22|delete|22|"; nocase; http_client_body; content:"|22|user|22|"; nocase; http_client_body; pcre:"/\x22user\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11145; reference:url,www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities; classtype:web-application-attack; sid:46973; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest DR Series Disk Backup UsersService.pm update method command injection attempt"; flow:to_server,established; content:"/ws/v1.0/jsonrpc"; fast_pattern:only; http_uri; content:"|22|DRUsers|22|"; nocase; http_client_body; content:"|22|update|22|"; nocase; http_client_body; pcre:"/\x22(old)?Roles\x22\s*\x3a\s*\x5b\s*(\x22((?!(?<!\x5c)\x22).)*?\x22\s*\x2c\s*)*?\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11144; reference:url,www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities; classtype:web-application-attack; sid:46972; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest DR Series Disk Backup UsersService.pm update method command injection attempt"; flow:to_server,established; content:"/ws/v1.0/jsonrpc"; fast_pattern:only; http_uri; content:"|22|DRUsers|22|"; nocase; http_client_body; content:"|22|update|22|"; nocase; http_client_body; pcre:"/\x22(Name|oldName|Full_name|Email_addr|Phone|Description)\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11144; reference:url,www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities; classtype:web-application-attack; sid:46971; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest DR Series Disk Backup SchedulesService.pm command injection attempt"; flow:to_server,established; content:"/ws/v1.0/jsonrpc"; nocase; http_uri; content:"|22|DRSchedules|22|"; fast_pattern:only; http_client_body; pcre:"/\x22(container|start|stop|day)\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11149; reference:cve,2018-11150; reference:url,www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities; classtype:web-application-attack; sid:46982; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Spring Web Flow arbitrary code exeuction attempt"; flow:to_server,established; content:"execution="; nocase; http_uri; content:"&_"; nocase; http_client_body; content:"java.lang.ProcessBuilder"; distance:0; nocase; http_client_body; metadata:service http; reference:cve,2017-4971; classtype:attempted-user; sid:47007; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP XiongMai NVR login.htm buffer overflow attempt"; flow:to_server,established; content:"/login.htm"; depth:10; nocase; http_uri; content:"command=login&"; fast_pattern:only; pcre:"/command=login&([^&]*&)?[^&]{30}/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-10088; reference:url,www.xiongmaitech.com; classtype:attempted-admin; sid:46997; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest DR Series Disk Backup PasswordService.pm command injection attempt"; flow:to_server,established; content:"/ws/v1.0/jsonrpc"; fast_pattern:only; http_uri; content:"|22|DRPassword|22|"; nocase; http_client_body; pcre:"/\x22(admin_email|relay_host)\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11151; reference:url,www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities; classtype:web-application-attack; sid:47015; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest DR Series Disk Backup CompressionService.pm command injection attempt"; flow:to_server,established; content:"/ws/v1.0/jsonrpc"; nocase; http_uri; content:"|22|DRCompression|22|"; nocase; http_client_body; content:"|22|compressionLevel|22|"; fast_pattern:only; http_client_body; pcre:"/\x22compressionLevel\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11152; reference:url,www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities; classtype:web-application-attack; sid:47017; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache Struts URL validator denial of service attempt"; flow:to_server,established; content:"tp%3a%2f%2f"; nocase; http_client_body; content:"%2f%2f%2f%2f%2f"; within:100; nocase; http_client_body; pcre:"/(https?|ftp)(\x3a|%3a)%2f%2f[^&\x0d\x0a=]*?(%2f){5}/Pi"; metadata:policy max-detect-ips drop, service http; reference:cve,2016-4465; reference:url,cwiki.apache.org/confluence/display/WW/S2-041; classtype:web-application-attack; sid:47061; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt"; flow:to_server,established; content:"download_lar.jsp"; fast_pattern:only; http_uri; content:"lar="; nocase; http_client_body; pcre:"/(^|&)lar=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-5803; reference:url,www.ca.com/us/services-support/ca-support/ca-support-online/product-content/recommended-reading/security-notices/ca20161109-01-security-notice-for-ca-unified-infrastructure-mgmt.html; classtype:web-application-attack; sid:47050; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt"; flow:to_server,established; content:"download_lar.jsp"; fast_pattern:only; http_uri; content:"lar"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?lar((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-5803; reference:url,www.ca.com/us/services-support/ca-support/ca-support-online/product-content/recommended-reading/security-notices/ca20161109-01-security-notice-for-ca-unified-infrastructure-mgmt.html; classtype:web-application-attack; sid:47049; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt"; flow:to_server,established; content:"/tbl_find_replace.php"; fast_pattern:only; http_uri; content:"replaceWith="; nocase; content:"find="; nocase; http_uri; pcre:"/[?&]find=[^&]*?\x00/Ui"; metadata:policy max-detect-ips drop, service http; reference:cve,2016-5734; reference:url,www.phpmyadmin.net/security/PMASA-2016-27/; classtype:web-application-attack; sid:47046; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt"; flow:to_server,established; content:"/tbl_find_replace.php"; fast_pattern:only; http_uri; content:"replaceWith="; nocase; content:"find="; nocase; http_client_body; pcre:"/(^|&)find=[^&]*?(%00|\x00)/Pim"; metadata:policy max-detect-ips drop, service http; reference:cve,2016-5734; reference:url,www.phpmyadmin.net/security/PMASA-2016-27/; classtype:web-application-attack; sid:47045; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest KACE Systems Management Appliance download_agent_installer.php command injection attempt"; flow:to_server,established; content:"/common/download_agent_installer.php"; fast_pattern:only; http_uri; pcre:"/[?&](orgid|version)=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11138; reference:url,support.quest.com/product-notification/noti-00000134; classtype:web-application-attack; sid:47042; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest KACE Systems Management Appliance download_agent_installer.php command injection attempt"; flow:to_server,established; content:"/common/download_agent_installer.php"; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&](orgid|version)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11138; reference:url,support.quest.com/product-notification/noti-00000134; classtype:web-application-attack; sid:47041; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TheWebForum cross site scripting attempt"; flow:to_server,established; content:"/twf/register.php"; fast_pattern:only; http_uri; content:"www="; nocase; http_uri; pcre:"/[?&]www=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:bugtraq,16161; reference:cve,2006-0134; classtype:attempted-user; sid:47038; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest DR Series Disk Backup LicenseService.pm command injection attempt"; flow:to_server,established; content:"/ws/v1.0/jsonrpc"; fast_pattern:only; http_uri; content:"|22|DRLicense|22|"; nocase; http_client_body; pcre:"/\x22(serviceTag|LicenseServer|(Admin|Company)Name|Email|Comments)\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11153; reference:cve,2018-11154; reference:cve,2018-11155; reference:url,www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities; classtype:web-application-attack; sid:47031; rev:3;)
# NOTE(review) sid 47085: this rule has no pcre and no check on any parameter value. It fires on
# a request for /WaExlViewer/openRpt.aspx whose payload also contains projName=, nodeName= and
# waPath=. Those three contents carry no http_* buffer modifier, so they are matched against the
# raw packet payload rather than a normalized HTTP buffer. The signature therefore flags access
# to the page itself; if it is enabled, expect it to fire for any client that reaches this
# report viewer and triage hits by source address and session state - TODO confirm against the
# advisory referenced in the rule.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess authentication bypass attempt attempt"; flow:to_server,established; content:"/WaExlViewer/openRpt.aspx"; fast_pattern:only; http_uri; content:"projName="; nocase; content:"nodeName="; nocase; content:"waPath="; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-5152; reference:url,ics-cert.us-cert.gov/advisories/ICSA-17-012-01; classtype:web-application-attack; sid:47085; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt"; flow:to_server,established; content:"/detections/download_pdf.php"; fast_pattern:only; http_uri; content:"filename"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/filename\s*=\s*\x22[^\x22]*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:47081; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt"; flow:to_server,established; content:"/detections/download_pdf.php"; fast_pattern:only; http_uri; content:"filename="; nocase; http_client_body; pcre:"/(^|&)filename=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:47080; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt"; flow:to_server,established; content:"/detections/download_pdf.php"; fast_pattern:only; http_uri; content:"filename="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]filename=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:47079; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt"; flow:to_server,established; content:"/detections/download_pdf.php"; fast_pattern:only; http_uri; content:"filename="; nocase; http_uri; pcre:"/[?&]filename=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:47078; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomba component Timetable Schedule 3.6.8 SQL injection attempt"; flow:to_server,established; content:"/index.php"; http_uri; content:"option=com_timetableschedule"; fast_pattern; http_uri; content:"eid="; nocase; http_uri; pcre:"/[?&]eid=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17394; reference:url,www.exploit-db.com/exploits/45478/; classtype:web-application-attack; sid:48126; rev:1;)
# NOTE(review) sid 48104: the only payload condition is the two bytes "<?" anywhere in the
# request body of a request to /cmsms/admin/moduleinterface.php. That matches a PHP open tag,
# but equally an XML declaration or processing instruction (<?xml ...), so this is a broad
# indicator. If the rule is enabled, expect false positives wherever the admin interface
# legitimately carries XML or template content, and correlate hits with file-creation events
# on the web server. The same "<?" body test is used by sids 48005 and 47832 in this file.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CMS Made Simple arbitrary PHP file upload attempt"; flow:to_server,established; content:"/cmsms/admin/moduleinterface.php"; fast_pattern:only; http_uri; content:"<?"; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-1000094; classtype:attempted-admin; sid:48104; rev:1;)
# D-Link DIR-816 syslogIp command injection (reference: cve,2018-17064) - sids 48099, 48098, 48097.
# One rule per place the syslogIp parameter can appear in a request to /goform/sylogapply:
#   sid 48099  normalized URI (http_uri, pcre flag U): syslogIp value containing a backtick, ';',
#              '|', '#', or one of '<(' '>(' '$('.
#   sid 48098  request body (http_client_body, pcre flag P): the same characters, plus their
#              percent-encoded and double-encoded (%25xx) forms, and an encoded '&' (%26).
#   sid 48097  raw URI (http_raw_uri, pcre flag I): an encoded '&' (%26 or %2526) inside the
#              value. The normalized-URI rule cannot cover '&' because its [^&]*? stops at the
#              first ampersand; content:"26" is only a cheap pre-check ahead of the pcre.
# The path is spelled "sylogapply" in all three rules. This appears to be the device's actual
# route name rather than a typo (compare the CVE description - verify before "correcting" it).
#
# Deployment notes:
#   - Coverage is limited to $EXTERNAL_NET -> $HOME_NET on $HTTP_PORTS. Requests from inside
#     HOME_NET, to a management port missing from HTTP_PORTS, or inside TLS that is not
#     decrypted upstream are not inspected. Check the variable definitions in snort.conf.
#   - The rule action is "alert". The "policy ... drop" metadata does not block by itself;
#     blocking needs inline mode plus rule-management tooling that applies the policy state.
#   - Nearby rules are commented out and list only max-detect-ips / security-ips; these three
#     also list balanced-ips, which is presumably why they ship enabled.
#   - For local tuning, copy the rule into local.rules with a sid >= 1000000 instead of editing
#     it here, so a ruleset update does not overwrite the change.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt"; flow:to_server,established; content:"/goform/sylogapply"; fast_pattern:only; http_uri; content:"syslogIp="; nocase; http_uri; pcre:"/[?&]syslogIp=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17064; reference:url,support.dlink.com.cn/ProductInfo.aspx?m=DIR-816; classtype:web-application-attack; sid:48099; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt"; flow:to_server,established; content:"/goform/sylogapply"; fast_pattern:only; http_uri; content:"syslogIp="; nocase; http_client_body; pcre:"/(^|&)syslogIp=[^&]*?([\x60\x3b\x7c\x23]|%(25)?(60|3b|7c|23|26)|([\x3c\x3e\x24]|%(25)?(3c|3e|24))(\x28|%(25)?28))/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17064; reference:url,support.dlink.com.cn/ProductInfo.aspx?m=DIR-816; classtype:web-application-attack; sid:48098; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt"; flow:to_server,established; content:"/goform/sylogapply"; fast_pattern:only; http_uri; content:"syslogIp="; nocase; http_uri; content:"26"; http_raw_uri; pcre:"/[?&]syslogIp=[^&]*?%(25)?26/Ii"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17064; reference:url,support.dlink.com.cn/ProductInfo.aspx?m=DIR-816; classtype:web-application-attack; sid:48097; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt"; flow:to_server,established; content:"/scripts/wgate/pbw2/"; fast_pattern:only; http_uri; content:"~theme="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]~theme=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:bugtraq,8516; reference:cve,2003-0748; classtype:web-application-attack; sid:48096; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt"; flow:to_server,established; content:"/scripts/wgate/pbw2/"; fast_pattern:only; http_uri; content:"~theme="; nocase; http_client_body; pcre:"/(^|&)~theme=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:bugtraq,8516; reference:cve,2003-0748; classtype:web-application-attack; sid:48095; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt"; flow:to_server,established; content:"/scripts/wgate/pbw2/"; fast_pattern:only; http_uri; content:"~theme"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?~theme((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:service http; reference:bugtraq,8516; reference:cve,2003-0748; classtype:web-application-attack; sid:48094; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WP plugin Wechat Broadcast remote file inclusion attempt"; flow:to_server,established; content:"/wechat-broadcast/wechat/Image.php"; fast_pattern:only; http_uri; content:"url="; nocase; http_uri; content:"|3A|/"; http_uri; pcre:"/[?&]url=[^&]*?(http|ftp)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-16283; reference:url,seclists.org/fulldisclosure/2018/Sep/32; classtype:web-application-attack; sid:48071; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WP plugin Wechat Broadcast directory traversal attempt"; flow:to_server,established; content:"/wechat-broadcast/wechat/Image.php"; fast_pattern:only; http_uri; content:"url="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]url=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-16283; reference:url,seclists.org/fulldisclosure/2018/Sep/32; classtype:web-application-attack; sid:48070; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt"; flow:to_server,established; content:"/localize-my-post/ajax/include.php"; fast_pattern:only; http_uri; content:"file="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]file=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-16299; reference:url,seclists.org/fulldisclosure/2018/Sep/33; classtype:web-application-attack; sid:48065; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt"; flow:to_server,established; content:"/localize-my-post/ajax/include.php"; fast_pattern:only; http_uri; content:"file="; nocase; http_client_body; pcre:"/(^|&)file=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-16299; reference:url,seclists.org/fulldisclosure/2018/Sep/33; classtype:web-application-attack; sid:48064; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP pfSense status_interfaces.php command injection attempt"; flow:to_server,established; content:"/status_interfaces.php"; fast_pattern:only; http_uri; pcre:"/(^|&)i(fdescr|pv)=[^&]*?([\x60\x3b\x7c\x23]|%(25)?(60|3b|7c|23|26)|([\x3c\x3e\x24]|%(25)?(3c|3e|24))(\x28|%(25)?28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-16055; reference:url,www.pfsense.org/security/advisories/pfSense-SA-18_08.webgui.asc; classtype:web-application-attack; sid:48061; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Navigate CMS navigate_upload.php directory traversal attempt"; flow:to_server,established; content:"/navigate_upload.php"; fast_pattern:only; http_uri; content:"id="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]id=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17553; reference:url,www.navigatecms.com/en/blog/development/navigate_cms_update_2_8_5; classtype:web-application-attack; sid:48008; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Navigate CMS navigate_upload.php directory traversal attempt"; flow:to_server,established; content:"/navigate_upload.php"; fast_pattern:only; http_uri; content:"id"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?id((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17553; reference:url,www.navigatecms.com/en/blog/development/navigate_cms_update_2_8_5; classtype:web-application-attack; sid:48007; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Navigate CMS navigate_upload.php directory traversal attempt"; flow:to_server,established; content:"/navigate_upload.php"; fast_pattern:only; http_uri; content:"id="; nocase; http_client_body; pcre:"/(^|&)id=[^&]*?(\x2e|%(25)?2e){2}([\x2f\x5c]|%(25)?(2f|5c))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17553; reference:url,www.navigatecms.com/en/blog/development/navigate_cms_update_2_8_5; classtype:web-application-attack; sid:48006; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Navigate CMS navigate_upload.php arbitrary PHP file upload attempt"; flow:to_server,established; content:"/navigate_upload.php"; fast_pattern:only; http_uri; content:"<?"; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17553; reference:url,www.navigatecms.com/en/blog/development/navigate_cms_update_2_8_5; classtype:attempted-admin; sid:48005; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Navigate CMS login.php SQL injection attempt"; flow:to_server,established; content:"/login.php"; nocase; http_uri; content:"navigate-user="; fast_pattern:only; content:"navigate-user="; nocase; http_cookie; pcre:"/navigate-user=[^\x3b\r\n]*?([\x27\x23\x28]|%(25)?(27|23|28)|(\x2f|%(25)?2f)(\x2a|%(25)?2a)|(\x2d|%(25)?2d){2})/Ci"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17552; reference:url,www.navigatecms.com/en/blog/development/navigate_cms_update_2_8_5; classtype:web-application-attack; sid:48004; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt"; flow:to_server,established; content:"/rest/config/host/test_rancid_connection"; fast_pattern:only; http_uri; content:"26"; http_raw_uri; pcre:"/[?&](ip|rancid_(username|password|connection_type|autoenable))=[^&]*?%(25)?26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-16144; reference:url,www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities; classtype:web-application-attack; sid:47865; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt"; flow:to_server,established; content:"/rest/config/host/test_rancid_connection"; fast_pattern:only; http_uri; pcre:"/(^|&)(ip|rancid_(username|password|connection_type|autoenable))=[^&]*?([\x60\x3b\x7c\x23]|%(25)?(60|3b|7c|23|26)|([\x3c\x3e\x24]|%(25)?(3c|3e|24))(\x28|%(25)?28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-16144; reference:url,www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities; classtype:web-application-attack; sid:47864; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt"; flow:to_server,established; content:"/rest/config/host/test_rancid_connection"; fast_pattern:only; http_uri; pcre:"/[?&](ip|rancid_(username|password|connection_type|autoenable))=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-16144; reference:url,www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities; classtype:web-application-attack; sid:47863; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Opsview Web Management Console testnotification command injection attempt"; flow:to_server,established; content:"/rest/config/notificationmethod/testnotification"; fast_pattern:only; http_uri; content:"|22|value|22|"; nocase; http_client_body; pcre:"/\x22value\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-16146; reference:url,www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities; classtype:web-application-attack; sid:47861; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla CW Tags Searchtext SQL injection attempt"; flow:to_server,established; content:"/index.php"; http_uri; content:"searchtext"; fast_pattern:only; http_client_body; pcre:"/(^|&)searchtext(\x5b|%5b)(\x5d|%5d)=[^&]*?([\x27\x22\x3b\x23\x28]|%27|%22|%3b|%23|%28|(\x2f|%2f)(\x2a|%2a)|(\x2d|%2d){2})/Pim"; metadata:service http; reference:cve,2018-7313; reference:url,www.exploit-db.com/exploits/44158/; classtype:web-application-attack; sid:47859; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla CW Tags Searchtext SQL injection attempt"; flow:to_server,established; content:"/index.php"; http_uri; content:"searchtext[]="; fast_pattern:only; http_uri; pcre:"/[?&]searchtext\x5b\x5d=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:service http; reference:cve,2018-7313; reference:url,www.exploit-db.com/exploits/44158/; classtype:web-application-attack; sid:47858; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Responsive Thumbnail Slider arbitrary PHP file upload attempt"; flow:to_server,established; content:"/wp-admin/admin.php"; fast_pattern:only; http_uri; content:"page=responsive_thumbnail_slider_image_management"; http_uri; content:"<?"; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wp_responsive_thumbnail_slider_upload.rb; classtype:attempted-admin; sid:47832; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpmyadmin post-authentication local file inclusion attempt"; flow:to_server,established; content:"/index.php"; http_uri; content:"target="; fast_pattern:only; http_uri; content:"../"; http_uri; pcre:"/[?&]target=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-12613; reference:url,www.phpmyadmin.net/security/PMASA-2018-4/; classtype:web-application-attack; sid:47831; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SoftNAS StorageCenter snserv.php command injection attempt"; flow:to_server,established; content:"/softnas/snserver/snserv.php"; fast_pattern:only; http_uri; content:"recentVersions="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]recentVersions=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,104914; reference:cve,2018-14417; reference:url,docs.softnas.com/display/SD/Release%20Notes; classtype:web-application-attack; sid:47819; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SoftNAS StorageCenter snserv.php command injection attempt"; flow:to_server,established; content:"/softnas/snserver/snserv.php"; fast_pattern:only; http_uri; content:"recentVersions="; nocase; http_client_body; pcre:"/(^|&)recentVersions=[^&]*?([\x60\x3b\x7c\x23]|%(25)?(60|3b|7c|23|26)|([\x3c\x3e\x24]|%(25)?(3c|3e|24))(\x28|%(25)?28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,104914; reference:cve,2018-14417; reference:url,docs.softnas.com/display/SD/Release%20Notes; classtype:web-application-attack; sid:47818; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SoftNAS StorageCenter snserv.php command injection attempt"; flow:to_server,established; content:"/softnas/snserver/snserv.php"; fast_pattern:only; http_uri; content:"recentVersions="; nocase; http_uri; pcre:"/[?&]recentVersions=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,104914; reference:cve,2018-14417; reference:url,docs.softnas.com/display/SD/Release%20Notes; classtype:web-application-attack; sid:47817; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CloudByte ElastiStor LicenseServlet arbitrary JSP file upload attempt"; flow:to_server,established; content:"/client/license"; depth:15; nocase; http_uri; content:"<%"; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-15675; reference:url,blogs.securiteam.com/index.php/archives/3737; classtype:attempted-admin; sid:47816; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CloudByte ElastiStor LicenseServlet directory traversal attempt"; flow:to_server,established; content:"/client/license"; fast_pattern:only; http_uri; content:"filename"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/filename\s*=\s*[^\r\n]*?\x2e\x2e[\x2f\x5c]/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-15675; reference:url,blogs.securiteam.com/index.php/archives/3737; classtype:web-application-attack; sid:47815; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CloudByte ElastiStor imageUploadServlet directory traversal attempt"; flow:to_server,established; content:"/client/image"; fast_pattern:only; http_uri; content:"admin"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?admin(Typ|Nam)e((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-15675; reference:url,blogs.securiteam.com/index.php/archives/3737; classtype:web-application-attack; sid:47814; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CloudByte ElastiStor imageUploadServlet directory traversal attempt"; flow:to_server,established; content:"/client/image"; fast_pattern:only; http_uri; content:"filename"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/filename\s*=\s*[^\r\n]*?\x2e\x2e[\x2f\x5c]/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-15675; reference:url,blogs.securiteam.com/index.php/archives/3737; classtype:web-application-attack; sid:47813; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CloudByte ElastiStor imageUploadServlet arbitrary JSP file upload attempt"; flow:to_server,established; content:"adminImage"; fast_pattern:only; http_client_body; content:"/client/image"; depth:13; nocase; http_uri; content:"<%"; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-15675; reference:url,blogs.securiteam.com/index.php/archives/3737; classtype:attempted-admin; sid:47812; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Glassfish unauthenticated directory traversal attempt"; flow:to_server,established; content:"/theme/"; depth:10; offset:4; fast_pattern; content:"/theme/"; http_raw_uri; content:"../"; http_raw_uri; pcre:"/\/theme\/(META-INF\/?(prototype|dojo|json)|(com\/?(sun)?)?)?.*?(\x2e\x2e\x2f|\x25c0\x25af\x2e\x2e)/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-1000028; reference:url,www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904; classtype:web-application-attack; sid:47810; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt"; flow:to_server,established; content:"/emailSearch.jsp"; fast_pattern:only; http_uri; content:"SearchString="; nocase; http_uri; pcre:"/[?&]SearchString=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6230; classtype:web-application-attack; sid:47800; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt"; flow:to_server,established; content:"/emailSearch.jsp"; fast_pattern:only; http_uri; content:"SearchString="; nocase; http_client_body; pcre:"/(^|&)SearchString=[^&]*?([\x27\x22\x3b\x23\x28]|%27|%22|%3b|%23|%28|(\x2f|%2f)(\x2a|%2a)|(\x2d|%2d){2})/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6230; classtype:web-application-attack; sid:47799; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Email Encryption Gateway XML external entity injection attempt"; flow:to_server,established; content:"/configuration.jsp"; fast_pattern:only; http_uri; content:"pciExceptionXml"; nocase; http_client_body; content:"ENTITY"; nocase; http_client_body; pcre:"/(\x21|%21)ENTITY((?!\x3e|%3e).)*?(SYSTEM|PUBLIC)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6225; classtype:web-application-attack; sid:47798; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt"; flow:to_server,established; content:"/policies.jsp"; fast_pattern:only; http_uri; content:"hidEditId="; nocase; http_uri; pcre:"/[?&]hidEditId=[^&]*?[a-zA-Z]+?/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6228; classtype:web-application-attack; sid:47797; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt"; flow:to_server,established; content:"/policies.jsp"; fast_pattern:only; http_uri; content:"hidEditId="; nocase; http_client_body; pcre:"/(^|&)hidEditId=[^&]*?[a-zA-Z]+?/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6228; classtype:web-application-attack; sid:47796; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt"; flow:to_server,established; content:"/editPolicy.jsp"; fast_pattern:only; http_uri; content:"hidRuleID="; nocase; http_uri; pcre:"/[?&]hidRuleID=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6229; classtype:web-application-attack; sid:47795; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt"; flow:to_server,established; content:"/editPolicy.jsp"; fast_pattern:only; http_uri; content:"hidRuleID="; nocase; http_client_body; pcre:"/(^|&)hidRuleID=[^&]*?([\x27\x22\x3b\x23\x28]|%27|%22|%3b|%23|%28|(\x2f|%2f)(\x2a|%2a)|(\x2d|%2d){2})/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6229; classtype:web-application-attack; sid:47794; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Email Encryption Gateway cross site scripting attempt"; flow:to_server,established; content:"/keymanserverconfig.jsp"; fast_pattern:only; http_uri; pcre:"/[?&](deniedKeysExpireTimeout|keyAge)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2018-6226; classtype:attempted-user; sid:47793; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Email Encryption Gateway cross site scripting attempt"; flow:to_server,established; content:"/keymanserverconfig.jsp"; fast_pattern:only; http_uri; pcre:"/[?&](deniedKeysExpireTimeout|keyAge)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|%22|%27|%3c|%3e|%28|%29|script|onload|src)/Pi"; metadata:service http; reference:cve,2018-6226; classtype:attempted-user; sid:47792; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Email Encryption Gateway cross site scripting attempt"; flow:to_server,established; content:"/editPolicy.jsp"; fast_pattern:only; http_uri; content:"hidEmails="; nocase; http_uri; pcre:"/[?&]hidEmails=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2018-6227; classtype:attempted-user; sid:47791; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Email Encryption Gateway cross site scripting attempt"; flow:to_server,established; content:"/editPolicy.jsp"; fast_pattern:only; http_uri; content:"hidEmails="; nocase; http_client_body; pcre:"/[?&]hidEmails=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|%22|%27|%3c|%3e|%28|%29|script|onload|src)/Pi"; metadata:service http; reference:cve,2018-6227; classtype:attempted-user; sid:47790; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt"; flow:to_server,established; content:"/mimebuilderconfig.jsp"; fast_pattern:only; http_uri; pcre:"/[?&](decryptionXHeader|encryptionXHeader|meetingRequestEmailText|zdAttachmentPayloadTemplate|zdAttachmentTemplate|zdMainTemplate|zdMainTemplateZdv4)=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6226; classtype:web-application-attack; sid:47789; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Email Encryption Gateway SQL injection attempt"; flow:to_server,established; content:"/mimebuilderconfig.jsp"; fast_pattern:only; http_uri; pcre:"/(^|&)(zdMainTemplate|zdMainTemplateZdv4|decryptionXHeader|encryptionXHeader|meetingRequestEmailText|zdAttachmentPayloadTemplate|zdAttachmentTemplate)=[^&]*?([\x27\x22\x3b\x23\x28]|%27|%22|%3b|%23|%28|(\x2f|%2f)(\x2a|%2a)|(\x2d|%2d){2})/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6226; classtype:web-application-attack; sid:47788; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ClipBucket commonAjax SQL injection attempt"; flow:to_server,established; content:"/ajax/commonAjax.php"; fast_pattern:only; http_uri; pcre:"/(^|&)(email|username)=[^&]*?([\x27\x22\x3b\x23\x28]|%27|%22|%3b|%23|%28|(\x2f|%2f)(\x2a|%2a)|(\x2d|%2d){2})/Pim"; metadata:policy max-detect-ips drop, service http; reference:cve,2018-7666; classtype:web-application-attack; sid:47772; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ClipBucket vote_channel SQL injection attempt"; flow:to_server,established; content:"/actions/vote_channel.php"; fast_pattern:only; http_uri; content:"channelId="; nocase; http_client_body; pcre:"/(^|&)channelId=[^&]*?([\x27\x22\x3b\x23\x28]|%27|%22|%3b|%23|%28|(\x2f|%2f)(\x2a|%2a)|(\x2d|%2d){2})/Pim"; metadata:policy max-detect-ips drop, service http; reference:cve,2018-7666; classtype:web-application-attack; sid:47771; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ClipBucket edit_account arbitrary PHP file upload attempt"; flow:to_server,established; content:"/edit_account.php"; fast_pattern:only; http_uri; content:"<?"; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2018-7665; classtype:attempted-admin; sid:47770; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ClipBucket photo_uploader arbitrary PHP file upload attempt"; flow:to_server,established; content:"/actions/photo_uploader.php"; fast_pattern:only; http_uri; content:"<?"; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2018-7665; classtype:attempted-admin; sid:47769; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ClipBucket beats_uploader arbitrary PHP file upload attempt"; flow:to_server,established; content:"/actions/beats_uploader.php"; fast_pattern:only; http_uri; content:"<?"; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2018-7665; classtype:attempted-admin; sid:47768; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ClipBucket file_uploader command injection attempt"; flow:to_server,established; content:"/api/file_uploader.php"; fast_pattern:only; http_uri; content:"file_name"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?file_name((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, service http; reference:cve,2018-7664; classtype:web-application-attack; sid:47767; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest DR Series Disk Backup CustomerPortalService.pm command injection attempt"; flow:to_server,established; content:"/ws/v1.0/jsonrpc"; fast_pattern:only; http_uri; content:"|22|DRCustomerPortal|22|"; nocase; http_client_body; pcre:"/\x22(token|action)\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11181; reference:cve,2018-11182; reference:url,www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities; classtype:web-application-attack; sid:47744; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest DR Series Disk Backup CloudPortalService.pm command injection attempt"; flow:to_server,established; content:"/ws/v1.0/jsonrpc"; fast_pattern:only; http_uri; content:"|22|DRCloudPortal|22|"; nocase; http_client_body; content:"|22|registrationCode|22|"; nocase; http_client_body; pcre:"/\x22registrationCode\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11180; reference:url,www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities; classtype:web-application-attack; sid:47712; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Manage Engine Recovery Manager cross site scripting attempt"; flow:to_server,established; content:"/technicianAction.do"; fast_pattern:only; http_uri; content:"|22|loginName|22|"; nocase; http_client_body; pcre:"/\x22loginName\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x22\x27\x3c\x3e\x28\x29]|%22|%27|%3c|%3e|%28|%29|script|onload|src)/Pi"; metadata:service http; reference:cve,2018-9163; reference:url,www.manageengine.com/ad-recovery-manager/release-notes.html#5351; classtype:attempted-user; sid:47694; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Manage Engine Recovery Manager cross site scripting attempt"; flow:to_server,established; content:"/technicianAction.do"; fast_pattern:only; http_uri; content:"|22|loginName|22|"; nocase; http_uri; pcre:"/\x22loginName\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2018-9163; reference:url,www.manageengine.com/ad-recovery-manager/release-notes.html#5351; classtype:attempted-user; sid:47693; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cogent DataHub SQL injection attempt"; flow:to_server,established; content:"Silverlight/GetPermissions.asp"; fast_pattern:only; http_uri; content:"username="; nocase; http_client_body; pcre:"/(^|&)username=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:service http; classtype:web-application-attack; sid:47676; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cogent DataHub SQL injection attempt"; flow:to_server,established; content:"Silverlight/GetPermissions.asp"; fast_pattern:only; http_uri; content:"username="; nocase; http_uri; pcre:"/[?&]username=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:service http; classtype:web-application-attack; sid:47675; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest DR Series Disk Backup EncryptionService.pm command injection attempt"; flow:to_server,established; content:"/ws/v1.0/jsonrpc"; fast_pattern:only; http_uri; content:"|22|DREncryption|22|"; nocase; http_client_body; pcre:"/\x22(passphrase|encryption|mode|key_rotation_interval)\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11176; reference:cve,2018-11177; reference:url,www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities; classtype:web-application-attack; sid:47674; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest DR Series Disk Backup NetworkInterfaceService.pm command injection attempt"; flow:to_server,established; content:"/ws/v1.0/jsonrpc"; fast_pattern:only; http_uri; content:"|22|DRNetworkInterface|22|"; nocase; http_client_body; pcre:"/\x22(bandwidthValue|bandwidthUnit|targetIp)\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11175; reference:url,www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities; classtype:web-application-attack; sid:47673; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TerraMaster NAS logtable.php command injection attempt"; flow:to_server,established; content:"/include/ajax/logtable.php"; fast_pattern:only; http_uri; pcre:"/(^|&)(table|Event)=[^&]*?([\x60\x3b\x7c\x23]|%60|%3b|%7c|%23|%26|([\x3c\x3e\x24]|%3c|%3e|%24)(\x28|%28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-13354; reference:url,blog.securityevaluators.com/terramaster-nas-vulnerabilities-discovered-and-exploited-b8e5243e7a63; classtype:web-application-attack; sid:47672; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest DR Series Disk Backup EmailAlertsService.pm command injection attempt"; flow:to_server,established; content:"/ws/v1.0/jsonrpc"; fast_pattern:only; http_uri; content:"|22|DREmailAlerts|22|"; nocase; http_client_body; content:"|22|emailAddress|22|"; nocase; http_client_body; pcre:"/\x22emailAddress\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11174; reference:url,www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities; classtype:web-application-attack; sid:47671; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2144 (msg:"SERVER-WEBAPP LSIS wXP arbitrary file upload attempt"; flow:to_server,established; content:"|6B|"; depth:1; content:"|0A 05 00 00 20 F5 00 8C 5A F5 00 8C 5A F5 00 8C 5A|"; within:22; distance:4; content:"|2E 00 2E 00 2F 00|"; distance:0; metadata:policy max-detect-ips drop; classtype:attempted-admin; sid:47670; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress plugin WP with Spritz directory traversal attempt"; flow:to_server,established; content:"/wp.spritz.content.filter.php"; fast_pattern:only; http_uri; content:"url="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]url=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, service http; reference:url,www.exploit-db.com/exploits/44544/; classtype:web-application-attack; sid:47669; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress plugin WP with Spritz remote file include attempt"; flow:to_server,established; content:"/wp.spritz.content.filter.php"; fast_pattern:only; http_uri; content:"url="; nocase; http_uri; content:"|3A|/"; http_uri; pcre:"/[?&]url=[^&]*?(http|ftp)/Ui"; metadata:policy max-detect-ips drop, service http; reference:url,www.exploit-db.com/exploits/44544/; classtype:web-application-attack; sid:47668; rev:1;)
# sid:47664 - Dicoogle directory traversal (enabled; drop in balanced-ips, max-detect-ips, security-ips).
# Fires on an established client-to-server HTTP request whose normalized URI contains "exportFile",
# carries a UID= query parameter (case-insensitive), and has "../" inside that parameter's value.
# Both the content matches and the pcre (U flag) read the normalized URI buffer, so detection depends on
# the HTTP preprocessor being active and decoding the request on the ports listed in $HTTP_PORTS.
# Coverage limits visible in the rule: only the forward-slash form "../" is matched (no "..\"), and only
# the URI is inspected, not the request body.
# NOTE(review): the only reference is the vendor URL and no CVE is listed; triage alerts against the deployed Dicoogle version.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dicoogle directory traversal attempt"; flow:to_server,established; content:"exportFile"; fast_pattern:only; http_uri; content:"UID="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]UID=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,dicoogle.com; classtype:web-application-attack; sid:47664; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cogent DataHub ASP script injection attempt"; flow:to_server,established; content:"Silverlight/GetPermissions.asp"; http_uri; content:"log_file Plugin/WebServer/html/"; fast_pattern:only; http_uri; metadata:service http; classtype:attempted-admin; sid:47662; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Horde Groupware Webmail encryptMessage prefs.php command injection attempt"; flow:to_server,established; content:"/horde/services/prefs.php"; fast_pattern:only; http_uri; content:"generate_email="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]generate(\x5f|%5f)email=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-7413; reference:url,lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html; classtype:web-application-attack; sid:47661; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Horde Groupware Webmail encryptMessage edit.php command injection attempt"; flow:to_server,established; content:"/turba/edit.php"; fast_pattern:only; http_uri; content:"object[email]"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?object\x5bemail\x5d((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-7413; reference:url,lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html; classtype:web-application-attack; sid:47660; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Horde Groupware Webmail encryptMessage prefs.php command injection attempt"; flow:to_server,established; content:"/horde/services/prefs.php"; fast_pattern:only; http_uri; content:"generate_email"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?generate_email((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-7413; reference:url,lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html; classtype:web-application-attack; sid:47659; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Horde Groupware Webmail encryptMessage prefs.php command injection attempt"; flow:to_server,established; content:"/horde/services/prefs.php"; fast_pattern:only; http_uri; content:"generate"; nocase; http_client_body; pcre:"/(^|&)generate(\x5f|%5f)email=[^&]*?([\x60\x3b\x7c\x23]|%60|%3b|%7c|%23|%26|([\x3c\x3e\x24]|%3c|%3e|%24)(\x28|%28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-7413; reference:url,lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html; classtype:web-application-attack; sid:47658; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Horde Groupware Webmail encryptMessage prefs.php command injection attempt"; flow:to_server,established; content:"/horde/services/prefs.php"; fast_pattern:only; http_uri; content:"generate_email="; nocase; http_uri; pcre:"/[?&]generate_email=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-7413; reference:url,lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html; classtype:web-application-attack; sid:47657; rev:1;)
# sid:47655 - Joomla PostInstall Message SQL injection, CVE-2018-6376 (enabled; drop in balanced-ips,
# max-detect-ips, security-ips).
# Fires on an established client-to-server request to /administrator/index.php (case-insensitive) whose body
# holds a multipart part named jform[params][admin_style] and whose part value contains one of
# ' " ; # ( or the sequences "/*" or "--".
# The pcre runs on the request body (P flag). The "((?!^--).)*?" groups stop the match at a line that starts
# with "--", and "(?<!^)" skips a "--" at line start; presumably both keep the multipart boundary from matching.
# Coverage limit visible in the rule: the pattern needs the literal "name=" part header followed by CR/LF,
# so only multipart/form-data submissions are matched; a urlencoded body carrying the same field is not.
# NOTE(review): the character class is broad and any quote or parenthesis in the field triggers a drop;
# confirm legitimate admin_style values never contain them before relying on inline blocking.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla PostInstall Message SQL injection attempt"; flow:to_server,established; content:"/administrator/index.php"; nocase; http_uri; content:"jform[params][admin_style]"; fast_pattern:only; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?jform\x5bparams\x5d\x5badmin_style\x5d((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|(?<!^)\x2d{2})/Psim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6376; classtype:web-application-attack; sid:47655; rev:3;)
# sid:47649 - Apache Struts OGNL remote code execution, CVE-2018-11776 / S2-057 (enabled; drop in
# balanced-ips, max-detect-ips, security-ips).
# Fires on client-to-server traffic whose normalized URI contains "#_memberAccess" (|23| is '#') and
# "ognl." followed by OgnlContext, ClassResolver, TypeConverter or MemberAccess (case-insensitive pcre, U flag).
# Coverage limit visible in the rule: only the URI is inspected; OGNL expressions carried elsewhere in the
# request are outside this signature.
# NOTE(review): flow is "to_server" without "established", unlike the neighbouring rules in this file.
# Whether that is intentional is not stated here; confirm against the upstream rule before relying on it.
# Make any local adjustment in a separate rule with its own sid rather than editing this vendor rule in place.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache Struts remote code execution attempt"; flow:to_server; content:"|23|_memberAccess"; fast_pattern:only; http_uri; content:"ognl."; http_uri; pcre:"/ognl\x2e(OgnlContext|ClassResolver|TypeConverter|MemberAccess)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11776; reference:url,cwiki.apache.org/confluence/display/WW/S2-057; classtype:attempted-user; sid:47649; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IceWarp Mail Server directory traversal attempt"; flow:to_server,established; content:"/webmail/old/calendar/minimizer/index.php"; fast_pattern:only; http_uri; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?s(tyle|cript)((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-1503; classtype:web-application-attack; sid:47646; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IceWarp Mail Server directory traversal attempt"; flow:to_server,established; content:"/webmail/old/calendar/minimizer/index.php"; fast_pattern:only; http_uri; pcre:"/(^|&)s(tyle|cript)=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-1503; classtype:web-application-attack; sid:47645; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IceWarp Mail Server directory traversal attempt"; flow:to_server,established; content:"/webmail/old/calendar/minimizer/index.php"; fast_pattern:only; http_uri; content:"../"; http_uri; pcre:"/[?&]s(tyle|cript)=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-1503; classtype:web-application-attack; sid:47644; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IceWarp Mail Server directory traversal attempt"; flow:to_server,established; content:"/webmail/client/skins/default/css/css.php"; fast_pattern:only; http_uri; content:"file"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?file((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-1503; classtype:web-application-attack; sid:47643; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IceWarp Mail Server directory traversal attempt"; flow:to_server,established; content:"/webmail/client/skins/default/css/css.php"; fast_pattern:only; http_uri; content:"file="; nocase; http_client_body; pcre:"/(^|&)file=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-1503; classtype:web-application-attack; sid:47642; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP IceWarp Mail Server directory traversal attempt"; flow:to_server,established; content:"/webmail/client/skins/default/css/css.php"; fast_pattern:only; http_uri; content:"file="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]file=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-1503; classtype:web-application-attack; sid:47641; rev:1;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-WEBAPP SSL certificate with null issuer rdnSequence fields detected"; flow:to_client,established; ssl_state:server_hello; content:"|30 07 06 03 55 04 06 13 00 31 09 30 07 06 03 55 04 08 13 00 31 09 30 07 06 03 55 04 07 13 00 31 09 30 07 06 03 55 04 0A 13 00 31 09 30 07 06 03 55 04 0B 13 00 31 09 30 07 06 03 55 04 03 13 00|"; fast_pattern:only; metadata:ruleset community, service ssl; classtype:misc-activity; sid:47640; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 40856 (msg:"SERVER-WEBAPP Piltz PASvisu denial of service attempt"; flow:to_server,established; content:"/license_update/export"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.pilz.com/en-US/eshop/00105002177122/PASvisu-HMI-Software; classtype:attempted-dos; sid:47622; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symfony HttpFoundation component potential security bypass attempt"; flow:to_server,established; content:"|0D 0A|X-Original-URL|3A 20|"; fast_pattern:only; metadata:service http; reference:cve,2018-14773; reference:url,symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers; classtype:web-application-attack; sid:47620; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Symfony HttpFoundation component potential security bypass attempt"; flow:to_server,established; content:"|0D 0A|X-Rewrite-URL|3A 20|"; fast_pattern:only; metadata:service http; reference:cve,2018-14773; reference:url,symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers; classtype:web-application-attack; sid:47619; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest DR Series Disk Backup ReplicationsService.pm command injection attempt"; flow:to_server,established; content:"/ws/v1.0/jsonrpc"; fast_pattern:only; http_uri; content:"|22|DRReplications|22|"; nocase; http_client_body; content:"|22|cname|22|"; nocase; http_client_body; pcre:"/\x22cname\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11166; reference:url,www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities; classtype:web-application-attack; sid:47614; rev:1;)
# sid:47613 - Joomla Proclaim (com_biblestudy) database backup access (enabled; community ruleset; drop in
# balanced-ips, max-detect-ips, security-ips; classtype attempted-recon).
# Fires on an established client-to-server request whose normalized URI contains
# "/media/com_biblestudy/backup/" and ".sql", i.e. a direct fetch of an SQL dump left under the web root.
# The destination is $HTTP_SERVERS, not $HOME_NET as in the neighbouring rules, so coverage depends on that
# variable listing every web server to be protected.
# Matching details visible in the rule: ".sql" has no nocase and no distance/within relative to the path, so
# it is case-sensitive and may match anywhere in the URI. No CVE is referenced.
# An alert indicates the backup directory is reachable from outside; the durable fix is to remove or
# access-restrict that directory on the server.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Proclaim biblestudy backup access attempt"; flow:to_server,established; content:"/media/com_biblestudy/backup/"; fast_pattern:only; http_uri; content:".sql"; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:attempted-recon; sid:47613; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt"; flow:to_server,established; content:"WADashboard/api/dashboard/v1/files/deleteFile"; fast_pattern:only; http_uri; content:"filepath="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]filepath=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:url,advantech.com/industrial-automation/webaccess; classtype:web-application-attack; sid:47610; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt"; flow:to_server,established; content:"WADashboard/api/dashboard/v1/files/deleteFile"; fast_pattern:only; http_uri; content:"filepath="; nocase; http_client_body; pcre:"/(^|&)filepath=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:url,advantech.com/industrial-automation/webaccess; classtype:web-application-attack; sid:47609; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt"; flow:to_server,established; content:"WADashboard/api/dashboard/v1/files/writeFile"; fast_pattern:only; http_uri; content:"folderpath="; nocase; http_uri; content:"msg="; http_uri; content:"../"; nocase; http_uri; pcre:"/[?&]folderpath=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:url,advantech.com/industrial-automation/webaccess; classtype:web-application-attack; sid:47608; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt"; flow:to_server,established; content:"WADashboard/api/dashboard/v1/files/writeFile"; fast_pattern:only; http_uri; content:"folderpath="; nocase; http_client_body; content:"msg="; nocase; http_client_body; pcre:"/(^|&)folderpath=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:url,advantech.com/industrial-automation/webaccess; classtype:web-application-attack; sid:47607; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest DR Series Disk Backup DiagnosticsService.pm command injection attempt"; flow:to_server,established; content:"/ws/v1.0/jsonrpc"; fast_pattern:only; http_uri; content:"|22|DRDiagnostics|22|"; nocase; http_client_body; pcre:"/\x22(type|file_name)\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|%60|%3b|%7c|%26|%23|([\x3c\x3e\x24]|%3c|%3e|%24)(\x28|%28))/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11164; reference:cve,2018-11165; reference:url,www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities; classtype:web-application-attack; sid:47606; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Gridbox app cross site scripting attempt"; flow:to_server,established; content:"/index.php?"; http_uri; content:"option=com_gridbox"; fast_pattern:only; http_uri; content:"app="; nocase; http_uri; pcre:"/[?&]app=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11690; classtype:attempted-user; sid:47605; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress phar deserialization attempt"; flow:to_server,established; content:"/wp-admin/post.php"; http_uri; content:"thumb=phar"; fast_pattern:only; http_client_body; pcre:"/(^|&)thumb=phar(\x3a|%3a)(\x2f|%2f){2}/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:47603; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GitList searchTree git grep arbitrary command execution attempt"; flow:to_server,established; content:"query=--open-files-in-pager"; fast_pattern:only; content:"/tree/"; http_uri; content:"/search"; distance:0; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:47599; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4040 (msg:"SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt"; flow:to_server,established; content:"/coverArt.view?"; fast_pattern:only; content:"size="; nocase; pcre:"/[?&]size=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:service http; reference:cve,2017-9414; classtype:attempted-user; sid:47590; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4040 (msg:"SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt"; flow:to_server,established; content:"/avatar.view?"; fast_pattern:only; content:"id="; nocase; pcre:"/[?&]id=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:service http; reference:cve,2017-9414; classtype:attempted-user; sid:47589; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4040 (msg:"SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt"; flow:to_server,established; content:"/userChart.view?"; fast_pattern:only; content:"type="; nocase; pcre:"/[?&]type=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:service http; reference:cve,2017-9414; classtype:attempted-user; sid:47588; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Dolibarr Carte cross site scripting attempt"; flow:to_server,established; content:"adherents/cartes/carte.php"; fast_pattern:only; http_uri; content:"foruserlogin="; nocase; http_uri; pcre:"/[?&]foruserlogin=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2018-10095; classtype:attempted-user; sid:47584; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GitStack unauthenticated REST API repository modification attempt"; flow:to_server,established; content:"POST /rest/repository/"; fast_pattern:only; content:"/user/"; nocase; http_uri; metadata:service http; reference:cve,2018-5955; classtype:policy-violation; sid:47583; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GitStack unauthenticated REST API repository modification attempt"; flow:to_server,established; content:"/rest/repository/"; fast_pattern:only; http_uri; content:"name="; nocase; http_client_body; metadata:service http; reference:cve,2018-5955; classtype:policy-violation; sid:47582; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GitStack unauthenticated REST API add user attempt"; flow:to_server,established; content:"/rest/user/"; fast_pattern:only; http_uri; content:"username="; nocase; http_client_body; content:"password="; nocase; http_client_body; metadata:service http; reference:cve,2018-5955; classtype:policy-violation; sid:47581; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Aist id SQL injection attempt"; flow:to_server,established; content:"/index.php?"; nocase; http_uri; content:"option=com_aist"; fast_pattern:only; http_uri; content:"id="; nocase; http_client_body; pcre:"/(^|&)id=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-5993; classtype:web-application-attack; sid:47580; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Aist id SQL injection attempt"; flow:to_server,established; content:"/index.php?"; nocase; http_uri; content:"option=com_aist"; fast_pattern:only; http_uri; content:"id="; nocase; http_uri; pcre:"/[?&]id=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-5993; classtype:web-application-attack; sid:47579; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NetGain Systems Enterprise Manager directory traversal attempt"; flow:to_server,established; content:"/upload_file_do.jsp"; fast_pattern:only; http_uri; content:"filename"; nocase; content:"Content-Disposition"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/sim"; metadata:service http; reference:cve,2017-16603; classtype:web-application-attack; sid:47578; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cobub Razor channel name SQL injection attempt"; flow:to_server,established; content:"index.php?/manage/channel/addchannel"; fast_pattern:only; http_uri; content:"channel_name="; nocase; http_uri; pcre:"/[?&]channel_name=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-8057; classtype:web-application-attack; sid:47577; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cobub Razor channel name SQL injection attempt"; flow:to_server,established; content:"index.php?/manage/channel/addchannel"; fast_pattern:only; http_uri; content:"channel"; nocase; http_client_body; pcre:"/(^|&)channel(\x5f|%5f)name=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-8057; classtype:web-application-attack; sid:47576; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt"; flow:to_server,established; content:"/umotion/modules/system/externalframe.php"; fast_pattern:only; http_uri; content:"context"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?context((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,104447; reference:cve,2018-7787; classtype:web-application-attack; sid:47563; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt"; flow:to_server,established; content:"/umotion/modules/system/externalframe.php"; fast_pattern:only; http_uri; content:"context="; nocase; http_client_body; pcre:"/(^|&)context=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,104447; reference:cve,2018-7787; classtype:web-application-attack; sid:47562; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt"; flow:to_server,established; content:"/umotion/modules/system/externalframe.php"; fast_pattern:only; http_uri; content:"context="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]context=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,104447; reference:cve,2018-7787; classtype:web-application-attack; sid:47561; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt"; flow:to_server,established; content:"/broadWeb/https/certUpdate.asp"; fast_pattern:only; http_uri; content:"filename="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]filename=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,102781; reference:cve,2018-5445; reference:url,ics-cert.us-cert.gov/advisories/ICSA-18-023-01; classtype:web-application-attack; sid:47560; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt"; flow:to_server,established; content:"/broadWeb/https/certUpdate.asp"; fast_pattern:only; http_uri; content:"filename"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/filename\s*=\s*[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,102781; reference:cve,2018-5445; reference:url,ics-cert.us-cert.gov/advisories/ICSA-18-023-01; classtype:web-application-attack; sid:47559; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt"; flow:to_server,established; content:"/broadWeb/https/certUpdate.asp"; fast_pattern:only; http_uri; content:"filename="; nocase; http_client_body; pcre:"/(^|&)filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,102781; reference:cve,2018-5445; reference:url,ics-cert.us-cert.gov/advisories/ICSA-18-023-01; classtype:web-application-attack; sid:47558; rev:1;)
## Epic MyChart help.asp "topic" SQL injection (CVE-2016-6272) - four disabled rules.
##   sid 47555 / 47554: URI contains "/mychart/help.asp?"; "topic=" is checked in the request body / in the URI.
##   sid 47553 / 47552: the same pair, but the URI content is "/mchart/help.asp?".
## The body variants (pcre flag P) also list the percent-encoded forms of the metacharacters;
## the URI variants (pcre flag U) run on the normalized URI and list only the literal forms.
## NOTE(review): "/mchart/" differs from "/mychart/" by one letter - confirm against the advisory
## whether it is an intended alternate path or a typo before enabling sids 47553/47552.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Epic MyChart SQL injection attempt"; flow:to_server,established; content:"/mychart/help.asp?"; fast_pattern:only; http_uri; content:"topic="; nocase; http_client_body; pcre:"/(^|&)topic=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6272; classtype:web-application-attack; sid:47555; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Epic MyChart SQL injection attempt"; flow:to_server,established; content:"/mychart/help.asp?"; fast_pattern:only; http_uri; content:"topic="; nocase; http_uri; pcre:"/[?&]topic=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6272; classtype:web-application-attack; sid:47554; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Epic MyChart SQL injection attempt"; flow:to_server,established; content:"/mchart/help.asp?"; fast_pattern:only; http_uri; content:"topic="; nocase; http_client_body; pcre:"/(^|&)topic=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6272; classtype:web-application-attack; sid:47553; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Epic MyChart SQL injection attempt"; flow:to_server,established; content:"/mchart/help.asp?"; fast_pattern:only; http_uri; content:"topic="; nocase; http_uri; pcre:"/[?&]topic=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6272; classtype:web-application-attack; sid:47552; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess SCADA SQL injection attempt"; flow:to_server,established; content:"/broadWeb/BEMS/include/chkLogin2.asp"; fast_pattern:only; http_uri; content:"user="; nocase; http_uri; pcre:"/[?&]user=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,102781; reference:cve,2018-5443; reference:url,ics-cert.us-cert.gov/advisories/ICSA-18-023-01; classtype:web-application-attack; sid:47551; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess SCADA SQL injection attempt"; flow:to_server,established; content:"/broadWeb/BEMS/include/chkLogin2.asp"; fast_pattern:only; http_uri; content:"user="; nocase; http_client_body; pcre:"/(^|&)user=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,102781; reference:cve,2018-5443; reference:url,ics-cert.us-cert.gov/advisories/ICSA-18-023-01; classtype:web-application-attack; sid:47550; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Easy Hosting Control Panel action cross site scripting attempt"; flow:to_server,established; content:"/ehcp/index.php"; fast_pattern:only; http_uri; content:"action="; nocase; http_uri; pcre:"/[?&]action=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2018-6362; classtype:attempted-user; sid:47549; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MicroFocus Secure Messaging Gateway command injection attempt"; flow:to_server,established; content:"/manage_domains_save_data.json.php"; fast_pattern:only; http_uri; pcre:"/(\x22|%22)(Domain|Selector)(\x22|%22)(\s|%20)*(\x3a|%3a)(\s|%20)*(\x22|%22)((?!(?<!(..\x5c|%5c))(\x22|%22)).)*?([\x60\x3b\x7c\x23]|%60|%3b|%7c|%23|%26|([\x3c\x3e\x24]|%3c|%3e|%24)(\x28|%28))/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-12465; reference:url,support.microfocus.com/kb/doc.php?id=7023133; classtype:web-application-attack; sid:47545; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MicroFocus Secure Messaging Gateway enginelist.php SQL injection attempt"; flow:to_server,established; content:"/api/1/enginelist.php"; fast_pattern:only; http_uri; content:"appkey="; nocase; http_client_body; pcre:"/(^|&)appkey=[^&]*?([\x27\x22\x3b\x23\x28]|%27|%22|%3b|%23|%28|(\x2f|%2f)(\x2a|%2a)|(\x2d|%2d){2})/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-12464; reference:url,support.microfocus.com/kb/doc.php?id=7023132; classtype:web-application-attack; sid:47544; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MicroFocus Secure Messaging Gateway enginelist.php SQL injection attempt"; flow:to_server,established; content:"/api/1/enginelist.php"; fast_pattern:only; http_uri; content:"appkey="; nocase; http_uri; pcre:"/[?&]appkey=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-12464; reference:url,support.microfocus.com/kb/doc.php?id=7023132; classtype:web-application-attack; sid:47543; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest DR Series Disk Backup StorageGroupService.pm command injection attempt"; flow:to_server,established; content:"/ws/v1.0/jsonrpc"; fast_pattern:only; http_uri; content:"|22|DRStorageGroup|22|"; nocase; http_client_body; pcre:"/\x22(Name|Compression_mode|passphrase|Rotate_period|group)\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11159; reference:cve,2018-11160; reference:url,www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities; classtype:web-application-attack; sid:47542; rev:2;)
## Bacula-Web SQL injection (CVE-2017-15367) - four disabled rules covering two scripts:
##   sid 47540: URI "/client-report.php", client_id in the request body (pcre flag P, percent-encoded forms included).
##   sid 47539: URI "/client-report.php", client_id in the URI (pcre flag U).
##   sid 47538: URI "/jobs.php", filter parameters or orderby in the request body (pcre flag P).
##   sid 47537: URI "/jobs.php", the same parameters in the URI (pcre flag U).
## NOTE(review): the msg text of sid 47539 names jobs.php although the rule matches /client-report.php,
## and the msg text of sid 47537 names client-report.php although the rule matches /jobs.php. The two
## messages look swapped. When triaging alerts from these sids, go by the sid and the matched URI, not the msg.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Bacula-Web client-report.php SQL injection attempt"; flow:to_server,established; content:"/client-report.php"; fast_pattern:only; http_uri; content:"client"; nocase; http_client_body; pcre:"/(^|&)client(\x5f|%5f)id=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, service http; reference:cve,2017-15367; classtype:web-application-attack; sid:47540; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Bacula-Web jobs.php SQL injection attempt"; flow:to_server,established; content:"/client-report.php"; fast_pattern:only; http_uri; content:"client_id="; nocase; http_uri; pcre:"/[?&]client_id=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, service http; reference:cve,2017-15367; classtype:web-application-attack; sid:47539; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Bacula-Web jobs.php SQL injection attempt"; flow:to_server,established; content:"/jobs.php"; fast_pattern:only; http_uri; pcre:"/(^|&)(((level|client|pool)(\x5f|%5f)id|start(\x5f|%5f)time|end(\x5f|%5f)time|jobs(\x5f|%5f)per(\x5f|%5f)page|status)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)|orderby=[^&]*?\x28)/Pim"; metadata:policy max-detect-ips drop, service http; reference:cve,2017-15367; classtype:web-application-attack; sid:47538; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Bacula-Web client-report.php SQL injection attempt"; flow:to_server,established; content:"/jobs.php"; fast_pattern:only; http_uri; pcre:"/[?&](((level|client|pool)_id|start_time|end_time|jobs_per_page|status)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)|orderby=[^&]*?\x28)/Ui"; metadata:policy max-detect-ips drop, service http; reference:cve,2017-15367; classtype:web-application-attack; sid:47537; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest NetVault Backup Server checksession authentication bypass attempt"; flow:to_server,established; content:"NVBUPhysicalClient"; fast_pattern:only; http_client_body; content:"checksession"; nocase; http_client_body; content:"false"; distance:0; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?checksession((?!^--).)*?[\r\n]{2,}((?!^--).)*?false/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-1163; classtype:web-application-attack; sid:47514; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP RoundCube WebMail IMAP command injection attempt"; flow:to_server,established; content:"_action=plugin.move2archive"; fast_pattern:only; http_uri; content:"_uid="; http_uri; content:"%0D%0A"; distance:0; http_uri; pcre:"/_uid\x3D[^\x26\x0D\x0A]+\x250D\x250A/iU"; metadata:service http; reference:cve,2018-9846; classtype:attempted-user; sid:47510; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP RoundCube WebMail IMAP command injection attempt"; flow:to_client,established; file_data; content:"_action=plugin.move2archive"; fast_pattern:only; content:"_uid="; content:"%0D%0A"; distance:0; pcre:"/_uid\x3D[^\x26\x0D\x0A]+\x250D\x250A/smi"; metadata:service http; reference:cve,2018-9846; classtype:attempted-user; sid:47509; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sitecore CMS default.aspx directory traversal attempt"; flow:to_server,established; content:"/sitecore/shell/default.aspx?"; fast_pattern:only; http_uri; content:"file"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?file((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-7669; reference:url,kb.sitecore.net/articles/356221; classtype:web-application-attack; sid:47508; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sitecore CMS default.aspx directory traversal attempt"; flow:to_server,established; content:"/sitecore/shell/default.aspx?"; fast_pattern:only; http_uri; content:"file="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]file=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-7669; reference:url,kb.sitecore.net/articles/356221; classtype:web-application-attack; sid:47507; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sitecore CMS default.aspx directory traversal attempt"; flow:to_server,established; content:"/sitecore/shell/default.aspx?"; fast_pattern:only; http_uri; content:"file="; nocase; http_client_body; pcre:"/(^|&)file=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-7669; reference:url,kb.sitecore.net/articles/356221; classtype:web-application-attack; sid:47506; rev:1;)
## Joomla ProjectLog "search" SQL injection (CVE-2018-6024) - both rules below are ENABLED and are
## tagged "drop" for the balanced-ips, max-detect-ips and security-ips policies.
##   sid 47502: request body contains "option=com_projectlog" and a search= field whose value holds a quote,
##              ';', '#', "/*" or "--", literal or percent-encoded (pcre flag P).
##   sid 47501: the same check on the URI, literal characters only (pcre flag U, normalized URI).
## The pcre matches on the first such character anywhere in the search value, so a benign search term
## containing an apostrophe or "--" also matches. Expect false positives where this component is in
## use, and review them before running these sids with a drop action.
## Coverage depends on $HTTP_PORTS including the web server's port and on the sensor seeing the
## HTTP request in cleartext.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla ProjectLog search SQL injection attempt"; flow:to_server,established; content:"option=com_projectlog"; fast_pattern:only; http_client_body; content:"search="; nocase; http_client_body; pcre:"/(^|&)search=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6024; classtype:web-application-attack; sid:47502; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla ProjectLog search SQL injection attempt"; flow:to_server,established; content:"option=com_projectlog"; fast_pattern:only; http_uri; content:"search="; nocase; http_uri; pcre:"/[?&]search=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6024; classtype:web-application-attack; sid:47501; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TestLink Open Source Test Management PHP code injection attempt"; flow:to_server,established; content:"/install/installNewDB.php"; fast_pattern:only; http_uri; content:"loginname"; nocase; http_client_body; pcre:"/(^|&)tl(\x5f|%5f)loginname=[^&]*?([\x60\x3b\x24\x28]|%60|%3b|%24|%28|include|require)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-7466; classtype:web-application-attack; sid:47500; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TestLink Open Source Test Management PHP code injection attempt"; flow:to_server,established; content:"/install/installNewDB.php"; fast_pattern:only; http_uri; content:"tl_loginname="; nocase; http_uri; pcre:"/[?&]tl_loginname=[^&]*?([\x60\x3b\x24\x28]|include|require)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-7466; classtype:web-application-attack; sid:47499; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla CheckList extension SQL injection attempt"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"option=com_checklist"; fast_pattern:only; http_client_body; pcre:"/(^|&)(((title|tag|name|description)(\x5f|%5f)search)|filter(\x5f|%5f)order)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-7318; classtype:web-application-attack; sid:47498; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla CheckList extension SQL injection attempt"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"option=com_checklist"; fast_pattern:only; http_uri; pcre:"/[?&]((title|tag|name|description)_search|filter_order)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-7318; classtype:web-application-attack; sid:47497; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Easy File Sharing stack buffer overflow attempt"; flow:to_server,established; content:"/forum.ghp"; fast_pattern:only; http_uri; content:"UserID="; nocase; http_cookie; content:"UserID="; nocase; http_raw_header; isdataat:500,relative; content:!"|3B|"; within:500; http_raw_header; content:!"|0A|"; within:500; http_raw_header; metadata:policy max-detect-ips drop, service http; reference:cve,2018-9059; classtype:attempted-user; sid:47494; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Kodi playlist creation persistent cross site scripting attempt"; flow:to_server,established; content:"/#playlist/"; fast_pattern:only; http_uri; pcre:"/\x2f\x23playlist\x2f[^\x0d]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2018-8831; classtype:attempted-user; sid:47473; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess gmicons.asp directory traversal attempt"; flow:to_server,established; content:"/gmicons.asp?act=submit"; fast_pattern:only; http_uri; content:"filename"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/filename\s*=\s*[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy max-detect-ips drop, service http; reference:cve,2017-16736; reference:url,ics-cert.us-cert.gov/advisories/ICSA-18-004-02A; classtype:web-application-attack; sid:47472; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess gmicons.asp picfile arbitrary file upload attempt"; flow:to_server,established; content:"/gmicons.asp?act=submit"; fast_pattern:only; http_uri; content:"<%"; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2017-16736; reference:url,ics-cert.us-cert.gov/advisories/ICSA-18-004-02A; classtype:attempted-admin; sid:47471; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HomeMatic CCU2 remote arbitrary code execution attempt"; flow:to_server,established; urilen:9; content:"/Test.exe"; fast_pattern:only; http_uri; content:"exec"; nocase; http_client_body; metadata:service http; reference:cve,2018-7297; classtype:attempted-user; sid:47470; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Redaxo CMS addon SQL injection attempt"; flow:to_server,established; content:"page=myevents/event_add"; fast_pattern:only; http_uri; content:"myevents_id="; nocase; http_client_body; pcre:"/(^|&)myevents_id=[^&]*?([\x27\x22]|%27|%22)/Pim"; metadata:service http; classtype:web-application-attack; sid:47469; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Redaxo CMS addon SQL injection attempt"; flow:to_server,established; content:"page=myevents/event_add"; fast_pattern:only; http_uri; content:"myevents_id"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?myevents_id((?!^--).)*?[\r\n]{2,}((?!^--).)*?[\x27\x22]/Psim"; metadata:service http; classtype:web-application-attack; sid:47468; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Redaxo CMS addon SQL injection attempt"; flow:to_server,established; content:"page=myevents/event_add"; fast_pattern:only; http_uri; content:"myevents_id="; nocase; http_uri; pcre:"/[?&]myevents_id=[^&]*?[\x27\x22]/Ui"; metadata:service http; classtype:web-application-attack; sid:47467; rev:1;)
## CGit cgit_clone_objects directory traversal (CVE-2018-14912) - the three rules below are ENABLED and
## are tagged "drop" for the balanced-ips, max-detect-ips and security-ips policies.
##   sid 47466: "path=" in the URI whose value contains "../" (pcre flag U, normalized URI).
##   sid 47465: "path=" in a urlencoded request body whose value contains ".." followed by "/" or "\",
##              literal or percent-encoded (pcre flag P).
##   sid 47464: body containing "Content-Disposition" where "path" is followed by "../" or "..\" before
##              any line that begins with "--" (pcre flags P, s, i, m).
## All three require "/cgit/" (case-sensitive) and "/objects" (nocase) in the URI. A cgit instance
## served from a URL path that does not contain "/cgit/" is therefore not covered by these sids;
## check how cgit is mounted on the protected hosts before relying on them.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt"; flow:to_server,established; content:"/cgit/"; fast_pattern; http_uri; content:"/objects"; nocase; http_uri; content:"path="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]path=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-14912; classtype:web-application-attack; sid:47466; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt"; flow:to_server,established; content:"/cgit/"; fast_pattern; http_uri; content:"/objects"; nocase; http_uri; content:"path="; nocase; http_client_body; pcre:"/(^|&)path=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-14912; classtype:web-application-attack; sid:47465; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt"; flow:to_server,established; content:"/cgit/"; fast_pattern; http_uri; content:"/objects"; nocase; http_uri; content:"path"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/path((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-14912; classtype:web-application-attack; sid:47464; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Zyxel EMG2926 command injection attempt"; flow:to_server,established; content:"/cgi-bin/luci/"; fast_pattern:only; http_uri; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?(ping_ip|nslookup_button)((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-6884; classtype:web-application-attack; sid:47460; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Zyxel EMG2926 command injection attempt"; flow:to_server,established; content:"/cgi-bin/luci/"; fast_pattern:only; http_uri; pcre:"/(^|&)(ping(\x5f|%5f)ip|nslookup(\x5f|%5f)button)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-6884; classtype:web-application-attack; sid:47459; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Zyxel EMG2926 command injection attempt"; flow:to_server,established; content:"/cgi-bin/luci/"; fast_pattern:only; http_uri; pcre:"/[?&](ping_ip|nslookup_button)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-6884; classtype:web-application-attack; sid:47458; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9991 (msg:"SERVER-WEBAPP Weblog Expert Web Server denial of service attempt"; flow:to_server,established; content:"|0D 0A|Accept: */*"; nocase; isdataat:1000,relative; content:!"|0D|"; within:1000; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-7582; classtype:web-application-attack; sid:47437; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,50452] (msg:"SERVER-WEBAPP Raptr Plays.tv unauthenticated remote arbitrary file execution attempt"; flow:to_server,established; content:"POST /execute_installer"; fast_pattern:only; content:"%22installer%22"; metadata:service http; reference:cve,2018-6546; classtype:attempted-admin; sid:47425; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Site Editor WordPress plugin local file access attempt"; flow:to_server,established; content:"/ajax_shortcode_pattern.php?"; fast_pattern:only; http_uri; content:"ajax_path="; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2018-7422; classtype:web-application-attack; sid:47424; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP QCenter API date_config command injection attempt"; flow:to_server,established; content:"/qcenter/hawkeye/v1/date_config"; fast_pattern:only; http_uri; pcre:"/\x22(date|server|time)\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-0709; reference:url,www.qnap.com/en-us/security-advisory/nas-201807-10; classtype:web-application-attack; sid:47423; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Core com_fields cross site scripting attempt"; flow:to_server,established; content:"/administrator/index.php"; http_uri; content:"option=com_fields"; fast_pattern:only; http_uri; content:"jform"; nocase; http_client_body; pcre:"/jform((\x5b|%5b)\S*?(\x5d|%5d))+?=[^&]*?(\x22|%22|\x27|%27|\x3c|%3c|\x3e|%3e|\x28|%28|\x29|%29|script|onload|src)/Pim"; metadata:service http; reference:cve,2018-6377; classtype:attempted-user; sid:47421; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Easy Hosting Control Panel cross site scripting attempt"; flow:to_server,established; content:"/ehcp/index.php"; fast_pattern:only; http_uri; content:"op="; nocase; http_uri; pcre:"/[?&]op=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2018-6361; classtype:attempted-user; sid:47419; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-WEBAPP Advantech WebAcess Dashboard Viewer arbitrary file disclosure attempt"; flow:to_server,established; content:"|79 27 00 00|"; depth:4; offset:28; metadata:service dcerpc; reference:url,advantech.com/industrial-automation/webaccess; classtype:attempted-recon; sid:47416; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP QCenter API command injection attempt"; flow:to_server,established; content:"/qcenter/hawkeye/v1/"; fast_pattern:only; http_uri; content:"|22|passwd|22|"; nocase; content:"|22|"; distance:0; base64_decode:bytes 64,offset 0,relative; base64_data; pcre:"/([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-0708; reference:cve,2018-0709; reference:url,www.qnap.com/en-us/security-advisory/nas-201807-10; classtype:attempted-admin; sid:47393; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt"; flow:to_server,established; content:"/qcenter/hawkeye/v1/network_config"; fast_pattern:only; http_uri; content:"|22|dns_servers|22|"; nocase; http_client_body; pcre:"/\x22dns_servers\x22\s*\x3a\s*\x5b\s*(\x22((?!(?<!\x5c)\x22).)*?\x22\s*\x2c\s*)*?\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-0708; reference:url,www.qnap.com/en-us/security-advisory/nas-201807-10; classtype:web-application-attack; sid:47392; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt"; flow:to_server,established; content:"/qcenter/hawkeye/v1/network_config"; fast_pattern:only; http_uri; pcre:"/\x22(gw|ip|mask)\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-0708; reference:url,www.qnap.com/en-us/security-advisory/nas-201807-10; classtype:web-application-attack; sid:47391; rev:1;)
# CVE-2018-2894 (Oracle WebLogic ws_utc): sids 47390 and 47389 fire on a request whose
# URI contains /ws_utc/begin.do or /ws_utc/config.do and whose client body contains "<%".
# Both rules are bound to destination port 7001 only and match on the http_uri and
# http_client_body buffers. NOTE(review): confirm that 7001 is in this sensor's HTTP Inspect
# port list; a WebLogic listener on any other port, or behind TLS the sensor does not
# decrypt, is not covered by these two rules.
# All three listed policies (balanced, max-detect, security) set these rules to drop.
alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-WEBAPP Oracle WebLogic Server arbitrary JSP file upload attempt"; flow:to_server,established; content:"/ws_utc/begin.do"; fast_pattern:only; http_uri; content:"<%"; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,104763; reference:cve,2018-2894; reference:url,www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html; classtype:attempted-admin; sid:47390; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-WEBAPP Oracle WebLogic Server arbitrary JSP file upload attempt"; flow:to_server,established; content:"/ws_utc/config.do"; fast_pattern:only; http_uri; content:"<%"; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,104763; reference:cve,2018-2894; reference:url,www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html; classtype:attempted-admin; sid:47389; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-WEBAPP Oracle WebLogic Server potential precursor to keystore attack attempt"; flow:to_server,established; content:"/ws_utc/resources/setting/keystore"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,104763; reference:cve,2018-2894; reference:url,www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html; classtype:attempted-recon; sid:47388; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-WEBAPP Oracle WebLogic Server potential unauthenticated reconnaissance attempt"; flow:to_server,established; content:"/ws_utc/resources/setting/options/general"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,104763; reference:cve,2018-2894; reference:url,www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html; classtype:attempted-recon; sid:47387; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-WEBAPP Oracle WebLogic Server unauthenticated modified JSP access attempt"; flow:to_server,established; content:"/ws_utc/css/config/keystore/"; fast_pattern:only; http_uri; content:".jsp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,104763; reference:cve,2018-2894; reference:url,www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html; classtype:attempted-recon; sid:47386; rev:1;)
# CCTV-DVR command injection: fires when "/language/" (case-insensitive) appears within the
# first 10 bytes of the normalized URI and the literal string "${IFS}" appears anywhere in it.
# The rule names no product-specific path, so any web application with a /language/ prefix
# matches too. It keys on this single literal only; treat it as an indicator of the known
# request shape, not as general command-injection coverage.
# All three listed policies (balanced, max-detect, security) set this rule to drop.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CCTV-DVR command injection attempt"; flow:to_server,established; content:"/language/"; depth:10; nocase; http_uri; content:"${IFS}"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html; classtype:attempted-admin; sid:47358; rev:1;)
# QNAP QCenter account endpoint (CVE-2018-0707, CVE-2018-0706).
# sids 47349 / 47348: the URI must contain /qcenter/hawkeye/v1/account and change_passwd.
# The quoted key "old_password" (47349) or "new_password" (47348) is then searched for in the
# raw payload, since these content matches carry no http_* buffer modifier. From the next
# double quote after the key, 64 bytes of base64 text are decoded, and the pcre runs on the
# decoded data looking for a backtick, ';', '|', '&', '#', or '<', '>' or '$' followed by '('.
# Only that 64-byte window is decoded, so a longer encoded value is inspected only in part.
# sid 47347: fires on any GET whose URI contains /qcenter/hawkeye/v1/account, with no further
# condition. NOTE(review): legitimate GETs to this endpoint from $EXTERNAL_NET match as well,
# and the listed policies set the rule to drop. Confirm that remote administration of QCenter
# is not expected here before running inline.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP QCenter API set_VM_passwd command injection attempt"; flow:to_server,established; content:"/qcenter/hawkeye/v1/account"; fast_pattern:only; http_uri; content:"change_passwd"; nocase; http_uri; content:"|22|old_password|22|"; nocase; content:"|22|"; distance:0; base64_decode:bytes 64,offset 0,relative; base64_data; pcre:"/([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-0707; reference:url,www.qnap.com/en-us/security-advisory/nas-201807-10; classtype:attempted-admin; sid:47349; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP QCenter API set_VM_passwd command injection attempt"; flow:to_server,established; content:"/qcenter/hawkeye/v1/account"; fast_pattern:only; http_uri; content:"change_passwd"; nocase; http_uri; content:"|22|new_password|22|"; nocase; content:"|22|"; distance:0; base64_decode:bytes 64,offset 0,relative; base64_data; pcre:"/([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-0707; reference:url,www.qnap.com/en-us/security-advisory/nas-201807-10; classtype:attempted-admin; sid:47348; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP QCenter API account information disclosure attempt"; flow:to_server,established; content:"GET"; http_method; content:"/qcenter/hawkeye/v1/account"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-0706; reference:url,www.qnap.com/en-us/security-advisory/nas-201807-10; classtype:attempted-recon; sid:47347; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle PeopleSoft information disclosure attempt"; flow:to_server,established; content:"PeopleSoftServiceListeningConnector"; fast_pattern:only; http_uri; content:"Content-Type"; nocase; http_header; content:"xml"; within:20; nocase; http_header; content:"<!DOCTYPE"; nocase; http_client_body; content:"C:|5C|"; within:50; nocase; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2017-3548; classtype:attempted-user; sid:47229; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest DR Series Disk Backup StorageService.pm command injection attempt"; flow:to_server,established; content:"/ws/v1.0/jsonrpc"; fast_pattern:only; http_uri; content:"|22|DRStorage|22|"; nocase; http_client_body; content:"|22|service_tag|22|"; nocase; http_client_body; pcre:"/\x22service_tag\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11158; reference:url,www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities; classtype:web-application-attack; sid:47216; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP phar extension remote code execution attempt"; flow:to_server,established; file_data; content:"|00 01 00 00 00 FF FF 00 00 01 00 00 00 00 00 00 00 00 00 FE FF FF FF 65 78 61 6D 70 6C 65 2E 70 68 70 1E 00 00 00 23 57|"; fast_pattern:only; http_client_body; metadata:service http; reference:cve,2016-4072; reference:url,bugs.php.net/bug.php?id=71860; reference:url,php.net/ChangeLog-7.php; classtype:attempted-user; sid:47207; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 51111 (msg:"SERVER-WEBAPP Cognex VisionView directory traversal attempt"; flow:to_server,established; content:"%5c../"; fast_pattern:only; pcre:"/^(GET|POST)[^&]*?%5c\x2e\x2e\x2f/i"; reference:url,cognex.com/products/machine-vision/vision-software/visionview; classtype:web-application-attack; sid:47159; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS (msg:"SERVER-WEBAPP PHP unserialize integer overflow attempt"; flow:to_server,established; content:"o:"; depth:10; http_client_body; content:"|3B|a:"; http_client_body; content:!":{"; within:9; http_client_body; content:":{"; within:35; distance:10; http_client_body; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,95371; reference:cve,2017-5340; classtype:attempted-admin; sid:47156; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS (msg:"SERVER-WEBAPP PHP unserialize integer overflow attempt"; flow:to_server,established; content:"o:"; depth:10; http_client_body; content:"|3B|d:"; http_client_body; content:!"."; within:20; http_client_body; content:"|3B|"; within:20; distance:20; http_client_body; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,95371; reference:cve,2017-5340; classtype:attempted-admin; sid:47155; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest DR Series Disk Backup EmailRelayHostService.pm command injection attempt"; flow:to_server,established; content:"/ws/v1.0/jsonrpc"; nocase; http_uri; content:"|22|DREmailRelayHost|22|"; fast_pattern:only; http_client_body; content:"|22|hostname|22|"; nocase; http_client_body; pcre:"/\x22hostname\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11156; reference:url,www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities; classtype:web-application-attack; sid:47145; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP VAN SDN Controller default credentials authentication attempt"; flow:to_server,established; content:"/sdn/ui/app/login"; fast_pattern:only; http_uri; content:"username=sdn"; nocase; content:"password=skyline"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1078; reference:url,korelogic.com/Resources/Advisories/KL-001-2018-008.txt; classtype:attempted-admin; sid:47138; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP VAN SDN Controller default token authentication attempt"; flow:to_server,established; content:"X-Auth-Token|3A|"; nocase; http_header; content:"AuroraSdnToken37"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1078; reference:url,korelogic.com/Resources/Advisories/KL-001-2018-008.txt; classtype:attempted-admin; sid:47137; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP VAN SDN Controller uninstall action arbitrary command execution attempt"; flow:to_server,established; content:"X-Auth-Token|3A|"; nocase; http_header; content:"|22|action|22|"; nocase; http_client_body; content:"|22|uninstall|22|"; fast_pattern:only; http_client_body; content:"|22|name|22|"; nocase; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,korelogic.com/Resources/Advisories/KL-001-2018-008.txt; classtype:attempted-admin; sid:47136; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LibreHealthIO LibreEHR directory traversal attempt"; flow:to_server,established; content:"/libreehr/interface/patient_file/download_template.php"; fast_pattern:only; http_uri; content:"form_filename"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/(^|&)form_filename((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,github.com/LibreHealthIO/lh-ehr; classtype:web-application-attack; sid:47106; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LibreHealthIO LibreEHR directory traversal attempt"; flow:to_server,established; content:"/libreehr/interface/patient_file/download_template.php"; fast_pattern:only; http_uri; content:"form_filename="; nocase; http_client_body; pcre:"/(^|&)form_filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,github.com/LibreHealthIO/lh-ehr; classtype:web-application-attack; sid:47105; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LibreHealthIO LibreEHR directory traversal attempt"; flow:to_server,established; content:"/libreehr/interface/patient_file/download_template.php"; fast_pattern:only; http_uri; content:"form_filename="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]form_filename=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,github.com/LibreHealthIO/lh-ehr; classtype:web-application-attack; sid:47104; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Component eXtroForms SQL injection attempt"; flow:to_server,established; content:"/index.php"; http_uri; content:"filter"; nocase; http_client_body; content:"option=com_extroform"; fast_pattern:only; http_uri; pcre:"/(^|&)filter(\x5f|%5f)(type(\x5f|%5f)id|pid(\x5f|%5f)id|search)=[^&]*?(OR|AND)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploit-db.com/exploits/45472/; classtype:web-application-attack; sid:48171; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Component eXtroForms SQL injection attempt"; flow:to_server,established; content:"/index.php"; http_uri; content:"filter"; nocase; http_client_body; content:"option=com_extroform"; fast_pattern:only; http_uri; pcre:"/(^|&)filter(\x5f|%5f)(type(\x5f|%5f)id|pid(\x5f|%5f)id|search)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploit-db.com/exploits/45472/; classtype:web-application-attack; sid:48170; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Component Swap Factory SQL injection attempt"; flow:to_server,established; content:"index.php"; http_uri; content:"option=com_swapfactory"; fast_pattern:only; http_uri; content:"filter_order_Dir="; http_uri; pcre:"/[?&]filter_order_Dir=[^&]*?([\x31\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/iU"; metadata:service http; reference:cve,2018-17384; reference:url,packetstormsecurity.com/files/149529/Joomla-Swap-Factory-2.2.1-SQL-Injection.html; classtype:web-application-attack; sid:48166; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Component Swap Factory SQL injection attempt"; flow:to_server,established; content:"index.php"; http_uri; content:"option=com_swapfactory"; fast_pattern:only; http_uri; content:"filter_order="; http_uri; pcre:"/[?&]filter_order=[^&]*?([\x31\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/iU"; metadata:service http; reference:cve,2018-17384; reference:url,packetstormsecurity.com/files/149529/Joomla-Swap-Factory-2.2.1-SQL-Injection.html; classtype:web-application-attack; sid:48165; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HPE Intelligent Management Center FileDownloadServlet directory traversal attempt"; flow:to_server,established; content:"/imc/webdm/mibbrowser/fileDownload"; fast_pattern:only; http_uri; content:"fileName="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]fileName=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-5795; classtype:web-application-attack; sid:48164; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomba component Article Factory Manager SQL injection attempt"; flow:to_server,established; content:"/index.php"; http_uri; content:"option=com_articleman"; fast_pattern; http_uri; content:"_date="; nocase; http_uri; pcre:"/[?&](m_)?(start|end)_date\x3D[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17380; reference:url,www.exploit-db.com/exploits/45477/; classtype:web-application-attack; sid:48161; rev:1;)
# D-Link DIR-816 /goform/Diagnosis (CVE-2018-17068): three rules cover the parameters
# sendNum, overTime, pingAddr and trHops, one rule per buffer.
#   48143 (pcre flag P, client body): a backtick, ';', '|' or '#', their percent-encoded or
#         double-encoded (%25xx) forms plus encoded '&', or '<', '>' or '$' followed by '(',
#         raw or encoded.
#   48142 (pcre flag U, normalized URI): the same raw metacharacters. '&' is left out of the
#         character class; in a query string it is the parameter delimiter that [^&]*? stops at.
#   48141 (pcre flag I, raw URI): an encoded ampersand, %26 or %2526, inside one of the
#         parameter values.
# All three match only traffic from $EXTERNAL_NET to $HOME_NET on $HTTP_PORTS. NOTE(review):
# requests that originate inside $HOME_NET, where a router's management interface is normally
# reachable, are not seen by these rules. Confirm variable definitions and sensor placement.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DIR-816 diagnosis command injection attempt"; flow:to_server,established; content:"/goform/Diagnosis"; fast_pattern:only; http_uri; pcre:"/(^|&)(sendNum|overTime|pingAddr|trHops)=[^&]*?([\x60\x3b\x7c\x23]|%(25)?(60|3b|7c|23|26)|([\x3c\x3e\x24]|%(25)?(3c|3e|24))(\x28|%(25)?28))/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17068; reference:url,support.dlink.com.cn/ProductInfo.aspx?m=DIR-816; classtype:web-application-attack; sid:48143; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DIR-816 diagnosis command injection attempt"; flow:to_server,established; content:"/goform/Diagnosis"; fast_pattern:only; http_uri; pcre:"/[?&](sendNum|overTime|pingAddr|trHops)=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17068; reference:url,support.dlink.com.cn/ProductInfo.aspx?m=DIR-816; classtype:web-application-attack; sid:48142; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DIR-816 diagnosis command injection attempt"; flow:to_server,established; content:"/goform/Diagnosis"; fast_pattern:only; http_uri; content:"26"; http_raw_uri; pcre:"/[?&](sendNum|overTime|pingAddr|trHops)=[^&]*?%(25)?26/Ii"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17068; reference:url,support.dlink.com.cn/ProductInfo.aspx?m=DIR-816; classtype:web-application-attack; sid:48141; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla component Reverse Auction Factory SQL injection attempt"; flow:to_server,established; content:"/index.php"; http_uri; content:"option=com_rbids"; fast_pattern:only; http_uri; pcre:"/[?&](filter_(letter|order_Dir)|cat)=[^&]*?([\x2c\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17376; reference:url,www.exploit-db.com/exploits/45475/; classtype:web-application-attack; sid:48196; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Component Collection Factory SQL injection attempt"; flow:to_server,established; content:"/collection-categories"; http_uri; content:"option=com_collectionfactory"; fast_pattern:only; http_uri; content:"filter_order"; http_uri; pcre:"/[?&]filter_order(_Dir)?=[^&]*?([\x2C\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/iU"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17383; reference:url,www.exploit-db.com/exploits/45474/; classtype:web-application-attack; sid:48195; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt"; flow:to_server,established; content:"/index.php"; http_uri; content:"option=com_aindexdictionaries"; fast_pattern:only; http_uri; content:"letter="; nocase; http_uri; pcre:"/[?&]letter=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17397; reference:url,www.exploit-db.com/exploits/45476/; classtype:web-application-attack; sid:48194; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt"; flow:to_server,established; content:"/index.php"; http_uri; content:"option=com_aindexdictionaries"; fast_pattern:only; http_uri; content:"letter="; nocase; http_client_body; pcre:"/(^|&)letter=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17397; reference:url,www.exploit-db.com/exploits/45476/; classtype:web-application-attack; sid:48193; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess SQL injection attempt"; flow:to_server,established; content:"/broadWeb/syslog/LogPg.asp"; fast_pattern:only; http_uri; pcre:"/\/broadWeb\/syslog\/LogPg\.asp[?&](user|proj)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-16716; classtype:web-application-attack; sid:48177; rev:1;)
# D-Link DIR-816 /goform/form2systime.cgi (CVE-2018-17066): three rules cover the datetime
# parameter, one rule per buffer.
#   48174 (pcre flag I, raw URI): an encoded ampersand, %26 or %2526, inside the datetime value.
#   48173 (pcre flag P, client body): a backtick, ';', '|' or '#', their percent-encoded or
#         double-encoded (%25xx) forms plus encoded '&', or '<', '>' or '$' followed by '(',
#         raw or encoded.
#   48172 (pcre flag U, normalized URI): the raw metacharacters only. '&' is left out of the
#         class; in a query string it is the parameter delimiter that [^&]*? stops at.
# The parameter name "datetime=" is matched with nocase and the pcre uses the i flag, so case
# variants of the name are covered.
# All three match only traffic from $EXTERNAL_NET to $HOME_NET on $HTTP_PORTS. NOTE(review):
# requests that originate inside $HOME_NET are not seen by these rules. Confirm variable
# definitions and sensor placement.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt"; flow:to_server,established; content:"/goform/form2systime.cgi"; fast_pattern:only; http_uri; content:"datetime="; nocase; http_uri; content:"26"; http_raw_uri; pcre:"/[?&]datetime=[^&]*?%(25)?26/Ii"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17066; reference:url,support.dlink.com.cn/ProductInfo.aspx?m=DIR-816; classtype:web-application-attack; sid:48174; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt"; flow:to_server,established; content:"/goform/form2systime.cgi"; fast_pattern:only; http_uri; content:"datetime="; nocase; http_client_body; pcre:"/(^|&)datetime=[^&]*?([\x60\x3b\x7c\x23]|%(25)?(60|3b|7c|23|26)|([\x3c\x3e\x24]|%(25)?(3c|3e|24))(\x28|%(25)?28))/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17066; reference:url,support.dlink.com.cn/ProductInfo.aspx?m=DIR-816; classtype:web-application-attack; sid:48173; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt"; flow:to_server,established; content:"/goform/form2systime.cgi"; fast_pattern:only; http_uri; content:"datetime="; nocase; http_uri; pcre:"/[?&]datetime=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17066; reference:url,support.dlink.com.cn/ProductInfo.aspx?m=DIR-816; classtype:web-application-attack; sid:48172; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Webport SQL injection attempt"; flow:to_server,established; content:"/access/login"; fast_pattern:only; http_uri; pcre:"/(^|&)(usr|pwd)=[^&]*?([\x27\x22\x3b\x23\x28]|%27|%22|%3b|%23|%28|(\x2f|%2f)(\x2a|%2a)|(\x2d|%2d){2})/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,webport.se; classtype:web-application-attack; sid:48216; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Webport SQL injection attempt"; flow:to_server,established; content:"/access/login"; fast_pattern:only; http_uri; pcre:"/[?&](usr|pwd)=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,webport.se; classtype:web-application-attack; sid:48215; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNAP devices boardData command injection attempt"; flow:to_server,established; content:"/boardData"; fast_pattern:only; http_uri; content:"macAddress="; nocase; http_uri; pcre:"/[?&]macAddress=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-1555; reference:url,kb.netgear.com/30480/CVE-2016-1555-Notification; classtype:web-application-attack; sid:48208; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNAP devices boardData command injection attempt"; flow:to_server,established; content:"/boardData"; fast_pattern:only; http_uri; content:"macAddress="; nocase; http_uri; content:"26"; http_raw_uri; pcre:"/[?&]macAddress=[^&]*?%(25)?26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-1555; reference:url,kb.netgear.com/30480/CVE-2016-1555-Notification; classtype:web-application-attack; sid:48207; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNAP devices boardData command injection attempt"; flow:to_server,established; content:"/boardData"; fast_pattern:only; http_uri; content:"macAddress="; nocase; http_client_body; pcre:"/(^|&)macAddress=[^&]*?([\x60\x3b\x7c\x23]|%(25)?(60|3b|7c|23|26)|([\x3c\x3e\x24]|%(25)?(3c|3e|24))(\x28|%(25)?28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-1555; reference:url,kb.netgear.com/30480/CVE-2016-1555-Notification; classtype:web-application-attack; sid:48206; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Component Responsive Portfolio SQL injection attempt"; flow:to_server,established; content:"/index.php"; http_uri; content:"filter"; nocase; http_client_body; content:"option=com_pofos"; fast_pattern:only; http_uri; pcre:"/(^|&)filter(\x5f|%5f)(type(\x5f|%5f)id|pid(\x5f|%5f)id|search)=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d|OR|AND)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploit-db.com/exploits/45491/; classtype:web-application-attack; sid:48236; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache Syncope information disclosure by fiql"; flow:to_server,established; content:"/syncope/rest/users"; fast_pattern:only; http_uri; content:"fiql="; nocase; http_uri; pcre:"/[^&]*?(serialVersionUID|password|type|udynMembershipCond|securityAnswer|token(ExpireTime)?)=/Ri"; metadata:service http; reference:cve,2018-1322; reference:url,syncope.apache.org/security.html#CVE-2018-1322:_Information_disclosure_via_FIQL_and_ORDER_BY_sorting; classtype:attempted-recon; sid:48234; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache Syncope information disclosure by orderBy"; flow:to_server,established; content:"/syncope/rest/users"; fast_pattern:only; http_uri; content:"orderBy="; nocase; http_uri; pcre:"/[^&]*?(serialVersionUID|password|security(Question|Answer)|token(ExpireTime)?)/Ri"; metadata:service http; reference:cve,2018-1322; reference:url,syncope.apache.org/security.html#CVE-2018-1322:_Information_disclosure_via_FIQL_and_ORDER_BY_sorting; classtype:attempted-recon; sid:48233; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache Syncope XSL transform code injection attempt"; flow:to_server,established; content:"/syncope-console/wicket/bookmarkable/org.apache.syncope.client.console.pages.Reports"; fast_pattern:only; http_uri; content:"xmlEditorInfo="; http_client_body; content:"getRuntime"; distance:1; http_client_body; content:"exec"; distance:6; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-1321; reference:url,syncope.apache.org/security.html#CVE-2018-1321:_Remote_code_execution_by_administrators_with_report_and_template_entitlements; classtype:web-application-attack; sid:48232; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache Syncope XSL transform code injection attempt"; flow:to_server,established; content:"/syncope-console/wicket/bookmarkable/org.apache.syncope.client.console.pages.Reports"; fast_pattern:only; http_uri; content:"xmlEditorInfo="; http_client_body; content:"ENTITY"; distance:1; nocase; http_client_body; content:"xsl"; http_client_body; content:"template"; within:10; distance:1; http_client_body; pcre:"/(\x21|%21)ENTITY((?!\x3e|%3e).)*?(SYSTEM|PUBLIC)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-1321; reference:url,attack.mitre.org/techniques/T1220; reference:url,syncope.apache.org/security.html#CVE-2018-1321:_Remote_code_execution_by_administrators_with_report_and_template_entitlements; classtype:web-application-attack; sid:48231; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Supervene RazDC create_user.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/create_user.cgi"; fast_pattern:only; http_uri; pcre:"/[?&](password2?|(Unixuser|Full)name|HomeDir(ectory|Drive)|LogonScript|ProfilePath|Accountdesc|Flags)=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-15551; classtype:web-application-attack; sid:48230; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Supervene RazDC create_user.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/create_user.cgi"; fast_pattern:only; http_uri; pcre:"/(^|&)(password2?|(Unixuser|Full)name|HomeDir(ectory|Drive)|LogonScript|ProfilePath|Accountdesc|Flags)=[^&]*?([\x60\x3b\x7c\x23]|%(25)?(60|3b|7c|23|26)|([\x3c\x3e\x24]|%(25)?(3c|3e|24))(\x28|%(25)?28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-15551; classtype:web-application-attack; sid:48229; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Supervene RazDC create_user.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/create_user.cgi"; fast_pattern:only; http_uri; content:"26"; http_raw_uri; pcre:"/[?&](password2?|(Unixuser|Full)name|HomeDir(ectory|Drive)|LogonScript|ProfilePath|Accountdesc|Flags)=[^&]*?%(25)?26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-15551; classtype:web-application-attack; sid:48228; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Rubedo CMS Directory Traversal Attempt directory traversal attempt"; flow:to_server,established; content:"/theme/default/"; fast_pattern:only; content:"/theme/default/"; http_raw_uri; pcre:"/\/theme\/default\/[[:alnum:]]*?\/(\x2e|%2e)(\x2e|%2e)(\x2f|%2f)/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-16836; reference:url,github.com/maroueneboubakri/CVE/tree/master/rubedo-cms; classtype:web-application-attack; sid:48256; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Idreamsoft iCMS admincp.php SQL injection attempt"; flow:to_server,established; content:"/admincp.php"; fast_pattern:only; http_uri; content:"id"; nocase; http_client_body; pcre:"/(^|&)id(\x5b|%(25)?5b)(\x5d|%(25)?5d)=[^&]*?([\x27\x22\x3b\x23\x28]|%(25)?(27|22|3b|23|28)|(\x2f|%(25)?2f)(\x2a|%(25)?2a)|(\x2d|%(25)?2d){2})/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-12888; reference:url,github.com/idreamsoft/iCMS/issues/30; classtype:web-application-attack; sid:48252; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Supervene RazDC save_passwd.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/save_passwd.cgi"; fast_pattern:only; http_uri; pcre:"/(^|&)(password2?|Unixusername)=[^&]*?([\x60\x3b\x7c\x23]|%(25)?(60|3b|7c|23|26)|([\x3c\x3e\x24]|%(25)?(3c|3e|24))(\x28|%(25)?28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-15549; classtype:web-application-attack; sid:48246; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Supervene RazDC save_passwd.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/save_passwd.cgi"; fast_pattern:only; http_uri; pcre:"/[?&](password2?|Unixusername)=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-15549; classtype:web-application-attack; sid:48245; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Supervene RazDC save_passwd.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/save_passwd.cgi"; fast_pattern:only; http_uri; content:"26"; http_raw_uri; pcre:"/[?&](password2?|Unixusername)=[^&]*?%(25)?26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-15549; classtype:web-application-attack; sid:48244; rev:1;)
# Blueimp jQuery File Upload (CVE-2018-9206). Fires on any request whose normalized
# URI contains "/server/php/" and whose body contains the two bytes "<?" anywhere.
# NOTE(review): "<?" also opens an XML declaration ("<?xml"), so legitimate XML or SVG
# uploads to a matching path will match too, and this rule is a drop in the balanced,
# max-detect and security policies - check the uploaded file type when triaging hits.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Blueimp jQuery File Upload arbitrary PHP file upload attempt"; flow:to_server,established; content:"/server/php/"; fast_pattern:only; http_uri; content:"<?"; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9206; reference:url,www.vapidlabs.com/advisory.php?v=204; classtype:web-application-attack; sid:48263; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Imperva SecureSphere command injection attempt"; flow:to_server,established; content:"/pws/"; nocase; http_uri; content:"|22|installer-address|22|"; fast_pattern:only; http_client_body; pcre:"/\x22installer-address\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploit-db.com/exploits/45542/; classtype:web-application-attack; sid:48257; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cockpit CMS media API directory traversal attempt"; flow:to_server,established; content:"/cockpit/media/api"; fast_pattern:only; http_uri; content:"|22|path|22|"; nocase; http_client_body; pcre:"/\x22path\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?(\x2e|\x5cu002e){2}(\x2f|\x5c([\x2f\x5c]|u00(2f|5c)))/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-15540; reference:url,github.com/agentejo/cockpit/commit/96b04ac3; classtype:web-application-attack; sid:48274; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cockpit CMS media API directory traversal attempt"; flow:to_server,established; content:"/cockpit/media/api"; fast_pattern:only; http_uri; content:"|22|paths|22|"; nocase; http_client_body; pcre:"/\x22paths\x22\s*\x3a\s*\x5b\s*(\x22((?!(?<!\x5c)\x22).)*?\x22\s*\x2c\s*)*?\x22((?!(?<!\x5c)\x22).)*?(\x2e|\x5cu002e){2}(\x2f|\x5c([\x2f\x5c]|u00(2f|5c)))/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-15540; reference:url,github.com/agentejo/cockpit/commit/96b04ac3; classtype:web-application-attack; sid:48273; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear Router admin password access attempt"; flow:to_server,established; content:"next_file=passwordrecovered.htm"; fast_pattern:only; metadata:service http; classtype:policy-violation; sid:48272; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Teltonika RUT9XX hotspotlogin.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/hotspotlogin.cgi"; fast_pattern:only; http_uri; pcre:"/[?&](uamip|TelNum|challenge|uamport|userurl)=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17532; reference:url,github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection; classtype:web-application-attack; sid:48271; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Teltonika RUT9XX autologin.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/autologin.cgi"; fast_pattern:only; http_uri; content:"26"; http_raw_uri; pcre:"/[?&](reply|uamport|challenge|userurl|res|reason|uamip)=[^&]*?%(25)?26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17532; reference:url,github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection; classtype:web-application-attack; sid:48270; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Teltonika RUT9XX hotspotlogin.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/hotspotlogin.cgi"; fast_pattern:only; http_uri; pcre:"/(^|&)(uamip|TelNum|challenge|uamport|userurl)=[^&]*?([\x60\x3b\x7c\x23]|%(25)?(60|3b|7c|23|26)|([\x3c\x3e\x24]|%(25)?(3c|3e|24))(\x28|%(25)?28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17532; reference:url,github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection; classtype:web-application-attack; sid:48269; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Teltonika RUT9XX hotspotlogin.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/hotspotlogin.cgi"; fast_pattern:only; http_uri; content:"26"; http_raw_uri; pcre:"/[?&](uamip|TelNum|challenge|uamport|userurl)=[^&]*?%(25)?26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17532; reference:url,github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection; classtype:web-application-attack; sid:48268; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Teltonika RUT9XX autologin.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/autologin.cgi"; fast_pattern:only; http_uri; pcre:"/(^|&)(reply|uamport|challenge|userurl|res|reason|uamip)=[^&]*?([\x60\x3b\x7c\x23]|%(25)?(60|3b|7c|23|26)|([\x3c\x3e\x24]|%(25)?(3c|3e|24))(\x28|%(25)?28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17532; reference:url,github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection; classtype:web-application-attack; sid:48267; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Teltonika RUT9XX autologin.cgi command injection attempt"; flow:to_server,established; content:"/cgi-bin/autologin.cgi"; fast_pattern:only; http_uri; pcre:"/[?&](reply|uamport|challenge|userurl|res|reason|uamip)=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17532; reference:url,github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-01_Teltonika_OS_Command_Injection; classtype:web-application-attack; sid:48266; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest DR Series Disk Backup DnsService.pm command injection attempt"; flow:to_server,established; content:"/ws/v1.0/jsonrpc"; fast_pattern:only; http_uri; content:"|22|DRDns|22|"; nocase; http_client_body; pcre:"/\x22(dns_suffix|primary_dns|secondary_dns)\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11183; reference:url,www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities; classtype:web-application-attack; sid:48353; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest DR Series Disk Backup SupportPortalService.pm command injection attempt"; flow:to_server,established; content:"/ws/v1.0/jsonrpc"; nocase; http_uri; content:"|22|DRSupportPortal|22|"; fast_pattern:only; http_client_body; content:"|22|email|22|"; nocase; http_client_body; pcre:"/\x22email\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11185; reference:url,www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities; classtype:web-application-attack; sid:48380; rev:1;)
# PrestaShop PS_SAV_IMAP_URL command injection. Needs "/administration/index.php" and
# "controller=AdminCustomerThreads" in the URI and "PS_SAV_IMAP_URL" in the body; the
# pcre (/P, request body) then looks inside the multipart field of that name for a
# backtick, ';', '|', '&', '#', or '<(' '>(' '$('.
# NOTE(review): the admin path is fixed to "/administration/"; PrestaShop installs
# commonly use a renamed admin directory - confirm the path in your deployment, or the
# rule gives no coverage. The only reference is the vendor home page (no CVE listed).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PrestaShop PS_SAV_IMAP_URL command injection attempt"; flow:to_server,established; content:"/administration/index.php"; http_uri; content:"controller=AdminCustomerThreads"; fast_pattern:only; http_uri; content:"PS_SAV_IMAP_URL"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?PS_SAV_IMAP_URL((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.prestashop.com/en; classtype:attempted-user; sid:48417; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress wp_delete_attachment directory traversal attempt"; flow:to_server,established; content:"/wp-admin/post.php"; fast_pattern:only; http_uri; content:"thumb="; nocase; http_client_body; pcre:"/(^|&)thumb=[^&]*?(\x2e|%(25)?2e){2}([\x2f\x5c]|%(25)?(2f|5c))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,104569; reference:cve,2018-12895; reference:url,blog.ripstech.com/2018/wordpress-file-delete-to-code-execution; classtype:web-application-attack; sid:48416; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager editDisplaynames.do SQL injection attempt"; flow:to_server,established; content:"/editDisplaynames.do"; fast_pattern:only; http_uri; content:"resids"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?resids((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|(?<!^)\x2d{2})/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-15168; reference:url,github.com/x-f1v3/ForCve/issues/2; classtype:web-application-attack; sid:48415; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager editDisplaynames.do SQL injection attempt"; flow:to_server,established; content:"/editDisplaynames.do"; fast_pattern:only; http_uri; content:"resids="; nocase; http_uri; pcre:"/[?&]resids=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-15168; reference:url,github.com/x-f1v3/ForCve/issues/2; classtype:web-application-attack; sid:48414; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Applications Manager editDisplaynames.do SQL injection attempt"; flow:to_server,established; content:"/editDisplaynames.do"; fast_pattern:only; http_uri; content:"resids="; nocase; http_client_body; pcre:"/(^|&)resids=[^&]*?([\x27\x22\x3b\x23\x28]|%(25)?(27|22|3b|23|28)|(\x2f|%(25)?2f)(\x2a|%(25)?2a)|(\x2d|%(25)?2d){2})/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-15168; reference:url,github.com/x-f1v3/ForCve/issues/2; classtype:web-application-attack; sid:48413; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,8060] (msg:"SERVER-WEBAPP ManageEngine Firewall Analyzer setManaged SQL injection attempt"; flow:to_server,established; content:"/device/setManaged"; depth:35; fast_pattern; nocase; content:"name="; nocase; pcre:"/(?<=[?&\r\n])name=[^&\r\n]*?([\x27\x22\x3b\x23\x28]|%(25)?(27|22|3b|23|28)|(\x2f|%(25)?2f)(\x2a|%(25)?2a)|(\x2d|%(25)?2d){2})/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17283; reference:url,github.com/x-f1v3/ForCve/issues/4; classtype:web-application-attack; sid:48412; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,8060] (msg:"SERVER-WEBAPP ManageEngine Firewall Analyzer oputilsServlet unauthorized API key disclosure attempt"; flow:to_server,established; content:"/oputilsServlet"; depth:20; nocase; content:"action=getAPIKey"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17283; reference:url,github.com/x-f1v3/ForCve/issues/4; classtype:attempted-recon; sid:48411; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest DR Series Disk Backup GlobalViewService.pm command injection attempt"; flow:to_server,established; content:"/ws/v1.0/jsonrpc"; nocase; http_uri; content:"|22|DRGlobalView|22|"; fast_pattern:only; http_client_body; content:"|22|RemoteHost|22|"; nocase; http_client_body; pcre:"/\x22RemoteHost\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11187; reference:cve,2018-11188; reference:url,www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities; classtype:web-application-attack; sid:48428; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Quest DR Series Disk Backup DateTimeService.pm command injection attempt"; flow:to_server,established; content:"/ws/v1.0/jsonrpc"; nocase; http_uri; content:"|22|DRDateTime|22|"; fast_pattern:only; http_client_body; content:"|22|timezone|22|"; nocase; http_client_body; pcre:"/\x22timezone\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11186; reference:url,www.coresecurity.com/advisories/quest-dr-series-disk-backup-multiple-vulnerabilities; classtype:web-application-attack; sid:48427; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI magpie_debug.php command argument injection attempt"; flow:to_server,established; content:"/magpie_debug.php"; fast_pattern:only; http_uri; content:"url="; nocase; http_uri; pcre:"/[?&]url=[^&]*?[\x20\x09\x0a]/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-15708; reference:url,www.tenable.com/security/research/tra-2018-37; classtype:web-application-attack; sid:48443; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Drupal open redirect external URL injection attempt"; flow:to_server,established; content:"/admin/config/search/path/add"; fast_pattern:only; http_uri; content:"source="; http_client_body; pcre:"/source=(%5c|%2f){2}.*&alias=/Pi"; metadata:policy max-detect-ips drop, service http; reference:url,www.drupal.org/sa-core-2018-006; classtype:attempted-admin; sid:48448; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress Portable phpMyAdmin plugin authentication bypass attempt"; flow:to_server,established; content:"/wp-content/plugins/portable-phpmyadmin/wp-pma-mod"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2012-5469; reference:url,www.exploit-db.com/exploits/23356/; classtype:web-application-attack; sid:48486; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Loytec LWEB-900 directory traversal attempt"; flow:to_server,established; content:"/lweb900"; fast_pattern:only; content:"/lweb900"; nocase; http_raw_uri; content:"../"; http_raw_uri; metadata:service http; reference:url,logicals.com; classtype:web-application-attack; sid:48485; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI cmdsubsys.php command injection attempt"; flow:to_server,established; content:"/nagiosxi/ajaxhelper.php"; fast_pattern:only; http_uri; pcre:"/(\x22|%22)(username|password)(\x22|%22)(\s|%20)*(\x3a|%3a)(\s|%20)*(\x22|%22)((?!(?<!(..\x5c|%5c))(\x22|%22)).)*?([\x60\x3b\x7c\x23]|%60|%3b|%7c|%23|%26|([\x3c\x3e\x24]|%3c|%3e|%24)(\x28|%28))/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-15709; reference:url,www.tenable.com/security/research/tra-2018-37; classtype:web-application-attack; sid:48484; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 40856 (msg:"SERVER-WEBAPP Pilz PASvisu arbitrary file upload attempt"; flow:to_server,established; content:"/download"; fast_pattern:only; content:"filename"; nocase; content:"Content-Disposition"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?(\x2e|%(25)?2e){2}([\x2f\x5c]|%(25)?(2f|5c))/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:48563; rev:1;)
# Apache Superset dashboard import (CVE-2018-8021): three variants of one signature,
# differing only in the module named. Each needs "/superset/import_dashboards" in the
# URI and, in the request body, "c<module>|0A|" (the text-pickle GLOBAL opcode, for
# posix, subprocess or os) followed within 25 bytes by "|0A|(S'" (newline, MARK,
# start of a string argument).
# These match specific pickle content in the upload; they do not establish that the
# endpoint is safe. The msg attributes the issue to the pickle library, which is fixed
# in the application, so treat the rules as one layer alongside patching Superset.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache Superset python pickle library remote code execution attempt"; flow:to_server,established; content:"/superset/import_dashboards"; fast_pattern:only; http_uri; content:"cposix|0A|"; http_client_body; content:"|0A 28|S'"; within:25; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-8021; classtype:attempted-user; sid:48551; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache Superset python pickle library remote code execution attempt"; flow:to_server,established; content:"/superset/import_dashboards"; fast_pattern:only; http_uri; content:"csubprocess|0A|"; http_client_body; content:"|0A 28|S'"; within:25; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-8021; classtype:attempted-user; sid:48550; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache Superset python pickle library remote code execution attempt"; flow:to_server,established; content:"/superset/import_dashboards"; fast_pattern:only; http_uri; content:"cos|0A|"; http_client_body; content:"|0A 28|S'"; within:25; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-8021; classtype:attempted-user; sid:48549; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress arbitrary file deletion attempt"; flow:to_server,established; content:"/wp-admin/admin.php"; http_uri; content:"page=wc.status"; fast_pattern:only; http_uri; content:"handle="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]handle=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; reference:url,blog.ripstech.com/2018/wordpress-design-flaw-leads-to-woocommerce-rce/; classtype:web-application-attack; sid:48573; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TRENDnet TEW-673GRU apply.cgi start_arpping command injection attempt"; flow:to_server,established; content:"/apply.cgi"; fast_pattern:only; http_uri; pcre:"/(^|&)(lan_(ipaddr|bridge|eth)|dhcpd_(start|end))=[^&]*?([\x60\x3b\x7c\x23]|%(25)?(60|3b|7c|23|26)|([\x3c\x3e\x24]|%(25)?(3c|3e|24))(\x28|%(25)?28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-19239; reference:url,seclists.org/fulldisclosure/2018/Dec/21; classtype:web-application-attack; sid:48744; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Tridium Niagara default administrator account login attempt"; flow:to_server,established; content:"/niagara/"; fast_pattern:only; http_uri; content:"Authorization|3A|"; nocase; content:"Basic"; distance:0; nocase; base64_decode:bytes 64, offset 0, relative; base64_data; pcre:"/^administrator\x3a\x20$/"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-16748; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-admin; sid:48740; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt"; flow:to_server,established; content:"/admin/managetracing/search/search"; fast_pattern:only; http_uri; pcre:"/(^|&)(search|domain|sender)=[^&]*?([\x60\x3b\x7c\x23]|%(25)?(60|3b|7c|23|26|0a)|([\x3c\x3e\x24]|%(25)?(3c|3e|24))(\x28|%(25)?28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-20323; reference:url,pentest.blog/advisory-mailcleaner-community-edition-remote-code-execution/; classtype:web-application-attack; sid:48737; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt"; flow:to_server,established; content:"/admin/managetracing/search/search"; fast_pattern:only; http_uri; content:"26"; http_raw_uri; pcre:"/[?&](search|domain|sender)=[^&]*?%(25)?26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-20323; reference:url,pentest.blog/advisory-mailcleaner-community-edition-remote-code-execution/; classtype:web-application-attack; sid:48736; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt"; flow:to_server,established; content:"/admin/managetracing/search/search"; fast_pattern:only; http_uri; pcre:"/[?&](search|domain|sender)=[^&]*?([\x60\x3b\x7c\x23\x0a]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-20323; reference:url,pentest.blog/advisory-mailcleaner-community-edition-remote-code-execution/; classtype:web-application-attack; sid:48735; rev:2;)
# SmarterStats (CVE-2011-2159), sids 48725-48731: this rule and the six that follow.
# Six are request-side and match only on the page path in the URI, so they would
# alert on any access to those pages, including routine administration; the seventh
# (sid 48725) is response-side and matches a "Server: SmarterTools" reply with no
# "Content-Type" in the next 150 bytes.
# NOTE(review): the request rules use http_uri on port 9999 and carry no
# "service http" metadata - confirm http_inspect covers port 9999 before enabling,
# otherwise the URI buffer is likely never populated for this traffic.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"SERVER-WEBAPP SmarterStats remote code execution attempt"; flow:to_server,established; content:"/Client/frmSeoSettings.aspx"; fast_pattern:only; http_uri; reference:cve,2011-2159; reference:url,xss.cx/examples/smarterstats-60-oscommandinjection-directorytraversal-xml-sqlinjection.html.html; classtype:web-application-attack; sid:48731; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"SERVER-WEBAPP SmarterStats remote code execution attempt"; flow:to_server,established; content:"/Client/frmImportSettings.aspx"; fast_pattern:only; http_uri; reference:cve,2011-2159; reference:url,xss.cx/examples/smarterstats-60-oscommandinjection-directorytraversal-xml-sqlinjection.html.html; classtype:web-application-attack; sid:48730; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"SERVER-WEBAPP SmarterStats remote code execution attempt"; flow:to_server,established; content:"/Admin/frmSite.aspx?SiteId=1&popup=true"; fast_pattern:only; http_uri; reference:cve,2011-2159; reference:url,xss.cx/examples/smarterstats-60-oscommandinjection-directorytraversal-xml-sqlinjection.html.html; classtype:web-application-attack; sid:48729; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"SERVER-WEBAPP SmarterStats remote code execution attempt"; flow:to_server,established; content:"/Admin/frmReportSettings.aspx"; fast_pattern:only; http_uri; reference:cve,2011-2159; reference:url,xss.cx/examples/smarterstats-60-oscommandinjection-directorytraversal-xml-sqlinjection.html.html; classtype:web-application-attack; sid:48728; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"SERVER-WEBAPP SmarterStats remote code execution attempt"; flow:to_server,established; content:"/Admin/Defaults/frmServerDefaults.aspx"; fast_pattern:only; http_uri; reference:cve,2011-2159; reference:url,xss.cx/examples/smarterstats-60-oscommandinjection-directorytraversal-xml-sqlinjection.html.html; classtype:web-application-attack; sid:48727; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"SERVER-WEBAPP SmarterStats remote code execution attempt"; flow:to_server,established; content:"/Admin/Defaults/frmDefaultSiteSettings.aspx"; fast_pattern:only; http_uri; reference:cve,2011-2159; reference:url,xss.cx/examples/smarterstats-60-oscommandinjection-directorytraversal-xml-sqlinjection.html.html; classtype:web-application-attack; sid:48726; rev:1;)
# alert tcp $HOME_NET 9999 -> $EXTERNAL_NET any (msg:"SERVER-WEBAPP SmarterStats remote code execution attempt"; flow:to_client,established; content:"Server: SmarterTools"; content:!"Content-Type"; within:150; isdataat:50; reference:cve,2011-2159; reference:url,xss.cx/examples/smarterstats-60-oscommandinjection-directorytraversal-xml-sqlinjection.html.html; classtype:web-application-attack; sid:48725; rev:1;)
# Kibana Console local file inclusion (CVE-2018-17246). Needs
# "/api/console/api_server" in the URI and an "apis=" query parameter whose value
# contains "../"; all matching is on the normalized URI buffer (http_uri, pcre /U).
# Enabled as drop in the balanced, max-detect and security policies.
# A hit shows a traversal sequence was sent to the Console API, not that a file was
# loaded - check the Kibana version and server logs when triaging.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Kibana Console for Elasticsearch local file inclusion attempt"; flow:to_server,established; content:"/api/console/api_server"; fast_pattern:only; http_uri; content:"apis="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]apis=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17246; reference:url,elastic.co/blog/kibana-local-file-inclusion-flaw-cve-2018-17246; classtype:web-application-attack; sid:48815; rev:1;)
# Delta Industrial Automation DRAStudio directory traversal. Raw-payload rule on TCP
# port 50000 (no HTTP buffers, no "service" metadata): '<Cmd name="FILE"'
# (case-insensitive), then "<par" within 300 bytes, then "../" within 50 bytes.
# Listed as drop in all four policies named in the metadata, including
# connectivity-ips.
# NOTE(review): detection is tied to destination port 50000, and the only reference
# is the vendor home page - no CVE or advisory is cited to triage against.
alert tcp $EXTERNAL_NET any -> $HOME_NET 50000 (msg:"SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt"; flow:to_server,established; content:"<Cmd name=|22|FILE|22|"; nocase; content:"<par"; within:300; nocase; content:"../"; within:50; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,www.deltaww.com; classtype:web-application-attack; sid:48826; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wifi-Soft Unibox ping.php command injection attempt"; flow:to_server,established; content:"/tools/ping"; depth:11; nocase; http_uri; content:"address="; nocase; http_client_body; pcre:"/(^|&)address=[^&]*?([\x60\x3b\x7c\x23]|%(25)?(60|3b|7c|23|26|0a)|([\x3c\x3e\x24]|%(25)?(3c|3e|24))(\x28|%(25)?28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-3497; reference:url,seclists.org/fulldisclosure/2019/Jan/23; classtype:web-application-attack; sid:48843; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wifi-Soft Unibox ping.php command injection attempt"; flow:to_server,established; content:"/tools/ping"; depth:11; nocase; http_uri; content:"address="; nocase; http_uri; content:"26"; http_raw_uri; pcre:"/[?&]address=[^&]*?%(25)?26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-3497; reference:url,seclists.org/fulldisclosure/2019/Jan/23; classtype:web-application-attack; sid:48842; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wifi-Soft Unibox ping.php command injection attempt"; flow:to_server,established; content:"/tools/ping"; depth:11; nocase; http_uri; content:"address="; nocase; http_uri; pcre:"/[?&]address=[^&]*?([\x60\x3b\x7c\x23\x0a]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-3497; reference:url,seclists.org/fulldisclosure/2019/Jan/23; classtype:web-application-attack; sid:48841; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wifi-Soft Unibox diagnostic_tools_controller.php command injection attempt"; flow:to_server,established; content:"/tools/controller/diagnostic_tools_controller"; fast_pattern:only; http_uri; content:"pingIPAddress="; nocase; http_client_body; pcre:"/(^|&)pingIPAddress=[^&]*?([\x60\x3b\x7c\x23]|%(25)?(60|3b|7c|23|26|0a)|([\x3c\x3e\x24]|%(25)?(3c|3e|24))(\x28|%(25)?28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-3496; reference:url,seclists.org/fulldisclosure/2019/Jan/23; classtype:web-application-attack; sid:48840; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wifi-Soft Unibox diagnostic_tools_controller.php command injection attempt"; flow:to_server,established; content:"/tools/controller/diagnostic_tools_controller"; fast_pattern:only; http_uri; content:"pingIPAddress="; nocase; http_uri; pcre:"/[?&]pingIPAddress=[^&]*?([\x60\x3b\x7c\x23\x0a]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-3496; reference:url,seclists.org/fulldisclosure/2019/Jan/23; classtype:web-application-attack; sid:48839; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wifi-Soft Unibox diagnostic_tools_controller.php command injection attempt"; flow:to_server,established; content:"/tools/controller/diagnostic_tools_controller"; fast_pattern:only; http_uri; content:"pingIPAddress="; nocase; http_uri; content:"26"; http_raw_uri; pcre:"/[?&]pingIPAddress=[^&]*?%(25)?26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-3496; reference:url,seclists.org/fulldisclosure/2019/Jan/23; classtype:web-application-attack; sid:48838; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt"; flow:to_server,established; content:"/public/index.php"; fast_pattern:only; http_uri; content:"function="; nocase; http_uri; content:"invokefunction"; nocase; http_uri; content:"vars"; nocase; http_uri; pcre:"/[?&]vars\[1\]\[\]=[^&]*?[\x20\x09\x0a]/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-20062; reference:url,www.exploit-db.com/exploits/45978; classtype:web-application-attack; sid:48837; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Control Manager TMCM SQL injection attempt"; flow:to_server,established; content:"/WebApp/reporting.aspx"; fast_pattern:only; http_uri; content:"WID="; nocase; http_client_body; pcre:"/(^|&)WID=[^&]*?([\x27\x22\x3b\x23\x28]|%27|%22|%3b|%23|%28|(\x2f|%2f)(\x2a|%2a)|(\x2d|%2d){2})/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-3606; classtype:web-application-attack; sid:48900; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Coaster CMS stored cross site scripting attempt"; flow:to_server,established; content:"/admin/pages/edit/"; fast_pattern:only; http_uri; content:"block"; nocase; http_client_body; content:"33"; within:4; distance:1; http_client_body; pcre:"/block(\x5b|%5b)33(\x5d|%5d)(\x22|\x27)[^&]*?[\x22\x27\x3c\x3e\x28\x29](script|on|svg|span \s*class|iframe)/Pi"; metadata:service http; reference:cve,2018-17876; reference:url,packetstormsecurity.com/files/149647/Coaster-CMS-5.5.0-Cross-Site-Scripting.html; classtype:attempted-user; sid:49093; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP IMC perfAddorModDeviceMonitorBean Java expression language injection attempt"; flow:to_server,established; content:"/imc/perfm/monitor/perfAddorModDeviceMonitor"; fast_pattern:only; http_uri; content:"beanName="; nocase; http_client_body; pcre:"/(^|&)beanName=[^&]*?(\x28|%(25)?28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-12520; reference:url,support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us; classtype:attempted-admin; sid:49127; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP IMC perfAddorModDeviceMonitorBean Java expression language injection attempt"; flow:to_server,established; content:"/imc/perfm/monitor/perfAddorModDeviceMonitor"; fast_pattern:only; http_uri; content:"beanName="; nocase; http_uri; pcre:"/[?&]beanName=[^&]*?\x28/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-12520; reference:url,support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us; classtype:attempted-admin; sid:49126; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP IMC faultEventSelectBean Java expression language injection attempt"; flow:to_server,established; content:"/imc/fault/browser/faultEventSelectFactWithRecover"; fast_pattern:only; http_uri; content:"beanName="; nocase; http_uri; pcre:"/[?&]beanName=[^&]*?\x28/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-12519; reference:url,support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us; classtype:attempted-admin; sid:49121; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP IMC faultEventSelectBean Java expression language injection attempt"; flow:to_server,established; content:"/imc/fault/browser/faultEventSelectFactWithRecover"; fast_pattern:only; http_uri; content:"beanName="; nocase; http_client_body; pcre:"/(^|&)beanName=[^&]*?(\x28|%(25)?28)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-12519; reference:url,support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us; classtype:attempted-admin; sid:49120; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Easy Shop local file inclusion attempt"; flow:to_server,established; content:"ajax.loadImage"; fast_pattern:only; http_uri; pcre:"/[?&]file=[^&]*?(Li4v|Li5c)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,exploit-db.com/exploits/46219; classtype:web-application-attack; sid:49098; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,5480] (msg:"SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt"; flow:to_server,established; content:"passwd=smc"; fast_pattern:only; content:"user=smc"; nocase; content:"/SE/app HTTP/"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-1216; classtype:attempted-user; sid:49191; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress login reconnaissance attempt"; flow:to_server,established; content:"User-Agent: Mozilla/5.0 (X11|3B| Ubuntu|3B| Linux x86_64|3B| rv:62.0) Gecko/20100101 Firefox/62.0"; fast_pattern:only; http_header; content:"/wp-login.php"; http_uri; detection_filter:track by_dst, count 15, seconds 60; metadata:service http; reference:url,blog.sucuri.net/2013/04/mass-wordpress-brute-force-attacks-myth-or-reality.html; classtype:suspicious-login; sid:49249; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress login reconnaissance attempt"; flow:to_server,established; content:"User-Agent: Mozilla/5.0 (Windows NT 6.0|3B| rv:34.0) Gecko/20100101 Firefox/34.0"; fast_pattern:only; http_header; content:"/wp-login.php"; http_uri; detection_filter:track by_dst, count 15, seconds 60; metadata:service http; reference:url,blog.sucuri.net/2013/04/mass-wordpress-brute-force-attacks-myth-or-reality.html; classtype:suspicious-login; sid:49248; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Magecart inbound scan for vulnerable plugin attempt"; flow:to_server,established; content:"?misc="; fast_pattern:only; http_uri; content:"&dl="; http_uri; content:"/index.php/"; http_uri; content:!"Referer"; http_header; content:"POST"; http_method; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:web-application-attack; sid:49282; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Drupal Core 8 PHP object injection RCE attempt"; flow:to_server,established; content:"/node"; fast_pattern:only; http_uri; content:"|22|options|22|"; nocase; http_client_body; pcre:"/\x22options\x22\s*\x3a\s*\x22((?!(?<!\x5c)\x22).)*?(?-i)O\x3a/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-6340; classtype:web-application-attack; sid:49257; rev:2;)
# CentOS Web Panel persistent XSS (CVE-2019-7646): sids 49322, 49321, 49320, 49319, all disabled.
# Each rule selects one admin request on port 2030 by its fast pattern, requires a parameter
# name, then runs a pcre for XSS metacharacters/keywords. No HTTP buffer modifiers are used,
# so content and pcre are evaluated on the raw payload and %-encoded forms are listed explicitly.
# NOTE(review): sids 49322 and 49320 wrap the alternation in a group, "name=[^&]*?(A|B|...)",
# so a hit must lie inside the parameter value. sids 49321 and 49319 omit the group; regex
# precedence then makes "%22", "script", "onload", "src", ... top-level alternatives that match
# anywhere in the payload, independent of "ifpost=". That looks unintended and false-positive
# prone; confirm the intended parameter and group the alternation before enabling these two.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2030 (msg:"SERVER-WEBAPP CentOS Web Panel persistent cross site scripting attempt"; flow:to_server,established; content:"acc=feature_manager"; fast_pattern:only; content:"name="; pcre:"/name=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|%22|%27|%3c|%3e|%28|%29|script|onload|src)/i"; metadata:service http; reference:cve,2019-7646; reference:url,exploit-db.com/exploits/46349; classtype:attempted-user; sid:49322; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2030 (msg:"SERVER-WEBAPP CentOS Web Panel persistent cross site scripting attempt"; flow:to_server,established; content:"module=mail_add-new"; fast_pattern:only; content:"ifpost="; pcre:"/ifpost=[^&]*?[\x22\x27\x3c\x3e\x28\x29]|%22|%27|%3c|%3e|%28|%29|script|onload|src/i"; metadata:service http; reference:cve,2019-7646; reference:url,exploit-db.com/exploits/46349; classtype:attempted-user; sid:49321; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2030 (msg:"SERVER-WEBAPP CentOS Web Panel persistent cross site scripting attempt"; flow:to_server,established; content:"module=new_account"; fast_pattern:only; content:"email="; pcre:"/email=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|%22|%27|%3c|%3e|%28|%29|script|onload|src)/i"; metadata:service http; reference:cve,2019-7646; reference:url,exploit-db.com/exploits/46349; classtype:attempted-user; sid:49320; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2030 (msg:"SERVER-WEBAPP CentOS Web Panel persistent cross site scripting attempt"; flow:to_server,established; content:"module=add_package"; fast_pattern:only; content:"ifpost=yes"; pcre:"/ifpost=yes[^&]*?[\x22\x27\x3c\x3e\x28\x29]|%22|%27|%3c|%3e|%28|%29|script|onload|src/i"; metadata:service http; reference:cve,2019-7646; reference:url,exploit-db.com/exploits/46349; classtype:attempted-user; sid:49319; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Smart Protection Server SQL injection attempt"; flow:to_server, established; content:"wcs_bwlists_handler.php"; fast_pattern:only; http_uri; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?(ru|ip4|cn|dn)((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|(?<!^)\x2d{2})/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-10350; classtype:web-application-attack; sid:49303; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Smart Protection Server SQL injection attempt"; flow:to_server, established; content:"wcs_bwlists_handler.php"; fast_pattern:only; http_uri; pcre:"/(^|&)(ru|ip4|cn|dn)=[^&]*?([\x27\x22\x3b\x23\x28]|%(25)?(27|22|3b|23|28)|(\x2f|%(25)?2f)(\x2a|%(25)?2a)|(\x2d|%(25)?2d){2})/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-10350; classtype:web-application-attack; sid:49302; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Smart Protection Server SQL injection attempt"; flow:to_server,established; content:"wcs_bwlists_handler.php"; fast_pattern:only; http_uri; pcre:"/[?&](ru|ip4|cn|dn)=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-10350; classtype:web-application-attack; sid:49301; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NoneCms V1.3 PHP code execution attempt"; flow:to_server,established; content:"s=index/think/Request/input"; fast_pattern:only; http_uri; content:"/noneCms/public/"; nocase; http_uri; content:"filter="; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-20062; reference:url,github.com/nangge/noneCms/issues/21; classtype:web-application-attack; sid:49298; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Rockwell Automation Allen-Bradley PowerMonitor 1000 cross site scripting attempt"; flow:to_server,established; content:"/Security/Security.shtm"; fast_pattern:only; http_uri; content:"/Security/cgi-bin/security"; nocase; http_client_body; pcre:"/Security\x2fcgi-bin\x2fsecurity\x7c\d+\x7c\d+\x7c[^&]*?([\x22\x27\x3c\x3e\x28\x29]|%(25)?(22|27|3c|3e|28|29)|script|onload|src)/Pi"; metadata:service http; reference:cve,2018-19615; classtype:attempted-user; sid:49326; rev:1;)
# Adobe ColdFusion unauthorized serialized object attempt (CVE-2019-7091), sid 49399 - ENABLED;
# drops under the balanced-ips, max-detect-ips and security-ips policies.
# Fires on a request that contains "POST /flashservices/gateway" (fast pattern) together with
# "InitialContext.doLookup" and an "rmi://" URL (case-insensitive). No HTTP buffer modifiers are
# used, so all three contents are searched in the raw payload, in any order.
# NOTE(review): the destination is fixed to ports 8500 and 8501; a ColdFusion instance reached
# through a front-end web server on other ports is not inspected by this rule - confirm against
# how ColdFusion is published in this environment.
alert tcp $EXTERNAL_NET any -> $HOME_NET [8500,8501] (msg:"SERVER-WEBAPP Adobe ColdFusion unauthorized serialized object attempt"; flow:to_server,established; content:"POST /flashservices/gateway"; fast_pattern:only; content:"InitialContext.doLookup"; content:"rmi://"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-7091; reference:url,helpx.adobe.com/security/products/coldfusion/apsb19-10.html; classtype:attempted-user; sid:49399; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/info.cgi?syslog"; fast_pattern:only; http_uri; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:service http; reference:url,www.alcyon.nl/blog/sitecom-nas-md-253-and-md-254-risk-mitigation/; classtype:web-application-attack; sid:49435; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/info.cgi?syslog"; fast_pattern:only; http_uri; pcre:"/(^|&)*?(\x2e|%(25)?2e){2}([\x2f\x5c]|%(25)?(2f|5c))/Pim"; metadata:service http; reference:url,www.alcyon.nl/blog/sitecom-nas-md-253-and-md-254-risk-mitigation/; classtype:web-application-attack; sid:49434; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/info.cgi?syslog"; fast_pattern:only; http_uri; content:"../"; http_uri; pcre:"/[?&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:url,www.alcyon.nl/blog/sitecom-nas-md-253-and-md-254-risk-mitigation/; classtype:web-application-attack; sid:49433; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MyBB Bans List Extension cross site scripting attempt"; flow:to_server,established; content:"/modcp.php"; fast_pattern:only; http_uri; content:"banreason="; nocase; http_uri; pcre:"/[?&]banreason=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2018-14724; reference:url,exploit-db.com/exploits/46347; classtype:attempted-user; sid:49430; rev:1;)
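# MyBB Bans List XSS, request-body variant (CVE-2018-14724), sid 49429; disabled.
# The /P pcre runs on the request body, where the first parameter has no "?" or "&" in front
# of it, so the anchor also accepts start-of-line (m flag); "?" and "&" are still accepted.
# The body alternatives list %-encoded and double-encoded (%25xx) metacharacters explicitly.
# Local change: only the pcre anchor and the m flag differ from the distributed rule text.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MyBB Bans List Extension cross site scripting attempt"; flow:to_server,established; content:"/modcp.php"; fast_pattern:only; http_uri; content:"banreason="; nocase; http_client_body; pcre:"/(^|[?&])banreason=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|%(25)?(22|27|3c|3e|28|29)|script|onload|src)/Pim"; metadata:service http; reference:cve,2018-14724; reference:url,exploit-db.com/exploits/46347; classtype:attempted-user; sid:49429; rev:1;)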
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Orange LiveBox unauthorized credentials access attempt"; flow:to_server,established; urilen:23; content:"/get_getnetworkconf.cgi"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-20377; reference:url,badpackets.net/over-19000-orange-livebox-adsl-modems-are-leaking-their-wifi-credentials/; classtype:attempted-recon; sid:49418; rev:1;)
# Samsung Integrated Management System Data Management Server SQL injection (CVE-2010-4284):
# sids 49415, 49414, 49413, all disabled. The three rules apply the same check to the user_pwd
# parameter in a multipart body (49415), a urlencoded body (49414) and the URI query (49413).
# NOTE(review): the only URI content is the single byte "/" and it is marked fast_pattern:only,
# so the fast pattern selects essentially every HTTP request and the remaining content/pcre
# options do all the filtering. Expect a performance cost if these are enabled; the longer
# "user_pwd" content looks like the more selective fast pattern - profile before enabling.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt"; flow:to_server,established; content:"/"; fast_pattern:only; http_uri; content:"user_pwd"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?user_pwd((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|(?<!^)\x2d{2})/Psim"; metadata:service http; reference:cve,2010-4284; classtype:web-application-attack; sid:49415; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt"; flow:to_server,established; content:"/"; fast_pattern:only; http_uri; content:"user"; nocase; http_client_body; pcre:"/(^|&)user(\x5f|%(25)?5f)pwd=[^&]*?([\x27\x22\x3b\x23\x28]|%(25)?(27|22|3b|23|28)|(\x2f|%(25)?2f)(\x2a|%(25)?2a)|(\x2d|%(25)?2d){2})/Pim"; metadata:service http; reference:cve,2010-4284; classtype:web-application-attack; sid:49414; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt"; flow:to_server,established; content:"/"; fast_pattern:only; http_uri; content:"user_pwd="; nocase; http_uri; pcre:"/[?&]user_pwd=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:service http; reference:cve,2010-4284; classtype:web-application-attack; sid:49413; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8755 (msg:"SERVER-WEBAPP Simple Scada directory traversal attempt"; flow:to_server,established; content:"/%5c../%5c../%5c../"; nocase; metadata:service http; reference:url,simple-scada.com; classtype:web-application-attack; sid:49408; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt"; flow:to_server,established; content:"/WADashboard/login?cont=dashboardViewer"; fast_pattern:only; http_uri; content:"username"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?username((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|(?<!^)\x2d{2})/Psim"; metadata:service http; reference:cve,2017-16716; classtype:web-application-attack; sid:49407; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt"; flow:to_server,established; content:"/WADashboard/login?cont=dashboardViewer"; fast_pattern:only; http_uri; content:"username="; nocase; http_client_body; pcre:"/(^|&)username=[^&]*?([\x27\x22\x3b\x23\x28]|%(25)?(27|22|3b|23|28)|(\x2f|%(25)?2f)(\x2a|%(25)?2a)|(\x2d|%(25)?2d){2})/Pim"; metadata:service http; reference:cve,2017-16716; classtype:web-application-attack; sid:49406; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt"; flow:to_server,established; content:"/WADashboard/login?cont=dashboardViewer"; fast_pattern:only; http_uri; content:"username="; nocase; http_uri; pcre:"/[?&]username=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:service http; reference:cve,2017-16716; classtype:web-application-attack; sid:49405; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP Zip Upload command injection attempt"; flow:to_server,established; content:"/cgi-bin/filemanager/utilRequest.cgi"; fast_pattern:only; http_uri; content:"ame"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?(upload_n|fileN)ame((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Psim"; metadata:service http; classtype:web-application-attack; sid:49493; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP Zip Upload command injection attempt"; flow:to_server,established; content:"/cgi-bin/filemanager/utilRequest.cgi"; fast_pattern:only; http_uri; pcre:"/(^|&)(upload(\x5f|%(25)?5f)n|fileN)ame=[^&]*?([\x60\x3b\x7c\x23]|%(25)?(60|3b|7c|23|26)|([\x3c\x3e\x24]|%(25)?(3c|3e|24))(\x28|%(25)?28))/Pim"; metadata:service http; classtype:web-application-attack; sid:49492; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP Zip Upload command injection attempt"; flow:to_server,established; content:"/cgi-bin/filemanager/utilRequest.cgi"; fast_pattern:only; http_uri; content:"ame="; nocase; http_uri; content:"26"; http_raw_uri; pcre:"/[?&](upload(\x5f|%(25)?5f)n|fileN)ame=[^&]*?%(25)?26/Ii"; metadata:service http; classtype:web-application-attack; sid:49491; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP Zip Upload command injection attempt"; flow:to_server,established; content:"/cgi-bin/filemanager/utilRequest.cgi"; fast_pattern:only; http_uri; content:"ame="; nocase; http_uri; pcre:"/[?&](upload_n|fileN)ame=[^&]*?([\x60\x3b\x7c\x23]|[\x3c\x3e\x24]\x28)/Ui"; metadata:service http; classtype:web-application-attack; sid:49490; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt"; flow:to_server,established; content:"/plugins/content/cwattachments/cwattachments/helpers/download.php"; fast_pattern:only; http_uri; content:"id"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?id((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|(?<!^)\x2d{2})/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-14592; reference:url,www.cwjoomla.com/download-cw-article-attachments; classtype:web-application-attack; sid:49465; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt"; flow:to_server,established; content:"/plugins/content/cwattachments/cwattachments/helpers/download.php"; fast_pattern:only; http_uri; content:"id="; nocase; http_client_body; pcre:"/(^|&)id=[^&]*?([\x27\x22\x3b\x23\x28]|%(25)?(27|22|3b|23|28)|(\x2f|%(25)?2f)(\x2a|%(25)?2a)|(\x2d|%(25)?2d){2})/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-14592; reference:url,www.cwjoomla.com/download-cw-article-attachments; classtype:web-application-attack; sid:49464; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt"; flow:to_server,established; content:"/plugins/content/cwattachments/cwattachments/helpers/download.php"; fast_pattern:only; http_uri; content:"id="; nocase; http_uri; pcre:"/[?&]id=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-14592; reference:url,www.cwjoomla.com/download-cw-article-attachments; classtype:web-application-attack; sid:49463; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress comment cross site request forgery attempt"; flow:to_server,established; content:"/wp-comments-post.php"; fast_pattern:only; http_uri; content:"comment="; nocase; http_client_body; content:"|22|"; within:100; http_client_body; content:"onmouseover"; within:150; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release/; classtype:attempted-user; sid:49448; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ruby on Rails render file directory traversal attempt"; flow:to_server,established; content:"../"; fast_pattern:only; http_header; content:"Accept|3A|"; nocase; http_header; pcre:"/^Accept\x3a[^\r\n]*?\x2e\x2e\x2f/Him"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-5418; classtype:web-application-attack; sid:49503; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ruby on Rails render file directory traversal attempt"; flow:to_server,established; content:"..|5C|"; fast_pattern:only; http_header; content:"Accept|3A|"; nocase; http_header; pcre:"/^Accept\x3a[^\r\n]*?\x2e\x2e\x5c/Him"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-5418; classtype:web-application-attack; sid:49502; rev:1;)
# Jenkins Groovy metaprogramming remote code execution (CVE-2019-1003000, CVE-2019-1003001,
# CVE-2019-1003002): sids 49499 and 49498 - both ENABLED; drop under balanced-ips,
# max-detect-ips and security-ips.
# sid 49499 (URI form): the normalized URI contains the CpsFlowDefinition/checkScriptCompile
# path (fast pattern) and "value=" followed later (distance:0) by "@grab", case-insensitive.
# sid 49498 (body form): the request body contains the CpsFlowDefinition class name (fast
# pattern) and "@grab" anywhere; the two contents are not ordered relative to each other.
# NOTE(review): other rules in this file that inspect http_client_body spell out %-encoded
# variants in their pcre, which suggests the body buffer is not percent-decoded. sid 49498 has
# no encoded variant of "@" - confirm whether a form-encoded body is still matched.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Jenkins Groovy metaprogramming remote code execution attempt"; flow:to_server,established; content:"/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile"; fast_pattern:only; http_uri; content:"value="; nocase; http_uri; content:"@grab"; distance:0; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-1003000; reference:cve,2019-1003001; reference:cve,2019-1003002; reference:url,jenkins.io/security/advisory/2019-01-08; classtype:attempted-admin; sid:49499; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Jenkins Groovy metaprogramming remote code execution attempt"; flow:to_server,established; content:"org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition"; fast_pattern:only; http_client_body; content:"@grab"; nocase; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-1003000; reference:cve,2019-1003001; reference:cve,2019-1003002; reference:url,jenkins.io/security/advisory/2019-01-08; classtype:attempted-admin; sid:49498; rev:1;)
# Apache Solr jmx.serviceUrl remote code execution (CVE-2019-0192), sid 49557 - ENABLED;
# drops under balanced-ips, max-detect-ips and security-ips.
# Requires "/config/jmx" in the URI and, in the request body, "set-property", "jmx.serviceUrl"
# and "service:jmx:rmi://" (fast pattern) within 25 bytes of the preceding content match.
# NOTE(review): the header is $HOME_NET -> $EXTERNAL_NET with flow:to_server, i.e. requests
# leaving the protected network, whereas the other enabled rules in this part of the file
# watch $EXTERNAL_NET -> $HOME_NET. As written, a request from outside to a Solr server inside
# $HOME_NET is not matched unless the two variables overlap - confirm the direction is intended.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache Solr jmx.serviceUrl remote code execution attempt"; flow:to_server,established; content:"/config/jmx"; nocase; http_uri; content:"set-property"; nocase; http_client_body; content:"jmx.serviceUrl"; nocase; http_client_body; content:"service|3A|jmx|3A|rmi|3A|//"; within:25; fast_pattern; nocase; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-0192; reference:url,www.securityfocus.com/bid/107318; classtype:attempted-admin; sid:49557; rev:1;)
# elFinder PHP connector (CVE-2019-9194): sids 49538 and 49537, both disabled.
# sid 49538: multipart upload to /php/connector.minimal.php whose quoted filename value
# contains a shell metacharacter, raw or %-encoded (pcre on the request body).
# sid 49537: any request to the same connector whose body contains "<?".
# NOTE(review): sid 49537 keys on the two bytes "<?" only, so an upload that starts with an
# XML declaration would presumably match as well. Its metadata maps it to drop in the
# max-detect-ips and security-ips policies - check for false positives before enabling inline.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP elFinder PHP connector command injection attempt"; flow:to_server,established; content:"/php/connector.minimal.php"; fast_pattern:only; http_uri; content:"filename"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/filename\s*=\s*\x22[^\x22]*?([\x60\x3b\x7c\x23\x26]|%(25)?(60|3b|7c|23|26|0a)|([\x3c\x3e\x24]|%(25)?(3c|3e|24))(\x28|%(25)?28))/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-9194; reference:url,github.com/Studio-42/elFinder/releases/tag/2.1.48; classtype:web-application-attack; sid:49538; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP elFinder PHP connector arbitrary PHP file upload attempt"; flow:to_server,established; content:"/php/connector.minimal.php"; fast_pattern:only; http_uri; content:"<?"; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-9194; reference:url,github.com/Studio-42/elFinder/releases/tag/2.1.48; classtype:attempted-admin; sid:49537; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP WordPress SocialWarfare plugin stored cross site scripting attempt"; flow:to_client,established; file_data; content:"analytics_campaign"; fast_pattern:only; content:"analytics_medium"; nocase; content:"<pre>"; depth:5; nocase; content:"<script"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-9978; reference:url,github.com/warfare-plugins/social-warfare/commit/5709e948bf0cd372bf3f42c962e432e65c1f1aad; classtype:web-application-attack; sid:49528; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress SocialWarfare deprecated function access attempt"; flow:to_server,established; content:"swp_url="; fast_pattern:only; http_uri; content:"load_options"; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-9978; reference:url,github.com/warfare-plugins/social-warfare/commit/5709e948bf0cd372bf3f42c962e432e65c1f1aad; classtype:web-application-attack; sid:49527; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TPLink TD W8151N SQL injection attempt"; flow:to_server,established; content:"/Forms/status_1"; fast_pattern:only; http_uri; content:"flagFresh="; nocase; http_uri; pcre:"/[?&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)[^&]?=/Ui"; metadata:service http; classtype:web-application-attack; sid:49526; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TPLink TD W8151N SQL injection attempt"; flow:to_server,established; content:"/Forms/status_1"; fast_pattern:only; http_uri; content:"flagFresh="; nocase; http_client_body; pcre:"/(^|&)*?([\x27\x22\x3b\x23\x28]|%(25)?(27|22|3b|23|28)|(\x2f|%(25)?2f)(\x2a|%(25)?2a)|(\x2d|%(25)?2d){2})[^&]?=/Pim"; metadata:service http; classtype:web-application-attack; sid:49525; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TPLink TD W8151N SQL injection attempt"; flow:to_server,established; content:"/Forms/status_1"; fast_pattern:only; http_uri; content:"flagFresh"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?((?!^--).)*?([\x27\x3b\x23\x28]|\x2f\x2a|(?<!^)\x2d{2})((?!^--).)*?[\r\n]{2,}/Psim"; metadata:service http; classtype:web-application-attack; sid:49524; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Zyxel ZyWALL information disclosure attempt"; flow:to_server,established; content:"cgi-bin/export-cgi/images/"; fast_pattern:only; http_uri; content:"category=config"; http_uri; content:"arg0="; http_uri; content:".conf"; within:30; http_uri; metadata:service http; classtype:attempted-recon; sid:49523; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Magecart infected page outbound request attempt"; flow:to_server,established; content:"/checkout/onepage/"; fast_pattern:only; http_header; content:".js?v="; http_uri; urilen:<21; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:49522; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Control Manager SQL injection attempt"; flow:to_server,established; content:"/WebApp/reporting.aspx"; fast_pattern:only; http_uri; content:"userscope"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?userscope((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|(?<!^)\x2d{2})/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-3606; reference:url,success.trendmicro.com/solution/1119158; classtype:web-application-attack; sid:49605; rev:1;)
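# Trend Micro Control Manager SQL injection, URI variant (CVE-2018-3606), sid 49604; disabled.
# The /U pcre runs on the normalized URI, which begins with the request path, so "^" can never
# sit directly before the parameter name. The anchor therefore also accepts "?" so that
# userscope as the first query parameter is covered; "&userscope=" still matches as before.
# Local change: only the pcre anchor differs from the distributed rule text.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Control Manager SQL injection attempt"; flow:to_server,established; content:"/WebApp/reporting.aspx"; fast_pattern:only; http_uri; content:"userscope="; nocase; http_uri; pcre:"/(^|[?&])userscope=[^&]*?([\x27\x22\x3b\x23\x28]|%(25)?(27|22|3b|23|28)|(\x2f|%(25)?2f)(\x2a|%(25)?2a)|(\x2d|%(25)?2d){2})/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-3606; reference:url,success.trendmicro.com/solution/1119158; classtype:web-application-attack; sid:49604; rev:1;)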
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Control Manager SQL injection attempt"; flow:to_server,established; content:"/WebApp/reporting.aspx"; fast_pattern:only; http_uri; content:"userscope="; nocase; http_client_body; pcre:"/(^|&)userscope=[^&]*?([\x27\x22\x3b\x23\x28]|%27|%22|%3b|%23|%28|(\x2f|%2f)(\x2a|%2a)|(\x2d|%2d){2})/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-3606; classtype:web-application-attack; sid:49603; rev:1;)
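# Fiberhome AN5506-04-F RP2669 XSS via account_user on /goform/setUser (CVE-2019-9556), sid 49598; disabled.
# The /P pcre runs on the request body, where the first parameter has no "?" or "&" in front
# of it, so the anchor also accepts start-of-line (m flag); "?" and "&" are still accepted.
# Local change: only the pcre anchor and the m flag differ from the distributed rule text.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Fiberhome AN5506-04-F RP2669 cross site scripting attempt"; flow:to_server,established; content:"/goform/setUser"; fast_pattern:only; http_uri; content:"account_user="; nocase; http_client_body; pcre:"/(^|[?&])account(\x5f|%(25)?5f)user=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|%(25)?(22|27|3c|3e|28|29)|script|onload|src)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-9556; reference:url,www.exploit-db.com/exploits/46498; classtype:attempted-user; sid:49598; rev:1;)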
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CMSsite 1.0 SQL injection attempt"; flow:to_server,established; content:"/category.php"; fast_pattern:only; http_uri; content:"cat_id="; nocase; http_uri; pcre:"/[?&]cat_id=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,github.com/VictorAlagwu/CMSsite/commit/d2aa15d0ef96d80f20752621e3b5a21e83c4a7fb; classtype:web-application-attack; sid:49587; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP ElectronJS Exodus remote code execution attempt"; flow:to_server,established; file_data; content:"--renderer-cmd-prefix="; fast_pattern:only; content:"window.location"; pcre:"/window\.location\s+=\s+(\x27|\x22)\w+:\/\/.*?--renderer-cmd-prefix/i"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2018-1000006; reference:url,exploit-db.com/exploits/44357; classtype:attempted-user; sid:49582; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP ElectronJS Exodus remote code execution attempt"; flow:to_server,established; file_data; content:"--gpu-launcher="; fast_pattern:only; content:"window.location"; pcre:"/window\.location\s+=\s+(\x27|\x22)\w+:\/\/.*?--gpu-launcher/i"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2018-1000006; reference:url,exploit-db.com/exploits/44357; classtype:attempted-user; sid:49581; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP ElectronJS Exodus remote code execution attempt"; flow:to_client,established; file_data; content:"--renderer-cmd-prefix="; fast_pattern:only; content:"window.location"; pcre:"/window\.location\s+=\s+(\x27|\x22)\w+:\/\/.*?--renderer-cmd-prefix/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1000006; reference:url,exploit-db.com/exploits/44357; classtype:attempted-user; sid:49580; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP ElectronJS Exodus remote code execution attempt"; flow:to_client,established; file_data; content:"--gpu-launcher="; fast_pattern:only; content:"window.location"; pcre:"/window\.location\s+=\s+(\x27|\x22)\w+:\/\/.*?--gpu-launcher/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1000006; reference:url,exploit-db.com/exploits/44357; classtype:attempted-user; sid:49579; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP ElectronJS Exodus remote code execution attempt"; flow:to_client,established; content:"--renderer-cmd-prefix="; fast_pattern:only; http_header; content:"Location"; http_header; pcre:"/Location:\s+\w+:\/\/.*?--renderer-cmd-prefix/Hi"; metadata:policy max-detect-ips drop, service http; reference:cve,2018-1000006; reference:url,exploit-db.com/exploits/44357; classtype:attempted-user; sid:49578; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP ElectronJS Exodus remote code execution attempt"; flow:to_client,established; content:"--gpu-launcher="; fast_pattern:only; http_header; content:"Location"; http_header; pcre:"/Location:\s+\w+:\/\/.*?--gpu-launcher/Hi"; metadata:policy max-detect-ips drop, service http; reference:cve,2018-1000006; reference:url,exploit-db.com/exploits/44357; classtype:attempted-user; sid:49577; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress image edit directory traversal attempt"; flow:to_server,established; content:"/blog/wp-admin/post.php"; fast_pattern:only; http_uri; content:"meta_input[_wp_attached_file]"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?meta_input\x5b_wp_attached_file\x5d((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-8942; classtype:web-application-attack; sid:49647; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress image edit directory traversal attempt"; flow:to_server,established; content:"/blog/wp-admin/post.php"; fast_pattern:only; http_uri; content:"meta_input[_wp_attached_file]="; nocase; http_client_body; pcre:"/(^|&)meta_input\x5b_wp_attached_file\x5d=[^&]*?(\x2e|%(25)?2e){2}([\x2f\x5c]|%(25)?(2f|5c))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-8942; classtype:web-application-attack; sid:49646; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress image edit directory traversal attempt"; flow:to_server,established; content:"/blog/wp-admin/post.php"; fast_pattern:only; http_uri; content:"meta_input[_wp_attached_file]="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]meta_input\x5b_wp_attached_file\x5d=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-8942; classtype:web-application-attack; sid:49645; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Softneta MedDream PACS Server Premium directory traversal attempt"; flow:to_server,established; content:"/Pacs/nocache.php"; fast_pattern:only; http_uri; content:"path"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?path((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,softneta.com/products/meddream-pacs-server/downloads.html; classtype:web-application-attack; sid:49644; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Softneta MedDream PACS Server Premium directory traversal attempt"; flow:to_server,established; content:"/Pacs/nocache.php"; fast_pattern:only; http_uri; content:"path="; nocase; http_client_body; pcre:"/(^|&)path=[^&]*?(\x2e|%(25)?2e){2}([\x2f\x5c]|%(25)?(2f|5c))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,softneta.com/products/meddream-pacs-server/downloads.html; classtype:web-application-attack; sid:49643; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Softneta MedDream PACS Server Premium directory traversal attempt"; flow:to_server,established; content:"/Pacs/nocache.php"; fast_pattern:only; http_uri; content:"path="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]path=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,softneta.com/products/meddream-pacs-server/downloads.html; classtype:web-application-attack; sid:49642; rev:1;)
# SID 49635 (shipped disabled): CMS Made Simple Showtime2 upload, CVE-2019-9692.
# Scope: requests whose URI contains "/admin/moduleinterface.php" and whose payload
# contains "Showtime2" (that content has no HTTP buffer modifier, so it is matched
# against the raw payload rather than a specific HTTP field).
# The only body check is the two-byte content "<?" in http_client_body. That sequence
# also opens XML prologs ("<?xml"), so the rule cannot tell a PHP upload from any other
# body carrying "<?" -- NOTE(review): expect tuning or suppression if this admin
# endpoint sees legitimate XML or template uploads; confirm before enabling.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CMS Made Simple Showtime2 Module arbitrary PHP file upload attempt"; flow:to_server,established; content:"/admin/moduleinterface.php"; fast_pattern:only; http_uri; content:"Showtime2"; nocase; content:"<?"; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-9692; reference:url,forum.cmsmadesimple.org/viewtopic.php?f=1&t=80285; classtype:attempted-admin; sid:49635; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess Dashboard directory traversal attempt"; flow:to_server,established; content:"/WADashboard/api/dashboard/v1/files/download"; fast_pattern:only; http_uri; content:"project"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?project((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-15706; reference:url,www.advantech.com; classtype:web-application-attack; sid:49622; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess Dashboard directory traversal attempt"; flow:to_server,established; content:"/WADashboard/api/dashboard/v1/files/download"; fast_pattern:only; http_uri; content:"project="; nocase; http_client_body; pcre:"/(^|&)project=[^&]*?(\x2e|%(25)?2e){2}([\x2f\x5c]|%(25)?(2f|5c))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-15706; reference:url,www.advantech.com; classtype:web-application-attack; sid:49621; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Advantech WebAccess Dashboard directory traversal attempt"; flow:to_server,established; content:"/WADashboard/api/dashboard/v1/files/download"; fast_pattern:only; http_uri; content:"project="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]project=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-15706; reference:url,www.advantech.com; classtype:web-application-attack; sid:49620; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Flexpaper and Flowpaper potential arbitrary file deletion attempt"; flow:to_server,established; content:"/php/change_config.php"; fast_pattern:only; http_uri; content:"SWF_Directory="; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11686; reference:url,redtimmysec.wordpress.com/2019/03/07/flexpaper-remote-code-execution/; classtype:web-application-attack; sid:49669; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Flexpaper and Flowpaper deletion of configuration file attempt"; flow:to_server,established; content:"/php/change_config.php"; fast_pattern:only; http_uri; content:"SWF_Directory=config"; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11686; reference:url,redtimmysec.wordpress.com/2019/03/07/flexpaper-remote-code-execution/; classtype:web-application-attack; sid:49668; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Flexpaper and Flowpaper command injection attempt"; flow:to_server,established; content:"/php/setup.php"; fast_pattern:only; http_uri; content:"PDF2SWF_PATH="; http_uri; content:"step="; http_uri; pcre:"/(^|[?&])PDF2SWF(\x5f|%(25)?5f)PATH=[^&\r\n]*?([\x60\x3b\x7c\x23]|%(25)?(60|3b|7c|23|26)|([\x3c\x3e\x24]|%(25)?(3c|3e|24))(\x28|%(25)?28))/Uim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11686; reference:url,redtimmysec.wordpress.com/2019/03/07/flexpaper-remote-code-execution/; classtype:web-application-attack; sid:49667; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2222 (msg:"SERVER-WEBAPP DirectAdmin admin account creation attempt"; flow:to_server,established; content:"/CMD_ACCOUNT_ADMIN"; fast_pattern:only; content:"action=create"; nocase; content:"passwd="; nocase; content:"username="; nocase; metadata:service http; reference:cve,2019-9625; classtype:attempted-admin; sid:49665; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CMSsite 1.0 SQL injection attempt"; flow:to_server,established; content:"/search.php"; fast_pattern:only; http_uri; content:"search"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?search((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|(?<!^)\x2d{2})/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,github.com/VictorAlagwu/CMSsite; classtype:web-application-attack; sid:49663; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP CMSsite 1.0 SQL injection attempt"; flow:to_server,established; content:"/search.php"; fast_pattern:only; http_uri; content:"search="; nocase; http_client_body; pcre:"/(^|&)search=[^&]*?([\x27\x22\x3b\x23\x28]|%(25)?(27|22|3b|23|28)|(\x2f|%(25)?2f)(\x2a|%(25)?2a)|(\x2d|%(25)?2d){2})/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,github.com/VictorAlagwu/CMSsite; classtype:web-application-attack; sid:49662; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Horde Groupware Webmail Contact Management add.php directory traversal attempt"; flow:to_server,established; content:"/turba/add.php"; fast_pattern:only; http_uri; content:"object[photo][img][file]"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?object\x5bphoto\x5d\x5bimg\x5d\x5bfile\x5d((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.ratiosec.com/2019/horde-groupware-webmail-authenticated-arbitrary-file-injection-to-rce/; classtype:web-application-attack; sid:49715; rev:1;)
# SID 49714 (shipped disabled): Horde Groupware Webmail /turba/add.php upload, CVE-2019-9858.
# Two conditions only: the URI contains "/turba/add.php" and the request body contains
# the two bytes "<?". There is no check on the uploaded file name, field name or
# content type, so any body with "<?" (including an XML prolog) sent to this endpoint
# matches -- NOTE(review): likely needs tuning where contact imports are in normal use.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Horde Groupware Webmail Contact Management add.php arbitrary PHP file upload attempt"; flow:to_server,established; content:"/turba/add.php"; fast_pattern:only; http_uri; content:"<?"; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-9858; reference:url,www.ratiosec.com/2019/horde-groupware-webmail-authenticated-arbitrary-file-injection-to-rce/; classtype:attempted-admin; sid:49714; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DNS-320L ShareCenter PHP code injection attempt"; flow:to_server,established; content:"HsgJHMgPSAkZigidGNwOi8veyRpcH06eyRwb3J0fSIpOyAkc190eXBlID0gJ3N0cmVhbSc7IH0"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,exploit-db.com/exploits/43434; classtype:web-application-attack; sid:49769; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DNS-320L ShareCenter PHP code injection attempt"; flow:to_server,established; content:"/cgi-bin/login_mgr.cgi"; fast_pattern:only; http_uri; content:"name="; nocase; http_client_body; pcre:"/(^|&)name=[^&]*?([\x60\x3b\x24\x28]|%(25)?(60|3b|24|28)|include|require)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,exploit-db.com/exploits/43434; classtype:web-application-attack; sid:49768; rev:1;)
# SIDs 49796 / 49795 (enabled): WordPress Yuzo Related Posts cross-site scripting attempt,
# keyed on the yuzo_related_post_css_and_style parameter in client-to-server traffic.
#   49796 - request body (http_client_body, pcre /P). The pcre accepts a literal "_" or
#           its single/double percent-encoded form (%5f, %255f) in the parameter name and
#           the literal or single/double percent-encoded forms of " ' < > ( ) in the value.
#   49795 - request URI (http_uri, pcre /U); only the literal characters are listed here.
# Both rules also match the bare substrings "script", "onload" or "src" anywhere in the
# parameter value (case-insensitive), so any value containing those strings alerts.
# NOTE(review): the rule action is "alert". The "policy ... drop" entries under metadata are
# labels for rule-management tooling; on their own they do not make the sensor block.
# Confirm how this deployment maps policy metadata to rule actions.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Yuzo Related Posts plugin cross site scripting attempt"; flow:to_server,established; content:"yuzo_related_post_css_and_style="; fast_pattern:only; http_client_body; pcre:"/yuzo(\x5f|%(25)?5f)related(\x5f|%(25)?5f)post(\x5f|%(25)?5f)css(\x5f|%(25)?5f)and(\x5f|%(25)?5f)style=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|%(25)?(22|27|3c|3e|28|29)|script|onload|src)/Pi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.wordfence.com/blog/2019/04/yuzo-related-posts-zero-day-vulnerability-exploited-in-the-wild/; classtype:web-application-attack; sid:49796; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Yuzo Related Posts plugin cross site scripting attempt"; flow:to_server,established; content:"yuzo_related_post_css_and_style="; fast_pattern:only; http_uri; pcre:"/[?&]yuzo_related_post_css_and_style=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.wordfence.com/blog/2019/04/yuzo-related-posts-zero-day-vulnerability-exploited-in-the-wild/; classtype:web-application-attack; sid:49795; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP All in One Video Downloader SQL injection attempt"; flow:to_server,established; content:"/admin/"; fast_pattern:only; http_uri; content:"id"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?id((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|(?<!^)\x2d{2})/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploit-db.com/exploits/46077; classtype:web-application-attack; sid:49849; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP All in One Video Downloader SQL injection attempt"; flow:to_server,established; content:"/admin/"; fast_pattern:only; http_uri; content:"view=page-edit"; nocase; http_client_body; content:"id="; nocase; http_client_body; pcre:"/(^|&)id=[^&]*?([\x27\x22\x3b\x23\x28]|%(25)?(27|22|3b|23|28)|(\x2f|%(25)?2f)(\x2a|%(25)?2a)|(\x2d|%(25)?2d){2})/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploit-db.com/exploits/46077; classtype:web-application-attack; sid:49848; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP All in One Video Downloader SQL injection attempt"; flow:to_server,established; content:"/admin/"; fast_pattern:only; http_uri; content:"view=page-edit"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/[?&]id=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploit-db.com/exploits/46077; classtype:web-application-attack; sid:49847; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LG-Ericsson iPECS NMS 30M directory traversal attempt"; flow:to_server,established; content:"/ipecs-cm/download"; fast_pattern:only; http_uri; content:"file"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?file(name|path)((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-15138; reference:url,www.exploit-db.com/exploits/45167; classtype:web-application-attack; sid:49842; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LG-Ericsson iPECS NMS 30M directory traversal attempt"; flow:to_server,established; content:"/ipecs-cm/download"; fast_pattern:only; http_uri; content:"Content-Disposition"; nocase; http_client_body; content:"filename"; nocase; http_client_body; pcre:"/filename\s*=\s*[^\r\n]*?(\x2e|%(25)?2e){2}([\x2f\x5c]|%(25)?(2f|5c))/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-15138; reference:url,www.exploit-db.com/exploits/45167; classtype:web-application-attack; sid:49841; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LG-Ericsson iPECS NMS 30M directory traversal attempt"; flow:to_server,established; content:"/ipecs-cm/download"; fast_pattern:only; http_uri; content:"file"; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]file(name|path)=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-15138; reference:url,www.exploit-db.com/exploits/45167; classtype:web-application-attack; sid:49840; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LG-Ericsson iPECS NMS 30M directory traversal attempt"; flow:to_server,established; content:"/ipecs-cm/download"; fast_pattern:only; http_uri; content:"file"; nocase; http_client_body; pcre:"/(^|&)file(name|path)=[^&]*?(\x2e|%(25)?2e){2}([\x2f\x5c]|%(25)?(2f|5c))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-15138; reference:url,www.exploit-db.com/exploits/45167; classtype:web-application-attack; sid:49839; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Tpshop remote file include attempt"; flow:to_server,established; content:"/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php"; fast_pattern:only; http_uri; content:"down_url="; nocase; http_uri; content:"|3A|/"; http_uri; pcre:"/[?&]down_url=[^&]*?(http|ftp)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-9919; reference:url,seclists.org/fulldisclosure/2018/May/11; classtype:web-application-attack; sid:49838; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Tpshop remote file include attempt"; flow:to_server,established; content:"/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php"; fast_pattern:only; http_uri; content:"down_url="; nocase; http_client_body; pcre:"/(^|&)down_url=[^&]*?(http|ftp)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-9919; reference:url,seclists.org/fulldisclosure/2018/May/11; classtype:web-application-attack; sid:49837; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DoD IT Solutions Homey BnB script SQL injection attempt"; flow:to_server,established; content:"/admin/connectivity.php"; fast_pattern:only; http_uri; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?(username|password)((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|(?<!^)\x2d{2})/Psim"; metadata:policy max-detect-ips drop, service http; reference:url,www.exploit-db.com/exploits/46616; classtype:web-application-attack; sid:49836; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DoD IT Solutions Homey BnB script SQL injection attempt"; flow:to_server,established; content:"/admin/connectivity.php"; fast_pattern:only; http_uri; pcre:"/[?&](username|password)=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, service http; reference:url,www.exploit-db.com/exploits/46616; classtype:web-application-attack; sid:49835; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DoD IT Solutions Homey BnB script SQL injection attempt"; flow:to_server,established; content:"/admin/connectivity.php"; fast_pattern:only; http_uri; pcre:"/(^|&)(username|password)=[^&]*?([\x27\x22\x3b\x23\x28]|%(25)?(27|22|3b|23|28)|(\x2f|%(25)?2f)(\x2a|%(25)?2a)|(\x2d|%(25)?2d){2})/Pim"; metadata:policy max-detect-ips drop, service http; reference:url,www.exploit-db.com/exploits/46616; classtype:web-application-attack; sid:49834; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DoD IT Solutions Homey BnB script SQL injection attempt"; flow:to_server,established; content:"/admin/getrecord.php"; fast_pattern:only; http_uri; content:"val"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?val((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|(?<!^)\x2d{2})/Psim"; metadata:policy max-detect-ips drop, service http; reference:url,www.exploit-db.com/exploits/46616; classtype:web-application-attack; sid:49833; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DoD IT Solutions Homey BnB script SQL injection attempt"; flow:to_server,established; content:"/admin/getrecord.php"; fast_pattern:only; http_uri; content:"val="; nocase; http_uri; pcre:"/[?&]val=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, service http; reference:url,www.exploit-db.com/exploits/46616; classtype:web-application-attack; sid:49832; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DoD IT Solutions Homey BnB script SQL injection attempt"; flow:to_server,established; content:"/admin/getrecord.php"; fast_pattern:only; http_uri; content:"val="; nocase; http_client_body; pcre:"/(^|&)val=[^&]*?([\x27\x22\x3b\x23\x28]|%(25)?(27|22|3b|23|28)|(\x2f|%(25)?2f)(\x2a|%(25)?2a)|(\x2d|%(25)?2d){2})/Pim"; metadata:policy max-detect-ips drop, service http; reference:url,www.exploit-db.com/exploits/46616; classtype:web-application-attack; sid:49831; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DoD IT Solutions Homey BnB script SQL injection attempt"; flow:to_server,established; content:"/admin/getcmsdata.php"; fast_pattern:only; http_uri; content:"pt"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?pt((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|(?<!^)\x2d{2})/Psim"; metadata:policy max-detect-ips drop, service http; reference:url,www.exploit-db.com/exploits/46616; classtype:web-application-attack; sid:49830; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DoD IT Solutions Homey BnB script SQL injection attempt"; flow:to_server,established; content:"/admin/getcmsdata.php"; fast_pattern:only; http_uri; content:"pt="; nocase; http_uri; pcre:"/[?&]pt=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, service http; reference:url,www.exploit-db.com/exploits/46616; classtype:web-application-attack; sid:49829; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DoD IT Solutions Homey BnB script SQL injection attempt"; flow:to_server,established; content:"/admin/getcmsdata.php"; fast_pattern:only; http_uri; content:"pt="; nocase; http_client_body; pcre:"/(^|&)pt=[^&]*?([\x27\x22\x3b\x23\x28]|%(25)?(27|22|3b|23|28)|(\x2f|%(25)?2f)(\x2a|%(25)?2a)|(\x2d|%(25)?2d){2})/Pim"; metadata:policy max-detect-ips drop, service http; reference:url,www.exploit-db.com/exploits/46616; classtype:web-application-attack; sid:49828; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DoD IT Solutions Homey BnB script SQL injection attempt"; flow:to_server,established; content:"/admin/cms_getpagetitle.php"; fast_pattern:only; http_uri; content:"catid="; nocase; http_uri; pcre:"/[?&]catid=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, service http; reference:url,www.exploit-db.com/exploits/46616; classtype:web-application-attack; sid:49827; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DoD IT Solutions Homey BnB script SQL injection attempt"; flow:to_server,established; content:"/admin/cms_getpagetitle.php"; fast_pattern:only; http_uri; content:"catid"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?catid((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|(?<!^)\x2d{2})/Psim"; metadata:policy max-detect-ips drop, service http; reference:url,www.exploit-db.com/exploits/46616; classtype:web-application-attack; sid:49826; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DoD IT Solutions Homey BnB script SQL injection attempt"; flow:to_server,established; content:"/admin/cms_getpagetitle.php"; fast_pattern:only; http_uri; content:"catid="; nocase; http_client_body; pcre:"/(^|&)catid=[^&]*?([\x27\x22\x3b\x23\x28]|%(25)?(27|22|3b|23|28)|(\x2f|%(25)?2f)(\x2a|%(25)?2a)|(\x2d|%(25)?2d){2})/Pim"; metadata:policy max-detect-ips drop, service http; reference:url,www.exploit-db.com/exploits/46616; classtype:web-application-attack; sid:49825; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DoD IT Solutions Homey BnB script SQL injection attempt"; flow:to_server,established; content:"/admin/edit.php"; fast_pattern:only; http_uri; content:"id"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?id((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|(?<!^)\x2d{2})/Psim"; metadata:policy max-detect-ips drop, service http; reference:url,www.exploit-db.com/exploits/46616; classtype:web-application-attack; sid:49824; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DoD IT Solutions Homey BnB script SQL injection attempt"; flow:to_server,established; content:"/admin/edit.php"; fast_pattern:only; http_uri; content:"id="; nocase; http_uri; pcre:"/[?&]id=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, service http; reference:url,www.exploit-db.com/exploits/46616; classtype:web-application-attack; sid:49823; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DoD IT Solutions Homey BnB script SQL injection attempt"; flow:to_server,established; content:"/admin/edit.php"; fast_pattern:only; http_uri; content:"id="; nocase; http_client_body; pcre:"/(^|&)id=[^&]*?([\x27\x22\x3b\x23\x28]|%(25)?(27|22|3b|23|28)|(\x2f|%(25)?2f)(\x2a|%(25)?2a)|(\x2d|%(25)?2d){2})/Pim"; metadata:policy max-detect-ips drop, service http; reference:url,www.exploit-db.com/exploits/46616; classtype:web-application-attack; sid:49822; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DoD IT Solutions Homey BnB script SQL injection attempt"; flow:to_server,established; content:"/rooms/ajax_refresh_subtotal"; fast_pattern:only; http_uri; content:"hosting_id="; nocase; http_uri; pcre:"/[?&]hosting_id=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, service http; reference:url,www.exploit-db.com/exploits/46616; classtype:web-application-attack; sid:49821; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DoD IT Solutions Homey BnB script SQL injection attempt"; flow:to_server,established; content:"/rooms/ajax_refresh_subtotal"; fast_pattern:only; http_uri; content:"hosting_id"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?hosting_id((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|(?<!^)\x2d{2})/Psim"; metadata:policy max-detect-ips drop, service http; reference:url,www.exploit-db.com/exploits/46616; classtype:web-application-attack; sid:49820; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DoD IT Solutions Homey BnB script SQL injection attempt"; flow:to_server,established; content:"/rooms/ajax_refresh_subtotal"; fast_pattern:only; http_uri; content:"hosting"; nocase; http_client_body; pcre:"/(^|&)hosting(\x5f|%(25)?5f)id=[^&]*?([\x27\x22\x3b\x23\x28]|%(25)?(27|22|3b|23|28)|(\x2f|%(25)?2f)(\x2a|%(25)?2a)|(\x2d|%(25)?2d){2})/Pim"; metadata:policy max-detect-ips drop, service http; reference:url,www.exploit-db.com/exploits/46616; classtype:web-application-attack; sid:49819; rev:1;)
# SIDs 49818 / 49817 (shipped disabled): Trend Micro DDEI directory traversal via
# /detections/write_new_html_with_svg.php. 49818 covers a multipart "filename" field,
# 49817 a "filename=" form parameter; both accept literal and single/double
# percent-encoded "../" and "..\" sequences.
# Both rules are bound to destination port 443 and use no http_* buffer modifiers; the
# pcre has no /U or /P flag either, so every match is against the raw payload.
# NOTE(review): port 443 normally carries TLS, so presumably these only match where the
# sensor sees the traffic in cleartext (e.g. behind TLS termination) -- confirm before
# relying on them.
# Neither rule has a reference: entry (no CVE or advisory URL), so triage has to start
# from the msg text and SID.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-WEBAPP Trend Micro DDEI directory traversal attempt"; flow:to_server,established; content:"/detections/write_new_html_with_svg.php"; fast_pattern:only; content:"filename"; nocase; content:"Content-Disposition"; nocase; pcre:"/filename\s*=\s*[^\r\n]*?(\x2e|%(25)?2e){2}([\x2f\x5c]|%(25)?(2f|5c))/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:49818; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-WEBAPP Trend Micro DDEI directory traversal attempt"; flow:to_server,established; content:"/detections/write_new_html_with_svg.php"; fast_pattern:only; content:"filename="; nocase; pcre:"/(^|&)filename=[^&]*?(\x2e|%(25)?2e){2}([\x2f\x5c]|%(25)?(2f|5c))/im"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:49817; rev:1;)
# SID 49861 (enabled): Microsoft SharePoint EntityInstanceIdEncoder RCE attempt, CVE-2019-0604.
# Fires on client-to-server traffic when the URI contains "WebControls.ItemPickerDialog"
# (the fast pattern), "/Picker.aspx" and "Microsoft.SharePoint", and the payload contains
# "hiddenSpanData" (that last content has no HTTP buffer modifier, so it is matched
# against the raw payload).
# There is no pcre and no inspection of the value carried in hiddenSpanData: the rule
# keys on a request reaching the item picker with that field present, not on the
# serialized data itself. NOTE(review): legitimate use of this picker dialog from
# $EXTERNAL_NET would presumably alert as well -- confirm against normal traffic.
# The destination is $HTTP_SERVERS, not $HOME_NET as in the neighbouring rules; coverage
# depends on that variable including the SharePoint hosts (check snort.conf).
# NOTE(review): the rule action is "alert"; the "policy ... drop" metadata entries are
# labels for rule-management tooling and do not block traffic by themselves.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt"; flow:to_server,established; content:"WebControls.ItemPickerDialog"; fast_pattern:only; http_uri; content:"/Picker.aspx"; nocase; http_uri; content:"Microsoft.SharePoint"; nocase; http_uri; content:"hiddenSpanData"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-0604; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604; classtype:attempted-user; sid:49861; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,9500,9502] (msg:"SERVER-WEBAPP Oracle Business Intelligence and XML Publisher XML external entity injection attempt"; flow:to_server,established; content:"/xmlpserver/ReportTemplateService.xls"; fast_pattern:only; http_uri; content:"DOCTYPE"; nocase; http_client_body; pcre:"/(\x21|%(25)?21)DOCTYPE((?!\x3e|%(25)?3e).)*?(SYSTEM|PUBLIC)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-2616; reference:url,www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html; classtype:web-application-attack; sid:49899; rev:1;)
# SID 49898 (enabled): Zimbra SSRF privilege escalation attempt, CVE-2019-9621.
# Requires all three of:
#   1. "/service/proxy/?target" in the URI (nocase);
#   2. ":7071/service/admin/soap/AuthRequest" later in the same URI (distance:0, nocase),
#      i.e. the proxy target points at the admin SOAP AuthRequest endpoint on port 7071;
#   3. ":7071" somewhere in the HTTP headers.
# No content is marked fast_pattern, so the engine selects the fast pattern itself.
# Classtype is attempted-admin. The rule does not inspect the request body or the
# response, so an alert shows that such a request was sent, not that it succeeded;
# follow up in the Zimbra logs of the destination host.
# NOTE(review): the rule action is "alert"; the "policy ... drop" metadata entries are
# labels for rule-management tooling and do not block traffic by themselves.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Zimbra SSRF privilege escalation attempt"; flow:to_server,established; content:"/service/proxy/?target"; nocase; http_uri; content:":7071/service/admin/soap/AuthRequest"; distance:0; nocase; http_uri; content:":7071"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-9621; reference:url,blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html; classtype:attempted-admin; sid:49898; rev:1;)
# CVE-2015-5996 (Tenda Wireless N150 router CSRF). Both rules are DISABLED and carry no
# "policy" metadata, so no policy listed in this file enables them.
#   sid 49938: URI /goform/SysToolRestoreSet
#   sid 49937: URI /goform/SysToolReboot
# Each also requires "CMD=SYS_CONF", "GO=" and "CCMD=" in the request body.
# NOTE(review): a forged request is issued by the victim's own browser. If that browser sits
# inside $HOME_NET, the $EXTERNAL_NET -> $HOME_NET direction will not see it unless
# $EXTERNAL_NET is defined as "any" - confirm the variable definitions before relying on these.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Tenda Wireless N150 Router cross-site request forgery attempt"; flow:to_server,established; content:"/goform/SysToolRestoreSet"; fast_pattern:only; http_uri; content:"CMD=SYS_CONF"; nocase; http_client_body; content:"GO="; nocase; http_client_body; content:"CCMD="; nocase; http_client_body; metadata:service http; reference:cve,2015-5996; reference:url,www.kb.cert.org/vuls/id/630872/; classtype:attempted-admin; sid:49938; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Tenda Wireless N150 Router cross-site request forgery attempt"; flow:to_server,established; content:"/goform/SysToolReboot"; fast_pattern:only; http_uri; content:"CMD=SYS_CONF"; nocase; http_client_body; content:"GO="; nocase; http_client_body; content:"CCMD="; nocase; http_client_body; metadata:service http; reference:cve,2015-5996; reference:url,www.kb.cert.org/vuls/id/630872/; classtype:attempted-admin; sid:49937; rev:1;)
# HTML5 ping-based HTTP flood. DISABLED; no "policy" metadata.
# Matches the request header "Content-Type: text/ping". The detection_filter (track by_dst,
# count 1000, seconds 10) holds back events until matches to a single destination exceed
# 1000 within 10 seconds, so isolated ping requests never produce an event.
# NOTE(review): the threshold is a fixed number; compare it with the normal request rate of
# the protected site before enabling.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products HTML5 ping DDoS attempt"; flow:to_server,established; content:"Content-Type: text/ping"; fast_pattern:only; http_header; detection_filter:track by_dst, count 1000, seconds 10; metadata:service http; reference:url,imperva.com/blog/the-ping-is-the-thing-popular-html5-feature-used-to-trick-chinese-mobile-users-into-joining-latest-ddos-attack/; classtype:denial-of-service; sid:49928; rev:1;)
# CVE-2014-3915 (Rocket Servergraph Admin Center, /SGPAdmin/tsmRequest command injection).
# All three rules are DISABLED; metadata lists them for max-detect-ips and security-ips.
# They cover the same endpoint in three request encodings:
#   sid 49926  multipart body: name="cmd" plus a "query" part; the pcre looks after the part's
#              blank line for a backtick, ";", "|", "&", "#", or "<(", ">(", "$(".
#   sid 49925  urlencoded body: "cmd=dataonly:" and "query="; same metacharacters, also in
#              percent-encoded and double-encoded form.
#   sid 49924  URI: "cmd=dataonly:" and "query="; the pcre only tests the raw URI for an
#              encoded "&" (%26 or %2526) inside the query value.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt"; flow:to_server,established; content:"/SGPAdmin/tsmRequest"; fast_pattern:only; http_uri; content:"name=|22|cmd|22|"; nocase; http_client_body; content:"query"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?query((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-3915; classtype:web-application-attack; sid:49926; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt"; flow:to_server,established; content:"/SGPAdmin/tsmRequest"; fast_pattern:only; http_uri; content:"cmd=dataonly:"; nocase; http_client_body; content:"query="; nocase; http_client_body; pcre:"/(^|&)query=[^\x3a]*?([\x60\x3b\x7c\x23\x26]|%(25)?(60|3b|7c|23|26)|([\x3c\x3e\x24]|%(25)?(3c|3e|24))(\x28|%(25)?28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-3915; classtype:web-application-attack; sid:49925; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt"; flow:to_server,established; content:"/SGPAdmin/tsmRequest"; fast_pattern:only; http_uri; content:"cmd=dataonly:"; nocase; http_uri; content:"query="; nocase; http_uri; content:"26"; http_raw_uri; pcre:"/[?&]query=[^\x3a]*?%(25)?26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-3915; classtype:web-application-attack; sid:49924; rev:1;)
# CVE-2014-3915 (Rocket Servergraph Admin Center, /SGPAdmin/userRequest command injection).
# All three rules are DISABLED; metadata lists them for max-detect-ips and security-ips.
# Every variant requires that "runasync" is absent from the inspected buffer (negated content,
# matched case-sensitively because it has no nocase).
#   sid 49923  urlencoded body: "cmd=" and "query="; the pcre looks in the query value for a
#              backtick, ";", "|", "#", "&", or "<(", ">(", "$(", also in percent-encoded and
#              double-encoded form.
#   sid 49922  multipart body: name="cmd" plus a "query" part; same metacharacters, literal only.
#   sid 49921  URI: "cmd=" and "query="; the pcre only tests the raw URI for an encoded "&"
#              (%26 or %2526) inside the query value.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt"; flow:to_server,established; content:"/SGPAdmin/userRequest"; fast_pattern:only; http_uri; content:"cmd="; nocase; http_client_body; content:!"runasync"; http_client_body; content:"query="; nocase; http_client_body; pcre:"/(^|&)query=[^\x3a]*?([\x60\x3b\x7c\x23\x26]|%(25)?(60|3b|7c|23|26)|([\x3c\x3e\x24]|%(25)?(3c|3e|24))(\x28|%(25)?28))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-3915; classtype:web-application-attack; sid:49923; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt"; flow:to_server,established; content:"/SGPAdmin/userRequest"; fast_pattern:only; http_uri; content:"name=|22|cmd|22|"; nocase; http_client_body; content:!"runasync"; http_client_body; content:"query"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?query((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26\x23]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-3915; classtype:web-application-attack; sid:49922; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt"; flow:to_server,established; content:"/SGPAdmin/userRequest"; fast_pattern:only; http_uri; content:"cmd="; nocase; http_uri; content:!"runasync"; http_uri; content:"query="; nocase; http_uri; content:"26"; http_raw_uri; pcre:"/[?&]query=[^\x3a]*?%(25)?26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-3915; classtype:web-application-attack; sid:49921; rev:1;)
# Generic XSS-in-URL signature. DISABLED; metadata lists it for max-detect-ips only.
# Requires "<IMG SRC=" in the URI with "javascript:alert(" inside the next 20 bytes; no content
# is marked fast_pattern. classtype is attempted-recon.
# NOTE(review): this is one literal test string, so a hit mostly indicates scanner or probe
# traffic. It is not XSS coverage; output encoding in the application remains the control.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP generic cross site scripting via url attempt"; flow:to_server,established; content:"<IMG SRC="; nocase; http_uri; content:"javascript:alert("; within:20; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:url,www.owasp.org/index.php/Script_in_IMG_tags; classtype:attempted-recon; sid:49920; rev:1;)
# Generic session-fixation signature. DISABLED; metadata lists it for max-detect-ips only.
# Its single content, "<meta http-equiv=Set-Cookie content=", is looked for in the URI and is
# used for the fast pattern matcher only (fast_pattern:only). classtype is attempted-recon.
# NOTE(review): a single literal string makes this a low-fidelity indicator. The actual
# control is the application issuing a new session identifier at login.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP generic session fixation attempt"; flow:to_server,established; content:"<meta http-equiv=Set-Cookie content="; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:url,www.owasp.org/index.php/Session_fixation; classtype:attempted-recon; sid:49919; rev:1;)