# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
# 
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
# 
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#--------------------
# SERVER-OTHER RULES
#--------------------

# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Multiple products UNIX platform backslash directory traversal attempt"; flow:to_server,established; content:"/%5C.."; fast_pattern:only; content:"/%5C.."; http_raw_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,22960; reference:bugtraq,67244; reference:bugtraq,99515; reference:cve,2007-0450; reference:cve,2014-0130; reference:cve,2017-10974; reference:cve,2017-16744; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; reference:url,weblog.rubyonrails.org/2014/5/6/Rails_3_2_18_4_0_5_and_4_1_1_have_been_released/; classtype:web-application-attack; sid:17391; rev:16;)
# alert tcp $EXTERNAL_NET 5190 -> $HOME_NET any (msg:"SERVER-OTHER Trillian AIM XML tag handling heap buffer overflow attempt"; flow:to_client,established; content:"*|02|"; depth:2; content:"|00 04 00 07|"; within:4; distance:4; content:"<>"; distance:0; isdataat:1023; content:!"|00|"; within:1023; metadata:policy max-detect-ips drop; reference:bugtraq,32645; reference:cve,2008-5403; reference:url,dev.aol.com/aim/oscar/; classtype:attempted-user; sid:16514; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER multiple products blacknurse ICMP denial of service attempt"; icode:3; itype:3; detection_filter:track by_src,count 250,seconds 1; metadata:ruleset community; reference:cve,2011-1871; reference:url,soc.tdc.dk/blacknurse/blacknurse.pdf; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-083; classtype:attempted-dos; sid:19678; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"SERVER-OTHER BrightStor ARCserve backup tape engine buffer overflow attempt"; flow:established, to_server; dce_iface:dc246bf0-7a7a-11ce-9f88-00805fe43838; dce_opnum:45; isdataat:500; metadata:policy max-detect-ips drop; reference:bugtraq,21221; reference:cve,2006-6076; classtype:attempted-admin; sid:18285; rev:6;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"SERVER-OTHER Oracle Java Runtime Environment .hotspotrc file load exploit attempt"; flow:to_server,established; content:".|00|h|00|o|00|t|00|s|00|p|00|o|00|t|00|r|00|c|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:url,secunia.com/advisories/45173; classtype:attempted-user; sid:19601; rev:5;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"SERVER-OTHER Oracle Java Runtime Environment .hotspot_compiler file load exploit attempt"; flow:to_server,established; content:".|00|h|00|o|00|t|00|s|00|p|00|o|00|t|00|_|00|c|00|o|00|m|00|p|00|i|00|l|00|e|00|r|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:url,secunia.com/advisories/45173; classtype:attempted-user; sid:19602; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-OTHER Novell Client NetIdentity Agent remote arbitrary pointer dereference code execution attempt"; flow:to_server,established; content:"|EC 6B 4D 0F 47 DE 0B 4A 7A 53 54 6C 69 63 4E 45 6E 58 44 46 4C 53 48 70 53 6E 64 65 58 76 57 56|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,34400; reference:cve,2009-1350; classtype:attempted-admin; sid:29536; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-OTHER Novell Client NetIdentity Agent remote arbitrary pointer dereference code execution attempt"; flow:to_server,established; content:"|02 00 00 00 FF FF FF FF 60 07 A0 00 5C 07 A0 00 68 07 A0 00 6A 4A 59 D9 EE D9 74 24|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,34400; reference:cve,2009-1350; classtype:attempted-admin; sid:18589; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-OTHER Novell Client NetIdentity Agent remote arbitrary pointer dereference code execution attempt"; flow:to_server,established; content:"|02 00 00 00 FF FF FF FF|PPPPAAAA"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,34400; reference:cve,2009-1350; classtype:attempted-admin; sid:17057; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-OTHER Novell NetIdentity Agent XTIERRPCPIPE remote code execution attempt"; flow:to_server,established; content:"|02 00 00 00 00 00 00 00 40 09 B9 00|"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,34400; reference:cve,2009-1350; classtype:attempted-admin; sid:17056; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER ntp monlist denial of service attempt"; flow:to_server,no_stream; content:"|17 00 03 2A|"; depth:4; detection_filter:track by_dst, count 1000, seconds 5; metadata:service ntp; reference:cve,2013-5211; reference:url,attack.mitre.org/techniques/T1209; classtype:attempted-dos; sid:29393; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER McAfee LHA Type-2 file handling overflow attempt"; flow:to_server,established; content:"IcMtbGgwLRgAAAAFAAAA+rttMCABCHRlc3RmaWxl+BtVBQBQtIGUAQFVVVVV"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,12832; reference:cve,2005-0644; classtype:attempted-user; sid:17736; rev:10;)
# alert udp any 19 <> any 7 (msg:"SERVER-OTHER UDP echo+chargen bomb"; flow:to_server; metadata:ruleset community; reference:cve,1999-0103; reference:cve,1999-0635; classtype:attempted-dos; sid:271; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"SERVER-OTHER RealNetworks Audio Server denial of service attempt"; flow:to_server,established; content:"|FF F4 FF FD 06|"; fast_pattern:only; metadata:ruleset community; reference:cve,1999-0271; reference:nessus,10183; classtype:attempted-dos; sid:276; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"SERVER-OTHER RealNetworks Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,1288; reference:cve,2000-0474; reference:nessus,10461; classtype:attempted-dos; sid:277; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-OTHER RealNetworks Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:278; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SERVER-OTHER Bay/Nortel Nautica Marlin"; flow:to_server; dsize:0; metadata:ruleset community; reference:bugtraq,1009; reference:cve,2000-0221; classtype:attempted-dos; sid:279; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"SERVER-OTHER Ascend Route"; flow:to_server; content:"NAMENAME"; depth:50; offset:25; metadata:ruleset community; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:281; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135:139 (msg:"SERVER-OTHER Winnuke attack"; flow:stateless; flags:U+; metadata:ruleset community; reference:bugtraq,2010; reference:cve,1999-0153; classtype:attempted-dos; sid:1257; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"SERVER-OTHER MSDTC attempt"; flow:to_server,established; dsize:>1023; metadata:ruleset community; reference:bugtraq,4006; reference:cve,2002-0224; reference:nessus,10939; classtype:attempted-dos; sid:1408; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6004 (msg:"SERVER-OTHER iParty DOS attempt"; flow:to_server,established; content:"|FF FF FF FF FF FF|"; metadata:ruleset community; reference:bugtraq,6844; reference:cve,1999-1566; reference:nessus,10111; classtype:misc-attack; sid:1605; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6789:6790 (msg:"SERVER-OTHER DB2 dos attempt"; flow:to_server,established; dsize:1; metadata:ruleset community; reference:bugtraq,3010; reference:cve,2001-1143; reference:nessus,10871; classtype:denial-of-service; sid:1641; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Cisco denial of service attempt"; flow:to_server,established; dsize:1; content:"|13|"; metadata:ruleset community, service http; classtype:web-application-attack; sid:1545; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP invalid identification payload attempt"; flow:to_server; content:"|05|"; depth:1; offset:16; byte_test:1,!&,1,19; byte_test:1,>,8,32; byte_test:2,>,0,30; byte_test:2,<,10,30; byte_test:2,!=,8,30; metadata:ruleset community; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2486; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"SERVER-OTHER squid WCCP I_SEE_YOU message overflow attempt"; flow:to_server; content:"|00 00 00 08|"; depth:4; byte_test:4,>,32,16; metadata:ruleset community; reference:bugtraq,12275; reference:cve,2005-0095; classtype:attempted-user; sid:3089; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 646 (msg:"SERVER-OTHER tcpdump udp LDP print zero length message denial of service attempt"; flow:to_server; content:"|00 00|"; depth:2; offset:12; reference:bugtraq,13389; reference:cve,2005-1279; reference:url,www.frsirt.com/english/advisories/2005/0410; classtype:attempted-dos; sid:4141; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 646 (msg:"SERVER-OTHER tcpdump tcp LDP print zero length message denial of service attempt"; flow:stateless; content:"|00 00|"; depth:2; offset:12; reference:bugtraq,13389; reference:cve,2005-1279; reference:url,www.frsirt.com/english/advisories/2005/0410; classtype:attempted-dos; sid:4140; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9191 (msg:"SERVER-OTHER CA eTrust key handling dos -- password"; flow:to_server,established; content:"|01 06 00 00 00|"; depth:5; offset:2; byte_test:4,<,4,128,relative, little; metadata:policy max-detect-ips drop; reference:bugtraq,22743; reference:cve,2007-1005; classtype:denial-of-service; sid:11186; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-OTHER Oracle TNS Service_CurLoad command"; flow:to_server,established; content:"COMMAND=SERVICE_CURLOAD"; fast_pattern:only; reference:bugtraq,5678; reference:cve,2002-1118; classtype:attempted-dos; sid:12594; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER utf8 filename transfer attempt"; flow:to_server,established; content:"filename*=utf-8"; fast_pattern:only; metadata:service smtp; reference:bugtraq,15408; reference:cve,2005-3573; classtype:suspicious-filename-detect; sid:12597; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"SERVER-OTHER Spiffit UDP denial of service attempt"; flow:to_server,no_stream; dsize:10; content:"@0"; fast_pattern:only; pcre:"/@0\x00*$/sm"; detection_filter:track by_src, count 10, seconds 100; reference:cve,1999-0194; classtype:attempted-dos; sid:9622; rev:10;)
# alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"SERVER-OTHER BGP spoofed connection reset attempt"; flow:established,no_stream; flags:RSF*; detection_filter:track by_dst,count 10,seconds 10; metadata:ruleset community; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2523; rev:15;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 2775 (msg:"SERVER-OTHER Curse of Silence Nokia SMS DoS attempt"; flow:to_server,established; content:"|02|03|3A|"; content:"|09|052|3A|2|09|"; distance:0; content:"|09|033|3A|"; pcre:"/\x09033\x3a(?=[^\s]+\x40[^\s]+)[^\x20\x09]{33}/"; reference:bugtraq,33072; classtype:attempted-dos; sid:15572; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 50000 (msg:"SERVER-OTHER IBM DB2 database server SQLSTT denial of service attempt"; flow:to_server,established; content:"|24 14|"; content:"|D0|"; within:1; distance:-8; byte_test:1,!&,1,0,relative; byte_test:1,!&,2,0,relative; byte_test:1,&,4,0,relative; byte_test:1,!&,8,0,relative; metadata:policy max-detect-ips drop; reference:cve,2009-0173; classtype:denial-of-service; sid:16364; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER SAPLPD 0x53 command denial of service attempt"; flow:to_server,established; content:"S"; depth:1; dsize:<4; reference:bugtraq,27613; reference:cve,2008-0621; classtype:attempted-dos; sid:15892; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"SERVER-OTHER SolarWinds TFTP Server Read request denial of service attempt"; flow:to_server; content:"|00 01|"; depth:2; pcre:"/^[^\x00]*?[\x01-\x1F\x7F-\xFF]/R"; reference:bugtraq,40333; reference:cve,2010-2115; classtype:attempted-dos; sid:18933; rev:3;)
# alert udp $EXTERNAL_NET 123 -> $HOME_NET 123 (msg:"SERVER-OTHER ntp mode 7 denial of service attempt"; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; reference:bugtraq,37255; reference:cve,2009-3563; reference:url,attack.mitre.org/techniques/T1209; classtype:attempted-dos; sid:16350; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER SpamAssassin GTube string denial of service attempt"; flow:to_server,established; content:"XJS|2A|C4JDBQADN1|2E|NSBN3|2A|2IDNEN|2A|GTUBE|2D|STANDARD|2D|ANTI|2D|UBE|2D|TEST|2D|EMAIL|2A|C|2E|34X"; nocase; metadata:service smtp; reference:cve,2004-0796; classtype:attempted-dos; sid:20741; rev:4;)
# alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"SERVER-OTHER vsFTPd denial of service attempt"; flow:to_client,established,no_stream; content:"220"; depth:3; content:"vsFTPd"; nocase; isdataat:6; content:!"|0D 0A|"; within:6; content:"1."; byte_test:1,<=,2,0,relative,string,dec; byte_test:1,<,2,2,relative,string,dec; detection_filter:track by_src, count 50, seconds 30; metadata:service ftp; reference:cve,2004-2259; classtype:attempted-dos; sid:21445; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [7145,7144] (msg:"SERVER-OTHER EMC RepliStor denial of service attempt"; flow:to_server,established; content:"|54 93 00 00|"; depth:4; byte_test:4,>,0xFFFF,12,relative,little; reference:cve,2009-3744; classtype:attempted-dos; sid:21485; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"SERVER-OTHER Blue Coat Systems WinProxy telnet denial of service attempt"; flow:to_server,established; isdataat:750; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:32; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; within:32; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; within:32; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; within:32; pcre:"/\xff{32}$/"; metadata:service telnet; reference:cve,2005-3654; classtype:attempted-dos; sid:21662; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER CA BrightStor ARCserve Backup denial of service attempt"; flow:to_server,established; content:"|00 06 09 82|"; depth:4; offset:16; content:"|00 00 00 01 00 00 00 01|"; within:8; byte_jump:4,16,relative,align; content:"|00 00|"; within:2; distance:-2; reference:cve,2007-5332; classtype:attempted-dos; sid:21763; rev:2;)
# alert udp $HOME_NET 68 -> $HOME_NET 67 (msg:"SERVER-OTHER ISC dhcpd discover hostname overflow attempt"; flow:to_server; content:"|01 01 06 00|"; depth:4; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:18; distance:6; content:"|63 82 53 63 35 01 01|"; distance:0; fast_pattern; content:"|0C 40|"; distance:0; content:"|0C 40|"; within:2; distance:64; content:"|0C 40|"; within:2; distance:64; content:"|0C 40|"; within:2; distance:64; content:"|0C 40|"; within:2; distance:64; content:"|0C 40|"; within:2; distance:64; content:"|0C 40|"; within:2; distance:64; content:"|0C 40|"; within:2; distance:64; content:"|0C 40|"; within:2; distance:64; content:"|0C 40|"; within:2; distance:64; reference:bugtraq,10590; reference:cve,2004-0460; classtype:attempted-dos; sid:21952; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8200 (msg:"SERVER-OTHER Multiple Vendors SOAP large array parameter DoS attempt"; flow:to_server,established; content:"SOAP-ENC:"; nocase; pcre:"/^(arraytype|position)\x3d\x22[^\x5b]*?\x5b[^\x5d]{7}/iR"; metadata:service http; reference:bugtraq,9877; reference:cve,2004-1815; classtype:attempted-dos; sid:23359; rev:2;)
# alert udp $HOME_NET 68 -> 255.255.255.255 67 (msg:"SERVER-OTHER DHCP discover broadcast flood attempt"; flow:to_server,no_stream; content:"|63 82 53 63 35|"; fast_pattern:only; detection_filter:track by_dst, count 1000, seconds 1; metadata:service dhcp; reference:bugtraq,53649; reference:url,funoverip.net/2010/12/dhcp-denial-of-service-with-scapy/; classtype:denial-of-service; sid:23998; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt"; content:"|6A|"; depth:1; byte_test:1,!&,0x80,0,relative; content:"|00|"; within:1; distance:2; metadata:service kerberos; reference:cve,2011-0283; reference:url,attack.mitre.org/techniques/T1097; classtype:denial-of-service; sid:24372; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 2427 (msg:"SERVER-OTHER VxWorks RPC request to MGCP service attempt"; content:"|00 00 00 00 00 00 00 02 00 01 86 A0 00 01 97 7C 00 00 00 00|"; depth:24; offset:4; byte_jump:4,4,relative; byte_jump:4,4,relative; content:"|00|"; within:1; classtype:denial-of-service; sid:24522; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 37452 (msg:"SERVER-OTHER Quest NetVault SmartDisk libnvbasics.dll denial of service attempt"; flow:to_server,established; content:"|01 00 00 00 C8|"; depth:5; offset:8; byte_extract:4,0,sizeOfEntries,relative,little; isdataat:!sizeOfEntries; reference:bugtraq,48029; reference:url,telussecuritylabs.com/threats/show/TSL20110602-02; classtype:denial-of-service; sid:20690; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 37452 (msg:"SERVER-OTHER Quest NetVault SmartDisk libnvbasics.dll denial of service attempt"; flow:to_server,established; byte_test:4,>,1000000000,0,little; isdataat:!5; reference:bugtraq,48029; reference:url,telussecuritylabs.com/threats/show/TSL20110602-02; classtype:denial-of-service; sid:24627; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"SERVER-OTHER Cisco IOS syslog message flood denial of service attempt"; flow:to_server,no_stream; content:"%%%%%X"; fast_pattern:only; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; reference:bugtraq,3096; reference:cve,2001-1097; classtype:attempted-dos; sid:25101; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 464 (msg:"SERVER-OTHER MIT Kerberos kpasswd process_chpw_request denial of service attempt"; flow:to_server,established; content:"|A1 03 02 01 05 A2 03 02 01|"; depth:9; offset:10; content:!"|FF 80|"; depth:2; offset:6; reference:bugtraq,47310; reference:cve,2011-0285; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2011-004.txt; classtype:attempted-dos; sid:26769; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER MIT Kerberos libkdb_ldap principal name handling denial of service attempt"; flow:to_server,no_stream; content:"|A1 03 02 01 05 A2|"; depth:12; content:"|1B|"; within:50; pcre:"/[^\xa2\x1b]+?[*()\x5c#\x22+,\x3b<>]/R"; detection_filter:track by_src, count 25, seconds 5; metadata:service kerberos; reference:bugtraq,46265; reference:bugtraq,46271; reference:cve,2011-0281; reference:cve,2011-0282; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt; classtype:attempted-dos; sid:26759; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Foswiki/Twiki MAKETEXT command execution attempt"; flow:to_server,established; content:"WIKISID="; http_cookie; content:"MAKETEXT"; http_client_body; content:"sh"; distance:0; http_client_body; metadata:service http; reference:bugtraq,56950; reference:cve,2012-6329; classtype:attempted-admin; sid:26906; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Apache Struts2 skillName remote code execution attempt"; flow:to_server,established; content:"edit.action?"; http_uri; content:"skillName=|7B 28 23|"; fast_pattern:only; http_uri; pcre:"/skillName\x3D\x7B\x28\x23/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,60082; reference:cve,2013-1965; classtype:attempted-admin; sid:26772; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER SSL TLS deflate compression weakness brute force attempt"; flow:to_server,established,no_stream; flowbits:isset,tls.deflate; dsize:1<>1000; detection_filter:track by_src,count 500,seconds 1; metadata:service ssl; reference:bugtraq,55704; reference:cve,2012-4929; reference:url,attack.mitre.org/techniques/T1110; classtype:attempted-recon; sid:26645; rev:5;)
# alert tcp $HOME_NET 443 -> $EXTERNAL_NET any (msg:"SERVER-OTHER SSL TLS DEFLATE compression detected"; flow:to_client,established; ssl_state:server_hello; ssl_version:tls1.0,tls1.1; content:"|16 03|"; depth:2; byte_test:1,&,1,78; flowbits:set,tls.deflate; flowbits:noalert; metadata:service ssl; classtype:misc-activity; sid:26644; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Adobe ColdFusion adminapi information disclosure attempt"; flow:to_server,established; content:"/CFIDE/adminapi/customtags/l10n.cfm"; fast_pattern; nocase; http_uri; content:"../"; distance:0; http_uri; metadata:service http; reference:bugtraq,59773; reference:cve,2013-3336; reference:url,www.adobe.com/support/security/advisories/apsa13-03.html; classtype:attempted-recon; sid:26621; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg:"SERVER-OTHER PostgreSQL database name command line injection attempt"; flow:to_server,established; content:"user|00|"; depth:5; offset:8; content:"database|00|-"; within:70; pcre:"/^.{8}user\x00[^\x00]+?\x00database\x00-[^\x00]+?\x00/"; metadata:service http; reference:cve,2013-1899; reference:url,www.postgresql.org/support/security/faq/2013-04-04/; classtype:attempted-user; sid:26586; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER Autonomy Ultraseek cs.html url parameter with url - possible malicious redirection attempt"; flow:to_server,established; content:"/cs.html?url=http://"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2009-0347; classtype:misc-attack; sid:26542; rev:3;)
# alert tcp $EXTERNAL_NET 5900 -> $HOME_NET any (msg:"SERVER-OTHER UltraVNC Listening mode stack buffer overflow attempt"; flow:to_client,established; content:"RFB 0"; depth:5; content:".016|0A|"; within:5; distance:2; isdataat:1100,relative; content:!"|00|"; within:1100; distance:2; metadata:service vnc-server; reference:cve,2008-0610; classtype:attempted-user; sid:26455; rev:2;)
# alert tcp $EXTERNAL_NET 5900 -> $HOME_NET any (msg:"SERVER-OTHER UltraVNC Listening mode stack buffer overflow attempt"; flow:to_client,established; content:"RFB 0"; depth:5; content:".014|0A|"; within:5; distance:2; isdataat:1100,relative; content:!"|00|"; within:1100; distance:2; metadata:service vnc-server; reference:cve,2008-0610; classtype:attempted-user; sid:26454; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 19810 (msg:"SERVER-OTHER Bopup Communications server buffer overflow attempt"; flow:to_server,established; content:"|01 00 00 00|"; depth:4; isdataat:300,relative; reference:bugtraq,43836; reference:cve,2009-2227; classtype:attempted-user; sid:26394; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6661 (msg:"SERVER-OTHER BigAnt Document Service DUPF command arbitrary file upload attempt"; flow:to_server,established; content:"cmdid: "; fast_pattern:only; content:"DUPF"; depth:4; content:"filename:"; distance:0; nocase; content:"/../"; distance:0; metadata:policy max-detect-ips drop; reference:bugtraq,57214; reference:cve,2012-6274; classtype:attempted-admin; sid:26390; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6661 (msg:"SERVER-OTHER BigAnt Document Service DUPF command arbitrary file upload attempt"; flow:to_server,established; content:"cmdid: "; fast_pattern:only; content:"DUPF"; depth:4; content:"filename:"; distance:0; nocase; content:"|5C|..|5C|"; distance:0; metadata:policy max-detect-ips drop; reference:bugtraq,57214; reference:cve,2012-6274; classtype:attempted-admin; sid:26389; rev:5;)
# alert tcp any any -> $HOME_NET 23 (msg:"SERVER-OTHER Polycom HDX authorization bypass attempt"; flow:to_server,established; content:"setenv othbootargs |22|devboot=bogus|22|"; fast_pattern:only; metadata:service telnet; reference:bugtraq,58523; classtype:attempted-admin; sid:26386; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Squid proxy Accept-Language denial of service attempt"; flow:to_server,established; content:"Accept-Language|3A 20 2C|"; fast_pattern:only; http_header; metadata:service http; reference:bugtraq,58316; reference:cve,2013-1839; classtype:denial-of-service; sid:26379; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [13838] (msg:"SERVER-OTHER HP LeftHand Virtual SAN hydra snmp request buffer overflow attempt"; flow:to_server,established; content:"set|3A|/lhn/public/network/snmp/traps/testTrap"; fast_pattern:only; byte_test:4,>,1066,8; metadata:policy security-ips drop; reference:cve,2012-3284; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03661318; classtype:attempted-admin; sid:26336; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [13838] (msg:"SERVER-OTHER HP LeftHand Virtual SAN hydra diag request buffer overflow attempt"; flow:to_server,established; content:"set|3A|/lhn/public/system/diag/getListSupportTest/"; fast_pattern:only; byte_test:4,>=,4143,8; metadata:policy security-ips drop; reference:cve,2012-3283; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03661318; classtype:attempted-admin; sid:26334; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [13838] (msg:"SERVER-OTHER HP LeftHand Virtual SAN hydra diag request buffer overflow attempt"; flow:to_server,established; content:"set|3A|/lhn/public/system/diag/getListSafeTest/"; fast_pattern:only; byte_test:4,>=,4140,8; metadata:policy security-ips drop; reference:cve,2012-3283; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03661318; classtype:attempted-admin; sid:26333; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Coppermine Photo Gallery picEditor.php command execution attempt"; flow:to_server,established; content:"picEditor.php"; fast_pattern:only; http_uri; content:"POST"; http_method; content:"clipval="; http_client_body; content:"newimage="; http_client_body; content:"../"; distance:0; http_client_body; metadata:service http; reference:cve,2008-0506; classtype:attempted-admin; sid:26316; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Coppermine Photo Gallery picEditor.php command execution attempt"; flow:to_server,established; content:"picEditor.php"; fast_pattern:only; http_uri; content:"POST"; http_method; content:"quality="; http_client_body; content:"newimage="; http_client_body; content:"../"; distance:0; http_client_body; metadata:service http; reference:cve,2008-0506; classtype:attempted-admin; sid:26315; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Coppermine Photo Gallery picEditor.php command execution attempt"; flow:to_server,established; content:"picEditor.php"; fast_pattern:only; http_uri; content:"POST"; http_method; content:"angle="; http_client_body; content:"newimage="; http_client_body; content:"../"; distance:0; http_client_body; metadata:service http; reference:cve,2008-0506; classtype:attempted-admin; sid:26314; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27017 (msg:"SERVER-OTHER MongoDB nativeHelper.apply method command injection attempt"; flow:to_server,established; content:"nativeHelper.apply("; fast_pattern:only; pcre:"/nativeHelper\.apply\(\s*?\{\s*?[\x22\x27]\s*?x\s*?[\x22\x27]\s*?:\s*?(0x)?\d/i"; reference:bugtraq,58695; reference:cve,2013-1892; classtype:attempted-admin; sid:26262; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 998 (msg:"SERVER-OTHER Novell ZENworks Configuration Management Preboot service code overflow attempt"; flow:to_server,established; content:"|00 00 00 21|"; depth:4; byte_test:4,>,0x200,0,relative,big; reference:bugtraq,40486; classtype:attempted-admin; sid:26180; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2207 (msg:"SERVER-OTHER HP Linux Imaging and Printing Project hpssd daemon command injection attempt"; flow:to_server,established; content:"email-to-address"; nocase; content:"&"; distance:0; pcre:"/^email-to-address(es)?=[^\r\n]*?[\x3b\x26]/mi"; reference:bugtraq,26054; reference:cve,2007-5208; classtype:attempted-admin; sid:26108; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2207 (msg:"SERVER-OTHER HP Linux Imaging and Printing Project hpssd daemon command injection attempt"; flow:to_server,established; content:"email-from-address="; nocase; content:"&"; distance:0; pcre:"/^email-from-address=[^\r\n]*?[\x3b\x26]/mi"; reference:bugtraq,26054; reference:cve,2007-5208; classtype:attempted-admin; sid:26107; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [3600:3699,3900:3999] (msg:"SERVER-OTHER SAP NetWeaver Message Server buffer overflow attempt"; flow:to_server,established; content:"**MESSAGE**|00|"; depth:12; offset:4; content:"|05|"; within:1; distance:55; content:"AD-EYECATCH|00|"; within:12; distance:42; content:"|15|"; within:1; distance:24; byte_test:1,>,78,6,relative; reference:cve,2013-1593; reference:url,service.sap.com/sap/support/notes/1800603; classtype:attempted-admin; sid:26074; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [3600:3699,3900:3999] (msg:"SERVER-OTHER SAP NetWeaver Message Server buffer overflow attempt"; flow:to_server,established; content:"**MESSAGE**|00|"; depth:12; offset:4; byte_test:1,>=,0x0c,55,relative; byte_test:1,<=,0x0d,55,relative; byte_test:4,>,256,106,relative; reference:cve,2013-1592; reference:url,service.sap.com/sap/support/notes/1800603; classtype:attempted-admin; sid:26073; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER SSLv3 plaintext recovery attempt"; flow:to_client,established,only_stream; isdataat:53; isdataat:!54; ssl_version:sslv3; content:"|15 03 00 00 30|"; depth:5; detection_filter:track by_dst, count 100, seconds 5; metadata:service ssl; reference:cve,2013-0169; classtype:attempted-recon; sid:25828; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER TLSv1.2 plaintext recovery attempt"; flow:to_client,established,only_stream; isdataat:53; isdataat:!54; ssl_version:tls1.2; content:"|15 03 03 00 30|"; depth:5; detection_filter:track by_dst, count 100, seconds 5; metadata:service ssl; reference:cve,2013-0169; classtype:attempted-recon; sid:25827; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER TLSv1.1 plaintext recovery attempt"; flow:to_client,established,only_stream; isdataat:53; isdataat:!54; ssl_version:tls1.1; content:"|15 03 02 00 30|"; depth:5; detection_filter:track by_dst, count 100, seconds 5; metadata:service ssl; reference:cve,2013-0169; classtype:attempted-recon; sid:25826; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER TLSv1.0 plaintext recovery attempt"; flow:to_client,established,only_stream; isdataat:53; isdataat:!54; ssl_version:tls1.0; content:"|15 03 01 00 30|"; depth:5; detection_filter:track by_dst, count 100, seconds 5; metadata:service ssl; reference:cve,2013-0169; classtype:attempted-recon; sid:25825; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,5555] (msg:"SERVER-OTHER MiniUPnPd ExecuteSoapAction buffer overflow attempt"; flow:to_server,established; content:"SOAPAction|3A|"; fast_pattern:only; http_header; pcre:"/SOAPAction\x3A\s*?\x22[^\x22\x23]+?\x23([^\x22]{2048}|[^\x22]+$)/Hsi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2013-0230; reference:cve,2013-1462; classtype:attempted-admin; sid:25780; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 19813 (msg:"SERVER-OTHER HP Data Protector Media Operations directory traversal attempt"; flow:to_client,established; content:"|10|"; content:!"|00 00 00 00|"; within:4; distance:3; content:"|10 00 00 00|"; within:4; distance:11; content:".."; within:50; reference:bugtraq,50531; classtype:attempted-user; sid:25658; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 19813 (msg:"SERVER-OTHER HP Data Protector Media Operations directory traversal attempt"; flow:to_server,established; content:"|03|"; content:!"|00 00 00 00|"; within:4; distance:3; content:"|10 00 00 00|"; within:4; distance:11; content:".."; within:50; reference:bugtraq,50531; classtype:attempted-user; sid:25657; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP OpenView Storage Data Protector exec_cmd buffer overflow attempt"; flow:to_server,established; content:"|FE FF|"; depth:2; offset:4; content:"|32 00|"; distance:0; content:"|32 00 30 00|"; distance:0; isdataat:2046,relative; content:!"|00 00 00 00|"; within:2046; reference:bugtraq,48488; reference:cve,2011-1866; classtype:attempted-admin; sid:25656; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP OpenView Storage Data Protector exec_cmd buffer overflow attempt"; flow:to_server,established; content:"|FF FE|"; depth:2; offset:4; content:"|32 00|"; content:"|32 30 00|"; distance:0; isdataat:2046,relative; content:!"|00 00|"; within:2046; reference:bugtraq,48488; reference:cve,2011-1866; classtype:attempted-admin; sid:25655; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP OpenView Storage Data Protector exec_cmd buffer overflow attempt"; flow:to_server,established; content:!"|FF FE|"; depth:2; offset:4; content:!"|FE FF|"; depth:2; offset:4; content:"|32 00|"; content:"|32 30 00|"; distance:0; isdataat:1023,relative; content:!"|00 00|"; within:1023; reference:bugtraq,48488; reference:cve,2011-1866; classtype:attempted-admin; sid:25654; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [5001,5002] (msg:"SERVER-OTHER Sybase Open Server TDS login packet stack memory corruption attempt"; flow:to_server,established; flowbits:isset,sybase.tds.connection; content:"|02 01|"; depth:2; content:"|00 00 00 00|"; within:4; distance:2; byte_test:1,>,6,59,relative; metadata:policy max-detect-ips drop; reference:url,www.sybase.com/detail?id=1094235; classtype:attempted-admin; sid:25603; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [5001,5002] (msg:"SERVER-OTHER Sybase Open Server TDS login request"; flow:to_server,established; content:"|02 00 02 00 00 00 00 00|"; depth:8; content:"|06 04 08|"; within:3; distance:126; content:"DBISQL"; within:6; distance:11; content:"jConnect"; within:8; distance:316; fast_pattern; flowbits:set,sybase.tds.connection; flowbits:noalert; reference:url,en.wikipedia.org/wiki/Tabular_Data_Stream; classtype:protocol-command-decode; sid:25602; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-OTHER EMC AlphaStor Device Manager command injection attempt"; flow:to_server,established; content:"|75|"; depth:1; content:"nsrmm"; distance:0; pcre:"/nsrmm[^\x00]*?([\x3b\x7c\x26\x60]|\x24\x28)/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,57472; reference:cve,2013-0928; classtype:attempted-admin; sid:25585; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-OTHER EMC AlphaStor Device Manager command injection attempt"; flow:to_server,established; content:"|75|"; depth:1; content:"mmpool"; distance:0; pcre:"/mmpool[^\x00]*?([\x3b\x7c\x26\x60]|\x24\x28)/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,57472; reference:cve,2013-0928; classtype:attempted-admin; sid:25584; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-OTHER EMC AlphaStor Device Manager command injection attempt"; flow:to_server,established; content:"|75|"; depth:1; content:"mmlocate"; distance:0; pcre:"/mmlocate[^\x00]*?([\x3b\x7c\x26\x60]|\x24\x28)/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,57472; reference:cve,2013-0928; classtype:attempted-admin; sid:25583; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-OTHER EMC AlphaStor Device Manager command injection attempt"; flow:to_server,established; content:"|75|"; depth:1; content:"nsrjb"; distance:0; pcre:"/nsrjb[^\x00]*?([\x3b\x7c\x26\x60]|\x24\x28)/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,57472; reference:cve,2013-0928; classtype:attempted-admin; sid:25581; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9000 (msg:"SERVER-OTHER RaySharp CCTV derivative command injection attempt"; flow:to_server,established; content:"REMOTE HI_SRDK_NET_SetPppoeAttr"; depth:40; fast_pattern; content:"udhcpc"; distance:0; pcre:"/\x3b\s*udhcpc\s*\x3b.*\x26/smi"; reference:url,community.rapid7.com/community/metasploit/blog/2013/01/23/ray-sharp-cctv-dvr-password-retrieval-remote-root; reference:url,console-cowboys.blogspot.com/2013/01/swann-song-dvr-insecurity.html; classtype:attempted-admin; sid:25557; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9000 (msg:"SERVER-OTHER RaySharp CCTV derivative user credential retrieval attempt"; flow:to_server,established; content:"|01 00 00 00 0E 0F 00 00 00 00 00 00 00 00 00 00 14 00 00 00|"; depth:20; offset:10; reference:url,community.rapid7.com/community/metasploit/blog/2013/01/23/ray-sharp-cctv-dvr-password-retrieval-remote-root; reference:url,console-cowboys.blogspot.com/2013/01/swann-song-dvr-insecurity.html; classtype:attempted-admin; sid:25556; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Rails JSON to YAML parsing deserialization attempt"; flow:to_server,established; content:"application/json"; http_header; content:"!ruby/hash"; content:"NamedRouteCollection"; within:140; metadata:service http; reference:cve,2013-0333; classtype:attempted-user; sid:25552; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER Citrix Access Gateway legacy authentication attempt"; flow:to_server,established; content:"SESSION_TOKEN"; content:"LoginType=Explicit&username="; fast_pattern:only; content:"&password=%7c"; metadata:service ssl; reference:cve,2010-4566; reference:url,exploit-db.com/exploits/15806; classtype:attempted-admin; sid:25474; rev:3;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt"; flow:to_client; content:"|31 32 33 34 35 36 37 38 39 09 63 63 63 63 63 63 63 63 63 09 64 64 64 64|"; fast_pattern:only; metadata:service dns; reference:cve,2011-1889; classtype:attempted-admin; sid:25381; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER CakePHP unserialize method vulnerability exploitation attempt"; flow:to_server,established; content:"data%5b_Token%5d%5bkey%5d="; http_client_body; content:"&data%5b_Token%5d%5bfields%5d="; within:50; http_client_body; content:"&_method=POST"; distance:0; http_client_body; content:"..%2Fgzc%2Fpnpur%2Fcrefvfgrag%2Fpnxr_pber_svyr_znc"; fast_pattern:only; http_client_body; metadata:service http; reference:cve,2010-4335; classtype:attempted-admin; sid:25370; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Ruby on Rails authlogic session cookie SQL injection attempt"; flow:to_server,established; content:"user_credentials="; content:"_session="; content:"user_credentials="; http_cookie; content:"_session="; http_cookie; base64_decode:relative; base64_data; content:"user_credentials_id"; pcre:"/(SELECT|UPDATE|INSERT)[^\x3b]+?--/iR"; metadata:service http; reference:cve,2012-6496; reference:url,blog.phusion.nl/2013/01/03; classtype:web-application-attack; sid:25285; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8088 (msg:"SERVER-OTHER Digium Asterisk oversized Content-Length memory corruption attempt"; flow:to_server,established; content:"Content-Length|3A|"; nocase; byte_test:10,>,200000,0,relative,string; metadata:service http; reference:cve,2012-5976; reference:cve,2013-2686; reference:url,downloads.Asterisk.org/pub/security/AST-2013-002.html; reference:url,downloads.asterisk.org/pub/security/AST-2012-014; classtype:attempted-admin; sid:25276; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Adobe ColdFusion Admin API arbitrary command execution attempt"; flow:to_server,established; content:"/CFIDE/Administrator/scheduler/scheduleedit.cfm"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2013-0625; reference:cve,2013-0629; reference:cve,2013-0631; reference:url,forums.adobe.com/message/4962104; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; reference:url,www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat; classtype:attempted-user; sid:25267; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Adobe ColdFusion Admin API arbitrary command execution attempt"; flow:to_server,established; content:"/CFIDE/adminapi/administrator.cfc"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2013-0625; reference:cve,2013-0629; reference:cve,2013-0631; reference:url,forums.adobe.com/message/4962104; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; reference:url,www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat; classtype:attempted-user; sid:25266; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10051 (msg:"SERVER-OTHER Zabbix Server arbitrary command execution attempt"; flow:to_server,established; content:"Command|AD|0|AD|"; depth:10; nocase; content:"sh"; within:10; nocase; reference:bugtraq,37989; reference:cve,2009-4498; classtype:attempted-admin; sid:25103; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10050 (msg:"SERVER-OTHER Zabbix Agent net.tcp.listen command injection attempt"; flow:to_server,established; content:"net.tcp.listen|5B|"; depth:15; nocase; pcre:"/^net\x2etcp\x2elisten\x5b\s*?\d+?\s*?[\x22\x27]\s*?\x3b/i"; reference:cve,2009-4502; classtype:attempted-admin; sid:25102; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 30000 (msg:"SERVER-OTHER SAP Business One License Manager buffer overflow attempt"; flow:to_server,established; content:"GIOP|01 00 01 00|"; depth:8; isdataat:1024,relative; reference:bugtraq,35933; reference:cve,2009-4988; classtype:attempted-admin; sid:25059; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6988 (msg:"SERVER-OTHER IBM Director CIM server alert indication request dll injection attempt"; flow:to_server,established; content:"/CIMListener/"; fast_pattern:only; http_uri; content:"M-POST"; http_method; content:"/CIMListener/|5C 5C|"; nocase; http_raw_uri; metadata:service http; reference:bugtraq,34065; reference:cve,2009-0880; classtype:attempted-admin; sid:25058; rev:2;)
# alert udp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER Free Software Foundation GnuTLS record application integer overflow attempt"; content:"|17 FE FF|"; depth:3; content:"|00 20|"; within:2; distance:8; metadata:policy max-detect-ips drop, service ssl; reference:cve,2012-1573; classtype:attempted-admin; sid:24996; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER lighthttpd connection header denial of service attempt"; flow:to_server,established; content:"Connection|3A|"; http_header; content:",,"; distance:0; fast_pattern; http_header; pcre:"/^Connection\x3A\s*[^\r\n]*?\x2c\x2c/Hsmi"; metadata:service http; reference:cve,2012-5533; classtype:denial-of-service; sid:24805; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1811 (msg:"SERVER-OTHER HP Intelligent Management Center uam.exe stack buffer overflow attempt"; flow:to_server; content:"|F7 10 3D 21|"; depth:4; content:"|02 02|"; within:2; distance:18; isdataat:4000,relative; metadata:policy security-ips drop; reference:bugtraq,55271; reference:cve,2012-3274; classtype:attempted-admin; sid:24538; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1811 (msg:"SERVER-OTHER HP Intelligent Management Center uam.exe stack buffer overflow attempt"; flow:to_server; content:"|F7 10 3D 21|"; depth:4; content:"|01 02|"; within:2; distance:18; isdataat:4000,relative; metadata:policy security-ips drop; reference:bugtraq,55271; reference:cve,2012-3274; classtype:attempted-admin; sid:24537; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1811 (msg:"SERVER-OTHER HP Intelligent Management Center uam.exe stack buffer overflow attempt"; flow:to_server; content:"|F7 10 3D 21|"; depth:4; content:"|01 01|"; within:2; distance:18; isdataat:4000,relative; metadata:policy security-ips drop; reference:bugtraq,55271; reference:cve,2012-3274; classtype:attempted-admin; sid:24536; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services opcode buffer overflow attempt"; flow:to_server; content:"|02 40|"; depth:2; offset:2; content:"|01 00 00|"; within:38; isdataat:256,relative; content:!"|00 00|"; within:256; reference:bugtraq,45914; reference:bugtraq,49803; classtype:attempted-user; sid:24513; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services opcode buffer overflow attempt"; flow:to_server,established; content:"|02 40|"; depth:2; offset:2; content:"|01 00 00|"; within:38; isdataat:256,relative; content:!"|00 00|"; within:256; reference:bugtraq,45914; reference:bugtraq,49803; classtype:attempted-user; sid:24512; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 03 00 00 00 04|"; within:8; distance:8; byte_test:4,>,0x10000,504,relative; metadata:policy max-detect-ips drop; reference:cve,2012-0409; classtype:attempted-admin; sid:24333; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 55 00 00 00 16|"; within:8; distance:8; byte_test:4,>,0x10000,467,relative; metadata:policy max-detect-ips drop; reference:cve,2012-0409; classtype:attempted-admin; sid:24332; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 55 00 00 00 01|"; within:8; distance:8; byte_test:4,>,0x10000,405,relative; metadata:policy max-detect-ips drop; reference:cve,2012-0409; classtype:attempted-admin; sid:24331; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 41 00 00 00 12|"; within:8; distance:8; byte_test:4,>,0x10000,375,relative; metadata:policy max-detect-ips drop; reference:cve,2012-0409; classtype:attempted-admin; sid:24330; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 14 00 00 07 E7|"; within:8; distance:8; byte_test:4,>,0x10000,252,relative; metadata:policy max-detect-ips drop; reference:cve,2012-0409; classtype:attempted-admin; sid:24328; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 14 00 00 07 F8|"; within:8; distance:8; byte_test:4,>,0x10000,136,relative; metadata:policy max-detect-ips drop; reference:cve,2012-0409; classtype:attempted-admin; sid:24327; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 2D 00 00 11 94|"; within:8; distance:8; byte_test:4,>,0x10000,100,relative; metadata:policy max-detect-ips drop; reference:cve,2012-0409; classtype:attempted-admin; sid:24326; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 32 00 00 00 3C|"; within:8; distance:8; byte_test:4,>,0x10000,517,relative; metadata:policy max-detect-ips drop; reference:cve,2012-0409; classtype:attempted-admin; sid:24325; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 32 00 00 00 2A|"; within:8; distance:8; byte_test:4,>,0x10000,80,relative; metadata:policy max-detect-ips drop; reference:cve,2012-0409; classtype:attempted-admin; sid:24324; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Fortinet FortiOS appliedTags field cross site scripting attempt"; flow:to_client,established; file_data; content:"/firewall/policy"; fast_pattern:only; http_uri; pcre:"/<span\s+class=[\x22\x27\x60]tag_list[\x22\x27\x60]\s+id=[\x22\x27\x60]appliedTags[\x22\x27\x60]>\s*?<span\s+class=[\x22\x27\x60]object_tag\s+object_tag_remove[\x22\x27\x60]\s+mkey=[^>]+>\s*?<[^>]+?[\x22\x27\x60]\s*?</smi"; metadata:service http; reference:bugtraq,51708; classtype:attempted-user; sid:24290; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER telephone URI to USSD code for factory reset"; flow:to_client,established; file_data; content:"tel|3A 2A|2767|2A|3855"; fast_pattern:only; metadata:service http; reference:url,twitter.com/pof/status/250540790491787264; reference:url,www.youtube.com/watch?v=Q2-0B04HPhs; classtype:attempted-dos; sid:24250; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP Data Protector client EXEC_CMD command execution attempt"; flow:to_server,established; content:"|FE FF 00 32|"; depth:4; offset:4; content:"|30|"; distance:0; content:"|30|"; within:10; pcre:"/(\x5C\x5C|\x2F\x2F)|(\x2E\x2E[\x2F\x5C]){1,5}/"; reference:bugtraq,46234; reference:cve,2011-0923; classtype:attempted-user; sid:24223; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP Data Protector client EXEC_CMD command execution attempt"; flow:to_server,established; content:"|FF FE 32 00|"; depth:4; offset:4; content:"|30|"; distance:0; content:"|30|"; within:10; pcre:"/(\x5C\x5C|\x2F\x2F)|(\x2E\x2E[\x2F\x5C]){1,5}/"; reference:bugtraq,46234; reference:cve,2011-0923; classtype:attempted-user; sid:24222; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP Data Protector client EXEC_CMD command execution attempt"; flow:to_server,established; content:"|20 32 00 20|"; depth:4; offset:4; content:"|20 30 00 20 30 00 20|"; distance:0; pcre:"/^(\x5C\x5C|\x2F\x2F)|(\x2E\x2E[\x2F\x5C]){1,5}/R"; reference:bugtraq,46234; reference:cve,2011-0923; classtype:attempted-user; sid:24221; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3817 (msg:"SERVER-OTHER HP Data Protector Express stack buffer overflow attempt"; flow:to_server,established; content:"|51 84|"; depth:2; content:"|02 02 02 32 06 00 00 00|"; within:8; distance:2; isdataat:104,relative; content:"|60 03|"; within:2; distance:104; isdataat:210,relative; content:!"|00|"; within:1500; distance:210; metadata:policy security-ips drop; reference:bugtraq,52431; reference:cve,2012-0124; classtype:attempted-admin; sid:23983; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3817 (msg:"SERVER-OTHER HP Data Protector Express stack buffer overflow attempt"; flow:to_server,established; content:"|51 84|"; depth:2; content:"|02 02 02 32 06 00 00 00|"; within:8; distance:2; isdataat:104,relative; content:"|50 03|"; within:2; distance:104; isdataat:210,relative; content:!"|00|"; within:1500; distance:210; metadata:policy security-ips drop; reference:bugtraq,52431; reference:cve,2012-0124; classtype:attempted-admin; sid:23982; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3817 (msg:"SERVER-OTHER HP Data Protector Express stack buffer overflow attempt"; flow:to_server,established; content:"|51 84|"; depth:2; content:"|02 02 02 32 06 00 00 00|"; within:8; distance:2; isdataat:104,relative; content:"|40 03|"; within:2; distance:104; isdataat:210,relative; content:!"|00|"; within:1500; distance:210; metadata:policy security-ips drop; reference:bugtraq,52431; reference:cve,2012-0124; classtype:attempted-admin; sid:23981; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3817 (msg:"SERVER-OTHER HP Data Protector Express stack buffer overflow attempt"; flow:to_server,established; content:"|51 84|"; depth:2; content:"|02 02 02 32 06 00 00 00|"; within:8; distance:2; isdataat:104,relative; content:"|30 03|"; within:2; distance:104; isdataat:210,relative; content:!"|00|"; within:1500; distance:210; metadata:policy security-ips drop; reference:bugtraq,52431; reference:cve,2012-0124; classtype:attempted-admin; sid:23980; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3817 (msg:"SERVER-OTHER HP Data Protector Express stack buffer overflow attempt"; flow:to_server,established; content:"|51 84|"; depth:2; content:"|02 02 02 32 06 00 00 00|"; within:8; distance:2; isdataat:104,relative; content:"|10 03|"; within:2; distance:104; isdataat:210,relative; content:!"|00|"; within:1500; distance:210; metadata:policy security-ips drop; reference:bugtraq,52431; reference:cve,2012-0124; classtype:attempted-admin; sid:23979; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Ubisoft Uplay browser plugin backdoor attempt"; flow:to_client,established; file_data; content:"|2E|open|28|"; content:"-orbit_product_id 1"; distance:0; content:"-orbit_exe_path"; content:"-uplay_steam_mode"; content:"-uplay_dev_mode"; content:"-uplay_dev_mode_auto_play"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4177; reference:url,news.ycombinator.com/item?id=4311264; reference:url,seclists.org/fulldisclosure/2012/Jul/375; classtype:attempted-user; sid:23624; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1582 (msg:"SERVER-OTHER IBM Tivoli name overflow attempt"; flow:to_server,established; content:"|26 A5|"; depth:2; offset:2; byte_test:2,>,128,2,relative; metadata:policy max-detect-ips drop; reference:cve,2009-3853; classtype:attempted-user; sid:23456; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services stack buffer overflow attempt"; flow:to_server,established; content:"|06 00 02 40|"; depth:4; content:"|00 00 00 00|"; within:4; distance:22; classtype:attempted-admin; sid:23397; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [1234,2049] (msg:"SERVER-OTHER Novell Netware XNFS.NLM NFS v2 xdrdecodeString heap buffer overflow attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 02 00 00 00|"; depth:19; offset:4; pcre:"/^[\x04\x09\x0a\x0b\x0d\x0e\x0f]/R"; byte_jump:4,5,relative; byte_jump:4,4,relative; byte_test:4,>,255,32,relative; metadata:policy max-detect-ips drop; reference:bugtraq,50804; reference:cve,2011-4191; classtype:misc-attack; sid:23366; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [1234,2049] (msg:"SERVER-OTHER Novell Netware XNFS.NLM NFS v3 xdrdecodeString heap buffer overflow attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 03 00 00 00|"; depth:19; offset:4; pcre:"/^[\x03\x08\x09\x0a\x0c\x0d\x0e]/R"; byte_jump:4,5,relative; byte_jump:4,4,relative; byte_test:4,>,255,4,relative; metadata:policy max-detect-ips drop; reference:bugtraq,50804; reference:cve,2011-4191; classtype:misc-attack; sid:23365; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [1234,2049] (msg:"SERVER-OTHER Novell Netware XNFS.NLM v2 xdrdecodeString heap buffer overflow attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 02 00 00 00 0D|"; depth:20; offset:4; byte_jump:4,4,relative; byte_jump:4,4,relative; byte_jump:4,32,relative; byte_test:4,>,255,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,50804; reference:cve,2011-4191; classtype:misc-attack; sid:23364; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [1234,2049] (msg:"SERVER-OTHER Novell Netware XNFS.NLM xdrdecodeString heap buffer overflow attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 02 00 00 00 0B|"; depth:20; offset:4; byte_jump:4,4,relative; byte_jump:4,4,relative; byte_jump:4,32,relative; byte_test:4,>,10496,32,relative; metadata:policy max-detect-ips drop; reference:bugtraq,50804; reference:cve,2011-4191; classtype:misc-attack; sid:23363; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER Wireshark console.lua file load exploit attempt"; flow:to_server,established; content:"|2F|console.lua"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,49528; reference:cve,2011-3360; reference:url,www.wireshark.org/security/wnpa-sec-2011-15.html; classtype:attempted-user; sid:23239; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Lync Online wlanapi.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|wlanapi.dll"; nocase; http_uri; pcre:"/\x2Fwlanapi\x2Edll([\?\x5C\x2F]|$)/miU"; content:!"Host: msdl.microsoft.com|0D 0A|"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2012-1849; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-039; classtype:attempted-user; sid:23165; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Lync Online ncrypt.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|ncrypt.dll"; nocase; http_uri; pcre:"/\x2Fncrypt\x2Edll([\?\x5C\x2F]|$)/miU"; content:!"Host: msdl.microsoft.com|0D 0A|"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2012-1849; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-039; classtype:attempted-user; sid:23164; rev:8;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER known malicious SSL certificate derived from Microsoft CA detected"; flow:to_client,established; ssl_state:server_hello; content:"|30 82 01 0A 02 82 01 01 00 A6 89 43 6F C6 CA 9D 42 AD BD 28 D5 46 49 E0 55 F2 CC 38 E0 3D C0 7C BA 1D CA|"; fast_pattern:only; metadata:service ssl; reference:url,technet.microsoft.com/en-us/security/advisory/2718704; classtype:misc-attack; sid:23090; rev:3;)
# alert tcp $EXTERNAL_NET 8300 -> $HOME_NET any (msg:"SERVER-OTHER Novell Groupwise HTTP response message parsing overflow"; flow:to_client,established; isdataat:512; content:"NM_A_SZ_TRANSACTION_ID"; fast_pattern:only; pcre:"/[^\x0a]{512}/"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-2703; classtype:attempted-user; sid:21917; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8181,8443,14300] (msg:"SERVER-OTHER Symantic multiple products VRTSweb code execution"; flow:to_server, established; content:"<command "; nocase; content:"installdir=|22 5C 5C|"; distance:0; nocase; reference:bugtraq,37012; reference:cve,2009-3027; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091209_00; classtype:attempted-admin; sid:21407; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6014 (msg:"SERVER-OTHER IBM Tivoli kuddb2 denial of service attempt"; flow:to_server,established; content:"|00 05 03 31 41|"; depth:5; metadata:policy max-detect-ips drop; reference:cve,2010-0472; classtype:attempted-dos; sid:21351; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024,5555] (msg:"SERVER-OTHER HP OpenView Storage Data Protector stack overflow attempt"; flow:to_server,established; content:"|32 36 37 00|"; depth:4; offset:4; isdataat:80,relative; pcre:"/^([^\x00]+\x00){3}([^\x00]{64}|[^\x00]+\x00[^\x00]{256})/R"; reference:bugtraq,37250; reference:cve,2009-3844; classtype:attempted-admin; sid:21350; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024,5555] (msg:"SERVER-OTHER HP OpenView Storage Data Protector stack overflow attempt"; flow:to_server,established; content:"|FF FE 32 00 36 00 37 00 00 00|"; depth:10; offset:4; isdataat:80,relative; pcre:"/^([\x01\x20]\x00)?((\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00])\x00\x00([\x01\x20]\x00)?){3}((\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00]){64}|(\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00])\x00\x00([\x01\x20]\x00)(\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00]){256})/R"; reference:bugtraq,37250; reference:cve,2009-3844; classtype:attempted-admin; sid:21349; rev:5;)
# alert tcp $EXTERNAL_NET 24800 -> $HOME_NET any (msg:"SERVER-OTHER Synergy clipboard format client integer overflow attempt"; flow:established,to_client; flowbits:isset,synergy; content:"DCLP"; pcre:"/^.{13}\x00\x00\x00[\x00\x01\x02]/R"; byte_test:4,>,3,9,big,relative; classtype:attempted-user; sid:21331; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 24800 (msg:"SERVER-OTHER Synergy clipboard format server integer overflow attempt"; flow:to_server,established; flowbits:isset,synergy; content:"DCLP"; pcre:"/^.{13}\x00\x00\x00[\x00\x01\x02]/R"; byte_test:4,>,3,9,big,relative; classtype:attempted-user; sid:21330; rev:3;)
# alert tcp $EXTERNAL_NET 24800 -> $HOME_NET any (msg:"SERVER-OTHER Synergy clipboard format client integer overflow attempt"; flow:established,to_client; flowbits:isset,synergy; content:"DCLP"; pcre:"/^.{9}\x00\x00\x00\x01(?!\x00\x00\x00[\x00\x01\x02])/R"; classtype:attempted-user; sid:21329; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 24800 (msg:"SERVER-OTHER Synergy clipboard format server integer overflow attempt"; flow:to_server,established; flowbits:isset,synergy; content:"DCLP"; pcre:"/^.{9}\x00\x00\x00\x01(?!\x00\x00\x00[\x00\x01\x02])/R"; classtype:attempted-user; sid:21328; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 37452 (msg:"SERVER-OTHER Quest NetVault SmartDisk libnvbasics.dll DOS attempt"; flow:to_server,established; content:"|17 04 00 20 13 04 00 20 01 00 00 00 C8 06 00 00 20 6F 78 3B|"; fast_pattern:only; reference:url,aluigi.org/poc/percolator_1.zip; classtype:denial-of-service; sid:21315; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1099 (msg:"SERVER-OTHER Oracle Java RMI services remote object execution attempt"; flow:to_server,established; content:"|F6 B6 89 8D 8B F2 86 43|"; fast_pattern:only; content:"java.rmi.server"; content:"http|3A 2F 2F|"; nocase; metadata:policy max-detect-ips drop, service java_rmi; reference:cve,2015-2342; reference:url,www.exploit-db.com/exploits/17535; classtype:misc-attack; sid:21268; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3050 (msg:"SERVER-OTHER Embarcadero Interbase connect request buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 01|"; byte_jump:4,12,relative,align; pcre:"/^.{8}[\x01\x02\x04\x05\x07]/sR"; byte_test:1,>,0x80,0,relative; reference:url,www.securityfocus.com/bid/47644; classtype:misc-attack; sid:21263; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Xitami if-modified-since header buffer overflow attempt"; flow:to_server,established; content:"If-Modified-Since"; nocase; http_header; pcre:"/If\x2DModified\x2DSince\x3A[^\x0D]{50}/iH"; metadata:service http; reference:bugtraq,25772; reference:cve,2007-5067; classtype:attempted-user; sid:21261; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER multiple vendors host buffer overflow attempt"; flow:to_server,established; content:"Host|3A|"; fast_pattern:only; http_header; pcre:"/Host\x3a\s+[^\r\n]{253}/iH"; metadata:service http; reference:bugtraq,6870; reference:cve,2003-0178; reference:cve,2013-4115; classtype:web-application-attack; sid:21248; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER IBM Lotusnotes s_viewname buffer overflow attempt"; flow:to_server,established; content:"PresetFields="; fast_pattern:only; http_uri; pcre:"/PresetFields=[^\x26]*?(s_viewname|Foldername)\x3b\x28[^\x29]{100}/iU"; metadata:service http; reference:bugtraq,6871; reference:cve,2003-0178; classtype:web-application-attack; sid:21247; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"SERVER-OTHER Remote Desktop Protocol brute force attempt"; flow:to_server,established,no_stream; content:"|E0|"; depth:1; offset:5; content:"mstshash="; distance:0; nocase; detection_filter:track by_src, count 10, seconds 15; metadata:service rdp; reference:cve,2015-0079; reference:url,attack.mitre.org/techniques/T1076; reference:url,attack.mitre.org/techniques/T1110; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-030; classtype:misc-activity; sid:21232; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 3217 (msg:"SERVER-OTHER Avaya WinPDM Unite host router buffer overflow attempt"; flow:to_server; content:"UTP/1 To|3A|"; nocase; content:!"|0D 0A|"; within:260; pcre:"/^UTP\x2f1 To\x3a\s*[^\s]+\s+[^\n]{256}/smi"; reference:bugtraq,47947; classtype:attempted-user; sid:21105; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1315,1964,2315] (msg:"SERVER-OTHER IBM solidDB solid.exe authentication bypass attempt"; flow:to_server,established; content:"|04 03 02 01|"; depth:4; offset:11; byte_test:2,=,1,3,little; byte_jump:4,23,little,align,post_offset -1; content:"|02 00 00 00|"; within:4; reference:bugtraq,47137; reference:url,www-304.ibm.com/support/docview.wss?uid=swg21474552; classtype:attempted-user; sid:20876; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP OpenView Storage Data Protector buffer overflow attempt"; flow:to_server,established; content:"|FF FE 32 00 00 00|"; depth:6; offset:4; content:"|20 00 61 00 00 00 20 00 00 00|"; fast_pattern:only; pcre:"/\x20\x00\x61\x00\x00\x00\x20\x00\x00\x00([^\x00].|.[^\x00]){255}/Osmi"; reference:bugtraq,48486; reference:cve,2011-1865; classtype:attempted-admin; sid:20761; rev:5;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"SERVER-OTHER Yahoo Messenger possible file transfer spoofing"; flow:established; content:"YMSG"; depth:4; content:"|00|M"; depth:2; offset:10; pcre:"/YMSG.{6}\x00\x4d.*?\x32\x37\xc0\x80(.{24,39}[\x2e\s])\.\w+\xc0\x80/i"; reference:cve,2005-0243; classtype:attempted-user; sid:20748; rev:4;)
# alert ip any any -> $HOME_NET any (msg:"SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt"; ip_proto:2; content:"A"; depth:1; byte_test:1,>,64,12,relative; reference:bugtraq,9952; reference:cve,2004-0176; reference:url,secunia.com/advisories/11185; classtype:attempted-admin; sid:20747; rev:4;)
# alert ip any any -> $HOME_NET any (msg:"SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt"; ip_proto:2; content:"A"; depth:1; byte_test:1,>,16,11,relative; reference:bugtraq,9952; reference:cve,2004-0176; reference:url,secunia.com/advisories/11185; classtype:attempted-admin; sid:20746; rev:4;)
# alert udp any any -> $HOME_NET 2055 (msg:"SERVER-OTHER Ethereal Netflow dissector buffer overflow attempt"; flow:to_server; content:"|00 09|"; depth:2; byte_test:2,>,64,24,big,relative; reference:bugtraq,9952; reference:cve,2004-0176; reference:url,secunia.com/advisories/11185/; classtype:attempted-admin; sid:20745; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER Check Point vpn-1 ISAKMP buffer overflow attempt"; flow:to_server; content:"|08 07 07 30 28 31 0B 30 09 06 03 55 04 06 13|"; depth:15; offset:501; reference:cve,2004-0040; classtype:attempted-user; sid:20738; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6129 (msg:"SERVER-OTHER Dameware Mini Remote Control username buffer overflow"; flow:to_server,established; content:"|10 27|"; depth:2; content:"|00|"; within:1; distance:202; isdataat:361,relative; content:!"|00|"; within:362; reference:bugtraq,14707; reference:cve,2005-2842; classtype:attempted-admin; sid:20662; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER sl.php script injection"; flow:to_client,established; file_data; content:"script src=http|3A 2F 2F|"; nocase; content:"|2F|sl.php"; within:50; fast_pattern; nocase; metadata:service http; reference:url,isc.sans.edu/diary.html?storyid=12127; classtype:misc-activity; sid:20660; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1707 (msg:"SERVER-OTHER Sage SalesLogix database credential disclosure attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00|"; depth:10; content:"|00 00 00|"; within:3; distance:1; pcre:"/(GetConnection|ProcessQueueFile)\x00/Ri"; content:"|00 00 00 00 00 00|"; reference:bugtraq,11450; reference:cve,2004-1612; reference:url,attack.mitre.org/techniques/T1003; reference:url,attack.mitre.org/techniques/T1081; reference:url,attack.mitre.org/techniques/T1214; classtype:attempted-admin; sid:20618; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7144 (msg:"SERVER-OTHER Peercast Basic HTTP authentication buffer overflow attempt"; flow:to_server,established; content:"GET"; depth:3; content:"Authorization|3A| Basic"; distance:0; nocase; isdataat:128,relative; content:!"|0A|"; within:128; metadata:service http; reference:cve,2008-2040; reference:url,bugs.debian.org/cgi-bin/bugreport.cgi?bug=478573; classtype:attempted-user; sid:20616; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER BOOTP overflow"; flow:to_server; dsize:>300; content:"|01 01 06 00|"; depth:4; content:!"|63 82 53 63|"; distance:0; reference:cve,1999-0799; classtype:attempted-admin; sid:20611; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2001 (msg:"SERVER-OTHER Sunway ForceControl SNMP NetDBServer stack buffer overflow attempt"; flow:to_server,established; content:"|EB 50 EB 50|"; depth:4; byte_test:2,=,83,0,little,relative; byte_test:1,>,64,10,little,relative; reference:url,secunia.com/advisories/46146; reference:url,www.exploit-db.com/exploits/17885; classtype:attempted-user; sid:20609; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9850 (msg:"SERVER-OTHER Novell Groupwise internet agent http uri buffer overflow attempt"; flow:to_server,established; content:"/gwia|2E|css?"; fast_pattern; nocase; isdataat:239,relative; content:!"|20| HTTP"; within:239; nocase; metadata:service http; reference:cve,2011-0334; classtype:attempted-user; sid:20608; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1761 (msg:"SERVER-OTHER Novell ZENworks Remote Management overflow attempt"; flow:to_server,established; content:"|00 01 00 06|"; depth:4; content:"|00 06|"; within:22; distance:6; content:"|7F FF|"; within:6; distance:2; metadata:policy max-detect-ips drop; reference:bugtraq,13678; reference:cve,2005-1543; classtype:attempted-admin; sid:20576; rev:6;)
# alert tcp $EXTERNAL_NET 20031 -> $HOME_NET any (msg:"SERVER-OTHER BakBone NetVault client heap overflow attempt"; flow:to_client,established; stream_size:server,>,32784; byte_test:4,>,32784,0,little; metadata:policy max-detect-ips drop; reference:bugtraq,12967; reference:cve,2005-1009; classtype:attempted-admin; sid:20546; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"SERVER-OTHER CA BrightStor cheyenneds mailslot overflow"; flow:to_server,established; content:"m|00|a|00|i|00|l|00|s|00|l|00|o|00|t|00 5C 00|c|00|h|00|e|00|y|00|e|00|n|00|n|00|e|00|d|00|s|00|"; nocase; isdataat:44,relative; content:!"|00 00|"; within:40; distance:4; reference:bugtraq,20364; reference:cve,2006-5142; classtype:attempted-admin; sid:20442; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"SERVER-OTHER CA BrightStor cheyenneds mailslot overflow"; flow:to_server; content:"m|00|a|00|i|00|l|00|s|00|l|00|o|00|t|00 5C 00|c|00|h|00|e|00|y|00|e|00|n|00|n|00|e|00|d|00|s|00|"; nocase; isdataat:44,relative; content:!"|00 00|"; within:40; distance:4; reference:bugtraq,20364; reference:cve,2006-5142; classtype:attempted-admin; sid:20441; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"SERVER-OTHER CA BrightStor cheyenneds mailslot overflow"; flow:to_server,established; content:"mailslot|5C|cheyenneds"; nocase; isdataat:24,relative; content:!"|00|"; within:20; distance:4; reference:bugtraq,20364; reference:cve,2006-5142; classtype:attempted-admin; sid:20440; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9092 (msg:"SERVER-OTHER PointBase 4.6 database DoS"; flow:to_server,established; content:"sun.misc.MessageUtils::toStderr"; fast_pattern:only; content:"CREATE FUNCTION"; nocase; pcre:"/CREATE FUNCTION\s+([^\s\x28]+).*?\1\s*\x28null/smi"; reference:cve,2003-1573; classtype:attempted-dos; sid:20251; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1025:1200,1500:1502] (msg:"SERVER-OTHER IBM Tivoli Storage Manager Client Remote Heap Buffer Overflow"; flow:to_server,established; content:"|00 00 08 A5|"; byte_test:2,>,0xc350,6,relative; metadata:policy max-detect-ips drop; reference:cve,2008-4801; classtype:attempted-admin; sid:20250; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Oracle Java Web Start BasicService arbitrary command execution attempt"; flow:to_client,established; file_data; content:"javax.jnlp.BasicService"; fast_pattern:only; content:"file|3A 5C 5C|"; nocase; content:"showDocument"; distance:0; metadata:service http; reference:cve,2008-4910; classtype:attempted-user; sid:20249; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Oracle Java calendar deserialize vulnerability"; flow:to_client,established; file_data; content:"|50 4B 05 06 00 00 00 00 06 00 06 00 93 01 00 00 65 16 00 00 00 00|"; fast_pattern:only; metadata:service http; reference:cve,2008-5353; classtype:attempted-user; sid:20238; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER SSL CBC encryption mode weakness brute force attempt"; flow:to_server,established,no_stream; isdataat:1; isdataat:!1001; detection_filter:track by_src,count 100,seconds 1; metadata:service ssl; reference:cve,2011-3389; reference:url,attack.mitre.org/techniques/T1110; reference:url,technet.microsoft.com/en-us/security/advisory/2588513; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-006; reference:url,vnhacker.blogspot.com/2011/09/beast.html; classtype:attempted-recon; sid:20212; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"SERVER-OTHER Nortel Networks Multiple UNIStim VoIP Products Remote Eavesdrop Attempt"; flow:stateless,no_stream; content:"|02 01 16 1A 30 FF 00 00 08 01 00 B8 B8 06 06 81 14 50 14 51 14 50 14 50 C0 A8 0B C9 00 00|"; offset:4; detection_filter:track by_src, count 10, seconds 1; reference:bugtraq,26120; reference:cve,2007-5637; classtype:attempted-recon; sid:20138; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER ALTAP Salamander PE Viewer PDB Filename Buffer Overflow"; flow:to_client,established; file_data; content:"|B8 81 01 10 FF 25 BC 81 01 10 FF 25 C0 81 01 10 FF 25 68 81 01 10 FF 25 C4 81 01 10 FF 25 C8 81|"; fast_pattern:only; metadata:service http; reference:cve,2007-3314; reference:url,vuln.sg/salamander25-en.html; classtype:attempted-user; sid:20084; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [514,2401] (msg:"SERVER-OTHER CVS annotate command buffer overflow attempt"; flow:to_server,established; content:"Entry|20 2F|"; content:"annotate|0A|"; distance:0; fast_pattern; pcre:"/Entry\x20\x2f[^\x2f]*\x2f[^\x2f]{68}/"; reference:bugtraq,13217; reference:cve,2005-0573; classtype:attempted-dos; sid:20060; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 912 (msg:"SERVER-OTHER VMWare authorization service user credential parsing DoS attempt"; flow:to_server,established; content:"USER"; depth:4; content:"PASS"; distance:0; pcre:"/(USER|PASS)[^\x80-\xff]*[\x80-\xff]/"; reference:bugtraq,36630; reference:cve,2009-3707; classtype:attempted-dos; sid:20058; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2690 (msg:"SERVER-OTHER HP OpenView Network Node Manager denial of service attempt"; flow:to_server, established; content:"|02 00|"; depth:2; byte_test:2, &, 0x8000, 1, relative, little; byte_test:2, <, 0xfffb, 1, relative, little; reference:cve,2009-3840; classtype:denial-of-service; sid:20054; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7210 (msg:"SERVER-OTHER SAP MaxDB malformed handshake request buffer overflow attempt"; flow:to_server,established; content:"|63 00 00 00 03 2F 00 00 01 00 00 00 FF FF FF FF 00 00 04 00 63 00 00 00 00 02 4B 00 04 09 00 00 44 20 00 00 00 00 00 00 00 00 00 00 FF FF FF FF 6D 61 08 F1 A0 00 00 00 00 00 00 00 00 00 00 00 07 49|"; depth:66; isdataat:512,relative; content:!"|00|"; within:512; reference:bugtraq,38769; reference:cve,2010-1185; classtype:attempted-admin; sid:20051; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Trend Micro Control Manager CasLogDirectInsertHandler.cs cross site request forgery attempt"; flow:to_client,established; file_data; content:"SrcDataFile="; nocase; content:"|2E|xml"; distance:0; nocase; content:"SchemaFile="; nocase; content:"|2E|xml"; distance:0; nocase; content:"MsgType="; distance:0; nocase; metadata:service http; reference:url,esupport.trendmicro.com/solution/en-us/1058280.aspx; classtype:attempted-user; sid:20048; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38292 (msg:"SERVER-OTHER Symantec Alert Management System modem string buffer overflow attempt"; flow:to_server,established; content:"ModemString|00|"; byte_test:2,>,32,0,relative; content:"|0B 00 32|400,E,7,1|00|"; within:13; distance:2; metadata:policy max-detect-ips drop; reference:cve,2010-0110; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_00; classtype:attempted-user; sid:19892; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8080,8081] (msg:"SERVER-OTHER HP Operations Manager Server Default Credientials in use attempt"; flow:to_server,established; content:"Authorization|3A 20|Basic|20|b3Z3ZWJ1c3I6T3ZXKmJ1c3Ix"; metadata:policy max-detect-ips drop; reference:cve,2009-4189; classtype:default-login-attempt; sid:19815; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Alucar php shell download attempt"; flow:to_client,established; file_data; content:"dHA6Ly9YZ3IwdXBWbi5vcmc8L2E+IHwgPGEgaHJlZj0naHR0cDovL2hjZWdyb3VwLm5ldCc+SEBjaytDckBjaz1FbmoweSE8L2E+IHwgRGVzaWduIGJ5OkFsdUNhUiB8IF0t"; fast_pattern:only; metadata:service http; reference:bugtraq,47374; reference:url,code.google.com/p/timthumb/issues/detail?id=212; classtype:attempted-user; sid:19661; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2398 (msg:"SERVER-OTHER Novell ZENworks Handheld Management upload directory traversal attempt"; flow:to_server,established; byte_jump:4,14,little; content:"|06|"; within:1; distance:17; byte_extract:4,4,messageID,relative,little; content:"|2E 2E|"; within:messageID; distance:4; reference:bugtraq,48467; classtype:attempted-admin; sid:19609; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2400 (msg:"SERVER-OTHER Novell ZENworks Handheld Management ZfHIPCND.exe buffer overflow attempt"; flow:to_server,established; content:"|02 00 00 00 01 00 01 00|"; fast_pattern:only; flowbits:set,zenworks_opcode; flowbits:noalert; reference:bugtraq,46024; reference:cve,2011-0742; classtype:attempted-admin; sid:19323; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER banner.txt access - possible compromised multi-mesh injection server"; flow:to_server,established; content:"/banner.txt"; nocase; http_uri; flowbits:set,http.multimesh; flowbits:noalert; metadata:service http; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:misc-activity; sid:19299; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER cssminibar.js script injection"; flow:to_server,established; content:"/cssminibar.js"; nocase; http_uri; flowbits:set,http.multimesh; metadata:service http; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:attempted-user; sid:19298; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER sidename.js script injection"; flow:to_server,established; content:"/sidename.js"; nocase; http_uri; flowbits:set,http.multimesh; metadata:service http; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:attempted-user; sid:19297; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER CA Discovery Serice Overflow Attempt"; isdataat:100; content:"|9C|"; depth:1; content:!"|00|"; within:100; metadata:policy max-detect-ips drop; reference:cve,2006-6379; classtype:attempted-admin; sid:19090; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER CA Discovery Service Overflow Attempt"; isdataat:100; content:"|9B|"; depth:1; content:!"|00|"; within:100; metadata:policy max-detect-ips drop; reference:cve,2006-6379; classtype:attempted-admin; sid:19089; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"SERVER-OTHER CA Discovery Service Overflow Attempt"; flow:to_server, established; isdataat:100; content:"|9C|"; depth:1; content:!"|00|"; within:100; metadata:policy max-detect-ips drop; reference:cve,2006-6379; classtype:attempted-admin; sid:19088; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"SERVER-OTHER CA Discovery Service Overflow Attempt"; flow:to_server, established; isdataat:100; content:"|9B|"; depth:1; content:!"|00|"; within:100; metadata:policy max-detect-ips drop; reference:cve,2006-6379; classtype:attempted-admin; sid:19087; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-OTHER LDAP Novell eDirectory evtFilteredMonitorEventsRequest function heap overflow attempt"; flow:to_server,established; content:"2.16.840.1.113719.1.27.100."; pcre:"/^(79|84)\x81(\x82..|\x83...|\x84....)\x30(\x82..|\x83...|\x84....)\x02(\x04|\x81\x04|\x82\x00\x04|\x83\x00\x00\x04|\x84\x00\x00\x00\x04)[\x10-\xff]/R"; metadata:policy max-detect-ips drop, service ldap; reference:cve,2006-4509; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=427; classtype:attempted-admin; sid:18769; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER ActFax Server LPD/LPR Remote Buffer Overflow"; flow:to_server,established; isdataat:500; content:"|7D 4B 4A 00|"; depth:4; offset:257; reference:url,www.exploit-db.com/exploits/16176/; classtype:attempted-admin; sid:18763; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7580 (msg:"SERVER-OTHER Tecnomatix FactoryLink CSService null pointer attempt"; flow:to_server,established; content:"|00 00 00 00 04 00 00 00 04 00 00 00 00 03 00 00 00 04|"; fast_pattern:only; content:"LEN|00|"; depth:4; nocase; reference:bugtraq,46934; classtype:attempted-dos; sid:18617; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SERVER-OTHER GoodTech SSH Server SFTP Processing Buffer Overflow"; flow:to_server,established; content:"|85 79 28 23 7B C0 0E E2 F3 A9 E1 63 F2 ED 19 63|"; fast_pattern:only; reference:bugtraq,31879; reference:cve,2008-4726; classtype:attempted-user; sid:18598; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER IBM Tivoli Provisioning Manager long URI request buffer overflow attempt"; flow:to_server,established; content:"|17 03 01 04 00 5E 4E 64 80 C8 08 94 6D 3F 7C 86 41 B7 C9 BA 2A 26 21 83 D7 95 14 7A 3C 4E E4 1D B1 42 0B 5D 60|"; depth:37; metadata:policy max-detect-ips drop, service ssl; reference:bugtraq,27387; reference:cve,2008-0401; classtype:attempted-user; sid:18582; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER IBM Tivoli Provisioning Manager long URI request buffer overflow attempt"; flow:to_server,established; content:"|17 03 01 09 00 47 AE 1F 40 B1 9E 05 B1 F2 1A F9 09 A9 21 16 F9 FA 66 44 22 7E B9 92 49 D4 84 1A 0F 68 20 30 E8|"; depth:37; metadata:policy max-detect-ips drop, service ssl; reference:bugtraq,27387; reference:cve,2008-0401; classtype:attempted-user; sid:18581; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER Multiple Vendors iacenc.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|iacenc.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42730; reference:cve,2010-3138; reference:cve,2010-3150; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-014; classtype:attempted-user; sid:18531; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1761 (msg:"SERVER-OTHER Novell ZENworks Remote Management overflow attempt"; flow:to_server,established; content:"|00 06 05 01 10 E6 01 00 34 5A F4 77 80 95 F8 77|"; content:"|00 01 00 06|"; within:4; content:"|00 06|"; within:4; distance:6; content:"|7F FF|"; within:4; distance:6; metadata:policy max-detect-ips drop; reference:bugtraq,13678; reference:cve,2005-1543; classtype:attempted-admin; sid:18512; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7144 (msg:"SERVER-OTHER PeerCast format string exploit attempt"; flow:established, to_server; content:"/html/en/index.html"; nocase; content:"|25|1265|24|"; within:50; fast_pattern; reference:bugtraq,13808; reference:cve,2005-1806; classtype:attempted-admin; sid:18509; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER HP DDMI Agent spoofing - command execution"; flow:to_server,established; content:"SOAPMethodName|3A| urn|3A|aiagent|23|executeProcess"; nocase; metadata:service http; reference:bugtraq,35250; reference:cve,2009-1419; classtype:attempted-admin; sid:18397; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3690 (msg:"SERVER-OTHER Subversion 1.0.2 get-dated-rev buffer overflow attempt"; flow:to_server,established; content:"get-dated-rev"; fast_pattern:only; pcre:"/get-dated-rev\s*\x28\s*([^\x29]{75}|[\s\x20-\x28\x2A-\x7E]{0,74}[^\s\x20-\x7E])/ims"; reference:bugtraq,10386; reference:cve,2004-0397; classtype:attempted-user; sid:18312; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia Network Backup Client Buffer Overflow Type 84 Attempt"; flow:to_server,established; content:"|00 54|"; depth:2; byte_test:2,>,255,4,relative; metadata:policy max-detect-ips drop; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-user; sid:18292; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia Network Backup Client Buffer Overflow Type 77 Attempt"; flow:to_server,established; content:"|00 4D|"; depth:2; byte_test:2,>,23,4,relative; metadata:policy max-detect-ips drop; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-user; sid:18291; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [3985,3986] (msg:"SERVER-OTHER Unisys Business Information Server stack buffer overflow attempt"; flow:to_server,established; content:"|16 07|"; depth:2; byte_test:2,>,24,2,big; metadata:policy max-detect-ips drop; reference:bugtraq,35494; reference:cve,2009-1628; classtype:attempted-admin; sid:18248; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Thinkpoint fake antivirus binary download"; flow:to_client,established; file_data; content:"|30 B6 AD D9 C7 B7 41 8E 75 6E 65 78 70 30 65 B4 26 6D|"; content:"|BA 3A 0D 0A 4F E8 7A 65 7E 66 B5 05 EF AD 61 49 C9 80 75 6D 58|"; within:100; metadata:service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-090610-2408-99; classtype:trojan-activity; sid:17817; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1339 (msg:"SERVER-OTHER CA BrightStor ARCServe logger servie null-pointer dereference attempt"; flow:to_server, established; content:"|00 00 00 00 00 00 00 02 00 06 09 82 00 00 00 01 00 00 00 01|"; content:"|FF FF FF FF|"; distance:8; metadata:policy max-detect-ips drop; reference:cve,2007-2772; classtype:attempted-admin; sid:17643; rev:4;)
alert tcp $EXTERNAL_NET 41523 -> $HOME_NET any (msg:"SERVER-OTHER Products Discovery Service Buffer Overflow"; flow:to_client,established; flowbits:set,CA.response; content:"|9B 17 F6 4A 1D 01 E7 52 11 C3 61 7B 9B B0 62 52|"; fast_pattern:only; isdataat:990; metadata:policy max-detect-ips alert; reference:bugtraq,20364; reference:cve,2006-5143; classtype:attempted-user; sid:17621; rev:7;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"SERVER-OTHER Squid proxy DNS response spoofing attempt"; flow:to_client,no_stream; content:"|C0 10 00 02 00 01 00 01 51 80 00 05 02 6E 73 C0 10|"; detection_filter:track by_src, count 500, seconds 30; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,13592; reference:cve,2005-1519; classtype:attempted-dos; sid:17495; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8443 (msg:"SERVER-OTHER Symantec Backup Exec System Recovery Manager unauthorized file upload attempt"; flow:to_server,established; content:"|17 03 00 02 01 87 09 6B 5D 64 67 5D 86 54 D0 F4 27 EF 2B 32 CA A3 D3 FA 97 AA 40 14 ED 27 15 D2 9B 06 EA 07 09 7D B8 D2 61 69 CD 6D 74 52 F9 8A|"; depth:48; nocase; metadata:service ssl; reference:cve,2008-0457; reference:url,seer.entsupport.symantec.com/docs/297171.htm; classtype:misc-activity; sid:17445; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Palo Alto Networks Firewall editUser.esp XSS attempt"; flow:to_server,established; content:"/esp/editUser.esp"; fast_pattern; nocase; http_uri; content:"role="; nocase; http_uri; pcre:"/[\x3f\x26]role=[^\x26]*?[^\x26a-z0-9\x5b\x5d\x2d]/Usmi"; metadata:service http; reference:cve,2010-0475; classtype:web-application-attack; sid:16689; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER IBM WebSphere application server cross site scripting attempt"; flow:to_server, established; content:"/ibm/console/"; nocase; http_uri; content:"<script"; distance:0; nocase; http_uri; metadata:service http; reference:bugtraq,34001; reference:cve,2009-0855; classtype:misc-attack; sid:16686; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Green Dam URL handling overflow attempt"; flow:to_client,established; file_data; content:"<=2035"; fast_pattern:only; content:"window.location="; content:"'.html'|3B|"; within:30; nocase; content:"classid=|22|"; distance:0; nocase; content:".dll|23|"; within:100; nocase; metadata:service http; reference:url,secunia.com/advisories/35435; classtype:attempted-user; sid:16598; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SERVER-OTHER Squid Proxy http version number overflow attempt"; flow:to_server,established; content:" http/"; nocase; pcre:"/^[^\s]+\s+[^\s]+\s+http\x2f(\d+\x2e)?\d{10}/i"; metadata:policy max-detect-ips drop; reference:bugtraq,33604; reference:cve,2009-0478; classtype:attempted-user; sid:16521; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-OTHER CVS Entry line flag remote heap overflow attempt"; flow:to_server,established; content:"Entry"; fast_pattern:only; cvs:invalid-entry; reference:bugtraq,10384; reference:cve,2004-0396; classtype:attempted-admin; sid:16437; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-OTHER Oracle Internet Directory heap corruption attempt"; flow:to_server,established; content:"|82 82 82 82 82 82 82 82 82 82 82 82 82 82 82 82|"; fast_pattern:only; metadata:service ldap; classtype:attempted-admin; sid:16374; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER Kaspersky Online Scanner trojaned Dll download attempt"; flow:to_server,established; content:"kos-main.jar"; nocase; http_uri; content:!"Host|3A| www.kaspersky.com|0D 0A|"; nocase; http_header; metadata:service http; reference:url,intevydis.com/blog/?p=77; classtype:trojan-activity; sid:16141; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER KAME racoon X509 certificate verification bypass attempt"; flow:to_server; content:"|AA FF|Fk|09 89 01 B9 B2 F4 E2|^Pdx|17 05 10 02 01 00 00 00 00|"; depth:24; reference:bugtraq,10546; reference:cve,2004-0607; classtype:attempted-user; sid:16080; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SERVER-OTHER Tripwire format string vulnerability ftp exploit attempt"; flow:to_server,established; content:"STOR asd%nmv|0D 0A|"; fast_pattern:only; metadata:service ftp; reference:bugtraq,10454; reference:cve,2004-0536; classtype:attempted-admin; sid:16077; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"SERVER-OTHER Tripwire format string vulnerability nfs exploit attempt"; flow:to_server; content:"|00 00 00 00|"; depth:4; offset:4; content:"|00 00 00 09|"; within:4; distance:12; content:"|CA BA EB FE CB|F|00 00 02 00 00 00 08 03 00 00 08 03 00 00 CB|F|00 00 AF|H|C3 8E 00 00 00 00 00 00 00 07|asd%nmv"; reference:bugtraq,10454; reference:cve,2004-0536; classtype:attempted-admin; sid:16076; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 783 (msg:"SERVER-OTHER SpamAssassin spamd vpopmail and paranoid options code execution attempt"; flow:to_server,established; content:"user"; fast_pattern:only; pcre:"/^user\s*\x3a[^\r\n]*[\x3b\x26\x7c]/mi"; reference:bugtraq,18290; reference:cve,2006-2447; classtype:attempted-user; sid:16040; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"SERVER-OTHER Norton Internet Security NBNS response processing stack overflow attempt"; flow:to_server; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; reference:bugtraq,10333; reference:cve,2004-0444; classtype:attempted-admin; sid:16015; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 3401 (msg:"SERVER-OTHER Squid ASN.1 header parsing denial of service attempt"; flow:to_server; content:"0|84 FF FF FF|"; byte_test:1,>,0xf9,0,relative; reference:bugtraq,11385; reference:cve,2004-0918; classtype:attempted-dos; sid:15989; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER Check Point VPN-1 ASN.1 Decoding heap overflow attempt"; flow:to_server; content:"|84 FF FF FF FE|"; fast_pattern:only; pcre:"/[\x04\x0c\x14\x16\x1c\x1e\x24\x34]\x84\xff{3}\xfe/"; reference:bugtraq,10820; reference:cve,2004-0699; classtype:attempted-dos; sid:15979; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER single byte encoded name response"; content:"|00 03 80| |00 01 00 01 00 00 00 00 01|V|01|"; byte_test:1, &, 128, 2; byte_test:2, >, 0, 4; byte_test:2, >, 0, 6; pcre:"/^.{12}(\x01.){20}/"; reference:cve,2004-0444; classtype:misc-attack; sid:15972; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [514,1999,2401] (msg:"SERVER-OTHER CVS Argumentx command double free attempt"; flow:to_server,established; content:"Argumentx"; fast_pattern:only; pcre:!"/^Argument[^x\x0a]+\x0aArgumentx/mi"; reference:bugtraq,10499; reference:cve,2004-0416; classtype:attempted-admin; sid:15971; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3690 (msg:"SERVER-OTHER Subversion svn pProtocol string parsing heap overflow attempt"; flow:to_server,established; content:"|28| 2 |28| edit-pipeline |29| 4294967295|3A|AAAA"; reference:bugtraq,10519; reference:cve,2004-0413; classtype:attempted-admin; sid:15970; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER Symantec Multiple Products ISAKMPd denial of service attempt"; flow:to_server; content:"|A8|`|87|o|15 A9|0|F4 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00|0|00 00 00 14 00 00 00 01 00 00 00 05 00 00 7F FF|"; reference:bugtraq,11039; reference:cve,2004-0369; classtype:attempted-dos; sid:15969; rev:5;)
# alert udp any any -> any 5190 (msg:"SERVER-OTHER ICQ SRV_MULTI/SRV_META_USER overflow attempt"; flow:to_server; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_test:2,>,512,-11,relative,little; reference:cve,2004-0362; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:15967; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12168 (msg:"SERVER-OTHER CA Multiple Products Console Server login credentials handling overflow attempt"; flow:to_server,established; content:"|96|8|9E 04|"; depth:8; offset:4; byte_test:4,>,83,0; byte_test:1,&,192,20; metadata:policy max-detect-ips drop; reference:bugtraq,23906; reference:cve,2007-2522; classtype:attempted-user; sid:15943; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 4244 (msg:"SERVER-OTHER MSN Messenger IRC bot calling home attempt"; flow:to_server,established; content:"PASS gooback"; classtype:trojan-activity; sid:15939; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"SERVER-OTHER protos h323 buffer overflow"; flow:to_server,established; content:"|00 00 00 01 80 88 19 08 16|aaaaaaaaaaaaaaaaaa"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/h2250v4/index.html; classtype:attempted-admin; sid:15937; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER SAPLPD 0x34 command buffer overflow attempt"; flow:to_server,established; isdataat:400; content:"4"; depth:1; isdataat:400,relative; content:!"|0A|"; within:400; reference:bugtraq,27613; reference:cve,2008-0621; classtype:attempted-admin; sid:15891; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER SAPLPD 0x33 command buffer overflow attempt"; flow:to_server,established; isdataat:400; content:"3"; depth:1; isdataat:400,relative; content:!"|0A|"; within:400; reference:bugtraq,27613; reference:cve,2008-0621; classtype:attempted-admin; sid:15890; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER SAPLPD 0x32 command buffer overflow attempt"; flow:to_server,established; isdataat:400; content:"2"; depth:1; isdataat:400,relative; content:!"|0A|"; within:400; reference:bugtraq,27613; reference:cve,2008-0621; classtype:attempted-admin; sid:15889; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER SAPLPD 0x31 command buffer overflow attempt"; flow:to_server,established; isdataat:400; content:"1"; depth:1; isdataat:400,relative; content:!"|0A|"; within:400; reference:bugtraq,27613; reference:cve,2008-0621; classtype:attempted-admin; sid:15888; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER SAPLPD 0x05 command buffer overflow attempt"; flow:to_server,established; isdataat:400; content:"|05|"; depth:1; isdataat:400,relative; content:!" "; within:400; reference:bugtraq,27613; reference:cve,2008-0621; classtype:attempted-admin; sid:15887; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER SAPLPD 0x04 command buffer overflow attempt"; flow:to_server,established; content:"|04|"; depth:1; content:" "; distance:0; isdataat:2000,relative; content:!"|0A|"; within:2000; reference:bugtraq,27613; reference:cve,2008-0621; classtype:attempted-admin; sid:15886; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER SAPLPD 0x03 command buffer overflow attempt"; flow:to_server,established; content:"|03|"; depth:1; isdataat:1458,relative; content:!"|0A|"; within:1458; reference:bugtraq,27613; reference:cve,2008-0621; classtype:attempted-admin; sid:15885; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER SAPLPD 0x02 command buffer overflow attempt"; flow:to_server,established; content:"|02|"; depth:1; isdataat:400,relative; content:!"|0A|"; within:400; reference:bugtraq,27613; reference:cve,2008-0621; classtype:attempted-admin; sid:15884; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER SAPLPD 0x01 command buffer overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; isdataat:400,relative; content:!"|0A|"; within:400; reference:bugtraq,27613; reference:cve,2008-0621; classtype:attempted-admin; sid:15883; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1718 (msg:"SERVER-OTHER McAfee E-Business Server remote preauth code execution attempt"; flow:to_server,established; content:"|01|?/|05|%*"; depth:6; isdataat:300,relative; content:!"|0D 0A|"; within:300; reference:cve,2008-0127; reference:url,www.infigo.hr/en/in_focus/advisories/INFIGO-2008-01-06; classtype:attempted-admin; sid:15882; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SERVER-OTHER Squid NTLM fakeauth_auth Helper denial of service attempt"; flow:to_server,established; content:"Proxy-Authorization|3A|"; nocase; http_header; content:"TlRMTVNTUAADAAAAGAAYAFcAAAAYABgAbwAAAAQABABIAAAABwAHAEwAAAAEAAQAUwAAAAAAAACHAAAABoIAAgUAkwgAAAAPQUxJRgNTVE9JQU5BTElG0rctVCv8MHcFVYLyVeJ+Bz+VWpKGpuw68j7CBi5V2JlRVrF65wtddQTYeTHCnpF3"; fast_pattern:only; http_header; metadata:service http; reference:bugtraq,12220; reference:cve,2005-0097; classtype:attempted-dos; sid:15579; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] (msg:"SERVER-OTHER DCERPC NCADG-IP-UDP lsarpc LsarLookupSids translated_names overflow attempt"; dce_iface:12345778-1234-abcd-ef00-0123456789ab; dce_opnum:15; dce_stub_data; byte_test:4,>,255,36,dce; metadata:policy max-detect-ips drop; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:15508; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SERVER-OTHER Oracle Java System sockd authentication buffer overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; byte_jump:1, 0, relative; content:"|FF|"; within:1; isdataat:300,relative; metadata:policy max-detect-ips drop; reference:cve,2007-2881; classtype:attempted-admin; sid:15482; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-OTHER RealNetworks Helix Server RTSP Request Proxy-Require header heap buffer overflow attempt"; flow:to_server,established; content:"Proxy-Require"; fast_pattern:only; pcre:"/^Proxy-Require\s*\x3a\s*[^\x0a]{33}/mi"; metadata:policy max-detect-ips drop, service rtsp; reference:bugtraq,33059; reference:cve,2008-5911; classtype:attempted-admin; sid:15479; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1500 (msg:"SERVER-OTHER IBM Tivoli Storage Manager Express Backup message length heap corruption attempt"; flow:to_server,established; flowbits:isset,tivoli.backup; content:"*|A5|"; offset:4; byte_test:2,<,0x17,-4,relative,big; metadata:policy max-detect-ips drop; reference:bugtraq,34077; reference:cve,2008-4563; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21377388; classtype:attempted-admin; sid:15437; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6988 (msg:"SERVER-OTHER IBM Director CIM server consumer name handling denial of service attempt"; flow:to_server,established; content:"POST"; fast_pattern; content:"HTTP"; distance:1; nocase; pcre:"/^.*POST\s+\x2f[^\s\x2f]{9,}\x2f[^\s]{235}/i"; reference:bugtraq,34061; reference:cve,2009-0879; classtype:attempted-dos; sid:15435; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SERVER-OTHER Sun One web proxy server overflow attempt"; flow:to_server,established; content:"|01 06|"; depth:2; content:"PPPPPPPPPPPPXXXXXXXXXXXX"; metadata:policy max-detect-ips drop; reference:bugtraq,24165; reference:cve,2007-2881; reference:url,sunsolve.sun.com/search/document.do?assetkey=1-26-102927-1; classtype:attempted-admin; sid:15422; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"SERVER-OTHER Multiple vendors CUPS HPGL filter remote code execution attempt"; flow:to_server,established; content:"PW"; fast_pattern:only; pcre:"/PW\x2D?\x2E?[0-9]+\s*,\s/"; byte_test:4,>=,1024,0,relative,string,dec; metadata:policy max-detect-ips drop; reference:bugtraq,31688; reference:cve,2008-3641; classtype:attempted-user; sid:15186; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"SERVER-OTHER Apple CUPS RGB+Alpha PNG filter overly large image height integer overflow attempt"; flow:to_server,established; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; content:"IHDR"; content:"|06|"; within:1; distance:9; byte_test:4,>,1431655765,-6,relative; metadata:policy max-detect-ips drop, service http; reference:bugtraq,32518; reference:cve,2008-5286; reference:url,www.cups.org/str.php?L2974; classtype:attempted-admin; sid:15146; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER CA ARCserve LGServer handshake buffer overflow attempt"; flow:to_server,established; content:"00000000"; depth:8; content:"AAAAAAAAAAAAAA"; within:14; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,30472; reference:cve,2008-3175; classtype:attempted-admin; sid:14773; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4888 (msg:"SERVER-OTHER Symantec Veritas Foundation Service NULL service authentication attempt"; flow:to_server,established; content:"NTLMSSP|00 03 00 00 00|"; nocase; content:"|00 00|"; within:2; distance:24; reference:cve,2007-2279; classtype:attempted-admin; sid:14741; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [898,1024:] (msg:"SERVER-OTHER Oracle Java web console format string attempt"; flow:to_server,established; content:"com.sun.management.viperimpl.services.authentication.AuthenticationPrincipal"; fast_pattern:only; content:"UserDesc"; nocase; content:"t|00|"; distance:0; isdataat:100,relative; content:"%"; within:50; reference:cve,2007-1681; classtype:attempted-user; sid:14615; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt"; flow:to_server,established; dsize:>61; content:"|00 06 09|~"; depth:4; offset:16; pcre:"/.{4}\x00\x00\x00(\xF0|\xEF|\xE8|\xF5|\xED).{36}(?!_[^_]{1,64}_[^_]{1,64}_)/smiR"; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,23635; reference:cve,2007-2139; classtype:attempted-admin; sid:14607; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3050 (msg:"SERVER-OTHER Borland Interbase open_marker_file overflow attempt"; flow:to_server,established; content:"|00 00 00 13|"; byte_test:4,>,1024,4,relative; reference:bugtraq,25917; reference:cve,2007-5244; classtype:attempted-user; sid:14602; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8100,3600] (msg:"SERVER-OTHER SAP Message Server Heap buffer overflow attempt"; flow:to_server,established; content:"GET /msgserver/html/group?group="; nocase; isdataat:498,relative; content:!" "; within:498; metadata:service http; reference:bugtraq,24765; reference:cve,2007-3624; classtype:attempted-user; sid:14600; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt - 2"; flow:to_client,established; content:"Content-Type|3A|"; nocase; http_header; content:"text/xml"; nocase; http_header; content:"xsl|3A|version"; fast_pattern:only; http_header; content:"crypto|3A|rc4_"; nocase; http_header; pcre:"/crypto\x3Arc4_(encrypt|decrypt)\x28\x27[^\x27]{129}/smiH"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30467; reference:cve,2008-2935; reference:url,attack.mitre.org/techniques/T1220; classtype:attempted-user; sid:14041; rev:16;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt"; flow:to_client,established; content:"Content-Type|3A|"; nocase; http_header; content:"text/xml"; within:20; nocase; http_header; content:"xsl|3A|transform"; fast_pattern:only; http_header; content:"crypto|3A|rc4_"; nocase; http_header; pcre:"/crypto\x3Arc4_(encrypt|decrypt)\x28\x27[^\x27]{129}/smiH"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30467; reference:cve,2008-2935; reference:url,attack.mitre.org/techniques/T1220; classtype:attempted-user; sid:14040; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3050 (msg:"SERVER-OTHER Borland Interbase operation buffer overflow"; flow:to_server,established; content:"|00 00 00 13|"; depth:4; byte_test:4, >, 1024, 4, relative; reference:cve,2007-5243; classtype:attempted-admin; sid:13842; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3050 (msg:"SERVER-OTHER Borland Interbase create operation buffer overflow"; flow:to_server,established; content:"|00 00 00 14|"; depth:4; byte_test:4, >, 540, 4, relative; reference:cve,2007-5243; classtype:attempted-admin; sid:13841; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3050 (msg:"SERVER-OTHER Borland Interbase service attach operation buffer overflow"; flow:to_server,established; content:"|00 00 00|R"; depth:4; byte_test:4, >, 152, 4, relative; reference:cve,2007-5243; classtype:attempted-admin; sid:13840; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3050 (msg:"SERVER-OTHER Borland Software InterBase ibserver.exe Service Attach Request buffer overflow attempt"; flow:to_server,established; content:"|00 00 00|R"; depth:4; byte_test:4,>,848,8; metadata:policy max-detect-ips drop; reference:bugtraq,28730; reference:cve,2008-1910; classtype:attempted-admin; sid:13804; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-OTHER RealNetworks Helix RTSP long setup request exploit attempt"; flow:to_server,established; content:"SETUP"; depth:5; nocase; isdataat:256,relative; content:!"|0A|"; within:256; metadata:service rtsp; reference:bugtraq,6454; reference:cve,2002-1643; classtype:attempted-user; sid:13695; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-OTHER RealNetworks Helix RTSP long get request exploit attempt"; flow:to_server,established; content:"GET "; depth:4; nocase; isdataat:200; content:!"|0A|"; depth:200; metadata:service rtsp; reference:bugtraq,6454; reference:cve,2002-1643; classtype:attempted-user; sid:13694; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER Zango adware installation request"; flow:to_server,established; content:"Zango/Setup.exe"; http_uri; metadata:service http; reference:url,www.ftc.gov/os/caselist/0523130/index.shtm; classtype:policy-violation; sid:13632; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER CA Brightstor discovery service alternate buffer overflow attempt"; flow:to_server,established; content:"|99 99 99 99 99 99 99 99 99 99|"; pcre:"/\x99{40}\xeb\x12\x01\x99{4}\x18A{5}.{4}A{6}/sm"; reference:cve,2005-0260; classtype:attempted-admin; sid:13620; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-OTHER CVS Argument overflow"; flow:to_server,established; content:"Event"; nocase; content:"ac1db1tch3z/blackhat4life"; reference:cve,2004-0396; classtype:attempted-admin; sid:13616; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-OTHER CVS Argument overflow attempt"; flow:to_server,established; content:"Event"; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:cve,2004-0396; classtype:attempted-admin; sid:13615; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-OTHER CVS Argument overflow attempt"; flow:to_server,established; content:"Argument"; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:cve,2004-0396; classtype:attempted-admin; sid:13614; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2439 (msg:"SERVER-OTHER Sybase SQL Anywhere Mobilink remoteID string buffer overflow"; flow:to_server,established; content:"|03 22 00|"; byte_jump:2,0,relative,little; byte_jump:2,0,relative,little; byte_test:2,>,128,0,relative,little; metadata:policy max-detect-ips drop; reference:bugtraq,27914; reference:cve,2008-0912; reference:url,aluigi.altervista.org/adv/mobilinkhof-adv.txt; classtype:attempted-admin; sid:13555; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2439 (msg:"SERVER-OTHER Sybase SQL Anywhere Mobilink version string buffer overflow"; flow:to_server,established; content:"|03|"; content:"|03 22 00|"; distance:0; byte_jump:2,0,relative,little; byte_test:2,>,128,0,relative,little; metadata:policy max-detect-ips drop; reference:bugtraq,27914; reference:cve,2008-0912; reference:url,aluigi.altervista.org/adv/mobilinkhof-adv.txt; classtype:attempted-admin; sid:13554; rev:9;)
# alert tcp $EXTERNAL_NET [80,8090] -> $HOME_NET any (msg:"SERVER-OTHER Nullsoft Winamp Ultravox streaming malicious metadata"; flow:to_client,established; content:"misc/ultravox"; content:"<name>"; distance:0; nocase; isdataat:266,relative; content:!"</name>"; within:256; pcre:"/Content-Type\x3A\s*misc\/ultravox.+?(\r?\n){2}\x5A.9\x01/is"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0065; classtype:attempted-user; sid:13521; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"SERVER-OTHER CA BrightStor cheyenneds mailslot overflow"; flow:to_server; content:"mailslot|5C|cheyenneds"; nocase; isdataat:24,relative; content:!"|00|"; within:20; distance:4; reference:bugtraq,20364; reference:cve,2006-5142; classtype:attempted-admin; sid:13415; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 407 (msg:"SERVER-OTHER Motorola Timbuktu crafted login request buffer overflow attempt"; flow:to_server; content:"|00 01|"; depth:2; content:"|00 23 07|"; depth:3; offset:6; byte_test:1,>,31,30; metadata:policy max-detect-ips drop; reference:bugtraq,25454; reference:cve,2007-4221; reference:url,ftp-xo.netopia.com/evaluation/docs/timbuktu/win/865/relnotes/TB2Win865Evalrn.pdf; classtype:attempted-admin; sid:13222; rev:7;)
# alert udp $EXTERNAL_NET 554 -> $HOME_NET any (msg:"SERVER-OTHER Apple Quicktime UDP RTSP sdp type buffer overflow attempt"; flow:to_client; content:"RTSP"; depth:4; fast_pattern; content:"Content-Type"; nocase; isdataat:257,relative; content:!"|0A|"; within:257; pcre:"/Content-Type\s*\x3A[^\n\x3A]{256}/smi"; metadata:policy max-detect-ips drop; reference:bugtraq,26549; reference:cve,2007-6166; classtype:attempted-user; sid:12742; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-OTHER ASN.1 constructed bit string"; flow:to_server,established; content:"|FF|SMB"; depth:8; content:"+|06 01 05 05 02|"; content:"AAAAAAAAAA"; within:10; distance:21; reference:bugtraq,9633; reference:cve,2003-0818; reference:cve,2005-1935; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring/; classtype:attempted-admin; sid:12710; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-OTHER RealNetworks Helix RTSP long describe request exploit attempt"; flow:to_server,established; content:"DESCRIBE"; depth:8; nocase; isdataat:200; content:!"|0A|"; depth:200; metadata:service rtsp; reference:bugtraq,6454; reference:cve,2002-1643; classtype:attempted-user; sid:12422; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-OTHER RealNetworks Helix RTSP long transport header"; flow:to_server,established; content:"SETUP"; depth:5; nocase; content:"Transport|3A|"; nocase; isdataat:256,relative; content:!"|0A|"; within:256; metadata:service rtsp; reference:bugtraq,6454; reference:cve,2002-1643; classtype:attempted-user; sid:12421; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Apple mDNSresponder excessive HTTP headers"; flow:to_client; content:"HTTP"; depth:16; pcre:"/^.*HTTP.*\r\n(.+\x3a\s+.+\r\n){31,}/"; metadata:service http; reference:bugtraq,25159; reference:cve,2007-3744; classtype:attempted-admin; sid:12357; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1526,1625] (msg:"SERVER-OTHER IBM Informix Dynamic Server long username buffer overflow attempt"; flow:to_server,established; content:"sqlexec "; depth:20; isdataat:127,relative; content:!" "; within:127; reference:bugtraq,19264; reference:cve,2006-3853; reference:cve,2006-3854; classtype:attempted-admin; sid:12220; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3050 (msg:"SERVER-OTHER Borland interbase string length buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 13|"; depth:4; isdataat:1032; content:!"|00|"; within:1024; distance:8; metadata:policy max-detect-ips drop; reference:bugtraq,25048; reference:cve,2007-3566; classtype:attempted-admin; sid:12217; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER CA BrightStor ARCserve LGServer stack buffer overflow attempt"; flow:to_server,established; byte_test:10,>,284,0,big,dec,string; isdataat:295; content:!"~~"; depth:284; offset:10; metadata:policy max-detect-ips drop; reference:bugtraq,22342; reference:cve,2007-0449; classtype:attempted-admin; sid:12079; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER niprint_lpd module attack attempt"; flow:to_server,established; content:"|EB|3"; depth:2; isdataat:53; content:"6B@|00|"; depth:4; offset:49; reference:bugtraq,8968; reference:cve,2003-1141; classtype:attempted-admin; sid:11682; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER Openview Omni II command bypass attempt"; flow:to_server,established; content:"|00 00 00|.2|00| a|00| 0|00| 0|00| 0|00| A|00| 28|00|"; depth:25; pcre:"/^[^\x00]*\x2e\x2e/R"; reference:bugtraq,11032; reference:cve,2001-0311; classtype:attempted-admin; sid:11681; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 44334 (msg:"SERVER-OTHER Kerio Personal Firewall authentication buffer overflow attempt"; flow:to_server,established; isdataat:1000; pcre:"/^[^\x00]{1000}/m"; reference:bugtraq,7180; reference:cve,2003-0220; classtype:attempted-admin; sid:11266; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"SERVER-OTHER Sentinel license manager buffer overflow attempt"; flow:to_server; dsize:>836; reference:bugtraq,12742; reference:cve,2005-0353; classtype:attempted-admin; sid:11265; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"SERVER-OTHER MaxDB WebDBM get buffer overflow"; flow:to_server,established; content:"GET"; isdataat:500,relative; content:!"|0A|"; within:500; metadata:policy max-detect-ips drop; reference:bugtraq,13368; reference:cve,2005-0684; classtype:attempted-admin; sid:11196; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER CA Brightstor discovery service buffer overflow attempt"; flow:to_server; content:"|B0 8E 80 23|"; content:!"|00|"; within:1399; isdataat:1400; reference:bugtraq,12491; reference:cve,2005-0260; classtype:attempted-admin; sid:10134; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 11000 (msg:"SERVER-OTHER bomberclone buffer overflow attempt"; flow:to_server; content:"|00 00 00 00|8|03|A"; depth:7; isdataat:764; reference:bugtraq,16697; reference:cve,2006-0460; classtype:attempted-user; sid:10125; rev:8;)
# alert tcp $EXTERNAL_NET 5900 -> $HOME_NET any (msg:"SERVER-OTHER VNC password request buffer overflow attempt"; flow:to_client,established; content:"|00 00 00 00 00 00 04 06|"; depth:8; isdataat:1029,relative; metadata:policy max-detect-ips drop; reference:bugtraq,17378; reference:bugtraq,2305; reference:cve,2001-0167; reference:cve,2006-1652; classtype:web-application-attack; sid:10087; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7144 (msg:"SERVER-OTHER Peercast URL Parameter overflow attempt"; flow:to_server,established; content:"/stream/?"; http_uri; isdataat:700; pcre:"/^[^\n]{700}/si"; metadata:service http; reference:bugtraq,17040; reference:cve,2006-1148; classtype:attempted-user; sid:10064; rev:10;)
# alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"SERVER-OTHER Putty Server key exchange buffer overflow attempt"; flow:to_client,established,no_stream; content:"SSH-"; depth:4; isdataat:1000,relative; pcre:"/SSH-0*([2-9]\d*|1\d+)\.[^-]*-[^\n]*\n\x00\x00.{3}\x14.{1000}/s"; reference:bugtraq,6407; reference:cve,2002-1359; reference:url,www.rapid7.com/advisories/R7-0009.html; classtype:attempted-user; sid:10010; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER HP-UX lpd command execution attempt"; flow:to_server,established; content:"|02|"; depth:1; pcre:"/^\x02[^\x0a\x20]*\x60[^\x0a\x20]*?\x0a/smi"; reference:bugtraq,15136; reference:cve,2005-3277; classtype:attempted-admin; sid:9790; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER Computer Associates Product Discovery Service type 9C remote buffer overflow attempt UDP"; flow:to_server; content:"|9C|"; depth:1; isdataat:256,relative; content:!"|00|"; within:256; metadata:policy max-detect-ips drop; reference:bugtraq,21502; reference:cve,2006-6379; classtype:attempted-admin; sid:9636; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER Computer Associates Product Discovery Service type 9B remote buffer overflow attempt UDP"; flow:to_server; content:"|9B|"; depth:1; isdataat:256,relative; content:!"|00|"; within:256; metadata:policy max-detect-ips drop; reference:bugtraq,21502; reference:cve,2006-6379; classtype:attempted-admin; sid:9635; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"SERVER-OTHER Computer Associates Product Discovery Service type 9C remote buffer overflow attempt TCP"; flow:to_server,established; content:"|9C|"; depth:1; isdataat:256,relative; content:!"|00|"; within:256; metadata:policy max-detect-ips drop; reference:bugtraq,21502; reference:cve,2006-6379; classtype:attempted-admin; sid:9634; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2000 (msg:"SERVER-OTHER Shixxnote font buffer overflow attempt"; flow:to_server,established; content:"~~"; depth:2; offset:8; isdataat:33,relative; content:!"~"; within:32; content:"~"; distance:32; reference:bugtraq,11409; reference:cve,2004-1595; classtype:attempted-user; sid:8729; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [80,8000] (msg:"SERVER-OTHER IceCast header buffer overflow attempt"; flow:to_server,established; content:"GET / HTTP/1.0|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|"; fast_pattern:only; reference:bugtraq,11271; reference:cve,2004-1561; reference:url,archives.neohapsis.com/archives/bugtraq/2004-09/0366.html; classtype:attempted-admin; sid:8703; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [80,8000] (msg:"SERVER-OTHER IceCast header buffer overflow attempt"; flow:to_server,established; content:"|EB 0C| / HTTP/1.1 "; nocase; pcre:"/\xeb\x0c \/ HTTP\/1\.1\s+\S+/smi"; reference:bugtraq,11271; reference:cve,2004-1561; reference:url,archives.neohapsis.com/archives/bugtraq/2004-09/0366.html; classtype:attempted-admin; sid:8702; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion sourcewindow.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/docs/sourcewindow.cfm"; nocase; http_uri; metadata:service http; reference:bugtraq,3154; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,1999-0922; classtype:attempted-recon; sid:8493; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion openfile.cfm access"; flow:to_server,established; content:"/cfdocs/expeval/openfile.cfm"; nocase; http_uri; metadata:service http; reference:bugtraq,3154; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:8492; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion eval.cfm access"; flow:to_server,established; content:"/cfdocs/expeval/eval.cfm"; nocase; http_uri; metadata:service http; reference:bugtraq,3154; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:8491; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion viewexample.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/viewexample.cfm"; nocase; http_uri; metadata:service http; reference:bugtraq,3154; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:8490; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_DELETE access"; flow:to_server,established; content:"CFADMIN_REGISTRY_DELETE|28 29|"; fast_pattern:only; metadata:service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-user; sid:8489; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_GET access"; flow:to_server,established; content:"CFADMIN_REGISTRY_GET|28 29|"; fast_pattern:only; metadata:service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-user; sid:8488; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_SET access"; flow:to_server,established; content:"CFADMIN_REGISTRY_SET|28 29|"; fast_pattern:only; metadata:service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-user; sid:8487; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion CFNEWINTERNALREGISTRY access"; flow:to_server,established; content:"CFNEWINTERNALREGISTRY|28 29|"; fast_pattern:only; metadata:service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-user; sid:8486; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion CFNEWINTERNALADMINSECURITY access"; flow:to_server,established; content:"CFNEWINTERNALADMINSECURITY|28 29|"; fast_pattern:only; metadata:service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-user; sid:8485; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5800 (msg:"SERVER-OTHER UltraVNC VNCLog buffer overflow"; flow:to_server,established; content:"GET"; depth:3; nocase; pcre:"/GET\s\x2f[^\r\n]{900}/smi"; metadata:policy max-detect-ips drop; reference:bugtraq,17378; reference:cve,2006-1652; classtype:attempted-admin; sid:8060; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt"; flow:to_server,established; content:"fp40reg.dll"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; isdataat:300,relative; pcre:"/^Host\x3A\s[^\r\n]{300}/smi"; metadata:service http; reference:bugtraq,9008; reference:cve,2003-0824; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-051; classtype:attempted-admin; sid:6411; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt"; flow:to_server,established; content:"fp30reg.dll"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; isdataat:300,relative; pcre:"/^Host\x3A\s[^\r\n]{300}/smi"; metadata:service http; reference:bugtraq,9008; reference:cve,2003-0822; reference:cve,2003-0824; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-051; classtype:attempted-admin; sid:6410; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt"; flow:to_server,established; content:"shtml.dll"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; pcre:"/^Host\x3A\s[^\r\n]{300,}/smiH"; metadata:service http; reference:bugtraq,9008; reference:cve,2003-0824; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-051; classtype:attempted-admin; sid:6409; rev:13;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 13724 (msg:"SERVER-OTHER VERITAS NetBackup vnetd connection attempt"; flow:to_server,established; content:"6|00|bpspsserver|00|"; flowbits:set,vnetd.bpspsserver.connection; flowbits:noalert; classtype:protocol-command-decode; sid:6010; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"SERVER-OTHER pcAnywhere buffer overflow attempt"; flow:to_server,established; content:"o"; depth:1; byte_test:1,>,96,1; byte_test:1,<,101,1; byte_test:2,>,512,3; isdataat:510,relative; reference:bugtraq,15646; reference:cve,2005-3934; classtype:attempted-dos; sid:5317; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"SERVER-OTHER Ethereal Distcc SOUT buffer overflow attempt"; flow:stateless; content:"SOUT"; nocase; byte_test:8,>,2147483647,0,relative,string,hex; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:attempted-dos; sid:4641; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"SERVER-OTHER Ethereal Distcc SERR buffer overflow attempt"; flow:stateless; content:"SERR"; nocase; byte_test:8,>,2147483647,0,relative,string,hex; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:attempted-dos; sid:4640; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"SERVER-OTHER Ethereal Distcc ARGV buffer overflow attempt"; flow:stateless; content:"ARGV"; nocase; byte_test:8,>,2147483647,0,relative,string,hex; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:attempted-dos; sid:4639; rev:2;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER RSVP Protocol zero length object DoS attempt"; ip_proto:46; content:"|01|"; depth:1; offset:11; byte_test:1,<,4,13; pcre:"/^.{10}[\x14\x15]\x01.[\x00-\x03]/sm"; reference:url,www.frsirt.com/english/advisories/2005/0411; classtype:attempted-dos; sid:4638; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1761 (msg:"SERVER-OTHER Novell ZenWorks Remote Management Agent large login packet DoS attempt"; flow:to_server,established; content:"|00 01|"; depth:2; offset:16; byte_jump:2,0,relative; byte_jump:2,0,relative; byte_test:2,>,1499,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,13678; reference:cve,2005-1543; classtype:attempted-dos; sid:4129; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 50000 (msg:"SERVER-OTHER IBM DB2 DTS empty format string dos attempt"; flow:to_server,established; content:"SELECT"; fast_pattern:only; pcre:"/SELECT\s*(TO_(DATE|CHAR)|(VARCHAR|TIMESTAMP)_FORMAT)\s*\('[^']*'\s*,\s*''\)/smi"; reference:bugtraq,11400; reference:cve,2005-4869; reference:url,www-1.ibm.com/support/docview.wss?uid=swg1IY61781; classtype:attempted-dos; sid:3675; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"SERVER-OTHER PPTP echo request buffer overflow attempt"; flow:to_server,established; content:"|1A 2B 3C 4D|"; depth:4; offset:2; byte_test:2,<,2,0; reference:bugtraq,7316; reference:cve,2003-0213; reference:nessus,11540; reference:url,www.debian.org/security/2003/dsa-295; classtype:attempted-admin; sid:3664; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6050 (msg:"SERVER-OTHER ARCserve universal backup agent option 03 buffer overflow attempt"; flow:to_server,established; content:"|00 03|"; depth:2; offset:256; isdataat:430,relative; byte_test:2,>,679,6; byte_test:2,<,1705,6; metadata:policy max-detect-ips drop; reference:bugtraq,13102; reference:cve,2005-1018; reference:nessus,18041; classtype:attempted-admin; sid:3663; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6050 (msg:"SERVER-OTHER ARCserve universal backup agent option 03 little endian buffer overflow attempt"; flow:to_server,established; content:"|03 00|"; depth:2; offset:256; isdataat:430,relative; byte_test:2,>,679,6,little; byte_test:2,<,1705,6,little; metadata:policy max-detect-ips drop; reference:bugtraq,13102; reference:cve,2005-1018; reference:nessus,18041; classtype:attempted-admin; sid:3662; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6050 (msg:"SERVER-OTHER ARCserve universal backup agent option 00 buffer overflow attempt"; flow:to_server,established; content:"|00 00|"; depth:2; offset:256; isdataat:430,relative; byte_test:2,>,679,6; byte_test:2,<,1705,6; metadata:policy max-detect-ips drop; reference:bugtraq,13102; reference:cve,2005-1018; reference:nessus,18041; classtype:attempted-admin; sid:3661; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6050 (msg:"SERVER-OTHER ARCserve universal backup agent option 00 little endian buffer overflow attempt"; flow:to_server,established; content:"|00 00|"; depth:2; offset:256; isdataat:430,relative; byte_test:2,>,679,6,little; byte_test:2,<,1705,6,little; metadata:policy max-detect-ips drop; reference:bugtraq,13102; reference:cve,2005-1018; reference:nessus,18041; classtype:attempted-admin; sid:3660; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6050 (msg:"SERVER-OTHER ARCserve universal backup agent option 1000 buffer overflow attempt"; flow:to_server,established; content:"|03 E8|"; depth:2; offset:256; isdataat:430,relative; byte_test:2,>,679,6; byte_test:2,<,1705,6; metadata:policy max-detect-ips drop; reference:bugtraq,13102; reference:cve,2005-1018; reference:nessus,18041; classtype:attempted-admin; sid:3659; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-OTHER CVS pserver annotate revision overflow attempt"; flow:to_server,established; content:"|0A|annotate|0A|"; fast_pattern:only; pcre:"/^Entry \/file\/[0-9.]{71,}\/\/.*\x0aannotate\x0a/smi"; reference:bugtraq,13217; reference:cve,2005-0753; reference:nessus,18097; reference:url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=141; reference:url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=142; classtype:attempted-dos; sid:3652; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"SERVER-OTHER CVS rsh annotate revision overflow attempt"; flow:to_server,established; content:"|0A|annotate|0A|"; fast_pattern:only; pcre:"/^Entry \/file\/[0-9.]{71,}\/\/.*\x0aannotate\x0a/smi"; reference:bugtraq,13217; reference:cve,2005-0753; reference:nessus,18097; reference:url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=141; reference:url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=142; classtype:attempted-dos; sid:3651; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10202:10203 (msg:"SERVER-OTHER Computer Associates license PUTOLF directory traversal attempt"; flow:to_server,established; content:"PUTOLF"; pcre:"/(0x)?[0-9a-f]+\s+PUTOLF\s+((0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*))\s+\S+\s+\S+\s+((0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*))\s+\S*\.\.[\x2f\x5c]/i"; metadata:policy max-detect-ips drop; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-user; sid:3637; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 699 (msg:"SERVER-OTHER RADIUS ATTR_TYPE_STR overflow attempt"; flow:to_server; content:"|01 01 1A|"; depth:3; offset:28; content:"|00 00 15 9F|"; depth:4; offset:32; byte_test:1,>,30,1,relative; isdataat:29,relative; pcre:"/^(\x03|[\x14-\x17]).{19}(\x25|\x26).{15}(\x0A|\x34)/smi"; reference:bugtraq,12759; reference:cve,2005-0699; reference:nessus,19120; classtype:attempted-admin; sid:3541; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 699 (msg:"SERVER-OTHER RADIUS registration vendor ATTR_TYPE_STR overflow attempt"; flow:to_server; content:"|01|"; depth:1; content:"|01 01 1A|"; depth:3; offset:32; content:"|00 00 15 9F|"; depth:4; offset:36; byte_test:1,>,30,1,relative; isdataat:29,relative; pcre:"/^\x01.{23}(\x25|\x26).{15}(\x0A|\x34)/smi"; reference:bugtraq,12759; reference:cve,2005-0699; reference:nessus,19120; classtype:attempted-admin; sid:3540; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 699 (msg:"SERVER-OTHER RADIUS MSID overflow attempt"; flow:to_server; content:"|01 01 1F|"; depth:3; offset:28; byte_test:1,>,30,1,relative; isdataat:29,relative; pcre:"/^(\x03|[\x14-\x17]).{19}(\x25|\x26)/smi"; reference:bugtraq,12759; reference:cve,2005-0699; reference:nessus,19120; classtype:attempted-admin; sid:3539; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 699 (msg:"SERVER-OTHER RADIUS registration MSID overflow attempt"; flow:to_server; content:"|01|"; depth:1; content:"|01 01 1F|"; depth:3; offset:32; byte_test:1,>,30,1,relative; isdataat:29,relative; pcre:"/^\x01.{23}(\x25|\x26)/smi"; reference:bugtraq,12759; reference:cve,2005-0699; reference:nessus,19120; classtype:attempted-admin; sid:3538; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER ARCserve backup UDP msg 0x99 client domain overflow"; flow:to_server; content:"|99|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3531; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER ARCserve backup UDP msg 0x99 client name overflow"; flow:to_server; content:"|99|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3530; rev:7;)
# alert tcp $EXTERNAL_NET 10202 -> $HOME_NET any (msg:"SERVER-OTHER Computer Associates license GETCONFIG client overflow attempt"; flow:to_client,established; content:"GETCONFIG SELF "; depth:15; offset:3; nocase; isdataat:200,relative; content:!"<EOM>"; within:204; metadata:policy max-detect-ips drop; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-user; sid:3529; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10202:10203 (msg:"SERVER-OTHER Computer Associates license invalid GCR NETWORK attempt"; flow:to_server,established; content:"GCR NETWORK<"; depth:12; offset:3; nocase; pcre:!"/^\S+\s+\S+\s+\S+/Ri"; metadata:policy max-detect-ips drop; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-dos; sid:3525; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10202:10203 (msg:"SERVER-OTHER Computer Associates license invalid GCR CHECKSUMS attempt"; flow:to_server,established; content:"GCR CHECKSUMS<"; depth:14; offset:3; nocase; pcre:!"/^(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+/Ri"; metadata:policy max-detect-ips drop; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-dos; sid:3524; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10202:10203 (msg:"SERVER-OTHER Computer Associates license GCR CHECKSUMS overflow attempt"; flow:to_server,established; content:"GCR CHECKSUMS<"; depth:14; offset:3; nocase; pcre:"/(0x)?[0-9a-f]+\s+\S{65}|(0x)?[0-9a-f]+\s+\S+\s+(0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*)\s+(0x)?[0-9a-f]+\s+\S{65}|(0x)?[0-9a-f]+\s+\S+\s+(0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*)\s+(0x)?[0-9a-f]+\s+\S+\s+(0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*)\s+(0x)?[0-9a-f]+\s+\S{65}|(0x)?[0-9a-f]+\s+\S+\s+(0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*)\s+(0x)?[0-9a-f]+\s+\S+\s+(0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*)\s+(0x)?[0-9a-f]+\s+\S+\s+(0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*)\s+(0x)?[0-9a-f]+\s+\S{65}/Ri"; metadata:policy max-detect-ips drop; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-user; sid:3521; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER ARCserve backup UDP product info msg 0x9c client domain overflow"; flow:to_server; content:"|9C|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3485; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER ARCserve backup UDP product info msg 0x9c client name overflow"; flow:to_server; content:"|9C|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3484; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER ARCserve backup UDP product info msg 0x9b client domain overflow"; flow:to_server; content:"|9B|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3483; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER ARCserve backup UDP product info msg 0x9b client name overflow"; flow:to_server; content:"|9B|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3482; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER ARCserve backup UDP slot info msg client domain overflow"; flow:to_server; content:"|98|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3481; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER ARCserve backup UDP slot info msg client name overflow"; flow:to_server; content:"|98|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3480; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"SERVER-OTHER ARCserve backup TCP product info msg 0x9c client name overflow"; flow:to_server,established; content:"|9C|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3479; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"SERVER-OTHER ARCserve backup TCP product info msg 0x9c client domain overflow"; flow:to_server,established; content:"|9C|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3478; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"SERVER-OTHER ARCserve backup TCP product info msg 0x9b client name overflow"; flow:to_server,established; content:"|9B|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3477; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"SERVER-OTHER ARCserve backup TCP product info msg 0x9b client domain overflow"; flow:to_server,established; content:"|9B|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3476; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"SERVER-OTHER ARCserve backup TCP slot info msg client domain overflow"; flow:to_server,established; content:"|98|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3475; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"SERVER-OTHER ARCserve backup TCP slot info msg client name overflow"; flow:to_server,established; content:"|98|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3474; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER ARCserve discovery service overflow"; flow:to_server; dsize:>966; reference:bugtraq,12491; reference:cve,2005-0260; classtype:attempted-admin; sid:3472; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia backup client type 84 overflow attempt"; flow:to_server,established; content:"|00|T"; depth:2; byte_test:2,>,255,6; isdataat:263; content:!"|00|"; depth:255; offset:8; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-user; sid:3458; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5001 (msg:"SERVER-OTHER Bontago Game Server Nickname buffer overflow"; flow:to_server,established; content:"|FF 01 00 00 00 00 01|"; isdataat:512,relative; metadata:ruleset community; reference:bugtraq,12603; reference:cve,2005-0501; reference:url,aluigi.altervista.org/adv/bontagobof-adv.txt; classtype:attempted-user; sid:3455; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia client backup generic info probe"; flow:to_server,established; content:"ARKFS|00|root|00|root"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-recon; sid:3454; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia client backup system info probe"; flow:to_server,established; content:"ARKADMIN_GET_"; pcre:"/^(CLIENT|MACHINE)_INFO/Ri"; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-recon; sid:3453; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt"; flow:to_client,established; file_data; content:"aim|3A|goaway?message="; nocase; isdataat:500,relative; pcre:"/\x22aim\x3Agoaway\x3Fmessage\x3D[^\x22]{500}|\x27aim\x3Agoaway\x3Fmessage\x3D[^\x27]{500}|aim\x3Agoaway\x3Fmessage\x3D[^\s]{500}/i"; metadata:ruleset community, service http; reference:bugtraq,10889; reference:cve,2004-0636; classtype:misc-attack; sid:3085; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 7787 (msg:"SERVER-OTHER Unreal Tournament secure overflow attempt"; flow:to_server; content:"|5C|secure|5C|"; fast_pattern:only; pcre:"/\x5csecure\x5c[^\x00]{50}/smi"; metadata:ruleset community; reference:bugtraq,10570; reference:cve,2004-0608; classtype:misc-attack; sid:3080; rev:8;)
# alert udp $EXTERNAL_NET 7808 -> $HOME_NET any (msg:"SERVER-OTHER Volition Freespace 2 buffer overflow attempt"; flow:to_client; content:"|00 E1|..|B4 00 00 00|"; depth:8; isdataat:160,relative; metadata:ruleset community; reference:bugtraq,9785; classtype:misc-attack; sid:3006; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER HP Web JetAdmin ExecuteFile admin access"; flow:to_server,established; content:"/plugins/framework/script/content.hts"; fast_pattern:only; content:"ExecuteFile"; nocase; metadata:ruleset community; reference:bugtraq,10224; classtype:attempted-admin; sid:2655; rev:8;)
# alert tcp $EXTERNAL_NET 6666:6669 -> $HOME_NET any (msg:"SERVER-OTHER eMule buffer overflow attempt"; flow:to_client,established; content:"PRIVMSG"; fast_pattern:only; pcre:"/^PRIVMSG\s+[^\s]+\s+\x3a\s*\x01SENDLINK\x7c[^\x7c]{69}/smi"; metadata:ruleset community; reference:bugtraq,10039; reference:cve,2004-1892; reference:nessus,12233; classtype:attempted-user; sid:2584; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-OTHER CVS Max-dotdot integer overflow attempt"; flow:to_server,established; content:"Max-dotdot"; fast_pattern:only; pcre:"/^Max-dotdot[\s\r\n]*\d{3,}/msi"; metadata:ruleset community; reference:bugtraq,10499; reference:cve,2004-0417; classtype:misc-attack; sid:2583; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER kerberos principal name overflow TCP"; flow:to_server,established; content:"j"; depth:1; offset:4; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; metadata:ruleset community, service kerberos; reference:cve,2003-0072; reference:nessus,11512; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2579; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER kerberos principal name overflow UDP"; flow:to_server; content:"j"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; metadata:ruleset community, service kerberos; reference:cve,2003-0072; reference:nessus,11512; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2578; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"SERVER-OTHER rsync backup-dir directory traversal attempt"; flow:to_server,established; content:"--backup-dir"; fast_pattern:only; pcre:"/--backup-dir\s+\x2e\x2e\x2f/"; metadata:ruleset community; reference:bugtraq,10247; reference:cve,2004-0426; reference:nessus,12230; classtype:string-detect; sid:2561; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache MOVE overflow attempt"; flow:to_server,established; content:"MOVE"; pcre:"/^MOVE[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2560; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache COPY overflow attempt"; flow:to_server,established; content:"COPY"; pcre:"/^COPY[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2559; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache MKCOL overflow attempt"; flow:to_server,established; content:"MKCOL"; pcre:"/^MKCOL[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2558; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache LOCK overflow attempt"; flow:to_server,established; content:"LOCK"; pcre:"/^LOCK[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2557; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache DELETE overflow attempt"; flow:to_server,established; content:"DELETE"; pcre:"/^DELETE[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2556; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache TRACE overflow attempt"; flow:to_server,established; content:"TRACE"; pcre:"/^TRACE[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2555; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache POST overflow attempt"; flow:to_server,established; content:"POST"; pcre:"/^POST[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2554; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache PUT overflow attempt"; flow:to_server,established; content:"PUT"; pcre:"/^PUT[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2553; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache HEAD overflow attempt"; flow:to_server,established; content:"HEAD"; pcre:"/^HEAD[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2552; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache GET overflow attempt"; flow:to_server,established; content:"GET"; pcre:"/^GET[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2551; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER HP Web JetAdmin file write attempt"; flow:to_server,established; content:"/plugins/framework/script/tree.xms"; fast_pattern:only; content:"WriteToFile"; nocase; metadata:ruleset community; reference:bugtraq,9973; classtype:web-application-activity; sid:2549; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER HP Web JetAdmin setinfo access"; flow:to_server,established; content:"/plugins/hpjdwm/script/test/setinfo.hts"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,9972; reference:cve,2004-1857; reference:nessus,12120; classtype:web-application-activity; sid:2548; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER HP Web JetAdmin remote file upload attempt"; flow:to_server,established; content:"/plugins/hpjwja/script/devices_update_printer_fw_upload.hts"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,9971; reference:cve,2004-1856; classtype:web-application-activity; sid:2547; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"SERVER-OTHER AFP FPLoginExt username buffer overflow attempt"; flow:to_server,established; content:"|00 02|"; depth:2; content:"?"; within:1; distance:14; content:"cleartxt passwrd"; nocase; byte_jump:2,1,relative; byte_jump:2,1,relative; isdataat:2,relative; metadata:ruleset community; reference:bugtraq,10271; reference:cve,2004-0430; reference:url,www.atstake.com/research/advisories/2004/a050304-1.txt; classtype:attempted-admin; sid:2545; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-OTHER esignal SNAPQUOTE buffer overflow attempt"; flow:to_server,established; content:"<SNAPQUOTE>"; nocase; isdataat:1024,relative; content:!"</SNAPQUOTE>"; within:1052; nocase; metadata:ruleset community; reference:bugtraq,9978; reference:cve,2004-1868; classtype:attempted-admin; sid:2490; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-OTHER esignal STREAMQUOTE buffer overflow attempt"; flow:to_server,established; content:"<STREAMQUOTE>"; nocase; isdataat:1040,relative; content:!"</STREAMQUOTE>"; within:1040; nocase; metadata:ruleset community; reference:bugtraq,9978; reference:cve,2004-1868; classtype:attempted-admin; sid:2489; rev:9;)
# alert ip any any -> any any (msg:"SERVER-OTHER Ethereal EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; metadata:ruleset community; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2464; rev:10;)
# alert ip any any -> any any (msg:"SERVER-OTHER Ethereal IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; metadata:ruleset community; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2463; rev:10;)
# alert ip any any -> any any (msg:"SERVER-OTHER Ethereal IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; metadata:ruleset community; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2462; rev:10;)
# alert udp any 4000 -> any any (msg:"SERVER-OTHER ICQ SRV_MULTI/SRV_META_USER overflow attempt - ISS Witty Worm"; flow:to_server; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_test:2,>,512,-11,relative,little; metadata:ruleset community; reference:cve,2004-0362; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2446; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP second payload initial contact notification without SPI attempt"; flow:to_server; content:"|0B|"; depth:1; offset:28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; metadata:ruleset community; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2415; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP initial contact notification without SPI attempt"; flow:to_server; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; metadata:ruleset community; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2414; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP delete hash with empty hash attempt"; flow:to_server; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; metadata:ruleset community; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2413; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP fifth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; metadata:ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2380; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP forth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; metadata:ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2379; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP third payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; metadata:ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2378; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP second payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; metadata:ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2377; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP first payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; metadata:ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2376; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"SERVER-OTHER ebola USER overflow attempt"; flow:to_server,established; content:"USER"; fast_pattern:only; pcre:"/^USER\s[^\n]{49}/smi"; metadata:ruleset community; reference:bugtraq,9156; classtype:attempted-admin; sid:2320; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"SERVER-OTHER ebola PASS overflow attempt"; flow:to_server,established; content:"PASS"; fast_pattern:only; pcre:"/^PASS\s[^\n]{49}/smi"; metadata:ruleset community; reference:bugtraq,9156; classtype:attempted-admin; sid:2319; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-OTHER CVS non-relative path access attempt"; flow:to_server,established; content:"Argument"; pcre:"/^Argument\s+\//smi"; pcre:"/^Directory/smiR"; metadata:ruleset community; reference:bugtraq,9178; reference:cve,2003-0977; reference:nessus,11947; classtype:misc-attack; sid:2318; rev:8;)
# alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"SERVER-OTHER BGP invalid type 0"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; content:"|00|"; within:1; distance:2; metadata:ruleset community; reference:bugtraq,6213; reference:cve,2002-1350; reference:nessus,14011; reference:nessus,15043; classtype:bad-unknown; sid:2159; rev:15;)
# alert tcp any any <> any 179 (msg:"SERVER-OTHER BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; metadata:ruleset community; reference:bugtraq,6213; reference:cve,2002-1350; reference:nessus,14011; reference:nessus,15043; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2158; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"SERVER-OTHER rsyncd module list access"; flow:to_server,established; content:"|23|list"; depth:5; metadata:ruleset community; classtype:misc-activity; sid:2047; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER bootp hostname format string attempt"; flow:to_server; content:"|01|"; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; within:8; distance:1; content:"%"; within:8; distance:1; metadata:ruleset community; reference:bugtraq,4701; reference:cve,2002-0702; reference:nessus,11312; classtype:misc-attack; sid:2039; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"SERVER-OTHER xfs overflow attempt"; flow:to_server,established; isdataat:512; content:"B|00 02|"; depth:3; metadata:ruleset community; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:1987; rev:11;)
# alert udp $EXTERNAL_NET any -> 255.255.255.255 27155 (msg:"SERVER-OTHER GlobalSunTech Access Point Information Disclosure attempt"; flow:to_server; content:"gstsearch"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,6100; reference:cve,2002-2137; classtype:misc-activity; sid:1966; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER bootp invalid hardware type"; flow:to_server; content:"|01|"; depth:1; byte_test:1,>,7,1; metadata:ruleset community; reference:cve,1999-0798; classtype:misc-activity; sid:1940; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER bootp hardware address length overflow"; flow:to_server; content:"|01|"; depth:1; byte_test:1,>,6,2; metadata:ruleset community; reference:cve,1999-0798; classtype:misc-activity; sid:1939; rev:9;)
# alert tcp $HOME_NET 751 -> $EXTERNAL_NET any (msg:"SERVER-OTHER successful kadmind buffer overflow attempt"; flow:to_client,established; content:"*GOBBLE*"; depth:8; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1901; rev:16;)
# alert tcp $HOME_NET 749 -> $EXTERNAL_NET any (msg:"SERVER-OTHER successful kadmind buffer overflow attempt"; flow:to_client,established; content:"*GOBBLE*"; depth:8; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1900; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL Worm traffic"; flow:to_server,established; content:"TERM=xterm"; fast_pattern:only; metadata:ruleset community, service ssl; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:web-application-attack; sid:1887; rev:9;)
# alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"SERVER-OTHER SSH server banner overflow"; flow:to_client,established; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s?[^\n]{200}/ism"; metadata:ruleset community; reference:bugtraq,5287; reference:cve,2002-1059; reference:nessus,15822; classtype:misc-attack; sid:1838; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER LPD dvips remote command execution attempt"; flow:to_server,established; content:"psfile=|22|`"; metadata:ruleset community; reference:bugtraq,3241; reference:cve,2001-1002; reference:nessus,11023; classtype:system-call-detect; sid:1821; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2533 (msg:"SERVER-OTHER Alcatel PABX 4400 connection attempt"; flow:to_server,established; content:"|00 01|C"; depth:3; metadata:ruleset community; reference:nessus,11019; classtype:misc-activity; sid:1819; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SERVER-OTHER gobbles SSH exploit attempt"; flow:to_server,established; content:"GOBBLES"; metadata:ruleset community; reference:bugtraq,5093; reference:cve,2002-0639; reference:nessus,11031; classtype:misc-attack; sid:1812; rev:13;)
# alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SERVER-OTHER successful gobbles ssh exploit uname"; flow:to_client,established; content:"uname"; metadata:ruleset community; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0640; reference:nessus,11031; classtype:misc-attack; sid:1811; rev:17;)
# alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SERVER-OTHER successful gobbles ssh exploit GOBBLE"; flow:to_client,established; content:"*GOBBLE*"; metadata:ruleset community; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0640; classtype:successful-admin; sid:1810; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"SERVER-OTHER cachefsd buffer overflow attempt"; flow:to_server,established; isdataat:720; content:"|00 01 87 86 00 00 00 01 00 00 00 05|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,4631; reference:cve,2002-0084; reference:nessus,10951; classtype:misc-attack; sid:1751; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion sendmail.cfm access"; flow:to_server,established; content:"/sendmail.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0760; reference:cve,2001-0535; classtype:attempted-recon; sid:1659; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"SERVER-OTHER Xtramail Username overflow attempt"; flow:to_server,established; content:"Username|3A|"; nocase; isdataat:100,relative; pcre:"/^Username\:[^\n]{100}/smi"; metadata:ruleset community; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10323; classtype:attempted-admin; sid:1636; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion ?Mode=debug attempt"; flow:to_server,established; content:"Mode=debug"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0760; reference:nessus,10797; classtype:web-application-activity; sid:1540; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"SERVER-OTHER CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; metadata:ruleset community; reference:bugtraq,3517; reference:cve,2001-0803; reference:nessus,10833; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:1398; rev:14;)
# alert tcp any any -> any 6666:7000 (msg:"SERVER-OTHER CHAT IRC Ettercap parse overflow attempt"; flow:to_server,established; content:"PRIVMSG"; fast_pattern:only; content:"nickserv"; nocase; content:"IDENTIFY"; nocase; isdataat:100,relative; pcre:"/^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi"; metadata:ruleset community; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"SERVER-OTHER rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; metadata:ruleset community; reference:bugtraq,3474; reference:cve,2001-0838; reference:nessus,10790; classtype:misc-attack; sid:1323; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage /_vti_bin/ access"; flow:to_server,established; content:"/_vti_bin/"; fast_pattern:only; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1288; rev:16;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER readme.eml download attempt"; flow:to_server,established; content:"/readme.eml"; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1284; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"SERVER-OTHER AIX pdnsd overflow"; flow:to_server,established; isdataat:1000; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; metadata:ruleset community; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:1261; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access"; flow:to_server,established; content:"/fp4areg.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2906; reference:cve,2001-0341; reference:nessus,10699; classtype:web-application-activity; sid:1249; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access"; flow:to_server,established; content:"/fp30reg.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2906; reference:cve,2001-0341; reference:cve,2003-0822; reference:nessus,10699; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-035; classtype:web-application-activity; sid:1248; rev:30;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2224 (msg:"SERVER-OTHER MDBMS overflow"; flow:to_server,established; content:"|01|1|DB CD 80 E8|[|FF FF FF|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,1252; reference:cve,2000-0446; reference:nessus,10422; classtype:attempted-admin; sid:1240; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage _vti_inf.html access"; flow:to_server,established; content:"/_vti_inf.html"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11455; classtype:web-application-activity; sid:990; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage register.htm access"; flow:to_server,established; content:"/_private/register.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:968; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage dvwssr.dll access"; flow:to_server,established; content:"/dvwssr.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1108; reference:bugtraq,1109; reference:cve,2000-0260; reference:nessus,10369; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-025; classtype:web-application-activity; sid:967; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage .... request"; flow:to_server,established; content:"..../"; http_uri; metadata:ruleset community, service http; reference:bugtraq,989; reference:cve,1999-0386; reference:cve,2000-0153; reference:nessus,10142; classtype:web-application-attack; sid:966; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage writeto.cnf access"; flow:to_server,established; content:"/_vti_pvt/writeto.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:965; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage users.pwd access"; flow:to_server,established; content:"/users.pwd"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:964; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage svcacl.cnf access"; flow:to_server,established; content:"/_vti_pvt/svcacl.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:963; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage shtml.exe access"; flow:to_server,established; content:"/_vti_bin/shtml.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1174; reference:bugtraq,1608; reference:bugtraq,5804; reference:cve,2000-0413; reference:cve,2000-0709; reference:cve,2002-0692; reference:nessus,10405; reference:nessus,11311; classtype:web-application-activity; sid:962; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage services.cnf access"; flow:to_server,established; content:"/_vti_pvt/services.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:961; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage service.stp access"; flow:to_server,established; content:"/_vti_pvt/service.stp"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:960; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage service.pwd"; flow:to_server,established; content:"/service.pwd"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1205; classtype:web-application-activity; sid:959; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage service.cnf access"; flow:to_server,established; content:"/_vti_pvt/service.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:958; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage registrations.txt access"; flow:to_server,established; content:"/_private/registrations.txt"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:957; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage register.txt access"; flow:to_server,established; content:"/_private/register.txt"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:956; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage access.cnf access"; flow:to_server,established; content:"/_vti_pvt/access.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:955; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage form_results.htm access"; flow:to_server,established; content:"/_private/form_results.htm"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-1052; classtype:web-application-activity; sid:954; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage administrators.pwd access"; flow:to_server,established; content:"/administrators.pwd"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1205; classtype:web-application-activity; sid:953; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage author.exe access"; flow:to_server,established; content:"/_vti_bin/_vti_aut/author.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:952; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage authors.pwd access"; flow:to_server,established; content:"/authors.pwd"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:951; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage cfgwiz.exe access"; flow:to_server,established; content:"/cfgwiz.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:950; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage registrations.htm access"; flow:to_server,established; content:"/_private/registrations.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:949; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage form_results access"; flow:to_server,established; content:"/_private/form_results.txt"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-1052; classtype:web-application-activity; sid:948; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage orders.txt access"; flow:to_server,established; content:"/_private/orders.txt"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:947; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access"; flow:to_server,established; content:"/scripts/Fpadmcgi.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:946; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpadmin.htm access"; flow:to_server,established; content:"/admisapi/fpadmin.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:945; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpremadm.exe access"; flow:to_server,established; content:"/fpremadm.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:944; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access"; flow:to_server,established; content:"/fpsrvadm.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:943; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage orders.htm access"; flow:to_server,established; content:"/_private/orders.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:942; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage contents.htm access"; flow:to_server,established; content:"/admcgi/contents.htm"; fast_pattern; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:941; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage shtml.dll access"; flow:to_server,established; content:"/_vti_bin/shtml.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1174; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0413; reference:cve,2000-0746; reference:nessus,11395; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-060; classtype:web-application-activity; sid:940; rev:28;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage posting"; flow:to_server,established; content:"POST"; content:"/author.dll"; fast_pattern; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-100; classtype:web-application-activity; sid:939; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage _vti_rpc access"; flow:to_server,established; content:"/_vti_rpc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; classtype:web-application-activity; sid:937; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion gettempdirectory.cfm access "; flow:to_server,established; content:"/cfdocs/snippets/gettempdirectory.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:936; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion startstop DOS access"; flow:to_server,established; content:"/cfide/administrator/startstop.html"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,247; reference:cve,1999-0756; classtype:web-application-attack; sid:935; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion onrequestend.cfm access"; flow:to_server,established; content:"/onrequestend.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,2000-0189; classtype:attempted-recon; sid:933; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion application.cfm access"; flow:to_server,established; content:"/application.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,2000-0189; classtype:attempted-recon; sid:932; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfmlsyntaxcheck.cfm access"; flow:to_server,established; content:"/cfdocs/cfmlsyntaxcheck.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:931; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion snippets attempt"; flow:to_server,established; content:"/cfdocs/snippets/"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:930; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion CFUSION_VERIFYMAIL access"; flow:to_server,established; content:"CFUSION_VERIFYMAIL|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-user; sid:929; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exampleapp access"; flow:to_server,established; content:"/cfdocs/exampleapp/"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2001-0535; classtype:attempted-recon; sid:928; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion settings refresh attempt"; flow:to_server,established; content:"CFUSION_SETTINGS_REFRESH|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:927; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion set odbc ini attempt"; flow:to_server,established; content:"CFUSION_SETODBCINI|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:926; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion mainframeset access"; flow:to_server,established; content:"/cfdocs/examples/mainframeset.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:925; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion admin decrypt attempt"; flow:to_server,established; content:"CFUSION_DECRYPT|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:924; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:923; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion displayfile access"; flow:to_server,established; content:"/cfdocs/expeval/displayopenedfile.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:922; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion admin encrypt attempt"; flow:to_server,established; content:"CFUSION_ENCRYPT|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:921; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:920; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion datasource passwordattempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:919; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion expeval access"; flow:to_server,established; content:"/cfdocs/expeval/"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0477; reference:cve,1999-0760; classtype:attempted-user; sid:918; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion db connections flush attempt"; flow:to_server,established; content:"CFUSION_DBCONNECTIONS_FLUSH|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:917; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion getodbcdsn access"; flow:to_server,established; content:"CFUSION_GETODBCDSN|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:916; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion evaluate.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/evaluate.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:915; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion beaninfo access"; flow:to_server,established; content:"/cfdocs/examples/cvbeans/beaninfo.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:914; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfappman access"; flow:to_server,established; content:"/cfappman/index.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:913; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion parks access"; flow:to_server,established; content:"/cfdocs/examples/parks/detail.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:912; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exprcalc access"; flow:to_server,established; content:"/cfdocs/expeval/exprcalc.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,115; reference:bugtraq,550; reference:cve,1999-0455; reference:cve,1999-0760; classtype:attempted-recon; sid:911; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion fileexists.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/fileexists.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:910; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:909; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion administrator access"; flow:to_server,established; content:"/cfide/administrator/index.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1314; reference:cve,2000-0538; reference:nessus,10581; classtype:attempted-recon; sid:908; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion addcontent.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/publish/admin/addcontent.cfm"; fast_pattern; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2001-0535; classtype:attempted-recon; sid:907; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion getfile.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/email/getfile.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,229; reference:cve,1999-0800; reference:cve,2001-0535; classtype:attempted-recon; sid:906; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion application.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/publish/admin/application.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1021; reference:cve,2000-0189; reference:cve,2001-0535; classtype:attempted-recon; sid:905; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exampleapp application.cfm"; flow:to_server,established; content:"/cfdocs/exampleapp/email/application.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1021; reference:cve,2000-0189; reference:cve,2001-0535; classtype:attempted-recon; sid:904; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfcache.map access"; flow:to_server,established; content:"/cfcache.map"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,917; reference:cve,2000-0057; classtype:attempted-recon; sid:903; rev:18;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"SERVER-OTHER ramen worm"; flow:to_server,established; content:"GET "; depth:8; nocase; metadata:ruleset community; classtype:bad-unknown; sid:514; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 70 (msg:"SERVER-OTHER gopher proxy"; flow:to_server,established; content:"ftp|3A|"; fast_pattern:only; content:"@/"; metadata:ruleset community; classtype:bad-unknown; sid:508; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1417 (msg:"SERVER-OTHER Insecure TIMBUKTU Password"; flow:to_server,established; content:"|05 00|>"; depth:16; metadata:ruleset community; classtype:bad-unknown; sid:505; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt"; flow:to_server; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|"; fast_pattern:only; metadata:ruleset community, service dns; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-admin; sid:314; rev:22;)
# alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"SERVER-OTHER NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; metadata:ruleset community, service ftp; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:308; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"SERVER-OTHER CHAT IRC topic overflow"; flow:to_client,established; content:"|EB|K[S2|E4 83 C3 0B|K|88 23 B8|Pw"; metadata:ruleset community; reference:bugtraq,573; reference:cve,1999-0672; classtype:attempted-user; sid:307; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-OTHER VQServer admin"; flow:to_server,established; content:"GET / HTTP/1.1"; nocase; metadata:ruleset community; reference:bugtraq,1610; reference:cve,2000-0766; reference:nessus,10354; reference:url,www.vqsoft.com/vq/server/docs/other/control.html; classtype:attempted-admin; sid:306; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-OTHER delegate proxy overflow"; flow:to_server,established; isdataat:1000; content:"whois|3A|//"; nocase; metadata:ruleset community; reference:bugtraq,808; reference:cve,2000-0165; classtype:attempted-admin; sid:305; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"SERVER-OTHER SCO calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; metadata:ruleset community; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:304; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01|    |02|a"; metadata:ruleset community, service dns; reference:bugtraq,2302; reference:cve,2001-0010; reference:nessus,10605; classtype:attempted-admin; sid:303; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER LPRng overflow"; flow:to_server,established; content:"C|07 89|[|08 8D|K|08 89|C|0C B0 0B CD 80|1|C0 FE C0 CD 80 E8 94 FF FF FF|/bin/sh|0A|"; metadata:ruleset community; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:301; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; fast_pattern:only; metadata:ruleset community, service dns; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:261; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow via NXT records named overflow ADMROCKS"; flow:to_server,established; content:"ADMROCKS"; metadata:ruleset community, service dns; reference:bugtraq,788; reference:cve,1999-0833; reference:url,www.cert.org/advisories/CA-1999-14.html; classtype:attempted-admin; sid:260; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow via NXT records named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; fast_pattern:only; metadata:ruleset community, service dns; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:259; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow via NXT records"; flow:to_server,established; content:"../../../"; fast_pattern:only; metadata:ruleset community, service dns; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:258; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1761 (msg:"SERVER-OTHER Novell ZENWorks Remote Management overflow attempt"; flow:to_server,established; content:"|00 06|"; depth:2; content:"|00 06|"; within:2; distance:6; content:"|7F FF|"; within:2; distance:6; metadata:policy max-detect-ips drop; reference:bugtraq,13678; reference:cve,2005-1543; classtype:attempted-admin; sid:27001; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 623 (msg:"SERVER-OTHER IPMI RAKP cipher zero remote authentication bypass attempt"; flow:to_server; content:"|06 00 FF 07 06 10 00 00 00 00 00 00 00 00|"; depth:14; content:"|00 00 00 00|"; within:4; distance:2; content:"|00 00 00 08 00|"; within:5; distance:4; fast_pattern; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:cve,2013-4782; reference:cve,2013-4783; reference:cve,2013-4784; reference:url,www.fish2.com/ipmi/cipherzero.html; reference:url,www.intel.com/content/dam/www/public/us/en/documents/product-briefs/second-gen-interface-spec-v2.pdf; classtype:attempted-admin; sid:27210; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt"; content:"|6A 83|"; depth:2; content:"|00|"; within:1; distance:3; metadata:service kerberos; reference:cve,2011-0283; reference:url,attack.mitre.org/techniques/T1097; classtype:denial-of-service; sid:27195; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt"; content:"|6A 82|"; depth:2; content:"|00|"; within:1; distance:2; metadata:service kerberos; reference:cve,2011-0283; reference:url,attack.mitre.org/techniques/T1097; classtype:denial-of-service; sid:27194; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt"; content:"|6A 81|"; depth:2; content:"|00|"; within:1; distance:1; metadata:service kerberos; reference:cve,2011-0283; reference:url,attack.mitre.org/techniques/T1097; classtype:denial-of-service; sid:27193; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Citrix XenApp password buffer overflow attempt"; flow:to_server,established; content:"scripts/wpnbr.dll"; fast_pattern:only; http_uri; content:"POST"; http_method; content:"<RequestValidateCredentials>"; http_client_body; content:"<Password"; distance:0; http_client_body; content:"encoding=|22|ctx1|22|>"; within:18; http_client_body; isdataat:300,relative; content:!"</Password>"; within:300; http_client_body; metadata:service http; reference:bugtraq,48898; reference:url,support.citrix.com/article/CTX129430; classtype:attempted-admin; sid:27236; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-OTHER Microsoft Active Directory LDAP search denial of service attempt"; flow:to_server,established; content:"cn="; depth:20; content:"dc="; within:20; content:"|A3 06 04 01|"; within:75; content:"|04 01|"; within:10; content:"|04 01|"; within:10; content:"|04 01|"; within:10; metadata:service ldap; reference:cve,2013-1282; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-032; classtype:denial-of-service; sid:27234; rev:5;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER-OTHER Adobe ColdFusion JRun error page getWriter denial of service attempt"; flow:to_client,established,only_stream; content:"500"; http_stat_code; content:"JRun Servlet Error"; fast_pattern:only; detection_filter:track by_dst, count 50, seconds 1; metadata:service http; reference:bugtraq,61039; reference:cve,2013-3349; reference:url,www.adobe.com/support/security/bulletins/apsb13-19.html; classtype:attempted-dos; sid:27225; rev:4;)
alert tcp $HOME_NET 8575 -> $EXTERNAL_NET any (msg:"SERVER-OTHER Adobe ColdFusion websocket invoke method access"; flow:to_client,established; content:"|22|ns|22 3A 22|coldfusion.websocket"; nocase; content:"|22|reqType|22 3A 22|invoke|22|"; distance:0; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,61042; reference:cve,2013-3350; reference:url,www.adobe.com/support/security/bulletins/apsb13-19.html; classtype:policy-violation; sid:27224; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 623 (msg:"SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt"; flow:to_server,no_stream; content:"|06 00 FF 07 06 10|"; depth:6; detection_filter:track by_dst, count 100, seconds 1; reference:cve,2013-4786; reference:url,attack.mitre.org/techniques/T1110; classtype:attempted-admin; sid:27240; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 623 (msg:"SERVER-OTHER IPMI default username - USERID"; flow:to_server; content:"|06 00 FF 07 06 12|"; depth:6; content:"USERID"; distance:0; fast_pattern; nocase; reference:cve,2013-4786; reference:url,attack.mitre.org/techniques/T1078; classtype:policy-violation; sid:27239; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 623 (msg:"SERVER-OTHER IPMI default username - admin"; flow:to_server; content:"|06 00 FF 07 06 12|"; depth:6; content:"admin"; distance:0; fast_pattern; nocase; reference:cve,2013-4786; reference:url,attack.mitre.org/techniques/T1078; classtype:policy-violation; sid:27238; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 623 (msg:"SERVER-OTHER IPMI default username - root"; flow:to_server; content:"|06 00 FF 07 06 12|"; depth:6; content:"root"; distance:0; fast_pattern; nocase; reference:cve,2013-4786; reference:url,attack.mitre.org/techniques/T1078; classtype:policy-violation; sid:27237; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SERVER-OTHER GuildFTPd LIST command heap overflow attempt"; flow:to_server,established; dsize:>74; content:"list "; depth:5; nocase; pcre:"/^list [\w]{70}/i"; metadata:service ftp; reference:bugtraq,31729; reference:cve,2008-4572; classtype:attempted-admin; sid:27270; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SERVER-OTHER GuildFTPd CWD command heap overflow attempt"; flow:to_server,established; dsize:>74; content:"cwd "; depth:4; nocase; content:"/./././././././."; fast_pattern:only; pcre:"/(\/\.){70}/i"; metadata:service ftp; reference:bugtraq,31729; reference:cve,2008-4572; classtype:attempted-admin; sid:27269; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5001:5002 (msg:"SERVER-OTHER Sybase Open Server function pointer array code execution attempt"; flow:to_server,established; content:"|FF|"; content:"DBISQ"; within:5; distance:15; content:"jConnect"; within:8; distance:317; reference:bugtraq,48934; reference:url,www.sybase.com/detail?id=1094235; classtype:attempted-admin; sid:27579; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER OpenX POST to known backdoored file"; flow:to_server,established; content:"POST"; nocase; http_method; content:"file_to_serve=flowplayer/3.1.1/flowplayer-3.1.1.min.js"; fast_pattern:only; http_uri; content:"deliveryLog|3A|vastServeVideoPlayer|3A|player"; nocase; http_uri; metadata:service http; reference:cve,2013-4211; reference:url,isc.sans.edu/diary/OpenX+Ad+Server+Backdoor/16303; classtype:attempted-admin; sid:27578; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Joomla media.php arbitrary file upload attempt"; flow:to_server,established; content:"option=com_media"; nocase; http_uri; content:"task=file.upload"; nocase; http_uri; content:"filename="; nocase; http_client_body; content:".php."; within:50; nocase; http_client_body; pcre:"/filename=[\x22\x27][^\x22\x27]+?\.php\.[\x22\x27]/smiP"; metadata:service http; reference:bugtraq,61582; reference:cve,2013-5576; reference:url,developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads; reference:url,joomlacode.org/gf/project/joomla/tracker/action=TrackerItemEdit&tracker_item_id=31626; classtype:attempted-admin; sid:27623; rev:5;)
# alert tcp $DNS_SERVERS 53 -> $EXTERNAL_NET any (msg:"SERVER-OTHER ISC BIND 9 DNS rdata length handling remote denial of service attempt"; flow:to_client,established; content:"|FF FD|"; offset:12; byte_test:2,>=,4,6,relative; byte_test:2,<=,15,6,relative; pcre:"/\S+?\x00\xff\xfd/i"; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,61479; reference:cve,2013-4854; reference:url,kb.isc.org/article/AA-01015; reference:url,kb.isc.org/article/AA-01016; classtype:denial-of-service; sid:27666; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [13838] (msg:"SERVER-OTHER HP LeftHand Virtual SAN hydra login request buffer overflow attempt"; flow:to_server,established; content:"login|3A 2F|"; depth:7; offset:32; content:"global$agent|2F|"; within:14; byte_test:4,>,1000,8; metadata:policy max-detect-ips drop; reference:bugtraq,60884; reference:cve,2013-2343; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03661318; classtype:attempted-admin; sid:27646; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Microsoft SharePoint denial of service attempt"; flow:to_server,established; content:"/_vti_bin/ws.asmx?wsdl"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2013-0081; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-067; classtype:web-application-attack; sid:27819; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Microsoft SharePoint denial of service attempt"; flow:to_server,established; content:"/_vti_bin/ws.asmx?disco"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2013-0081; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-067; classtype:web-application-attack; sid:27818; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER CA Total Defense Suite UNCWS ReportFilterID/reportTemplateID SQL injection attempt"; flow:to_server, established; content:"POST"; nocase; http_method; content:"/UNCWS/Management.asmx"; fast_pattern:only; http_uri; content:"report"; nocase; http_client_body; content:"ID"; within:10; nocase; http_client_body; pcre:"/<\s*report(Filter|Template)ID\s*>[^<]*?[\x3b\x29]/iP"; metadata:service http; reference:cve,2011-1655; classtype:attempted-admin; sid:28102; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER CA Total Defense Suite UNCWS reGenerateReports/DeleteReports SQL injection attempt"; flow:to_server, established; content:"POST"; nocase; http_method; content:"/UNCWS/Management.asmx"; fast_pattern:only; http_uri; content:"ReportIDs="; nocase; http_client_body; pcre:"/<\s*ReportIDs\s*>[^<]*?[\x3b\x29]/iP"; metadata:service http; reference:cve,2011-1655; classtype:attempted-admin; sid:28101; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER CA Total Defense Suite UNCWS deleteReportFilter SQL injection attempt"; flow:to_server, established; content:"POST"; nocase; http_method; content:"/UNCWS/Management.asmx/deleteReportFilter"; fast_pattern:only; http_uri; content:"reportFilterID="; nocase; http_client_body; pcre:"/reportFilterID=[^&]*?[\x3b\x29]/iP"; metadata:service http; reference:cve,2011-1655; classtype:attempted-admin; sid:28100; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER CA Total Defense Suite UNCWS reGenerateReports/DeleteReports SQL injection attempt"; flow:to_server, established; content:"POST"; nocase; http_method; content:"/UNCWS/Management.asmx/DeleteReports"; fast_pattern:only; http_uri; content:"ReportIDs="; nocase; http_client_body; pcre:"/ReportIDs=[^&]*?[\x3b\x29]/iP"; metadata:service http; reference:cve,2011-1655; classtype:attempted-admin; sid:28099; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER CA Total Defense Suite UNCWS reGenerateReports/DeleteReports SQL injection attempt"; flow:to_server, established; content:"POST"; nocase; http_method; content:"/UNCWS/Management.asmx/reGenerateReports"; fast_pattern:only; http_uri; content:"ReportIDs="; nocase; http_client_body; pcre:"/ReportIDs=[^&]*?[\x3b\x29]/iP"; metadata:service http; reference:cve,2011-1655; classtype:attempted-admin; sid:28098; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Microsoft SharePoint XSS attempt"; flow:to_server,established; content:"/Lists/Links/AllItems.aspx"; nocase; http_uri; content:"UrlFieldUrl="; nocase; http_client_body; content:"javascript|3B|"; within:50; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-3895; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-084; classtype:attempted-admin; sid:28201; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1984 (msg:"SERVER-OTHER Quest Software Big Brother attempted arbitrary file upload "; flow:to_server,established; content:"ack "; depth:4; content:".."; within:16; distance:10; classtype:attempted-user; sid:28150; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1984 (msg:"SERVER-OTHER Quest Software Big Brother attempted arbitrary file deletion"; flow:to_server,established; content:"page "; depth:5; content:".."; within:3; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; classtype:attempted-user; sid:28149; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [6542] (msg:"SERVER-OTHER EMC Replication Manager irccd remote command execution attempt"; flow:to_server,established; content:"EMC_"; depth:4; content:"<ir_runProgramCommand"; distance:0; nocase; reference:bugtraq,46235; reference:cve,2011-0647; classtype:attempted-admin; sid:28393; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS [$HTTP_PORTS,443,8443] (msg:"SERVER-OTHER McAfee ePolicy Orchestrator XSS attempt"; flow:to_server,established; content:"/ComputerMgmt/sysDetPanelSummary.do"; fast_pattern:only; http_uri; pcre:"/uid=\s?\D{1,3}/i"; metadata:service http, service ssl; reference:bugtraq,59505; reference:cve,2013-0141; reference:url,funoverip.net/2013/06/mcafee-epolicy-0wner-preview/; classtype:attempted-admin; sid:28827; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS [$HTTP_PORTS,443,8443] (msg:"SERVER-OTHER McAfee ePolicy Orchestrator XSS attempt"; flow:to_server,established; content:"/ComputerMgmt/sysDetPanelSummary.do?sysDetPanelSummary="; fast_pattern:only; http_uri; pcre:"/[?&]sysDetPanelSummary=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http, service ssl; reference:bugtraq,59505; reference:cve,2013-0141; reference:url,funoverip.net/2013/06/mcafee-epolicy-0wner-preview/; classtype:attempted-admin; sid:28826; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS [$HTTP_PORTS,443,8443] (msg:"SERVER-OTHER McAfee ePolicy Orchestrator XSS attempt"; flow:to_server,established; content:"/ComputerMgmt/sysDetPanelQry.do?sysDetPanelQry="; fast_pattern:only; http_uri; pcre:"/[?&]sysDetPanelQry=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http, service ssl; reference:bugtraq,59505; reference:cve,2013-0141; reference:url,funoverip.net/2013/06/mcafee-epolicy-0wner-preview/; classtype:attempted-admin; sid:28825; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS [$HTTP_PORTS,443,8443] (msg:"SERVER-OTHER McAfee ePolicy Orchestrator XSS attempt"; flow:to_server,established; content:"/ComputerMgmt/sysDetPanelQry.do"; fast_pattern:only; http_uri; pcre:"/uid=\s?\D{1,3}/i"; metadata:service http, service ssl; reference:bugtraq,59505; reference:cve,2013-0141; reference:url,funoverip.net/2013/06/mcafee-epolicy-0wner-preview/; classtype:attempted-admin; sid:28824; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS [$HTTP_PORTS,443,8443] (msg:"SERVER-OTHER McAfee ePolicy Orchestrator XSS attempt"; flow:to_server,established; content:"/ComputerMgmt/sysDetPanelBoolPie.do?uid="; fast_pattern:only; http_uri; pcre:"/uid=\s?\D{1,3}/Ui"; metadata:service http, service ssl; reference:bugtraq,59505; reference:cve,2013-0141; reference:url,funoverip.net/2013/06/mcafee-epolicy-0wner-preview/; classtype:attempted-admin; sid:28823; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS [$HTTP_PORTS,443,8443] (msg:"SERVER-OTHER McAfee ePolicy Orchestrator XSS attempt"; flow:to_server,established; content:"/console/createDashboardContainer.do?monitorUrl="; fast_pattern:only; http_uri; pcre:"/[?&]monitorUrl=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http, service ssl; reference:bugtraq,59505; reference:cve,2013-0141; reference:url,funoverip.net/2013/06/mcafee-epolicy-0wner-preview/; classtype:attempted-admin; sid:28822; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS [$HTTP_PORTS,443,8443] (msg:"SERVER-OTHER McAfee ePolicy Orchestrator XSS attempt"; flow:to_server,established; content:"/core/loadDisplayType.do"; fast_pattern:only; http_uri; pcre:"/[?&]instanceId=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:service http, service ssl; reference:bugtraq,59505; reference:cve,2013-0141; reference:url,funoverip.net/2013/06/mcafee-epolicy-0wner-preview/; classtype:attempted-admin; sid:28821; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Nagios core config manager tfpassword sql injection attempt"; flow:to_server,established; content:"/nagiosql/"; fast_pattern:only; http_uri; content:"tfpassword="; nocase; http_client_body; pcre:"/tfpassword=[^&]*?(%27%29|\x27\x29)/imsP"; metadata:service http; reference:cve,2013-6875; reference:url,attack.mitre.org/techniques/T1190; classtype:web-application-attack; sid:28908; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Squid HTTP Host header port parameter denial of service attempt"; flow:to_server,established; content:"Host|3A| "; fast_pattern:only; http_header; pcre:"/Host\x3a\s*.*?:\D/H"; metadata:policy max-detect-ips drop, service http; reference:cve,2013-4123; classtype:attempted-user; sid:28955; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Cisco Prime Data Center Network Manager arbitrary file read attempt"; flow:to_server,established; content:"/downloadServlet"; fast_pattern:only; http_uri; content:"showFile="; http_uri; content:".."; distance:0; http_uri; metadata:service http; reference:bugtraq,62483; reference:cve,2013-5487; classtype:web-application-attack; sid:29266; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"SERVER-OTHER Novell NetWare AFP denial of service attempt"; flow:to_server,established,no_stream; content:"|0D 0A 0D 0A|"; fast_pattern:only; content:!"|00|"; depth:1; content:!"|01|"; depth:1; detection_filter:track by_src, count 1000, seconds 4; reference:bugtraq,37616; reference:cve,2010-0317; classtype:attempted-dos; sid:29362; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Mediawiki DjVu and PDF handling code execution attempt"; flow:to_server,established; content:"thumb.php"; http_uri; pcre:"/thumb\.php.*?[whp]=[^\x26]*?(\x60|\x24\x28)/Ui"; metadata:service http; reference:cve,2014-1610; classtype:attempted-admin; sid:29582; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt"; flow:to_server,established; dsize:>61; content:"|00 00 06 09|"; depth:4; offset:16; pcre:"/.{4}\x00\x00\x00(\xF0|\xEF|\xE8|\xF5|\xED).{36}(?!_[^_]{1,64}_[^_]{1,64}_)/smiR"; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,23635; reference:cve,2007-2139; classtype:attempted-admin; sid:29581; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2954 (msg:"SERVER-OTHER OpenView Network Node Manager ovalarmsrv opcode 81 integer overflow attempt"; flow:to_server,established; content:"81"; depth:2; pcre:"/^81\s+([0-9]+\s+){2}([2-9][0-9]{8}|[0-9]{10})/m"; metadata:policy max-detect-ips drop; reference:bugtraq,34738; reference:cve,2008-2438; classtype:attempted-admin; sid:29532; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2954 (msg:"SERVER-OTHER OpenView Network Node Manager ovalarmsrv opcode 25 integer overflow attempt"; flow:to_server,established; content:"25"; depth:2; pcre:"/^25\s+([0-9]+\s+){2}([2-9][0-9]{8}|[0-9]{10})/m"; metadata:policy max-detect-ips drop; reference:bugtraq,34738; reference:cve,2008-2438; classtype:attempted-admin; sid:29531; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2954 (msg:"SERVER-OTHER OpenView Network Node Manager ovalarmsrv opcode 54 integer overflow attempt"; flow:to_server,established; content:"54"; depth:2; pcre:"/^54\s+[0-9]+\s+([2-9][0-9]{8}|[0-9]{10})/m"; metadata:policy max-detect-ips drop; reference:bugtraq,34738; reference:cve,2008-2438; classtype:attempted-admin; sid:29530; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2954 (msg:"SERVER-OTHER OpenView Network Node Manager ovalarmsrv opcode 47 integer overflow attempt"; flow:to_server,established; content:"47"; depth:2; pcre:"/^47\s+[0-9]+\s+([2-9][0-9]{8}|[0-9]{10})/m"; metadata:policy max-detect-ips drop; reference:bugtraq,34738; reference:cve,2008-2438; classtype:attempted-admin; sid:29529; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2954 (msg:"SERVER-OTHER OpenView Network Node Manager ovalarmsrv opcode 46 integer overflow attempt"; flow:to_server,established; content:"46"; depth:2; pcre:"/^46\s+[0-9]+\s+([2-9][0-9]{8}|[0-9]{10})/m"; metadata:policy max-detect-ips drop; reference:bugtraq,34738; reference:cve,2008-2438; classtype:attempted-admin; sid:29528; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13841 (msg:"SERVER-OTHER HP LeftHand Virtual SAN hydra information disclosure attempt"; flow:to_server,established; content:"|02 80 1D 00 00 00 00 00 00|"; depth:13; reference:bugtraq,57754; reference:cve,2012-3282; classtype:misc-activity; sid:29517; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13841 (msg:"SERVER-OTHER HP LeftHand Virtual SAN hydra information disclosure attempt"; flow:to_server,established; content:"|02 00 00 00 00 00 00 00 00|"; depth:13; reference:bugtraq,57754; reference:cve,2012-3282; classtype:misc-activity; sid:29516; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2148 (msg:"SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type A buffer overflow attempt"; flow:to_server,established; content:"|0D 0A|--#UCL_DATA_HEAD#--|00|"; fast_pattern:only; content:"|00 00 00 0A|"; content:"|FF FF FF FF|"; within:4; distance:16; reference:bugtraq,49014; reference:cve,2011-0547; classtype:attempted-admin; sid:29591; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2148 (msg:"SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type A buffer overflow attempt"; flow:to_server,established; content:"|0D 0A|--#UCL_DATA_HEAD#--|00|"; fast_pattern:only; content:"|00 00 00 0A FF FF FF FF|"; reference:bugtraq,49014; reference:cve,2011-0547; classtype:attempted-admin; sid:29590; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2148 (msg:"SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 7 buffer overflow attempt"; flow:to_server,established; content:"|0D 0A|--#UCL_DATA_HEAD#--|00|"; fast_pattern:only; content:"|00 00 00 07|"; byte_test:4,<,0xF00,0,relative,big; byte_jump:4,0,relative,big; content:"|00 00 00 00|"; within:4; byte_test:4,>=,0x7fffffff,0,relative,big; reference:bugtraq,49014; reference:cve,2011-0547; classtype:attempted-admin; sid:29589; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2148 (msg:"SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 7 buffer overflow attempt"; flow:to_server,established; content:"|0D 0A|--#UCL_DATA_HEAD#--|00|"; fast_pattern:only; content:"|00 00 00 07 FF FF FF FF|"; reference:bugtraq,49014; reference:cve,2011-0547; classtype:attempted-admin; sid:29588; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2148 (msg:"SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 6 buffer overflow attempt"; flow:to_server,established; content:"|0D 0A|--#UCL_DATA_HEAD#--|00|"; fast_pattern:only; content:"|00 00 00 06|"; byte_test:4,<,0xF00,0,relative,big; byte_jump:4,0,relative,big; content:"|00 00 00 00 FF FF FF FF|"; within:8; reference:bugtraq,49014; reference:cve,2011-0547; classtype:attempted-admin; sid:29587; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2148 (msg:"SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 6 buffer overflow attempt"; flow:to_server,established; content:"|0D 0A|--#UCL_DATA_HEAD#--|00|"; fast_pattern:only; content:"|00 00 00 06 FF FF FF FF|"; reference:bugtraq,49014; reference:cve,2011-0547; classtype:attempted-admin; sid:29586; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2148 (msg:"SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 3 buffer overflow attempt"; flow:to_server,established; content:"|0D 0A|--#UCL_DATA_HEAD#--|00|"; fast_pattern:only; content:"|00 00 00 03 FF FF FF FF|"; reference:bugtraq,49014; reference:cve,2011-0547; classtype:attempted-admin; sid:29585; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP Data Protector Backup Client Service code execution attempt"; flow:to_server,established; content:"|FE FF|"; depth:2; offset:4; content:"|00 32 00 00 00|"; within:9; content:"|00 00 00|"; distance:0; isdataat:254,relative; content:!"|00 00 00|"; within:254; metadata:policy max-detect-ips drop; reference:cve,2011-0922; classtype:suspicious-filename-detect; sid:29603; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2400 (msg:"SERVER-OTHER Novell ZENworks Handheld Management ZfHIPCND.exe buffer overflow attempt"; flow:to_server,established; content:"|01 00 00 00 01 00 01 00|"; fast_pattern:only; flowbits:set,zenworks_opcode; flowbits:noalert; reference:bugtraq,46024; reference:cve,2011-0742; classtype:attempted-admin; sid:29607; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP Data Protector Backup Client Service code execution attempt"; flow:to_server,established; content:"|32 00|"; depth:7; offset:4; isdataat:254,relative; content:!"|00 20 32 37 00|"; within:254; metadata:policy max-detect-ips drop; reference:cve,2011-0922; classtype:suspicious-filename-detect; sid:29630; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2400 (msg:"SERVER-OTHER Novell ZENworks Handheld Management ZfHIPCND.exe buffer overflow attempt"; flow:to_server,established; flowbits:isset,zenworks_opcode; content:"|22|"; depth:1; byte_extract:1,13,offsetvar; byte_test:4,>,436,offsetvar; reference:bugtraq,46024; reference:cve,2011-0742; classtype:attempted-admin; sid:29629; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2400 (msg:"SERVER-OTHER Novell ZENworks Handheld Management ZfHIPCND.exe buffer overflow attempt"; flow:to_server,established; flowbits:isset,zenworks_opcode; content:"|0C|"; depth:1; byte_extract:1,13,offsetvar; byte_test:4,>,436,offsetvar; reference:bugtraq,46024; reference:cve,2011-0742; classtype:attempted-admin; sid:29628; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2400 (msg:"SERVER-OTHER Novell ZENworks Handheld Management ZfHIPCND.exe buffer overflow attempt"; flow:to_server,established; flowbits:isset,zenworks_opcode; content:"|0B|"; depth:1; byte_extract:1,13,offsetvar; byte_test:4,>,436,offsetvar; metadata:policy max-detect-ips drop; reference:bugtraq,46024; reference:cve,2011-0742; classtype:attempted-admin; sid:29627; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2400 (msg:"SERVER-OTHER Novell ZENworks Handheld Management ZfHIPCND.exe buffer overflow attempt"; flow:to_server,established; flowbits:isset,zenworks_opcode; content:"|0A|"; depth:1; byte_extract:1,13,offsetvar; byte_test:4,>,436,offsetvar; reference:bugtraq,46024; reference:cve,2011-0742; classtype:attempted-admin; sid:29626; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5498 (msg:"SERVER-OTHER IBM Cognos TM1 Server tm1admsd.exe buffer overflow attempt"; flow:to_server,established; content:"|00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03|"; fast_pattern:only; reference:bugtraq,52847; reference:cve,2012-0202; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21590314; classtype:attempted-admin; sid:29611; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [5495,5498] (msg:"SERVER-OTHER IBM Cognos TM1 Server tm1admsd.exe buffer overflow attempt"; flow:to_server,established; content:"|00 08|"; depth:2; offset:6; isdataat:1000,relative; reference:bugtraq,52847; reference:cve,2012-0202; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21590314; classtype:attempted-admin; sid:29610; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER D-Link IP Cameras access the ASCII video stream via image luminance"; flow:to_server,established; content:"/md/lums.cgi"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2013-1601; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-user; sid:29795; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER D-Link IP Cameras access to the video stream via HTTP"; flow:to_server,established; content:"/upnp/asf-mp4.asf"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2013-1600; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-user; sid:29794; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER D-Link IP Cameras execution of commands from administration web interface"; flow:to_server,established; content:"/cgi-bin/rtpd.cgi|3F|"; fast_pattern:only; http_uri; urilen:>18; metadata:service http; reference:cve,2013-1599; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-user; sid:29793; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER Novell iPrint Server remote code execution attempt"; flow:established,to_server; content:"|01|"; depth:1; isdataat:124,relative; content:!"|0A|"; within:124; reference:bugtraq,46309; reference:cve,2010-4328; classtype:attempted-user; sid:29792; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-OTHER EMC AlphaStore buffer overflow attempt"; flow:to_server,established; content:"r"; depth:1; isdataat:28,relative; content:!"|00|"; within:28; reference:cve,2013-0930; classtype:attempted-admin; sid:29942; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-OTHER EMC AlphaStore buffer overflow attempt"; flow:to_server,established; content:"A"; depth:1; isdataat:28,relative; content:!"|00|"; within:28; reference:cve,2013-0930; classtype:attempted-admin; sid:29941; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3500 (msg:"SERVER-OTHER EMC AlphaStore buffer overflow attempt"; flow:to_server,established; content:"O"; depth:1; content:"|7E|"; distance:0; isdataat:256,relative; content:!"|00|"; within:256; reference:cve,2013-0946; classtype:attempted-admin; sid:29940; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3500 (msg:"SERVER-OTHER EMC AlphaStore buffer overflow attempt"; flow:to_server,established; content:"O"; depth:1; content:"|7E|"; distance:0; content:"|2C|"; distance:0; isdataat:32,relative; content:!"|2C|"; within:32; reference:cve,2013-0946; classtype:attempted-admin; sid:29939; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 4322 (msg:"SERVER-OTHER InduSoft Web Studio Remote Agent buffer overflow attempt"; flow:to_server,established; content:"|15|"; depth:1; isdataat:104,relative; content:!"|00|"; within:104; reference:cve,2011-4052; classtype:attempted-user; sid:29938; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [3200:3299] (msg:"SERVER-OTHER SAP NetWeaver Dispatcher DiagTraceR3Info buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 10 06 20|"; depth:13; offset:11; content:!"|00 0C|"; within:17; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,53424; reference:cve,2012-2611; classtype:attempted-admin; sid:29937; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Python socket.recvfrom_into remote buffer overflow attempt"; flow:to_server,established; content:"|08 59 38 08|"; depth:4; offset:4; content:"|08 59 38 08|"; within:4; distance:8; content:"|1C 59 38 08|"; within:250; reference:bugtraq,65379; reference:cve,2014-1912; reference:url,bugs.python.org/issue20246; classtype:attempted-user; sid:29968; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Python socket.recvfrom_into remote buffer overflow attempt"; flow:to_server,established; content:"|08 79 AE B7|"; depth:4; offset:4; content:"|08 79 AE B7|"; within:4; distance:8; content:"|E0 B7 05 08|"; within:250; reference:bugtraq,65379; reference:cve,2014-1912; reference:url,bugs.python.org/issue20246; classtype:attempted-user; sid:29967; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-OTHER Ubiquiti airCam RTSP service buffer overflow attempt"; flow:to_server; content:"DESCRIBE rtsp://"; depth:16; isdataat:256,relative; content:!"|20|"; within:256; content:!"|3A|"; within:256; content:"|3A|"; distance:256; metadata:service rtsp; reference:bugtraq,60487; reference:cve,2013-1606; reference:url,packetstormsecurity.com/files/121986/Ubiquiti-airCam-RTSP-Service-Buffer-Overflow.html; classtype:attempted-admin; sid:29966; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER multiple products HTTP HEAD request buffer overflow attempt"; flow:to_server,established; content:"HEAD |2F|"; depth:6; isdataat:1000,relative; content:!"HTTP|2F|1"; within:1000; metadata:service http; reference:cve,2002-2268; reference:cve,2012-5876; classtype:attempted-user; sid:29958; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt"; flow:to_server,established; urilen:>200,norm; content:"Content-Length: 0"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2002-2268; reference:cve,2014-4158; classtype:attempted-user; sid:29957; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-OTHER Ubiquiti airCam RTSP service buffer overflow attempt"; flow:to_server; content:"DESCRIBE rtsp://"; depth:16; isdataat:256,relative; content:!"|20|"; within:256; content:!"|3A|"; within:256; content:"|3A|"; distance:256; metadata:service rtsp; reference:bugtraq,60487; reference:cve,2013-1606; reference:url,packetstormsecurity.com/files/121986/Ubiquiti-airCam-RTSP-Service-Buffer-Overflow.html; classtype:attempted-admin; sid:29953; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [443,5003,50500,54345] (msg:"SERVER-OTHER HP LoadRunner XDR handling heap buffer overflow"; flow:to_server,established; content:"|00 00 00 19|"; depth:4; fast_pattern; isdataat:60; content:"|FF FF FF|"; distance:45; byte_test:1,>,244,0,relative; byte_test:1,<,253,0,relative; reference:cve,2013-4799; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03862772; classtype:attempted-user; sid:29952; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4559 (msg:"SERVER-OTHER HylaFAX plus LDAP authentication username buffer overflow attempt"; flow:established, to_server; content:"USER "; depth:5; content:!"|0A|"; within:256; metadata:service ftp; reference:bugtraq,62729; reference:cve,2013-5680; classtype:attempted-admin; sid:29951; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER TP-Link TL-WR740N wireless router remote denial of service attempt"; flow:to_server,established; urilen:4; content:"/..."; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,58623; reference:url,www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5135.php; classtype:attempted-dos; sid:29950; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:"SERVER-OTHER Borland VisiBroker Smart Agent heap overflow attempt"; flow:to_server; content:"DSRequest"; depth:20; offset:10; nocase; byte_test:4, =, 4294967295, 1, relative; reference:bugtraq,28084; reference:cve,2008-7126; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; classtype:attempted-user; sid:30032; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 257 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"2|00|5|00|7|00 00 00 20 00|"; depth:10; offset:6; content:"|20 00|"; distance:0; isdataat:1300,relative; content:!"|00 00|"; within:1300; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,64647; reference:cve,2013-6195; reference:url,h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03822422; classtype:attempted-admin; sid:30097; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 219 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"2|00|1|00|9|00 00 00 20 00|"; depth:10; offset:6; content:"|20 00|"; distance:0; isdataat:1300,relative; content:!"|00 00|"; within:1300; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,64647; reference:cve,2013-6195; reference:url,h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03822422; classtype:attempted-admin; sid:30096; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 216 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"2|00|1|00|6|00 00 00 20 00|"; depth:10; offset:6; content:"|20 00|"; distance:0; isdataat:1300,relative; content:!"|00 00|"; within:1300; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,64647; reference:cve,2013-6195; reference:url,h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03822422; classtype:attempted-admin; sid:30095; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 214 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"2|00|1|00|4|00 00 00 20 00|"; depth:10; offset:6; content:"|20 00|"; distance:0; isdataat:1300,relative; content:!"|00 00|"; within:1300; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,64647; reference:cve,2013-6195; reference:url,h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03822422; classtype:attempted-admin; sid:30094; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [19985,19988] (msg:"SERVER-OTHER HP AIO Archive Query Server stack buffer overflow attempt"; flow:to_server,established; content:"GIOP|01 01|"; depth:6; fast_pattern; content:"|00|"; within:1; distance:1; content:"|00 00 00|"; within:3; distance:13; byte_jump:4,0,relative; byte_jump:4,2,relative; byte_jump:4,0,relative; content:"|0D|"; within:1; distance:6; byte_test:1,>,9,0,relative; byte_test:1,>,0x11,1,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,64557; reference:cve,2013-6189; classtype:attempted-admin; sid:30207; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [19985,19988] (msg:"SERVER-OTHER HP AIO Archive Query Server stack buffer overflow attempt"; flow:to_server,established; content:"GIOP|01 01|"; depth:6; fast_pattern; content:"|00|"; within:1; distance:1; content:"|00 00 00|"; within:3; distance:13; byte_jump:4,0,relative; byte_jump:4,2,relative; byte_jump:4,0,relative; content:"|0D|"; within:1; distance:6; byte_test:1,<,2,0,relative; byte_test:1,>,0x11,1,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,64557; reference:cve,2013-6189; classtype:attempted-admin; sid:30206; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [19985,19988] (msg:"SERVER-OTHER HP AIO Archive Query Server stack buffer overflow attempt"; flow:to_server,established; content:"GIOP|01 01|"; depth:6; fast_pattern; content:"|00|"; within:1; distance:1; content:"|00 00 00|"; within:3; distance:13; byte_jump:4,0,relative; byte_jump:4,2,relative; byte_jump:4,0,relative; content:"|0D 06|"; within:2; distance:6; byte_test:1,>,0x11,0,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,64557; reference:cve,2013-6189; classtype:attempted-admin; sid:30205; rev:2;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"SERVER-OTHER Cisco Catalyst telnet memory leak denial of service attempt"; flow:to_server,established,no_stream; content:"AAA"; nocase; detection_filter:track by_src, count 10, seconds 1; metadata:service telnet; reference:bugtraq,2072; reference:url,www.cisco.com/en/US/products/hw/routers/ps295/products_security_notice09186a008020ce3f.html; classtype:attempted-dos; sid:30339; rev:2;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"SERVER-OTHER Cisco 677-678 telnet buffer overflow attempt"; flow:to_server,established; content:"%%%%%XX%%%%%?????????????????a~"; fast_pattern:only; metadata:service telnet; reference:url,www.cisco.com/en/US/products/hw/routers/ps295/products_security_notice09186a008020ce3f.html; classtype:attempted-dos; sid:30338; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"SERVER-OTHER Cisco Catalyst SSH protocol mismatch denial of service attempt"; flow:to_server,established; content:"a%a%a%a%a%a%a%"; fast_pattern:only; metadata:service ssh; reference:bugtraq,2117; reference:url,www.cisco.com/en/US/products/hw/routers/ps295/products_security_notice09186a008020ce3f.html; classtype:attempted-dos; sid:30337; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER McAfee Asset Manager downloadReport information disclosure attempt"; flow:to_server,established; content:"/servlet/downloadReport"; fast_pattern:only; http_uri; content:"reportFileName="; http_uri; pcre:"/reportFileName=[^&]*\x2e\x2e/U"; metadata:service http; reference:bugtraq,66302; reference:cve,2014-2588; classtype:attempted-recon; sid:30330; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER McAfee Asset Manager downloadReport information disclosure attempt"; flow:to_server,established; content:"/servlet/downloadReport"; fast_pattern:only; http_uri; content:"reportFileName="; http_client_body; pcre:"/reportFileName=[^&]*(\x2e\x2e|%2e%2e)/P"; metadata:service http; reference:bugtraq,66302; reference:cve,2014-2588; classtype:attempted-recon; sid:30329; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,5555] (msg:"SERVER-OTHER MiniUPnPd ExecuteSoapAction buffer overflow attempt"; flow:to_server,established; content:"SOAPAction|3A|"; isdataat:1024,relative; content:!"|22|"; within:1024; metadata:service http; reference:cve,2013-0230; classtype:attempted-admin; sid:30507; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"SERVER-OTHER Zilab Chat and Instant Messaging server connection heap overflow attempt"; flow:to_server,established; content:"|0F 02|"; depth:2; byte_test:4,>,0xFFF,8,relative,little; reference:bugtraq,27940; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; classtype:attempted-user; sid:30489; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"SERVER-OTHER Zilab Chat and Instant Messaging server channel join heap overflow attempt"; flow:to_server,established; content:"|13 01|"; depth:2; byte_test:4,>,160,0,relative,little; reference:bugtraq,27940; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; classtype:attempted-user; sid:30488; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"SERVER-OTHER Zilab Chat and Instant Messaging server heap overflow attempt"; flow:to_server,established; content:"|11 01|"; depth:2; byte_test:4,>,512,0,relative,little; reference:bugtraq,27940; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; classtype:attempted-user; sid:30487; rev:1;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established,only_stream; content:"|18 03 03|"; depth:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30517; rev:9;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established,only_stream; content:"|18 03 02|"; depth:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30516; rev:9;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established,only_stream; content:"|18 03 01|"; depth:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30515; rev:9;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established,only_stream; content:"|18 03 00|"; depth:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30514; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt"; flow:to_server,established,only_stream; content:"|18 03 03|"; depth:3; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30513; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt"; flow:to_server,established,only_stream; content:"|18 03 02|"; depth:3; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30512; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1 heartbeat read overrun attempt"; flow:to_server,established,only_stream; content:"|18 03 01|"; depth:3; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30511; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt"; flow:to_server,established,only_stream; content:"|18 03 00|"; depth:3; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30510; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt - vulnerable client response"; flow:to_server,established,only_stream; content:"|18 03 03|"; depth:3; byte_test:2,>,128,3; detection_filter:track by_dst, count 2, seconds 5; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30523; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt - vulnerable client response"; flow:to_server,established,only_stream; content:"|18 03 02|"; depth:3; byte_test:2,>,128,3; detection_filter:track by_dst, count 2, seconds 5; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30522; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1 heartbeat read overrun attempt - vulnerable client response"; flow:to_server,established,only_stream; content:"|18 03 01|"; depth:3; byte_test:2,>,128,3; detection_filter:track by_dst, count 2, seconds 5; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30521; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt - vulnerable client response"; flow:to_server,established,only_stream; content:"|18 03 00|"; depth:3; byte_test:2,>,128,3; detection_filter:track by_dst, count 2, seconds 5; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30520; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt"; flow:to_server,established; dsize:69; content:"|18 03 03 00 40|"; depth:5; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30525; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt"; flow:to_server,established; dsize:8; content:"|18 03 02 00 03 01 40 00|"; depth:8; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30524; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL Heartbleed masscan access exploitation attempt"; flow:to_server,established; content:"[masscan/1.0]"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30549; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Wordpress linenity theme LFI attempt"; flow:to_server, established; content:"/wp-content/themes/linenity/functions/download.php"; http_uri; content:"imgurl="; distance:0; http_uri; content:"../"; distance:0; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,66921; classtype:attempted-admin; sid:30769; rev:2;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 03|"; byte_jump:2,0,relative; content:"|18 03 03|"; within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30788; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 02|"; byte_jump:2,0,relative; content:"|18 03 02|"; within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30787; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 01|"; byte_jump:2,0,relative; content:"|18 03 01|"; within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30786; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 00|"; byte_jump:2,0,relative; content:"|18 03 00|"; within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30785; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|17 03 03|"; byte_jump:2,0,relative; content:"|18 03 03|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30784; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|16 03 03|"; byte_jump:2,0,relative; content:"|18 03 03|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30783; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|17 03 02|"; byte_jump:2,0,relative; content:"|18 03 02|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30782; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|16 03 02|"; byte_jump:2,0,relative; content:"|18 03 02|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30781; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|17 03 01|"; byte_jump:2,0,relative; content:"|18 03 01|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30780; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|16 03 01|"; byte_jump:2,0,relative; content:"|18 03 01|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30779; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|17 03 00|"; byte_jump:2,0,relative; content:"|18 03 00|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30778; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|16 03 00|"; byte_jump:2,0,relative; content:"|18 03 00|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30777; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER SAP NetWeaver dir content listing attempt"; flow:to_server, established; content:"/sap/bc/soap/rfc"; fast_pattern:only; http_uri; content:"SOAPAction: urn:sap-com:document:sap:rfc:functions"; http_header; content:"RZL_READ_DIR_LOCAL"; http_client_body; content:"<FILE_TBL>"; http_client_body; content:"<NAME>"; distance:0; http_client_body; content:"/"; within:100; http_client_body; content:"</NAME>"; within:100; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-admin; sid:30928; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER UNIX platform forwardslash directory traversal"; flow:to_server,established; content:"/..%2F"; fast_pattern:only; content:"/..%2F"; http_raw_uri; metadata:service http; reference:bugtraq,67244; reference:cve,2014-0130; reference:url,weblog.rubyonrails.org/2014/5/6/Rails_3_2_18_4_0_5_and_4_1_1_have_been_released/; classtype:web-application-attack; sid:31013; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER CMSimple remote file inclusion attempt"; flow:to_server, established; content:"plugins/filebrowser/classes/required_classes.php"; fast_pattern; http_uri; content:"=http"; distance:0; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploit-db.com/download/32930; classtype:attempted-admin; sid:30996; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Oracle Demantra arbitrary file retrieval with authentication bypass attempt"; flow:to_server,established; content:"/../../"; fast_pattern:only; content:"/demantra/"; depth:10; http_uri; content:"/../../GraphServlet"; offset:10; http_raw_uri; metadata:service http; reference:bugtraq,64836; reference:cve,2013-5880; classtype:attempted-user; sid:31045; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,443] (msg:"SERVER-OTHER F5 BIG-IP iControl API hostname command injection attempt"; flow:to_server,established; content:"/iControl/iControlPortal.cgi"; fast_pattern:only; content:"urn:iControl:System/Inet"; nocase; content:"<hostname>"; nocase; pcre:"/<hostname>.{0,250}[\x60\x3b\x7c\x24\x28\x26]/sim"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,67278; reference:cve,2014-2928; reference:url,support.f5.com/kb/en-us/solutions/public/15000/200/sol15220.html; classtype:attempted-admin; sid:31068; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg:"SERVER-OTHER Vino VNC multiple client authentication denial of service attempt"; flow:to_server,established,no_stream; content:"RFB 003."; depth:8; detection_filter:track by_src, count 1, seconds 1; reference:cve,2013-5745; classtype:attempted-dos; sid:31082; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER TrendMicro InterScan Viruswall directory traversal attempt"; flow:to_server,established; content:"/ishttpd/localweb/java/?"; nocase; http_uri; content:"../"; distance:0; http_uri; metadata:service http; reference:cve,2004-1859; reference:url,www.securityfocus.com/bid/9966; classtype:misc-activity; sid:31102; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Sharetronix cross site request forgery attempt"; flow:to_server,established; content:"POST"; http_method; content:"admin/administrators"; fast_pattern:only; http_uri; content:"admin="; depth:6; nocase; http_client_body; pcre:"/^admin=[a-z0-9-_]{3,30}/Pi"; metadata:service http; reference:bugtraq,67681; reference:cve,2014-3414; classtype:attempted-admin; sid:31101; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Beetel 450TC2 CSRF attempt"; flow:to_server,established; content:"Forms/tools_admin_1"; fast_pattern:only; http_uri; content:"uiViewTools_Password="; depth:21; http_client_body; content:"&uiViewTools_PasswordConfirm="; distance:0; http_client_body; metadata:service http; reference:bugtraq,67169; reference:cve,2014-3792; classtype:attempted-admin; sid:31162; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER AuraCMS LFI attempt"; flow:to_server, established; content:"filemanager.php"; http_uri; content:"viewdir="; distance:0; http_uri; content:"../"; distance:0; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploit-db.com/exploits/33555; classtype:attempted-admin; sid:31161; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [4433,443,10000:] (msg:"SERVER-OTHER OpenSSL DTLS handshake recursion denial of service attempt"; flow:to_client; content:"|16 FE|"; depth:2; content:"|00 0C 00 00 00 00 00 00 00 00 00 00 00 00|"; within:14; distance:9; detection_filter:track by_src, count 20, seconds 5; reference:cve,2014-0221; reference:url,www.openssl.org/news/secadv_20140605.txt; classtype:attempted-dos; sid:31181; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [4433,443] (msg:"SERVER-OTHER OpenSSL DTLS handshake recursion denial of service attempt"; flow:to_client; content:"|16 FE FF|"; depth:3; content:"|01|"; within:1; distance:10; byte_extract:3,0,frag,relative; byte_test:3,!=,frag,5,relative; detection_filter:track by_src, count 20, seconds 1; reference:cve,2014-0221; reference:url,www.openssl.org/news/secadv_20140605.txt; classtype:attempted-dos; sid:31180; rev:6;)
# alert tcp $EXTERNAL_NET [25,443,465,587,636,992,993,995,2484,8443] -> $HOME_NET any (msg:"SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt"; flow:to_client,established; content:"|16 03 03|"; depth:3; content:"|02|"; within:1; distance:2; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_test:1,>,32,33,relative; metadata:service ssl; reference:bugtraq,67741; reference:cve,2014-3466; reference:url,gnutls.org/security.html#GNUTLS-SA-2014-3; classtype:attempted-user; sid:31179; rev:4;)
# alert tcp $EXTERNAL_NET [25,443,465,587,636,992,993,995,2484,8443] -> $HOME_NET any (msg:"SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt"; flow:to_client,established; content:"|16 03 02|"; depth:3; content:"|02|"; within:1; distance:2; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_test:1,>,32,33,relative; metadata:service ssl; reference:bugtraq,67741; reference:cve,2014-3466; reference:url,gnutls.org/security.html#GNUTLS-SA-2014-3; classtype:attempted-user; sid:31178; rev:4;)
# alert tcp $EXTERNAL_NET [25,443,465,587,636,992,993,995,2484,8443] -> $HOME_NET any (msg:"SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt"; flow:to_client,established; content:"|16 03 01|"; depth:3; content:"|02|"; within:1; distance:2; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_test:1,>,32,33,relative; metadata:service ssl; reference:bugtraq,67741; reference:cve,2014-3466; reference:url,gnutls.org/security.html#GNUTLS-SA-2014-3; classtype:attempted-user; sid:31177; rev:4;)
# alert tcp $EXTERNAL_NET [25,443,465,587,636,992,993,995,2484,8443] -> $HOME_NET any (msg:"SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt"; flow:to_client,established; content:"|16 03 02 01 50 45 32 49 E7 23 DF BD 9B 4E CA 35 D6 7D 32 8C 15 F0 EF 74 79 58 F5 87 2B 2B 96 02 F5 7C 2B A3|"; fast_pattern:only; metadata:service ssl; reference:bugtraq,67741; reference:cve,2014-3466; reference:url,gnutls.org/security.html#GNUTLS-SA-2014-3; classtype:attempted-user; sid:31176; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Xerox DocuShare SQL injection attempt"; flow:to_server,established; content:"/docushare/dsweb/ResultBackgroundJobMultiple/"; fast_pattern:only; http_uri; pcre:"/\/docushare\/dsweb\/ResultBackgroundJobMultiple\/\d*[^\d]/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,66922; classtype:attempted-admin; sid:31300; rev:3;)
# alert udp $EXTERNAL_NET 7001 -> $HOME_NET 7000 (msg:"SERVER-OTHER OpenAFS GetStatistics buffer overflow attempt"; flow:to_server; content:"|01|"; depth:1; offset:20; content:"|00 01 00 06 00 00 00|"; within:7; distance:7; content:!"|10|"; within:1; reference:bugtraq,66776; reference:cve,2014-0159; classtype:denial-of-service; sid:31338; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5666 (msg:"SERVER-OTHER Nagios NRPE command execution attempt"; flow:to_server,established; content:"|00 02 00 01|"; depth:4; content:"|0A|"; distance:6; reference:bugtraq,66969; reference:cve,2014-2913; classtype:attempted-admin; sid:31337; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Samsung TV denial of service attempt"; flow:to_server,established; urilen:>300; content:"Content-Length: 0|0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2013-4890; classtype:attempted-dos; sid:31406; rev:3;)
alert tcp any any -> $HTTP_SERVERS 443 (msg:"SERVER-OTHER OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt"; flow:to_server,established; content:"|16 03 01|"; depth:3; content:"|01|"; within:1; distance:2; content:"|03 03|"; within:2; distance:3; byte_test:2,!=,0,33,relative; flowbits:set,tlsv1.2_handshake; flowbits:noalert; metadata:service ssl; reference:bugtraq,67899; reference:cve,2014-0224; reference:url,www.openssl.org/news/secadv_20140605.txt; classtype:attempted-dos; sid:31484; rev:1;)
alert tcp any any -> $HTTP_SERVERS 443 (msg:"SERVER-OTHER OpenSSL TLSv1.1 ChangeCipherSpec man-in-the-middle exploitation attempt"; flow:to_server,established; content:"|16 03 01|"; depth:3; content:"|01|"; within:1; distance:2; content:"|03 02|"; within:2; distance:3; byte_test:2,!=,0,33,relative; flowbits:set,tlsv1.1_handshake; flowbits:noalert; metadata:service ssl; reference:bugtraq,67899; reference:cve,2014-0224; reference:url,www.openssl.org/news/secadv_20140605.txt; classtype:attempted-dos; sid:31483; rev:1;)
alert tcp any any -> $HTTP_SERVERS 443 (msg:"SERVER-OTHER OpenSSL TLSv1.0 ChangeCipherSpec man-in-the-middle exploitation attempt"; flow:to_server,established; content:"|16 03 01|"; depth:3; content:"|01|"; within:1; distance:2; content:"|03 01|"; within:2; distance:3; byte_test:2,!=,0,33,relative; flowbits:set,tlsv1.0_handshake; flowbits:noalert; metadata:service ssl; reference:bugtraq,67899; reference:cve,2014-0224; reference:url,www.openssl.org/news/secadv_20140605.txt; classtype:attempted-dos; sid:31482; rev:1;)
alert tcp any any -> $HTTP_SERVERS 443 (msg:"SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle exploitation attempt"; flow:to_server,established; content:"|16 03 00|"; depth:3; content:"|01|"; within:1; distance:2; content:"|03 00|"; within:2; distance:3; byte_test:2,!=,0,33,relative; flowbits:set,ssl_handshake; flowbits:noalert; metadata:service ssl; reference:bugtraq,67899; reference:cve,2014-0224; reference:url,www.openssl.org/news/secadv_20140605.txt; classtype:attempted-dos; sid:31481; rev:1;)
# alert tcp $HTTP_SERVERS 443 -> any any (msg:"SERVER-OTHER OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt"; flow:to_client,established; flowbits:isset,tlsv1.2_handshake; content:"|14 03 03 00 01 01 14 03 03 00 01 01|"; fast_pattern:only; metadata:service ssl; reference:bugtraq,67899; reference:cve,2014-0224; reference:url,www.openssl.org/news/secadv_20140605.txt; classtype:attempted-dos; sid:31480; rev:2;)
# alert tcp $HTTP_SERVERS 443 -> any any (msg:"SERVER-OTHER OpenSSL TLSv1.1 ChangeCipherSpec man-in-the-middle exploitation attempt"; flow:to_client,established; flowbits:isset,tlsv1.1_handshake; content:"|14 03 02 00 01 01 14 03 02 00 01 01|"; fast_pattern:only; metadata:service ssl; reference:bugtraq,67899; reference:cve,2014-0224; reference:url,www.openssl.org/news/secadv_20140605.txt; classtype:attempted-dos; sid:31479; rev:2;)
# alert tcp $HTTP_SERVERS 443 -> any any (msg:"SERVER-OTHER OpenSSL TLSv1.0 ChangeCipherSpec man-in-the-middle exploitation attempt"; flow:to_client,established; flowbits:isset,tlsv1.0_handshake; content:"|14 03 01 00 01 01 14 03 01 00 01 01|"; fast_pattern:only; metadata:service ssl; reference:bugtraq,67899; reference:cve,2014-0224; reference:url,www.openssl.org/news/secadv_20140605.txt; classtype:attempted-dos; sid:31478; rev:2;)
# alert tcp $HTTP_SERVERS 443 -> any any (msg:"SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle exploitation attempt"; flow:to_client,established; flowbits:isset,ssl_handshake; content:"|14 03 00 00 01 01 14 03 00 00 01 01|"; fast_pattern:only; metadata:service ssl; reference:bugtraq,67899; reference:cve,2014-0224; reference:url,www.openssl.org/news/secadv_20140605.txt; classtype:attempted-dos; sid:31477; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER D-Link Multiple Products HNAP request buffer overflow attempt"; flow:to_server,established; urilen:6<>7,norm; content:"/HNAP1"; fast_pattern:only; http_uri; content:"POST"; http_method; content:"Content-Length|3A|"; http_raw_header; byte_test:10,>,10000,0,relative,string,dec; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,67651; reference:cve,2014-3936; classtype:attempted-admin; sid:31529; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER HP AutoPass License Server CommunicationServlet directory traversal attempt"; flow:to_server,established; content:"/autopass/cs/pdfupload"; fast_pattern:only; http_uri; content:"multipart"; http_header; content:"filename"; nocase; http_client_body; pcre:"/filename\s*?=\s*?[\x22\x27]?[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,67989; reference:cve,2013-6221; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04333125; classtype:attempted-admin; sid:31526; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER HP AutoPass License Server CommunicationServlet directory traversal attempt"; flow:to_server,established; content:"/autopass/cs/pdfupload"; fast_pattern:only; http_uri; content:"urlencoded"; http_header; content:"filename="; nocase; http_client_body; pcre:"/filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,67989; reference:cve,2013-6221; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04333125; classtype:attempted-admin; sid:31525; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Cougar-LG configuration file access attempt"; flow:to_server,established; content:"/lg/"; nocase; http_uri; content:"lg.conf"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2014-3928; reference:url,s3.eurecom.fr/cve/CVE-2014-3928.txt; classtype:attempted-recon; sid:31709; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Cougar-LG SSH key path access attempt"; flow:to_server,established; content:"/lg/"; nocase; http_uri; content:"/.ssh"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2014-3929; reference:url,s3.eurecom.fr/cve/CVE-2014-3929.txt; classtype:attempted-recon; sid:31708; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER FCKeditor textinputs cross site scripting attempt"; flow:to_server,established; content:"/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php"; fast_pattern:only; http_uri; content:"<script>"; http_client_body; metadata:service http; reference:cve,2014-4037; classtype:web-application-attack; sid:31704; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Cistron-LG configuration file access attempt"; flow:to_server,established; content:"/lg/"; nocase; http_uri; content:"/lg.cfg"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2014-3930; reference:url,s3.eurecom.fr/cve/CVE-2014-3930.txt; classtype:attempted-recon; sid:31727; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER MIT Kerberos KDC TGS request cross-realm referral null pointer dereference denial of service attempt"; flow:to_server; content:"|05|"; depth:54; content:"|0C|"; within:1; distance:4; content:"|30|"; distance:0; content:"|1B|"; within:1; distance:18; pcre:"/\x1B.(\d{1,3}\.){3}\d/"; metadata:service kerberos; reference:bugtraq,37486; reference:cve,2009-3295; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-003.txt; classtype:attempted-dos; sid:31765; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER MIT Kerberos KDC TGS request cross-realm referral null pointer dereference denial of service attempt"; flow:to_server,established; content:"|05|"; depth:54; content:"|0C|"; within:1; distance:4; content:"|30|"; distance:0; content:"|1B|"; within:1; distance:18; pcre:"/\x1B.(\d{1,3}\.){3}\d/"; metadata:service kerberos; reference:bugtraq,37486; reference:cve,2009-3295; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-003.txt; classtype:attempted-dos; sid:31764; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Multi-Router Looking Glass remote command injection attempt"; flow:to_server, established; content:"lg.cgi"; http_uri; content:"router="; depth:7; http_client_body; content:"arg="; distance:0; http_client_body; pcre:"/^router=.*?arg=[a-z\d\.]*[^a-z\d\.&]/iP"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2014-3927; reference:url,www.s3.eurecom.fr/cve/CVE-2014-3927.txt; classtype:attempted-admin; sid:31741; rev:1;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER MRLG fastping echo reply memory corruption attempt"; icode:0; itype:0; content:!"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; content:!"0123456789abcdefghijklmnopqrstuv"; depth:32; content:!"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"; depth:36; byte_test:4,>,1000000,8,little; reference:cve,2014-3931; reference:url,mrlg.op-sec.us/; reference:url,s3.eurecom.fr/cve/CVE-2014-3931.txt; classtype:misc-attack; sid:31767; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Cougar-LG addr parameter XSS attempt"; flow:to_server, established; content:"lg.cgi"; fast_pattern:only; http_uri; content:"router="; depth:250; http_client_body; content:"query="; depth:250; http_client_body; content:"addr="; depth:250; http_client_body; pcre:"/addr\s*?\x3d\s*?[a-z\d\.]*?[^a-z\d\.&]/smiP"; metadata:service http; reference:cve,2014-3926; reference:url,www.s3.eurecom.fr/cve/CVE-2014-3926.txt; classtype:misc-attack; sid:31766; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 631 (msg:"SERVER-OTHER Apple CUPS web interface cross site scripting attempt"; flow:to_server,established; content:"<SCRIPT"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,75106; reference:cve,2014-2856; reference:cve,2015-1159; reference:url,cups.org/blog.php?L1082; classtype:web-application-attack; sid:31860; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET [696,7426] (msg:"SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt"; flow:stateless; content:"|A9 02 00 00|-S"; depth:6; isdataat:20,relative; content:!"|3B|"; within:20; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:cve,2014-2624; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04378450; classtype:attempted-admin; sid:32085; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET [696,7426] (msg:"SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt"; flow:stateless; content:"|A9 02 00 00|-S"; depth:6; content:"|3B|"; distance:0; isdataat:256,relative; content:!"|3B|"; within:256; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:cve,2014-2624; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04378450; classtype:attempted-admin; sid:32084; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 1091 directory traversal attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"1|00|0|00|9|00|1|00 00 00|"; depth:10; offset:6; content:"|2E 00 2E 00|"; distance:0; reference:bugtraq,68856; reference:cve,2014-5160; classtype:attempted-admin; sid:32076; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt"; flow:to_server,established,only_stream; ssl_version:sslv3; ssl_state:client_hello; content:"|16 03 00|"; fast_pattern:only; detection_filter:track by_src,count 100,seconds 1; metadata:service ssl; reference:cve,2014-3566; reference:cve,2014-3568; reference:url,attack.mitre.org/techniques/T1110; classtype:attempted-recon; sid:32205; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt"; flow:to_server,established,only_stream; ssl_version:sslv3; ssl_state:client_hello; content:"|16 03 00|"; fast_pattern:only; detection_filter:track by_src,count 100,seconds 1; metadata:service ssl; reference:cve,2014-3566; reference:cve,2014-3568; reference:url,attack.mitre.org/techniques/T1110; classtype:attempted-recon; sid:32204; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 305 directory traversal attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"3|00|0|00|5|00 00 00|"; depth:8; offset:6; content:"|2E 00 2E 00|"; distance:0; reference:bugtraq,68855; reference:cve,2014-5160; classtype:attempted-admin; sid:32199; rev:3;)
# alert udp any any -> $HOME_NET 514 (msg:"SERVER-OTHER rsyslog remote PRI out of bounds attempt"; flow:to_server; content:"<"; depth:1; content:">"; within:8; distance:3; byte_test:10,>,191,1,string,dec; metadata:service syslog; reference:cve,2014-3634; reference:cve,2014-3683; reference:url,www.rsyslog.com/remote-syslog-pri-vulnerability; classtype:denial-of-service; sid:32240; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3050 (msg:"SERVER-OTHER Firebird database invalid state integer overflow attempt"; flow:to_server,established; content:"|01 00 00 00 13 00 00 00 02 00 00 00 1D 00 00 00 09|C:|5C|rt.fdb"; depth:26; offset:3; metadata:policy max-detect-ips drop; reference:bugtraq,27403; reference:cve,2008-0387; classtype:attempted-dos; sid:32224; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3050 (msg:"SERVER-OTHER Firebird database invalid state integer overflow attempt"; flow:to_server,established; content:"|00 00 00 4A 4A 4A 4A 4A 4A 4A 4A 4A 4A 4A 4A 4A 4A 4A 4A 4A 4A 4A 4A 4A 4A 4A 4A 4A 4A 4A 4A 4A|"; depth:32; metadata:policy max-detect-ips drop; reference:bugtraq,27403; reference:cve,2008-0387; classtype:attempted-dos; sid:32223; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 998 (msg:"SERVER-OTHER Novell ZENworks PreBoot directory traversal attempt"; flow:to_server,established; content:"|00 00 00 21|"; depth:4; content:"|5C 00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; distance:4; fast_pattern; reference:cve,2013-3706; reference:url,www.novell.com/support/kb/doc.php?id=7014663; classtype:attempted-admin; sid:32277; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER Generic JPEG stored cross site scripting attempt"; flow:to_server,established; file_data; flowbits:isset,file.jpeg; content:!"|FF D8 FF E0|"; depth:4; content:"new Image()"; nocase; content:".src="; within:10; nocase; content:"document.cookie"; within:100; metadata:service smtp; reference:url,www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_%28OTG-INPVAL-002%29; classtype:web-application-attack; sid:32322; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Generic JPEG stored cross site scripting attempt"; flow:to_client,established; file_data; flowbits:isset,file.jpeg; content:!"|FF D8 FF E0|"; depth:4; content:"new Image()"; nocase; content:".src="; within:10; nocase; content:"document.cookie"; within:100; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_%28OTG-INPVAL-002%29; classtype:web-application-attack; sid:32321; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 1091 directory traversal attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"1091|00|"; depth:5; offset:4; content:".."; distance:0; pcre:"/1091\x00[^\x00]*?\x2e\x2e[\x2f\x5c]/"; reference:bugtraq,68856; reference:cve,2014-5160; classtype:attempted-admin; sid:32346; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 40003 (msg:"SERVER-OTHER AlienVault OSSIM framework backup_restore action command injection attempt"; flow:to_server,established; content:"action=|22|backup_restore|22|"; fast_pattern:only; content:"bbdd"; nocase; pcre:"/bbdd(host|user|passwd)=\x22[^\s]*?([\x60\x3b\x7c]|\x24\x28)/i"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,68998; reference:cve,2014-5158; reference:url,www.alienvault.com/forums/discussion/2559/security-advisory-multiple-vulnerabilities; classtype:attempted-admin; sid:32342; rev:3;)
# alert tcp $EXTERNAL_NET 3010 -> $HOME_NET any (msg:"SERVER-OTHER Citrix NetScaler stack buffer overflow attempt"; flow:to_client,established; content:"|00 00 A5 A5|"; depth:4; offset:2; isdataat:606,relative; content:!"|00|"; within:606; reference:url,console-cowboys.blogspot.com/2014/09/scaling-netscaler.html; classtype:attempted-admin; sid:32376; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET [696,7426] (msg:"SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt"; flow:stateless; content:"|A9 02 00 00|-L"; depth:6; isdataat:278,relative; content:!"|00|"; within:278; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:cve,2014-2624; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04378450; classtype:attempted-admin; sid:32371; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt"; flow:to_server,established; file_data; content:"aim|3A|goaway?message="; nocase; isdataat:500,relative; pcre:"/\x22aim\x3Agoaway\x3Fmessage\x3D[^\x22]{500}|\x27aim\x3Agoaway\x3Fmessage\x3D[^\x27]{500}|aim\x3Agoaway\x3Fmessage\x3D[^\s]{500}/i"; metadata:ruleset community, service smtp; reference:bugtraq,10889; reference:cve,2004-0636; classtype:misc-attack; sid:32370; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [25,443,465,587,5061] (msg:"SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt"; flow:to_server; ssl_version:!sslv2; ssl_state:client_hello; content:"|16 03|"; depth:2; content:"|00 0E|"; within:2; distance:60; isdataat:100,relative; detection_filter:track by_dst, count 20, seconds 10; metadata:service ssl; reference:bugtraq,70584; reference:cve,2014-3513; reference:url,www.openssl.org/news/secadv_20141015.txt; classtype:attempted-dos; sid:32382; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [25,443,465,587,5061] (msg:"SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt"; flow:to_server,established,only_stream; ssl_version:!sslv2; ssl_state:client_hello; content:"|16 03|"; depth:2; content:"|00 0E|"; within:2; distance:60; isdataat:100,relative; detection_filter:track by_dst, count 20, seconds 10; metadata:service ssl; reference:bugtraq,70584; reference:cve,2014-3513; reference:url,www.openssl.org/news/secadv_20141015.txt; classtype:attempted-dos; sid:32381; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"SERVER-OTHER OpenSSL TLS large number of session tickets sent - possible dos attempt"; flow:to_server,established,only_stream; content:"|16 03 03|"; depth:3; content:"|01|"; within:1; distance:2; content:"|FF 01 00 01 00 00 23|"; distance:0; detection_filter:track by_src, count 20, seconds 30; metadata:service ssl; reference:bugtraq,70586; reference:cve,2014-3567; classtype:attempted-dos; sid:32468; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"SERVER-OTHER OpenSSL TLS large number of session tickets sent - possible dos attempt"; flow:to_server,established,only_stream; content:"|16 03 02|"; depth:3; content:"|01|"; within:1; distance:2; content:"|FF 01 00 01 00 00 23|"; distance:0; detection_filter:track by_src, count 20, seconds 30; metadata:service ssl; reference:bugtraq,70586; reference:cve,2014-3567; classtype:attempted-dos; sid:32467; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"SERVER-OTHER OpenSSL TLS large number of session tickets sent - possible dos attempt"; flow:to_server,established,only_stream; content:"|16 03 01|"; depth:3; content:"|01|"; within:1; distance:2; content:"|FF 01 00 01 00 00 23|"; distance:0; detection_filter:track by_src, count 20, seconds 30; metadata:service ssl; reference:bugtraq,70586; reference:cve,2014-3567; classtype:attempted-dos; sid:32466; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"SERVER-OTHER OpenSSL TLS large number of session tickets sent - possible dos attempt"; flow:to_server,established,only_stream; content:"|16 03 00|"; depth:3; content:"|01|"; within:1; distance:2; content:"|FF 01 00 01 00 00 23|"; distance:0; detection_filter:track by_src, count 20, seconds 30; metadata:service ssl; reference:bugtraq,70586; reference:cve,2014-3567; classtype:attempted-dos; sid:32465; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET [696,7426] (msg:"SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt"; flow:stateless; content:"|A9 02 00 00|-T"; depth:6; isdataat:276,relative; content:!"|00|"; within:276; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:cve,2014-2624; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04378450; classtype:attempted-admin; sid:32403; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET [696,7426] (msg:"SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt"; flow:stateless; content:"|A9 02 00 00|-D"; depth:6; isdataat:270,relative; content:!"|00|"; within:270; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:cve,2014-2624; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04378450; classtype:attempted-admin; sid:32530; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-OTHER Hikvision DVR RTSP request buffer overflow attempt"; flow:to_server,established; content:"PLAY rtsp://"; depth:12; fast_pattern; nocase; content:"|0D 0A|Authorization|3A|"; isdataat:512,relative; content:!"|0A|"; within:512; metadata:service rtsp; reference:cve,2014-4880; classtype:attempted-admin; sid:32601; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET [696,7426] (msg:"SERVER-OTHER HP Network Node Manager ovopi.dll buffer overflow attempt"; flow:stateless; content:"|A9 02 00 00|-p"; depth:6; isdataat:285,relative; content:!"|00|"; within:283; distance:2; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:cve,2014-2624; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04378450; classtype:attempted-admin; sid:32628; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5357:5358 (msg:"SERVER-OTHER Web Service on Devices API WSDAPI URL processing buffer corruption attempt"; flow:to_server,established; content:"Mime-Version:"; content:!" 1.0"; within:4; isdataat:100,relative; content:!"|0D 0A|"; within:102; metadata:service http; reference:cve,2009-2512; classtype:denial-of-service; sid:32673; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SERVER-OTHER Cisco ios ftp proxy overflow attempt"; flow:to_server,established; content:"PASS"; isdataat:52,relative; metadata:service ftp-data; reference:cve,2005-2841; classtype:attempted-user; sid:32672; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Siemens Simatic S7-300 PLC remote memory dump"; flow:to_server,established; content:"/tools/MemoryDump?"; fast_pattern:only; http_uri; content:"Address="; nocase; http_uri; content:"Hex="; nocase; http_uri; content:"Length="; nocase; http_uri; content:"Mode="; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-654382.pdf; classtype:web-application-attack; sid:32775; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Siemens Simatic S7-300 PLC backdoor login attempt"; flow:to_server,established; content:"/login?"; nocase; http_uri; content:"User=basisk"; nocase; http_uri; content:"Password=basisk"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-654382.pdf; classtype:suspicious-login; sid:32774; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER TLSv1.2 POODLE CBC padding brute force attempt"; flow:to_server,established,only_stream; ssl_version:tls1.2; ssl_state:client_keyx; content:"|16 03 03|"; fast_pattern:only; detection_filter:track by_src,count 100,seconds 1; metadata:service ssl; reference:cve,2014-8730; reference:url,attack.mitre.org/techniques/T1110; classtype:attempted-recon; sid:32760; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER TLSv1.1 POODLE CBC padding brute force attempt"; flow:to_server,established,only_stream; ssl_version:tls1.1; ssl_state:client_keyx; content:"|16 03 02|"; fast_pattern:only; detection_filter:track by_src,count 100,seconds 1; metadata:service ssl; reference:cve,2014-8730; reference:url,attack.mitre.org/techniques/T1110; classtype:attempted-recon; sid:32759; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER TLSv1.0 POODLE CBC padding brute force attempt"; flow:to_server,established,only_stream; ssl_version:tls1.0; ssl_state:client_keyx; content:"|16 03 01|"; fast_pattern:only; detection_filter:track by_src,count 100,seconds 1; metadata:service ssl; reference:cve,2014-8730; reference:url,attack.mitre.org/techniques/T1110; classtype:attempted-recon; sid:32758; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER TLSv1.2 POODLE CBC padding brute force attempt"; flow:to_server,established,only_stream; ssl_version:tls1.2; ssl_state:client_keyx; content:"|16 03 03|"; fast_pattern:only; detection_filter:track by_src,count 100,seconds 1; metadata:service ssl; reference:cve,2014-8730; reference:url,attack.mitre.org/techniques/T1110; classtype:attempted-recon; sid:32757; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER TLSv1.1 POODLE CBC padding brute force attempt"; flow:to_server,established,only_stream; ssl_version:tls1.1; ssl_state:client_keyx; content:"|16 03 02|"; fast_pattern:only; detection_filter:track by_src,count 100,seconds 1; metadata:service ssl; reference:cve,2014-8730; reference:url,attack.mitre.org/techniques/T1110; classtype:attempted-recon; sid:32756; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER TLSv1.0 POODLE CBC padding brute force attempt"; flow:to_server,established,only_stream; ssl_version:tls1.0; ssl_state:client_keyx; content:"|16 03 01|"; fast_pattern:only; detection_filter:track by_src,count 100,seconds 1; metadata:service ssl; reference:cve,2014-8730; reference:url,attack.mitre.org/techniques/T1110; classtype:attempted-recon; sid:32755; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 7131 (msg:"SERVER-OTHER Ecava IntegraXor HMI /res buffer overflow attempt"; flow:to_server,established; content:"GET"; depth:3; content:"/res?"; fast_pattern; content:".dll"; within:50; content:!"|0D 0A|"; within:250; reference:cve,2014-0753; classtype:attempted-user; sid:32748; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8001 (msg:"SERVER-OTHER Lianja SQL Server db_netserver Buffer Overflow attempt"; flow:to_server,established; content:"000052E1"; depth:8; isdataat:1400; reference:cve,2013-3563; classtype:attempted-user; sid:32737; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER ntpd configure buffer overflow attempt"; flow:to_server; content:"|16 08|"; depth:2; dsize:>400; metadata:service ntp; reference:cve,2014-9295; reference:url,attack.mitre.org/techniques/T1209; classtype:attempted-user; sid:32890; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER XCat Blind XPath Injection attempt"; flow:established,to_server; content:"|27|) and doc((document-uri((/))))=(/)"; fast_pattern:only; http_uri; content:"USER-AGENT|3A| Python"; http_header; metadata:service http; reference:url,www.owasp.org/index.php/XPATH_Injection; classtype:web-application-attack; sid:32955; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER XCat Blind XPath Injection attempt"; flow:established,to_server; content:"|27|) and count(("; fast_pattern:only; http_uri; content:"USER-AGENT|3A| Python"; http_header; metadata:service http; reference:url,www.owasp.org/index.php/XPATH_Injection; classtype:web-application-attack; sid:32954; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER XCat Blind XPath Injection attempt"; flow:established,to_server; content:"|27|) and string"; fast_pattern:only; http_uri; content:"USER-AGENT|3A| Python"; http_header; metadata:service http; reference:url,www.owasp.org/index.php/XPATH_Injection; classtype:web-application-attack; sid:32953; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [9004,9010] (msg:"SERVER-OTHER BMC Track-It FileStorageService directory traversal attempt"; flow:to_server,established; content:"TrackIt.Core.FileStorageService"; fast_pattern:only; content:".NET|01 00|"; depth:6; content:"|12 06|Create"; distance:0; content:"|2E 2E|"; distance:0; pcre:"/\x2e\x2e[\x2f\x5c]/"; reference:bugtraq,70264; reference:cve,2014-4872; classtype:attempted-admin; sid:33197; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL fragmented protocol downgrade attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:!sslv2; content:"|16 03|"; fast_pattern:only; content:"|00|"; depth:1; offset:3; byte_test:1,<,6,4; metadata:service ssl; reference:cve,2014-3511; reference:url,openssl.org/news/secadv_20140806.txt; classtype:policy-violation; sid:33561; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1718 (msg:"SERVER-OTHER McAfee E-Business Server remote preauth code execution attempt"; flow:to_server,established; content:"|01 FF FF 00 00|"; depth:5; isdataat:500,relative; content:!"|0D 0A|"; within:500; reference:url,www.securityfocus.com/archive/1/485992; classtype:attempted-user; sid:33565; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER SAP Sybase ESP xmlrpc unsafe pointer dereference attempt"; flow:established,to_server; content:"/RPC2"; nocase; content:"<methodCall"; distance:0; nocase; content:"<methodName"; within:200; nocase; content:"Connection"; within:100; nocase; content:"."; within:5; metadata:service http; reference:cve,2014-3457; classtype:web-application-attack; sid:33636; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"SERVER-OTHER GnuTLS TLSA record heap buffer overflow attempt"; flow:to_client; content:"|00 34 00 01|"; byte_extract:2,-6,name,relative; content:"|00 34 00 01|"; distance:0; byte_test:2,=,name,-6,relative; content:"|00 34 00 01|"; distance:0; byte_test:2,=,name,-6,relative; content:"|00 34 00 01|"; distance:0; byte_test:2,=,name,-6,relative; content:"|00 34 00 01|"; distance:0; byte_test:2,=,name,-6,relative; metadata:service dns; reference:cve,2013-4466; classtype:attempted-user; sid:33596; rev:1;)
# alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"SERVER-OTHER GnuTLS TLSA record heap buffer overflow attempt"; flow:to_client,established; content:"|00 34 00 01|"; byte_extract:2,-6,name,relative; content:"|00 34 00 01|"; distance:0; byte_test:2,=,name,-6,relative; content:"|00 34 00 01|"; distance:0; byte_test:2,=,name,-6,relative; content:"|00 34 00 01|"; distance:0; byte_test:2,=,name,-6,relative; content:"|00 34 00 01|"; distance:0; byte_test:2,=,name,-6,relative; metadata:service dns; reference:cve,2013-4466; classtype:attempted-user; sid:33595; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3465 (msg:"SERVER-OTHER HP Client Automation command injection attempt"; flow:to_server,established; content:"|00|"; content:"|00|hide hide"; distance:0; content:"|09|"; within:2; pcre:"/\x00hide hide[\x22\x09]+([a-z0-9\x5c\x2e\x3a]+\x2eexe|sh)/"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,72612; reference:cve,2015-1497; classtype:attempted-admin; sid:33665; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Squid Proxy invalid HTTP response code denial of service attempt"; flow:to_client,established; content:"HTTP/1.0 -"; depth:11; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35812; reference:cve,2009-2622; classtype:denial-of-service; sid:33655; rev:2;)
# alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSH maxstartup threshold connection exhaustion denial of service attempt"; flow:to_client,established,no_stream; content:"SSH-"; depth:4; content:"-OpenSSH_"; within:15; detection_filter:track by_dst, count 9, seconds 3; metadata:service ssh; reference:cve,2010-5107; classtype:attempted-dos; sid:33654; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER PHPMoAdmin remote code execution attempt"; flow:to_server,established; content:"/moadmin.php"; fast_pattern:only; http_uri; content:"object="; http_client_body; pcre:"/(^|&)object=[^&]*?(eval|passthru|shell_exec|system|exec|proc_open|popen)/Pm"; metadata:service http; reference:cve,2015-2208; reference:url,www.exploit-db.com/exploits/36251; classtype:attempted-admin; sid:33685; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER PHP unserialize use after free attempt"; flow:to_server,established; content:"<?php"; content:"serialize"; content:"unserialize"; within:100; fast_pattern; content:"serialize"; within:50; metadata:service http; reference:cve,2014-8142; classtype:attempted-user; sid:33683; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER PHP unserialize use after free attempt"; flow:to_client,established; file_data; content:"<?php"; content:"serialize"; content:"unserialize"; within:100; fast_pattern; content:"serialize"; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-8142; classtype:attempted-user; sid:33682; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Cisco CNS Network Registrar denial of service attempt"; flow:to_server,established; content:"|0C 00 00 00 01 02 03 04 0B 00 00 00|"; fast_pattern:only; reference:cve,2004-1164; classtype:denial-of-service; sid:33680; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Cisco CNS Network Registrar denial of service attempt"; flow:to_server,established; content:"|0C 00 00 00 02 04 14 13 0B 00 00 00|"; fast_pattern:only; reference:cve,2004-1164; classtype:denial-of-service; sid:33679; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38292 (msg:"SERVER-OTHER Symantec AMS Intel handler service overly large size3 dos attempt"; flow:to_server,established; content:"|FF FF FF FF|"; depth:4; content:"CNFG"; within:4; distance:30; content:"ALHD"; within:4; distance:9; byte_jump:2,10,relative,little; byte_jump:2,0,relative,little; byte_jump:2,5,relative,little; content:!"|00|"; within:1; distance:-1; metadata:policy max-detect-ips drop; reference:cve,2010-3268; classtype:attempted-dos; sid:33672; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38292 (msg:"SERVER-OTHER Symantec AMS Intel handler service overly large size2 dos attempt"; flow:to_server,established; content:"|FF FF FF FF|"; depth:4; content:"CNFG"; within:4; distance:30; content:"ALHD"; within:4; distance:9; byte_jump:2,10,relative,little; byte_jump:2,0,relative,little; content:!"|00|"; within:1; distance:-1; metadata:policy max-detect-ips drop; reference:cve,2010-3268; classtype:attempted-dos; sid:33671; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38292 (msg:"SERVER-OTHER Symantec AMS Intel handler service overly large size1 dos attempt"; flow:to_server,established; content:"|FF FF FF FF|"; depth:4; content:"CNFG"; within:4; distance:30; content:"ALHD"; within:4; distance:9; byte_jump:2,10,relative,little; content:!"|00|"; within:1; distance:-1; metadata:policy max-detect-ips drop; reference:cve,2010-3268; classtype:attempted-dos; sid:33670; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Exchange Server custom DLP policy name cross-site scripting attempt"; flow:to_server,established; content:"|7B 22|properties|22|:|7B 22|Parameters|22|:|7B 22|__type|22|:|22|JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel|22|,|22|Name|22|:|22|"; fast_pattern:only; http_client_body; pcre:"/Microsoft\.Exchange\.Management\.ControlPanel\x22\x2C\x22Name\x22:\x22[^\x22]*\x22(?!\s*,\s*\x22Template)/P"; metadata:service http; reference:cve,2015-1629; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-026; classtype:attempted-user; sid:33810; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Sharepoint user display name XSS attempt"; flow:to_server,established; content:"useredit.aspx?"; fast_pattern:only; http_uri; content:"ID="; nocase; http_uri; content:"TextField="; http_client_body; pcre:"/TextField=[^&]*([\x22\x27\x28\x29\x3c\x3e]|script|onload|src)/Pi"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1633; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-022; classtype:attempted-user; sid:33809; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Sharepoint Server Newsfeed XSS attempt"; flow:established,to_server; content:"/my/_layouts/"; fast_pattern:only; http_header; content:"|22|"; http_uri; content:"("; within:30; http_uri; metadata:service http; reference:cve,2015-1636; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-022; classtype:web-application-attack; sid:33808; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 2B|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33806; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 2A|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33805; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 29|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33804; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 28|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33803; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 27|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33802; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 26|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33801; rev:4;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 2B|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33800; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 2A|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33799; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 29|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33798; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 28|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33797; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 27|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33796; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 26|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33795; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 08|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33794; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 19|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33793; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 17|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33792; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 14|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33791; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 11|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33790; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 0E|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33789; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 0B|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33788; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 08|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33787; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 06|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33786; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade cipher suite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 03|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33785; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 19|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33784; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 17|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33783; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 14|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33782; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 11|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33781; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 0E|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33780; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 0B|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33779; rev:4;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 06|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33778; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 03|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33777; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9200 (msg:"SERVER-OTHER ElasticSearch script remote code execution attempt"; flow:to_server,established; content:"_search"; content:"import java."; fast_pattern:only; metadata:service http; reference:cve,2014-3120; reference:url,bouk.co/blog/elasticsearch-rce/; classtype:attempted-user; sid:33830; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Lighttpd Host header directory traversal attempt"; flow:to_server,established; content:"Host|3A| |5B|"; http_header; content:"|5D|"; distance:0; http_header; content:!"|3A|"; within:1; metadata:policy max-detect-ips drop, service http; reference:cve,2014-2324; reference:url,download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt; classtype:attempted-admin; sid:33817; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9200 (msg:"SERVER-OTHER ElasticSearch script remote code execution attempt"; flow:to_server,established; content:"POST"; depth:4; content:"_search"; distance:0; content:".class.forName|28|"; fast_pattern:only; metadata:service http; reference:cve,2015-1427; reference:url,jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/; classtype:attempted-user; sid:33814; rev:2;)
# alert tcp any any -> $HOME_NET [10514,6514] (msg:"SERVER-OTHER rsyslog remote PRI out of bounds attempt"; flow:to_server; content:"<"; depth:1; content:">"; within:8; distance:3; byte_test:10,>,191,1,string,dec; metadata:service syslog; reference:cve,2014-3634; reference:cve,2014-3683; reference:url,www.rsyslog.com/remote-syslog-pri-vulnerability; classtype:denial-of-service; sid:33858; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER PHP unserialize code execution attempt"; flow:to_server,established; content:"O%3A"; content:"S%3A"; distance:0; nocase; content:"a%3A"; distance:0; content:"R%3A"; distance:0; nocase; pcre:"/O%3a\d%3a%22\w+%22%3a\d%3a%7b.*?s%3a\d%3a%22\d+%22%3b/i"; metadata:service http; reference:cve,2015-0231; classtype:attempted-admin; sid:33961; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER PHP unserialize code execution attempt"; flow:to_server,established; content:"O|3A|"; content:"S|3A|"; distance:0; nocase; content:"a|3A|"; distance:0; content:"R|3A|"; distance:0; nocase; pcre:"/O\x3a\d\x3a\x22\w+\x22\x3a\d\x3a\x7b.*?s\x3a\d\x3a\x22\d+\x22\x3b/i"; metadata:service http; reference:cve,2015-0231; classtype:attempted-admin; sid:33960; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12174 (msg:"SERVER-OTHER Symantec System Center Alert Management System untrusted command execution attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; content:".exe"; distance:2; metadata:policy max-detect-ips drop; reference:bugtraq,34675; reference:cve,2009-1431; classtype:policy-violation; sid:33987; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER PHP 4 unserialize ZVAL Reference Counter Overflow attempt"; flow:to_server,established; dsize:>4800; content:"Cookie:"; isdataat:3600,relative; content:!"|0D 0A|"; within:3600; metadata:service http; reference:cve,2007-1286; classtype:attempted-admin; sid:34027; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER PHP unserialize and __wakeup use after free attempt"; flow:to_server,established; file_data; content:"<?php"; content:"class"; distance:0; content:"function"; within:200; content:"__wakeup"; within:50; fast_pattern; content:"unset|28|"; within:50; content:"unserialize|28|"; distance:0; metadata:service http; reference:cve,2015-2787; classtype:attempted-user; sid:34054; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER PHP unserialize and __wakeup use after free attempt"; flow:to_client,established; file_data; content:"<?php"; content:"class"; distance:0; content:"function"; within:200; content:"__wakeup"; within:50; fast_pattern; content:"unset|28|"; within:50; content:"unserialize|28|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2787; classtype:attempted-user; sid:34053; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Microsoft SharePoint projectdetails.aspx ret parameter XSS attempt"; flow:to_server,established; content:"/projectdetails.aspx?"; fast_pattern:only; http_uri; content:"ret="; nocase; http_uri; pcre:"/ret=[^&]*([\x22\x27\x28\x29\x3c\x3e]|script|onload|src)/Ui"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1640; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-036; classtype:attempted-user; sid:34099; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER NTP mode 6 UNSETTRAP denial of service attempt"; flow:to_server,no_stream; content:"|16 1F 00 00|"; depth:4; detection_filter:track by_dst, count 1000, seconds 5; metadata:service ntp; reference:cve,2013-5211; reference:url,attack.mitre.org/techniques/T1209; reference:url,r-7.co/R7-2014-12; classtype:attempted-dos; sid:34114; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER NTP mode 6 REQ_NONCE denial of service attempt"; flow:to_server,no_stream; content:"|16 0C 00 00|"; depth:4; detection_filter:track by_dst, count 1000, seconds 5; metadata:service ntp; reference:cve,2013-5211; reference:url,attack.mitre.org/techniques/T1209; reference:url,r-7.co/R7-2014-12; classtype:attempted-dos; sid:34112; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Oracle Outside In Paradox database denial of service attempt"; flow:to_client,established; file_data; content:"|00 00 00 00 00 00 0E 08 01 1E 01 1E 01 14 01 14 01 0F 01 0A 01 0F 01 0F 09 01 92 A0 E0 6B 97 A1 E0 6B A1 A1|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,57357; reference:cve,2013-0393; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-012; classtype:attempted-dos; sid:34160; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER Oracle CorelDRAW file parser heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.cdr; file_data; content:"|FF F1 54 FF FF 40 A9 FE FF C1 52 00 00 00 00 00 00 28 55 4E 05 60 2D 5C 05 FD FF FF FF 00 00 00|"; fast_pattern:only; metadata:service smtp; reference:cve,2013-0418; classtype:attempted-admin; sid:34142; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Oracle CorelDRAW file parser heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.cdr; file_data; content:"|FF F1 54 FF FF 40 A9 FE FF C1 52 00 00 00 00 00 00 28 55 4E 05 60 2D 5C 05 FD FF FF FF 00 00 00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-0418; classtype:attempted-admin; sid:34141; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Novell ZenWorks configuration management file upload directory traversal attempt"; flow:to_server,established; content:"/zenworks/jsp/index.jsp"; fast_pattern:only; http_uri; content:"pageid="; http_uri; content:"filename=|22|"; http_client_body; content:".."; within:3; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-1080; reference:url,www.novell.com/support/kb/doc.php?id=7011812; classtype:attempted-admin; sid:34139; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS (msg:"SERVER-OTHER PHP zip_cdir_new function integer overflow file upload attempt"; flow:to_server,established; file_data; content:"PK|06 06|"; byte_test:1,>=,0x10,23,relative; content:"PK|06 07|"; distance:0; content:"PK|05 06|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2331; classtype:attempted-user; sid:34239; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS (msg:"SERVER-OTHER PHP zip_cdir_new function integer overflow file upload attempt"; flow:to_server,established; file_data; content:"PK|06 06|"; content:!"|00 00 00 00|"; within:4; distance:24; content:"PK|06 07|"; distance:0; content:"PK|05 06|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2331; classtype:attempted-user; sid:34238; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SERVER-OTHER GNU Mailman listname directory traversal attempt"; flow:to_server,established; content:"RCPT TO"; depth:7; nocase; content:"../"; fast_pattern:only; metadata:service smtp; reference:cve,2015-2775; classtype:attempted-user; sid:34301; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [3260,860] (msg:"SERVER-OTHER Windows iSCSI target login request Denial of Service attempt"; flow:to_server,established,no_stream; content:"InitiatorName="; content:"|2D|"; distance:0; content:"|2D|"; distance:0; detection_filter:track by_dst, count 200, seconds 2; reference:cve,2014-0255; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-028; classtype:attempted-dos; sid:34288; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER PHP zip_cdir_new function integer overflow file download attempt"; flow:to_server,established; file_data; content:"PK|06 06|"; byte_test:1,>=,0x10,23,relative; content:"PK|06 07|"; distance:0; content:"PK|05 06|"; distance:0; metadata:service smtp; reference:cve,2015-2331; classtype:attempted-user; sid:34376; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER PHP zip_cdir_new function integer overflow file download attempt"; flow:to_server,established; file_data; content:"PK|06 06|"; content:!"|00 00 00 00|"; within:4; distance:24; content:"PK|06 07|"; distance:0; content:"PK|05 06|"; distance:0; metadata:service smtp; reference:cve,2015-2331; classtype:attempted-user; sid:34375; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER PHP zip_cdir_new function integer overflow file download attempt"; flow:to_client,established; file_data; content:"PK|06 06|"; byte_test:1,>=,0x10,23,relative; content:"PK|06 07|"; distance:0; content:"PK|05 06|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2331; classtype:attempted-user; sid:34374; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER PHP zip_cdir_new function integer overflow file download attempt"; flow:to_client,established; file_data; content:"PK|06 06|"; content:!"|00 00 00 00|"; within:4; distance:24; content:"PK|06 07|"; distance:0; content:"PK|05 06|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-2331; classtype:attempted-user; sid:34373; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 30051 (msg:"SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt"; flow:to_server,established; content:"|AA BB AA BB|"; depth:4; content:"|00 00 00 09|"; within:4; distance:12; content:"user="; within:511; distance:13; isdataat:400,relative; content:!"|20|"; within:400; metadata:policy max-detect-ips drop; reference:bugtraq,73917; reference:cve,2015-0119; classtype:attempted-admin; sid:34353; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 30051 (msg:"SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt"; flow:to_server,established; content:"|AA BB AA BB|"; depth:4; content:"|00 00 00 09|"; within:4; distance:12; content:"safe="; within:511; distance:13; isdataat:400,relative; content:!"|20|"; within:400; metadata:policy max-detect-ips drop; reference:bugtraq,73917; reference:cve,2015-0119; classtype:attempted-admin; sid:34352; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 30051 (msg:"SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt"; flow:to_server,established; content:"|AA BB AA BB|"; depth:4; content:"|00 00 00 09|"; within:4; distance:12; content:"port="; within:511; distance:13; isdataat:400,relative; content:!"|20|"; within:400; metadata:policy max-detect-ips drop; reference:bugtraq,73917; reference:cve,2015-0119; classtype:attempted-admin; sid:34351; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 30051 (msg:"SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt"; flow:to_server,established; content:"|AA BB AA BB|"; depth:4; content:"|00 00 00 09|"; within:4; distance:12; content:"pass="; within:511; distance:13; isdataat:400,relative; content:!"|20|"; within:400; metadata:policy max-detect-ips drop; reference:bugtraq,73917; reference:cve,2015-0119; classtype:attempted-admin; sid:34350; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 30051 (msg:"SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt"; flow:to_server,established; content:"|AA BB AA BB|"; depth:4; content:"|00 00 00 09|"; within:4; distance:12; content:"ip="; within:511; distance:13; isdataat:400,relative; content:!"|20|"; within:400; metadata:policy max-detect-ips drop; reference:bugtraq,73917; reference:cve,2015-0119; classtype:attempted-admin; sid:34349; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"SERVER-OTHER AsusWRT infosvr remote command execution attempt"; flow:to_server; content:"|0C 15 33 00|"; depth:4; metadata:policy security-ips drop; reference:bugtraq,71889; reference:cve,2014-9583; classtype:attempted-admin; sid:34464; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt"; flow:to_server,established; content:"STYLE="; fast_pattern:only; content:"c="; content:"%60"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service ssl; reference:cve,2014-2850; classtype:attempted-admin; sid:32998; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt"; flow:to_server,established; content:"STYLE="; fast_pattern:only; content:"c="; content:"|60|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ssl; reference:cve,2014-2850; classtype:attempted-admin; sid:32997; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,8000:8099] (msg:"SERVER-OTHER SAP NetWeaver SXPG_COMMAND_EXECUTE remote command execution attempt"; flow:established,to_server; content:"/sap/bc/soap/rfc"; fast_pattern:only; content:"ADDITIONAL_PARAMETERS"; nocase; content:"SXPG_CALL_SYSTEM"; nocase; pcre:"/<ADDITIONAL_PARAMETERS>[^<]*?[\x26\x27\x28\x24\x21]/i"; metadata:policy max-detect-ips drop, service http; reference:url,packetstormsecurity.com/files/121580/SAP-SOAP-RFC-SXPG_COMMAND_EXECUTE-Remote-Command-Execution.html; classtype:web-application-attack; sid:32992; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,8000:8099] (msg:"SERVER-OTHER SAP NetWeaver SXPG_COMMAND_EXECUTE remote command execution attempt"; flow:established,to_server; content:"/sap/bc/soap/rfc"; fast_pattern:only; content:"<ADDITIONAL_PARAMETERS>"; nocase; content:"SXPG_COMMAND_EXECUTE"; nocase; pcre:"/<ADDITIONAL_PARAMETERS>[^<]*?[\x26\x27\x28\x24\x21]/i"; metadata:policy max-detect-ips drop, service http; reference:url,packetstormsecurity.com/files/121580/SAP-SOAP-RFC-SXPG_COMMAND_EXECUTE-Remote-Command-Execution.html; classtype:web-application-attack; sid:32991; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector - initiate connection"; flow:to_server,established; content:"HP OpenView OmniBack"; fast_pattern:only; flowbits:set,hp_openview_sdp; flowbits:noalert; classtype:protocol-command-decode; sid:32345; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt"; flow:to_server,established; file_data; content:"CreateObject|28|"; nocase; content:"XGO.XGoCtrl"; within:15; fast_pattern; nocase; content:".SetShapeNodeType|28|"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,55272; classtype:attempted-user; sid:31882; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt"; flow:to_client,established; file_data; content:"CreateObject|28|"; nocase; content:"XGO.XGoCtrl"; within:15; fast_pattern; nocase; content:".SetShapeNodeType|28|"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,55272; classtype:attempted-user; sid:31881; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt"; flow:to_server,established; file_data; content:"ActiveXObject|28|"; nocase; content:"XGO.XGoCtrl"; within:15; fast_pattern; nocase; content:".SetShapeNodeType|28|"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,55272; classtype:attempted-user; sid:31880; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt"; flow:to_client,established; file_data; content:"ActiveXObject|28|"; nocase; content:"XGO.XGoCtrl"; within:15; fast_pattern; nocase; content:".SetShapeNodeType|28|"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,55272; classtype:attempted-user; sid:31879; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt"; flow:to_server,established; file_data; content:"C3B92104-B5A7-11D0-A37F-00A0248F0AF1"; fast_pattern; nocase; content:".SetShapeNodeType|28|"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,55272; classtype:attempted-user; sid:31878; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER HP Application Life Cycle Management ActiveX arbitrary code execution attempt"; flow:to_client,established; file_data; content:"C3B92104-B5A7-11D0-A37F-00A0248F0AF1"; fast_pattern; nocase; content:".SetShapeNodeType|28|"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,55272; classtype:attempted-user; sid:31877; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"SERVER-OTHER Symantec pcAnywhere remote code execution attempt"; flow:to_server,established; content:"|0B D1 BA 29 AD DF A7 C6 5C 8B 1F 10 89 53 92 0B 83 58 DF 4A CC CB 97 0C 6D B8 3F 9B 31 CE 71 8C|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,51592; reference:cve,2011-3478; classtype:attempted-admin; sid:31238; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP Data Protector Backup Client Service directory traversal attempt"; flow:to_server,established; content:"|32 00|"; depth:4; offset:4; content:"|00 34|"; distance:0; content:"../"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:cve,2013-2348; reference:url,h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?docId=emr_na-c03822422&ac.admitted=1395676245824.876444892.199480143; classtype:attempted-user; sid:30556; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP Data Protector Backup Client Service UTF directory traversal attempt"; flow:to_server,established; content:"|32 00|"; depth:4; offset:4; content:"|00 34|"; distance:0; content:"|2E 00 2E 00 5C 00|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:cve,2013-2348; reference:url,h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?docId=emr_na-c03822422&ac.admitted=1395676245824.876444892.199480143; classtype:attempted-user; sid:30555; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP Data Protector Backup Client Service UTF directory traversal attempt"; flow:to_server,established; content:"|32 00|"; depth:4; offset:4; content:"|00 34|"; distance:0; content:"|2E 00 2E 00 2F 00|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:cve,2013-2348; reference:url,h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?docId=emr_na-c03822422&ac.admitted=1395676245824.876444892.199480143; classtype:attempted-user; sid:30554; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP Data Protector Backup Client Service directory traversal attempt"; flow:to_server,established; content:"|32 00|"; depth:4; offset:4; content:"|00 34|"; distance:0; content:"..|5C|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:cve,2013-2348; reference:url,h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?docId=emr_na-c03822422&ac.admitted=1395676245824.876444892.199480143; classtype:attempted-user; sid:30553; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP OpenView Storage Data Protector opcode 42 directory traversal attempt"; flow:to_server,established; content:"|FF FE 32 00 00 00 20 00|"; depth:8; offset:4; content:"|34 00 32 00 00 00 20 00|"; distance:0; content:"|5C 00 2E 00 2E 00 5C 00|"; distance:0; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,64647; reference:cve,2013-6194; reference:url,h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03822422; classtype:attempted-admin; sid:30268; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP OpenView Storage Data Protector opcode 42 directory traversal attempt"; flow:to_server,established; content:"|FF FE 32 00 00 00 20 00|"; depth:8; offset:4; content:"|34 00 32 00 00 00 20 00|"; distance:0; content:"|2F 00 2E 00 2E 00 2F 00|"; distance:0; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,64647; reference:cve,2013-6194; reference:url,h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03822422; classtype:attempted-admin; sid:30267; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP OpenView Storage Data Protector opcode 42 directory traversal attempt"; flow:to_server,established; content:"|FE FF 00 32 00 00 00 20|"; depth:8; offset:4; content:"|00 34 00 32 00 00 00 20|"; distance:0; content:"|00 5C 00 2E 00 2E 00 5C|"; distance:0; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,64647; reference:cve,2013-6194; reference:url,h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03822422; classtype:attempted-admin; sid:30266; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP OpenView Storage Data Protector opcode 42 directory traversal attempt"; flow:to_server,established; content:"|FE FF 00 32 00 00 00 20|"; depth:8; offset:4; content:"|00 34 00 32 00 00 00 20|"; distance:0; content:"|00 2F 00 2E 00 2E 00 2F|"; distance:0; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,64647; reference:cve,2013-6194; reference:url,h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03822422; classtype:attempted-admin; sid:30265; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP OpenView Storage Data Protector opcode 42 directory traversal attempt"; flow:to_server,established; content:"|32 00|"; depth:2; offset:4; content:"|00|42|00|"; distance:0; content:"|00 2E 2E 5C 2E 2E 5C|"; distance:0; fast_pattern; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,64647; reference:cve,2013-6194; reference:url,h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03822422; classtype:attempted-admin; sid:30264; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP OpenView Storage Data Protector opcode 42 directory traversal attempt"; flow:to_server,established; content:"|32 00|"; depth:2; offset:4; content:"|00|42|00|"; distance:0; content:"|00 2E 2E 2F 2E 2E 2F|"; distance:0; fast_pattern; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,64647; reference:cve,2013-6194; reference:url,h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03822422; classtype:attempted-admin; sid:30263; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [523,524] (msg:"SERVER-OTHER IBM DB2 Universal Database receiveDASMessage buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 00|DB2DAS|20 20 20 20 20 20|"; depth:16; byte_test:4,>,0xFFFFFFD8,21,relative; metadata:policy max-detect-ips drop; reference:bugtraq,46052; reference:cve,2011-0731; classtype:attempted-admin; sid:29948; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [523,524] (msg:"SERVER-OTHER IBM DB2 Universal Database receiveDASMessage buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 00|DB2DAS|20 20 20 20 20 20|"; depth:16; byte_test:4,>,0xFFFFFFD8,21,relative,little; metadata:policy max-detect-ips drop; reference:bugtraq,46052; reference:cve,2011-0731; classtype:attempted-admin; sid:29947; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [523,524] (msg:"SERVER-OTHER IBM DB2 Universal Database receiveDASMessage buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 00|DB2DAS|20 20 20 20 20 20|"; depth:16; byte_test:4,>,0xFFFFFFD8,16,relative; metadata:policy max-detect-ips drop; reference:bugtraq,46052; reference:cve,2011-0731; classtype:attempted-admin; sid:29946; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER JBoss JMXInvokerServlet remote code execution attempt"; flow:to_server,established; content:"POST"; http_method; content:"/invoker/JMXInvokerServlet"; nocase; http_uri; content:"application/x-java-serialized-object|3B| class=org.jboss.invocation.Marshalled"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,62347; reference:cve,2013-4810; classtype:misc-attack; sid:29909; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER JBoss EJBInvokerServlet remote code execution attempt"; flow:to_server,established; content:"POST"; http_method; content:"/invoker/EJBInvokerServlet"; nocase; http_uri; content:"application/x-java-serialized-object|3B| class=org.jboss.invocation.MarshalledInvocation"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,62347; reference:cve,2013-4810; classtype:web-application-attack; sid:28851; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-OTHER EMC AlphaStore format string vulnerability exploit attempt"; flow:to_server,established; content:"unsrmm "; depth:7; content:"%"; distance:0; metadata:policy max-detect-ips drop; reference:cve,2013-0929; classtype:attempted-admin; sid:28398; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-OTHER EMC AlphaStore format string vulnerability exploit attempt"; flow:to_server,established; content:"unsrjb "; depth:7; content:"%"; distance:0; metadata:policy max-detect-ips drop; reference:cve,2013-0929; classtype:attempted-admin; sid:28397; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-OTHER EMC AlphaStore format string vulnerability exploit attempt"; flow:to_server,established; content:"ummpool "; depth:8; content:"%"; distance:0; metadata:policy max-detect-ips drop; reference:cve,2013-0929; classtype:attempted-admin; sid:28396; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-OTHER EMC AlphaStore format string vulnerability exploit attempt"; flow:to_server,established; content:"ummlocate "; depth:10; content:"%"; distance:0; metadata:policy max-detect-ips drop; reference:cve,2013-0929; classtype:attempted-admin; sid:28395; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-OTHER EMC AlphaStore format string vulnerability exploit attempt"; flow:to_server,established; content:"umminfo "; depth:8; content:"%"; distance:0; metadata:policy max-detect-ips drop; reference:cve,2013-0929; classtype:attempted-admin; sid:28394; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 211 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"2|00|1|00|1|00 00 00 20 00|"; depth:10; offset:6; content:"|20 00|"; distance:0; isdataat:1400,relative; content:!"|00 00|"; within:1400; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,60309; reference:cve,2013-2333; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03781657; classtype:attempted-admin; sid:28227; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER HP ProCurve Manager SNAC UpdateDomainControllerServlet directory traversal attempt"; flow:to_server,established; content:"/RegWeb/UpdateDomainControllerServlet"; fast_pattern:only; http_uri; content:"adCert"; nocase; http_client_body; content:"filename"; distance:0; nocase; http_client_body; pcre:"/filename\s*?=\s*?[\x22\x27][^\x22\x27]*?(\x2e\x2e|%2e%2e)([\x5c\x2f]|%5c|%2f)/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,62349; reference:cve,2013-4811; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03897409; classtype:attempted-admin; sid:27941; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER HP ProCurve Manager SNAC UpdateCertificatesServlet directory traversal attempt"; flow:to_server,established; content:"/RegWeb/"; fast_pattern; nocase; http_uri; content:"/update"; distance:0; nocase; http_uri; content:"filename"; nocase; http_client_body; pcre:"/filename\s*?=\s*?[\x22\x27][^\x22\x27]*?(\x2e\x2e|%2e%2e)([\x5c\x2f]|%5c|%2f)/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,62348; reference:cve,2013-4812; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03897409; classtype:attempted-admin; sid:27937; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 265 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"2|00|6|00|5|00 00 00 20 00|"; depth:10; offset:6; isdataat:1400,relative; content:!"|00 00|"; within:1400; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,60299; reference:cve,2013-2324; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03781657; classtype:attempted-admin; sid:27773; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 243 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"2|00|4|00|3|00 00 00 20 00|"; depth:10; offset:6; isdataat:1400,relative; content:!"|00 00|"; within:1400; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,60299; reference:cve,2013-2324; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03781657; classtype:attempted-admin; sid:27772; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 236 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"2|00|3|00|6|00 00 00 20 00|"; depth:10; offset:6; isdataat:1400,relative; content:!"|00 00|"; within:1400; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,60299; reference:cve,2013-2324; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03781657; classtype:attempted-admin; sid:27771; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 210 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"2|00|1|00|0|00 00 00 20 00|"; depth:10; offset:6; isdataat:1400,relative; content:!"|00 00|"; within:1400; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,60299; reference:cve,2013-2324; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03781657; classtype:attempted-admin; sid:27770; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 207 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"2|00|0|00|7|00 00 00 20 00|"; depth:10; offset:6; isdataat:1400,relative; content:!"|00 00|"; within:1400; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,60299; reference:cve,2013-2324; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03781657; classtype:attempted-admin; sid:27769; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 264 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"2|00|6|00|4|00 00 00 20 00|"; depth:10; offset:6; content:"|20 00|"; distance:0; isdataat:1300,relative; content:!"|00 00|"; within:1300; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,60302; reference:cve,2013-2327; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03781657; classtype:attempted-admin; sid:27617; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 235 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"2|00|3|00|5|00 00 00 20 00|"; depth:10; offset:6; isdataat:1400,relative; content:!"|00 00|"; within:1400; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,60300; reference:cve,2013-2325; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03781657; classtype:attempted-admin; sid:27571; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 234 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"2|00|3|00|4|00 00 00 20 00|"; depth:10; offset:6; isdataat:1400,relative; content:!"|00 00|"; within:1400; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,60301; reference:cve,2013-2326; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03781657; classtype:attempted-admin; sid:27539; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 227 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"2|00|2|00|7|00 00 00 20 00|"; depth:10; offset:6; content:"|20 00|"; distance:0; isdataat:1300,relative; content:!"|00 00|"; within:1300; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,60311; reference:cve,2013-2335; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03781657; classtype:attempted-admin; sid:27264; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 263 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"2|00|6|00|3|00 00 00 20 00|"; depth:10; offset:6; content:"|20 00|"; distance:0; isdataat:1300,relative; content:!"|00 00|"; within:1300; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,60303; reference:bugtraq,64647; reference:cve,2013-2328; reference:cve,2013-6195; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03781657; classtype:attempted-admin; sid:27262; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 215 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"2|00|1|00|5|00 00 00 20 00|"; depth:10; offset:6; content:"|20 00|"; distance:0; isdataat:1300,relative; content:!"|00 00|"; within:1300; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,60303; reference:bugtraq,64647; reference:cve,2013-2328; reference:cve,2013-6195; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03781657; classtype:attempted-admin; sid:27261; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 260 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"2|00|6|00|0|00 00 00 20 00|"; depth:10; offset:6; content:"|20 00|"; distance:0; isdataat:1300,relative; content:!"|00 00|"; within:1300; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,60308; reference:cve,2013-2332; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03781657; classtype:attempted-admin; sid:27217; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 1091 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"1|00|0|00|9|00|1|00 00 00 20 00|"; depth:12; offset:6; isdataat:1400,relative; content:!"|00 00|"; within:1400; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,60310; reference:cve,2013-2334; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03781657; classtype:attempted-admin; sid:27170; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 211 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"2|00|1|00|1|00 00 00 20 00|"; depth:10; offset:6; isdataat:1400,relative; content:!"|00 00|"; within:1400; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,60309; reference:cve,2013-2333; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03781657; classtype:attempted-admin; sid:27125; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 1092 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"1|00|0|00|9|00|2|00 00 00 20 00|"; depth:12; offset:6; isdataat:1400,relative; content:!"|00 00|"; within:1400; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,60307; reference:cve,2013-2331; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03781657; classtype:attempted-admin; sid:27124; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 259 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"2|00|5|00|9|00 00 00 20 00|"; depth:10; offset:6; content:"|20 00|"; distance:0; isdataat:200,relative; content:!"|00 00|"; within:200; metadata:policy max-detect-ips drop; reference:bugtraq,60304; reference:cve,2013-2329; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03781657; classtype:attempted-admin; sid:27123; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 305 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"3|00|0|00|5|00 00 00 20 00|"; depth:10; offset:6; isdataat:1400,relative; content:!"|00 00|"; within:1400; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,60306; reference:cve,2013-2330; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03781657; classtype:attempted-admin; sid:27122; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector - initiate connection"; flow:to_server,established; content:"H|00|P|00| |00|O|00|p|00|e|00|n|00|V|00|i|00|e|00|w|00| |00|O|00|m|00|n|00|i|00|B|00|a|00|c|00|k"; fast_pattern:only; flowbits:set,hp_openview_sdp; flowbits:noalert; classtype:protocol-command-decode; sid:27121; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Novell NetIQ User Manager ldapagnt_eval remote code execution attempt"; flow:to_server,established; content:"application/x-amf"; nocase; http_header; content:"|03 00 06|method|02 00 04|eval|00 06|module|02 00 08|ldapagnt"; fast_pattern:only; http_client_body; content:"|00 04|Eval|03 00 07|content|02|"; nocase; http_client_body; metadata:policy max-detect-ips drop, service http; reference:bugtraq,56539; classtype:attempted-admin; sid:27075; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Novell NetIQ User Manager modifyAccounts policy bypass attempt"; flow:to_server,established; content:"application/x-amf"; nocase; http_header; content:"|03 00 06|method|02 00 0E|modifyAccounts"; fast_pattern:only; http_client_body; content:"|03 00 04|name|02 00 05|admin"; nocase; http_client_body; content:"|00 0A|ACT_PASSWD|03 00 05|value"; nocase; http_client_body; metadata:policy max-detect-ips drop, service http; reference:bugtraq,56535; classtype:attempted-admin; sid:27036; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"SERVER-OTHER RealNetworks Helix snmp master agent denial of service attempt"; flow:to_server,established; flags:FA; stream_size:client,<=,2; metadata:policy max-detect-ips drop, service snmp; reference:bugtraq,52929; reference:cve,2012-1923; classtype:attempted-dos; sid:26980; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Apache Struts allowStaticMethodAccess invocation attempt"; flow:to_server,established; content:".do?"; nocase; http_uri; content:"allowStaticMethodAccess"; distance:0; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,60166; reference:cve,2013-1966; reference:cve,2013-2115; reference:url,struts.apache.org/development/2.x/docs/s2-014.html; classtype:attempted-admin; sid:26825; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Apache Struts allowStaticMethodAccess invocation attempt"; flow:to_server,established; content:".action"; nocase; http_uri; content:"allowStaticMethodAccess"; nocase; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,60166; reference:cve,2013-1966; reference:cve,2013-2115; reference:url,struts.apache.org/development/2.x/docs/s2-014.html; classtype:attempted-admin; sid:26824; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6661 (msg:"SERVER-OTHER BigAnt Document Service DDNF request stack buffer overflow attempt"; flow:to_server,established; content:"cmdid: "; fast_pattern:only; content:"DDNF"; depth:4; content:"username: "; distance:0; nocase; isdataat:1024,relative; content:!"|0A|"; within:1024; metadata:policy max-detect-ips drop; classtype:attempted-admin; sid:26501; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5666 (msg:"SERVER-OTHER Nagios NRPE command execution attempt"; flow:to_server,established; content:"|00 02 00 01|"; depth:4; content:"$("; within:20; distance:6; metadata:policy max-detect-ips drop; reference:bugtraq,58142; reference:cve,2013-1362; classtype:attempted-admin; sid:26491; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER ActFax LPD Server data field buffer overflow attempt"; flow:to_server,established; content:"@F"; content:!"@"; within:254; pcre:"/@F\d{3}[^@\x00]{251}/"; metadata:policy max-detect-ips drop, service printer; reference:bugtraq,57789; classtype:attempted-admin; sid:26479; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6661 (msg:"SERVER-OTHER BigAnt IM Server buffer overflow attempt"; flow:to_server,established; content:"source_cmdname|3A| DUPF"; content:"username|3A| "; distance:0; isdataat:574,relative; content:!"|0A|"; within:574; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,57214; reference:cve,2012-6275; classtype:attempted-admin; sid:26105; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [13838] (msg:"SERVER-OTHER HP LeftHand Virtual SAN hydra ping request buffer overflow attempt"; flow:to_server,established; content:"get|3A|/lhn/public/network/ping/"; nocase; content:"/"; distance:0; isdataat:1048,relative; content:!"/"; within:1048; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2012-3285; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03661318; classtype:attempted-admin; sid:26103; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-OTHER EMC AlphaStor Device Manager command injection attempt"; flow:to_server,established; content:"|75|"; depth:1; content:"mminfo"; distance:0; pcre:"/mminfo[^\x00]*?([\x3b\x7c\x26\x60]|\x24\x28)/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,57472; reference:cve,2013-0928; classtype:attempted-admin; sid:25582; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"SERVER-OTHER EMC AutoStart domain name logging stack buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 63 00 00 00 01|"; depth:8; offset:12; isdataat:40,relative; content:!"|00|"; within:32; distance:8; metadata:policy max-detect-ips drop; reference:bugtraq,49238; reference:cve,2011-2735; classtype:attempted-user; sid:25380; rev:7;)
# alert tcp $EXTERNAL_NET 70 -> $HOME_NET any (msg:"SERVER-OTHER Squid Gopher response processing buffer overflow attempt"; flow:to_client,established; dsize:>1024; metadata:policy max-detect-ips drop, service gopher; reference:bugtraq,49356; reference:cve,2011-3205; reference:url,www.secunia.com/advisories/45805; reference:url,www.squid-cache.org/Advisories/SQUID-2011_3.txt; classtype:attempted-user; sid:25356; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [514,515] (msg:"SERVER-OTHER HP HP Intelligent Management Center syslog remote code execution attempt"; flow:to_server; dsize:>2047; metadata:policy max-detect-ips drop, service syslog; reference:cve,2011-1854; classtype:attempted-admin; sid:25352; rev:7;)
# alert udp $HOME_NET 68 -> $HOME_NET 67 (msg:"SERVER-OTHER ISC dhcpd bootp request missing options field DOS attempt"; flow:to_server; dsize:<240; content:"|01 01 06 00|"; depth:4; fast_pattern; content:!"|63 82 53 63|"; distance:0; metadata:policy max-detect-ips drop, service dhcp; reference:bugtraq,49120; reference:cve,2011-2748; reference:cve,2011-2749; reference:url,kb.isc.org/article/AA-00454/75/CVE-2011-2748%3A-ISC-DHCP-Server-Halt.html; classtype:attempted-dos; sid:25342; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3035 (msg:"SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt"; flow:to_server, established; content:"POST"; depth:4; content:"<SERVERVERSION>"; fast_pattern; isdataat:84,relative; content:!"</SERVERVERSION>"; within:84; metadata:policy max-detect-ips drop; reference:cve,2011-2220; classtype:attempted-admin; sid:25340; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3035 (msg:"SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt"; flow:to_server, established; content:"POST"; depth:4; content:"<PSEP>"; fast_pattern; isdataat:75,relative; content:!"</PSEP>"; within:75; metadata:policy max-detect-ips drop; reference:cve,2011-2220; classtype:attempted-admin; sid:25339; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3035 (msg:"SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt"; flow:to_server, established; content:"POST"; depth:4; content:"<HNAME>"; fast_pattern; isdataat:76,relative; content:!"</HNAME>"; within:76; metadata:policy max-detect-ips drop; reference:cve,2011-2220; classtype:attempted-admin; sid:25338; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3035 (msg:"SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt"; flow:to_server, established; content:"POST"; depth:4; content:"<URL>"; fast_pattern; isdataat:74,relative; content:!"</URL>"; within:74; metadata:policy max-detect-ips drop; reference:cve,2011-2220; classtype:attempted-admin; sid:25337; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3035 (msg:"SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt"; flow:to_server, established; content:"POST"; depth:4; content:"<PROTOCOL>"; fast_pattern; isdataat:79,relative; content:!"</PROTOCOL>"; within:79; metadata:policy max-detect-ips drop; reference:cve,2011-2220; classtype:attempted-admin; sid:25336; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3035 (msg:"SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt"; flow:to_server, established; content:"POST"; depth:4; content:"<NAME>"; fast_pattern; isdataat:75,relative; content:!"</NAME>"; within:75; metadata:policy max-detect-ips drop; reference:cve,2011-2220; classtype:attempted-admin; sid:25335; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3035 (msg:"SERVER-OTHER Novell File Reporter record tag parsing buffer overflow attempt"; flow:to_server, established; content:"|B7 73 B8 1C 6B 9D 80 D5 0F 8C 4A 1E 98 1F 17 26 98 DF 26 95 52 85 D3 9F 91|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ssl; reference:cve,2011-2220; classtype:attempted-admin; sid:25334; rev:8;)
# alert tcp $EXTERNAL_NET 1745 -> $HOME_NET any (msg:"SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt"; flow:to_client,established; content:"|00|RWS"; depth:4; content:"|0F|"; depth:1; offset:16; isdataat:370; metadata:policy max-detect-ips drop, service dns; reference:cve,2011-1889; classtype:attempted-admin; sid:25312; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Rails XML parameter parsing vulnerability exploitation attempt"; flow:to_server,established; content:"POST"; http_method; content:"Content-Type"; nocase; http_header; content:"xml"; within:20; http_header; content:"yaml"; http_client_body; content:"!ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2013-0156; classtype:attempted-admin; sid:25288; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Rails XML parameter parsing vulnerability exploitation attempt"; flow:to_server,established; content:"POST"; http_method; content:"Content-Type"; nocase; http_header; content:"xml"; within:20; http_header; content:"yaml"; http_client_body; content:"!ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2013-0156; classtype:attempted-admin; sid:25287; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [19985,19988] (msg:"SERVER-OTHER HP Archive Query Server stack overflow attempt"; flow:to_server,established; content:"GIOP"; depth:4; byte_jump:4,20,relative,align; byte_jump:4,0,relative,align,post_offset 4; content:"|00 00 00 0E|"; distance:0; byte_test:4,>,2147483647,4,relative; metadata:policy max-detect-ips drop; reference:cve,2011-4163; classtype:attempted-admin; sid:25003; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [5556,443] (msg:"SERVER-OTHER Free Software Foundation GnuTLS record application integer overflow attempt"; flow:to_server,established; content:"|17 03 02 00 20|"; depth:5; metadata:policy max-detect-ips drop, service ssl; reference:cve,2012-1573; classtype:attempted-admin; sid:24995; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [5512,5513] (msg:"SERVER-OTHER ABB Multiple Product RobNetScanHost.exe buffer overflow attempt"; flow:to_server; content:"Netscan|3B|"; depth:8; content:"|3A|"; within:4; distance:5; pcre:"/^Netscan\x3b[^\x3a]{0,5}\x3b0[AE]\x3a.{23}/"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2012-0245; reference:url,www05.abb.com/global/scot/scot348.nsf/veritydisplay/f261be074480dc24c12579a00049ecd5/$file/si10227a1%20vulnerability%20security%20advisory.pdf; classtype:attempted-admin; sid:24898; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [19985,19988] (msg:"SERVER-OTHER HP Database Archiving Software GIOP parsing buffer overflow attempt"; flow:to_server,established; content:"|FF FF 07|"; depth:3; offset:77; byte_test:1,>,55,0,relative; metadata:policy max-detect-ips drop; reference:cve,2011-4164; classtype:attempted-user; sid:24802; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-OTHER RealPlayer Helix rn5auth credential overflow attempt"; flow:to_server,established; content:"rtsp|3A 2F 2F|"; content:"Authorization|3A| RN5"; isdataat:256,relative; pcre:"/^\s+?[a-z0-9]+?\x3D[^\x22\x2C]{256}/Ri"; metadata:policy max-detect-ips drop, service rtsp; reference:cve,2012-0942; reference:url,helixproducts.real.com/docs/security/SecurityUpdate04022012HS.pdf; classtype:attempted-admin; sid:24768; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services multiple opcode integer overflow attempt"; flow:to_server; content:"|1B 00 02 40|"; depth:4; content:"|00 00 00 00|"; within:4; distance:18; metadata:policy max-detect-ips drop; reference:bugtraq,49803; classtype:attempted-user; sid:24760; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services multiple opcode integer overflow attempt"; flow:to_server; content:"|1A 00 02 40|"; depth:4; content:"|00 00 00 00|"; within:4; distance:18; metadata:policy max-detect-ips drop; reference:bugtraq,49803; classtype:attempted-user; sid:24759; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services multiple opcode integer overflow attempt"; flow:to_server; content:"|19 00 02 40|"; depth:4; content:"|00 00 00 00|"; within:4; distance:19; metadata:policy max-detect-ips drop; reference:bugtraq,49803; classtype:attempted-user; sid:24758; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services multiple opcode integer overflow attempt"; flow:to_server; content:"|16 00 02 40|"; depth:4; content:"|00 00 00 00|"; within:4; distance:18; metadata:policy max-detect-ips drop; reference:bugtraq,49803; classtype:attempted-user; sid:24757; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services multiple opcode integer overflow attempt"; flow:to_server; content:"|15 00 02 40|"; depth:4; content:"|00 00 00 00|"; within:4; distance:18; metadata:policy max-detect-ips drop; reference:bugtraq,49803; classtype:attempted-user; sid:24756; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services multiple opcode integer overflow attempt"; flow:to_server; content:"|14 00 02 40|"; depth:4; content:"|00 00 00 00|"; within:4; distance:18; metadata:policy max-detect-ips drop; reference:bugtraq,49803; classtype:attempted-user; sid:24755; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services multiple opcode integer overflow attempt"; flow:to_server; content:"|13 00 02 40|"; depth:4; content:"|00 00 00 00|"; within:4; distance:18; metadata:policy max-detect-ips drop; reference:bugtraq,49803; classtype:attempted-user; sid:24754; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services multiple opcode integer overflow attempt"; flow:to_server; content:"|12 00 02 40|"; depth:4; content:"|00 00 00 00|"; within:4; distance:18; metadata:policy max-detect-ips drop; reference:bugtraq,49803; classtype:attempted-user; sid:24753; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services multiple opcode integer overflow attempt"; flow:to_server; content:"|11 00 02 40|"; depth:4; content:"|00 00 00 00|"; within:4; distance:26; metadata:policy max-detect-ips drop; reference:bugtraq,49803; classtype:attempted-user; sid:24752; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services multiple opcode integer overflow attempt"; flow:to_server; content:"|10 00 02 40|"; depth:4; content:"|00 00 00 00|"; within:4; distance:30; metadata:policy max-detect-ips drop; reference:bugtraq,49803; classtype:attempted-user; sid:24751; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services multiple opcode integer overflow attempt"; flow:to_server; content:"|0F 00 02 40|"; depth:4; content:"|00 00 00 00|"; within:4; distance:18; metadata:policy max-detect-ips drop; reference:bugtraq,49803; classtype:attempted-user; sid:24750; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services multiple opcode integer overflow attempt"; flow:to_server; content:"|0E 00 02 40|"; depth:4; content:"|00 00 00 00|"; within:4; distance:19; metadata:policy max-detect-ips drop; reference:bugtraq,49803; classtype:attempted-user; sid:24749; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services multiple opcode integer overflow attempt"; flow:to_server; content:"|0B 00 02 40|"; depth:4; content:"|00 00 00 00|"; within:4; distance:18; metadata:policy max-detect-ips drop; reference:bugtraq,49803; classtype:attempted-user; sid:24748; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services multiple opcode integer overflow attempt"; flow:to_server; content:"|0A 00 02 40|"; depth:4; content:"|00 00 00 00|"; within:4; distance:111; metadata:policy max-detect-ips drop; reference:bugtraq,49803; classtype:attempted-user; sid:24747; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services multiple opcode integer overflow attempt"; flow:to_server; content:"|05 00 02 40|"; depth:4; content:"|00 00 00 00|"; within:4; distance:18; metadata:policy max-detect-ips drop; reference:bugtraq,49803; classtype:attempted-user; sid:24746; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services multiple opcode integer overflow attempt"; flow:to_server; content:"|04 00 02 40|"; depth:4; content:"|00 00 00 00|"; within:4; distance:18; metadata:policy max-detect-ips drop; reference:bugtraq,49803; classtype:attempted-user; sid:24745; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services multiple opcode integer overflow attempt"; flow:to_server; content:"|03 00 02 40|"; depth:4; content:"|00 00 00 00|"; within:4; distance:18; metadata:policy max-detect-ips drop; reference:bugtraq,49803; classtype:attempted-user; sid:24744; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services multiple opcode integer overflow attempt"; flow:to_server; content:"|02 00 02 40|"; depth:4; content:"|00 00 00 00|"; within:4; distance:18; metadata:policy max-detect-ips drop; reference:bugtraq,49803; classtype:attempted-user; sid:24743; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services multiple opcode integer overflow attempt"; flow:to_server; content:"|01 00 02 40|"; depth:4; content:"|00 00 00 00|"; within:4; distance:18; metadata:policy max-detect-ips drop; reference:bugtraq,49803; classtype:attempted-user; sid:24742; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services multiple opcode integer overflow attempt"; flow:to_server; content:"|00 00 02 40|"; depth:4; content:"|00 00 00 00|"; within:4; distance:18; metadata:policy max-detect-ips drop; reference:bugtraq,49803; classtype:attempted-user; sid:24741; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10008 (msg:"SERVER-OTHER Gimp Script-Fu server buffer overflow attempt"; flow:to_server,established; content:"G"; depth:1; byte_test:2,>,1024,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,53741; reference:cve,2012-2763; reference:url,www.reactionpenetrationtesting.co.uk/advisories/scriptfu-buffer-overflow-GIMP-2.6.html; classtype:attempted-admin; sid:24739; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 32 00 00 00 02|"; within:8; distance:8; byte_test:4,>,0x10000,184,relative; metadata:policy max-detect-ips drop; reference:cve,2012-0409; classtype:attempted-admin; sid:24738; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9111 (msg:"SERVER-OTHER HP StorageWorks file migration agent buffer overflow attempt"; flow:to_server,established; content:"_RRP|00 01 00 00 22 00 02 00 01 00|"; depth:14; content:"<FtpPath>"; content:!"</FtpPath>"; within:266; metadata:policy max-detect-ips drop; classtype:attempted-admin; sid:24686; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"SERVER-OTHER RealNetworks Helix server open PDU denial of service attempt"; flow:to_server,established; content:"|01|"; depth:2; offset:1; byte_jump:1,22,relative,multiplier 4, post_offset 3; byte_test:4,>,0xffff,0,relative,little; metadata:policy max-detect-ips drop; reference:cve,2012-1923; reference:url,helixproducts.real.com/docs/security/SecurityUpdate04022012HS.pdf; classtype:denial-of-service; sid:24677; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [7937:] (msg:"SERVER-OTHER EMC NetWorker SunRPC format string exploit attempt"; flow:to_server,established; dsize:>64; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 05 F3 DD 00 00 00 02 00 00 00 06|"; within:12; distance:4; byte_jump:4,24,relative,align; byte_test:4,>,0,0,relative; byte_extract:4,4,string1,relative; content:"%n"; within:string1; metadata:policy max-detect-ips drop, policy security-ips drop, service sunrpc; reference:bugtraq,55330; reference:cve,2012-2288; classtype:attempted-admin; sid:24446; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Novell Remote Manager off-by-one denial of service attempt"; flow:to_server,established; content:"POST"; http_method; content:"/_LOGIN_SERVER_"; fast_pattern:only; http_uri; content:"host:"; nocase; http_header; pcre:"/host\x3a\s*?[^\x0d\x0a]{64}[\x0d\x0a]/Hi"; metadata:policy max-detect-ips drop, service http; classtype:denial-of-service; sid:24337; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 4B 00 00 1D 4C|"; within:8; distance:8; byte_test:4,>,0x10000,32,relative; metadata:policy max-detect-ips drop; reference:cve,2012-0409; classtype:attempted-admin; sid:24329; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9111 (msg:"SERVER-OTHER HP StorageWorks File Migration Agent buffer overflow attempt"; flow:to_server,established; content:"_RRP|00 01 00 00 22 00 02 00|"; depth:12; content:"|31 00 2C 00 30 00 2C 00 30 00 2C 00 30 00 2C 00 30 00 2C 00|"; within:20; distance:12; isdataat:512,relative; content:!"|0A|"; within:512; metadata:policy max-detect-ips drop; classtype:attempted-admin; sid:24321; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [7937:] (msg:"SERVER-OTHER EMC NetWorker SunRPC buffer overflow attempt"; flow:to_server,established; dsize:>64; byte_test:4,=,0x0,8; content:"|00 05 F3 DD 00 00 00 02 00 00 00 06|"; depth:12; offset:16; byte_jump:4,24,relative,align; byte_test:4,>,0,0,relative; byte_test:4,>=,0x708,4,relative; metadata:policy max-detect-ips drop, service sunrpc; reference:cve,2012-2228; reference:url,blog.exodusintel.com/2012/08/29/when-wrapping-it-up-goes-wrong/; classtype:attempted-admin; sid:24293; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [67,68] (msg:"SERVER-OTHER Dhcpcd packet size buffer overflow attempt"; flow:stateless; dsize:>1456; content:"|02 01 06|"; fast_pattern; content:"|63 82 53 63|"; within:4; distance:233; metadata:policy max-detect-ips drop, service dhcp; reference:bugtraq,53354; reference:cve,2012-2152; classtype:attempted-admin; sid:23993; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3817 (msg:"SERVER-OTHER HP Data Protector Express stack buffer overflow attempt"; flow:to_server,established; content:"|51 84|"; depth:2; content:"|02 02 02 32 06 00 00 00|"; within:8; distance:2; isdataat:104,relative; content:"|20 03|"; within:2; distance:104; isdataat:210,relative; content:!"|00|"; within:1500; distance:210; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,52431; reference:cve,2012-0124; classtype:attempted-admin; sid:23632; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27000 (msg:"SERVER-OTHER Flexera FlexNet License Server buffer overflow attempt"; flow:to_server,established; content:"|2F|"; depth:1; byte_test:2,>,510,3,relative; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:14; distance:5; metadata:policy max-detect-ips drop; reference:bugtraq,52718; reference:url,aluigi.altervista.org/adv/lmgrd_1-adv.txt; reference:url,flexerasoftware.com/pl/13057.htm; classtype:attempted-admin; sid:23444; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services stack buffer overflow attempt"; flow:to_server; content:"|06 00 02 40|"; depth:4; content:"|00 00 00 00|"; within:4; distance:22; metadata:policy max-detect-ips drop; classtype:attempted-admin; sid:23398; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS [1315,2315] (msg:"SERVER-OTHER IBM SolidDB redundant where clause DoS attempt"; flow:to_server,established; flowbits:isset,soliddb; content:"|02 00 00 01 00 0F|"; fast_pattern:only; content:"where"; nocase; pcre:"/where[\s\x28]+(?P<var>[^\s]+)\s+[^\x01]*?(and|or|not)[\s\x28]+(?P=var)\s/i"; metadata:policy max-detect-ips drop; reference:cve,2012-0200; reference:url,ibm.com/support/docview.wss?uid=swg1IC81244; classtype:attempted-dos; sid:23392; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [20101,20102] (msg:"SERVER-OTHER Trend Micro Control Manager AddTask stack buffer overflow attempt"; flow:to_server,established; content:"|15 09|"; depth:2; offset:13; byte_test:4,>,408,0,relative; metadata:policy max-detect-ips drop; reference:cve,2011-5001; classtype:attempted-user; sid:23355; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER HP DPNECentral RequestCopy type SQL injection attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"|2F|dpnepolicyservice|2F|DPNECentral.asmx"; nocase; http_uri; content:"<RequestCopy"; nocase; http_client_body; content:"type"; distance:0; nocase; http_client_body; pcre:"/\x3ctype\x3e.*?((\%27)|(\')|(\-\-)|(\%23)).*?\x3c\x2ftype\x3e/smixP"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-3158; reference:url,h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03058866&ac.admitted=1322233177040.876444892.492883150; classtype:web-application-attack; sid:23241; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [3200:3299] (msg:"SERVER-OTHER SAP NetWeaver Dispatcher denial of service attempt"; flow:to_server,established; content:"|10 0F 01 00 11|"; depth:5; offset:21; byte_test:2,>,255,13,relative; metadata:policy max-detect-ips drop; reference:cve,2012-2514; reference:url,www.exploit-db.com/exploits/18853/; classtype:attempted-dos; sid:23112; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [3200:3299] (msg:"SERVER-OTHER SAP NetWeaver Dispatcher DiagTraceHex denial of service attempt"; flow:to_server,established; content:"|00 10 04 26 00 04 00 00 00 01 12 04 18|"; depth:13; offset:11; byte_test:1,&,0xFF,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,53424; reference:cve,2012-2612; classtype:attempted-dos; sid:23099; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS [1315,2315] (msg:"SERVER-OTHER IBM solidDB SELECT statement denial of service attempt"; flow:to_server,established; content:"|02 00 00 01 00 0F|"; depth:6; content:"rownum"; offset:15; nocase; content:"SELECT"; distance:0; nocase; metadata:policy max-detect-ips drop; reference:bugtraq,51629; reference:cve,2011-4890; reference:url,www-01.ibm.com/support/docview.wss?rs=3457&uid=swg1IC79861; classtype:denial-of-service; sid:23097; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13722 (msg:"SERVER-OTHER VERITAS NetBackup java authentication service format string exploit attempt"; flow:to_server,established; content:"foo%n"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,15079; reference:cve,2005-2715; reference:url,secunia.com/advisories/17181; classtype:attempted-user; sid:23096; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [3200:3299] (msg:"SERVER-OTHER SAP NetWeaver Dispatcher DiagTraceR3Info buffer overflow attempt"; flow:to_server,established; content:"|00 10 04 26 00 04 00 00 00 01 10 06 20|"; depth:13; offset:11; content:!"|00 0C|"; within:17; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,53424; reference:cve,2012-2611; classtype:attempted-admin; sid:23056; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 16388 (msg:"SERVER-OTHER Iron Mountain connected backup opcode 13 processing command injection attempt"; flow:to_server,established; content:"<Popupmessage>"; nocase; content:"<type>13</type>"; within:100; nocase; content:"<NotificationText"; within:100; fast_pattern; nocase; metadata:policy max-detect-ips drop; reference:bugtraq,50884; reference:cve,2011-2397; classtype:misc-attack; sid:22952; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 52312 (msg:"SERVER-OTHER IBM Tivoli Endpoint Manager Web Reports xss attempt"; flow:to_server,established; content:"ScheduleParam"; nocase; pcre:"/^\x3d[^\s\x26\x0d\x0a]*?\x2527/iR"; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0719; reference:url,www.ibm.com/support/docview.wss?uid=swg21587743; classtype:attempted-user; sid:21944; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8300 (msg:"SERVER-OTHER Novell Groupwise HTTP login request"; flow:to_server,established; content:"NM_A_PARM1"; fast_pattern:only; flowbits:set,groupwise.request; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21916; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8300 (msg:"SERVER-OTHER Novell Groupwise HTTP login request"; flow:to_server,established; content:"NM_A_SZ_TRANSACTION_ID"; fast_pattern:only; flowbits:set,groupwise.request; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:21915; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 998 (msg:"SERVER-OTHER Novell ZENWorks configuration management preboot opcode 6C request buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 6C|"; depth:4; nocase; byte_jump:4,0,relative; byte_jump:4,0,relative; byte_jump:4,0,relative; byte_jump:4,0,relative; byte_test:4,>,2046,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,52659; reference:cve,2011-3176; reference:url,support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5127930.html; classtype:attempted-user; sid:21914; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3916 (msg:"SERVER-OTHER EMC data protection advisor DOS attempt"; flow:to_server,established; content:"<CXMLREQUEST>"; nocase; content:"<AUTHENTICATECONNECTION>"; distance:0; nocase; content:"<AUTHENTICATIONDATA>"; distance:0; nocase; content:!"<PASSWORD>"; distance:0; nocase; content:"</AUTHENTICATIONDATA>"; metadata:policy max-detect-ips drop; reference:url,aluigi.org/adv/dpa_1-adv.txt; classtype:attempted-dos; sid:21913; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 998 (msg:"SERVER-OTHER Novell ZENWorks configuration management preboot request buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 4C|"; depth:4; nocase; byte_jump:4,0,relative; byte_jump:4,0,relative; byte_jump:4,0,relative; byte_test:4,>,2046,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,52659; reference:cve,2011-3176; classtype:attempted-user; sid:21752; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6070 (msg:"SERVER-OTHER CA BrightStor Agent for Microsoft SQL overflow attempt"; flow:to_server,established; isdataat:3163; byte_test:2,>,0x6e2,694; metadata:policy max-detect-ips drop; reference:bugtraq,14453; reference:cve,2005-1272; classtype:attempted-admin; sid:21663; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"SERVER-OTHER Novell iPrint attributes-natural-language buffer overflow attempt"; flow:to_server,established; content:"Content-type|3A| application/ipp"; fast_pattern:only; content:"attributes-natural-language"; nocase; byte_test:2,>,31,0,big,relative; metadata:policy max-detect-ips drop, service http; reference:bugtraq,51791; reference:cve,2011-4194; reference:url,novell.com/support/kb/doc.php?id=7010084; classtype:attempted-user; sid:21378; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23472 (msg:"SERVER-OTHER HP Diagnostics Server magentservice.exe stack overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; isdataat:1096,relative; metadata:policy max-detect-ips drop; reference:bugtraq,51398; reference:cve,2011-4789; classtype:attempted-admin; sid:21050; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1500 (msg:"SERVER-OTHER IBM Tivoli Storage Manager Express Backup initialization packet"; flow:to_server,established; content:"|00 04 1D A5|"; depth:4; flowbits:set,tivoli.backup; flowbits:noalert; classtype:protocol-command-decode; sid:20874; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 497 (msg:"SERVER-OTHER EMC Retrospect client crafted packet buffer overflow attempt"; flow:to_server,established; content:"|00 68 00 00 00 00 00|"; depth:7; byte_test:1,>,0x24,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,17948; reference:cve,2006-2391; classtype:attempted-admin; sid:20749; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9850 (msg:"SERVER-OTHER Novell Groupwise internet agent http uri buffer overflow attempt"; flow:to_server,established; content:"/gwagents|2E|css?"; fast_pattern; nocase; isdataat:239,relative; content:!"|20| HTTP"; within:239; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2011-0334; classtype:attempted-user; sid:20607; rev:11;)
# alert tcp $EXTERNAL_NET [80,8090] -> $HOME_NET any (msg:"SERVER-OTHER Nullsoft Winamp Ultravox streaming malicious metadata"; flow:to_client,established; content:"misc/ultravox"; http_header; file_data; content:"|5A|"; within:1; content:"|39 01|"; within:2; distance:1; content:"<name>"; distance:0; nocase; isdataat:266,relative; content:!"</name>"; within:256; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0065; classtype:attempted-user; sid:20110; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-OTHER IBM Tivoli Directory Server ibmslapd.exe stack buffer overflow attempt"; flow:to_server,established; content:"CRAM-MD5"; nocase; content:"|04 84 FF FF FF FF|"; within:7; metadata:policy max-detect-ips drop, service ldap; reference:cve,2011-1206; reference:url,www-304.ibm.com/support/docview.wss?uid=swg21496117; classtype:attempted-admin; sid:19938; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER CA Total Defense Suite UNCWS getDBConfigSettings credential information disclosure attempt"; flow:to_server, established; content:"POST"; http_method; content:"/UNCWS/Management.asmx"; fast_pattern:only; http_uri; content:"<getDBConfigSettings"; nocase; http_client_body; metadata:policy max-detect-ips drop, service http; reference:bugtraq,47356; reference:cve,2011-0406; classtype:attempted-admin; sid:19812; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER CA Total Defense Suite UNCWS deleteReportTemplate SQL injection attempt"; flow:to_server, established; content:"POST"; nocase; http_method; content:"/UNCWS/Management.asmx/deleteReportTemplate"; fast_pattern:only; http_uri; content:"reportTemplateID="; nocase; http_client_body; pcre:"/reportTemplateID=[^&]*?[\x3b\x29]/iP"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1655; classtype:attempted-admin; sid:19810; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 2810 (msg:"SERVER-OTHER HP Intelligent Management Center dbman buffer overflow attempt"; flow:to_server; content:"|F7 10 3D 21|"; depth:4; isdataat:58,relative; content:!"|00|"; within:32; distance:26; metadata:policy max-detect-ips drop; reference:bugtraq,47789; reference:cve,2011-1850; classtype:attempted-admin; sid:19649; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8899 (msg:"SERVER-OTHER Oracle VM server agent command injection"; flow:to_server, established; content:"|C7 42 AD F2 57 01 C1 17 03 00 04 20 8F 5C C8 C6 D3 B9 C3 E4 F0|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:cve,2010-3582; classtype:attempted-user; sid:19452; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8899 (msg:"SERVER-OTHER Oracle VM server agent command injection"; flow:to_server, established; content:"|24 BC 40 F2 2E CF 73 91 BA 67 E0 36 ED 87 2B 28 4D 67 D8 8D|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:cve,2010-3582; classtype:attempted-user; sid:19451; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38292 (msg:"SERVER-OTHER Symantec Antivirus Intel Service DoS Attempt"; flow:to_server,established; content:"|41 6E 74 69 56 69 72 75 73 20 43 6F 72 70 6F 72 61 74 65 20 45 64 69 74 69 6F 6E 00 56 02 8E 4A 3F 09 00 53 59 4D 32 4B 53 52 56 00 07 08 0B 00 56 69 72 75 73 20 4E 61 6D 65 00 FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,45935; reference:cve,2010-0111; classtype:attempted-dos; sid:19313; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-OTHER SAP Crystal Reports 2008 directory traversal attempt"; flow:to_server,established; content:"/PerformanceManagement/jsp/qa.jsp?"; nocase; http_uri; content:"func=browse"; distance:0; http_uri; content:"path="; http_uri; pcre:"/path\x3d(\x2e\x2e|\x2f\x2e\x2e)/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45980; classtype:web-application-attack; sid:19223; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1526,9088] (msg:"SERVER-OTHER IBM Informix Dynamic Server set environment buffer overflow attempt"; flow:to_server,established; content:"SET|20|ENVIRONMENT"; nocase; content:"USELASTCOMMITTED"; distance:0; fast_pattern; nocase; pcre:"/set\s+environment\s+uselastcommitted\s+[\x22\x27][^\x22\x27\x0A\x0D]{131}/i"; metadata:policy max-detect-ips drop; reference:cve,2011-1033; classtype:attempted-admin; sid:19210; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services streamprocess.exe buffer overflow attempt"; flow:to_server; dsize:>512; content:"|17 00 02 40|"; depth:4; metadata:policy max-detect-ips drop; reference:bugtraq,45914; reference:url,support.citrix.com/article/CTX127149; classtype:attempted-user; sid:19208; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38292 (msg:"SERVER-OTHER Symantec Alert Management System AMSSendAlertAck stack buffer overflow attempt"; flow:established, to_server; content:"|FF FF FF FF|"; depth:4; content:"PAGECNFG"; within:8; distance:26; byte_test:2,>,0x400,0,little,relative; metadata:policy max-detect-ips drop; reference:cve,2010-0110; classtype:attempted-admin; sid:19207; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [523,524] (msg:"SERVER-OTHER IBM DB2 Universal Database receiveDASMessage buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 00|DB2DAS|20 20 20 20 20 20|"; depth:16; byte_test:4,>,0xFFFFFFD8,16,relative,little; metadata:policy max-detect-ips drop; reference:bugtraq,46052; reference:cve,2011-0731; classtype:attempted-admin; sid:19206; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Novell iManager Tree parameter denial of service attempt"; flow:to_server,established; content:"/nps/servlet/webacc"; fast_pattern:only; http_uri; content:"tree="; nocase; http_client_body; pcre:"/tree\x3d[^\x26]{256}/Pi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,20841; reference:bugtraq,40485; reference:cve,2006-4517; reference:cve,2010-1930; classtype:attempted-dos; sid:19205; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER strongSwan Certificate and Identification payload overflow attempt"; flow:to_server; content:"|00 00 00 14 E3 53 34 B2 09 54 7F 6A A4 D9 F4 A9 A3 88 DE DD|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,42444; reference:cve,2010-2628; classtype:attempted-admin; sid:19182; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5405 (msg:"SERVER-OTHER NetSupport Manager client buffer overflow attempt"; flow:to_server,established; content:"|15 00 5A 00|AAAAAAAAAAAAAAAA"; depth:20; metadata:policy max-detect-ips drop; reference:bugtraq,45728; reference:cve,2011-0404; classtype:attempted-admin; sid:19161; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5405 (msg:"SERVER-OTHER NetSupport Manager client buffer overflow attempt"; flow:to_server,established; content:"|15 15|AAAAAAAAAAAAAAAAAA"; depth:20; metadata:policy max-detect-ips drop; reference:bugtraq,45728; reference:cve,2011-0404; classtype:attempted-admin; sid:19160; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1530 (msg:"SERVER-OTHER HP Data Protector Manager RDS attempt"; flow:to_server,established; content:"|23 8C 29 B6|"; depth:4; byte_test:4,>,0xFFFF,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,45725; reference:cve,2011-0514; classtype:denial-of-service; sid:19159; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1526,9088] (msg:"SERVER-OTHER IBM Informix EXPLAIN stack buffer overflow attempt"; flow:to_server, established; content:"EXPLAIN"; nocase; isdataat:935,relative; pcre:"/SET\s*EXPLAIN\s*FILE\s*TO\s*[\x22\x27][^\x22\x27]{927}/smi"; metadata:policy max-detect-ips drop; reference:bugtraq,44192; reference:cve,2010-4053; classtype:attempted-admin; sid:19121; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1526,9088] (msg:"SERVER-OTHER IBM Informix DBINFO stack buffer overflow"; flow:to_server, established; content:"DBINFO("; nocase; isdataat:281,relative; pcre:"/\s*[\x22\x27]version[\x22\x27]\s*,\s*[\x22\x27][^\x22\x27]{269}/smiR"; metadata:policy max-detect-ips drop; reference:bugtraq,44190; reference:cve,2010-4069; classtype:attempted-admin; sid:19120; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 30005 (msg:"SERVER-OTHER IBM Tivoli Storage Manager FastBack mount service code execution attempt"; flow:to_server; isdataat:7; content:"|04 00 00 00|"; depth:4; metadata:policy max-detect-ips drop; reference:bugtraq,42549; reference:cve,2010-3058; classtype:attempted-admin; sid:19116; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"SERVER-OTHER HP Data Protector Manager MMD service buffer overflow attempt"; flow:to_server,established; content:"|FE FF 00 32 00 36 00 37 00 00|"; depth:10; offset:4; content:"|00 00|"; distance:0; content:"|00 00|"; distance:0; content:"|00 00|"; distance:0; content:!"|00 00|"; within:624; metadata:policy max-detect-ips drop; reference:bugtraq,45128; classtype:attempted-admin; sid:19105; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1530 (msg:"SERVER-OTHER HP OpenView Storage Data Protector Cell Manager heap overflow attempt"; flow:to_server,established; content:"|23 8C 29 B6|"; depth:4; byte_test:4,>,0xFFFFFFF8,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,37386; reference:cve,2007-2281; classtype:attempted-admin; sid:19104; rev:9;)
# alert tcp $EXTERNAL_NET [443,8888] -> $HOME_NET any (msg:"SERVER-OTHER OpenSSL ssl3_get_key_exchange use-after-free attempt"; flow:to_client,established; ssl_state:server_keyx; content:"|03 00 17 41 04 DE 85 30 79 B2 47 60 F1 BB 59 B6 03 F3 1F 6F 05|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ssl; reference:bugtraq,42306; reference:cve,2010-2939; classtype:attempted-admin; sid:19092; rev:10;)
# alert tcp $EXTERNAL_NET [443,8888] -> $HOME_NET any (msg:"SERVER-OTHER OpenSSL ssl3_get_key_exchange use-after-free attempt"; flow:to_client,established; ssl_state:server_keyx; content:"|03 00 17 41 04 04 65 28 13 29 CF 08 AA AC 13 CE 6C 72 AB D2 E5|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ssl; reference:bugtraq,42306; reference:cve,2010-2939; classtype:attempted-admin; sid:19091; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Squid Proxy Expect header null pointer denial of service attempt"; flow:to_server,established; content:"Expect:|0D 0A|"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42982; reference:cve,2010-3072; classtype:attempted-dos; sid:19073; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER RealNetworks Helix Server NTLM authentication heap overflow attempt"; flow:to_server,established; content:"Authorization: NTLM"; fast_pattern:only; pcre:!"/^Authorization: NTLM ([A-Z0-9\x2F\x2B]{4})+([A-Z0-9\x2F\x2B]{2}\x3D\x3D|[A-Z0-9\x2F\x2B]{3}\x3D)?\x0d$/im"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,39490; reference:cve,2010-1317; classtype:attempted-admin; sid:19072; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3817 (msg:"SERVER-OTHER HP Data Protector Express DtbClsLogin buffer overflow attempt"; flow:to_server,established; content:"|51 84|"; depth:2; isdataat:260; content:!"|00|"; depth:240; offset:20; metadata:policy max-detect-ips drop; reference:bugtraq,43105; reference:cve,2010-3007; classtype:attempted-user; sid:19006; rev:9;)
# alert udp $HOME_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER ISC DHCP server zero length client ID denial of service attempt"; flow:to_server; content:"|01|"; depth:1; content:"|63 82 53 63|"; within:4; distance:235; content:"|3D 00|"; within:30; metadata:policy max-detect-ips drop; reference:bugtraq,40775; reference:cve,2010-2156; classtype:attempted-dos; sid:18935; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER MIT Kerberos KDC Ticket validation double free memory corruption attempt"; flow:to_server; content:"|A1 03 02 01 05 A2 03 02 01 0C A3 82 02 4A 30 82 02 46 30 82 02 42 A1 03|"; fast_pattern:only; content:"|40 81 00 02|"; metadata:policy max-detect-ips drop, service kerberos; reference:bugtraq,39599; reference:cve,2010-1320; reference:url,attack.mitre.org/techniques/T1097; classtype:attempted-admin; sid:18901; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-OTHER OpenLDAP Modrdn RDN NULL string denial of service attempt"; flow:to_server,established; content:"|30|"; depth:1; content:"|6C|"; within:20; content:"|03|dc="; fast_pattern:only; pcre:"/\x04(|\x81|\x82\x00|\x83\x00\x00|\x84\x00\x00\x00)\x03dc=/i"; metadata:policy max-detect-ips drop, service ldap; reference:bugtraq,41770; reference:cve,2010-0212; classtype:attempted-dos; sid:18807; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 19813 (msg:"SERVER-OTHER HP Data Protector Media Operations denial of service attempt"; flow:to_server,established; content:"|01|"; depth:1; content:"|02|"; distance:11; content:!"|00 00 00 00|"; within:4; distance:3; metadata:policy max-detect-ips drop; reference:url,secunia.com/advisories/41698; classtype:attempted-dos; sid:18799; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 19813 (msg:"SERVER-OTHER HP Data Protector Media Operations denial of service attempt"; flow:to_server,established; content:"|02|"; depth:1; content:!"|00 00 00 00|"; within:4; distance:3; metadata:policy max-detect-ips drop; reference:url,secunia.com/advisories/41698; classtype:attempted-dos; sid:18798; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 998 (msg:"SERVER-OTHER Novell ZENworks Configuration Management Preboot service code overflow attempt"; flow:to_server,established; content:"|00 00 00 06|"; depth:4; byte_test:4,>,0x200,0,relative,big; metadata:policy max-detect-ips drop; reference:bugtraq,39111; classtype:attempted-admin; sid:18791; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2400 (msg:"SERVER-OTHER Novell ZENworks Handheld Management ZfHIPCND.exe overflow attempt"; flow:to_server,established; content:"|0B|"; depth:1; byte_jump:1,0,relative; content:"|01|"; within:1; byte_test:4,>,0x1000,0,relative,little; content:"|05|"; within:1; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,44700; reference:cve,2010-4299; classtype:attempted-admin; sid:18790; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP data protector OmniInet service NULL dereference denial of service attempt"; flow:to_server,established; content:"|FE FF 00 32 00 00 20 00|"; depth:12; offset:4; byte_jump:4,-12,relative,post_offset -4; content:!"|00 00 00 00|"; within:4; metadata:policy max-detect-ips drop; reference:url,support.ixiacom.com/strikes/denial/misc/hp_data_protector_omnilnet_dos.xml; classtype:denial-of-service; sid:18777; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER OpenSSL CMS structure OriginatorInfo memory corruption attempt"; flow:to_client,established; file_data; content:"|06 09 2A 86 48 86 F7 0D 01 07 03|"; content:"|A0 03 02 01 02 02 0B 01 00 00 00 00 01 16 0F 8C 27 81|"; within:48; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40502; reference:cve,2010-0742; classtype:attempted-user; sid:18766; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP Data Protector Backup Client Service code execution attempt"; flow:to_server,established; content:"|FF FE 32 00 00 00|"; depth:6; offset:4; content:"|32 00 36 00 00 00 20 00 5C 00 5C 00|"; distance:0; metadata:policy max-detect-ips drop; reference:cve,2011-0922; classtype:suspicious-filename-detect; sid:18754; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10001 (msg:"SERVER-OTHER Zend Server Java Bridge remote code execution attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 00 0C|CreateObject|00 00 00 02|"; depth:24; offset:4; metadata:policy max-detect-ips drop; reference:bugtraq,47060; classtype:attempted-admin; sid:18753; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [443,465,563,636,989,992:995,7801,7802,7900:7920] (msg:"SERVER-OTHER OpenSSL TLS connection record handling denial of service attempt"; flow:to_server,established; ssl_state:unknown; content:"|17 FE FF|"; depth:3; metadata:policy max-detect-ips drop; reference:bugtraq,39013; reference:cve,2010-0740; classtype:attempted-dos; sid:18714; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [443,465,563,636,989,992:995,7801,7802,7900:7920] (msg:"SERVER-OTHER OpenSSL TLS connection record handling denial of service attempt"; flow:to_server,established; ssl_state:unknown; content:"|17 01 00|"; depth:3; metadata:policy max-detect-ips drop, service ssl; reference:bugtraq,39013; reference:cve,2010-0740; classtype:attempted-dos; sid:18713; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8081 (msg:"SERVER-OTHER McAfee ePolicy Orchestrator Framework Services buffer overflow attempt"; flow:to_server,established,only_stream; isdataat:128; pcre:"/^(?!GET|PUT|HEAD|POST)[^\x00\r\n]{128}/"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28573; reference:cve,2008-1855; classtype:attempted-admin; sid:18710; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Oracle Java Applet2ClassLoader Remote Code Execution"; flow:to_client,established; file_data; content:"codebase|3D 22|file|3A|"; nocase; content:"code|3D 22|"; distance:0; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2010-4452; reference:url,exploit-db.com/exploits/16990/; classtype:attempted-user; sid:18679; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 267 buffer overflow attempt"; flow:to_server,established; content:"2|00|6|00|7|00 00 00|"; depth:8; offset:6; content:"|00 00|"; distance:0; content:"|00 00|"; within:75; content:"|00 00|"; within:75; isdataat:64,relative; content:!"|00 00|"; within:64; metadata:policy max-detect-ips drop; reference:bugtraq,37396; reference:cve,2007-2280; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01124817; classtype:attempted-admin; sid:18587; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13722 (msg:"SERVER-OTHER VERITAS NetBackup java authentication service format string exploit attempt"; flow:to_server,established; content:" 101 "; pcre:"/^ 101\s+\d+[^\x0a]*\x0a[^\x0a]*\x25/sm"; metadata:policy max-detect-ips drop; reference:bugtraq,15079; reference:cve,2005-2715; reference:url,secunia.com/advisories/17181; classtype:attempted-user; sid:18555; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER MIT Kerberos KDC authentication denial of service attempt"; flow:to_server,established; content:"|6A|"; depth:1; content:"|A1 03 02 01 05 A2 03 02 01|"; within:30; byte_test:1,!=,0x0A,0,relative; metadata:policy max-detect-ips drop, service kerberos; reference:bugtraq,38260; reference:cve,2010-0283; reference:url,attack.mitre.org/techniques/T1097; classtype:attempted-dos; sid:18534; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER MIT Kerberos KDC authentication denial of service attempt"; flow:to_server; content:"|6A|"; depth:1; content:"|A1 03 02 01 05 A2 03 02 01|"; within:30; byte_test:1,!=,0x0A,0,relative; metadata:policy max-detect-ips drop, service kerberos; reference:bugtraq,38260; reference:cve,2010-0283; reference:url,attack.mitre.org/techniques/T1097; classtype:attempted-dos; sid:18533; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-OTHER Lotus Domino LDAP Heap Buffer Overflow Attempt"; flow:to_server,established; content:"|30|"; depth:1; content:"|68|"; within:15; content:"|04 84 FF FF FF|"; within:20; byte_test:1,>,0xF3,0,relative; metadata:policy max-detect-ips drop, service ldap; reference:cve,2010-0358; classtype:attempted-user; sid:18525; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER Multiple vendor anti-virus extended ASCII filename scan bypass attempt"; flow:to_server,established; content:"ascii|2F|eicar|01|1.com"; http_uri; metadata:policy max-detect-ips drop, service http; classtype:misc-attack; sid:18524; rev:9;)
# alert udp $EXTERNAL_NET 1111 -> $HOME_NET 1111 (msg:"SERVER-OTHER Sourcefire Snort packet fragmentation reassembly denial of service attempt"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern:only; id:27002; fragbits:+M; metadata:policy max-detect-ips drop; reference:bugtraq,22872; reference:cve,2007-1398; classtype:attempted-dos; sid:18511; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER Ingres Database iidbms heap overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; byte_test:1,&,0x80,4; metadata:policy max-detect-ips drop; reference:bugtraq,38001; classtype:attempted-user; sid:18487; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SERVER-OTHER Linux Kernel SNMP Netfilter Memory Corruption attempt"; content:"|01 04|"; depth:2; offset:4; byte_jump:1,0,relative; content:"|A4 02 61 61|"; within:4; metadata:policy max-detect-ips drop; reference:bugtraq,18081; reference:cve,2006-2444; classtype:attempted-dos; sid:17738; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [689,1001] (msg:"SERVER-OTHER Novell NetMail NMAP STOR buffer overflow attempt"; flow:to_server,established; content:"STOR "; depth:5; nocase; isdataat:128,relative; content:!"|00|"; within:128; metadata:policy max-detect-ips drop; reference:bugtraq,21725; reference:cve,2006-6424; classtype:attempted-admin; sid:17713; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13701 (msg:"SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt"; flow:to_server,established; dsize:>84; byte_test:1,>,80,0; metadata:policy max-detect-ips drop; reference:bugtraq,15353; reference:cve,2005-3116; classtype:attempted-admin; sid:17710; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5800 (msg:"SERVER-OTHER VNC password request URL buffer overflow attempt"; flow:to_server,established; content:"GET "; depth:4; isdataat:1029,relative; content:!"|0A|"; within:1024; metadata:policy max-detect-ips drop; reference:bugtraq,17378; reference:cve,2006-1652; classtype:web-application-attack; sid:17708; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13722 (msg:"SERVER-OTHER Veritas NetBackup java user interface service format string attack attempt"; flow:to_server,established; content:"|20|101|20|"; byte_test:10,>,0,0,relative,string; pcre:"/^\s*\d+\s*\n[^\n]*?\x25/R"; metadata:policy max-detect-ips drop; reference:bugtraq,15079; reference:cve,2005-2715; classtype:attempted-admin; sid:17706; rev:10;)
# alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"SERVER-OTHER ISC BIND DNSSEC Validation Multiple RRsets DoS"; flow:to_server; content:"|01 10|"; depth:2; offset:2; content:"|00 80 01 00 01 00 00 29|"; isdataat:!9,relative; content:"|03|com"; content:"|03|com"; within:4; distance:4; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,22231; reference:cve,2007-0494; classtype:attempted-dos; sid:17680; rev:10;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER VMware Workstation DHCP service integer overflow attempt"; ip_proto:17; dsize:4; content:"|00 44 00 43|"; depth:4; metadata:policy max-detect-ips drop; reference:bugtraq,14687; reference:cve,2007-0064; classtype:attempted-admin; sid:17662; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Oracle Java Web Start arbitrary command execution attempt"; flow:to_client,established; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; nocase; content:"jnlpDocbase=|22|ABBA|3A|"; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:17660; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13782 (msg:"SERVER-OTHER Symantec NetBackup BPCD Daemon exploit attempt"; flow:to_server,established; content:"|00 18 00 24 00 01 00 00 EE 0B|"; depth:10; metadata:policy max-detect-ips drop; reference:bugtraq,21565; reference:cve,2006-6222; classtype:attempted-admin; sid:17657; rev:7;)
alert tcp $EXTERNAL_NET 41523 -> $HOME_NET any (msg:"SERVER-OTHER Products Discovery Service Buffer Overflow"; flow:to_client,established; flowbits:set,CA.response; content:"TESTTESTTESTTESTTESTTESTTEST"; fast_pattern:only; isdataat:990; metadata:policy max-detect-ips drop; reference:bugtraq,20364; reference:cve,2006-5143; classtype:attempted-user; sid:17620; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4662 (msg:"SERVER-OTHER Xi Software Net Transport eDonkey Protocol Buffer Overflow attempt"; flow:to_server,established; content:"|E3|"; depth:1; content:"|01|"; within:1; distance:4; content:"|74 65 73 74 03 01 00 11 3C 00|"; within:10; distance:32; fast_pattern; metadata:policy max-detect-ips drop; reference:bugtraq,40617; classtype:attempted-user; sid:17607; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Oracle Java AWT ConvolveOp memory corruption attempt"; flow:to_client,established; file_data; content:"java/awt/image/ConvolveOp|0C 00 0E 00 23 01 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,21675; reference:cve,2006-6731; reference:url,sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1; classtype:attempted-user; sid:17604; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 50000 (msg:"SERVER-OTHER IBM DB2 Universal Database rdbname denial of service attempt"; flow:to_server,established; flowbits:isset,ibmdb2.accsec; content:"|D0|"; content:"|10 6D|"; within:2; distance:5; content:"|21 10|"; within:75; metadata:policy max-detect-ips drop, service drda; reference:bugtraq,19586; reference:cve,2006-4257; classtype:attempted-dos; sid:17599; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 50000 (msg:"SERVER-OTHER IBM DB2 Universal Database accsec command without rdbnam"; flow:to_server,established; content:"|D0|"; content:"|10 6D|"; within:2; distance:5; content:!"|21 10|"; flowbits:set,ibmdb2.accsec; flowbits:noalert; metadata:policy max-detect-ips drop, service drda; reference:bugtraq,19586; reference:cve,2006-4257; classtype:attempted-dos; sid:17598; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-OTHER BEA Weblogic Admin Console Cross Site Scripting Vulnerability attempt"; flow:to_server,established; content:"/console/login/LoginForm.jsp?"; nocase; http_uri; content:"j_password=|22 22|onBlur=|22|window.open"; distance:0; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13793; reference:cve,2005-1747; classtype:web-application-attack; sid:17569; rev:9;)
# alert udp $EXTERNAL_NET !53 -> $HOME_NET 65535 (msg:"SERVER-OTHER LANDesk Management Suite Alerting Service buffer overflow attempt"; flow:to_server; dsize:>268; metadata:policy max-detect-ips drop; reference:bugtraq,23483; reference:cve,2007-1674; classtype:attempted-admin; sid:17567; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3050 (msg:"SERVER-OTHER Firebird database invalid state integer overflow attempt"; flow:to_server,established; content:"|00 00 00 18 00 00 61 61 00 00 61 61|"; depth:12; metadata:policy max-detect-ips drop; reference:bugtraq,27403; reference:cve,2008-0387; classtype:attempted-dos; sid:17556; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 921 (msg:"SERVER-OTHER Wireshark LWRES Dissector getaddrsbyname buffer overflow attempt"; flow:to_server; content:"|00 00 01 5D 00 00 00 00|"; depth:8; content:"|00 01 00 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 01|"; within:24; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,37985; reference:cve,2010-0304; classtype:attempted-dos; sid:17544; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"SERVER-OTHER Apple CUPS Text to PostScript Filter Integer Overflow attempt"; flow:to_server,established; flowbits:isset,ipp.application; content:"printer-uri"; nocase; content:"ipp://"; within:6; distance:2; pcre:"/(((c|l)pi\x00.{1}(-\d|0)\x21)|(columns\x00.{1}(-\d|0)\x21)|(page-(right|left|top|bottom)\x00.{1}(-\d|0|([3-9]\d{5}|24\d{4}|236\d{3}|23593\d{1}|23592[2-9])\x21)))/is"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,31690; reference:cve,2008-3640; classtype:attempted-user; sid:17535; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"SERVER-OTHER IPP Application Content"; flow:to_server,established; content:"Content-Type|3A|"; nocase; content:"application/ipp"; distance:1; nocase; flowbits:set,ipp.application; flowbits:noalert; metadata:service http; classtype:protocol-command-decode; sid:17534; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"SERVER-OTHER HP OpenView Storage Data Protector Stack Buffer Overflow"; flow:to_server, established; content:"|FF FE 32 00 36 00 37 00 00 00|"; depth:72; content:"|20 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 00 00 20 00|"; distance:0; metadata:policy max-detect-ips drop; reference:cve,2007-2280; reference:cve,2007-2881; classtype:attempted-admin; sid:17530; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4011 (msg:"SERVER-OTHER Fujitsu SystemcastWizard Lite PXEService UDP Handling Buffer Overflow"; flow:to_server; dsize:>1024; metadata:policy max-detect-ips drop; reference:bugtraq,33342; reference:cve,2009-0270; classtype:attempted-admin; sid:17524; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SERVER-OTHER GoodTech SSH Server SFTP processing buffer overflow attempt"; flow:to_server,established; content:"|C4 90 89 C8 19 AD BD 70 41 AB EF 40 55 31 B3 B8|"; offset:62; metadata:policy max-detect-ips drop, service ssh; reference:bugtraq,31879; reference:cve,2008-4726; classtype:attempted-user; sid:17521; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6504 (msg:"SERVER-OTHER CA ARCserve Backup DB Engine Denial of Service"; flow:to_server,established; dce_iface:506b1890-14c8-11d1-bbc3-00805fa6962e; dce_opnum:548; content:"|05|"; byte_test:1,&,16,3,relative,dce; content:"|00|"; within:1; distance:1; content:"|24 02|"; within:2; distance:19; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,31684; reference:cve,2008-4399; classtype:protocol-command-decode; sid:17520; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [7460,7461,7465] (msg:"SERVER-OTHER Novell ZENworks Asset Management buffer overflow attempt"; flow:to_server,established; content:"|FF FF FF FF|"; depth:4; offset:59; metadata:policy max-detect-ips drop; reference:bugtraq,21395; reference:cve,2006-6299; classtype:attempted-admin; sid:17504; rev:7;)
# alert tcp $EXTERNAL_NET [5800,5900:5999] -> $HOME_NET any (msg:"SERVER-OTHER VNCViewer Authenticate buffer overflow attempt"; flow:to_client,established; flowbits:isset,vnc.auth; content:"|00 00 00|"; depth:3; content:"|7F FF FF FF|"; within:4; distance:1; pcre:"/^\x00{3}[\x00\x01]\x7f\xff{3}/m"; metadata:policy max-detect-ips drop, service vnc-server; reference:bugtraq,33568; reference:cve,2009-0388; classtype:attempted-user; sid:17397; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [5800,5900:5999] (msg:"SERVER-OTHER VNC client authentication response"; flow:to_server,established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; flowbits:set,vnc.auth; flowbits:noalert; metadata:service vnc-server; classtype:protocol-command-decode; sid:17396; rev:13;)
# alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"SERVER-OTHER IBM Lotus Notes Cross Site Scripting attempt"; flow:to_client,established; content:"<SCRIPT>|0D 0A|alert|28 22|"; nocase; metadata:policy max-detect-ips drop, service pop3; reference:bugtraq,14164; reference:cve,2005-2175; classtype:string-detect; sid:17346; rev:11;)
# alert udp $EXTERNAL_NET 1604 -> $HOME_NET any (msg:"SERVER-OTHER Citrix Program Neighborhood Client buffer overflow attempt"; content:"|04 33|"; depth:2; offset:2; isdataat:292,relative; pcre:"/^.{36}([^\x00]{0,255}\x00)*[^\x00]{256}/isR"; metadata:policy max-detect-ips drop; reference:bugtraq,15907; reference:cve,2005-3652; classtype:attempted-user; sid:17326; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SERVER-OTHER OpenSSH sshd identical blocks DoS attempt"; flow:to_server,established; content:"|00 03|"; depth:2; byte_test:4,>,200000,0,relative; metadata:policy max-detect-ips drop, service ssh; reference:bugtraq,20216; reference:cve,2006-4924; classtype:attempted-admin; sid:17317; rev:11;)
# alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"SERVER-OTHER ISC BIND RRSIG query denial of service attempt"; content:"|03 77 77 77 04 74 65 73 74 03 63 6F 6D 00 00 2E 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,23738; reference:cve,2007-2241; classtype:attempted-dos; sid:17299; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1918,6014,10110,14206,18302] (msg:"SERVER-OTHER IBM Tivoli Monitoring Express Universal Agent Buffer Overflow"; flow:to_server,established; stream_size:client,>,4098; metadata:policy max-detect-ips drop; reference:bugtraq,23558; reference:cve,2007-2137; classtype:attempted-admin; sid:17298; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER McAfee VirusScan on-access scanner long unicode filename handling buffer overflow attempt"; flow:to_client,established; content:"|52 61 72 21 1A 07 00 CF 90 73 00 00 0D|"; content:"|E2 CA D4 B2 E2 CA D4 B2|"; distance:0; metadata:policy max-detect-ips drop; reference:bugtraq,23543; reference:cve,2007-2152; classtype:attempted-dos; sid:17297; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Panda Antivirus ZOO archive decompression buffer overflow attempt"; flow:to_client,established; file_data; content:"Rar!|1A|"; depth:5; content:"|77|"; content:"|01 01 00|"; within:3; distance:8; byte_test:2,>,3168,0,relative; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2005-3922; classtype:attempted-user; sid:17282; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER MIT Kerberos V5 KDC krb5_unparse_name overflow attempt"; flow:to_server; content:"|30 09 A0 03 02 01 01 A1 02 30 00 A2 0D 1B 0B 65 78 61 6D|"; fast_pattern:only; metadata:policy max-detect-ips drop, service kerberos; reference:cve,2005-1175; reference:url,attack.mitre.org/techniques/T1097; reference:url,secunia.com/advisories/16041/; classtype:attempted-admin; sid:17274; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER MIT Kerberos V5 KDC krb5_unparse_name overflow attempt"; flow:established, to_server; content:"|30 09 A0 03 02 01 01 A1 02 30 00 A2 0D 1B 0B 65 78 61 6D|"; fast_pattern:only; metadata:policy max-detect-ips drop, service kerberos; reference:cve,2005-1174; reference:url,attack.mitre.org/techniques/T1097; reference:url,secunia.com/advisories/16041/; classtype:attempted-admin; sid:17273; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 543 (msg:"SERVER-OTHER MIT Kerberos V5 krb5_recvauth double free attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"KRB5_SENDAUTH_"; depth:14; offset:5; fast_pattern; content:!"V1.0"; within:4; metadata:policy max-detect-ips drop; reference:bugtraq,14239; reference:cve,2005-1689; reference:url,attack.mitre.org/techniques/T1097; classtype:attempted-admin; sid:17243; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-OTHER Alt-N MDaemon WorldClient invalid user"; flow:to_server,established; content:"ComposeUser=Anyinvaliduser"; depth:26; offset:150; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2008-2631; classtype:attempted-dos; sid:17225; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4827 (msg:"SERVER-OTHER Squid Proxy HTCP packet processing denial of service attempt"; flow:to_server; byte_test:1,!&,3,6; byte_test:1,&,4,6; byte_test:1,!&,8,6; content:"|00 03|GET"; depth:7; offset:14; nocase; content:!"|3A 2F 2F|"; within:30; distance:2; metadata:policy max-detect-ips drop; reference:bugtraq,38212; reference:cve,2010-0639; classtype:attempted-dos; sid:17208; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [80,19300] (msg:"SERVER-OTHER IBM Cognos Server backdoor account remote code execution attempt"; flow:to_server,established; content:"Authorization"; nocase; content:"Y3hzZGs6a2RzeGM="; within:100; fast_pattern; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,38084; reference:cve,2010-0557; classtype:attempted-admin; sid:17207; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SERVER-OTHER Multiple vendors OPIE off-by-one stack buffer overflow attempt"; flow:to_server,established; content:"USER "; depth:5; nocase; isdataat:32,relative; content:!"|0D|"; within:32; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,40403; reference:cve,2010-1938; classtype:attempted-admin; sid:17155; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38292 (msg:"SERVER-OTHER Symantec Alert Management System HNDLRSVC arbitrary command execution attempt"; flow:to_server,established; content:"|FF FF FF FF|"; depth:4; content:"PRGX"; within:4; distance:26; fast_pattern; metadata:policy max-detect-ips drop; reference:bugtraq,41959; reference:cve,2010-0110; classtype:attempted-admin; sid:17139; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER iSCSI target multiple implementations iSNS stack buffer overflow attempt"; flow:to_server,established; content:"|00 01 00 08|"; depth:4; content:"|00 00 00 20|"; within:4; distance:8; byte_test:4,>,1008,0,relative,big; byte_test:2,>,1024,4,big; metadata:policy max-detect-ips drop; reference:bugtraq,41327; reference:cve,2010-2221; classtype:attempted-admin; sid:17138; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1900,2200] (msg:"SERVER-OTHER CA ARCserve Backup for Laptops and Desktops LGServer handshake buffer overflow attempt"; flow:to_server,established; byte_test:10,>,86,0,dec,string; pcre:"/^\d{10}[0-9a-z]{87}/i"; metadata:policy max-detect-ips drop; reference:bugtraq,30472; reference:cve,2008-3175; classtype:attempted-admin; sid:17046; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER CA ARCserve Backup for Laptops and Desktops LGServer handshake buffer overflow attempt"; flow:to_server,established; byte_test:2,>,17,8,dec,string; byte_test:2,<,87,8,dec,string; byte_jump:2,8,dec,string,from_beginning; content:"0"; within:1; distance:9; pcre:"/^0{8}[0-9a-z]+$/i"; metadata:policy max-detect-ips drop; reference:bugtraq,30472; reference:cve,2008-3175; classtype:attempted-admin; sid:17045; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [5800,5900:5999] (msg:"SERVER-OTHER RealVNC VNC Server ClientCutText message memory corruption attempt"; flow:to_server,established; flowbits:isset,vnc.traffic; content:"|06 00 00 00|"; depth:4; byte_test:1,&,0x80,0,relative; metadata:policy max-detect-ips drop, service vnc-server; reference:bugtraq,39895; classtype:attempted-admin; sid:16788; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-OTHER Oracle BEA Weblogic server console-help.portal cross-site scripting attempt"; flow:to_server,established; content:"|2F|consolehelp|2F|console-help|2E|portal"; nocase; content:"searchQuery|3D|"; distance:0; nocase; pcre:"/^[^\x26\s]*(\x3e|\x253e)/iR"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35673; reference:cve,2009-1975; classtype:attempted-user; sid:16710; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-OTHER RealNetworks Helix Server RTSP SET_PARAMETERS empty DataConvertBuffer header denial of service attempt"; flow:to_server,established; content:"SET_PARAMETER"; depth:13; content:"DataConvertBuffer"; distance:0; nocase; pcre:!"/^Content-Length\s*\x3A\s*[1-9]/mi"; metadata:policy max-detect-ips drop, service rtsp; reference:bugtraq,35731; reference:cve,2009-2533; classtype:attempted-dos; sid:16709; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-OTHER RealNetworks Helix Server RTSP SETUP request denial of service attempt"; flow:to_server,established; content:"SETUP"; depth:5; nocase; pcre:"/^\s+(rtsp\x3a\x2f{2}|\x2f+)\s+/iR"; metadata:policy max-detect-ips drop, service rtsp; reference:bugtraq,35732; reference:cve,2009-2534; classtype:attempted-dos; sid:16694; rev:9;)
# alert tcp any any -> $HOME_NET 1024: (msg:"SERVER-OTHER iscsi target format string code execution attempt"; flow:established, to_server; content:"|00 01 00 08|"; content:"|00 00 00 20|"; within:4; distance:8; pcre:"/%([0-9]+$)?([-+ #0-9]+)?([0-9]+)?\.?([0-9]+)?[hlL]?[cdieEfgGosuxXpn]/Rims"; metadata:policy max-detect-ips drop; reference:cve,2010-0743; classtype:attempted-admin; sid:16688; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1584 (msg:"SERVER-OTHER IBM Tivoli Storage Manager Client dsmagent.exe NodeName length buffer overflow attempt"; flow:to_server,established; content:"|08 A5 00 01|"; depth:4; offset:2; pcre:"/^.{2}\x08\xa5\x00\x01.{14}(([^\x00]|\x00[\x81-\xFF])|.{4}([^\x00]|\x00[\x81-\xFF]))/s"; metadata:policy max-detect-ips drop; reference:bugtraq,34803; reference:cve,2008-4828; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21384389; classtype:attempted-admin; sid:16685; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"SERVER-OTHER RealNetworks Helix AgentX receive_agentx stack buffer overflow attempt"; flow:to_server,established; dsize:<20; metadata:policy max-detect-ips drop; reference:bugtraq,39564; reference:cve,2010-1318; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=867; classtype:attempted-admin; sid:16576; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Novell QuickFinder server cross-site-scripting attempt"; flow:to_server, established; content:"AdminServlet"; nocase; http_uri; pcre:"/AdminServlet.*(userid|adminurl)[^\x26\x20\x0a]*<script/smiU"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-0611; classtype:web-application-attack; sid:16522; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1100 (msg:"SERVER-OTHER HP StorageWorks storage mirroring double take service code execution attempt"; flow:to_server,established; content:"|00 02 00 01 27 30|"; depth:6; byte_test:2,>,256,54,relative,little; metadata:policy max-detect-ips drop; reference:cve,2008-1661; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01362558; classtype:attempted-admin; sid:16444; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg:"SERVER-OTHER PostgreSQL bit substring buffer overflow attempt"; flow:to_server,established; content:"substring|28|B'"; fast_pattern:only; pcre:"/substring\x28B'[^\x27\x29]+\x27\s*,\s*\d+\s*,\s*-([2-9][\s\x29]|\d{2})/smi"; metadata:policy max-detect-ips drop, service postgresql; reference:bugtraq,37973; reference:cve,2010-0442; classtype:attempted-admin; sid:16393; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8222 (msg:"SERVER-OTHER VMware Server ISAPI Extension remote denial of service attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:".pl"; nocase; http_uri; pcre:"/\x2epl([\?\x5c\x2f]|$)/iU"; content:"Content-Length:"; nocase; byte_test:10,>,49152,0,relative,string; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30935; reference:cve,2008-3697; reference:url,www.secunia.com/advisories/31708/; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; reference:url,xforce.iss.net/xforce/xfdb/44796; classtype:attempted-dos; sid:16384; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 50000 (msg:"SERVER-OTHER IBM DB2 Database Server invalid data stream denial of service attempt"; flow:to_server,established; content:"|24 14|"; byte_test:1,=,0xd0,-8,relative; byte_test:1,&,4,-7,relative; byte_test:1,!&,3,-7,relative; metadata:policy max-detect-ips drop, service drda; reference:bugtraq,33258; reference:cve,2009-0173; classtype:attempted-dos; sid:16341; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12174 (msg:"SERVER-OTHER Symantec System Center Alert Management System untrusted command execution attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; content:"cmd"; distance:2; metadata:policy max-detect-ips drop; reference:bugtraq,34671; reference:bugtraq,34675; reference:cve,2009-1429; reference:cve,2009-1431; classtype:policy-violation; sid:16332; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2954 (msg:"SERVER-OTHER OpenView Network Node Manager ovalarmsrv opcode 45 integer overflow attempt"; flow:to_server,established; content:"45"; depth:2; pcre:"/^45\s+([0-9]+\s+){2}([2-9][0-9]{8}|[0-9]{10})/m"; metadata:policy max-detect-ips drop; reference:bugtraq,34738; reference:cve,2008-2438; classtype:attempted-admin; sid:16217; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER IBM Tivoli Provisioning Manager long URI request buffer overflow attempt"; flow:to_server,established; content:"|17 03 01 00| |AB CA A4| q|EC|IW|F2|&G|CD 1D 08 F9 F5 E9|^F|BF B8 DC|F|C8|K|FC|D|99|o|9A|X|AD|"; depth:37; metadata:policy max-detect-ips drop, service ssl; reference:bugtraq,27387; reference:cve,2008-0401; classtype:attempted-user; sid:16216; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Squid Proxy invalid HTTP response code denial of service attempt"; flow:to_client,established; content:"HTTP/1.1 -"; depth:11; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35812; reference:cve,2009-2622; classtype:denial-of-service; sid:16214; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9830 (msg:"SERVER-OTHER Red Hat Directory Server Accept-Language HTTP header parsing buffer overflow attempt"; flow:to_server,established; content:"Accept-Language"; fast_pattern:only; pcre:"/^Accept-Language\s*\x3a\s*([^\x2c\x2d\n]+[\x2c\x2d]){16}/im"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30869; reference:cve,2008-2928; classtype:attempted-admin; sid:16213; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [1645,1812] (msg:"SERVER-OTHER FreeRADIUS RADIUS server rad_decode remote denial of service attempt"; flow:to_server; content:"|01|"; depth:1; content:"E|02|"; within:2; distance:19; metadata:policy max-detect-ips drop; reference:bugtraq,36263; reference:cve,2009-3111; classtype:attempted-dos; sid:16209; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER HP OpenView Network Node Manager ovlaunch host field overflow attempt"; flow:to_server,established; content:"ovlaunch.exe"; nocase; http_uri; content:"host|3A|"; nocase; isdataat:300,relative; pcre:"/^host\x3a\s*[^\r\n]{300}/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,33668; reference:cve,2008-4562; classtype:attempted-user; sid:16204; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-OTHER OpenLDAP ber_get_next BER decoding denial of service attempt"; flow:to_server,established; content:"|1F 80 80 00 84|aaaa"; depth:9; metadata:policy max-detect-ips drop, service ldap; reference:bugtraq,30013; reference:cve,2008-2952; classtype:attempted-dos; sid:16197; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8443 (msg:"SERVER-OTHER Symantec Backup Exec System Recovery Manager unauthorized file upload attempt"; flow:to_server,established; content:"|17 03 00 02 01 87 09|k]dg]|86|T|D0 F4|'|EF|+2|CA A3 D3 FA 97 AA|@|14 ED|'|15 D2 9B 06 EA 07 09|}|B8 D2|ai|CD|mtR|F9 8A|"; depth:48; nocase; metadata:policy max-detect-ips drop, service ssl; reference:cve,2008-0457; classtype:misc-activity; sid:16196; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1111 (msg:"SERVER-OTHER Macromedia Flash Media Server administration service denial of service attempt"; flow:to_server,established; dsize:3; content:"a|0D 0A|"; depth:3; metadata:policy max-detect-ips drop; reference:bugtraq,15822; reference:cve,2005-4216; classtype:attempted-dos; sid:16091; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"SERVER-OTHER CUPS server query metacharacter buffer overflow attempt"; flow:to_server,established; content:"/?query=.........."; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28307; reference:cve,2008-0047; classtype:attempted-admin; sid:16072; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"SERVER-OTHER CA ARCServe Backup Discovery Service denial of service attempt"; flow:to_server,established; content:"h|00 00 00|"; depth:4; content:"|FF FF FF|s"; depth:4; offset:58; metadata:policy max-detect-ips drop; reference:bugtraq,28927; reference:cve,2008-1979; reference:url,www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=36440; classtype:attempted-dos; sid:16071; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1526 (msg:"SERVER-OTHER IBM Informix server argument processing overflow attempt"; flow:to_server,established; content:"sq"; depth:2; pcre:"/^.{8}[^\s]+(\s+[^\s]+){49}/smOR"; metadata:policy max-detect-ips drop; reference:bugtraq,28198; reference:cve,2008-0727; classtype:attempted-admin; sid:16069; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-OTHER IBM Lotus Domino LDAP server memory exception attempt"; flow:to_server,established; content:"0|0C 02 01 01|`|07 02 00 DD 04 00 80 00|"; depth:14; metadata:policy max-detect-ips drop, service ldap; reference:bugtraq,16523; reference:cve,2006-0580; classtype:attempted-dos; sid:16060; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Novell iManager Tree parameter denial of service attempt"; flow:to_server,established; content:"/nps/servlet/webacc"; fast_pattern:only; http_uri; content:"tree="; nocase; http_uri; pcre:"/tree\x3d[^\x26]{256}/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,20841; reference:bugtraq,40485; reference:cve,2006-4517; reference:cve,2010-1930; classtype:attempted-dos; sid:16052; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1813 (msg:"SERVER-OTHER GNU Radius SQL accounting format string exploit attempt"; flow:to_server; content:"|04|"; depth:1; content:"|01 1A|%n%s%n%s%n%s%n%s%n%s%n%s"; distance:19; metadata:policy max-detect-ips drop; reference:bugtraq,21303; reference:cve,2006-4181; classtype:attempted-admin; sid:16049; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Microsoft ASP.NET application folder info disclosure attempt"; flow:to_server,established; content:"app|5F|code"; nocase; http_uri; pcre:"/^\w+\s+[^\s]*app\x5fcode(\x255c|\x5c)/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,18920; reference:cve,2006-1300; classtype:attempted-recon; sid:16048; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 497 (msg:"SERVER-OTHER EMC Dantz Retrospect Backup Agent denial of service attempt"; flow:to_server,established; content:"|87 00 00|"; depth:3; offset:1; content:"|00 00 00 00|"; within:4; distance:4; metadata:policy max-detect-ips drop; reference:cve,2006-0995; classtype:denial-of-service; sid:16039; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3017 (msg:"SERVER-OTHER Novell Distributed Print Services integer overflow attempt"; flow:to_server,established; content:"|01 8F 9C 19 00 00 00 0C|SLAWEKSERVER"; metadata:policy max-detect-ips drop; reference:cve,2006-2327; classtype:attempted-user; sid:16019; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"SERVER-OTHER HP OpenView network node manager buffer overflow"; flow:to_server,established; isdataat:1000; byte_test:4,>,16384,0; content:"aaaaaaaaaaaaaaaaa"; metadata:policy max-detect-ips drop; reference:bugtraq,28689; reference:cve,2008-1842; classtype:attempted-admin; sid:16018; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-OTHER IBM Lotus Domino LDAP server invalid DN message buffer overflow attempt"; flow:to_server,established; content:"0|84 00 01 00|5|02 01 04|h|84 00 01 00|,|04 84 00 01 00| cn="; fast_pattern:only; metadata:policy max-detect-ips drop, service ldap; reference:bugtraq,23174; reference:cve,2007-1739; classtype:attempted-user; sid:16017; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8008,8028] (msg:"SERVER-OTHER Novell eDirectory HTTP headers denial of service attempt"; flow:to_server,established; content:"Connection"; fast_pattern:only; http_header; pcre:"/^Connection\s*\x3a\s*\S+([^\r\n]*?\r\nConnection\s*\x3a\s*\S+|[^\n]*\x2c\s*\S+).*\n\r?\n/Hmsi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28757; reference:cve,2008-0927; classtype:attempted-dos; sid:16014; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1315,2315] (msg:"SERVER-OTHER IBM solidDB logging function format string exploit attempt"; flow:to_server,established; content:"|04 00 00 00|nnnn|04 00 00 00|aaaa|D2 07 00 00 14 00 00 00|%n%n%n%n%n%n%n%n%n%n"; metadata:policy max-detect-ips drop; reference:bugtraq,28468; reference:cve,2008-1705; classtype:attempted-user; sid:16013; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3465 (msg:"SERVER-OTHER HP OpenView Client Configuration Manager Radia Notify Daemon code execution attempt"; flow:to_server,established; content:"8899|00|test|00|test|00|radcrecv.exe|0A|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,20971; reference:cve,2006-5782; classtype:attempted-admin; sid:15998; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SERVER-OTHER Squid strListGetItem denial of service attempt"; flow:to_server,established; content:"user=va,lue"; content:"user=va,lue"; http_cookie; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36091; reference:cve,2009-2855; classtype:attempted-dos; sid:15994; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21700 (msg:"SERVER-OTHER 3Com Network Supervisor directory traversal attempt"; flow:to_server,established; content:"GET"; depth:3; content:"../../boot.ini"; within:14; distance:23; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14715; reference:cve,2005-2020; classtype:attempted-recon; sid:15961; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8008 (msg:"SERVER-OTHER Novell eDirectory MS-DOS device name DoS attempt"; flow:to_server,established; content:"GET /COM1"; depth:9; metadata:policy max-detect-ips drop, service http; reference:cve,2005-1729; classtype:attempted-dos; sid:15960; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1761 (msg:"SERVER-OTHER Novell ZENworks Remote Management overflow attempt"; flow:to_server,established; content:"|00 01|"; depth:2; offset:16; byte_jump:2,0,relative,big; byte_jump:2,0,relative,big; byte_jump:2,0,relative,big; content:"|00 01 00 02|"; within:4; distance:2; byte_test:2,>,28,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,13678; reference:cve,2005-1543; classtype:attempted-admin; sid:15958; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER McAfee LHA Type-2 file handling overflow attempt"; flow:to_client,established; file_data; content:"-lh0-"; content:"|02 C9 C5|M|88 00 02|DDDD"; within:11; distance:13; metadata:policy max-detect-ips drop, service http; reference:bugtraq,12832; reference:cve,2005-0644; classtype:attempted-user; sid:15950; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [10202,10203] (msg:"SERVER-OTHER CA License Software invalid command overflow attempt"; flow:to_server,established; content:"A0 AAAAAAAAAAAAAAAAAAAAAAAAAA"; depth:30; metadata:policy max-detect-ips drop; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-admin; sid:15948; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12168 (msg:"SERVER-OTHER CA Multiple Products Console Server login credentials handling overflow attempt"; flow:to_server,established; content:"|96|8|9E 04|"; depth:8; offset:4; byte_test:4,>,83,0; content:!"|F6|v|D0|"; depth:24; offset:21; metadata:policy max-detect-ips drop; reference:bugtraq,23906; reference:cve,2007-2522; classtype:attempted-user; sid:15942; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SERVER-OTHER Squid Proxy TRACE request remote DoS attempt"; flow:to_server,established; content:"TRACE"; depth:5; content:"Max-Forwards|3A| 0|0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,23085; reference:cve,2007-1560; classtype:attempted-admin; sid:15941; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3050 (msg:"SERVER-OTHER Firebird SQL op_connect_request denial of service attempt"; flow:to_server,established; content:"|00 00 00 35|"; depth:4; isdataat:11,relative; metadata:policy max-detect-ips drop; reference:bugtraq,35842; reference:cve,2009-2620; classtype:attempted-dos; sid:15896; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [3985,3986] (msg:"SERVER-OTHER Unisys Business Information Server stack buffer overflow attempt"; flow:to_server,established; content:"|16|?"; depth:2; byte_test:4,>,24,2,big; metadata:policy max-detect-ips drop; reference:bugtraq,35494; reference:cve,2009-1628; classtype:attempted-admin; sid:15708; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Squid oversized reply header handling exploit attempt"; flow:to_client,established; content:"Content-Length|3A| 3|0D 0A|Server|3A| AAAAAA"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,12412; reference:cve,2005-0241; classtype:bad-unknown; sid:15580; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-OTHER RealNetworks Helix Server RTSP SET_PARAMETER heap buffer overflow attempt"; flow:to_server,established; content:"SET_PARAMETER"; depth:13; content:"DataConvertBuffer"; distance:0; nocase; pcre:"/\x0a\x0d?\x0a[A-Z0-9\x2b\x2f\s]*[^A-Z0-9\x2b\x2f\s\x3d]/iR"; metadata:policy max-detect-ips drop, service rtsp; reference:bugtraq,33059; reference:cve,2008-5911; classtype:attempted-admin; sid:15573; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-OTHER RealNetworks Helix Server RTSP SETUP stack buffer overflow attempt"; flow:to_server,established; content:"SETUP"; depth:5; nocase; content:"HOST:"; nocase; isdataat:1023,relative; content:!"?"; within:1024; metadata:policy max-detect-ips drop, service rtsp; reference:bugtraq,33059; reference:cve,2008-5911; classtype:attempted-admin; sid:15571; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 38292 (msg:"SERVER-OTHER Symantec Alert Management System Intel Alert Originator Service buffer overflow attempt"; flow:to_server,established; content:"|FF FF FF FF FF FF FF FF|"; depth:8; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:10; content:"|03|"; within:1; distance:23; content:"BIND"; within:4; distance:8; content:"BIND|00|"; within:5; distance:17; fast_pattern; byte_test:2,>,0x400,0,relative,big; metadata:policy max-detect-ips drop; reference:bugtraq,34672; reference:cve,2009-1430; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090428_02; classtype:attempted-admin; sid:15555; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER Multiple Vendors NTP Daemon Autokey stack buffer overflow attempt"; flow:to_server; content:"INIT"; content:"|02 01|"; within:2; distance:32; byte_test:4,>,256,14,relative; metadata:policy max-detect-ips drop, service ntp; reference:bugtraq,35017; reference:cve,2009-1252; reference:url,attack.mitre.org/techniques/T1209; reference:url,lists.ntp.org/pipermail/announce/2009-May/000062.html; classtype:attempted-admin; sid:15514; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Trend Micro OfficeScan Server cgiRecvFile overflow attempt"; flow:to_server,established; content:"/cgi/cgiRecvFile.exe"; http_uri; content:"ComputerName"; pcre:"/ComputerName\s*\x3d\s*\x22[^\x22]{256}/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,31139; reference:cve,2008-2437; classtype:attempted-admin; sid:15510; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 50000 (msg:"SERVER-OTHER IBM DB2 database server CONNECT denial of service attempt"; flow:to_server,established; content:"|10|A"; depth:2; offset:8; byte_jump:2, -10, relative; content:"|10|n"; within:2; distance:6; metadata:policy max-detect-ips drop; reference:cve,2009-0172; classtype:denial-of-service; sid:15509; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1500 (msg:"SERVER-OTHER IBM Tivoli Storage Manager Express Backup counter heap corruption attempt"; flow:to_server,established; flowbits:isset,tivoli.backup; content:"*|A5|"; byte_test:2,>,0x41,19,relative,big; metadata:policy max-detect-ips drop; reference:bugtraq,34077; reference:cve,2008-4563; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21377388; classtype:attempted-admin; sid:15436; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"SERVER-OTHER X.Org X Font Server QueryXBitmaps and QueryXExtents Handlers integer overflow attempt"; flow:to_server,established; content:"|12 01 03 00|<|00 00 00|AAAA"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,25898; reference:cve,2007-4568; classtype:attempted-admin; sid:15382; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8652 (msg:"SERVER-OTHER Ganglia Meta Daemon process_path stack buffer overflow attempt"; flow:to_server,established; content:"/"; depth:1; isdataat:256,relative; content:!"/"; within:256; metadata:policy max-detect-ips drop; reference:bugtraq,33299; reference:cve,2009-0241; reference:url,www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg04929.html; classtype:attempted-user; sid:15364; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"SERVER-OTHER Multiple vendors CUPS HPGL filter remote code execution attempt"; flow:to_server,established; content:"PC"; byte_test:4,>=,1024,0,relative,string,dec; metadata:policy max-detect-ips drop, service http; reference:bugtraq,31688; reference:cve,2008-3641; reference:url,www.cups.org/str.php?L2911; classtype:attempted-user; sid:15188; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"SERVER-OTHER Apple CUPS TrueColor PNG filter overly large image height integer overflow attempt"; flow:to_server,established; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; content:"IHDR"; content:"|02|"; within:1; distance:9; byte_test:4,>,1431655765,-6,relative; metadata:policy max-detect-ips drop, service http; reference:bugtraq,32518; reference:cve,2008-5286; reference:url,www.cups.org/str.php?L2974; classtype:attempted-admin; sid:15145; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2954 (msg:"SERVER-OTHER HP Openview Network Node Manager OValarmsrv buffer overflow attempt"; flow:to_server,established; pcre:"/^((22|33|35|36|44) \d+ [^\s\x00]{129})|((25|45) \d+ \d+ \d+ [^\s\x00]{129})|((46|47) \d+ \d+ [^\x0a]{129})|((61|62) [^\x0a]{129})/smi"; metadata:policy max-detect-ips drop; reference:cve,2008-1852; classtype:attempted-admin; sid:15078; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"SERVER-OTHER DATAC RealWin SCADA System buffer overflow attempt"; flow:to_server,established; content:"|10 23|Tg"; depth:4; isdataat:426,relative; content:!"|10 23|Tg"; within:412; distance:14; metadata:policy max-detect-ips drop; reference:bugtraq,31418; reference:bugtraq,46937; reference:cve,2008-4322; reference:cve,2011-1563; classtype:attempted-user; sid:14769; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4888 (msg:"SERVER-OTHER Symantec Veritas Storage Scheduler Service NULL Session auth bypass attempt"; flow:to_server,established; content:"NTLMSSP|00 03 00 00 00|"; content:"|00 00|"; within:2; distance:34; metadata:policy max-detect-ips drop, service ident; reference:bugtraq,30596; reference:cve,2008-3703; classtype:attempted-user; sid:14768; rev:7;)
# alert tcp $EXTERNAL_NET 8300 -> $HOME_NET any (msg:"SERVER-OTHER Novell Groupwise HTTP response message parsing overflow"; flow:to_client,established; flowbits:isset,groupwise.request; isdataat:512; pcre:"/[^\x0a]{512}/"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-2703; classtype:attempted-user; sid:13926; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1533,8082] (msg:"SERVER-OTHER IBM Lotus Sametime multiplexer stack buffer overflow attempt"; flow:to_server,established; urilen:>59; content:"/CommunityCBR/CC."; fast_pattern:only; http_uri; pcre:"/^\/CommunityCBR\/CC\.[0-9a-f]+?\.[^\r\n]{41}/miU"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,29328; reference:cve,2008-2499; classtype:attempted-admin; sid:13902; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"SERVER-OTHER Veritas Backup Agent password overflow attempt"; flow:to_server,established; content:"|00 00 09 01|"; depth:4; offset:16; content:"|00 00 00 03|"; depth:4; offset:28; byte_test:4,>,1000,32; metadata:policy max-detect-ips drop; reference:cve,2005-0773; classtype:attempted-admin; sid:13846; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"SERVER-OTHER MaxDB WebDBM get buffer overflow"; flow:to_server,established; content:"POST"; content:"database="; nocase; isdataat:18,relative; content:!"|0A|"; within:18; content:!"&"; within:18; content:!"|3B|"; within:18; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13843; reference:cve,2006-4305; classtype:attempted-admin; sid:13843; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER CA ARCServ NetBackup remote file upload attempt"; flow:to_server,established; content:"rxrReceiveFileFromServer~~8~~"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,28616; reference:cve,2008-1329; reference:url,secunia.com/advisories/25606/; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=173105; classtype:web-application-activity; sid:13839; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER ARCServe LGServer service data overflow attempt"; flow:to_server,established; isdataat:90; content:"  "; depth:2; byte_test:10, >, 80, 0, string, dec; pcre:"/^.{10}[0-9a-fA-f]{80}/"; metadata:policy max-detect-ips drop; reference:bugtraq,28616; reference:cve,2008-1328; classtype:attempted-admin; sid:13800; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 8082 (msg:"SERVER-OTHER McAfee ePolicy Orchestrator Framework Services log handling format string attempt"; content:"Type=|22|AgentWakeup|22|"; fast_pattern:only; content:"|22 FA E5|"; content:"|8F|"; within:212; distance:20; metadata:policy max-detect-ips drop; reference:bugtraq,28228; reference:cve,2008-1357; classtype:attempted-admin; sid:13631; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2439 (msg:"SERVER-OTHER Sybase SQL Anywhere Mobilink username string buffer overflow"; flow:to_server,established; content:"|03 22 00|"; byte_test:2,>,128,0,relative,little; metadata:policy max-detect-ips drop; reference:bugtraq,27914; reference:cve,2008-0912; reference:url,aluigi.altervista.org/adv/mobilinkhof-adv.txt; classtype:attempted-admin; sid:13553; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 3207 (msg:"SERVER-OTHER Symantec VERITAS Storage Foundation Suite buffer overflow attempt"; flow:to_server; content:"|FE FE|"; depth:2; byte_test:2,>,1024,2; metadata:policy max-detect-ips drop; reference:bugtraq,25778; reference:cve,2008-0638; reference:url,www.symantec.com/avcenter/security/Content/2008.02.20a.html; classtype:attempted-admin; sid:13552; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3050 (msg:"SERVER-OTHER Firebird Database Server username handling buffer overflow"; flow:to_server,established; content:"|00 00 00 13|"; depth:4; content:"|1C|"; within:80; byte_test:1,>,0x81,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,27467; reference:cve,2008-0467; classtype:attempted-admin; sid:13522; rev:8;)
# alert tcp $EXTERNAL_NET [80,8090] -> $HOME_NET any (msg:"SERVER-OTHER Nullsoft Winamp Ultravox streaming malicious metadata"; flow:to_client,established; content:"misc/ultravox"; http_header; file_data; content:"|5A|"; within:1; content:"|39 01|"; within:2; distance:1; content:"<artist>"; distance:0; nocase; isdataat:266,relative; content:!"</artist>"; within:256; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0065; classtype:attempted-user; sid:13520; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2512:2513 (msg:"SERVER-OTHER Citrix MetaFrame IMA buffer overflow attempt"; flow:to_server,established; content:"|FF FF FF|"; depth:3; offset:1; content:!"|00 00 00|"; depth:3; offset:5; byte_test:1,>,195,0; metadata:policy max-detect-ips drop; reference:bugtraq,27329; reference:cve,2008-0356; classtype:attempted-admin; sid:13519; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5005 (msg:"SERVER-OTHER Trend Micro ServerProtect TMregChange buffer overflow attempt"; flow:to_server,established; content:"!Ce|87 15 00 00 00|"; byte_test:4,>,844,8,relative,little; isdataat:1092,relative; content:!"|00|"; within:256; distance:836; metadata:policy max-detect-ips drop; reference:cve,2007-4731; reference:url,www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt; classtype:attempted-admin; sid:13365; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2444 (msg:"SERVER-OTHER Cisco Unified Communications Manager heap overflow attempt"; flow:to_server,established; content:"|17 03 01|"; depth:3; byte_test:2,>,16383,0,relative,big; metadata:policy max-detect-ips drop; reference:bugtraq,27313; reference:cve,2008-0027; classtype:attempted-admin; sid:13363; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 407 (msg:"SERVER-OTHER Motorola Timbuktu crafted login request buffer overflow attempt"; flow:to_server,established; content:"|00 01|"; depth:2; content:"|00 23 07|"; depth:3; offset:6; byte_test:1,>,31,30; metadata:policy max-detect-ips drop; reference:bugtraq,25454; reference:cve,2007-4221; reference:url,ftp-xo.netopia.com/evaluation/docs/timbuktu/win/865/relnotes/TB2Win865Evalrn.pdf; classtype:attempted-admin; sid:13221; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER HP OpenView CGI parameter buffer overflow attempt"; flow:to_server,established; content:"|2F|OvCgi|2F|"; nocase; http_uri; isdataat:1024; pcre:"/^\x2FOvCgi\x2F[^\x2E]*?\x2Eexe[^\h]{1024}/iU"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26741; reference:cve,2007-6204; reference:cve,2008-0067; classtype:attempted-user; sid:13161; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13701 (msg:"SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt"; flow:to_server,established; dsize:4; byte_test:1,>,80,0; metadata:policy max-detect-ips drop; reference:bugtraq,15353; reference:cve,2005-3116; classtype:attempted-admin; sid:12904; rev:7;)
# alert tcp $EXTERNAL_NET 554 -> $HOME_NET any (msg:"SERVER-OTHER Apple Quicktime TCP RTSP sdp type buffer overflow attempt"; flow:to_client,established; content:"RTSP"; depth:4; fast_pattern; content:"Content-Type"; nocase; isdataat:257,relative; content:!"|0A|"; within:257; pcre:"/Content-Type\s*\x3A[^\n\x3A]{256}/smi"; metadata:policy max-detect-ips drop; reference:bugtraq,26549; reference:cve,2007-6166; classtype:attempted-user; sid:12741; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1581 (msg:"SERVER-OTHER IBM Tivoli Storage Manger Express CAD Host buffer overflow"; flow:to_server,established; content:"Host|3A|"; nocase; isdataat:64,relative; content:!"|00|"; within:64; content:!"|3A|"; within:64; content:!"|0A|"; within:64; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25743; reference:cve,2007-4880; classtype:attempted-admin; sid:12685; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER CA BrightStor ARCServer malicious fileupload attempt"; flow:to_server,established; content:"rxrReceiveFileFromServer~~8~~"; nocase; pcre:"/^((\.\.\/|\.\.\\).*|(\.(exe|dll)))~~/Ri"; metadata:policy max-detect-ips drop; reference:bugtraq,24348; reference:cve,2007-5005; classtype:attempted-admin; sid:12667; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [5051,5053] (msg:"SERVER-OTHER HP OpenView OVTrace buffer overflow attempt"; flow:to_server,established; content:"|0F|"; depth:1; byte_jump:2,0,relative; byte_test:2,>,51,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,25255; reference:cve,2007-3872; classtype:attempted-admin; sid:12666; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER CA BrightStor LGSever username buffer overflow attempt"; flow:to_server,established; content:"rxrLogin~~"; nocase; content:"~~"; distance:0; pcre:"/^0*(([1-9]\d{3,})|([7-9]\d\d)|(6[7-9]\d)|(66[8-9]))/R"; metadata:policy max-detect-ips drop; reference:bugtraq,24348; reference:cve,2007-5004; classtype:attempted-admin; sid:12665; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER CA BrightStor LGServer username buffer overflow attempt"; flow:to_server,established; content:"rxrLogin"; nocase; isdataat:281,relative; content:!"~~"; within:279; distance:2; metadata:policy max-detect-ips drop; reference:bugtraq,24348; reference:cve,2007-5003; classtype:attempted-admin; sid:12596; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-OTHER Helix DNA Server RTSP require tag heap overflow attempt"; flow:to_server,established; content:"require|3A|"; nocase; content:"|0A|require|3A|"; distance:0; nocase; metadata:policy max-detect-ips drop, service rtsp; reference:bugtraq,25440; reference:cve,2007-4561; classtype:attempted-admin; sid:12358; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 89 (msg:"SERVER-OTHER Novell WebAdmin long user name"; flow:to_server,established; content:"POST /f"; depth:8; content:"username="; content:!"&"; within:80; metadata:policy max-detect-ips drop, service http; reference:bugtraq,22857; reference:cve,2007-1350; classtype:attempted-admin; sid:12223; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"SERVER-OTHER Squid proxy long WCCP packet"; flow:to_server; dsize:>1428; metadata:policy max-detect-ips drop; reference:bugtraq,12432; reference:cve,2005-0211; classtype:attempted-user; sid:12222; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3050 (msg:"SERVER-OTHER Borland interbase string length buffer overflow attempt"; flow:to_server,established; content:"|00 00 00|R"; depth:4; isdataat:1032; content:!"|00|"; within:1024; distance:8; metadata:policy max-detect-ips drop; reference:bugtraq,25048; reference:cve,2007-3566; classtype:attempted-admin; sid:12218; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3050 (msg:"SERVER-OTHER Borland interbase Create Request opcode string length buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 14|"; depth:4; isdataat:1032; content:!"|00|"; within:1024; distance:8; metadata:policy max-detect-ips drop; reference:bugtraq,25048; reference:cve,2007-3566; classtype:attempted-admin; sid:12216; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21064 (msg:"SERVER-OTHER Ingres long message heap buffer overflow attempt"; flow:to_server,established; isdataat:1169; byte_test:2,>,1168,0,little; metadata:policy max-detect-ips drop; reference:cve,2007-3334; classtype:attempted-admin; sid:12202; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3101 (msg:"SERVER-OTHER RIM BlackBerry SRP negative string size"; flow:to_server,established; content:"S|FF FF FF|"; metadata:policy max-detect-ips drop; reference:bugtraq,16100; reference:cve,2005-2342; classtype:attempted-dos; sid:12199; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3104 (msg:"SERVER-OTHER CA message queuing server buffer overflow attempt"; flow:to_server,established; isdataat:14; pcre:"/^([^\d]|\d[^\d])/s"; metadata:policy max-detect-ips drop; reference:bugtraq,25051; reference:cve,2007-0060; reference:url,supportconnectw.ca.com/public/dto_transport/infodocs/camsgguevul-secnot.asp; classtype:attempted-admin; sid:12197; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20031 (msg:"SERVER-OTHER BakBone NetVault server heap overflow attempt"; flow:to_server,established; stream_size:client,>,32784; byte_test:4,>,32784,0,little; metadata:policy max-detect-ips drop; reference:bugtraq,12967; reference:cve,2005-1009; classtype:attempted-admin; sid:12081; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2200 (msg:"SERVER-OTHER CA BrightStor ARCserve LGServer heap buffer overflow"; flow:to_server,established; content:"N=|2C 1B|"; depth:4; isdataat:1000; content:!"N=|2C 1B|"; within:996; metadata:policy max-detect-ips drop; reference:bugtraq,22340; reference:cve,2007-0449; classtype:attempted-admin; sid:12078; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5151 (msg:"SERVER-OTHER Ipswitch WS_FTP log server long unicode string"; flow:to_server; content:"|AB AA|"; byte_test:2,>,2123,0,relative,little; metadata:policy max-detect-ips drop; reference:cve,2007-3823; reference:url,secunia.com/advisories/26040; classtype:denial-of-service; sid:12076; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5003 (msg:"SERVER-OTHER Symantec Discovery logging buffer overflow"; flow:to_server,established; content:"|ED ED|"; depth:2; offset:2; content:!"|ED|"; depth:1; isdataat:1176; content:!"|00|"; depth:976; offset:200; metadata:policy max-detect-ips drop; reference:bugtraq,24002; reference:cve,2007-1173; classtype:attempted-admin; sid:11670; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9191 (msg:"SERVER-OTHER CA eTrust key handling dos via username attempt"; flow:to_server,established; content:"|01 06 00 00 00|"; depth:5; offset:2; byte_test:4,<,4,0,relative, little; metadata:policy max-detect-ips drop; reference:bugtraq,22743; reference:cve,2007-1005; classtype:denial-of-service; sid:11185; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7205:7211 (msg:"SERVER-OTHER Novell GroupWise WebAccess authentication overflow"; flow:to_server,established; content:"Authorization"; nocase; content:"Basic"; distance:0; nocase; pcre:"/Authorization\s*\x3A\s*Basic\s*[^\n]{437}/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,23556; reference:cve,2007-2171; classtype:attempted-admin; sid:10998; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-OTHER Helix Server LoadTestPassword buffer overflow attempt"; flow:to_server,established; content:"LoadTestPassword|3A|"; nocase; isdataat:251,relative; pcre:"/^LoadTestPassword\x3A[^\r\n]{251}/smi"; metadata:policy max-detect-ips drop, service rtsp; reference:bugtraq,23068; reference:cve,2006-6026; reference:url,lists.helixcommunity.org/pipermail/server-cvs/2007-January/003783.html; classtype:attempted-admin; sid:10407; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 54345 (msg:"SERVER-OTHER HP Mercury Loadrunner command line buffer overflow"; flow:to_server,established; content:"|00 00 00 05 00 00 00 01|"; byte_jump:4, -12, relative ; byte_jump:4, 4, relative, align; byte_test:4, >, 1132, 0, relative; metadata:policy max-detect-ips drop; reference:bugtraq,22487; reference:cve,2007-0446; classtype:attempted-admin; sid:10187; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SERVER-OTHER Squid proxy FTP denial of service attempt"; flow:to_server,established; content:"GET"; depth:3; nocase; content:"FTP|3A|//"; nocase; pcre:"/ftp\x3A\x2F\x2F[\w\x2E\x2F]+[^\x2F]\x3Btype=D/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,22079; reference:cve,2007-0247; classtype:denial-of-service; sid:10135; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13782 (msg:"SERVER-OTHER Symantec NetBackup connect_options buffer overflow attempt"; flow:to_server,established; content:"CONNECT_OPTIONS="; nocase; isdataat:900,relative; pcre:"/CONNECT_OPTIONS\x3D[^\x20\x0A\x0D\x00]{900}/smi"; metadata:policy max-detect-ips drop; reference:bugtraq,21565; reference:cve,2006-5822; classtype:attempted-admin; sid:9813; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"SERVER-OTHER Computer Associates Product Discovery Service type 9B remote buffer overflow attempt TCP"; flow:to_server,established; content:"|9B|"; depth:1; isdataat:256,relative; content:!"|00|"; within:256; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:bugtraq,21502; reference:cve,2005-2535; reference:cve,2006-6379; classtype:attempted-admin; sid:9633; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1500 (msg:"SERVER-OTHER Tivoli Storage Manager command request buffer overflow attempt"; flow:to_server,established; content:"|1A A5|"; depth:2; offset:2; byte_test:2,>,100,0,relative; byte_jump:2,16,relative; content:"|18|"; within:1; distance:20; metadata:policy max-detect-ips drop; reference:bugtraq,21440; reference:cve,2006-5855; classtype:attempted-admin; sid:9632; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2513 (msg:"SERVER-OTHER Citrix IMA DOS event data length denial of service attempt"; flow:to_server,established; content:"|1C 00 00 00|"; depth:4; byte_test:4,<,6,8,little; metadata:policy max-detect-ips drop; reference:bugtraq,20986; reference:cve,2006-5861; classtype:denial-of-service; sid:9325; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [443,465,993,995] (msg:"SERVER-OTHER SSLv2 openssl get shared ciphers overflow attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv2; content:"|01 00 02|"; depth:3; offset:2; byte_test:2, >, 256, 0, relative; metadata:policy max-detect-ips drop, service ssl; reference:bugtraq,20249; reference:bugtraq,22083; reference:cve,2006-3738; reference:cve,2007-5135; reference:url,www.openssl.org/news/secadv_20060928.txt; classtype:attempted-admin; sid:8428; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [443,465,993,995] (msg:"SERVER-OTHER SSLv3 openssl get shared ciphers overflow attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3; content:"|16 03 00|"; depth:3; content:"|01|"; within:1; distance:2; content:"|03 00|"; within:2; distance:3; content:"|00|"; within:1; distance:32; byte_test:2, >, 256, 0, relative; metadata:policy max-detect-ips drop, service ssl; reference:bugtraq,20249; reference:bugtraq,25831; reference:cve,2006-3738; reference:cve,2007-5135; reference:url,www.openssl.org/news/secadv_20060928.txt; classtype:attempted-admin; sid:8426; rev:20;)
# alert udp $HOME_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER ISC DHCP server 2 client_id length denial of service attempt"; flow:to_server; content:"c|82|Sc"; content:"= "; distance:0; metadata:policy max-detect-ips drop; reference:cve,2006-3122; reference:url,www.debian.org/security/2006/dsa-1143; classtype:attempted-dos; sid:8056; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2967 (msg:"SERVER-OTHER symantec antivirus realtime virusscan overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; content:"|0A|"; depth:1; offset:4; content:"|00 24|"; depth:2; offset:16; byte_jump:2,32; content:!"|00|"; within:1; metadata:policy max-detect-ips drop; reference:bugtraq,18107; reference:cve,2006-2630; classtype:attempted-admin; sid:6512; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [5800,5900:5999] (msg:"SERVER-OTHER RealVNC password authentication bypass attempt"; flow:to_server,established; flowbits:isset,vnc.server.auth.types; flowbits:unset,vnc.server.auth.types; dsize:1; content:"|01|"; depth:1; metadata:policy max-detect-ips drop, service vnc-server; reference:bugtraq,17978; reference:cve,2006-2369; classtype:attempted-admin; sid:6471; rev:12;)
alert tcp $HOME_NET [5800,5900:5999] -> $EXTERNAL_NET any (msg:"SERVER-OTHER RealVNC authentication types without None type sent attempt"; flow:to_client,established; flowbits:isset,vnc.handshake.client; flowbits:unset,vnc.handshake.client; pcre:"/^[^\x00][^\x00\x01]+$/"; flowbits:set,vnc.server.auth.types; flowbits:noalert; metadata:policy max-detect-ips alert, service vnc-server; classtype:protocol-command-decode; sid:6470; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [5800,5900:5999] (msg:"SERVER-OTHER RealVNC connection attempt"; flow:to_server,established; dsize:12; content:"RFB 003.00"; depth:10; content:!"3"; within:1; flowbits:set,vnc.handshake.client; flowbits:set,vnc.traffic; flowbits:noalert; metadata:service vnc-server; classtype:protocol-command-decode; sid:6469; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13701 (msg:"SERVER-OTHER Veritas NetBackup Volume Manager overflow attempt"; flow:to_server,established; flowbits:isset,veritas.vmd.connect; pcre:"/(0x[0-9a-f]+|0[0-8]+|[1-9]\d*)\s+\S{157}|(0x[0-9a-f]+|0[0-8]+|[1-9]\d*)\s+\S+\s+\S{125}|(0x[0-9a-f]+|0[0-8]+|[1-9]\d*)\s+\S+\s+\S+\s+\S{1025}|(0x[ 0-9a-f]+|0[0-8]+|[1-9]\d*)\s+\S+\s+\S+\s+\S+\s+\S{117}|(0x[0-9a-f]+|0[0-8]+|[1-9]\d*)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S{37}/i"; metadata:policy max-detect-ips drop; reference:bugtraq,17264; reference:cve,2006-0989; classtype:attempted-admin; sid:6405; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 13701 (msg:"SERVER-OTHER Veritas NetBackup Volume Manager connection attempt"; flow:to_server,established; byte_test:1,>,3,10,dec,string; byte_test:1,<,11,10,dec,string; flowbits:set,veritas.vmd.connect; flowbits:noalert; classtype:protocol-command-decode; sid:6404; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13724 (msg:"SERVER-OTHER VERITAS NetBackup vnetd buffer overflow attempt"; flow:to_server,established; flowbits:isset,vnetd.bpspsserver.connection; byte_test:4,>,1024,0; isdataat:1024; flowbits:unset,vnetd.bpspsserver.connection; metadata:policy max-detect-ips drop; reference:bugtraq,17264; reference:cve,2006-0991; classtype:attempted-admin; sid:6011; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4105 (msg:"SERVER-OTHER CA CAM log_security overflow attempt"; flow:to_server,established; content:"|FA F9 00 10|"; isdataat:256; content:!"|00|"; within:256; metadata:policy max-detect-ips drop; reference:bugtraq,14622; reference:cve,2005-2668; classtype:misc-attack; sid:5316; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-OTHER MailEnable HTTPMail buffer overflow attempt"; flow:to_server,established; content:"GET"; content:!"Proxy-Authorization|3A|"; nocase; content:"Authorization|3A|"; nocase; isdataat:261,relative; content:!"|0D 0A|"; within:261; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13350; reference:cve,2005-1348; reference:url,frsirt.com/english/advisories/2005/0383; classtype:attempted-admin; sid:4637; rev:15;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER lpd receive printer job cascade adaptor protocol request"; flow:to_server,established; content:"|02|"; depth:1; pcre:"/\x02[^\x0a]+\x3a[^\x0a]+\x0a/"; flowbits:set,lp.cascade; flowbits:noalert; metadata:policy max-detect-ips drop, service ldp; classtype:protocol-command-decode; sid:4143; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"SERVER-OTHER SHOUTcast URI format string attempt"; flow:to_server,established; content:"/content/"; fast_pattern:only; pcre:"/\/content\/[^\r\n\x20]*\x2emp3/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,12096; reference:cve,2004-1373; classtype:web-application-attack; sid:4131; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1761 (msg:"SERVER-OTHER Novell ZenWorks Remote Management Agent buffer overflow Attempt"; flow:to_server,established; content:"|00 01|"; depth:2; offset:16; byte_jump:2,0,relative; byte_jump:2,0,relative; byte_jump:2,0,relative; content:"|00 01 00 01 00 02|"; within:6; isdataat:30,relative; byte_test:2,>,28,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,13678; reference:cve,2005-1543; classtype:attempted-dos; sid:4130; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8008,8028] (msg:"SERVER-OTHER Novell eDirectory Server iMonitor overflow attempt"; flow:to_server,established; content:"/nds/"; pcre:"/\x2fnds\x2f[^&\r\n\x3b]{500}/smi"; metadata:policy max-detect-ips drop; reference:bugtraq,14548; reference:cve,2005-2551; classtype:attempted-admin; sid:4127; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"SERVER-OTHER Veritas Backup Exec root connection attempt using default password hash"; flow:to_server,established; content:"|00 00 00 00 00 00 09 01|"; depth:8; offset:12; content:"|00 00 00 02|"; depth:4; offset:28; content:"root"; depth:4; offset:36; nocase; content:"|B4 B8 0F|& |5C|B4|03 FC AE EE 8F 91|=o"; distance:0; metadata:policy max-detect-ips drop; reference:bugtraq,14551; reference:cve,2005-2611; reference:url,attack.mitre.org/techniques/T1078; classtype:suspicious-login; sid:4126; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"SERVER-OTHER Veritas Backup Agent DoS attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:12; byte_test:4,>,0,24; metadata:policy max-detect-ips drop; reference:bugtraq,14201; reference:cve,2005-0772; classtype:attempted-dos; sid:3696; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"SERVER-OTHER Veritas Backup Agent password overflow attempt"; flow:to_server,established; content:"|00 00 09 01|"; depth:4; offset:16; content:"|00 00 00 03|"; depth:4; offset:28; byte_jump:4,32; byte_test:4,>,1023,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,14022; reference:cve,2005-0773; classtype:attempted-admin; sid:3695; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6050 (msg:"SERVER-OTHER ARCserve universal backup agent option 1000 little endian buffer overflow attempt"; flow:to_server,established; content:"|E8 03|"; depth:2; offset:256; isdataat:430,relative; byte_test:2,>,679,6,little; byte_test:2,<,1705,6,little; metadata:policy max-detect-ips drop; reference:bugtraq,13102; reference:cve,2005-1018; reference:nessus,18041; classtype:attempted-admin; sid:3658; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10202 (msg:"SERVER-OTHER Computer Associates license GETCONFIG server overflow attempt"; flow:to_server,established; content:"GETCONFIG SELF "; depth:15; offset:3; nocase; isdataat:200,relative; content:!"<EOM>"; within:204; metadata:policy max-detect-ips drop; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-user; sid:3522; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10202:10203 (msg:"SERVER-OTHER Computer Associates license GCR NETWORK overflow attempt"; flow:to_server,established; content:"GCR NETWORK<"; depth:12; offset:3; nocase; pcre:"/^\S{65}|\S+\s+\S{65}|\S+\s+\S+\s+\S{65}/Ri"; metadata:policy max-detect-ips drop; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-user; sid:3520; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10202:10203 (msg:"SERVER-OTHER Computer Associates license PUTOLF overflow attempt"; flow:to_server,established; content:"PUTOLF"; depth:6; offset:3; nocase; pcre:"/PUTOLF\s+((\S+\s+){4}[^\s]{256}|(\S+\s+){6}[^\x3c]{512})/i"; metadata:policy max-detect-ips drop; reference:bugtraq,12705; reference:cve,2005-0582; classtype:attempted-user; sid:3517; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia backup client type 77 overflow attempt"; flow:to_server,established; content:"|00|M"; depth:2; byte_test:2,>,23,6; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,12594; reference:cve,2005-0491; reference:nessus,17158; classtype:attempted-user; sid:3457; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6101 (msg:"SERVER-OTHER Veritas backup overflow attempt"; flow:to_server,established; content:"|02 00|"; depth:2; content:"|00|"; within:1; distance:1; isdataat:72; content:!"|00|"; depth:66; offset:6; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,11974; reference:cve,2004-1172; classtype:attempted-admin; sid:3084; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL handshake with potentially unseeded PRNG information disclosure attempt"; flow:to_server,established; ssl_version:tls1.0,tls1.1,tls1.2; ssl_state:client_hello; content:"|16 03|"; depth:2; content:"|00 8A 00 FF|"; within:4; distance:44; metadata:service ssl; reference:bugtraq,73234; reference:cve,2015-0285; reference:url,www.openssl.org/news/secadv_20150319.txt; classtype:attempted-recon; sid:34595; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER ISA Server OTP-based Forms-authorization fallback policy bypass attempt "; flow:to_server,established; content:"Authorization"; nocase; http_header; content:"Basic"; within:50; nocase; http_header; content:"User-Agent"; nocase; http_header; content:"MSRPC"; within:50; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^n]*MSRPC/smiH"; pcre:"/^Authorization\x3A\s*basic/smiH"; metadata:service http; reference:cve,2009-1135; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-031; classtype:attempted-user; sid:17041; rev:7;)
# alert udp $EXTERNAL_NET 53 -> $SMTP_SERVERS any (msg:"SERVER-OTHER Windows Server2000/2003/2008 SMTP service DNS MX lookup denial of service attempt "; flow:to_client; byte_test:1,&,128,2; content:"|00 0F 00 01|"; offset:12; content:"|00 0F 00 01|"; distance:0; byte_test:1,<,192,8,relative; content:!"|00|"; within:1; distance:8; content:"|00|"; within:1; distance:9; metadata:policy max-detect-ips drop, service dns, service smtp; reference:bugtraq,39308; reference:cve,2010-0024; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-024; classtype:attempted-dos; sid:16534; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1812 (msg:"SERVER-OTHER Microsoft Internet Authentication Service EAP-MSCHAPv2 authentication bypass attempt "; flow:to_server; content:"|01|"; depth:1; content:"|1A 02|"; distance:25; content:"|4F|"; within:2; distance:-8; content:"|02|"; within:1; distance:1; byte_test:2,<,74,1,relative; reference:cve,2009-3677; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-071; classtype:attempted-user; sid:16329; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-OTHER Microsoft Active Directory NTDSA stack space exhaustion attempt "; flow:to_server,established; content:"|50 01|"; content:"|02 01|"; within:2; distance:-5; pcre:"/\x30(\x84\x00\x00\x00\x06|\x82\x00\x06|\x01\x06)\x02\x01.\x50\x01(.)(\x30(\x84\x00\x00\x00\x06|\x82\x00\x06|\x01\x06)\x02\x01.\x50\x01\2){9}/"; reference:cve,2009-1928; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-066; classtype:attempted-dos; sid:16237; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [5357,5358] (msg:"SERVER-OTHER Web Service on Devices API WSDAPI URL processing buffer corruption attempt "; flow:to_server, established; content:"Mime-Version|3A|"; fast_pattern:only; http_header; pcre:"/^Mime-Version\x3A[^\x0D\x0A]{100}/Hsmi"; metadata:service http; reference:cve,2009-2512; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-063; classtype:attempted-user; sid:16227; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER ISA Server OTP-based Forms-authorization fallback policy bypass attempt "; flow:to_server,established; content:"Authorization"; nocase; http_header; content:"Basic"; within:50; nocase; http_header; content:"User-Agent"; nocase; http_header; content:"Frontpage"; within:50; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^n]*Frontpage/smiH"; pcre:"/Authorization\x3A\s*basic/smiH"; metadata:service http; reference:cve,2009-1135; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-031; classtype:attempted-user; sid:15683; rev:9;)
# alert tcp $HOME_NET 389 -> $EXTERNAL_NET any (msg:"SERVER-OTHER Active Directory invalid OID denial of service attempt "; flow:to_client,established,no_stream; content:"problem 2001 |28|NO_OBJECT|29|"; detection_filter:track by_dst, count 200, seconds 30; metadata:service ldap; reference:cve,2009-1139; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-018; classtype:attempted-dos; sid:15522; rev:7;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER WinHTTP SSL/TLS impersonation attempt "; flow:to_client,established; content:"|16 03 01|"; depth:3; content:"1|0B|0|09 06 03|U|04 06 13 02|US1|0B|0|09 06 03|U|04 08 13 02|HI1|10|0|0E 06 03|U|04 07 13 07|Anytown1|13|0|11 06 03|U|04 0A 13 0A|Badguy.com1|0D|0|0B 06 03|U|04 0B 13 04|Evil1|17|0|15 06 03|U|04 03 13 0E|www.badguy.com1|1F|0|1D 06 09|*|86|H|86 F7 0D 01 09 01 16 10|admin@badguy.com"; metadata:service ssl; reference:cve,2009-0089; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-013; classtype:misc-attack; sid:15456; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 30051 (msg:"SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt"; flow:to_server,established; content:"tsm|3A|"; content:"pass="; distance:0; isdataat:220,relative; content:!"|20|"; within:220; content:!"|00|"; within:220; metadata:policy max-detect-ips drop; reference:bugtraq,74021; reference:cve,2015-0120; classtype:attempted-admin; sid:34603; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER PHP unserialize datetimezone object code execution attempt"; flow:to_server,established; content:"O%3A"; content:"%22DateTime"; within:16; content:"S%3A"; distance:0; nocase; content:"%3A%22timezone_type%22%3B"; within:28; content:!"i"; within:1; nocase; metadata:service http; reference:cve,2015-0273; classtype:attempted-admin; sid:34710; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [543,544,754] (msg:"SERVER-OTHER MIT Kerberos MIT Kerberos 5 krb5_read_message denial of service attempt"; flow:to_server,established; content:"KRB5_SENDAUTH_V1.0"; content:"|00 00 00 00|"; within:4; distance:-23; metadata:service kerberos; reference:cve,2014-5355; reference:url,attack.mitre.org/techniques/T1097; classtype:attempted-dos; sid:34709; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL zero-length ClientKeyExchange message denial of service attempt"; flow:to_server,established; ssl_version:tls1.0,tls1.1,tls1.2,sslv3; ssl_state:client_keyx; content:"|16 03|"; depth:2; content:"|10 00 00 00|"; within:4; distance:3; metadata:service ssl; reference:bugtraq,73238; reference:cve,2015-1787; reference:url,www.openssl.org/news/secadv_20150319.txt; classtype:attempted-dos; sid:34649; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [50500,443] (msg:"SERVER-OTHER HP LoadRunner launcher.dll stack buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 19|"; depth:4; content:"=="; within:2; distance:22; content:"|00 00 00 01|"; within:4; distance:13; byte_jump:4,-12,relative,post_offset 4; byte_test:4,>,520,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,74737; reference:cve,2015-2110; classtype:attempted-admin; sid:34798; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [25,443,465,587,5061] (msg:"SERVER-OTHER OpenSSL denial-of-service via crafted x.509 certificate attempt"; flow:to_server,established; ssl_version:tls1.2; content:"|30 0E 06 09 2A 86 48 86 F7 0D 01 01 0B 01 01 01|"; fast_pattern:only; metadata:service ssl; reference:cve,2015-0286; classtype:attempted-dos; sid:34889; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER MiniUPnPd SSDP request buffer overflow attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"ST|3A|"; content:!"|0D|"; within:512; content:!"|0A|"; within:512; metadata:service ssdp; reference:cve,2013-0229; reference:cve,2013-2600; classtype:denial-of-service; sid:25664; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"ST|3A|uuid|3A|"; fast_pattern:only; content:"uuid|3A|"; isdataat:190,relative; content:!"|3A 3A|"; within:190; metadata:policy security-ips drop, service ssdp; reference:cve,2012-5959; classtype:attempted-admin; sid:25620; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"ST|3A|uuid|3A|"; fast_pattern:only; content:"uuid|3A|"; isdataat:190,relative; content:!"|0D|"; within:190; metadata:policy security-ips drop, service ssdp; reference:cve,2012-5963; classtype:attempted-admin; sid:25619; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"|3A|service|3A|"; fast_pattern:only; content:"ST|3A|urn|3A|"; isdataat:190,relative; content:!"|0D|"; within:190; metadata:policy security-ips drop, service ssdp; reference:cve,2012-5964; classtype:attempted-admin; sid:25618; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"|3A|device|3A|"; fast_pattern:only; content:"ST|3A|urn|3A|"; isdataat:190,relative; content:!"|0D|"; within:190; metadata:policy security-ips drop, service ssdp; reference:cve,2012-5965; classtype:attempted-admin; sid:25617; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"ST|3A|"; content:!"|3A 3A|upnp|3A|rootdevice"; within:200; content:"|3A 3A|upnp|3A|rootdevice"; fast_pattern:only; metadata:policy security-ips drop, service ssdp; reference:cve,2012-5960; classtype:attempted-admin; sid:25612; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"ST|3A|uuid|3A|schemas|3A|device|3A|"; content:"|3A|"; within:20; isdataat:200,relative; content:!"|0D|"; within:200; metadata:policy security-ips drop, service ssdp; reference:cve,2012-5961; classtype:attempted-admin; sid:25601; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"|3A|device|3A|"; isdataat:180,relative; content:!"|3A|"; within:180; metadata:policy security-ips drop, ruleset community, service ssdp; reference:cve,2012-5958; reference:cve,2012-5962; classtype:attempted-admin; sid:25589; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 524 (msg:"SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt"; flow:to_server; dsize:>100; content:"|00 00 00 01 00 00 00 05 22 22|"; fast_pattern:only; content:"DmdT"; depth:4; content:"|22 22|"; within:2; distance:12; content:"|17|"; within:1; distance:4; content:"|18|"; within:1; distance:2; byte_test:1,>,52,10,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service netware; reference:cve,2012-0432; reference:url,www.novell.com/support/kb/doc.php?id=3426981; classtype:attempted-admin; sid:25550; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 524 (msg:"SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt"; flow:to_server,established; dsize:>100; content:"|00 00 00 01 00 00 00 05 22 22|"; fast_pattern:only; content:"DmdT"; depth:4; content:"|22 22|"; within:2; distance:12; content:"|17|"; within:1; distance:4; content:"|18|"; within:1; distance:2; byte_test:1,>,52,10,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service netware; reference:cve,2012-0432; reference:url,www.novell.com/support/kb/doc.php?id=3426981; classtype:attempted-admin; sid:25549; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER CA ARCserve LGServer stack buffer overflow attempt"; flow:to_server,established; byte_test:10,>,256,0,dec,string; content:"rxr"; depth:3; offset:10; content:"~~"; within:50; isdataat:256,relative; content:!"~~"; within:256; metadata:policy max-detect-ips drop, service ssdp; reference:bugtraq,24348; reference:cve,2007-3216; classtype:attempted-admin; sid:12786; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER CA ARCserve LGServer stack buffer overflow attempt"; flow:to_server,established; byte_test:10,>,256,0,dec,string; content:"rxc"; depth:3; offset:10; content:"~~"; within:50; isdataat:256,relative; content:!"~~"; within:256; metadata:policy max-detect-ips drop, service ssdp; reference:bugtraq,24348; reference:cve,2007-3216; classtype:attempted-admin; sid:12785; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER CA ARCserve LGServer stack buffer overflow attempt"; flow:to_server,established; byte_test:10,>,256,0,dec,string; content:"rxs"; depth:3; offset:10; content:"~~"; within:50; isdataat:256,relative; content:!"~~"; within:256; metadata:policy max-detect-ips drop, service ssdp; reference:bugtraq,24348; reference:cve,2007-3216; classtype:attempted-admin; sid:12784; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 30051 (msg:"SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt"; flow:to_server,established; content:"vault|3A|"; content:"user="; distance:0; isdataat:500,relative; content:!"|20|"; within:500; content:!"|00|"; within:500; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,74024; reference:cve,2015-1896; classtype:attempted-admin; sid:34943; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 30051 (msg:"SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt"; flow:to_server,established; content:"vault|3A|"; content:"safe="; distance:0; isdataat:500,relative; content:!"|20|"; within:500; content:!"|00|"; within:500; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,74024; reference:cve,2015-1896; classtype:attempted-admin; sid:34942; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 30051 (msg:"SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt"; flow:to_server,established; content:"vault|3A|"; content:"port="; distance:0; isdataat:500,relative; content:!"|20|"; within:500; content:!"|00|"; within:500; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,74024; reference:cve,2015-1896; classtype:attempted-admin; sid:34941; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 30051 (msg:"SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt"; flow:to_server,established; content:"vault|3A|"; content:"pass="; distance:0; isdataat:500,relative; content:!"|20|"; within:500; content:!"|00|"; within:500; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,74024; reference:cve,2015-1896; classtype:attempted-admin; sid:34940; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 30051 (msg:"SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt"; flow:to_server,established; content:"vault|3A|"; content:"ip="; distance:0; isdataat:500,relative; content:!"|20|"; within:500; content:!"|00|"; within:500; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,74024; reference:cve,2015-1896; classtype:attempted-admin; sid:34939; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 30051 (msg:"SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt"; flow:to_server,established; content:"vault|3A|"; content:"inifile="; distance:0; isdataat:500,relative; content:!"|20|"; within:500; content:!"|00|"; within:500; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,74024; reference:cve,2015-1896; classtype:attempted-admin; sid:34938; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER Novell ZENworks Configuration Management preboot policy service stack buffer overflow attempt"; flow:to_server; content:"|00 03|"; depth:2; byte_test:2,>,0x1000,0,relative; content:"|00 00|"; within:2; distance:2; content:"|01|"; within:1; distance:3; isdataat:1028,relative; content:!"|00|"; within:1024; distance:4; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,74290; reference:cve,2015-0786; reference:url,www.novell.com/support/kb/doc.php?id=7016431; classtype:attempted-admin; sid:34937; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484,5061] (msg:"SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt"; flow:to_server,established; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; ssl_state:!client_hello,!server_hello,!server_keyx; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|06 09 2A 86 48 86 F7 0D 01 01 0A|"; distance:9; fast_pattern; content:"|06 09 2A 86 48 86 F7 0D 01 01 08|"; within:50; content:!"|06 05 2B 0E 03 02 1A|"; within:17; distance:2; content:!"|06 09 60 86 48 01 65 03 04 02 04|"; within:17; distance:-17; content:!"|06 09 60 86 48 01 65 03 04 02 01|"; within:17; distance:-17; content:!"|06 09 60 86 48 01 65 03 04 02 02|"; within:17; distance:-17; content:!"|06 09 60 86 48 01 65 03 04 02 03|"; within:17; distance:-17; metadata:service ssl; reference:cve,2015-0208; classtype:attempted-dos; sid:34956; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484,5061] (msg:"SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt"; flow:to_server,established; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; ssl_state:!client_hello,!server_hello,!server_keyx; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|06 09 2A 86 48 86 F7 0D 01 01 0A|"; distance:9; fast_pattern; content:!"|06 09 2A 86 48 86 F7 0D 01 01 08|"; within:50; distance:15; metadata:service ssl; reference:cve,2015-0208; classtype:attempted-dos; sid:34955; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484,5061] (msg:"SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt"; flow:to_server,established; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; ssl_state:!client_hello,!server_hello,!server_keyx; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|06 09 2A 86 48 86 F7 0D 01 01 0A|"; distance:9; fast_pattern; content:!"|06 05 2B 0E 03 02 1A|"; within:17; distance:2; content:!"|06 09 60 86 48 01 65 03 04 02 04|"; within:17; distance:-17; content:!"|06 09 60 86 48 01 65 03 04 02 01|"; within:17; distance:-17; content:!"|06 09 60 86 48 01 65 03 04 02 02|"; within:17; distance:-17; content:!"|06 09 60 86 48 01 65 03 04 02 03|"; within:17; distance:-17; metadata:service ssl; reference:cve,2015-0208; classtype:attempted-dos; sid:34954; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484,5061] (msg:"SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt"; flow:to_server,established; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; ssl_state:!client_hello,!server_hello,!server_keyx; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|06 09 2A 86 48 86 F7 0D 01 01 0A|"; distance:9; content:"|06 09 2A 86 48 86 F7 0D 01 01 08 30 09 06 05 2B 0E 03 02 1A 05 00 A2 03 02 01 14 A3 03 02 01 02|"; distance:0; metadata:service ssl; reference:cve,2015-0208; classtype:attempted-dos; sid:34953; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484,5061] (msg:"SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt"; flow:to_server,established; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; ssl_state:!client_hello,!server_hello,!server_keyx; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|06 09 2A 86 48 86 F7 0D 01 01 0A|"; distance:9; content:"|05 2B 0E 03 02 1A 05 00 A2 03 02 01 F0 A3 03 02 01 01 30 81 B3 31 0B 30 09 06 03 55 04 06 13 02|"; distance:0; metadata:service ssl; reference:cve,2015-0208; classtype:attempted-dos; sid:34952; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER PHP DateTimeZone object timezone unserialize type confusion attempt"; flow:to_server,established; content:"O%3A"; content:"%22DateTimeZone%22"; within:30; content:"S%3A"; distance:0; nocase; content:"%3A%22timezone_type%22%3B"; within:28; content:"%3A%22timezone%22%3B"; content:!"s"; within:1; nocase; metadata:service http; reference:url,bugs.php.net/bug.php?id=68942; classtype:attempted-admin; sid:34951; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Apache mod_include buffer overflow attempt"; flow:to_client,established; content:"<!--#"; isdataat:1000,relative; content:!"-->"; reference:bugtraq,11471; reference:cve,2004-0940; classtype:attempted-user; sid:34973; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"SERVER-OTHER Apple Cups cupsd privilege escalation attempt"; flow:to_server,established; content:"|00 1B|attributes-natural-language"; nocase; http_client_body; content:"/admin"; within:6; distance:2; fast_pattern; nocase; http_client_body; content:"|00 19|job-originating-host-name"; nocase; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,75098; reference:cve,2015-1158; reference:url,googleprojectzero.blogspot.com/2015/06/owning-internet-printing-case-study-in.html; classtype:attempted-admin; sid:35043; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Trustwave ModSecurity chunked transfer encoding policy bypass attempt "; flow:to_server,established; content:"Transfer-Encoding|3A|"; nocase; http_header; pcre:"/^Transfer-Encoding\x3a\s*(Ch|CH|cH|chU|chuN|chunK|chunkE|chunkeD)/mH"; metadata:service http; reference:cve,2013-5705; reference:url,www.securityfocus.com/bid/66552; classtype:attempted-user; sid:35038; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER PHP core compressed file temp_len buffer overflow attempt"; flow:to_server,established; content:".phar"; fast_pattern:only; content:"ustar|00|"; content:"L"; within:1; distance:-107; byte_test:10,>,0x1000,-32,relative,string,oct; metadata:service http; reference:cve,2015-3329; classtype:attempted-admin; sid:35093; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER PHP core compressed file temp_len buffer overflow attempt"; flow:to_server,established; file_data; content:"PK|03 04|"; depth:4; content:"PK|01 02|"; distance:0; byte_test:2,>=,0x1000,24,relative,little; metadata:service http; reference:cve,2015-3329; classtype:attempted-admin; sid:35092; rev:1;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER OpenSSL anomalous x509 certificate with default org name and certificate chain detected"; flow:to_client,established; ssl_state:server_hello; content:"|55 04 0A 13 18|Internet Widgits Pty Ltd"; content:"|06 03 55 1D 0E 04 16 04 14|"; distance:0; byte_extract:4,0,cert_key_id,relative; content:"|06 03 55 1D 23 04 18 30 16 80 14|"; byte_test:4,!=,cert_key_id,0,relative; metadata:service ssl; reference:cve,2015-1793; reference:url,attack.mitre.org/techniques/T1078; classtype:misc-attack; sid:35111; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1599 (msg:"SERVER-OTHER LibreOffice Impress socket manager Use After Free attempt"; flow:to_server,established; content:"LO_SERVER_CLIENT_PAIR|0A|"; pcre:"/LO_SERVER_CLIENT_PAIR\x0A.+\x0A(?![\d]{4}\x0A)/"; reference:bugtraq,71351; reference:cve,2014-3963; reference:url,libreoffice.org/about-us/security/advisories/cve-2014-3693/; classtype:attempted-user; sid:35253; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER Advantech ADAMView conditional bitmap buffer overflow attempt"; flow:to_server,established; file_data; content:"AGNI"; depth:4; content:"SWPL"; distance:0; fast_pattern; content:"BMP"; distance:0; content:!"|00|"; within:260; distance:1; metadata:policy max-detect-ips drop, service smtp; reference:cve,2014-8386; reference:url,www.coresecurity.com/advisories/advantech-adamView-buffer-overflow; classtype:attempted-user; sid:35252; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Advantech ADAMView conditional bitmap buffer overflow attempt"; flow:to_client,established; file_data; content:"AGNI"; depth:4; content:"SWPL"; distance:0; fast_pattern; content:"BMP"; distance:0; content:!"|00|"; within:260; distance:1; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-8386; reference:url,www.coresecurity.com/advisories/advantech-adamView-buffer-overflow; classtype:attempted-user; sid:35251; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER OpenSSL alternative chains certificate forgery attempt"; flow:to_client,established; ssl_state:server_hello; content:"|55 1D 13 04 02 30 00|"; fast_pattern:only; content:"|06 03 55 1D 23 04 18 30 16 80 14|"; byte_extract:4,0,cert_key_id,relative; content:"|06 03 55 1D 0E 04 16 04 14|"; distance:0; byte_test:4,=,cert_key_id,0,relative; content:"|55 1D 13 04 02 30 00|"; within:400; distance:-200; metadata:service ssl; reference:cve,2015-1793; reference:url,www.openssl.org/news/secadv_20150709.txt; classtype:misc-attack; sid:35307; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER HP Release Control authenticated privilege escalation attempt"; flow:to_server,established; content:"/messagebroker/amfsecure"; fast_pattern:only; http_uri; content:"|00 03 00 00 00 01 00 04 6E 75 6C 6C 00 03 2F 32 39|"; http_client_body; content:"searchUser"; distance:0; nocase; http_client_body; content:"I8E50A453-"; distance:0; http_client_body; metadata:service http; reference:url,gist.github.com/brandonprry/1ed5633fa7ba18538f02; classtype:attempted-admin; sid:35405; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8000] (msg:"SERVER-OTHER Fortinet Single Sign On hello message denial of service attempt"; flow:to_server,established; content:"|00 0F FF FF 80|"; depth:5; byte_test:1,<=,0x05,0,relative; byte_test:1,!=,0x04,0,relative; byte_test:1,!=,0x00,0,relative; reference:bugtraq,73206; reference:cve,2015-2281; classtype:denial-of-service; sid:35418; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8000] (msg:"SERVER-OTHER Fortinet Single Sign On hello message denial of service attempt"; flow:to_server,established; content:"|00 00 FF FF 80|"; depth:5; byte_test:1,<=,0x05,0,relative; byte_test:1,!=,0x04,0,relative; byte_test:1,!=,0x00,0,relative; reference:bugtraq,73206; reference:cve,2015-2281; classtype:denial-of-service; sid:35417; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"SERVER-OTHER EMC AutoStart ftagent SQL injection attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 00 00 00 00 55 00 00 00 21|"; within:12; distance:4; pcre:"/\x00{7}\x55\x00{3}\x21.{4}[^\x00]*?[\x22\x27\x29\x3b]/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,74426; reference:cve,2015-0538; classtype:attempted-admin; sid:35541; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"SERVER-OTHER EMC AutoStart ftagent SQL injection attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 00 00 00 00 53 00 00 00 16|"; within:12; distance:4; pcre:"/\x00{7}\x53\x00{3}\x16.{8}[^\x00]*?[\x22\x27\x29\x3b]/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,74426; reference:cve,2015-0538; classtype:attempted-admin; sid:35540; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [5900:6000] (msg:"SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt"; flow:to_server,established; dsize:4; content:"|0F 00|"; depth:2; metadata:service vnc-server; reference:cve,2014-6054; reference:url,github.com/newsoft/libvncserver/commit/05a9bd41a; classtype:denial-of-service; sid:35631; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [5900:6000] (msg:"SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt"; flow:to_server,established; dsize:4; content:"|08 00|"; depth:2; metadata:service vnc-server; reference:cve,2014-6054; reference:url,github.com/newsoft/libvncserver/commit/05a9bd41a; classtype:denial-of-service; sid:35630; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [443,993,636,995] (msg:"SERVER-OTHER gnuTLS _asn1_extract_der_octet memory error inbound malicious client dos attempt"; flow:to_server,established; ssl_state:!server_hello; content:"|06 03 55 1D|"; fast_pattern; nocase; content:"|24|"; within:1; distance:1; metadata:service imap, service ldap, service pop3, service ssl; reference:bugtraq,74419; reference:cve,2015-3622; reference:url,blog.fuzzing-project.org/9-Heap-overflow-invalid-read-in-Libtasn1-TFPA-0052015.html; reference:url,lists.gnu.org/archive/html/help-libtasn1/2015-04/msg00000.html; classtype:attempted-dos; sid:35766; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [443,993,636,995] (msg:"SERVER-OTHER gnuTLS _asn1_extract_der_octet memory error inbound malicious client dos attempt"; flow:to_server,established; ssl_state:!server_hello; content:"|06 03 55 1D|"; fast_pattern; nocase; content:"|01|"; within:1; distance:1; content:"|24|"; within:1; distance:2; metadata:service imap, service ldap, service pop3, service ssl; reference:bugtraq,74419; reference:cve,2015-3622; reference:url,blog.fuzzing-project.org/9-Heap-overflow-invalid-read-in-Libtasn1-TFPA-0052015.html; reference:url,lists.gnu.org/archive/html/help-libtasn1/2015-04/msg00000.html; classtype:attempted-dos; sid:35765; rev:2;)
# alert tcp $EXTERNAL_NET [443,993,636,995] -> $HOME_NET any (msg:"SERVER-OTHER gnuTLS _asn1_extract_der_octet memory error inbound malicious server dos attempt"; flow:to_client,established; ssl_state:!server_hello; content:"|06 03 55 1D|"; fast_pattern; nocase; content:"|24|"; within:1; distance:1; metadata:service imap, service ldap, service pop3, service ssl; reference:bugtraq,74419; reference:cve,2015-3622; reference:url,blog.fuzzing-project.org/9-Heap-overflow-invalid-read-in-Libtasn1-TFPA-0052015.html; reference:url,lists.gnu.org/archive/html/help-libtasn1/2015-04/msg00000.html; classtype:attempted-dos; sid:35764; rev:2;)
# alert tcp $EXTERNAL_NET [443,993,636,995] -> $HOME_NET any (msg:"SERVER-OTHER gnuTLS _asn1_extract_der_octet memory error inbound malicious server dos attempt"; flow:to_client,established; ssl_state:!server_hello; content:"|06 03 55 1D|"; fast_pattern; nocase; content:"|01|"; within:1; distance:1; content:"|24|"; within:1; distance:2; metadata:service imap, service ldap, service pop3, service ssl; reference:bugtraq,74419; reference:cve,2015-3622; reference:url,blog.fuzzing-project.org/9-Heap-overflow-invalid-read-in-Libtasn1-TFPA-0052015.html; reference:url,lists.gnu.org/archive/html/help-libtasn1/2015-04/msg00000.html; classtype:attempted-dos; sid:35763; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg:"SERVER-OTHER QEMU VNC set-pixel-format memory corruption attempt"; flow:to_server,established; content:"|00 FF 00 FF 00 FF 10 08 00 00 00 00|"; fast_pattern:only; content:"|00 00 00 00|"; depth:4; byte_test:1,<,8,0,relative; content:!"|00|"; within:1; distance:3; reference:bugtraq,70998; reference:cve,2014-7815; classtype:attempted-user; sid:35851; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 51000 (msg:"SERVER-OTHER EMC Documentum Content Server privilege escalation attempt"; flow:to_server,established; content:"object_name"; nocase; content:"dm_user"; distance:0; fast_pattern; nocase; content:"FOR_UPDATE"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2015-4532; reference:url,security-tracker.debian.org/tracker/CVE-2015-4532; classtype:attempted-admin; sid:35850; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Digium Asterisk TLS Certificate Common Name null byte validation bypass attempt"; flow:to_client,established; content:"|16 03|"; depth:2; content:"|06 03 55 04 03|"; distance:0; byte_extract:1,1,string_length,relative; content:"|00|"; within:string_length; metadata:service ssl; reference:bugtraq,74022; reference:cve,2015-3008; classtype:misc-attack; sid:36025; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20031 (msg:"SERVER-OTHER Dell Netvault Backup remote denial of service attempt"; flow:to_server,established; content:"|18 00 00 00 01 E1 03 33 CA|"; depth:9; fast_pattern; content:!"o|3B|n32|3B|o|3B|o|3B|"; within:10; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,76122; reference:cve,2015-5696; reference:url,documents.software.dell.com/netvault-backup/10.0.5/release-notes/; classtype:attempted-dos; sid:36095; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20031 (msg:"SERVER-OTHER Dell Netvault Backup remote denial of service attempt"; flow:to_server,established; content:"|18 00 00 00 01 D5 EE E4 C8|"; depth:9; fast_pattern; content:!"i|3B|i|3B|i|3B|i|3B|d|3B|i|3B|i|3B|i|3B|s|3B|i|3B|"; within:20; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,76122; reference:cve,2015-5696; reference:url,documents.software.dell.com/netvault-backup/10.0.5/release-notes/; classtype:attempted-dos; sid:36094; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20031 (msg:"SERVER-OTHER Dell Netvault Backup remote denial of service attempt"; flow:to_server,established; content:"|18 00 00 00 01 D2 56 19 CA|"; depth:9; fast_pattern; content:!"i|3B|"; within:2; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,76122; reference:cve,2015-5696; reference:url,documents.software.dell.com/netvault-backup/10.0.5/release-notes/; classtype:attempted-dos; sid:36093; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20031 (msg:"SERVER-OTHER Dell Netvault Backup remote denial of service attempt"; flow:to_server,established; content:"|18 00 00 00 01 CB 22 77 C9|"; depth:9; fast_pattern; content:!"i|3B|i|3B|i|3B|i|3B|i|3B|i|3B|i|3B|i|3B|i|3B|i|3B|s|3B|"; within:22; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,76122; reference:cve,2015-5696; reference:url,documents.software.dell.com/netvault-backup/10.0.5/release-notes/; classtype:attempted-dos; sid:36092; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20031 (msg:"SERVER-OTHER Dell Netvault Backup remote denial of service attempt"; flow:to_server,established; content:"|18 00 00 00 01 C5 B7 4A CA|"; depth:9; fast_pattern; content:!"o|3B|i|3B|i|3B|b|3B|b|3B|i|3B|s|3B|s|3B|o|3B|o|3B|o|3B|o|3B|i|3B|o|3B|o|3B|o|3B|p|3B|i|3B|i|3B|i"; within:40; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,76122; reference:cve,2015-5696; reference:url,documents.software.dell.com/netvault-backup/10.0.5/release-notes/; classtype:attempted-dos; sid:36091; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20031 (msg:"SERVER-OTHER Dell Netvault Backup remote denial of service attempt"; flow:to_server,established; content:"|18 00 00 00 01 A5 E0 22 CA|"; depth:9; fast_pattern; content:!"b|3B|b|3B|b|3B|b|3B|b|3B|i|3B|n32|3B|o|3B|i|3B|i|3B|p|3B|i|3B|i|3B|n32768|3B|o|3B|o|3B|"; within:40; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,76122; reference:cve,2015-5696; reference:url,documents.software.dell.com/netvault-backup/10.0.5/release-notes/; classtype:attempted-dos; sid:36090; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20031 (msg:"SERVER-OTHER Dell Netvault Backup remote denial of service attempt"; flow:to_server,established; content:"|18 00 00 00 01 8F D0 F0 CA|"; depth:9; fast_pattern; content:!"i|3B|b|3B|o|3B|o|3B|z|3B|"; within:10; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,76122; reference:cve,2015-5696; reference:url,documents.software.dell.com/netvault-backup/10.0.5/release-notes/; classtype:attempted-dos; sid:36089; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20031 (msg:"SERVER-OTHER Dell Netvault Backup remote denial of service attempt"; flow:to_server,established; content:"|18 00 00 00 01 77 18 2B C9|"; depth:9; fast_pattern; content:!"s|3B|"; within:2; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,76122; reference:cve,2015-5696; reference:url,documents.software.dell.com/netvault-backup/10.0.5/release-notes/; classtype:attempted-dos; sid:36088; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20031 (msg:"SERVER-OTHER Dell Netvault Backup remote denial of service attempt"; flow:to_server,established; content:"|18 00 00 00 01 6D 5B 37 CA|"; depth:9; fast_pattern; content:!"s|3B|s|3B|i|3B|i|3B|i|3B|"; within:10; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,76122; reference:cve,2015-5696; reference:url,documents.software.dell.com/netvault-backup/10.0.5/release-notes/; classtype:attempted-dos; sid:36087; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20031 (msg:"SERVER-OTHER Dell Netvault Backup remote denial of service attempt"; flow:to_server,established; content:"|18 00 00 00 01 67 93 72 CA|"; depth:9; fast_pattern; content:!"o|3B|i|3B|o|3B|i|3B|o|3B|o|3B|"; within:12; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,76122; reference:cve,2015-5696; reference:url,documents.software.dell.com/netvault-backup/10.0.5/release-notes/; classtype:attempted-dos; sid:36086; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20031 (msg:"SERVER-OTHER Dell Netvault Backup remote denial of service attempt"; flow:to_server,established; content:"|18 00 00 00 01 5D BD C6 C9|"; depth:9; fast_pattern; content:!"o|3B|"; within:2; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,76122; reference:cve,2015-5696; reference:url,documents.software.dell.com/netvault-backup/10.0.5/release-notes/; classtype:attempted-dos; sid:36085; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20031 (msg:"SERVER-OTHER Dell Netvault Backup remote denial of service attempt"; flow:to_server,established; content:"|18 00 00 00 01 59 F8 32 CA|"; depth:9; fast_pattern; content:!"b|3B|i|3B|s|3B|n32|3B|"; within:10; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,76122; reference:cve,2015-5696; reference:url,documents.software.dell.com/netvault-backup/10.0.5/release-notes/; classtype:attempted-dos; sid:36084; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20031 (msg:"SERVER-OTHER Dell Netvault Backup remote denial of service attempt"; flow:to_server,established; content:"|18 00 00 00 01 54 D3 86 CA|"; depth:9; fast_pattern; content:!"b|3B|i|3B|i|3B|i|3B|"; within:10; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,76122; reference:cve,2015-5696; reference:url,documents.software.dell.com/netvault-backup/10.0.5/release-notes/; classtype:attempted-dos; sid:36083; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20031 (msg:"SERVER-OTHER Dell Netvault Backup remote denial of service attempt"; flow:to_server,established; content:"|18 00 00 00 01 32 FD 66 C8|"; depth:9; fast_pattern; content:!"s|3B|"; within:2; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,76122; reference:cve,2015-5696; reference:url,documents.software.dell.com/netvault-backup/10.0.5/release-notes/; classtype:attempted-dos; sid:36082; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20031 (msg:"SERVER-OTHER Dell Netvault Backup remote denial of service attempt"; flow:to_server,established; content:"|18 00 00 00 01 28 BE C6 C9|"; depth:9; fast_pattern; content:!"I|3B|i|3B|i|3B|i|3B|b|3B|b|3B|i|3B|"; within:15; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,76122; reference:cve,2015-5696; reference:url,documents.software.dell.com/netvault-backup/10.0.5/release-notes/; classtype:attempted-dos; sid:36081; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20031 (msg:"SERVER-OTHER Dell Netvault Backup remote denial of service attempt"; flow:to_server,established; content:"|18 00 00 00 01 20 EC 24 CB|"; depth:9; fast_pattern; content:!"o|3B|i|3B|o|3B|"; within:6; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,76122; reference:cve,2015-5696; reference:url,documents.software.dell.com/netvault-backup/10.0.5/release-notes/; classtype:attempted-dos; sid:36080; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20031 (msg:"SERVER-OTHER Dell Netvault Backup remote denial of service attempt"; flow:to_server,established; content:"|18 00 00 00 01 18 E8 BE C8|"; depth:9; fast_pattern; content:!"i|3B|"; within:2; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,76122; reference:cve,2015-5696; reference:url,documents.software.dell.com/netvault-backup/10.0.5/release-notes/; classtype:attempted-dos; sid:36079; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20031 (msg:"SERVER-OTHER Dell Netvault Backup remote denial of service attempt"; flow:to_server,established; content:"|18 00 00 00 01 16 67 73 C9|"; depth:9; fast_pattern; content:!"d|3B|"; within:2; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,76122; reference:cve,2015-5696; reference:url,documents.software.dell.com/netvault-backup/10.0.5/release-notes/; classtype:attempted-dos; sid:36078; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20031 (msg:"SERVER-OTHER Dell Netvault Backup remote denial of service attempt"; flow:to_server,established; content:"|18 00 00 00 01 16 09 0B CC|"; depth:9; fast_pattern; content:!"b|3B|i|3B|o|3B|i|3B|b|3B|i|3B|o|3B|"; within:15; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,76122; reference:cve,2015-5696; reference:url,documents.software.dell.com/netvault-backup/10.0.5/release-notes/; classtype:attempted-dos; sid:36077; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20031 (msg:"SERVER-OTHER Dell Netvault Backup remote denial of service attempt"; flow:to_server,established; content:"|18 00 00 00 01 07 69 1B CA|"; depth:9; fast_pattern; content:!"s|3B|"; within:2; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,76122; reference:cve,2015-5696; reference:url,documents.software.dell.com/netvault-backup/10.0.5/release-notes/; classtype:attempted-dos; sid:36076; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20031 (msg:"SERVER-OTHER Dell Netvault Backup remote denial of service attempt"; flow:to_server,established; content:"|18 00 00 00 01 04 F9 C4 C9|"; depth:9; fast_pattern; content:!"s|3B|b|3B|b|3B|b|3B|b|3B|i|3B|i|3B|i|3B|i|3B|i|3B|i|3B|p|3B|o|3B|o|3B|o|3B|o|3B|o|3B|o|3B|o|3B|o"; within:40; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,76122; reference:cve,2015-5696; reference:url,documents.software.dell.com/netvault-backup/10.0.5/release-notes/; classtype:attempted-dos; sid:36075; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20031 (msg:"SERVER-OTHER Dell Netvault Backup remote denial of service attempt"; flow:to_server,established; content:"|18 00 00 00 01 03 BE C6 C9|"; depth:9; fast_pattern; content:!"o|3B|i|3B|"; within:4; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,76122; reference:cve,2015-5696; reference:url,documents.software.dell.com/netvault-backup/10.0.5/release-notes/; classtype:attempted-dos; sid:36074; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20031 (msg:"SERVER-OTHER Dell Netvault Backup remote denial of service attempt"; flow:to_server,established; content:"|18 00 00 00 01 03 05 27 CA|"; depth:9; fast_pattern; content:!"s|3B|b|3B|o|3B|"; within:6; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,76122; reference:cve,2015-5696; reference:url,documents.software.dell.com/netvault-backup/10.0.5/release-notes/; classtype:attempted-dos; sid:36073; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20031 (msg:"SERVER-OTHER Dell Netvault Backup remote denial of service attempt"; flow:to_server,established; content:"|18 00 00 00 01 02 06 1B CA|"; depth:9; fast_pattern; content:!"i|3B|o|3B|i|3B|o|3B|"; within:8; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,76122; reference:cve,2015-5696; reference:url,documents.software.dell.com/netvault-backup/10.0.5/release-notes/; classtype:attempted-dos; sid:36072; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9200 (msg:"SERVER-OTHER ElasticSearch script remote code execution attempt"; flow:to_server,established; content:"GET /"; depth:5; nocase; content:"_search"; distance:0; nocase; content:".class.forName|28|"; fast_pattern:only; metadata:service http; reference:cve,2015-1427; reference:url,jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/; classtype:attempted-user; sid:36067; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER SAP SQL Anywhere .NET malformed integer buffer overflow attempt"; flow:to_server,established; content:"|2E|aspx"; fast_pattern:only; http_uri; content:"="; http_client_body; isdataat:132,relative; content:!"&"; within:132; http_client_body; pcre:"/\x3d([0-9]{1,10})?e[0-9]{1,10}e/Pi"; metadata:service http; reference:cve,2014-9264; reference:url,scn.sap.com/docs/DOC-8218; classtype:attempted-user; sid:36061; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER OpenSSL DTLS handshake oversized fragment length denial of service attempt"; flow:stateless; content:"|FE FF|"; depth:2; offset:1; content:"|01|"; within:1; distance:10; byte_test:3,>,0x19000,0,relative; metadata:service ssl; reference:bugtraq,69076; reference:cve,2014-3506; reference:url,openssl.org/news/vulnerabilities.html; classtype:attempted-dos; sid:36096; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6667 (msg:"SERVER-OTHER IRC w3wt0rk pitbull perl bot remote command execution attempt"; flow:to_server,established; content:":I eat w3tw0rk bots!"; fast_pattern:only; content:":!bot @system"; nocase; content:":The bot answers to"; within:75; nocase; content:"which allows command execution"; within:75; nocase; metadata:service irc; reference:url,exploit-db.com/exploits/36652/; classtype:attempted-user; sid:36248; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6667 (msg:"SERVER-OTHER IRC w3wt0rk pitbull perl bot remote command execution attempt"; flow:to_server,established; content:":!bot sh -c |27|"; fast_pattern:only; content:"PRIVMSG"; nocase; pcre:"/PRIVMSG(\s)*?(\w)*?(\s)*?\x3a\x21bot\s*?(@system|sh|bash).*?\x27/i"; metadata:service irc; reference:url,rapid7.com/db/modules/exploit/multi/misc/w3tw0rk_exec; classtype:attempted-user; sid:36247; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9200 (msg:"SERVER-OTHER ElasticSearch information disclosure attempt"; flow:to_server,established; content:"_search"; content:"script"; nocase; content:"System."; distance:0; nocase; metadata:service http; reference:cve,2014-3120; reference:url,bouk.co/blog/elasticsearch-rce/; classtype:policy-violation; sid:36256; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"SERVER-OTHER IBM Tivoli Management Framework lcfd endpoint daemon buffer overflow attempt"; flow:to_server,established; content:"POST /"; depth:6; fast_pattern; nocase; content:"Content-Length: "; within:350; nocase; content:"|0D 0A 0D 0A|"; within:350; isdataat:256,relative; metadata:service http; reference:bugtraq,48049; reference:cve,2011-1220; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21499146; classtype:attempted-user; sid:36376; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"SERVER-OTHER IBM Tivoli Management Framework Endpoint default HTTP password authentication attempt"; flow:to_server,established; content:"Authorization: "; nocase; content:"dGl2b2xpOmJvc3M=|0D 0A|"; within:25; metadata:service http; reference:cve,2011-1220; reference:cve,2011-2330; reference:url,attack.mitre.org/techniques/T1078; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21499146; classtype:attempted-user; sid:36375; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1234 (msg:"SERVER-OTHER Schneider Electric InduSoft Web Studio Remote Agent remote code execution attempt"; flow:to_server,established; content:"WinExec("; fast_pattern:only; reference:cve,2015-7374; reference:url,schneider-electric.com/ww/en/download/document/SEVD-2015-251-01; classtype:attempted-user; sid:36455; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1234 (msg:"SERVER-OTHER multiple products WinExec function remote code execution attempt"; flow:to_server,established; content:"|00|W|00|i|00|n|00|E|00|x|00|e|00|c|00|(|00|"; fast_pattern:only; reference:cve,2015-7374; reference:url,automationdirect.com; reference:url,schneider-electric.com/ww/en/download/document/SEVD-2015-251-01; classtype:attempted-user; sid:36454; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"SERVER-OTHER Xerox Administrator Console password extraction attempt"; flow:to_server,established; content:"OID_ATT_DLM_EXTRACTION_CRITERIA"; fast_pattern:only; reference:url,www.rapid7.com/db/modules/auxiliary/gather/xerox_pwd_extract; classtype:attempted-recon; sid:36435; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 3401 (msg:"SERVER-OTHER Squid snmphandleUDP off-by-one buffer overflow attempt"; flow:to_server,no_stream; dsize:>4095; content:!"communitystring"; nocase; detection_filter:track by_src, count 60, seconds 1; metadata:service snmp; reference:bugtraq,69686; reference:cve,2014-6270; reference:url,bugzilla.redhat.com/show_bug.cgi?id=1139967; classtype:attempted-dos; sid:36493; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11460 (msg:"SERVER-OTHER IBM Tivoli Storage Manager FastBack Server opcode 1332 buffer overflow attempt"; flow:to_server,established; content:"|34 05 00 00|"; depth:4; offset:16; content:"File|3A|"; within:5; distance:32; byte_test:4,>,256,-33,relative,little; metadata:policy max-detect-ips drop; reference:bugtraq,75449; reference:cve,2015-1925; classtype:attempted-admin; sid:36463; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Novell eDirectory DHost verifypwd buffer overflow attempt"; flow:to_server,established; content:"/dhost/httpstk|3B|submit"; fast_pattern:only; http_uri; content:"verifypwd="; nocase; http_client_body; isdataat:250,relative; content:!"&"; within:250; metadata:service http; reference:bugtraq,37042; reference:cve,2009-4654; classtype:attempted-user; sid:36462; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Novell eDirectory DHost sadminpwd buffer overflow attempt"; flow:to_server,established; content:"/dhost/httpstk|3B|submit"; fast_pattern:only; http_uri; content:"sadminpwd="; nocase; http_client_body; isdataat:250,relative; content:!"&"; within:250; metadata:service http; reference:bugtraq,37042; reference:cve,2009-4654; classtype:attempted-user; sid:36461; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Oracle Java JMX server insecure configuration remote code execution attempt"; flow:to_server,established; flowbits:isset,file.jmx; content:"|50 AC ED|"; content:"type=MLet"; nocase; content:"getMBeansFromURL"; fast_pattern:only; content:"http|3A 2F 2F|"; nocase; metadata:policy max-detect-ips drop, service java_rmi; reference:cve,2015-2342; reference:url,7elements.co.uk/resources/blog/cve-2015-2342-remote-code-execution-within-vmware-vcenter; classtype:attempted-user; sid:36532; rev:2;)
# alert udp any any -> any 123 (msg:"SERVER-OTHER NTP crypto-NAK packet flood attempt"; flow:to_server,no_stream; dsize:52; content:"|21|"; depth:1; content:"|00 00 00 00|"; within:4; distance:47; detection_filter:track by_dst, count 10, seconds 1; metadata:policy max-detect-ips drop, service ntp; reference:cve,2015-7871; reference:cve,2016-1550; reference:url,attack.mitre.org/techniques/T1209; classtype:misc-activity; sid:36536; rev:5;)
# alert udp any any -> $HOME_NET 123 (msg:"SERVER-OTHER ntpd saveconfig directory traversal attempt"; flow:to_server; content:"|16 09|"; depth:2; content:"|00 00 00 00 00 00|"; within:6; distance:2; content:"[-]"; distance:0; metadata:service ntp; reference:cve,2015-7851; reference:url,attack.mitre.org/techniques/T1209; reference:url,talosintel.com/vulnerability-reports; classtype:attempted-admin; sid:36253; rev:4;)
# alert udp any any -> $HOME_NET 123 (msg:"SERVER-OTHER ntpd remote configuration denial of service attempt"; flow:to_server; content:"|16 08|"; depth:2; content:"keys"; fast_pattern:only; metadata:service ntp; reference:cve,2015-7850; reference:url,attack.mitre.org/techniques/T1209; reference:url,www.talosintel.com/vulnerability-reports; classtype:attempted-dos; sid:36252; rev:3;)
# alert udp any 123 -> any any (msg:"SERVER-OTHER ntpq atoascii memory corruption attempt"; flow:to_client; dsize:>500; content:"|16 A2|"; depth:2; content:"|01 F8|"; within:2; distance:8; metadata:service ntp; reference:cve,2015-7852; reference:url,attack.mitre.org/techniques/T1209; reference:url,www.talosintel.com/vulnerability-reports; classtype:attempted-user; sid:36251; rev:3;)
# alert udp any any -> $HOME_NET 123 (msg:"SERVER-OTHER ntpd keyfile buffer overflow attempt"; flow:to_server; content:"|16 08|"; depth:2; content:"MD5"; fast_pattern; isdataat:33,relative; content:!"|0D|"; within:33; content:!"|0A|"; within:33; metadata:service ntp; reference:cve,2015-7854; reference:url,attack.mitre.org/techniques/T1209; reference:url,www.talosintel.com/vulnerability-reports; classtype:attempted-admin; sid:36250; rev:3;)
# alert udp any any -> any 123 (msg:"SERVER-OTHER multiple vendors NTP daemon integer overflow attempt"; flow:to_server; content:"|80|"; depth:1; offset:1; content:"|00 00|"; depth:2; offset:4; pcre:"/^.\x80.[\x12\x16]\x00\x00/"; metadata:service ntp; reference:cve,2015-7848; reference:url,attack.mitre.org/techniques/T1209; reference:url,talosintel.com/vulnerability-reports/; classtype:attempted-dos; sid:35831; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt"; flow:to_client,established; content:"|16 03|"; depth:2; content:"|06 03 55 04 03 13|"; distance:0; byte_extract:1,0,string_length,relative; content:"<"; within:string_length; metadata:service ssl; classtype:attempted-user; sid:36548; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt"; flow:to_client,established; content:"|16 03|"; depth:2; content:"|06 03 55 04 03 0C|"; distance:0; byte_test:1,<,0x80,0,relative; byte_extract:1,0,string_length,relative; content:"<"; within:string_length; metadata:service ssl; classtype:attempted-user; sid:36547; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt"; flow:to_client,established; content:"|16 03|"; depth:2; content:"|06 03 55 04 03 0C 82|"; distance:0; byte_extract:1,1,string_length,relative; content:"<"; within:string_length; metadata:service ssl; classtype:attempted-user; sid:36546; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt"; flow:to_client,established; content:"|16 03|"; depth:2; content:"|06 03 55 04 03 0C 81|"; distance:0; byte_extract:1,0,string_length,relative; content:"<"; within:string_length; metadata:service ssl; classtype:attempted-user; sid:36545; rev:1;)
# alert udp any any -> $HOME_NET 123 (msg:"SERVER-OTHER NTP decodenetnum assertion failure denial of service attempt"; flow:to_server; content:"|0A|"; depth:1; offset:1; content:"laddr="; distance:10; isdataat:80,relative; content:!"|20|"; within:80; content:!"|2C|"; within:80; metadata:policy max-detect-ips drop, service ntp; reference:cve,2015-7855; reference:url,attack.mitre.org/techniques/T1209; reference:url,support.ntp.org/bin/view/Main/NtpBug2922; classtype:attempted-dos; sid:36633; rev:3;)
# alert udp any any -> $HOME_NET 123 (msg:"SERVER-OTHER NTP decodenetnum assertion failure denial of service attempt"; flow:to_server; content:"|0A|"; depth:1; offset:1; content:"addr."; distance:10; byte_extract:10,0,num,relative,string; content:"="; within:1; isdataat:80,relative; content:!"|20|"; within:80; content:!"|2C|"; within:80; metadata:policy max-detect-ips drop, service ntp; reference:cve,2015-7855; reference:url,attack.mitre.org/techniques/T1209; reference:url,support.ntp.org/bin/view/Main/NtpBug2922; classtype:attempted-dos; sid:36632; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8800 (msg:"SERVER-OTHER HP Intelligent Management Center img buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 04|"; depth:4; offset:24; byte_test:2,>,60,-6,relative; reference:bugtraq,47789; reference:cve,2011-1848; classtype:attempted-admin; sid:36803; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11460 (msg:"SERVER-OTHER IBM Tivoli Storage Manager FastBack Server buffer overflow attempt"; flow:to_server,established; content:"|00 00|"; depth:2; offset:18; byte_test:4,>,24999,20,relative,little; reference:bugtraq,75451; reference:cve,2015-1929; reference:url,ibm.com/support/docview.wss?uid=swg21959398; classtype:attempted-admin; sid:36823; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SERVER-OTHER MIT Kerberos 5 IAKERB outbound token detected"; flow:to_client,established; file_data; flowbits:isset,file.spnego; content:"|06 06 2B 06 01 05 02 05 A2|"; content:"|05 01|"; within:10; flowbits:set,file.iakerb; flowbits:noalert; metadata:service kerberos; reference:cve,2014-4344; reference:url,attack.mitre.org/techniques/T1097; classtype:protocol-command-decode; sid:36816; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER MIT Kerberos 5 SPNEGO incoming token detected"; flow:to_server,established; file_data; content:"|06 06 2B 06 01 05 05 02 A0|"; content:"|06 06 2B 06 01 05 02 05 A2|"; within:10; distance:11; content:"|06 06 2B 06 01 05 02 05 05 01|"; within:11; distance:11; flowbits:set,file.spnego; flowbits:noalert; metadata:service kerberos; reference:cve,2014-4344; reference:url,attack.mitre.org/techniques/T1097; classtype:protocol-command-decode; sid:36815; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt"; flow:to_server,established; flowbits:isset,file.iakerb; file_data; dsize:5; content:"|00 00 00 00|"; depth:4; offset:1; metadata:service kerberos; reference:cve,2014-4344; reference:url,attack.mitre.org/techniques/T1097; classtype:attempted-dos; sid:36814; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [1099,6099,7001,$HTTP_PORTS] (msg:"SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt"; flow:to_server,established; content:"|AC ED 00 05|"; content:"getRuntime"; distance:0; content:"java.lang.Class"; within:50; content:"invoke"; distance:90; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http, service java_rmi; reference:cve,2015-3253; reference:cve,2015-4852; reference:cve,2015-7450; reference:cve,2015-8103; reference:cve,2016-3510; reference:cve,2016-3642; reference:cve,2016-4385; reference:cve,2017-12149; reference:cve,2017-15708; reference:cve,2017-7504; reference:cve,2018-15381; reference:url,github.com/frohoff/ysoserial; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-cue; classtype:attempted-user; sid:36826; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Novell eDirectory dhost buffer overflow attempt"; flow:to_server,established; urilen:>90; content:"/dhost/modules?"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,36815; reference:cve,2009-4653; reference:url,tcc.hellcode.net/advisories/hellcode-adv004.txt; classtype:attempted-admin; sid:36912; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"SERVER-OTHER Redis SSH authorized keys file overwrite attempt"; flow:to_server,established; content:"config"; nocase; content:"set"; distance:0; nocase; content:"dbfilename"; distance:0; nocase; content:"authorized_keys"; fast_pattern:only; reference:url,antirez.com/news/96; classtype:misc-activity; sid:37017; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [22,23] (msg:"SERVER-OTHER Juniper ScreenOS unauthorized backdoor access attempt"; flow:to_server,established; content:"<<< %s(un=|27|%s|27|) = %u"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssh, service telnet; reference:cve,2015-7755; reference:url,kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&cat=SIRT_1&actp=LIST; classtype:attempted-admin; sid:37146; rev:4;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER OpenSSL invalid RSASSA-PSS certificate denial of service attempt"; flow:to_client,established; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|06 09 2A 86 48 86 F7 0D 01 01 08|"; content:!"|30|"; within:1; metadata:service ssl; reference:cve,2015-3194; reference:url,openssl.org/news/secadv/20151203.txt; classtype:attempted-dos; sid:37155; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL invalid RSASSA-PSS certificate denial of service attempt"; flow:to_server,established; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|06 09 2A 86 48 86 F7 0D 01 01 08|"; content:!"|30|"; within:1; metadata:service ssl; reference:cve,2015-3194; reference:url,openssl.org/news/secadv/20151203.txt; classtype:attempted-dos; sid:37154; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SERVER-OTHER Seagate GoFlex Satellite hidden credentials authentication attempt"; flow:to_server,established; content:"xoFaeS"; content:"etagknil"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service telnet; reference:bugtraq,76547; reference:cve,2015-2874; classtype:attempted-admin; sid:37147; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SERVER-OTHER Trend Micro local node.js http command execution attempt"; flow:to_server,established; file_data; content:":49155/api/"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:37292; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SERVER-OTHER Trend Micro local node.js http command execution attempt"; flow:to_server,established; file_data; content:"49155"; content:"/api/"; within:300; content:"url="; within:50; metadata:service smtp; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:37291; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SERVER-OTHER Trend Micro local node.js http command execution attempt"; flow:to_server,established; file_data; content:"/api/showSB"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:37290; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SERVER-OTHER Trend Micro local node.js http command execution attempt"; flow:to_server,established; file_data; content:"/api/openUrlInDefaultBrowser"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:37289; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Trend Micro local node.js http command execution attempt"; flow:to_client,established; file_data; content:"49155"; content:"/api/"; within:300; content:"url="; within:50; metadata:service ftp-data, service http, service imap, service pop3; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:37288; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Trend Micro local node.js http command execution attempt"; flow:to_client,established; file_data; content:"/api/openUrlInDefaultBrowser"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:37287; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Trend Micro local node.js http command execution attempt"; flow:to_client,established; file_data; content:":49155/api/"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:37286; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Trend Micro local node.js http command execution attempt"; flow:to_client,established; file_data; content:"/api/showSB"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:37285; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Easy Chat server authentication request username parameter overflow attempt"; flow:to_server,established; content:"/chat.ghp"; fast_pattern:only; http_uri; content:"username"; isdataat:216,relative; content:!"&"; within:216; metadata:service http; reference:cve,2004-2466; classtype:misc-attack; sid:37404; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Easy Chat server authentication request password parameter overflow attempt"; flow:to_server,established; content:"/chat.ghp"; fast_pattern:only; http_uri; content:"password"; isdataat:216,relative; content:!"&"; within:216; metadata:service http; reference:url,www.securitytracker.com/alerts/2009/Mar/1021785.html; classtype:misc-attack; sid:37403; rev:1;)
alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"SERVER-OTHER OpenSSH insecure roaming key exchange attempt"; flow:to_client,established; content:"resume@appgate.com"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssh; reference:cve,2016-0777; reference:cve,2016-0778; reference:url,www.openssh.com/txt/release-7.1p2; classtype:attempted-user; sid:37371; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,8200] (msg:"SERVER-OTHER Multiple Vendors SOAP large array information disclosure attempt"; flow:to_server,established; file_data; content:"<principal xsi:type=|22|xsd:double|22|>10000</principal>"; fast_pattern:only; metadata:service http; reference:bugtraq,9877; reference:cve,2004-1815; classtype:attempted-recon; sid:37368; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Java Library SpringFramework unauthorized serialized object attempt"; flow:to_server,established; content:"|AC ED 00 05|"; content:"springframework"; nocase; content:"getRuntime"; distance:0; nocase; content:"exec"; within:250; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,49536; reference:cve,2011-2894; classtype:attempted-user; sid:37363; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6660 (msg:"SERVER-OTHER BigAnt server USV command buffer overflow attempt"; flow:to_server,established; content:"USV"; nocase; isdataat:218,relative; content:!"|0A 0A|"; within:218; reference:bugtraq,37520; classtype:misc-attack; sid:37446; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER IBM WebSphere InvokerTransformer serialized Java object remote code execution attempt"; flow:to_server,established; file_data; content:"xmlns:"; content:"|22|urn:AdminService|22|"; within:100; content:"javax.management.ObjectName"; distance:0; base64_decode:bytes 1600, offset 0, relative; base64_data; content:"|AC ED 00 05|"; within:10; content:"InvokerTransformer"; distance:0; content:"getRuntime"; distance:0; content:"exec"; within:250; metadata:policy max-detect-ips drop, service http; reference:bugtraq,77653; reference:cve,2015-7450; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21970575; classtype:attempted-user; sid:37527; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER NTP arbitrary pidfile and driftfile overwrite attempt"; flow:to_server; content:"pidfile"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ntp; reference:bugtraq,77278; reference:cve,2015-7703; reference:url,attack.mitre.org/techniques/T1209; reference:url,support.ntp.org/bin/view/Main/NtpBug2902; classtype:policy-violation; sid:37526; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER NTP arbitrary pidfile and driftfile overwrite attempt"; flow:to_server; content:"driftfile"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ntp; reference:bugtraq,77278; reference:cve,2015-7703; reference:url,attack.mitre.org/techniques/T1209; reference:url,support.ntp.org/bin/view/Main/NtpBug2902; classtype:policy-violation; sid:37525; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 61616 (msg:"SERVER-OTHER Apache ActiveMQ shutdown command denial of service attempt"; flow:to_server,established; content:"|08|shutdown"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,76272; reference:cve,2014-3576; classtype:denial-of-service; sid:37503; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 13701 (msg:"SERVER-OTHER Veritas NetBackup Volume Manager connection attempt"; flow:to_server,established; byte_test:1,>,3,14,dec,string; byte_test:1,<,11,14,dec,string; flowbits:set,veritas.vmd.connect; flowbits:noalert; classtype:protocol-command-decode; sid:37546; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 57772 (msg:"SERVER-OTHER InterSystems Cache UtilConfigHome.csp buffer overflow attempt"; flow:to_server,established; content:"UtilConfigHome.csp="; isdataat:708,relative; content:!"|20|"; within:708; metadata:service http; reference:bugtraq,37177; classtype:misc-attack; sid:37619; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER Cisco ASA IKEv2 invalid fragment length heap buffer overflow attempt"; flow:to_server; content:"|84 20|"; depth:2; offset:16; byte_test:2,<,8,12,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-1287; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike; classtype:attempted-admin; sid:36903; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER Cisco ASA IKEv1 invalid fragment length heap buffer overflow attempt"; flow:to_server; content:"|84 10|"; depth:2; offset:16; byte_test:2,<,8,12,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-1287; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike; classtype:attempted-admin; sid:37674; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3104 (msg:"SERVER-OTHER CA message queuing server buffer overflow attempt"; flow:to_server,established; isdataat:14; content:"AA|30 31 30 00 30 31 30 00 30 31|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,25051; reference:cve,2007-0060; reference:url,supportconnectw.ca.com/public/dto_transport/infodocs/camsgguevul-secnot.asp; classtype:attempted-admin; sid:37725; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 62514 (msg:"SERVER-OTHER SafeNEt SoftRemote IKE service buffer overflow attempt"; flow:to_server; dsize:>150; content:"|00 00 00 01 33 00 00 00 81 C4 54 F2 FF FF|"; fast_pattern:only; reference:cve,2009-1943; classtype:attempted-user; sid:37861; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Pidgin MSN MSNP2P message integer overflow attempt"; flow:to_client,established; content:"|0D 0A 0D 0A 00 00 00 00 E4 AB 46 10 FF FF FF FF 00 00 00 00 B6 04 00 00 00 00 00 00 04 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,29956; reference:cve,2008-2927; reference:url,pidgin.im/news/security/?id=25; classtype:attempted-user; sid:37960; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Joomla com_maqmahelpdesk task parameter local file inclusion attempt"; flow:to_server,established; content:"option=com_maqmahelpdesk"; fast_pattern:only; http_uri; pcre:"/task=[^\x26]*\.\./Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:23182; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8090,2700:2709,27000:27009] (msg:"SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt"; flow:to_server,established; file_data; content:"|2F|"; depth:1; content:"|01 0A|"; within:2; distance:5; isdataat:17,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2015-8277; reference:url,www.securifera.com/advisories/cve-2015-8277/; classtype:attempted-admin; sid:38247; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8090,2700:2709,27000:27009] (msg:"SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt"; flow:to_server,established; file_data; content:"|2F|"; depth:1; content:"|01 07|"; within:2; distance:5; isdataat:17,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2015-8277; reference:url,www.securifera.com/advisories/cve-2015-8277/; classtype:attempted-admin; sid:38246; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"SERVER-OTHER CUPS Filters command injection attempt"; flow:to_server; content:"ipp://"; depth:6; offset:7; pcre:"/ipp:\/\/.+?([\x60\x3b\x7c\x26]|\x24\x28)/smi"; reference:bugtraq,66624; reference:cve,2014-2707; classtype:attempted-user; sid:38263; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11460 (msg:"SERVER-OTHER IBM Tivoli Storage Manager FastBack Server opcode 1329 buffer overflow attempt"; flow:to_server,established; content:"|31 05 00 00|"; depth:4; offset:16; content:"File|3A|"; within:5; distance:32; byte_test:4,>,256,-33,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,75447; reference:cve,2015-1924; classtype:attempted-admin; sid:38248; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4420 (msg:"SERVER-OTHER Wavelink Emulation License Server malicious URI code execution attempt"; flow:to_server,established; content:"GET|20 0A 20|HTTP/1.0"; depth:14; metadata:service http; reference:cve,2015-4059; classtype:attempted-user; sid:38271; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4420 (msg:"SERVER-OTHER Wavelink Emulation License Server HTTP header overflow attempt"; flow:to_server,established; content:"GET /"; depth:5; isdataat:1000,relative; content:!"|0D 0A 0D 0A|"; within:1000; metadata:service http; reference:cve,2015-4059; classtype:attempted-user; sid:38270; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"SERVER-OTHER Redis lua script integer overflow attempt"; flow:to_server,established; content:"struct.pack("; fast_pattern; nocase; content:">i"; within:5; nocase; byte_test:10,>,2147483647,0,relative,string,dec; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2015-8080; classtype:attempted-user; sid:38313; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"SERVER-OTHER Redis lua script integer overflow attempt"; flow:to_server,established; content:"struct.pack("; fast_pattern; nocase; content:"<i"; within:5; nocase; byte_test:10,>,2147483647,0,relative,string,dec; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2015-8080; classtype:attempted-user; sid:38312; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13701 (msg:"SERVER-OTHER Veritas NetBackup Volume Manager overflow attempt"; flow:to_server,established; content:"12 A A 1 A|09|AAAAA"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,17264; reference:cve,2006-0989; classtype:attempted-admin; sid:38350; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8081 (msg:"SERVER-OTHER McAfee ePolicy Orchestrator Framework Services buffer overflow attempt"; flow:to_server,established; content:"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB HTTP/1.1"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28573; reference:cve,2008-1855; classtype:attempted-admin; sid:38349; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8081 (msg:"SERVER-OTHER McAfee ePolicy Orchestrator Framework Services buffer overflow attempt"; flow:to_server,established; content:"AAAAAAAAAAAAAAAAA|0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,28573; reference:cve,2008-1855; classtype:attempted-admin; sid:38348; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER TCPDUMP ISAKMP payload handling denial of service attempt"; flow:to_server; content:"|0C 10 02 00 0A 0B 0C 0D 00 00 00 48 00 00 00 2C 00 00 00 00 00 10 AF C8 41 42 43 44 45 46 47 48|"; fast_pattern:only; reference:cve,2004-0183; classtype:attempted-dos; sid:38365; rev:1;)
# alert tcp any any -> $HOME_NET 9100 (msg:"SERVER-OTHER HP JetDirect PJL path traversal attempt"; flow:to_server,established; content:"@PJL FS"; fast_pattern:only; content:"../"; metadata:policy security-ips drop, service printer; reference:bugtraq,44882; reference:cve,2010-4107; classtype:attempted-recon; sid:38391; rev:2;)
# alert tcp any any -> $HOME_NET 9100 (msg:"SERVER-OTHER HP JetDirect PJL path traversal attempt"; flow:to_server,established; content:"@PJL FS"; fast_pattern:only; content:"..|5C|"; metadata:policy security-ips drop, service printer; reference:bugtraq,44882; reference:cve,2010-4107; classtype:attempted-recon; sid:38390; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt"; flow:to_server,established; ssl_state:!client_hello,!server_hello,!client_keyx,!server_keyx,unknown; content:"|16 03|"; byte_extract:1,0,tls_version,relative; content:"|14 03|"; within:250; byte_test:1,!=,tls_version,0,relative; metadata:service ssl; reference:bugtraq,64530; reference:cve,2013-6449; reference:url,www.openssl.org/news/vulnerabilities.html#2013-6449; classtype:attempted-dos; sid:38575; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1211 (msg:"SERVER-OTHER Smart Software Solutions Codesys Gateway Server projectName heap buffer overflow attempt"; flow:to_server,established; content:"|DD DD|"; depth:2; content:"|EF 03 00 00 00 00 00 00|"; within:8; distance:16; isdataat:250,relative; content:!"|00|"; within:250; metadata:policy max-detect-ips drop; reference:bugtraq,76754; reference:cve,2015-6460; classtype:attempted-admin; sid:38568; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 953 (msg:"SERVER-OTHER ISC BIND malformed control channel authentication message denial of service attempt"; flow:to_server,established; content:"|00 00 00 01|"; depth:4; offset:4; content:"|05|_auth"; fast_pattern; byte_test:1,!=,2,0,relative; metadata:policy max-detect-ips drop; reference:cve,2016-1285; reference:url,kb.isc.org/article/AA-01363/81/BIND-9.10.3-P4-Release-Notes.html; classtype:attempted-dos; sid:38622; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER Trend Micro remote debugging URL handling remote code execution attempt"; flow:to_server,established; file_data; content:"/json/new/?"; fast_pattern; nocase; content:"spawnSync"; within:100; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=773; classtype:attempted-user; sid:38649; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Trend Micro remote debugging URL handling remote code execution attempt"; flow:to_client,established; file_data; content:"/json/new/?"; fast_pattern; nocase; content:"spawnSync"; within:100; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=773; classtype:attempted-user; sid:38648; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Squid Proxy range header denial of service attempt"; flow:established,to_server; content:"range"; nocase; http_header; content:"bytes="; within:20; http_header; content:"-"; within:5; http_header; pcre:"/bytes=\s*?-\s*?-/iH"; metadata:service http; reference:cve,2014-3609; classtype:denial-of-service; sid:38731; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Mediabridge Medialink MWN-WAPR300N and Tenda N3 Wireless N150 inbound admin attempt"; flow:to_server,established; content:"language-en|3B| admin|3A|language-en"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-5995; classtype:attempted-admin; sid:38729; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3250 (msg:"SERVER-OTHER Adroit denial of service attempt"; flow:to_server,established; content:"|FF FF FD E1 5C FF FF FD E1 5C FF FF FD E1 5C|"; fast_pattern:only; isdataat:15000; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-dos; sid:38796; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Magento unauthenticated arbitrary file write attempt"; flow:to_server,established; content:"/rest/default/V1/guest-carts/"; http_uri; content:"shipping-information"; distance:0; http_uri; content:"new Credis_Client"; http_client_body; content:"serialize"; http_client_body; content:"new Magento_Framework_DB_Transaction"; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-4010; reference:url,netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-execution/; classtype:attempted-admin; sid:39066; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 8211 (msg:"SERVER-OTHER Aruba Networks IAP PAPI authentication bypass attempt"; flow:to_server; content:"|87 93 93 93 93 93 93 93 93 93 93 93 93 93 93 93 93 93 93 93 93|"; depth:21; offset:102; reference:cve,2016-2031; reference:url,www.arubanetworks.com/assets/alert/ARUBA-PSA-2016-004.txt; classtype:attempted-admin; sid:39071; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 2003 (msg:"SERVER-OTHER D-LINK DAP-1160 unauthenticated remote configuration attempt"; flow:to_server; content:"|03 00 00 00 00 00 00 00 23 27 00 00 24 27 00|"; fast_pattern:only; reference:bugtraq,41187; reference:url,icysilence.org/?p=413; classtype:attempted-admin; sid:39408; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 2003 (msg:"SERVER-OTHER D-LINK DAP-1160 unauthenticated remote configuration attempt"; flow:to_server; content:"|03 00 00 00 00 00 00 00 21 27 00|"; fast_pattern:only; reference:bugtraq,41187; reference:url,icysilence.org/?p=413; classtype:attempted-admin; sid:39407; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 2003 (msg:"SERVER-OTHER D-LINK DAP-1160 unauthenticated remote configuration attempt"; flow:to_server; content:"|05 00 00 00 00 00 00 00|"; fast_pattern:only; reference:bugtraq,41187; reference:url,icysilence.org/?p=413; classtype:attempted-admin; sid:39406; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER Symantec Endpoint Protection Manager cross site request forgery attempt"; flow:to_server,established; file_data; content:"<form"; nocase; content:"/Reporting/Reports/sr-save.php"; within:100; nocase; content:".submit"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3653; reference:url,hyp3rlinx.altervista.org/advisories/SYMANTEC-SEPM-MULTIPLE-VULNS.txt; classtype:attempted-user; sid:39405; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Symantec Endpoint Protection Manager cross site request forgery attempt"; flow:to_client,established; file_data; content:"<form"; nocase; content:"/Reporting/Reports/sr-save.php"; within:100; nocase; content:".submit"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3653; reference:url,hyp3rlinx.altervista.org/advisories/SYMANTEC-SEPM-MULTIPLE-VULNS.txt; classtype:attempted-user; sid:39404; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 263 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"263|00|"; depth:4; offset:4; content:"|00|"; distance:0; isdataat:1300,relative; content:!"|00|"; within:1300; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,60303; reference:bugtraq,64647; reference:cve,2013-2328; reference:cve,2013-6195; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03781657; classtype:attempted-admin; sid:39397; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 257 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"257|00|"; depth:4; offset:4; content:"|00|"; distance:0; isdataat:1300,relative; content:!"|00|"; within:1300; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,64647; reference:cve,2013-6195; reference:url,h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03822422; classtype:attempted-admin; sid:39396; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 219 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"219|00|"; depth:4; offset:4; content:"|00|"; distance:0; isdataat:1300,relative; content:!"|00|"; within:1300; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,64647; reference:cve,2013-6195; reference:url,h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03822422; classtype:attempted-admin; sid:39395; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 216 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"216|00|"; depth:4; offset:4; content:"|00|"; distance:0; isdataat:1300,relative; content:!"|00|"; within:1300; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,64647; reference:cve,2013-6195; reference:url,h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03822422; classtype:attempted-admin; sid:39394; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 215 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"215|00|"; depth:4; offset:4; content:"|00|"; distance:0; isdataat:1300,relative; content:!"|00|"; within:1300; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,60303; reference:bugtraq,64647; reference:cve,2013-2328; reference:cve,2013-6195; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03781657; classtype:attempted-admin; sid:39393; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 214 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"214|00|"; depth:4; offset:4; content:"|00|"; distance:0; isdataat:1300,relative; content:!"|00|"; within:1300; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,64647; reference:cve,2013-6195; reference:url,h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03822422; classtype:attempted-admin; sid:39392; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER Symantec MIME parser updateheader heap buffer overflow attempt"; flow:to_server,established; content:"Content-Disposition"; nocase; content:"attachment"; within:20; nocase; content:"filename"; within:120; nocase; isdataat:83,relative; content:!"|0A|"; within:83; nocase; pcre:"/Content-Disposition\s*:\s*attachment.{0,120}filename\s*=\s*[\x22\x27]?[^\x22\x27\n]{83}/smi"; metadata:policy max-detect-ips drop, policy security-ips alert, service smtp; reference:cve,2016-3644; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=818; classtype:attempted-user; sid:39380; rev:6;)
# alert udp any any -> 255.255.255.255 33848 (msg:"SERVER-OTHER Jenkins server auto-discovery attempt"; flow:to_server; content:"|5C|n"; depth:2; dsize:2; reference:url,wiki.jenkins-ci.org/display/JENKINS/Auto-discovering+Jenkins+on+the+network; classtype:policy-violation; sid:39472; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 831 (msg:"SERVER-OTHER EasyCafe Server remote file access attempt"; flow:to_server,established; dsize:261; content:"|43|"; depth:1; fast_pattern; content:"|01 00 00 00 01|"; within:5; distance:255; reference:url,exploit-db.com/exploits/39102/; classtype:attempted-user; sid:39584; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8090,2700:2709,27000:27009] (msg:"SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt"; flow:to_server,established; file_data; content:"|2F|"; depth:1; content:"|01 30|"; within:2; distance:5; isdataat:17,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2015-8277; reference:url,www.securifera.com/advisories/cve-2015-8277/; classtype:attempted-admin; sid:39910; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 11460 (msg:"SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt"; flow:to_server,established; content:"|32 05 00 00|"; depth:4; offset:16; content:"SourceFile|3A 20|"; distance:0; content:"|22|"; distance:0; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2015-1949; reference:url,ibm.com/support/docview.wss?uid=swg21959398; classtype:attempted-admin; sid:39924; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:0; dce_stub_data; content:"|71 3C 01 00|"; depth:4; offset:4; byte_test:4,>,32,0,relative,dce; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:bugtraq,80745; reference:cve,2016-0856; reference:url,ics-cert.us-cert.gov/advisories/ICSA-16-014-01; classtype:attempted-admin; sid:40008; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53413 (msg:"SERVER-OTHER Netcore router backdoor access attempt"; content:"AA|00 00|AAAA"; fast_pattern:only; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/; classtype:attempted-admin; sid:39993; rev:1;)
# alert tcp any any <> any 179 (msg:"SERVER-OTHER BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,>,4096,0,relative; reference:bugtraq,6213; reference:cve,2002-1350; reference:nessus,14011; reference:nessus,15043; classtype:bad-unknown; sid:39977; rev:1;)
# alert tcp any any <> any 179 (msg:"SERVER-OTHER BGP bad marker strings"; flow:stateless; content:!"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; content:"|01 04|"; depth:2; offset:18; classtype:bad-unknown; sid:39976; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER PHP locale_accept_from_http out of bounds read attempt"; flow:to_server,established; content:"Accept-Language"; http_header; content:"Accept-Language:"; isdataat:158,relative; content:!"|0A|"; within:158; metadata:service http; reference:cve,2016-6294; reference:url,bugs.php.net/bug.php?id=72533; classtype:web-application-attack; sid:40046; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET [500,848,4500,4848] (msg:"SERVER-OTHER Cisco IOS Group-Prime SHA memory disclosure attempt"; flow:to_server; dsize:>2000; content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:8; content:"|00 00 00 01 00 00 00 01|"; depth:8; offset:32; content:"|01 01 04 01|"; within:4; distance:4; content:"|80 02 00 02 80 04 00 01 00 06|"; distance:0; fast_pattern; byte_test:2,>,2000,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2016-6415; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1; classtype:attempted-recon; sid:40222; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET [500,848,4500,4848] (msg:"SERVER-OTHER Cisco IOS Group-Prime MD5 memory disclosure attempt"; flow:to_server; dsize:>2000; content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:8; content:"|00 00 00 01 00 00 00 01|"; depth:8; offset:32; content:"|01 01 04 01|"; within:4; distance:4; content:"|80 02 00 01 80 04 00 01 00 06|"; distance:0; fast_pattern; byte_test:2,>,2000,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2016-6415; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1; classtype:attempted-recon; sid:40221; rev:5;)
alert udp $HOME_NET [500,848,4500,4848] -> $EXTERNAL_NET any (msg:"SERVER-OTHER Cisco IOS Group-Prime memory disclosure exfiltration attempt"; flow:to_client; dsize:>2000; content:"|0B 10 05 00|"; depth:8; offset:16; byte_test:4,>,2000,4,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2016-6415; reference:url,attack.mitre.org/techniques/T1020; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1; classtype:attempted-recon; sid:40220; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Fortigate Firewall HTTP cookie buffer overflow"; flow:to_server,established; content:"APSCOOKIE"; fast_pattern:only; content:"APSCOOKIE"; http_cookie; content:"Cookie|3A|"; nocase; http_raw_header; content:!"|0A|"; within:200; http_raw_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6909; reference:url,fortiguard.com/advisory/FG-IR-16-023; classtype:attempted-admin; sid:40241; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Redis CONFIG SET array index out of bounds attempt"; flow:to_server,established; content:"*4|0D 0A|$6|0D 0A|CONFIG|0D 0A|$3|0D 0A|SET|0D 0A|$26|0D 0A|client-output-buffer-limit|0D 0A|"; depth:58; nocase; content:"master"; within:20; nocase; metadata:service http; reference:cve,2016-8339; reference:url,talosintelligence.com/reports/TALOS-2016-0206/; classtype:attempted-admin; sid:40301; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER JBoss directory traversal attempt"; flow:to_server,established; content:"/jmx-console-users.properties"; fast_pattern:only; http_uri; metadata:service http; classtype:attempted-recon; sid:40330; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Axis2 directory traversal attempt"; flow:to_server,established; content:"/axis2/services/Version"; http_uri; content:"/conf/axis2.xml"; fast_pattern:only; http_uri; content:".."; http_raw_uri; metadata:service http; classtype:attempted-recon; sid:40329; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Railo directory traversal attempt"; flow:to_server,established; content:"/railo-web.xml"; fast_pattern:only; http_uri; content:".."; http_raw_uri; metadata:service http; classtype:attempted-recon; sid:40328; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Adobe ColdFusion fckeditor arbitrary file upload"; flow:to_server,established; content:"/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm"; fast_pattern:only; http_uri; content:"Command=FileUploads&Type=File&CurrentFolder=/"; http_client_body; metadata:service http; classtype:attempted-admin; sid:40327; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER JBoss directory traversal attempt"; flow:to_server,established; content:"/client/auth.conf"; fast_pattern:only; http_uri; content:".."; http_raw_uri; metadata:service http; classtype:attempted-recon; sid:40326; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Adobe ColdFusion default credential login attempt"; flow:to_server,established; content:"/CFIDE/administrator/"; http_uri; content:"cfadminPassword=admin&requestedURL=/CFIDE/administrator/index.cfm?&submit=Login"; fast_pattern:only; http_client_body; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:40325; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Adobe ColdFusion default credential login attempt"; flow:to_server,established; content:"/CFIDE/administrator/"; http_uri; content:"cfadminPassword=4015bc9ee91e437d90df83fb64fbbe312d9c9f05&requestedURL=/CFIDE/administrator/"; fast_pattern:only; http_client_body; content:"&submit=Login"; http_client_body; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:40324; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Adobe ColdFusion RDS admin bypass attempt"; flow:to_server,established; content:"/CFIDE/adminapi"; http_uri; content:"adminpassword=&rdsPasswordAllowed=1&method=login"; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,57330; reference:cve,2013-0632; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:attempted-admin; sid:40323; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER CA weblogic default credential login attempt"; flow:to_server,established; content:"j_username=weblogic&j_password=weblogic"; fast_pattern:only; http_client_body; content:"/console/j_security_check"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:40322; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 11460 (msg:"SERVER-OTHER IBM Tivoli Storage Manager FastBack opcode 4115 remote code execution attempt"; flow:to_server,established; content:"|13 10 00 00|"; depth:4; offset:16; isdataat:182,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2015-4931; reference:url,ibm.com/support/docview.wss?uid=swg21961928; classtype:attempted-admin; sid:40422; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Easy File Sharing Server remote code execution attempt"; flow:to_server,established; isdataat:4400; content:"E"; depth:1; offset:1; nocase; content:"|EB|"; depth:6; offset:4064; fast_pattern; content:"HTTP"; distance:400; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/easyfilesharing_seh.rb; classtype:attempted-user; sid:40382; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER OpenSSL OCSP Status Request Extension denial of service attempt"; flow:to_server,established,no_stream; content:"Content-Type: application/ocsp-request"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6304; reference:url,www.openssl.org/news/secadv/20160922.txt; classtype:attempted-dos; sid:40360; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 11460 (msg:"SERVER-OTHER IBM Tivoli Storage Manager FastBack opcode 1301 remote code execution attempt"; flow:to_server,established; content:"|15 05 00 00|"; depth:4; offset:16; content:"%"; distance:32; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2015-1986; reference:url,ibm.com/support/docview.wss?uid=swg21959398; classtype:attempted-admin; sid:40358; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Linknat Vos Manager potential directory traversal attempt"; flow:to_server,established; content:"%c0%ae%c0%ae"; fast_pattern:only; content:"%c0%ae%c0%ae"; http_raw_uri; metadata:service http; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/linknat_vos_traversal.rb; classtype:suspicious-filename-detect; sid:40353; rev:1;)
alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"SERVER-OTHER ISC BIND 9 DNS query overly long name denial of service attempt"; flow:to_server; content:"|00 01 00 01 00|"; content:"|00 00 80 00 00 00 00 00 F9 00 FF|"; within:11; distance:4; fast_pattern; content:"|01 00|"; depth:2; offset:2; pcre:"/^.{2}\x01\x00.{8}[^\x00]{230}/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2016-2848; classtype:attempted-dos; sid:40579; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 11460 (msg:"SERVER-OTHER IBM Tivoli Storage Manager FastBack directory traversal attempt"; flow:to_server,established; content:"|31 05 00 00|"; depth:4; offset:16; content:"File|3A|"; distance:0; nocase; content:"..|5C|"; distance:0; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2015-1941; reference:url,ibm.com/support/docview.wss?uid=swg21959398; classtype:attempted-admin; sid:40766; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-OTHER OpenLDAP deref control denial of service attempt"; flow:to_server,established; content:"|04 19 31 2E 33 2E 36 2E 31 2E 34 2E 31 2E 34 32 30 33 2E 36 36 36 2E 35 2E 31 36|"; content:"|04|"; within:1; distance:6; byte_jump:1,0,relative; content:"|30 00|"; within:2; metadata:service ldap; reference:cve,2015-1545; reference:url,openldap.org/its/?findid=8027; classtype:attempted-dos; sid:40760; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER NTP origin timestamp denial of service attempt"; flow:to_server; content:"|00|"; depth:1; offset:1; byte_test:1,>,17,0,relative; content:"RATE|00 00 00 00|"; within:8; distance:10; metadata:service ntp; reference:cve,2015-7704; reference:url,attack.mitre.org/techniques/T1209; reference:url,support.ntp.org/bin/view/Main/NtpBug2952; classtype:attempted-dos; sid:40811; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt"; flow:to_server; content:"|16 0A|"; depth:2; content:"resany|2C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ntp; reference:bugtraq,94448; reference:cve,2016-7434; reference:url,attack.mitre.org/techniques/T1209; reference:url,support.ntp.org/bin/view/Main/NtpBug3082; classtype:attempted-dos; sid:40864; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt"; flow:to_server; content:"|16 0A|"; depth:2; content:"resall|2C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ntp; reference:bugtraq,94448; reference:cve,2016-7434; reference:url,attack.mitre.org/techniques/T1209; reference:url,support.ntp.org/bin/view/Main/NtpBug3082; classtype:attempted-dos; sid:40863; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt"; flow:to_server; content:"|16 0A|"; depth:2; content:"nonce|2C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ntp; reference:bugtraq,94448; reference:cve,2016-7434; reference:url,attack.mitre.org/techniques/T1209; reference:url,support.ntp.org/bin/view/Main/NtpBug3082; classtype:attempted-dos; sid:40862; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt"; flow:to_server; content:"|16 0A|"; depth:2; content:"mincount|2C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ntp; reference:bugtraq,94448; reference:cve,2016-7434; reference:url,attack.mitre.org/techniques/T1209; reference:url,support.ntp.org/bin/view/Main/NtpBug3082; classtype:attempted-dos; sid:40861; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt"; flow:to_server; content:"|16 0A|"; depth:2; content:"maxlstint|2C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ntp; reference:bugtraq,94448; reference:cve,2016-7434; reference:url,attack.mitre.org/techniques/T1209; reference:url,support.ntp.org/bin/view/Main/NtpBug3082; classtype:attempted-dos; sid:40860; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt"; flow:to_server; content:"|16 0A|"; depth:2; content:"limit|2C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ntp; reference:bugtraq,94448; reference:cve,2016-7434; reference:url,attack.mitre.org/techniques/T1209; reference:url,support.ntp.org/bin/view/Main/NtpBug3082; classtype:attempted-dos; sid:40859; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt"; flow:to_server; content:"|16 0A|"; depth:2; content:"last."; fast_pattern:only; pcre:"/last\x2e\d+\x2c/"; metadata:policy max-detect-ips drop, policy security-ips drop, service ntp; reference:bugtraq,94448; reference:cve,2016-7434; reference:url,attack.mitre.org/techniques/T1209; reference:url,support.ntp.org/bin/view/Main/NtpBug3082; classtype:attempted-dos; sid:40858; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt"; flow:to_server; content:"|16 0A|"; depth:2; content:"laddr|2C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ntp; reference:bugtraq,94448; reference:cve,2016-7434; reference:url,attack.mitre.org/techniques/T1209; reference:url,support.ntp.org/bin/view/Main/NtpBug3082; classtype:attempted-dos; sid:40857; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt"; flow:to_server; content:"|16 0A|"; depth:2; content:"frags|2C|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ntp; reference:bugtraq,94448; reference:cve,2016-7434; reference:url,attack.mitre.org/techniques/T1209; reference:url,support.ntp.org/bin/view/Main/NtpBug3082; classtype:attempted-dos; sid:40856; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt"; flow:to_server; content:"|16 0A|"; depth:2; content:"addr."; fast_pattern:only; pcre:"/addr\x2e\d+\x2c/"; metadata:policy max-detect-ips drop, policy security-ips drop, service ntp; reference:bugtraq,94448; reference:cve,2016-7434; reference:url,attack.mitre.org/techniques/T1209; reference:url,support.ntp.org/bin/view/Main/NtpBug3082; classtype:attempted-dos; sid:40855; rev:3;)
# alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"SERVER-OTHER OpenSSL Invalid CMS structure null pointer dereference attempt"; flow:to_client,established; file_data; content:"application/"; content:"pkcs7"; within:8; content:"|0D 0A|MBYGCSqGSIb3DQEHA6AJMAcCAQMxAjAB"; distance:0; metadata:service imap, service pop3; reference:cve,2016-7053; reference:url,www.openssl.org/news/secadv/20161110.txt; classtype:attempted-dos; sid:40845; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER OpenSSL Invalid CMS structure null pointer dereference attempt"; flow:to_server,established; file_data; content:"application/"; content:"pkcs7"; within:8; content:"|0D 0A|MBYGCSqGSIb3DQEHA6AJMAcCAQMxAjAB"; distance:0; metadata:service smtp; reference:cve,2016-7053; reference:url,www.openssl.org/news/secadv/20161110.txt; classtype:attempted-dos; sid:40844; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL SSLv3 warning denial of service attempt"; flow:to_server,established,only_stream; ssl_version:sslv3; content:"|15|"; depth:1; content:"|01|"; within:1; distance:4; detection_filter:track by_src, count 10, seconds 1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssl; reference:cve,2016-8610; classtype:attempted-dos; sid:40843; rev:3;)
# alert tcp $EXTERNAL_NET 9119 -> $HOME_NET any (msg:"SERVER-OTHER Pidgin MXIT file transfer length memory disclosure attempt"; flow:to_client,established; content:"ln="; depth:3; content:"|00|27|00|0|00 08|"; within:12; byte_test:4,>,200,16,relative,big; isdataat:!221,relative; reference:cve,2016-2372; reference:url,www.talosintelligence.com/reports/TALOS-2016-0140/; classtype:attempted-user; sid:40876; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt"; flow:to_server; content:"|16 0A|"; depth:2; byte_jump:2,8,relative,post_offset -9; pcre:"/^(maxlstint|.mincount|...?(last|addr)\.\d\d?|...resa(ll|ny)|.{4}(nonce|frags|limit|laddr))/Rs"; metadata:policy max-detect-ips drop, policy security-ips drop, service ntp; reference:bugtraq,94448; reference:cve,2016-7434; reference:url,attack.mitre.org/techniques/T1209; reference:url,support.ntp.org/bin/view/Main/NtpBug3082; classtype:attempted-dos; sid:40897; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 30024 (msg:"SERVER-OTHER Alcatel Lucent OmniVista arbitrary command execution attempt"; flow:to_server,established; content:"GIOP"; depth:4; content:"|00|"; within:1; distance:3; content:"|00 00 00 07|AddJob|00|"; fast_pattern:only; content:".exe"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,94649; reference:cve,2016-9796; classtype:attempted-admin; sid:40995; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Tarantool Msgpuck mp_check denial of service vulnerability attempt"; flow:to_server,established; content:"|DE FF FF 01 01 CC 02 CC 02 CD 00 03 CD 00 03 CE 00 00 00 04 CE 00 00 00 04 CF 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-9036; reference:url,www.talosintelligence.com/reports/TALOS-2016-0254; classtype:attempted-dos; sid:41082; rev:3;)
alert tcp $HOME_NET [3301,3302] -> $EXTERNAL_NET any (msg:"SERVER-OTHER Tarantool initial connection banner detected"; flow:to_client,established; content:"Tarantool "; depth:10; flowbits:set,tarantool; flowbits:noalert; reference:url,tarantool.org/doc/singlehtml.html; classtype:protocol-command-decode; sid:41081; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [3301,3302] (msg:"SERVER-OTHER Tarantool xrow_header_decode out of bounds read attempt"; flow:to_server,established; flowbits:isset,tarantool; content:"|CE 00 00 00|"; depth:4; byte_test:1,>,0x80,1,relative; byte_test:1,<,0x90,1,relative; byte_test:1,<,0x80,2,relative; byte_test:1,>,0x31,2,relative; byte_jump:1,0,relative; content:"|00|"; within:1; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-9037; reference:url,www.talosintelligence.com/reports/TALOS-2016-0255/; classtype:attempted-dos; sid:41080; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4445 (msg:"SERVER-OTHER Rockwell Factorytalk RNADiagReceiver denial of service attempt"; flow:to_server; content:"|00 02 00 01|"; depth:4; content:"|00 00 00 00 FF FF|"; within:6; distance:48; content:"aaaaaaaaaa"; within:10; reference:cve,2012-0222; classtype:denial-of-service; sid:41090; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL ChaCha20 Poly1305 heap-buffer overflow attempt"; flow:to_server,established; content:"|16 03 00|"; depth:3; content:"|03 03|"; distance:6; content:"|CC AA|"; within:2; distance:35; metadata:service ssl; reference:cve,2016-7054; reference:url,www.openssl.org/news/secadv/20161110.txt; classtype:attempted-dos; sid:41118; rev:1;)
# alert tcp any any -> $HOME_NET 389 (msg:"SERVER-OTHER OpenLDAP BER Message denial of service attempt"; flow:to_server,established; content:"|FF E0 F3 D4 AA CE 77 83 0A 62 3E 59 32 C6 C3 15 10|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ldap; reference:cve,2015-6908; classtype:attempted-dos; sid:41382; rev:2;)
# alert tcp any any -> $HOME_NET 389 (msg:"SERVER-OTHER OpenLDAP BER Message denial of service attempt"; flow:to_server,established; content:"|FF 84 84 84 84 84 77 83 0A 62 3E 59 32 00 00 00 2F|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ldap; reference:cve,2015-6908; classtype:attempted-dos; sid:41381; rev:2;)
# alert tcp any any -> $HOME_NET 389 (msg:"SERVER-OTHER OpenLDAP BER Message denial of service attempt"; flow:to_server,established; content:"|1F 8F FF FF FF FF FF 7F 81 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ldap; reference:cve,2015-6908; classtype:attempted-dos; sid:41380; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Squid HTTP Vary response header denial of service attempt"; flow:to_client,established; content:"Vary|3A|"; http_header; content:!"|0D 0A|"; within:250; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2016-2569; reference:url,www.squid-cache.org/Advisories/SQUID-2016_2.txt; classtype:denial-of-service; sid:41379; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11460 (msg:"SERVER-OTHER IBM Tivoli Storage Manager FastBack server denial of service attempt"; flow:to_server,established; content:"|50 10 00 00 00 00 00 00|"; depth:8; offset:16; byte_test:4,>,2000,0,relative,little; metadata:policy max-detect-ips drop; reference:cve,2015-8523; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21975536; classtype:attempted-dos; sid:41366; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER QNAP remote buffer overflow attempt"; flow:to_server,established; content:"/cgi-bin/cgi.cgi"; fast_pattern:only; http_uri; content:"u="; http_uri; content:"p="; http_uri; isdataat:263,relative; content:!"&"; within:263; http_uri; content:!"|0D 0A|"; within:263; http_uri; metadata:ruleset community, service http; reference:url,seclists.org/bugtraq/2017/Jan/5; classtype:attempted-admin; sid:41445; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Siemens WinCC TIA Portal DOS attempt"; flow:to_server,established; content:"FormLogin"; fast_pattern:only; http_uri; content:"Login="; http_client_body; content:"Redirection="; distance:0; http_client_body; isdataat:75,relative; metadata:service http; reference:url,w3.siemens.com/mcms/automation-software/en/tia-portal-software/wincc-tia-portal/wincc-tia-portal-es/Pages/default.aspx; classtype:attempted-dos; sid:41537; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Ge Fanuc Proficy WebView DOS attempt"; flow:to_server,established; content:"/CimWeb/"; fast_pattern:only; http_uri; content:"|25|"; http_raw_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.ge.com/digital/products/cimplicity; classtype:attempted-dos; sid:41520; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SERVER-OTHER Schneider Electric ETY Telnet DOS attempt"; flow:to_server,established; content:"tTelnetd"; fast_pattern:only; metadata:service telnet; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=36895; classtype:attempted-dos; sid:41651; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER PHP Exception Handling remote denial of service attempt"; flow:to_server,established; content:"O"; http_client_body; content:"exception"; nocase; http_client_body; content:"Exception"; nocase; http_client_body; content:"previous"; nocase; http_client_body; pcre:"/O(\x3a|%3a)\d+(\x3a|%3a).*exception.*(\x3a|%3a)\d(\x3a|%3a)(\x7b|%7b)S(\x3a|%3a)\d+(\x3a|%3a).*Exception.*previous.*(\x3b|%3b)r(\x3a|%3a)\d+(\x3b\x7d|%3b%7d)/Psim"; metadata:policy max-detect-ips drop, service http; reference:cve,2016-7478; classtype:attempted-admin; sid:41690; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER PHP Exception Handling remote denial of service attempt"; flow:to_server,established; content:"O:"; http_uri; content:"exception"; nocase; http_uri; content:"Exception"; within:50; nocase; http_uri; content:"previous"; within:20; nocase; http_uri; pcre:"/O:\d+:.*exception.*:\d:\x7bS:\d+:.*Exception.*previous.*\x3br:\d+\x3b\x7d/iU"; metadata:policy max-detect-ips drop, service http; reference:cve,2016-7478; classtype:attempted-admin; sid:41689; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol version command attempt"; flow:to_server,established; content:"|00 00 00 02 00 00 00 01 00 00 00 05|"; depth:12; content:"tftp://"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2018-0156; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-admin; sid:41725; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol download image command attempt"; flow:to_server,established; content:"|00 00 00 01 00 00 00 01 00 00 00 02|"; depth:12; content:"tftp://"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-admin; sid:41724; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol download config command attempt"; flow:to_server,established; content:"|00 00 00 01 00 00 00 01 00 00 00 03|"; depth:12; content:"tftp://"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-admin; sid:41723; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol backup config command attempt"; flow:to_server,established; content:"|00 00 00 01 00 00 00 01 00 00 00 08|"; depth:12; content:"://"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-admin; sid:41722; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Beck IPC CHIP DoS attempt"; flow:to_server,established; urilen:>250; content:"|2F 26 2F 26 2F 26 2F 26 2F 26 2F 26 2F 26 2F 26 2F 26 2F 26 2F 26|"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2001-1337; classtype:attempted-dos; sid:41736; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8161 (msg:"SERVER-OTHER Apache ActiveMQ fileserver broker service file move attempt"; flow:to_server,established; content:"MOVE /fileserver"; fast_pattern:only; reference:cve,2015-1499; classtype:attempted-user; sid:41812; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8161 (msg:"SERVER-OTHER Apache ActiveMQ fileserver broker service file delete attempt"; flow:to_server,established; content:"DELETE /fileserver"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:cve,2015-1499; reference:cve,2016-3088; classtype:attempted-user; sid:41811; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8161 (msg:"SERVER-OTHER Apache ActiveMQ fileserver broker service file upload attempt"; flow:to_server,established; content:"PUT /fileserver"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:cve,2015-1499; reference:cve,2016-3088; classtype:attempted-user; sid:41810; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11460 (msg:"SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt"; flow:to_server,established; file_data; content:"|04 07 00 00|"; depth:4; offset:16; byte_test:4,>,1000,4,relative,little; metadata:policy max-detect-ips drop; reference:cve,2015-8519; classtype:attempted-admin; sid:41802; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11460 (msg:"SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt"; flow:to_server,established; file_data; content:"|07 07 00 00|"; depth:4; offset:16; byte_test:4,>,1000,4,relative,little; metadata:policy max-detect-ips drop; reference:cve,2015-8522; classtype:attempted-admin; sid:41801; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11460 (msg:"SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt"; flow:to_server,established; file_data; content:"|92 12 00 00|"; depth:4; offset:16; byte_test:4,>,1000,4,relative,little; metadata:policy max-detect-ips drop; reference:cve,2015-8520; classtype:attempted-admin; sid:41800; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11460 (msg:"SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt"; flow:to_server,established; file_data; content:"|06 07 00 00|"; depth:4; offset:16; byte_test:4,>,1000,4,relative,little; metadata:policy max-detect-ips drop; reference:cve,2015-8521; classtype:attempted-admin; sid:41799; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER Nagios Core privilege escalation attempt"; flow:to_server,established; file_data; content:"/usr/local/nagios/var/rw/nagios.cmd"; content:"/bin/bash"; content:"gcc"; within:20; content:"/etc/ld.so.preload"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-9566; reference:url,attack.mitre.org/techniques/T1087; classtype:attempted-admin; sid:41824; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Nagios Core privilege escalation attempt"; flow:to_client,established; file_data; content:"/usr/local/nagios/var/rw/nagios.cmd"; content:"/bin/bash"; content:"gcc"; within:20; content:"/etc/ld.so.preload"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-9566; reference:url,attack.mitre.org/techniques/T1087; classtype:attempted-admin; sid:41823; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER ImageMagick mvg label arbitrary file read attempt"; flow:to_server,established; file_data; content:"fill"; nocase; content:"label"; distance:0; nocase; pcre:"/fill\s+[\x27\x22]\s*?label\s*?:(EPHEMERAL|HTTPS|MVG|MSL|TEXT|SHOW|WIN|PLT|@)/i"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-3717; classtype:attempted-admin; sid:41888; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER ImageMagick mvg label arbitrary file read attempt"; flow:to_client,established; file_data; content:"fill"; nocase; content:"label"; distance:0; nocase; pcre:"/fill\s+[\x27\x22]\s*?label\s*?:(EPHEMERAL|HTTPS|MVG|MSL|TEXT|SHOW|WIN|PLT|@)/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3717; classtype:attempted-admin; sid:41887; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER ImageMagick mvg label arbitrary file read attempt"; flow:to_server,established; file_data; content:"stroke"; nocase; content:"label"; distance:0; nocase; pcre:"/stroke\s+[\x27\x22]\s*?label\s*?:(EPHEMERAL|HTTPS|MVG|MSL|TEXT|SHOW|WIN|PLT|@)/i"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-3717; classtype:attempted-admin; sid:41886; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER ImageMagick mvg label arbitrary file read attempt"; flow:to_client,established; file_data; content:"stroke"; nocase; content:"label"; distance:0; nocase; pcre:"/stroke\s+[\x27\x22]\s*?label\s*?:(EPHEMERAL|HTTPS|MVG|MSL|TEXT|SHOW|WIN|PLT|@)/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3717; classtype:attempted-admin; sid:41885; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER ImageMagick mvg label arbitrary file read attempt"; flow:to_server,established; file_data; content:"image"; nocase; content:"label"; distance:0; nocase; pcre:"/image\s+[\w\x2d]+\s+\d+\s*,\s*\d+[^\x27\x22]*?[\x27\x22]\s*?label\s*?:(EPHEMERAL|HTTPS|MVG|MSL|TEXT|SHOW|WIN|PLT|@)/i"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2016-3717; classtype:attempted-admin; sid:41884; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER ImageMagick mvg label arbitrary file read attempt"; flow:to_client,established; file_data; content:"image"; nocase; content:"label"; distance:0; nocase; pcre:"/image\s+[\w\x2d]+\s+\d+\s*,\s*\d+[^\x27\x22]*?[\x27\x22]\s*?label\s*?:(EPHEMERAL|HTTPS|MVG|MSL|TEXT|SHOW|WIN|PLT|@)/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-3717; classtype:attempted-admin; sid:41883; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Advantech WebAccess DCERPC heap buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:0; dce_stub_data; content:"|28 52 00 00|"; depth:4; byte_test:4,>,600,0,relative,dce; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:bugtraq,80745; reference:cve,2016-0857; reference:url,ics-cert.us-cert.gov/advisories/ICSA-16-014-01; classtype:attempted-admin; sid:41882; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SERVER-OTHER Valhala Honeypot ABOR command buffer overflow attempt"; flow:to_server,established; content:"ABOR "; nocase; isdataat:2000,relative; pcre:"/^ABOR\s[^\n]{2000}/mi"; metadata:policy max-detect-ips drop, service ftp; reference:url,sourceforge.net/projects/valhalahoneypot/; classtype:attempted-user; sid:41851; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:0; dce_stub_data; content:"|80 3C 01 00|"; depth:4; offset:4; byte_test:4,>,36,0,relative,dce; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:bugtraq,80745; reference:cve,2016-0856; reference:url,ics-cert.us-cert.gov/advisories/ICSA-16-014-01; classtype:attempted-admin; sid:41849; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:0; dce_stub_data; content:"|7F 3C 01 00|"; depth:4; offset:4; byte_test:4,>,310,0,relative,dce; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:bugtraq,80745; reference:cve,2016-0856; reference:url,ics-cert.us-cert.gov/advisories/ICSA-16-014-01; classtype:attempted-admin; sid:41848; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:0; dce_stub_data; content:"|75 3C 01 00|"; depth:4; offset:4; byte_test:4,>,32,0,relative,dce; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:bugtraq,80745; reference:cve,2016-0856; reference:url,ics-cert.us-cert.gov/advisories/ICSA-16-014-01; classtype:attempted-admin; sid:41847; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:0; dce_stub_data; content:"|3A 52 00 00|"; depth:4; offset:4; byte_test:4,>,20,0,relative,dce; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:bugtraq,80745; reference:cve,2016-0856; reference:url,ics-cert.us-cert.gov/advisories/ICSA-16-014-01; classtype:attempted-admin; sid:41846; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 25923 (msg:"SERVER-OTHER kaskad SCADA daserver heap overflow exploitation attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:32; content:"|20|"; within:1; distance:69; content:"|89 7A DB 01|"; within:4; distance:6; content:"|F0 6A DB 01|"; within:4; distance:612; reference:url,kaskad-asu.com/download/kaskad/RP_Kaskad.pdf; classtype:attempted-user; sid:42065; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 25923 (msg:"SERVER-OTHER kaskad SCADA daserver heap overflow exploitation attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:32; content:"|20|"; within:1; distance:69; content:"|89 7A E5 01|"; within:4; distance:6; content:"|F0 6A E5 01|"; within:4; distance:612; reference:url,kaskad-asu.com/download/kaskad/RP_Kaskad.pdf; classtype:attempted-user; sid:42064; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Pharos PopUp Printer Client DecodeBinary heap buffer overflow attempt"; flow:to_server,established; content:"|0A 08 00 00 00|CONNECT|00|"; depth:13; offset:13; content:"|05|"; distance:0; content:"|0B|"; within:1; distance:4; byte_test:4,>,0x7FFF,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-2788; reference:url,www.talosintelligence.com/reports/TALOS-2017-0283; classtype:attempted-admin; sid:41510; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Pharos PopUp Printer Client DecodeBinary heap buffer overflow attempt"; flow:to_server,established; content:"|0A 08 00 00 00|CONNECT|00|"; depth:13; offset:13; content:"|05|"; distance:0; content:"|4B|"; within:1; distance:4; byte_test:4,>,0x7FFF,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-2788; reference:url,www.talosintelligence.com/reports/TALOS-2017-0283; classtype:attempted-admin; sid:41509; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Pharos PopUp Printer Client Memcpy heap overflow attempt"; flow:to_server,established; content:"|08 00 00 00|CONNECT|00|"; depth:12; offset:14; content:"|0B 00 00 00 00|"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-2787; reference:url,www.talosintelligence.com/reports/TALOS-2017-0282; classtype:attempted-admin; sid:41508; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Pharos PopUp Printer Client DecodeString denial of service attempt"; flow:to_server,established; content:"CONNECT|00|"; depth:8; offset:18; content:"|0A|"; within:1; distance:-13; byte_test:4,>,0x188,0,relative,little; reference:cve,2017-2786; reference:url,www.talosintelligence.com/reports/TALOS-2017-0281; classtype:denial-of-service; sid:41507; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Pharos PopUp Printer Client DecodeString heap overflow attempt"; flow:to_server,established; content:"CONNECT|00|"; depth:8; offset:18; content:"|8A|"; within:1; distance:-13; byte_test:4,>,0x188,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-2785; reference:url,www.talosintelligence.com/reports/TALOS-2017-0280; classtype:attempted-admin; sid:41506; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Pharos PopUp Printer Client DecodeString heap overflow attempt"; flow:to_server,established; content:"CONNECT|00|"; depth:8; offset:18; content:"|4A|"; within:1; distance:-13; byte_test:4,>,0x188,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-2785; reference:url,www.talosintelligence.com/reports/TALOS-2017-0280; classtype:attempted-admin; sid:41505; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3001 (msg:"SERVER-OTHER Aerospike Database Server Fabric denial of service attempt"; flow:to_server,established; dsize:6; content:"|FF FF FF|"; depth:3; content:"|00 00|"; within:2; distance:1; reference:cve,2016-9049; reference:url,www.talosintelligence.com/reports/TALOS-2016-0263; classtype:attempted-user; sid:41219; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-OTHER Aerospike Database Server si_prop stack buffer overflow attempt"; flow:to_server,established; content:"|03|"; depth:1; offset:1; content:"|00 04|"; within:2; distance:24; content:"|00|"; within:1; distance:6; byte_jump:4,-5,relative; content:"|16|"; within:1; distance:4; byte_jump:4,-5,relative; content:"|01|"; within:1; distance:4; byte_test:4,>,84,-5,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-9054; reference:url,www.talosintelligence.com/reports/TALOS-2016-0268; classtype:attempted-user; sid:41216; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-OTHER Aerospike Database Server client batch request exploit attempt"; flow:to_server,established; content:"|00 00 02 00 00|"; content:"|01|"; within:1; distance:4; byte_test:4,>,0x7FFFFFFF,-5,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-9051; reference:url,www.talosintelligence.com/reports/TALOS-2016-0265; classtype:attempted-admin; sid:41213; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-OTHER Aerospike Database Server digest_ripe message field out of bounds read attempt"; flow:to_server,established; content:"|03|"; depth:1; offset:1; content:"|00 02|"; within:2; distance:24; content:"|00|"; within:1; distance:6; byte_jump:4,-5,relative; content:"|00 00 00 01 04|"; within:5; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-9050; reference:url,www.talosintelligence.com/reports/TALOS-2016-0264; classtype:attempted-user; sid:41212; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3001 (msg:"SERVER-OTHER Aerospike Database Server Fabric particle_vtable out of bounds read attempt"; flow:to_server,established; content:"|00 09 06|"; content:"|00 01|"; within:2; distance:4; content:"|00|"; within:1; distance:1; byte_jump:1,-2,relative; content:"|00|"; within:1; byte_test:1,>,24,0,relative; byte_jump:4,1,relative; content:"|00 04 02|"; within:3; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-9053; reference:url,www.talosintelligence.com/reports/TALOS-2016-0267; classtype:attempted-user; sid:41209; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-OTHER Aerospike Database Server index name buffer overflow attempt"; flow:to_server,established; content:"|02 03|"; depth:2; byte_jump:4,28,relative; content:"|00 00 00 02 16 00|"; within:6; content:"|15|"; within:1; distance:4; byte_test:4,>,0x200,-5,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-9052; reference:url,www.talosintelligence.com/reports/TALOS-2016-0266/; classtype:attempted-admin; sid:41206; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt"; flow:to_server,established; content:"|80 21|"; depth:2; content:"|00 00|"; within:2; distance:2; byte_test:1,&,0x80,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-8706; reference:url,www.talosintelligence.com/reports/TALOS-2016-0221; classtype:attempted-admin; sid:40483; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt"; flow:to_server,established; content:"|80 21|"; depth:2; byte_extract:2,0,keylen,relative; content:"|00 00|"; within:2; byte_test:4,<,keylen,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-8706; reference:url,www.talosintelligence.com/reports/TALOS-2016-0221; classtype:attempted-admin; sid:40482; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-OTHER Memcached replaceq opcode request heap buffer overflow attempt"; flow:to_server,established; content:"|80 13|"; depth:2; content:"|08 00|"; within:2; distance:2; byte_test:1,&,0x80,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-8705; reference:cve,2017-9951; reference:url,www.talosintelligence.com/reports/TALOS-2016-0220; classtype:attempted-admin; sid:40481; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-OTHER Memcached replace opcode request heap buffer overflow attempt"; flow:to_server,established; content:"|80 03|"; depth:2; content:"|08 00|"; within:2; distance:2; byte_test:1,&,0x80,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-8705; reference:cve,2017-9951; reference:url,www.talosintelligence.com/reports/TALOS-2016-0220; classtype:attempted-admin; sid:40480; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-OTHER Memcached addq opcode request heap buffer overflow attempt"; flow:to_server,established; content:"|80 12|"; depth:2; content:"|08 00|"; within:2; distance:2; byte_test:1,&,0x80,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-8705; reference:cve,2017-9951; reference:url,www.talosintelligence.com/reports/TALOS-2016-0220; classtype:attempted-admin; sid:40479; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-OTHER Memcached add opcode request heap buffer overflow attempt"; flow:to_server,established; content:"|80 02|"; depth:2; content:"|08 00|"; within:2; distance:2; byte_test:1,&,0x80,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-8705; reference:cve,2017-9951; reference:url,www.talosintelligence.com/reports/TALOS-2016-0220; classtype:attempted-admin; sid:40478; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-OTHER Memcached setq opcode request heap buffer overflow attempt"; flow:to_server,established; content:"|80 11|"; depth:2; content:"|08 00|"; within:2; distance:2; byte_test:1,&,0x80,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-8705; reference:cve,2017-9951; reference:url,www.talosintelligence.com/reports/TALOS-2016-0220; classtype:attempted-admin; sid:40477; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-OTHER Memcached set opcode request heap buffer overflow attempt"; flow:to_server,established; content:"|80 01|"; depth:2; content:"|08 00|"; within:2; distance:2; byte_test:1,&,0x80,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-8705; reference:cve,2017-9951; reference:url,www.talosintelligence.com/reports/TALOS-2016-0220; classtype:attempted-admin; sid:40476; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-OTHER Memcached prependq opcode request heap buffer overflow attempt"; flow:to_server,established; content:"|80 1A|"; depth:2; content:"|00 00|"; within:2; distance:2; byte_test:1,&,0x80,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-8704; reference:url,www.talosintelligence.com/reports/TALOS-2016-0219; classtype:attempted-admin; sid:40475; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-OTHER Memcached prependq opcode request heap buffer overflow attempt"; flow:to_server,established; content:"|80 1A|"; depth:2; byte_extract:2,0,keylen,relative; content:"|00 00|"; within:2; byte_test:4,<,keylen,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-8704; reference:url,www.talosintelligence.com/reports/TALOS-2016-0219; classtype:attempted-admin; sid:40474; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-OTHER Memcached appendq opcode request heap buffer overflow attempt"; flow:to_server,established; content:"|80 19|"; depth:2; content:"|00 00|"; within:2; distance:2; byte_test:1,&,0x80,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-8704; reference:url,www.talosintelligence.com/reports/TALOS-2016-0219; classtype:attempted-admin; sid:40473; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-OTHER Memcached appendq opcode request heap buffer overflow attempt"; flow:to_server,established; content:"|80 19|"; depth:2; byte_extract:2,0,keylen,relative; content:"|00 00|"; within:2; byte_test:4,<,keylen,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-8704; reference:url,www.talosintelligence.com/reports/TALOS-2016-0219; classtype:attempted-admin; sid:40472; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-OTHER Memcached prepend opcode request heap buffer overflow attempt"; flow:to_server,established; content:"|80 0F|"; depth:2; content:"|00 00|"; within:2; distance:2; byte_test:1,&,0x80,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-8704; reference:url,www.talosintelligence.com/reports/TALOS-2016-0219; classtype:attempted-admin; sid:40471; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-OTHER Memcached prepend opcode request heap buffer overflow attempt"; flow:to_server,established; content:"|80 0F|"; depth:2; byte_extract:2,0,keylen,relative; content:"|00 00|"; within:2; byte_test:4,<,keylen,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-8704; reference:url,www.talosintelligence.com/reports/TALOS-2016-0219; classtype:attempted-admin; sid:40470; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-OTHER Memcached append opcode request heap buffer overflow attempt"; flow:to_server,established; content:"|80 0E|"; depth:2; content:"|00 00|"; within:2; distance:2; byte_test:1,&,0x80,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-8704; reference:url,www.talosintelligence.com/reports/TALOS-2016-0219; classtype:attempted-admin; sid:40469; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-OTHER Memcached append opcode request heap buffer overflow attempt"; flow:to_server,established; content:"|80 0E|"; depth:2; byte_extract:2,0,keylen,relative; content:"|00 00|"; within:2; byte_test:4,<,keylen,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-8704; reference:url,www.talosintelligence.com/reports/TALOS-2016-0219; classtype:attempted-admin; sid:40468; rev:4;)
# alert tcp $EXTERNAL_NET 9119 -> $HOME_NET any (msg:"SERVER-OTHER Pidgin MXIT message length overflow attempt"; flow:to_client,established; content:"ln="; depth:3; byte_test:10,>,1000000,0,relative,string,dec; reference:cve,2016-2376; reference:url,www.talosintelligence.com/reports/TALOS-2016-0118; classtype:attempted-user; sid:39151; rev:2;)
# alert tcp $EXTERNAL_NET 9119 -> $HOME_NET any (msg:"SERVER-OTHER Pidgin MXIT negative message length underflow attempt"; flow:to_client,established; content:"ln=-"; depth:4; reference:cve,2016-2376; reference:url,www.talosintelligence.com/reports/TALOS-2016-0118; classtype:attempted-user; sid:39150; rev:2;)
# alert tcp $EXTERNAL_NET 9119 -> $HOME_NET any (msg:"SERVER-OTHER Pidgin mxit_chunk_parse_cr out of bounds read attempt"; flow:to_client,established; content:"ln="; byte_extract:10,0,len,relative,string,dec; content:"|00|27|00|0|00 01|"; within:7; byte_jump:2,4,relative; byte_jump:2,0,relative; content:"|01|"; within:1; byte_test:4,>,len,0,relative; reference:cve,2016-2370; reference:url,www.talosintelligence.com/reports/TALOS-2016-0138; classtype:attempted-user; sid:38870; rev:2;)
# alert tcp $EXTERNAL_NET 9119 -> $HOME_NET any (msg:"SERVER-OTHER Pidgin mxit_chunk_parse_get_avatar out of bounds read attempt"; flow:to_client,established; content:"ln="; byte_extract:10,0,len,relative,string,dec; content:"|00|27|00|0|00 0E|"; within:7; content:"|00 03|PNG"; distance:0; byte_test:4,>,len,13,relative; reference:cve,2016-2367; reference:url,www.talosintelligence.com/reports/TALOS-2016-0135; classtype:attempted-user; sid:38867; rev:2;)
# alert tcp $EXTERNAL_NET 9119 -> $HOME_NET any (msg:"SERVER-OTHER Pidgin mxit_parse_cmd_suggestcontacts out of bounds read attempt"; flow:to_client,established; content:"ln="; depth:3; content:"|00|13|00|0|00|"; within:15; byte_test:4,>,500,10,relative; reference:cve,2016-2375; reference:url,www.talosintelligence.com/reports/TALOS-2016-0143; classtype:attempted-user; sid:38583; rev:2;)
# alert tcp $EXTERNAL_NET 9119 -> $HOME_NET any (msg:"SERVER-OTHER Pidgin multimx_message_received out of bounds read attempt"; flow:to_client,established; content:"ln="; depth:3; content:"|00|9|00|0|00|"; within:15; content:">|00|"; isdataat:!1,relative; pcre:"/^ln=\d+\x009\x000\x00([\x20-\x7e]+\x01){4}\d+\x00\x3c\w+\x3e\x00$/"; reference:cve,2016-2374; reference:url,www.talosintelligence.com/reports/TALOS-2016-0142; classtype:attempted-user; sid:38578; rev:2;)
# alert tcp $EXTERNAL_NET 9119 -> $HOME_NET any (msg:"SERVER-OTHER Pidgin MXIT protocol handling splash_remove directory traversal attempt"; flow:to_client,established; content:"ln="; depth:3; content:"|00|27|00|0|00 01|"; within:15; content:"..|5C|"; reference:cve,2016-4323; reference:url,www.talosintelligence.com/reports/TALOS-2016-0128; classtype:attempted-user; sid:38551; rev:2;)
# alert tcp $EXTERNAL_NET 9119 -> $HOME_NET any (msg:"SERVER-OTHER Pidgin MXIT protocol handling splash_remove directory traversal attempt"; flow:to_client,established; content:"ln="; depth:3; content:"|00|27|00|0|00 01|"; within:15; content:"../"; reference:cve,2016-4323; reference:url,www.talosintelligence.com/reports/TALOS-2016-0128; classtype:attempted-user; sid:38550; rev:2;)
# alert tcp $EXTERNAL_NET 9119 -> $HOME_NET any (msg:"SERVER-OTHER Pidgin mxit_parse_cmd_extprofile out of bounds read attempt"; flow:to_client,established; content:"ln="; depth:3; content:"|00|57|00|0|00|"; within:15; pcre:"/^ln=\d+\x0057\x000\x00[\x20-\x7e]+\x01/"; byte_test:10,>,50,0,relative,string,dec; reference:cve,2016-2371; reference:url,www.talosintelligence.com/reports/TALOS-2016-0139; classtype:attempted-user; sid:38549; rev:2;)
# alert tcp $EXTERNAL_NET 9119 -> $HOME_NET any (msg:"SERVER-OTHER Pidgin MXIT protocol handling null pointer dereference attempt"; flow:to_client,established; content:"ln="; depth:3; content:"|00 00|"; within:5; pcre:"/^ln=\d+\x00\x00/"; reference:cve,2016-2369; reference:url,www.talosintelligence.com/reports/TALOS-2016-0137; classtype:attempted-user; sid:38548; rev:2;)
# alert tcp $EXTERNAL_NET 9119 -> $HOME_NET any (msg:"SERVER-OTHER Pidgin MXIT table markup command out of bounds read attempt"; flow:to_client,established; content:"ln="; depth:3; content:"op=tbl|7C|"; fast_pattern:only; content:"row="; byte_test:10,>,100000,0,relative,string,dec; reference:cve,2016-2366; reference:url,www.talosintelligence.com/reports/TALOS-2016-0134; classtype:attempted-user; sid:38547; rev:2;)
# alert tcp $EXTERNAL_NET 9119 -> $HOME_NET any (msg:"SERVER-OTHER Pidgin MXIT table markup command out of bounds read attempt"; flow:to_client,established; content:"ln="; depth:3; content:"op=tbl|7C|"; fast_pattern:only; content:"col="; byte_test:10,>,100000,0,relative,string,dec; reference:cve,2016-2366; reference:url,www.talosintelligence.com/reports/TALOS-2016-0134; classtype:attempted-user; sid:38546; rev:2;)
# alert tcp $EXTERNAL_NET 9119 -> $HOME_NET any (msg:"SERVER-OTHER Pidgin mxit_update_contact out of bounds read attempt"; flow:to_client,established; content:"ln="; depth:3; content:"|00|3|00|0|00 01|"; within:15; pcre:"/^ln=\d+\x003\x000\x00\x01([\x20-\x7e]+\x01){2}(\d+\x01){2}/"; byte_test:10,>,15,0,relative,string,dec; reference:cve,2016-2373; reference:url,www.talosintelligence.com/reports/TALOS-2016-0141; classtype:attempted-user; sid:38545; rev:2;)
# alert tcp $EXTERNAL_NET 9119 -> $HOME_NET any (msg:"SERVER-OTHER Pidgin MXIT is operation null pointer dereference attempt"; flow:to_client,established; content:"|3A 3A|op=tbl|7C|"; content:"|3A 00|"; isdataat:!1,relative; pcre:"/::op=tbl(((?!\x7Cnm=).)*|((?!\x7Ccol=).)*|((?!\x7Crow=).)*|((?!\x7Cmode=).)*|((?!\x7Cd=).)*):\x00/"; reference:cve,2016-2365; reference:url,www.talosintelligence.com/reports/TALOS-2016-0133; classtype:attempted-user; sid:38345; rev:2;)
# alert tcp $EXTERNAL_NET 9119 -> $HOME_NET any (msg:"SERVER-OTHER Pidgin MXIT is operation null pointer dereference attempt"; flow:to_client,established; content:"|3A 3A|op=is|7C|"; content:"|3A 00|"; isdataat:!1,relative; pcre:"/::op=is(((?!\x7Cnm=).)*|((?!\x7Cv=).)*|((?!\x7Cfw=).)*|((?!\x7Cfh=).)*|((?!\x7Clayer=).)*):\x00/"; reference:cve,2016-2365; reference:url,www.talosintelligence.com/reports/TALOS-2016-0133; classtype:attempted-user; sid:38344; rev:2;)
# alert udp any 123 -> any 123 (msg:"SERVER-OTHER NTP crypto-NAK possible DoS attempt"; flow:to_server; dsize:52; content:"|24|"; depth:1; content:"|00 00 00 00|"; within:4; distance:47; metadata:service ntp; reference:cve,2016-1547; reference:url,attack.mitre.org/techniques/T1209; reference:url,www.talosintelligence.com/reports/TALOS-2016-0081; classtype:attempted-dos; sid:37843; rev:3;)
# alert udp 127.127.0.0/16 any -> $HOME_NET 123 (msg:"SERVER-OTHER ntpd reference clock impersonation attempt"; flow:to_server; content:"|1C 01|"; depth:2; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:14; metadata:service ntp; reference:cve,2016-1551; reference:url,attack.mitre.org/techniques/T1209; reference:url,www.talosintelligence.com/reports/TALOS-2016-0132; classtype:misc-attack; sid:37842; rev:3;)
# alert udp 127.127.0.0/16 any -> $HOME_NET 123 (msg:"SERVER-OTHER ntpd reference clock impersonation attempt"; flow:to_server; content:"|24 01|"; depth:2; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:14; metadata:service ntp; reference:cve,2016-1551; reference:url,attack.mitre.org/techniques/T1209; reference:url,www.talosintelligence.com/reports/TALOS-2016-0132; classtype:misc-attack; sid:37841; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER NTPD zero origin timestamp denial of service attempt"; flow:to_client,no_stream; content:"|06 80 00 00 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:12; detection_filter:track by_src, count 7, seconds 30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ntp; reference:cve,2016-9042; reference:url,attack.mitre.org/techniques/T1209; reference:url,www.talosintelligence.com/reports/TALOS-2016-0260/; classtype:attempted-dos; sid:41367; rev:5;)
alert udp $HOME_NET 1194 -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenVPN OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client; byte_test:1,>=,0x20,0; byte_test:1,<=,0x27,0; content:"|01|"; depth:1; offset:9; content:"|18 03 03|"; within:3; distance:16; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30742; rev:1;)
alert udp $HOME_NET 1194 -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenVPN OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client; byte_test:1,>=,0x20,0; byte_test:1,<=,0x27,0; content:"|01|"; depth:1; offset:37; content:"|18 03 03|"; within:3; distance:16; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30741; rev:2;)
alert udp $HOME_NET 1194 -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenVPN OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client; byte_test:1,>=,0x20,0; byte_test:1,<=,0x27,0; content:"|01|"; depth:1; offset:9; content:"|18 03 02|"; within:3; distance:16; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30740; rev:1;)
alert udp $HOME_NET 1194 -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenVPN OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client; byte_test:1,>=,0x20,0; byte_test:1,<=,0x27,0; content:"|01|"; depth:1; offset:37; content:"|18 03 02|"; within:3; distance:16; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30739; rev:2;)
alert udp $HOME_NET 1194 -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenVPN OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client; byte_test:1,>=,0x20,0; byte_test:1,<=,0x27,0; content:"|01|"; depth:1; offset:9; content:"|18 03 01|"; within:3; distance:16; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30738; rev:1;)
alert udp $HOME_NET 1194 -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenVPN OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client; byte_test:1,>=,0x20,0; byte_test:1,<=,0x27,0; content:"|01|"; depth:1; offset:37; content:"|18 03 01|"; within:3; distance:16; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30737; rev:2;)
alert udp $HOME_NET 1194 -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenVPN OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client; byte_test:1,>=,0x20,0; byte_test:1,<=,0x27,0; content:"|01|"; depth:1; offset:9; content:"|18 03 00|"; within:3; distance:16; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30736; rev:1;)
alert udp $HOME_NET 1194 -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenVPN OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client; byte_test:1,>=,0x20,0; byte_test:1,<=,0x27,0; content:"|01|"; depth:1; offset:37; content:"|18 03 00|"; within:3; distance:16; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30735; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1194 (msg:"SERVER-OTHER OpenVPN OpenSSL TLSv1.2 heartbeat read overrun attempt"; flow:to_server; byte_test:1,>=,0x20,0; byte_test:1,<=,0x27,0; content:"|00|"; depth:1; offset:9; content:"|18 03 03|"; within:3; distance:4; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30734; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1194 (msg:"SERVER-OTHER OpenVPN OpenSSL TLSv1.2 heartbeat read overrun attempt"; flow:to_server; byte_test:1,>=,0x20,0; byte_test:1,<=,0x27,0; content:"|00|"; depth:1; offset:37; content:"|18 03 03|"; within:3; distance:4; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30733; rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1194 (msg:"SERVER-OTHER OpenVPN OpenSSL TLSv1.1 heartbeat read overrun attempt"; flow:to_server; byte_test:1,>=,0x20,0; byte_test:1,<=,0x27,0; content:"|00|"; depth:1; offset:9; content:"|18 03 02|"; within:3; distance:4; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30732; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1194 (msg:"SERVER-OTHER OpenVPN OpenSSL TLSv1.1 heartbeat read overrun attempt"; flow:to_server; byte_test:1,>=,0x20,0; byte_test:1,<=,0x27,0; content:"|00|"; depth:1; offset:37; content:"|18 03 02|"; within:3; distance:4; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30731; rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1194 (msg:"SERVER-OTHER OpenVPN OpenSSL TLSv1 heartbeat read overrun attempt"; flow:to_server; byte_test:1,>=,0x20,0; byte_test:1,<=,0x27,0; content:"|00|"; depth:1; offset:9; content:"|18 03 01|"; within:3; distance:4; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30730; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1194 (msg:"SERVER-OTHER OpenVPN OpenSSL TLSv1 heartbeat read overrun attempt"; flow:to_server; byte_test:1,>=,0x20,0; byte_test:1,<=,0x27,0; content:"|00|"; depth:1; offset:37; content:"|18 03 01|"; within:3; distance:4; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30729; rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1194 (msg:"SERVER-OTHER OpenVPN OpenSSL SSLv3 heartbeat read overrun attempt"; flow:to_server; byte_test:1,>=,0x20,0; byte_test:1,<=,0x27,0; content:"|00|"; depth:1; offset:9; content:"|18 03 00|"; within:3; distance:4; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30728; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1194 (msg:"SERVER-OTHER OpenVPN OpenSSL SSLv3 heartbeat read overrun attempt"; flow:to_server; byte_test:1,>=,0x20,0; byte_test:1,<=,0x27,0; content:"|00|"; depth:1; offset:37; content:"|18 03 00|"; within:3; distance:4; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30727; rev:4;)
alert tcp $HOME_NET 1194 -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenVPN OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; byte_test:1,>=,0x20,2; byte_test:1,<=,0x27,2; content:"|01|"; depth:1; offset:39; content:"|18 03 03|"; within:3; distance:16; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30726; rev:3;)
alert tcp $HOME_NET 1194 -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenVPN OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; byte_test:1,>=,0x20,2; byte_test:1,<=,0x27,2; content:"|01|"; depth:1; offset:11; content:"|18 03 03|"; within:3; distance:16; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30725; rev:2;)
alert tcp $HOME_NET 1194 -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenVPN OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; byte_test:1,>=,0x20,2; byte_test:1,<=,0x27,2; content:"|01|"; depth:1; offset:39; content:"|18 03 02|"; within:3; distance:16; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30724; rev:3;)
alert tcp $HOME_NET 1194 -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenVPN OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; byte_test:1,>=,0x20,2; byte_test:1,<=,0x27,2; content:"|01|"; depth:1; offset:11; content:"|18 03 02|"; within:3; distance:16; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30723; rev:2;)
alert tcp $HOME_NET 1194 -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenVPN OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; byte_test:1,>=,0x20,2; byte_test:1,<=,0x27,2; content:"|01|"; depth:1; offset:39; content:"|18 03 01|"; within:3; distance:16; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30722; rev:3;)
alert tcp $HOME_NET 1194 -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenVPN OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; byte_test:1,>=,0x20,2; byte_test:1,<=,0x27,2; content:"|01|"; depth:1; offset:11; content:"|18 03 01|"; within:3; distance:16; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30721; rev:2;)
alert tcp $HOME_NET 1194 -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenVPN OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; byte_test:1,>=,0x20,2; byte_test:1,<=,0x27,2; content:"|01|"; depth:1; offset:39; content:"|18 03 00|"; within:3; distance:16; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30720; rev:3;)
alert tcp $HOME_NET 1194 -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenVPN OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; byte_test:1,>=,0x20,2; byte_test:1,<=,0x27,2; content:"|01|"; depth:1; offset:11; content:"|18 03 00|"; within:3; distance:16; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30719; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1194 (msg:"SERVER-OTHER OpenVPN OpenSSL TLSv1.2 heartbeat read overrun attempt"; flow:to_server,established,only_stream; byte_test:1,>=,0x20,2; byte_test:1,<=,0x27,2; content:"|00|"; depth:1; offset:39; content:"|18 03 03|"; within:3; distance:4; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30718; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1194 (msg:"SERVER-OTHER OpenVPN OpenSSL TLSv1.2 heartbeat read overrun attempt"; flow:to_server,established,only_stream; byte_test:1,>=,0x20,2; byte_test:1,<=,0x27,2; content:"|00|"; depth:1; offset:11; content:"|18 03 03|"; within:3; distance:4; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30717; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1194 (msg:"SERVER-OTHER OpenVPN OpenSSL TLSv1.1 heartbeat read overrun attempt"; flow:to_server,established,only_stream; byte_test:1,>=,0x20,2; byte_test:1,<=,0x27,2; content:"|00|"; depth:1; offset:39; content:"|18 03 02|"; within:3; distance:4; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30716; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1194 (msg:"SERVER-OTHER OpenVPN OpenSSL TLSv1.1 heartbeat read overrun attempt"; flow:to_server,established,only_stream; byte_test:1,>=,0x20,2; byte_test:1,<=,0x27,2; content:"|00|"; depth:1; offset:11; content:"|18 03 02|"; within:3; distance:4; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30715; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1194 (msg:"SERVER-OTHER OpenVPN OpenSSL TLSv1 heartbeat read overrun attempt"; flow:to_server,established,only_stream; byte_test:1,>=,0x20,2; byte_test:1,<=,0x27,2; content:"|00|"; depth:1; offset:39; content:"|18 03 01|"; within:3; distance:4; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30714; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1194 (msg:"SERVER-OTHER OpenVPN OpenSSL TLSv1 heartbeat read overrun attempt"; flow:to_server,established,only_stream; byte_test:1,>=,0x20,2; byte_test:1,<=,0x27,2; content:"|00|"; depth:1; offset:11; content:"|18 03 01|"; within:3; distance:4; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30713; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1194 (msg:"SERVER-OTHER OpenVPN OpenSSL SSLv3 heartbeat read overrun attempt"; flow:to_server,established,only_stream; byte_test:1,>=,0x20,2; byte_test:1,<=,0x27,2; content:"|00|"; depth:1; offset:39; content:"|18 03 00|"; within:3; distance:4; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30712; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1194 (msg:"SERVER-OTHER OpenVPN OpenSSL SSLv3 heartbeat read overrun attempt"; flow:to_server,established,only_stream; byte_test:1,>=,0x20,2; byte_test:1,<=,0x27,2; content:"|00|"; depth:1; offset:11; content:"|18 03 00|"; within:3; distance:4; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service openvpn; reference:cve,2014-0160; classtype:attempted-recon; sid:30711; rev:3;)
alert tcp any any -> any 389 (msg:"SERVER-OTHER Microsoft LDAP MaxBuffSize buffer overflow attempt"; flow:to_server,established; content:"|30 81|"; depth:2; content:"|63 81|"; within:6; byte_jump:1,2,relative; content:"|02 02 FF FF|"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-0166; classtype:attempted-user; sid:42160; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER NTP malformed config request denial of service attempt"; flow:stateless; content:"mode "; fast_pattern:only; content:"|16 08|"; depth:2; pcre:"/mode\s+?\d{4}/"; metadata:policy max-detect-ips drop, policy security-ips drop, service ntp; reference:cve,2017-6464; reference:url,attack.mitre.org/techniques/T1209; reference:url,wiki.mozilla.org/images/e/ea/Ntp-report.pdf; classtype:denial-of-service; sid:42235; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER TopSec Firewall cookie header command injection attempt"; flow:to_server,established; content:"/get/maincgi.cgi"; fast_pattern:only; http_uri; urilen:16; content:"session_id=|22|"; http_cookie; content:"|60|"; within:1000; http_cookie; pcre:"/session_id=\x22[^\x22]{0,1000}([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/smC"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploit-db.com/exploits/40273/; classtype:attempted-user; sid:42232; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER NTP Config Unpeer denial of service attempt"; flow:stateless; content:"unpeer"; fast_pattern:only; content:"|16 08|"; depth:2; pcre:"/unpeer\s*?0/"; metadata:service ntp; reference:cve,2017-6463; reference:url,attack.mitre.org/techniques/T1209; reference:url,wiki.mozilla.org/images/e/ea/Ntp-report.pdf; classtype:denial-of-service; sid:42227; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Moxa MX-AOPC XML external entity injection attempt"; flow:to_client,established; flowbits:isset,file.aop; file_data; content:"file"; nocase; content:"|21|ENTITY"; nocase; pcre:"/\x21ENTITY((?!\x3e).)*?(SYSTEM|PUBLIC)/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-7457; classtype:attempted-admin; sid:42224; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-OTHER 389-ds-base bind code execution attempt"; flow:to_server, established; content:"|30|"; depth:1; content:"|60|"; within:1; distance:4; content:"cn="; pcre:"/cn=([\'\"]?\\[\x80-\xC1\xF5-\xFF]|[\'\"]{2}|[\'\"][^\"\']+[,\;])/i"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-2668; classtype:attempted-admin; sid:42362; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-OTHER 389-ds-base bind code execution attempt"; flow:to_server, established; content:"|30|"; depth:1; content:"|60|"; within:1; distance:4; content:"uid="; pcre:"/uid=([\'\"]?\\[\x80-\xC1\xF5-\xFF]|[\'\"]{2}|[\'\"][^\"\']+[,\;])/i"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-2668; classtype:attempted-admin; sid:42361; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-OTHER 389-ds-base bind code execution attempt"; flow:to_server, established; content:"|30|"; depth:1; content:"|60|"; within:1; distance:4; content:"street="; pcre:"/street=([\'\"]?\\[\x80-\xC1\xF5-\xFF]|[\'\"]{2}|[\'\"][^\"\']+[,\;])/i"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-2668; classtype:attempted-admin; sid:42360; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-OTHER 389-ds-base bind code execution attempt"; flow:to_server, established; content:"|30|"; depth:1; content:"|60|"; within:1; distance:4; content:"c="; pcre:"/c=([\'\"]?\\[\x80-\xC1\xF5-\xFF]|[\'\"]{2}|[\'\"][^\"\']+[,\;])/i"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-2668; classtype:attempted-admin; sid:42359; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-OTHER 389-ds-base bind code execution attempt"; flow:to_server, established; content:"|30|"; depth:1; content:"|60|"; within:1; distance:4; content:"ou="; pcre:"/ou=([\'\"]?\\[\x80-\xC1\xF5-\xFF]|[\'\"]{2}|[\'\"][^\"\']+[,\;])/i"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-2668; classtype:attempted-admin; sid:42358; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-OTHER 389-ds-base bind code execution attempt"; flow:to_server, established; content:"|30|"; depth:1; content:"|60|"; within:1; distance:4; content:"o="; pcre:"/o=([\'\"]?\\[\x80-\xC1\xF5-\xFF]|[\'\"]{2}|[\'\"][^\"\']+[,\;])/i"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-2668; classtype:attempted-admin; sid:42357; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-OTHER 389-ds-base bind code execution attempt"; flow:to_server, established; content:"|30|"; depth:1; content:"|60|"; within:1; distance:4; content:"st="; pcre:"/st=([\'\"]?\\[\x80-\xC1\xF5-\xFF]|[\'\"]{2}|[\'\"][^\"\']+[,\;])/i"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-2668; classtype:attempted-admin; sid:42356; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-OTHER 389-ds-base bind code execution attempt"; flow:to_server, established; content:"|30|"; depth:1; content:"|60|"; within:1; distance:4; content:"l="; pcre:"/l=([\'\"]?\\[\x80-\xC1\xF5-\xFF]|[\'\"]{2}|[\'\"][^\"\']+[,\;])/i"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-2668; classtype:attempted-admin; sid:42355; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 10051 (msg:"SERVER-OTHER Zabbix Server Trapper code execution attempt"; flow:to_server,established; content:"ZBXD|01|"; depth:5; fast_pattern; content:"request"; nocase; content:"discovery"; distance:0; nocase; content:"data"; distance:0; nocase; content:"ip"; distance:0; nocase; pcre:"/request\s*?[\x22\x27]\s*?\x3a\s*?[\x27\x22]\s*?discovery\s*?data[\x27\x22][^}]*?[\x27\x22]\s*?ip\s*?[\x27\x22]\s*?\x3a\s*?[\x27\x22][^\x27\x22]*?([\x60\x3b\x7c\x26]|\x24\x28)/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-2825; reference:url,support.zabbix.com/browse/ZBX-12076; reference:url,talosintelligence.com/reports/TALOS-2017-0326; classtype:attempted-admin; sid:42326; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Yealink VoIP phone remote code execution attempt"; flow:to_server, established; content:"/cgiServer.exx"; fast_pattern:only; http_uri; content:"system("; http_client_body; metadata:service http; reference:bugtraq,68052; reference:cve,2013-5758; classtype:attempted-admin; sid:42378; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [7771,8976] (msg:"SERVER-OTHER HP Operations Agent for NonStop server HEALTH packet parsing stack buffer overflow attempt"; flow:to_server,established; content:"|00 01 00 00|"; depth:4; isdataat:1400,relative; reference:url,tools.cisco.com/security/center/viewIpsSignature.x?signatureId=1572&signatureSubId=0; classtype:attempted-admin; sid:42420; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1812 (msg:"SERVER-OTHER WinRadius long password denial of service attempt"; flow:to_server; content:"|01|"; depth:1; content:"|02|"; distance:19; byte_jump:1,0,relative,post_offset -2; byte_test:1,>,91,0,relative; reference:cve,2012-3816; classtype:misc-activity; sid:42466; rev:1;)
alert udp $EXTERNAL_NET 123 -> $HOME_NET any (msg:"SERVER-OTHER ntpq flagstr buffer overflow attempt"; flow:stateless; byte_test:1,&,6,0; byte_test:1,&,11,1; content:"flags."; content:"="; within:5; isdataat:130,relative; content:!"|2C 0D 0A|"; within:130; content:!"|00 00 00 01|"; within:130; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ntp; reference:cve,2017-6460; reference:url,attack.mitre.org/techniques/T1209; reference:url,support.ntp.org/bin/view/Main/SecurityNotice#March_2017_ntp_4_2_8p10_NTP_Secu; classtype:attempted-user; sid:42887; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Apache mod_auth_digest out of bounds read attempt"; flow:to_server,established; content:"Authorization: "; http_header; content:"Digest "; within:50; fast_pattern; http_header; pcre:"/Authorization:\s+Digest\s+(username|realm|nonce|uri|response|algorithm|cnonce|opaque|qop|nc)\s*\x0d\x0a/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-9788; reference:url,www.securityfocus.com/bid/99562/info; classtype:attempted-user; sid:43790; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1099,6099,7001,$HTTP_PORTS] (msg:"SERVER-OTHER Solarwinds Virtualization Manager Java malicious object deserialization attempt"; flow:to_server,established; content:"|50 AC ED|"; depth:3; content:"InvokerTransformer"; content:"org.apache.commons.collections.Transformer"; metadata:policy max-detect-ips drop, service http, service java_rmi; reference:cve,2016-3642; classtype:attempted-user; sid:43789; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt"; flow:to_server,established; file_data; content:"/scsrvcntr.cmd"; fast_pattern:only; content:"rmtmode="; nocase; content:"rmtport="; nocase; content:"rmtaction="; nocase; metadata:service smtp; reference:cve,2013-5730; classtype:attempted-admin; sid:43774; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt"; flow:to_client,established; file_data; content:"/scsrvcntr.cmd"; fast_pattern:only; content:"rmtmode="; nocase; content:"rmtport="; nocase; content:"rmtaction="; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-5730; classtype:attempted-admin; sid:43773; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt"; flow:to_server,established; file_data; content:"/wlmacflt.cmd"; fast_pattern:only; content:"action="; nocase; content:"wlFltMacMode="; nocase; metadata:service smtp; reference:cve,2013-5730; classtype:attempted-admin; sid:43772; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt"; flow:to_client,established; file_data; content:"/wlmacflt.cmd"; fast_pattern:only; content:"action="; nocase; content:"wlFltMacMode="; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-5730; classtype:attempted-admin; sid:43771; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt"; flow:to_server,established; file_data; content:"/scdmz.cmd"; fast_pattern:only; content:"fwFlag="; nocase; content:"dosenbl="; nocase; metadata:service smtp; reference:cve,2013-5730; classtype:attempted-admin; sid:43770; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt"; flow:to_client,established; file_data; content:"/scdmz.cmd"; fast_pattern:only; content:"fwFlag="; nocase; content:"dosenbl="; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-5730; classtype:attempted-admin; sid:43769; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 520 (msg:"SERVER-OTHER FreeBSD Routing Information Protocol assertion failure attempt"; flow:to_server; content:"|01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10|"; depth:24; dsize:24; metadata:policy max-detect-ips drop; reference:cve,2015-5674; classtype:policy-violation; sid:43755; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Sami FTP RETR denial of service attempt"; flow:to_server,established; content:"RETR A|0D 0A|"; fast_pattern:only; metadata:service ftp; reference:cve,2008-5105; classtype:denial-of-service; sid:43753; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER Sun Solaris dhcpd malformed bootp denial of service attempt"; flow:to_server; content:"|63 82 53 63|"; depth:4; offset:236; content:"|39 02|"; distance:0; byte_test:2,>,277,0,relative; byte_test:2,<,285,0,relative; metadata:service dhcp; reference:bugtraq,32213; reference:cve,2007-5365; classtype:denial-of-service; sid:43752; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER multiple vulnerabilities malformed mp3 buffer overflow attempt"; flow:to_server,established; content:"Content-Disposition: attachment|3B| filename="; content:".mp3"; within:50; fast_pattern; nocase; file_data; content:!"|FF FB|"; depth:2; metadata:service smtp; reference:cve,2011-5129; reference:cve,2012-6044; classtype:attempted-admin; sid:43730; rev:1;)
# alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg:"SERVER-OTHER XChat heap buffer overflow attempt"; flow:to_client,established; content:"|14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14|"; depth:20; isdataat:1000,relative; metadata:service ircd; reference:cve,2011-5129; classtype:attempted-admin; sid:43728; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 54345 (msg:"SERVER-OTHER HPE LoadRunner buffer overflow exploitation attempt"; flow:to_server,established; content:"(-server_type=2)"; fast_pattern:only; content:"(-server_name="; content:!")"; within:224; reference:bugtraq,90975; reference:cve,2016-4359; classtype:attempted-user; sid:43705; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2001 (msg:"SERVER-OTHER Monkey HTTPD null request denial of service attempt"; flow:to_server,established; content:"|20 2F|"; content:"|00 20|"; within:5; fast_pattern; reference:cve,2013-3724; classtype:denial-of-service; sid:43700; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SERVER-OTHER WSFTP IpSwitch custom SITE command execution attempt"; flow:to_server,established; content:"SITE SETC"; nocase; metadata:ruleset community, service ftp; reference:cve,2004-1885; classtype:attempted-admin; sid:43663; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-OTHER Real Networks Helix Server RTSP denial of service attempt"; flow:to_server,established; content:"DESCRIBE / RTSP/1.0|0A|Session:|0A|"; fast_pattern:only; metadata:service rtsp; reference:cve,2004-0389; classtype:denial-of-service; sid:43621; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-OTHER Real Networks Helix Server RTSP denial of service attempt"; flow:to_server,established; content:"GET_PARAMETER / RTSP/1.0"; fast_pattern:only; metadata:service rtsp; reference:cve,2004-0389; classtype:denial-of-service; sid:43620; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER Piwigo LocalFiles editor cross-site request forgery attempt"; flow:to_server,established; file_data; content:"/admin.php"; nocase; content:"page="; within:50; nocase; content:"plugin-LocalFilesEditor"; within:50; nocase; content:"method="; within:50; nocase; content:"post"; within:25; nocase; metadata:service smtp; reference:cve,2013-1468; classtype:web-application-attack; sid:43611; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Piwigo LocalFiles editor cross-site request forgery attempt"; flow:to_client,established; file_data; content:"/admin.php"; nocase; content:"page="; within:50; nocase; content:"plugin-LocalFilesEditor"; within:50; nocase; content:"method="; within:50; nocase; content:"post"; within:25; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-1468; classtype:web-application-attack; sid:43610; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"SERVER-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt"; flow:to_server; file_data; content:"ESDD"; depth:4; content:"|04 00 0C FE FF 41 FE FF 42 FE FF 43 FE FF 44|"; within:15; distance:2; reference:cve,2010-4538; classtype:attempted-admin; sid:43602; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Oracle Demantra information disclosure attempt"; flow:to_server,established; content:"/demantra/GraphServlet"; fast_pattern:only; http_uri; content:"filename="; http_client_body; metadata:service http; reference:bugtraq,64831; reference:cve,2013-5877; classtype:attempted-recon; sid:43596; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER Oracle DBMS AUTH_ALTER_SESSION SQL injection attempt"; flow:to_server,established; content:"|06 00|"; depth:2; offset:4; content:"|03 73|"; within:2; distance:4 ; content:"|12|AUTH_ALTER_SESSION"; content:"--"; within:255; reference:bugtraq,84088; reference:cve,2006-0547; reference:url,www.securityfocus.com/archive/1/422253/30/0/threaded; classtype:attempted-admin; sid:43581; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER Cisco IOS DHCP denial of service attempt"; flow:to_server; content:"|01|"; depth:1; content:"|00|"; within:1; distance:1; content:!"|3D|"; distance:0; metadata:service dhcp; reference:cve,2013-5475; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-dhcp; classtype:attempted-dos; sid:43573; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 50000 (msg:"SERVER-OTHER LAN Messenger initiation request buffer overflow attempt"; flow:to_server,established; content:"MSG"; depth:3; isdataat:1000,relative; reference:cve,2012-3845; classtype:denial-of-service; sid:43566; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-OTHER Aerospike Database Server si_prop stack buffer overflow attempt"; flow:to_server,established; content:"|03|"; depth:1; offset:1; content:"|00 04|"; within:2; distance:24; content:"|00|"; within:1; distance:6; byte_jump:4,-5,relative; content:"|16|"; within:1; distance:4; byte_jump:4,-5,relative; content:"|1A|"; within:1; distance:4; byte_jump:4,-5,relative; content:"|01|"; within:1; distance:4; byte_test:4,>,84,-5,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-9054; reference:url,www.talosintelligence.com/reports/TALOS-2016-0268; classtype:attempted-user; sid:43561; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SERVER-OTHER CCProxy telnet ping buffer overflow attempt"; flow:to_server,established; content:"p "; isdataat:20,relative; content:!"|0D 0A|"; within:20; metadata:service telnet; reference:cve,2004-2685; classtype:attempted-user; sid:43542; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2000 (msg:"SERVER-OTHER Cisco ASA malformed SCCP packet denial of service attempt"; flow:to_server,established; content:"|00 00 00 00 30 00 00 00|"; depth:12; offset:4; byte_test:4,>,6,16,relative,little; reference:cve,2010-0151; classtype:denial-of-service; sid:43525; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Cisco IOS authentication proxy authentication request attempt"; flow:to_server,established; content:"uname="; nocase; content:"pwd="; nocase; content:"Submit=Log+in"; fast_pattern:only; content:"Referer: "; http_header; content:"/php/auth/login.php"; distance:0; nocase; http_header; metadata:service http; reference:cve,2009-2863; classtype:attempted-user; sid:43514; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2810 (msg:"SERVER-OTHER HP Intelligent Management Center dbman RestartDB opcode command injection attempt"; flow:to_server,established; content:"|00 00 27 18|"; depth:4; content:"|30|"; within:1; distance:4; pcre:"/\x04.[^\x04]*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/s"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,98469; reference:cve,2017-5816; reference:url,h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03745en_us; classtype:attempted-admin; sid:43464; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Proface GP-Pro EX EX-ED BeginPreRead stack buffer overflow attempt"; flow:to_client,established; file_data; content:"|7F 77|"; fast_pattern; content:!"|7F 77|"; within:521; content:"|00 02|"; within:2; distance:257; content:"|01 F0|"; within:2; distance:1; content:"|00 F0|"; within:2; distance:2; content:"|00 02|"; within:2; distance:1; content:!"|00 00|"; within:40; distance:12; metadata:service http; reference:cve,2016-2292; classtype:attempted-user; sid:43397; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Karjasoft Sami HTTP Server denial of service attempt"; flow:to_server,established; content:"|2F FF FF FF FF FF|"; fast_pattern:only; http_uri; content:"/%n%n%n%n%n"; depth:11; http_raw_uri; metadata:service http; reference:cve,2007-0548; classtype:denial-of-service; sid:43349; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Cisco ASA 5500 series denial of service attempt"; flow:to_server,established; content:"/|FF|"; depth:2; fast_pattern; http_uri; content:"/%%"; depth:3; http_raw_uri; metadata:service http; reference:cve,2010-0149; classtype:denial-of-service; sid:43297; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Moore Industries NCS denial of service attempt"; flow:to_client,established; file_data; content:"|EF 59 78 F1 31 EF 59 78 F1 31 EF 59 78 F1 31 EF 59 78 F1 31 EF 59 78 F1 31 EF 59 78 F1 31|"; fast_pattern:only; reference:url,www.miinet.com; classtype:attempted-dos; sid:43116; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Magento unauthenticated arbitrary file write attempt"; flow:to_server,established; content:"rest/V1/guest-carts/"; http_uri; content:"/set-payment-information"; distance:0; http_uri; content:"stat_file_name"; http_client_body; content:"components"; within:200; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-4010; reference:url,netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-execution/; classtype:attempted-admin; sid:43109; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2001 (msg:"SERVER-OTHER Novus WS10 Data Server buffer overflow attempt"; flow:to_server,established; content:"|EB 14|"; content:"|AD BB C3 77|"; within:100; content:"|B4 73 ED 77|"; fast_pattern:only; reference:url,novusautomation.com; classtype:attempted-admin; sid:43105; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7131 (msg:"SERVER-OTHER Ecava IntegraXor SCADA information leak attempt"; flow:to_server,established; content:"POST"; depth:4; nocase; content:"/getdata"; fast_pattern:only; content:"function="; nocase; content:"sql"; within:250; nocase; pcre:"/[?&]function=[^&]*?sql/i"; metadata:service http; reference:url,www.integraxor.com; classtype:attempted-admin; sid:43094; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-OTHER IBM Lotus Domino IMAP server CRAM-MD5 authentication buffer overflow attempt"; flow:to_server; flowbits:isset,file.crammd5; dsize:>273; metadata:policy max-detect-ips drop, service imap; reference:cve,2007-1675; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21257028; classtype:attempted-admin; sid:43068; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [1556,13720] (msg:"SERVER-OTHER NetBackup bprd remote file write attempt"; flow:to_server,established; content:"71"; content:"localhost"; distance:0; content:"root"; distance:0; content:"/netbackup/"; distance:0; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-8857; reference:url,www.veritas.com/content/support/en_US/security/VTS17-004.html; classtype:attempted-admin; sid:43064; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1556 (msg:"SERVER-OTHER Veritas Netbackup bprd remote code execution attempt"; flow:to_server,established; content:"extension=bprd"; fast_pattern:only; content:"329199 112"; content:!"|0A|"; within:25; content:"`"; within:25; content:"`"; within:25; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-8856; reference:url,www.veritas.com/content/support/en_US/security/VTS17-004.html; classtype:attempted-user; sid:43055; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 9000 (msg:"SERVER-OTHER RaySharp DVR administrative interface access attempt"; flow:to_server,established; content:"REMOTE HI_SRDK_SYS_USERMNG_GetUserList"; depth:38; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,community.rapid7.com/community/metasploit/blog/2013/01/23/ray-sharp-cctv-dvr-password-retrieval-remote-root; reference:url,console-cowboys.blogspot.com/2013/01/swann-song-dvr-insecurity.html; classtype:attempted-admin; sid:43045; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9000 (msg:"SERVER-OTHER RaySharp DVR administrative interface access attempt"; flow:to_server,established; content:"REMOTE HI_SRDK_"; depth:15; reference:url,community.rapid7.com/community/metasploit/blog/2013/01/23/ray-sharp-cctv-dvr-password-retrieval-remote-root; reference:url,console-cowboys.blogspot.com/2013/01/swann-song-dvr-insecurity.html; classtype:attempted-admin; sid:43044; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER HP Operations Orchestration unauthorized serialized object attempt"; flow:to_server,established; content:"POST"; http_method; content:"/oo/backwards-compatibility/wsExecutionBridgeService"; fast_pattern:only; nocase; http_uri; content:"|AC ED 00 05|"; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-8519; reference:url,h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05361944; classtype:attempted-user; sid:43007; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SERVER-OTHER Moxa AWK-3131A backdoor root account access attempt"; flow:to_server,established; content:"94jo3dkru4"; fast_pattern:only; content:"moxaiwroot"; metadata:policy max-detect-ips drop, policy security-ips drop, service telnet; reference:cve,2016-8717; reference:url,www.talosintelligence.com/reports/TALOS-2016-0231; classtype:attempted-admin; sid:40758; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 953 (msg:"SERVER-OTHER ISC BIND malformed control channel authentication message denial of service attempt"; flow:to_server,established; content:"|00 00 00 01|"; depth:4; offset:4; content:"|05|_ctrl"; fast_pattern; byte_test:1,!=,2,0,relative; metadata:policy max-detect-ips drop; reference:cve,2016-1285; reference:url,kb.isc.org/article/AA-01363/81/BIND-9.10.3-P4-Release-Notes.html; classtype:attempted-dos; sid:43846; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 30005 (msg:"SERVER-OTHER IBM Tivoli Storage Manager FastBack mount service code execution attempt"; flow:to_server,established; isdataat:7; content:"|04 00 00 00|"; depth:4; metadata:policy max-detect-ips drop; reference:bugtraq,42549; reference:cve,2010-3058; classtype:attempted-admin; sid:43829; rev:1;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER Randombit Botan Library X509 DistinguishedName out of bounds read attempt"; flow:to_client,established; content:"|06 03 55 04 03 0C|"; byte_test:1,<,0x80,0,relative; byte_extract:1,0,len,relative; content:!"|00|"; within:1; content:"|20 00|"; within:len; isdataat:1,relative; content:!"|30|"; within:1; metadata:service ssl; reference:cve,2017-2801; reference:url,www.talosintelligence.com/reports/TALOS-2017-0294/; classtype:attempted-user; sid:42015; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER WolfSSL X509 parsing off-by-one code execution attempt"; flow:to_client,established; ssl_state:server_hello; content:"|02 09 00 FA 85 67 0E 2A E1 5B 65 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05|"; fast_pattern:only; metadata:service ssl; reference:cve,2017-2800; reference:url,www.talosintelligence.com/reports/TALOS-2017-0293; classtype:attempted-user; sid:42000; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER InsideSecure MatrixSSL x509 IssuerDomainPolicy remote code execution attempt"; flow:to_client,established; content:"|30 82|"; depth:2; content:"|06 03 55 1D 21 04 81 85 30 81 82 30 18 06 0A 60 76 48 01 65 03 02 01 03 01|"; fast_pattern:only; metadata:service ssl; reference:cve,2017-2780; reference:cve,2017-2781; reference:url,www.talosintelligence.com/reports/TALOS-2017-0276/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0277/; classtype:attempted-user; sid:41467; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5801 (msg:"SERVER-OTHER Moxa AWK-3131A serviceAgent information disclosure attempt"; flow:to_server,established; content:"|00 01 00 01 00 00 00|"; content:"|00 00 00 00 00 00 00 00 00 00 00|"; within:12; content:"|00 0C 29 D3 E0 26 00 90 E8 57 23 07 00 00 00|"; within:16; content:"|00 02 00 06 00 18 00 00 00 00|"; within:11; reference:cve,2016-8724; reference:url,www.talosintelligence.com/reports/TALOS-2016-0238; classtype:attempted-recon; sid:41097; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 50021 (msg:"SERVER-OTHER Foscam C1 backdoor account ftp login attempt"; flow:to_server,established; content:"PASS r|0D 0A|"; fast_pattern:only; flowbits:isset,foscam_ftp; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp; reference:cve,2016-8731; reference:url,www.talosintelligence.com/reports/TALOS-2016-0245; classtype:attempted-user; sid:40909; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 50021 (msg:"SERVER-OTHER Foscam C1 backdoor account ftp login attempt"; flow:to_server,established; content:"USER r|0D 0A|"; fast_pattern:only; flowbits:set,foscam_ftp; flowbits:noalert; metadata:service ftp; reference:cve,2016-8731; reference:url,www.talosintelligence.com/reports/TALOS-2016-0245; classtype:attempted-user; sid:40908; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2810 (msg:"SERVER-OTHER HP Intelligent Management Center dbman BackupZipFile opcode command injection attempt"; flow:to_server,established; content:"|00 00 27 14|"; depth:4; content:"|30 81|"; within:2; distance:4; pcre:"/\x04.[^\x04\x02]*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/s"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,98493; reference:cve,2017-5820; reference:url,h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03746en_us; classtype:attempted-admin; sid:43850; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2810 (msg:"SERVER-OTHER HP Intelligent Management Center dbman RestoreZipFile opcode command injection attempt"; flow:to_server,established; content:"|00 00 27 16|"; depth:4; content:"|30 81|"; within:2; distance:4; pcre:"/\x04.[^\x04\x02]*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/s"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,98493; reference:cve,2017-5821; reference:url,h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03746en_us; classtype:attempted-admin; sid:43849; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5001:5002 (msg:"SERVER-OTHER Sybase Open Server function pointer array code execution attempt"; flow:to_server,established; content:"|02|"; depth:1; content:!"|02 00|"; within:2; distance:131; content:!"|02 01|"; within:2; distance:131; content:!"|03 00|"; within:2; distance:131; content:!"|03 01|"; within:2; distance:131; reference:bugtraq,48934; reference:url,www.sybase.com/detail?id=1094235; classtype:attempted-admin; sid:43959; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER Konqueror KDE ftp iframe denial of service attempt"; flow:to_server,established; file_data; content:"iframe"; nocase; content:"src"; within:100; nocase; content:"ftp://"; within:10; fast_pattern; metadata:service smtp; reference:cve,2007-1308; classtype:attempted-admin; sid:43988; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Konqueror KDE ftp iframe denial of service attempt"; flow:to_client,established; file_data; content:"iframe"; nocase; content:"src"; within:100; nocase; content:"ftp://"; within:10; fast_pattern; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2007-1308; classtype:attempted-admin; sid:43987; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13666 (msg:"SERVER-OTHER LCDproc test_func buffer overflow attempt"; flow:to_server,established; content:"test_func"; depth:9; isdataat:1000,relative; reference:bugtraq,10085; classtype:attempted-admin; sid:44041; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13666 (msg:"SERVER-OTHER LCDproc parse_all_client_messages buffer overflow attempt"; flow:to_server,established; content:"i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i"; fast_pattern:only; reference:cve,2004-1915; classtype:attempted-admin; sid:44038; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER WebPageTests upload feature remote file upload attempt"; flow:to_server,established; content:"POST"; http_method; content:"/work/resultimage.php"; fast_pattern:only; http_uri; metadata:service http; reference:url,support.ixiacom.com/strikes/exploits/webapp/upload/webpagetes_upload_feature_resultimage_php.xml; classtype:attempted-user; sid:44105; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [1645,1812] (msg:"SERVER-OTHER FreeRADIUS invalid WiMAX VSA length out of bounds write attempt"; flow:stateless; content:"|01|"; depth:1; content:"|1A|"; within:1; distance:19; byte_extract:1,0,avpLen,relative; content:"|00 00 60 B5|"; within:4; byte_test:1,>,avpLen,1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service radius; reference:bugtraq,99901; reference:cve,2017-10979; classtype:attempted-admin; sid:44085; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER tcpdump ISAKMP parser buffer overflow attempt"; flow:to_server; content:"|21 20 22|"; depth:15; offset:12; content:!"|00|"; within:1; distance:13; content:!"|02|"; within:1; distance:13; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-5205; classtype:attempted-user; sid:44161; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 4500 (msg:"SERVER-OTHER tcpdump ISAKMP parser buffer overflow attempt"; flow:to_server; content:"|00 00 00 00|"; depth:4; content:"|21 20 22|"; within:3; distance:16; fast_pattern; content:!"|00|"; within:1; distance:13; content:!"|02|"; within:1; distance:13; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-5205; classtype:attempted-user; sid:44160; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER Multmedia Builder MEF buffer overflow attempt"; flow:to_server,established; content:"Content-Disposition: attachment|3B| filename="; content:".mef"; within:25; fast_pattern; nocase; dsize:>500; metadata:service smtp; reference:url,support.ixiacom.com/strikes/exploits/misc/multimedia_builder_mef_DoS.xml; classtype:attempted-admin; sid:44152; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13666 (msg:"SERVER-OTHER LCDproc test_func format string code execution attempt"; flow:to_server,established; content:"test_func"; depth:9; content:"|25|"; within:25; reference:cve,2004-1917; classtype:attempted-admin; sid:44143; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP data protector OmniInet service NULL dereference denial of service attempt"; flow:to_server,established; content:"|FF FE 32 00 00 00 20 00|"; depth:12; offset:4; byte_jump:4,-12,relative,post_offset -4; content:!"|00 00 00 00|"; within:4; metadata:policy max-detect-ips drop; reference:url,support.ixiacom.com/strikes/denial/misc/hp_data_protector_omnilnet_dos.xml; classtype:denial-of-service; sid:44219; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [5001,5002] (msg:"SERVER-OTHER Sybase Open Server TDS login packet stack memory corruption attempt"; flow:to_server,established; content:"|02 01|"; depth:2; content:"|00 00 00 00|"; within:4; distance:2; byte_test:1,>,6,563,relative; metadata:policy max-detect-ips drop; reference:url,support.ixiacom.com/strikes/denial/misc/sybase_open_server_stack_null_byte.xml; classtype:attempted-admin; sid:44215; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 19813 (msg:"SERVER-OTHER HP Data Protector memory corruption attempt"; flow:to_server,established; content:"|FF FF|"; depth:6; offset:4; content:"|01|"; depth:9; offset:8; reference:url,aluigi.altervista.org/adv/hpdpmedia_2-adv.txt; classtype:attempted-user; sid:44203; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8903 (msg:"SERVER-OTHER Sybase M-Business Anywhere agSoap.exe closing tag buffer overflow attempt"; flow:to_server,established; content:"/agsoap"; nocase; content:"<SOAP-ENV:"; distance:0; nocase; content:"<"; distance:0; isdataat:500,relative; content:!">"; within:500; reference:bugtraq,47775; classtype:attempted-admin; sid:44202; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SERVER-OTHER Verso NetPerformer frame relay access device telnet buffer overflow attempt"; flow:to_server,established; content:"LOGIN"; depth:5; isdataat:1000,relative; content:!"|0D 0A|"; within:1000; metadata:service telnet; reference:bugtraq,19989; classtype:denial-of-service; sid:44201; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2810 (msg:"SERVER-OTHER HP Intelligent Management Center dbman BackupDBase opcode command injection attempt"; flow:to_server,established; content:"|00 00 27 15|"; depth:4; content:"|30|"; within:1; distance:4; pcre:"/\x04.[^\x04\x02]*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/s"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,99925; reference:cve,2017-8954; reference:url,h20564.www2.hpe.com/hpsc/doc/public/display?docId=hpesbhf03764en_us; classtype:attempted-admin; sid:44191; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [1645,1812] (msg:"SERVER-OTHER FreeRADIUS data2vp_wimax out of bounds write attempt"; flow:stateless; content:"|01|"; depth:1; content:"|1A|"; within:1; distance:19; content:"|00 00 60 B5|"; within:4; distance:1; byte_extract:1,1,vsaLen,relative; content:"|80|"; within:1; content:"|B5|"; within:1; distance:-4; isdataat:!vsaLen,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service radius; reference:bugtraq,99876; reference:cve,2017-10984; reference:url,freeradius.org/security/fuzzer-2017.html; classtype:attempted-admin; sid:44293; rev:3;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"SERVER-OTHER Symantec Firewalls DNS response denial of service attempt"; flow:to_server; content:"|80 00 00 01 00 01|"; byte_test:1,>=,0x40,4,relative; metadata:service dns; reference:cve,2004-0445; classtype:denial-of-service; sid:44320; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SERVER-OTHER Novell iPrint Client buffer overflow attempt"; flow:to_client,established; file_data; content:"iprint-client-config-info"; isdataat:27,relative; content:!"printer-state"; within:42; content:!"|00|"; within:25; distance:2; reference:cve,2011-1706; classtype:attempted-user; sid:44326; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2810 (msg:"SERVER-OTHER HP Intelligent Management Center dbman RestoreDBase opcode command injection attempt"; flow:to_server,established; content:"|00 00 27 17|"; depth:4; content:"|30|"; within:1; distance:4; pcre:"/\x04.[^\x04\x02]*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/s"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,98469; reference:cve,2017-5817; reference:url,h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03745en_us; classtype:attempted-admin; sid:44337; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER Open SSL 1.0.2 DoS attempt with an invalid signature algorithm"; flow:to_server,established; ssl_state:client_hello; file_data; content:"|00|"; depth:1; offset:43; content:"|00 0D 00 04 00 02|"; distance:0; byte_test:1,>,3,1,relative; content:"|FF 01|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0291; reference:url,www.openssl.org/news/secadv/20150319.txt; classtype:denial-of-service; sid:44375; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER Open SSL 1.0.2 DoS attempt with an invalid hash algorithm"; flow:to_server,established; ssl_state:client_hello; file_data; content:"|00|"; depth:1; offset:43; content:"|00 0D 00 04 00 02|"; distance:0; byte_test:1,>,6,0,relative; content:"|FF 01|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0291; reference:url,www.openssl.org/news/secadv/20150319.txt; classtype:denial-of-service; sid:44374; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"SERVER-OTHER Tipping Point IPS reverse DNS lookup format string exploit attempt"; flow:to_client; content:"%n%n%n%n"; fast_pattern:only; reference:url,support.ixiacom.com/strikes/exploits/ids/tippingpoint_reverse_dns_lookup_format_string.xml; classtype:denial-of-service; sid:44418; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 19541 (msg:"SERVER-OTHER D-Link router remote reboot attempt"; flow:to_server; content:"EXEC REBOOT SYSTEM"; fast_pattern:only; reference:url,embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-link-routers-cruisin-bruisin; classtype:misc-activity; sid:44382; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5159 (msg:"SERVER-OTHER General Electric Proficy malicious log forwarding request attempt"; flow:to_server,established; content:"|00|D|00|E|00|F|00|A|00|U|00|L|00|T|00 00|"; content:"|00 5C 00 5C|"; within:4; distance:2; metadata:ruleset limited; classtype:attempted-recon; sid:35921; rev:2;)
alert tcp any any -> $HOME_NET 5159 (msg:"SERVER-OTHER General Electric Proficy memory leakage request attempt "; flow:to_server,established; content:"|00 00 00 04|"; depth:4; offset:12; byte_test:4,>,0x1000,3,big; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset limited; classtype:attempted-recon; sid:35920; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 15869 (msg:"SERVER-OTHER Websense Triton Web Security untrusted remote file creation attempt"; flow:stateless; content:"|00 00 00 0C|Xid User Map"; nocase; content:"|5C 5C|"; within:2; distance:4; metadata:ruleset limited; classtype:policy-violation; sid:35917; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 15869 (msg:"SERVER-OTHER Websense Triton Web Security untrusted remote file creation attempt"; flow:stateless; content:"|00 00 00 0C|Xid User Map"; nocase; content:"|2F 2F|"; within:2; distance:4; metadata:ruleset limited; classtype:policy-violation; sid:35916; rev:2;)
alert tcp $HOME_NET 6780 -> $EXTERNAL_NET any (msg:"SERVER-OTHER Siemens Desigo Insight information disclosure attempt "; flow:to_client,established; content:"|0D 03 00 00|"; depth:4; content:"|5A|"; within:1; distance:3; content:"|00|ools-"; distance:0; content:"|00|SYSTEM|00|"; within:12; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset limited; reference:url,www.buildingtechnologies.siemens.com/bt/global/en/buildingautomation-hvac/buildingautomation/building-automation-and-control-system-europe-desigo/management-station/pages/managementstation.aspx; classtype:attempted-admin; sid:35910; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6780 (msg:"SERVER-OTHER Siemens Desigo Insight buffer overflow attempt "; flow:to_server,established; dsize:32; content:"|0D 03 00 00|"; depth:4; content:"|81|"; within:1; distance:3; byte_test:4,>,0x100,0,relative; pcre:"/^.{12}[^\x00\x40\xff]{20}$/"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset limited; reference:url,www.buildingtechnologies.siemens.com/bt/global/en/buildingautomation-hvac/buildingautomation/building-automation-and-control-system-europe-desigo/management-station/pages/managementstation.aspx; classtype:attempted-admin; sid:35909; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1234 (msg:"SERVER-OTHER SCADA InduSoft Web Studio buffer overflow attempt"; flow:to_server,established; content:"|02 31|"; depth:40; isdataat:1024,relative; content:!"|03|"; within:1024; metadata:ruleset limited; classtype:attempted-user; sid:35904; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8011 (msg:"SERVER-OTHER GE Proficy CIMPLICITY Marquee Manager stack buffer overflow attempt "; flow:to_server,established; content:"ADMIN|3B|DETAIL|3B|"; depth:13; isdataat:1400,relative; content:!"|3B 0D|"; within:1400; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset limited; classtype:attempted-admin; sid:35896; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER GE Proficy Real-Time Information Portal arbitrary dll load attempt"; flow:to_server,established; content:"|00|S|00|T|00|U|00|B|00|L|00|I|00|B|00|=|00 5C 00 5C|"; depth:20; offset:4; content:".|00|d|00|l|00|l|00|"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset limited; classtype:attempted-admin; sid:35893; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER GE Proficy Real-Time Information Portal arbitrary dll load attempt"; flow:to_server,established; content:"|00|S|00|T|00|U|00|B|00|L|00|I|00|B|00|=|00 2F 00 2F|"; depth:20; offset:4; content:".|00|d|00|l|00|l|00|"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset limited; classtype:attempted-admin; sid:35892; rev:3;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER dnsmasq IPv6 heap overflow attempt"; itype:133; icode:0; content:"|01|"; depth:1; offset:4; byte_test:1,>,128,0,relative; reference:cve,2017-14492; classtype:attempted-admin; sid:44481; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 547 (msg:"SERVER-OTHER dnsmasq Relay-forw information leak attempt"; flow:to_server; content:"|0C|"; depth:1; byte_test:1,>,32,0,relative; content:"|00 09|"; within:2; distance:33; content:"|00 02|"; within:2; distance:6; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-14494; classtype:attempted-recon; sid:44480; rev:2;)
# alert udp any any -> $HOME_NET 547 (msg:"SERVER-OTHER dnsmasq dhcp6_maybe_relay stack buffer overflow attempt"; flow:to_server; content:"|0C|"; depth:1; content:"|00 4F|"; within:2; distance:33; byte_test:2,>,18,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-14493; reference:url,security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; classtype:attempted-admin; sid:44477; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 3200 (msg:"SERVER-OTHER SAP Netweaver Dynpro Engine denial of service attempt"; flow:to_server,established; content:"|00 80 00 00 04 4C 00 00 13 89 10 04 0B 00 20 FF 7F FE 2D DA B7 37 D6 74 08 7E 13 05 97 15 97 EF|"; fast_pattern:only; reference:bugtraq,96874; reference:cve,2017-9845; reference:url,erpscan.com/advisories/erpscan-17-015-sap-netweaver-dispwork-anonymous-denial-service/; classtype:attempted-dos; sid:44468; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-OTHER Advantech WebAccess buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:0; file_data; content:"|81 38 01 00|"; content:!"|00|"; within:12; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:cve,2016-0851; reference:url,www.advantech.com/industrial-automation/webaccess/introduction; classtype:attempted-user; sid:44502; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-OTHER Advantech WebAccess buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:1; file_data; content:"|81 38 01 00|"; content:!"|00|"; within:12; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:cve,2016-0851; reference:url,www.advantech.com/industrial-automation/webaccess/introduction; classtype:attempted-user; sid:44501; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9001 (msg:"SERVER-OTHER Supervisord remote code execution attempt"; flow:to_server,established; content:"/RPC2"; fast_pattern:only; file_data; content:"<methodCall>"; content:"<methodName>supervisor.supervisord.options."; distance:0; content:"</methodName>"; distance:0; content:"<params>"; distance:0; content:"<param>"; distance:0; content:"<string>"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-11610; reference:url,supervisord.org/; classtype:attempted-user; sid:44483; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-OTHER Novell eDirectory LDAP server buffer overflow attempt"; flow:to_server,established; content:"|30 84|"; depth:2; byte_test:4,>,0xFFFFFF,0,relative,little; metadata:policy max-detect-ips drop, service ldap; reference:url,download.novell.com/Download?buildid=bXPFv5btgsA; classtype:attempted-user; sid:44604; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER TrendMicro OfficeScan LogonUser buffer overflow attempt"; flow:to_server,established; content:"/officescan/console/html/cgi/cgiShowClientAdm.exe"; fast_pattern:only; http_uri; content:"LogonUser"; nocase; http_cookie; pcre:"/LogonUser\s*?=\s*?[^\x3b]{100}/Ci"; metadata:service http; reference:cve,2017-14089; classtype:attempted-user; sid:44581; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8161 (msg:"SERVER-OTHER Samsung Security Manager ActiveMQ cross site scripting attempt"; flow:to_server,established; content:"/admin/browse.jsp"; nocase; content:"JMSDestination="; distance:0; nocase; pcre:"/[?&]JMSDestination=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; reference:cve,2015-3435; classtype:web-application-attack; sid:44577; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8161 (msg:"SERVER-OTHER Samsung Security Manager ActiveMQ arbitrary file upload attempt"; flow:to_server,established; content:"/fileserver/"; fast_pattern; nocase; content:"admin"; within:50; nocase; pcre:"/\x2ffileserver\x2f(((\x2e|%2e)(\x2e|%2e))(\x2f|%2f|\x5c|%5c))/i"; reference:cve,2015-3435; classtype:attempted-admin; sid:44576; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-OTHER Ipass Client control pipe remote code execution attempt"; flow:to_server,established; content:"|5C|IPEFSYSPCPIPE"; fast_pattern:only; reference:url,codewhitesec.blogspot.com/2015/02/how-i-could-ipass-your-client-security.html; classtype:attempted-admin; sid:44574; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8291 (msg:"SERVER-OTHER Mikrotik RouterOS denial of service attempt"; flow:to_server,established; content:"|12 02|"; depth:2; content:"|FF ED 00 00 00 00|"; distance:0; metadata:ruleset community; reference:cve,2012-6050; classtype:denial-of-service; sid:44643; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11460 (msg:"SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt"; flow:to_server,established; content:"|33 05 00 00|"; depth:4; offset:16; content:"SourceFile"; distance:0; fast_pattern; byte_extract:4,24,msg_len; content:"|22|"; depth:msg_len; offset:52; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset limited; reference:cve,2015-1923; reference:cve,2015-1938; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21959398; classtype:attempted-admin; sid:44634; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SERVER-OTHER Colorado FTP Server directory traversal attempt"; flow:to_server,established; content:"retr"; nocase; content:"|5C 5C 5C|"; distance:0; pcre:"/retr.*?\x5c\x5c\x5c.*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/i"; metadata:service ftp; reference:url,seclists.org/pen-test/2016/Aug/0; classtype:attempted-user; sid:44633; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Mikrotik RouterOS SNMP security bypass attempt"; flow:to_server; content:"|30|"; content:"|02 01 00 04|"; within:4; distance:1; byte_jump:1,0,relative; content:"|A3|"; within:1; metadata:service snmp; reference:cve,2008-6976; classtype:attempted-admin; sid:44663; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER D-Link DIR-300 and DIR-600 information disclosure attempt"; flow:to_server,established; content:"/DevInfo.txt"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.s3cur1ty.de/m1adv2013-003; classtype:attempted-recon; sid:44662; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER D-Link DIR-300 and DIR-600 information disclosure attempt"; flow:to_server,established; content:"/router_info.xml"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.s3cur1ty.de/m1adv2013-003; classtype:attempted-recon; sid:44661; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER D-Link DIR-300 and DIR-600 command execution attempt"; flow:to_server,established; content:"/command.php"; fast_pattern:only; http_uri; content:"cmd="; nocase; http_client_body; metadata:service http; reference:url,www.s3cur1ty.de/m1adv2013-003; classtype:attempted-admin; sid:44660; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Easy Chat Server buffer overflow attempt"; flow:to_server,established; content:"/registresult.htm"; fast_pattern:only; http_uri; content:"UserName="; nocase; http_uri; isdataat:150,relative; content:!"&"; within:150; http_uri; metadata:service http; reference:bugtraq,67384; reference:cve,2004-2466; classtype:attempted-admin; sid:44666; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Easy Chat Server buffer overflow attempt"; flow:to_server,established; content:"/registresult.htm"; fast_pattern:only; http_uri; content:"UserName="; nocase; http_client_body; isdataat:150,relative; content:!"&"; within:150; http_client_body; metadata:service http; reference:bugtraq,67384; reference:cve,2004-2466; classtype:attempted-admin; sid:44665; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"SERVER-OTHER Veritas Backup Exec Agent use after free attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 09 01|"; depth:8; offset:12; content:"|00 00 00 00 00 00 09 01|"; within:8; distance:128; content:"|00 00 00 00 00 00 09 01|"; within:8; distance:128; content:"|00 00 00 00 00 00 09 01|"; within:8; distance:128; content:"|00 00 00 00 00 00 09 01|"; within:8; distance:128; content:"|00 00 00 00 00 00 09 01|"; within:8; distance:128; content:"|00 00 00 00 00 00 09 01|"; within:8; distance:128; content:"|00 00 00 00 00 00 09 01|"; within:8; distance:128; content:"|00 00 00 00 00 00 09 01|"; within:8; distance:128; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,98386; reference:cve,2017-8895; reference:url,www.veritas.com/product/backup-and-recovery/backup-exec; classtype:attempted-admin; sid:44701; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"SERVER-OTHER Veritas Backup Exec Agent use after free attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 01 01|"; depth:8; offset:12; content:"|00 00 00 00 00 00 01 01|"; within:8; distance:128; content:"|00 00 00 00 00 00 01 01|"; within:8; distance:128; content:"|00 00 00 00 00 00 01 01|"; within:8; distance:128; content:"|00 00 00 00 00 00 01 01|"; within:8; distance:128; content:"|00 00 00 00 00 00 01 01|"; within:8; distance:128; content:"|00 00 00 00 00 00 01 01|"; within:8; distance:128; content:"|00 00 00 00 00 00 01 01|"; within:8; distance:128; content:"|00 00 00 00 00 00 01 01|"; within:8; distance:128; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,98386; reference:cve,2017-8895; reference:url,www.veritas.com/product/backup-and-recovery/backup-exec; classtype:attempted-admin; sid:44700; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 14592 (msg:"SERVER-OTHER Advantech WebAccess MSRPC server integer overflow attempt"; flow:to_server,established; dce_iface:ca9ef8b9-7fe9-4a70-b2a8-bb00fe5e7482; dce_opnum:0; dce_stub_data; content:"|1E 79|"; depth:2; content:"|5C|"; within:1; distance:18; byte_test:4, >, 0xFFFFFEE6, 263, relative, little; metadata:policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:bugtraq,80745; reference:cve,2016-0859; reference:url,www.advantech.com/industrial-automation/webaccess/; classtype:attempted-user; sid:44696; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9200 (msg:"SERVER-OTHER ElasticSearch script remote code execution attempt"; flow:to_server,established; content:"_search"; content:"script"; nocase; content:"File("; distance:0; nocase; metadata:service http; reference:cve,2014-3120; reference:url,bouk.co/blog/elasticsearch-rce/; classtype:attempted-admin; sid:44690; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 30888 (msg:"SERVER-OTHER TVMOBiLi HttpUtils.dll denial of service attempt"; flow:to_server,established; content:"|3A|30888|0D 0A|"; fast_pattern:only; content:"HEAD"; depth:4; nocase; isdataat:150,relative; content:!"|0D 0A|"; within:150; reference:cve,2012-5451; classtype:attempted-admin; sid:44686; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 30888 (msg:"SERVER-OTHER TVMOBiLi HttpUtils.dll denial of service attempt"; flow:to_server,established; content:"|3A|30888|0D 0A|"; fast_pattern:only; content:"GET"; depth:3; nocase; isdataat:150,relative; content:!"|0D 0A|"; within:150; reference:cve,2012-5451; classtype:attempted-admin; sid:44685; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Novell GroupWise Post Office Agent heap overflow attempt"; flow:to_server,established; content:"/gw/webacc"; fast_pattern:only; http_uri; content:"User.id="; nocase; http_client_body; isdataat:500,relative; content:!"&"; within:500; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,2016-5762; classtype:attempted-admin; sid:44683; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Novell GroupWise Post Office Agent heap overflow attempt"; flow:to_server,established; content:"/gw/webacc"; fast_pattern:only; http_uri; content:"User.password="; nocase; http_client_body; isdataat:500,relative; content:!"&"; within:500; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,2016-5762; classtype:attempted-admin; sid:44682; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER Beetel Connection Manager username buffer overflow attempt"; flow:to_server,established; file_data; content:"UserName="; nocase; isdataat:100,relative; content:!"|0D 0A|"; within:100; metadata:service smtp; reference:bugtraq,63414; classtype:attempted-user; sid:44680; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Beetel Connection Manager username buffer overflow attempt"; flow:to_client,established; file_data; content:"UserName="; nocase; isdataat:100,relative; content:!"|0D 0A|"; within:100; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,63414; classtype:attempted-user; sid:44679; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"SERVER-OTHER Wireshark Sigcomp buffer overflow attempt"; flow:to_server; content:"|F8 33 A9 0F 80 00 00 81 00 80|"; depth:10; reference:cve,2010-2287; classtype:attempted-user; sid:44676; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER iSCSI target multiple implementations iSNS stack buffer overflow attempt"; flow:to_server,established; content:"|00 02 00 08|"; depth:4; content:"|00 00 00 20|"; within:4; distance:8; byte_test:4,>,1008,0,relative; byte_test:2,>,1024,4; metadata:policy max-detect-ips drop; reference:bugtraq,41327; reference:cve,2010-2221; classtype:attempted-admin; sid:44675; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7809 (msg:"SERVER-OTHER Oracle GoldenGate Manager process arbitrary file execution attempt"; flow:to_server,established; content:"GGSCI|09|START|09|OBEY|09|"; depth:17; offset:2; reference:cve,2016-0451; reference:url,www.oracle.com/technetwork/middleware/goldengate/overview/index.html; classtype:policy-violation; sid:44721; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Oracle GoldenGate arbitrary file write attempt"; flow:to_server,established; content:"|48 00|"; depth:2; offset:2; content:"|2F|"; within:1; distance:1; reference:cve,2016-0451; reference:url,www.oracle.com/technetwork/middleware/goldengate/overview/index.html; classtype:policy-violation; sid:44720; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Oracle GoldenGate arbitrary file write attempt"; flow:to_server,established; content:"|57|"; depth:1; offset:2; content:"|2F|"; within:1; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:150; reference:cve,2016-0451; reference:url,www.oracle.com/technetwork/middleware/goldengate/overview/index.html; classtype:policy-violation; sid:44719; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Oracle GoldenGate arbitrary file write attempt"; flow:to_server,established; content:"|57|"; depth:1; offset:2; content:":|5C|"; within:2; distance:1; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:150; reference:cve,2016-0451; reference:url,www.oracle.com/technetwork/middleware/goldengate/overview/index.html; classtype:policy-violation; sid:44718; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7809 (msg:"SERVER-OTHER Oracle GoldenGate Collector process remote start attempt"; flow:to_server,established; content:"EXTRACT|09|START|09|SERVER|09|CPU|09|"; depth:25; offset:2; reference:cve,2016-0451; reference:url,www.oracle.com/technetwork/middleware/goldengate/overview/index.html; classtype:policy-violation; sid:44717; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Oracle GoldenGate arbitrary file write attempt"; flow:to_server,established; content:"|48 00|"; depth:2; offset:2; content:":|5C|"; within:2; distance:2; reference:cve,2016-0451; reference:url,www.oracle.com/technetwork/middleware/goldengate/overview/index.html; classtype:policy-violation; sid:44716; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7809 (msg:"SERVER-OTHER Oracle GoldenGate Collector process remote start attempt"; flow:to_server,established; content:"GGSCI|09|START|09|SERVER|09|PORT|09|"; depth:24; offset:2; reference:cve,2016-0451; reference:url,www.oracle.com/technetwork/middleware/goldengate/overview/index.html; classtype:policy-violation; sid:44715; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"NOTIFY "; depth:7; content:"|3A|device|3A|"; isdataat:180,relative; content:!"|3A|"; within:180; metadata:policy security-ips drop, ruleset community, service ssdp; reference:cve,2012-5958; reference:cve,2012-5962; classtype:attempted-admin; sid:44743; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [7180,7181,9850] (msg:"SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt"; flow:to_server,established; file_data; content:"|5C|help|5C|..|5C|..|5C|"; fast_pattern:only; reference:cve,2012-0419; classtype:attempted-recon; sid:44742; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [7180,7181,9850] (msg:"SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt"; flow:to_server,established; file_data; content:"/help/../../../"; fast_pattern:only; reference:cve,2012-0419; classtype:attempted-recon; sid:44741; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [7180,7181,9850] (msg:"SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt"; flow:to_server,established; file_data; content:"/images/../../../"; fast_pattern:only; reference:cve,2012-0419; classtype:attempted-recon; sid:44740; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [7180,7181,9850] (msg:"SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt"; flow:to_server,established; file_data; content:"|5C|images|5C|..|5C|..|5C|..|5C|"; fast_pattern:only; reference:cve,2012-0419; classtype:attempted-recon; sid:44739; rev:1;)
# alert udp any any -> $HOME_NET 123 (msg:"SERVER-OTHER NTP crypto-NAK denial of service attempt"; flow:to_server; dsize:52; byte_test:1,&,32,0; byte_test:1,!&,16,0; byte_test:1,!&,8,0; content:"|00 00 00 00|"; depth:4; offset:47; metadata:service ntp; reference:cve,2016-4957; reference:url,attack.mitre.org/techniques/T1209; classtype:denial-of-service; sid:44756; rev:2;)
# alert udp $DNS_SERVERS 53 -> $EXTERNAL_NET any (msg:"SERVER-OTHER ISC BIND 9 DNS rdata length handling remote denial of service attempt"; flow:to_client; content:"|FF FD|"; offset:12; byte_test:2,>=,4,6,relative; byte_test:2,<=,15,6,relative; pcre:"/\S+?\x00\xff\xfd/i"; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,61479; reference:cve,2013-4854; reference:url,kb.isc.org/article/AA-01015; reference:url,kb.isc.org/article/AA-01016; classtype:denial-of-service; sid:44879; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Mako Web Server arbitrary file upload attempt"; flow:to_server,established; content:"PUT"; http_method; content:"/examples/save.lsp"; fast_pattern:only; http_uri; content:"ex="; http_uri; metadata:service http; reference:url,blogs.securiteam.com/index.php/archives/3391; classtype:attempted-user; sid:44878; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER  Citrix XenApp and XenDesktop XML service memory corruption attempt"; flow:to_server,established; content:"/scripts/"; depth:9; nocase; http_uri; urilen:>350; content:"<NFuseProtocol"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, service http; reference:bugtraq,48898; reference:cve,2008-3257; classtype:attempted-admin; sid:44877; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"SERVER-OTHER Galil RIO-47100 denial of service attempt"; flow:to_server,established; content:"|00|"; content:"|00 00 00 06|"; within:4; distance:1; content:"|01 00|"; within:2; distance:1; content:"|00|"; within:1; distance:1; content:"|00|"; within:1; distance:1; content:"|00 00 00 06|"; within:4; distance:1; content:"|01 00|"; within:2; distance:1; content:"|00|"; within:1; distance:1; content:"|00|"; within:1; distance:1; content:"|00 00 00 06|"; within:4; distance:1; content:"|01 00|"; within:2; distance:1; content:"|00|"; within:1; distance:1; reference:cve,2013-0699; classtype:denial-of-service; sid:44985; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install identification attempt"; flow:to_server,established; content:"|00 00 00 01 00 00 00 01 00 00 00 04 00 00 00 08 00 00 00 01 00 00 00 00|"; depth:24; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/misc/cisco_smart_install.rb; classtype:attempted-recon; sid:44974; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9251 (msg:"SERVER-OTHER QNAP transcode server command injection attempt"; flow:to_server,established; content:"|01 00 00 00|"; depth:4; content:"|7C|"; distance:0; content:"|09|"; within:50; metadata:ruleset community; reference:url,www.qnap.com/en-us/; classtype:attempted-admin; sid:44971; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5984 (msg:"SERVER-OTHER Apache CouchDB remote privilege escalation attempt"; flow:to_server,established; content:"PUT /_users/org.couchdb.user"; fast_pattern:only; content:"|22|roles|22|"; content:"|22|_admin|22|"; within:15; content:"|22|roles|22|"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-12635; classtype:attempted-user; sid:44890; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER Exim malformed BDAT code execution attempt"; flow:to_server,established; content:"BDAT"; fast_pattern:only; pcre:"/BDAT[\x20\x09]+?[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\xff]/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-16943; classtype:attempted-admin; sid:45046; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [13003,13004] (msg:"SERVER-OTHER Geutebrueck GCore web server buffer overflow attempt"; flow:to_server,established; content:"GET "; depth:4; isdataat:200,relative; content:!"|0D 0A|"; within:200; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-11517; classtype:attempted-admin; sid:45081; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Oracle Identity Manager default login attempt"; flow:to_server,established; content:"OIMINTERNAL"; reference:cve,2017-10151; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.oracle.com/technetwork/security-advisory/alert-cve-2017-10151-4016513.html; classtype:attempted-admin; sid:45068; rev:2;)
# alert tcp $EXTERNAL_NET 500 -> $HOME_NET any (msg:"SERVER-OTHER Fatek Automation PLC WinProladder buffer overflow attempt"; flow:to_client,established; content:"fMsmyLDvpFEuSekDiTJdNnHVsnwLGdbP"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,94938; reference:cve,2016-8377; classtype:attempted-user; sid:45107; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER SSDP M-SEARCH ssdp-all potential amplified distributed denial-of-service attempt"; flow:to_server,no_stream; content:"M-SEARCH"; depth:9; content:"ssdp:all"; fast_pattern:only; detection_filter:track by_src,count 50,seconds 1; metadata:ruleset community, service ssdp; reference:cve,2013-5211; reference:url,www.us-cert.gov/ncas/alerts/TA14-017A; classtype:attempted-dos; sid:45157; rev:3;)
# alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"SERVER-OTHER ElectraSoft 32bit FTP PASV reply stack buffer overflow attempt"; flow:to_client,established; content:"227 Entering Passive Mode"; fast_pattern; isdataat:992,relative; content:!"|0D 0A|"; within:992; reference:bugtraq,34838; reference:cve,2009-1675; classtype:attempted-user; sid:45188; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1812 (msg:"SERVER-OTHER WinRadius long password denial of service attempt"; flow:to_server; content:"|01|"; depth:1; content:"|01|"; within:1; distance:19; byte_jump:1,0,relative,post_offset -2; content:"|02|"; within:1; byte_test:1,>,240,0,relative; reference:cve,2012-3816; classtype:misc-activity; sid:45187; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-OTHER Advantech WebAccess dcerpc service opcode 80061 stack buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:1; dce_stub_data; content:"|BD 38 01 00|"; depth:4; offset:4; isdataat:264,relative; content:!"|00|"; within:256; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:bugtraq,101685; reference:cve,2017-14016; reference:url,ics-cert.us-cert.gov/advisories/ICSA-17-306-02; classtype:attempted-admin; sid:45198; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3817 (msg:"SERVER-OTHER HP Data Protector Express DtbClsLogin buffer overflow attempt"; flow:to_server,established; content:"|54 84|"; depth:2; isdataat:260; content:!"|00|"; depth:240; offset:20; metadata:policy max-detect-ips drop; reference:bugtraq,43105; reference:cve,2010-3007; classtype:attempted-user; sid:45205; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt"; flow:to_server,established; ssl_state:client_hello; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; within:1; distance:3; content:"|03|"; within:1; distance:3; content:"|00 00 10 00 9D 00 3D 00 35 00 9C 00 3C 00 2F 00 0A 00 FF|"; within:19; distance:33; metadata:policy max-detect-ips drop, policy security-ips drop, service ssl; reference:cve,2012-5081; reference:cve,2016-6883; reference:cve,2017-1000385; reference:cve,2017-12373; reference:cve,2017-13098; reference:cve,2017-13099; reference:cve,2017-17382; reference:cve,2017-17427; reference:cve,2017-17428; reference:cve,2017-6168; reference:url,robotattack.org; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171212-bleichenbacher; classtype:attempted-recon; sid:45201; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt"; flow:to_server,established; ssl_state:client_hello; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; within:1; distance:3; content:"|03|"; within:1; distance:3; content:"|00 00 04 00 2F 00 FF|"; within:7; distance:33; metadata:policy max-detect-ips drop, policy security-ips drop, service ssl; reference:cve,2012-5081; reference:cve,2016-6883; reference:cve,2017-1000385; reference:cve,2017-12373; reference:cve,2017-13098; reference:cve,2017-13099; reference:cve,2017-17382; reference:cve,2017-17427; reference:cve,2017-17428; reference:cve,2017-6168; reference:url,robotattack.org; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171212-bleichenbacher; classtype:attempted-recon; sid:45200; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt"; flow:to_server,established; ssl_state:client_hello; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; within:1; distance:3; content:"|03|"; within:1; distance:3; content:"|00 00 04 00 9C 00 FF|"; within:7; distance:33; metadata:policy max-detect-ips drop, policy security-ips drop, service ssl; reference:cve,2012-5081; reference:cve,2016-6883; reference:cve,2017-1000385; reference:cve,2017-12373; reference:cve,2017-13098; reference:cve,2017-13099; reference:cve,2017-17382; reference:cve,2017-17427; reference:cve,2017-17428; reference:cve,2017-6168; reference:url,robotattack.org; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171212-bleichenbacher; classtype:attempted-recon; sid:45199; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SERVER-OTHER Polycom HDX Series remote code execution attempt"; flow:to_server,established; content:"lan"; content:"traceroute"; within:15; pcre:"/lan\x20+?traceroute.*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/"; metadata:policy max-detect-ips drop, policy security-ips drop, service telnet; reference:url,support.polycom.com/content/dam/polycom-support/global/documentation/secruity-advisory-hdx.pdf; classtype:attempted-user; sid:45254; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SERVER-OTHER Dahua DVR hard-coded root login attempt"; flow:to_server,established; content:"vizxv"; fast_pattern:only; content:"root"; metadata:policy security-ips drop, service telnet; reference:cve,2013-3612; classtype:attempted-admin; sid:45253; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 12203 (msg:"SERVER-OTHER Medal Of Honor Allied Assault getinfo buffer overflow attempt"; flow:to_server; content:"|FF FF FF FF 02|getinfo"; depth:12; isdataat:433,relative; reference:bugtraq,10743; reference:cve,2004-0735; classtype:attempted-user; sid:45228; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Docker Rancher Server remote code execution attempt"; flow:to_server,established; content:"/v1/projects/"; fast_pattern:only; http_uri; content:"|22|startOnCreate|22|"; http_client_body; content:"|22|dataVolumes|22|"; http_client_body; content:"/:"; http_client_body; pcre:"/\x22dataVolumes\x22\s*?\x3a\s*?\x5b\s*?\x22\x2f\x3a/P"; metadata:service http; reference:url,www.github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/rancher_server.rb; classtype:attempted-user; sid:45227; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5984 (msg:"SERVER-OTHER Apache CouchDB remote code execution attempt"; flow:to_server,established; content:"PUT /_config/query_servers/cmd "; depth:31; fast_pattern; content:"|0D 0A 0D 0A|"; distance:0; content:">"; within:50; content:"/"; within:5; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-12636; classtype:attempted-user; sid:45269; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12345 (msg:"SERVER-OTHER Quest Privilege Manager pmmasterd denial of service attempt"; flow:to_server,established; content:"|00 00 02 6C|"; depth:4; byte_math:bytes 4,offset 0,oper +,rvalue 79,result copy_size,relative; isdataat:!copy_size; reference:cve,2017-6553; reference:url,0xdeadface.wordpress.com/2017/04/07/multiple-vulnerabilities-in-quest-privilege-manager-6-0-0-xx-cve-2017-6553-cve-2017-6554/; classtype:denial-of-service; sid:45394; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12345 (msg:"SERVER-OTHER Quest Privilege Manager pmmasterd buffer overflow attempt"; flow:to_server,established; content:"|00 00 02 6C|"; depth:4; byte_test:4,>,200,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-6553; reference:url,0xdeadface.wordpress.com/2017/04/07/multiple-vulnerabilities-in-quest-privilege-manager-6-0-0-xx-cve-2017-6553-cve-2017-6554/; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/quest_pmmasterd_bof.rb; classtype:attempted-admin; sid:45393; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 18081 (msg:"SERVER-OTHER Sixnet SixView Manager directory traversal attempt"; flow:to_server,established; content:"GET /../../../../../../"; fast_pattern:only; reference:cve,2014-2976; classtype:attempted-admin; sid:45380; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Hewlett Packard Enterprise Intelligent Management Center FileDownloadServlet information disclosure attempt"; flow:to_server,established; content:"/servicedesk/servicedesk/fileDownload"; fast_pattern:only; http_uri; content:"filePath="; nocase; http_uri; content:"fileName="; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-5797; classtype:attempted-recon; sid:45442; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 54345 (msg:"SERVER-OTHER HP LoadRunner remote command execution attempt"; flow:to_server,established; content:"|00 00 00 1C 00 00 00 05 00 00 00 01|"; fast_pattern:only; content:"|00 00 00 19|"; depth:4; content:"|00 00 00 00|"; distance:0; content:"|00 00 00 18 00 00 00 04|"; distance:0; content:"|00 00 04 37 00 00 00 00 00 00 00 31|"; within:12; distance:20; content:"cmd.exe"; distance:0; reference:cve,2010-1549; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/hp_loadrunner_magentproc_cmdexec.rb; classtype:attempted-admin; sid:45440; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-OTHER OpenLDAP zero size PagedResultsControl denial of service attempt"; flow:to_server,established; content:"|23 30 21 04 16 31 2E 32 2E 38 34 30 2E 31 31 33 35 35 36 2E 31 2E 34 2E 33 31 39 04 07 30 05 02 01 00 04 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ldap; reference:cve,2017-9287; classtype:denial-of-service; sid:45513; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7911 (msg:"SERVER-OTHER ISC DHCPD remote denial of service attempt"; flow:to_server,established,no_stream; content:"|00 00 00 64 00 00 00 18|"; depth:8; detection_filter:track by_src, count 15, seconds 10; metadata:service dhcp; reference:cve,2017-3144; reference:url,kb.isc.org/article/AA-01541; classtype:attempted-dos; sid:45499; rev:3;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER Mozilla Network Security Services heap underflow exploit attempt"; flow:to_client,established; content:"|04|"; depth:1; offset:2; content:"|01 00 02|"; within:3; distance:1; content:"|30|"; within:1; distance:22; byte_jump:1,0,relative; content:"|30|"; within:1; byte_jump:1,0,relative; content:"|30|"; within:1; content:"|30|"; within:1; distance:31; byte_jump:1,0,relative; content:"|30|"; within:1; content:"|30|"; within:5; byte_jump:1,0,relative; content:"|30|"; within:5; content:"|82|"; within:1; byte_test:2,<,50,0,relative; metadata:policy max-detect-ips drop, service ssl; reference:cve,2007-0008; classtype:attempted-user; sid:45539; rev:1;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER Mozilla Network Security Services heap underflow exploit attempt"; flow:to_client,established; content:"|04|"; depth:1; offset:2; content:"|01 00 02|"; within:3; distance:1; content:"|30|"; within:1; distance:22; byte_jump:1,0,relative; content:"|30|"; within:1; byte_jump:1,0,relative; content:"|30|"; within:1; content:"|30|"; within:1; distance:31; byte_jump:1,0,relative; content:"|30|"; within:1; content:"|30|"; within:5; byte_jump:1,0,relative; content:"|30|"; within:5; content:"|81|"; within:1; byte_test:1,<,50,0,relative; metadata:policy max-detect-ips drop, service ssl; reference:cve,2007-0008; classtype:attempted-user; sid:45538; rev:1;)
# alert tcp $EXTERNAL_NET [443,465,993] -> $HOME_NET any (msg:"SERVER-OTHER Mozilla Network Security Services heap underflow exploit attempt"; flow:to_client,established; content:"|30 1E 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 0D 00 30 81 09 02 81 01 00 02 03 01 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ssl; reference:cve,2007-0008; classtype:attempted-user; sid:45537; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Magneto CE and EE PHP objection injection attempt"; flow:to_server,established; content:"Magento|5C 5C|Framework|5C 5C|Simplexml|5C 5C|Config|5C 5C|Cache|5C 5C|File"; nocase; content:"is_allowed_to_save"; within:100; nocase; content:"stat_file_name"; within:100; nocase; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-4010; classtype:attempted-admin; sid:45523; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"SERVER-OTHER Firefly Media Server malformed HTTP request denial of service attempt"; flow:to_server,established; content:"Host: xxxxxxx|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:cve,2012-5875; classtype:denial-of-service; sid:45590; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"SERVER-OTHER Firefly Media Server malformed HTTP request denial of service attempt"; flow:to_server,established; content:"User-Agent:|0D 0A|xxxxxxx|0D 0A 0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:cve,2012-5875; classtype:denial-of-service; sid:45589; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"SERVER-OTHER Firefly Media Server malformed HTTP request denial of service attempt"; flow:to_server,established; content:"Accept-Language: en-us|0D 0A|en|3B|q=0.5|0D 0A 0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:cve,2012-5875; classtype:denial-of-service; sid:45588; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"SERVER-OTHER Firefly Media Server malformed HTTP request denial of service attempt"; flow:to_server,established; content:"Connection: xxxxxxx_xxxx_|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:cve,2012-5875; classtype:denial-of-service; sid:45587; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8400 (msg:"SERVER-OTHER Commvault Communications Service command injection attempt"; flow:to_server,established; content:"|00 00 00 09|"; depth:4; offset:12; byte_test:4,>,346,-16,little,relative; isdataat:328,relative; pcre:"/\x00\x00\x00\x09.{328,}?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/i"; reference:url,www.securifera.com/advisories/sec-2017-0001/; classtype:attempted-admin; sid:45571; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"SERVER-OTHER Apple CUPS SGI image decoding buffer overflow attempt"; flow:to_server,established; content:"|01 DA 01 01 00 03|"; byte_extract:2,0,xsize,relative; byte_jump:4,504,relative,post_offset -516; byte_test:1,!&,0x80,0,relative; byte_test:1,>,xsize,0,relative; metadata:policy max-detect-ips drop, service http; reference:bugtraq,31690; reference:cve,2008-3639; classtype:attempted-user; sid:17663; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Wordpress CMS platform denial of service attempt "; flow:to_server,established; content:"/load-scripts.php"; fast_pattern:only; http_uri; content:"load[]="; nocase; http_uri; pcre:"/load\x5B\x5D=([^&]*?,){50}/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-6389; classtype:denial-of-service; sid:45598; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER HP Integrated Lights-Out HTTP headers processing buffer overflow attempt"; flow:to_server,established; content:"/AccountService/Accounts"; fast_pattern:only; http_uri; content:"Connection:"; nocase; isdataat:29,relative; content:!"|0A|"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100467; reference:cve,2017-12542; reference:url,support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03769en_us; classtype:attempted-admin; sid:45682; rev:1;)
# alert udp any any -> $HOME_NET 123 (msg:"SERVER-OTHER NTP crypto-NAK denial of service attempt"; flow:to_server; content:"|21 01 04 EB 00 00 00 00 00 00 00 27 49 4E 49 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; content:"|00 00 00 00|"; within:4; distance:8; metadata:policy max-detect-ips drop, service ntp; reference:cve,2016-4957; reference:url,attack.mitre.org/techniques/T1209; classtype:denial-of-service; sid:45693; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Squid HTTP Vary response header denial of service attempt"; flow:to_client,established; content:"Vary:"; fast_pattern:only; http_header; pcre:"/Vary\x3A\s*\r\n/Hmi"; metadata:policy max-detect-ips drop, service http; reference:cve,2016-3948; reference:url,www.squid-cache.org/Advisories/SQUID-2016_4.txt; classtype:denial-of-service; sid:45757; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Squid HTTP Accept Encoding response header denial of service attempt"; flow:to_client,established; content:"Accept-Encoding:"; http_header; content:!"|0D 0A|"; within:500; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2016-3948; reference:url,www.squid-cache.org/Advisories/SQUID-2016_4.txt; classtype:denial-of-service; sid:45756; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"SERVER-OTHER CloudMe Sync Client stack buffer overflow attempt"; flow:to_server,established; isdataat:2234; content:"|EB 06|"; depth:2; offset:2232; content:"|9D 90 E6 6F|"; within:4; distance:2; reference:cve,2018-6892; classtype:attempted-user; sid:45747; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"SERVER-OTHER CloudMe Sync Client stack buffer overflow attempt"; flow:to_server,established; isdataat:2234; content:"|EB 06|"; depth:2; offset:2232; content:"|95 67 47 00|"; within:4; distance:2; reference:cve,2018-6892; classtype:attempted-user; sid:45746; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"SERVER-OTHER CloudMe Sync Client stack buffer overflow attempt"; flow:to_server,established; isdataat:2234; content:"|EB 06|"; depth:2; offset:2232; content:"|F6 B7 E7 61|"; within:4; distance:2; reference:cve,2018-6892; classtype:attempted-user; sid:45745; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 953 (msg:"SERVER-OTHER ISC BIND malformed data channel authentication message denial of service attempt"; flow:to_server,established; content:"|00 00 00 01|"; depth:4; offset:4; content:"|05|_data"; fast_pattern; byte_test:1,!=,2,0,relative; metadata:policy max-detect-ips drop; reference:cve,2016-1285; reference:url,kb.isc.org/article/AA-01363/81/BIND-9.10.3-P4-Release-Notes.html; classtype:attempted-dos; sid:45738; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9124 (msg:"SERVER-OTHER Disk Savvy Enterprise buffer overflow attempt"; flow:to_server,established; isdataat:148; content:"|75 19 BA AB|"; depth:4; content:!"|00|"; within:124; distance:20; content:!"|0D|"; within:124; distance:20; content:!"|0A|"; within:124; distance:20; content:!"|02|"; within:124; distance:20; content:!"|F8|"; within:124; distance:20; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.disksavvy.com/index.html; classtype:attempted-user; sid:45804; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1099,6099,7001,$HTTP_PORTS] (msg:"SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt"; flow:to_server,established; content:"|50 AC ED|"; depth:3; content:"WhileClosure"; fast_pattern:only; metadata:policy max-detect-ips drop, service http, service java_rmi; classtype:attempted-user; sid:45801; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1099,6099,7001,$HTTP_PORTS] (msg:"SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt"; flow:to_server,established; content:"|50 AC ED|"; depth:3; content:"PrototypeSerializationFactory"; fast_pattern:only; metadata:policy max-detect-ips drop, service http, service java_rmi; classtype:attempted-user; sid:45800; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1099,6099,7001,$HTTP_PORTS] (msg:"SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt"; flow:to_server,established; content:"|50 AC ED|"; depth:3; content:"PrototypeCloneFactory"; fast_pattern:only; metadata:policy max-detect-ips drop, service http, service java_rmi; classtype:attempted-user; sid:45799; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1099,6099,7001,$HTTP_PORTS] (msg:"SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt"; flow:to_server,established; content:"|50 AC ED|"; depth:3; content:"InstantiateTransformer"; fast_pattern:only; metadata:policy max-detect-ips drop, service http, service java_rmi; classtype:attempted-user; sid:45798; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1099,6099,7001,$HTTP_PORTS] (msg:"SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt"; flow:to_server,established; content:"|50 AC ED|"; depth:3; content:"InstantiateFactory"; fast_pattern:only; metadata:policy max-detect-ips drop, service http, service java_rmi; classtype:attempted-user; sid:45797; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1099,6099,7001,$HTTP_PORTS] (msg:"SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt"; flow:to_server,established; content:"|50 AC ED|"; depth:3; content:"ForClosure"; fast_pattern:only; metadata:policy max-detect-ips drop, service http, service java_rmi; classtype:attempted-user; sid:45796; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1099,6099,7001,$HTTP_PORTS] (msg:"SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt"; flow:to_server,established; content:"|50 AC ED|"; depth:3; content:"CloneTransformer"; fast_pattern:only; metadata:policy max-detect-ips drop, service http, service java_rmi; classtype:attempted-user; sid:45795; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER Jackson databind deserialization remote code execution attempt"; flow:to_server,established; content:"|22|obj|22|"; content:"org.springframework.context.support.FileSystemXmlApplicationContext"; within:120; content:"http"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-17485; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=56516; classtype:attempted-user; sid:45779; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Jackson databind deserialization remote code execution attempt"; flow:to_server,established; content:"|22|obj|22|"; nocase; content:"org.springframework.context.support.FileSystemXmlApplicationContext"; within:120; content:"http"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-17485; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=56516; classtype:attempted-user; sid:45778; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt"; flow:to_server,established; ssl_state:client_hello; content:"|16 03 03 00 64 01 00 00 62 03 03|"; depth:11; content:"|00 00 0E|"; within:3; distance:32; pcre:"/^\x16\x03\x03\x00\x64\x01\x00\x00\x62\x03\x03.{32}\x00\x00\x0E(\x00[\x9d\x3d\x35\x9c\x3c\x2f\x0a]){7}/s"; metadata:policy max-detect-ips drop, policy security-ips drop, service ssl; reference:cve,2012-5081; reference:cve,2016-6883; reference:cve,2017-1000385; reference:cve,2017-12373; reference:cve,2017-13098; reference:cve,2017-13099; reference:cve,2017-17382; reference:cve,2017-17427; reference:cve,2017-17428; reference:cve,2017-6168; reference:url,robotattack.org; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171212-bleichenbacher; classtype:attempted-recon; sid:45830; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Fatek Automation PLC WinProladder buffer overflow attempt"; flow:to_client,established; content:"Fatek WinProladder, File Format"; fast_pattern:only; content:"|06 10|"; byte_test:2,>,100,6,relative,little; metadata:policy max-detect-ips drop; reference:bugtraq,94938; reference:cve,2016-8377; classtype:attempted-user; sid:45853; rev:1;)
# alert udp $HOME_NET 11211 -> any any (msg:"SERVER-OTHER Memcached DDoS reflective attempt"; flow:to_client; content:"STAT"; depth:4; offset:8; detection_filter:track by_dst,count 50, seconds 10; metadata:policy max-detect-ips drop; reference:cve,2018-1000115; reference:url,blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/memcached/memcached_amp.rb; classtype:attempted-dos; sid:45942; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-OTHER Memcached UDP version discovery attempt"; flow:to_server; content:"version|0D 0A|"; depth:10; offset:8; metadata:policy max-detect-ips drop; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/memcached/memcached_udp_version.rb; classtype:attempted-recon; sid:45941; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-OTHER Memcached replaceq opcode request heap buffer overflow attempt"; flow:to_server; content:"|80 13|"; depth:2; content:"|08 00|"; within:2; distance:2; byte_test:1,&,0x80,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-8705; reference:cve,2017-9951; reference:url,www.talosintelligence.com/reports/TALOS-2016-0220; classtype:attempted-admin; sid:45940; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-OTHER Memcached replace opcode request heap buffer overflow attempt"; flow:to_server; content:"|80 03|"; depth:2; content:"|08 00|"; within:2; distance:2; byte_test:1,&,0x80,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-8705; reference:cve,2017-9951; reference:url,www.talosintelligence.com/reports/TALOS-2016-0220; classtype:attempted-admin; sid:45939; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-OTHER Memcached addq opcode request heap buffer overflow attempt"; flow:to_server; content:"|80 12|"; depth:2; content:"|08 00|"; within:2; distance:2; byte_test:1,&,0x80,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-8705; reference:cve,2017-9951; reference:url,www.talosintelligence.com/reports/TALOS-2016-0220; classtype:attempted-admin; sid:45938; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-OTHER Memcached add opcode request heap buffer overflow attempt"; flow:to_server; content:"|80 02|"; depth:2; content:"|08 00|"; within:2; distance:2; byte_test:1,&,0x80,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-8705; reference:cve,2017-9951; reference:url,www.talosintelligence.com/reports/TALOS-2016-0220; classtype:attempted-admin; sid:45937; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-OTHER Memcached setq opcode request heap buffer overflow attempt"; flow:to_server; content:"|80 11|"; depth:2; content:"|08 00|"; within:2; distance:2; byte_test:1,&,0x80,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-8705; reference:cve,2017-9951; reference:url,www.talosintelligence.com/reports/TALOS-2016-0220; classtype:attempted-admin; sid:45936; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-OTHER Memcached set opcode request heap buffer overflow attempt"; flow:to_server; content:"|80 01|"; depth:2; content:"|08 00|"; within:2; distance:2; byte_test:1,&,0x80,2,relative; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-8705; reference:cve,2017-9951; reference:url,www.talosintelligence.com/reports/TALOS-2016-0220; classtype:attempted-admin; sid:45935; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [8094,8096,8097,8098,9121] (msg:"SERVER-OTHER Flexense Syncbreeze buffer overflow attempt"; flow:to_server,established; content:"|75 19 BA AB 03 00 00 00 00 40 00 00|"; byte_test:4,>,900,4,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2018-5262; reference:cve,2018-6537; classtype:attempted-user; sid:45926; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-OTHER Advantech WebAccess webvrpcs service arbitrary command execution attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:1; dce_stub_data; content:"|11 27 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:bugtraq,102424; reference:cve,2017-16720; reference:url,ics-cert.us-cert.gov/advisories/ICSA-18-004-02; classtype:attempted-admin; sid:45971; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-OTHER Advantech WebAccess webvrpcs service arbitrary pointer dereference attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:1; dce_stub_data; content:"|E6 27 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:bugtraq,102424; reference:cve,2017-16728; reference:url,ics-cert.us-cert.gov/advisories/ICSA-18-004-02; classtype:attempted-admin; sid:46061; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER cPanel Mailman privilege escalation attempt"; flow:to_server,established; file_data; content:"/usr/local/cpanel/3rdparty/mailman/bin"; fast_pattern:only; content:"/usr/local/apache/bin/suexec"; content:"config_list"; content:"os.setuid|28|0|29|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:46131; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER cPanel Mailman privilege escalation attempt"; flow:to_client,established; file_data; content:"/usr/local/cpanel/3rdparty/mailman/bin"; fast_pattern:only; content:"/usr/local/apache/bin/suexec"; content:"config_list"; content:"os.setuid|28|0|29|"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:46130; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER QNAP QTS cross site request forgery attempt"; flow:to_client,established; file_data; content:"cgi-bin/create_user.cgi"; fast_pattern:only; content:"function="; nocase; content:"subfun="; nocase; content:"NAME="; nocase; content:"PASSWD="; nocase; content:"VERIFY="; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0144; classtype:attempted-admin; sid:46342; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"SERVER-OTHER QNAP QTS hard coded credential access attempt"; flow:to_server,established; content:"PASS joxu06wj/|0D 0A|"; fast_pattern:only; metadata:ruleset community, service ftp; reference:cve,2015-7261; classtype:default-login-attempt; sid:46335; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SERVER-OTHER NETGEAR TelnetEnable attempt"; flow:to_server; content:"|59 0D B1 E7 67 23 51 BA 5B 5D 52 33 91 0D 09 7F|"; content:"|09 44 80 0E DE B6 FA 3B 5B 5D 52 33 91 0D 09 7F|"; metadata:ruleset community; classtype:attempted-admin; sid:46318; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SERVER-OTHER NETGEAR TelnetEnable attempt"; flow:to_server,established; content:"|C0 F3 AC 2A 40 79 49 0C A3 6E 89 64 73 66 0F 0B|"; content:"|5D FC 67 3A 16 DC 00 56 A3 6E 89 64 73 66 0F 0B|"; metadata:ruleset community; classtype:attempted-admin; sid:46317; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt"; flow:to_server,established; content:"/cgi-bin/cgi.cgi"; fast_pattern:only; http_uri; content:"u="; nocase; http_uri; isdataat:35,relative; pcre:"/[?&]u=[^&\s]{35}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:attempted-admin; sid:46310; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt"; flow:to_server,established; content:"/cgi-bin/cgi.cgi"; fast_pattern:only; http_uri; content:"u="; nocase; http_uri; content:"p="; nocase; http_uri; isdataat:260,relative; pcre:"/[?&]p=[^&\s]{260}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:attempted-admin; sid:46309; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 61616 (msg:"SERVER-OTHER Apache ActiveMQ JMS ObjectMessage deserialization attempt"; flow:to_server,established; content:"|1A|"; depth:5; offset:4; content:"|AC ED 00 05|"; distance:0; reference:cve,2015-5254; classtype:misc-activity; sid:46304; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER QNAP QTS X-Forwarded-For buffer overflow"; flow:to_server,established; content:"/cgi-bin/filemanager/wfm2Login.cgi"; fast_pattern:only; http_uri; content:"X-Forwarded-For"; nocase; http_raw_header; isdataat:90,relative; pcre:"/X-Forwarded-For:[^\n\r]{90}/Hsmi"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.qnap.com/en/security-advisory/nas-201712-15; classtype:web-application-attack; sid:46301; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER Multiple Vendors NTP zero-origin timestamp denial of service attempt"; content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:24; byte_test:1,&,32,0; byte_test:1,!&,16,0; byte_test:1,!&,8,0; detection_filter:track by_dst,count 5,seconds 1; metadata:service ntp; reference:cve,2018-7184; reference:cve,2018-7185; reference:url,attack.mitre.org/techniques/T1209; reference:url,support.ntp.org/bin/view/Main/NtpBug3453; reference:url,support.ntp.org/bin/view/Main/NtpBug3454; classtype:attempted-dos; sid:46387; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Micro Focus Operations Orchestration information disclosure attempt"; flow:to_server,established; content:"POST"; http_method; content:"/oo/jminix/servers/0/domains/com.sun.management/mbeans"; fast_pattern:only; nocase; http_uri; content:"/type=DiagnosticCommand/operations/vmSystemProperties|28 29|"; nocase; http_uri; content:"executed=true"; http_client_body; metadata:service http; reference:cve,2018-6490; reference:url,softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03103896; classtype:attempted-user; sid:46383; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Micro Focus Operations Orchestration denial of service attempt"; flow:to_server,established; content:"POST"; http_method; content:"/oo/jminix/servers/0/domains/Catalina/mbeans"; fast_pattern:only; http_uri; content:"/type=Connector"; nocase; http_uri; content:"/operations/stop|28 29|"; nocase; http_uri; content:"executed=true"; http_client_body; metadata:service http; reference:cve,2018-6490; reference:url,softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03103896; classtype:denial-of-service; sid:46382; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER libgd heap-overflow attempt"; flow:to_server,established; content:"gd2|00 00 02|"; fast_pattern; content:"|02|"; within:1; distance:7; byte_test:1,>,128,8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-3074; classtype:web-application-attack; sid:46377; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER libgd heap-overflow attempt"; flow:to_server,established; content:"gd2|00 00 02|"; fast_pattern; content:"|02|"; within:1; distance:7; byte_test:1,>,128,16,relative; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-3074; classtype:web-application-attack; sid:46376; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [5500,5900] (msg:"SERVER-OTHER DualDesk v20 Proxy.exe long string denial of service attempt"; flow:to_server,established; content:"|0A|"; isdataat:214; content:!"|0A|"; depth:214; reference:cve,2018-7583; reference:url,www.exploit-db.com/exploits/44222/; classtype:attempted-dos; sid:46375; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5984 (msg:"SERVER-OTHER Apache CouchDB remote code execution attempt"; flow:to_server,established; content:"PUT /_config/query_servers/cmd "; fast_pattern:only; content:"|0D 0A 0D 0A|"; content:"/bin/"; within:5; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-12636; classtype:attempted-user; sid:46440; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER X.509 IPAddressFamily extension buffer overread attempt"; flow:to_server,established; ssl_state:client_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; byte_extract:3,3,certs_length,relative; content:"|2B 06 01 05 05 07 01 07|"; within:certs_length; content:"|30|"; within:1; distance:5; content:"|30|"; within:1; distance:1; content:"|04 01|"; within:2; distance:1; metadata:service ssl; reference:cve,2017-3735; classtype:attempted-recon; sid:46418; rev:1;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER X.509 IPAddressFamily extension buffer overread attempt"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; byte_extract:3,3,certs_length,relative; content:"|2B 06 01 05 05 07 01 07|"; within:certs_length; content:"|30|"; within:1; distance:5; content:"|30|"; within:1; distance:1; content:"|04 01|"; within:2; distance:1; metadata:service ssl; reference:cve,2017-3735; classtype:attempted-recon; sid:46417; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected"; flow:to_server,established; content:"|AC ED 00 05|"; content:"Registry"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service java_rmi; reference:cve,2018-2628; reference:cve,2018-2893; reference:url,www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html; reference:url,www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html; classtype:attempted-user; sid:46446; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected"; flow:to_server,established; content:"|AC ED 00 05|"; content:"InvocationHandler"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service java_rmi; reference:cve,2018-2628; reference:cve,2018-2893; reference:url,www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html; reference:url,www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html; classtype:attempted-user; sid:46445; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg:"SERVER-OTHER PostgreSQL Empty Password authentication bypass attempt"; flow:to_server,established; content:"|70 00 00 00 05 00|"; depth:6; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service postgresql; reference:cve,2017-7546; classtype:attempted-user; sid:46449; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco Smart Install init discovery message stack buffer overflow attempt"; flow:to_server,established; content:"|00 00 00|"; depth:3; content:"|00 00 00 07|"; within:4; distance:5; fast_pattern; content:"|00 00 00 01|"; within:4; distance:4; byte_test:4,>,28,0,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2018-0171; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2; classtype:attempted-admin; sid:46096; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco Smart Install invalid init discovery message denial of service attempt"; flow:to_server,established; content:"|00 00 00|"; depth:3; content:"|00 00 00 07|"; within:4; distance:5; fast_pattern; content:"|00 00 00 01|"; within:4; distance:4; byte_math:bytes 4,offset 0,oper +,rvalue 8,result sub_len_plus_eight,relative; byte_test:4,!=,sub_len_plus_eight,-8,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2018-0171; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2; classtype:attempted-dos; sid:46468; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER HTTP request smuggling attempt"; flow:to_server,established; content:"Content-Length|3A|"; http_header; content:"|0D 0A|"; within:15; http_header; content:"Content-Length|3A|"; within:15; nocase; http_header; metadata:service http; reference:cve,2015-3183; classtype:web-application-activity; sid:46495; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Quest Appliance NetVault Backup buffer overflow attempt"; flow:to_server,established; isdataat:2000; content:"Content-Type: multipart/form-data|3B| boundary=IXA"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-1161; classtype:attempted-admin; sid:46474; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Spring Data Commons remote code execution attempt"; flow:to_server,established; content:"[#this.getClass().forName("; fast_pattern:only; content:".getRuntime().exec"; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-1273; classtype:attempted-user; sid:46473; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Pidgin MSN MSNP2P SLP message integer overflow attempt"; flow:to_client,established; content:"MSG"; content:"|0A|P2P-Dest|3A|"; within:200; nocase; content:"|0D 0A 0D 0A|"; within:100; content:!"|00 00 00 00|"; within:4; distance:8; content:!"|00 00 00 00|"; within:4; distance:24; byte_extract:4,24,message_len,relative,little; byte_math:bytes 4, offset -20, oper +, rvalue message_len, result cumulative_size, relative, endian little; byte_test:4,>,cumulative_size,-20,relative,little; metadata:policy max-detect-ips drop, service http; reference:bugtraq,29956; reference:cve,2008-2927; reference:url,pidgin.im/news/security/?id=25; classtype:attempted-user; sid:46784; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4750 (msg:"SERVER-OTHER BMC Server Automation RSCD Agent remote code execution attempt"; flow:to_server,established; content:"b7|3B|0|3B|2|3B|cae|3B|da4|3B|0"; content:"echo -en"; within:8; distance:8; reference:cve,2016-1542; reference:cve,2016-1543; classtype:attempted-user; sid:46880; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4750 (msg:"SERVER-OTHER BMC Server Automation RSCD Agent remote code execution attempt"; flow:to_server,established; content:"b7|3B|0|3B|2|3B|cae|3B|da4|3B|0"; content:"powershell"; within:10; distance:8; reference:cve,2016-1542; reference:cve,2016-1543; reference:url,attack.mitre.org/techniques/T1086; classtype:attempted-user; sid:46879; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4750 (msg:"SERVER-OTHER BMC Server Automation RSCD Agent remote code execution attempt"; flow:to_server,established; content:"b7|3B|0|3B|2|3B|cae|3B|da4|3B|0"; content:"cmd /c"; within:6; distance:8; reference:cve,2016-1542; reference:cve,2016-1543; classtype:attempted-user; sid:46878; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER Mitsubishi Electric E-Designer font field buffer overflow attempt"; flow:to_server,established; file_data; content:"E-Designer"; fast_pattern:only; content:"SetupAlarm"; nocase; content:"font"; nocase; isdataat:256,relative; content:!"|0A|"; within:256; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-9638; classtype:attempted-admin; sid:46926; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Mitsubishi Electric E-Designer font field buffer overflow attempt"; flow:to_client,established; file_data; content:"E-Designer"; fast_pattern:only; content:"SetupAlarm"; nocase; content:"font"; nocase; isdataat:256,relative; content:!"|0A|"; within:256; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-9638; classtype:attempted-admin; sid:46925; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER Mitsubishi Electric E-Designer Status_bit buffer overflow attempt"; flow:to_server,established; file_data; content:"BEComliSlave.ComliSlave"; fast_pattern:only; content:"Status_bit"; nocase; content:"="; within:10; content:"|22|"; within:10; isdataat:256,relative; content:!"|22|"; within:256; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-9638; classtype:attempted-admin; sid:46924; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Mitsubishi Electric E-Designer Status_bit buffer overflow attempt"; flow:to_client,established; file_data; content:"BEComliSlave.ComliSlave"; fast_pattern:only; content:"Status_bit"; nocase; content:"="; within:10; content:"|22|"; within:10; isdataat:256,relative; content:!"|22|"; within:256; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-9638; classtype:attempted-admin; sid:46923; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-OTHER Advantech WebAccess arbitrary file deletion attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:0,1; dce_stub_data; content:"|15 27 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,104190; reference:cve,2018-7495; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; reference:url,ics-cert.us-cert.gov/advisories/ICSA-18-135-01; classtype:misc-attack; sid:47052; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Reliance SCADA Control Server Denial of Service attempt"; flow:to_server,established; file_data; content:"q=1&l=0&lid=2&t=22&id=1&e=4&ew=1&eh=1&uls=0&df=&ds=0&tf=&ts=0&ds=0&gs=0"; fast_pattern; http_uri; urilen:>300; content:"&=yes"; distance:0; http_uri; metadata:service http; reference:url,reliance-scada.com/en/main; classtype:attempted-user; sid:48127; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2144 (msg:"SERVER-OTHER LSIS wXP Denial of Service attempt"; flow:to_server,established; file_data; content:"|6B|"; depth:1; content:"|0A 05 00 00 20 F5 00 8C 5A F5 00 8C 5A F5 00 8C 5A|"; within:17; distance:4; byte_test:2, >, 3, 0, relative, little; isdataat:4,relative; reference:url,lsis.com; classtype:denial-of-service; sid:48121; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-OTHER Delta Industrial Automation Robot DRAStudio Arbitrary File Disclosure attempt"; flow:to_server,established; content:"<Cmds>"; nocase; content:"<Cmd name=|22|FILE|22|>"; distance:0; nocase; content:"<par"; distance:0; nocase; content:"../"; distance:0; reference:url,deltaww.com; classtype:attempted-user; sid:48114; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [3000,9495] (msg:"SERVER-OTHER Aktakom oscilloscope denial of service attempt"; flow:to_server,established; content:"|3A|SDSLCRS|01|"; fast_pattern:only; reference:url,www.aktakom.com; classtype:attempted-dos; sid:48109; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Western Digital My Cloud authentication bypass attempt"; flow:to_server,established; content:"/cgi-bin/network_mgr.cgi"; http_uri; content:"username=admin"; http_cookie; content:"cmd=cgi_get_ipv6"; http_client_body; content:"flag=1"; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-17153; classtype:attempted-admin; sid:48038; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,3000] (msg:"SERVER-OTHER Alt-N MDaemon buffer overflow attempt"; flow:to_server,established; content:"/WorldClient.dll"; fast_pattern; nocase; content:"Body="; within:500; nocase; isdataat:150,relative; content:!"="; within:150; metadata:service http; reference:url,support.ixiacom.com/strikes/exploits/iis/easy_fun_buffer_overflow.xml; classtype:attempted-admin; sid:47897; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,3000] (msg:"SERVER-OTHER Alt-N MDaemon buffer overflow attempt"; flow:to_server,established; content:"/WorldClient.dll"; fast_pattern; nocase; content:"From="; within:500; nocase; isdataat:150,relative; content:!"="; within:150; metadata:service http; reference:url,support.ixiacom.com/strikes/exploits/iis/easy_fun_buffer_overflow.xml; classtype:attempted-admin; sid:47896; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER JBoss Richfaces expression language injection attempt"; flow:to_server,established; content:"MediaOutputResource"; fast_pattern:only; http_uri; content:"do="; http_uri; content:"#{"; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-0279; reference:cve,2018-12532; reference:url,access.redhat.com/security/cve/cve-2018-12532; classtype:attempted-user; sid:47829; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [25,443,587] (msg:"SERVER-OTHER OpenSSL invalid Diffie-Hellman parameter NULL pointer dereference attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|16 03|"; content:"|0C|"; within:1; distance:3; content:"|00 80|"; within:2; distance:3; content:"|00 01|"; within:2; distance:128; content:"|00 80|"; within:2; distance:1; byte_test:1,=,0,-6,relative,bitmask 0x01; metadata:service ssl; reference:cve,2017-3730; classtype:denial-of-service; sid:47821; rev:1;)
# alert tcp $EXTERNAL_NET [25,443,587] -> $HOME_NET any (msg:"SERVER-OTHER OpenSSL invalid Diffie-Hellman parameter NULL pointer dereference attempt"; flow:to_client,established; ssl_state:server_keyx; content:"|16 03|"; content:"|0C|"; within:1; distance:3; content:"|00 80|"; within:2; distance:3; content:"|00 01|"; within:2; distance:128; content:"|00 80|"; within:2; distance:1; byte_test:1,=,0,-6,relative,bitmask 0x01; metadata:service ssl; reference:cve,2017-3730; classtype:denial-of-service; sid:47820; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-OTHER Memcached DDoS attempt"; flow:to_server; content:"stat"; depth:4; offset:8; nocase; detection_filter:track by_src,count 50, seconds 10; metadata:policy max-detect-ips drop; reference:cve,2018-1000115; reference:url,blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/; classtype:attempted-dos; sid:47726; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-OTHER Memcached DDoS attempt"; flow:to_server; content:"get"; depth:3; offset:8; nocase; detection_filter:track by_src,count 50, seconds 10; metadata:policy max-detect-ips drop; reference:cve,2018-1000115; reference:url,blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/; classtype:attempted-dos; sid:47725; rev:1;)
# alert udp $EXTERNAL_NET 11211 -> $HOME_NET any (msg:"SERVER-OTHER Memcached DDoS attempt"; flow:to_client; dsize:>1300; content:"VALUE"; depth:5; offset:8; detection_filter:track by_dst,count 50, seconds 10; metadata:policy max-detect-ips drop; reference:cve,2018-1000115; reference:url,blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/; classtype:attempted-dos; sid:47724; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER ntpq decode array buffer overflow attempt"; content:"filt"; content:"="; within:7; distance:4; isdataat:50,relative; content:!","; within:50; metadata:service ntp; reference:cve,2018-7183; reference:url,attack.mitre.org/techniques/T1209; reference:url,support.ntp.org/bin/view/Main/NtpBug3414; classtype:attempted-user; sid:47585; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6666 (msg:"SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt"; flow:to_server; content:"|00 01|"; depth:2; content:"|3D|"; within:1; distance:30; byte_test:1,<,0x02,0,relative; classtype:attempted-user; sid:48169; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6666 (msg:"SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt"; flow:to_server; content:"|00 02|"; depth:2; content:"|3D|"; within:1; distance:30; byte_test:1,<,0x02,0,relative; classtype:attempted-user; sid:48168; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6666 (msg:"SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt"; flow:to_server; content:"|00 04|"; depth:2; content:"|3D|"; within:1; distance:30; byte_test:1,<,0x02,0,relative; classtype:attempted-user; sid:48167; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6666 (msg:"SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt"; flow:to_server; content:"|00 04|"; depth:2; content:"|01|"; within:1; distance:30; content:"|21 08|"; within:2; distance:2; fast_pattern; content:"|22|"; within:1; distance:6; byte_test:1,>,35,0,relative; reference:cve,2017-5806; classtype:attempted-admin; sid:48190; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6666 (msg:"SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt"; flow:to_server; content:"|00 02|"; depth:2; content:"|01|"; within:1; distance:30; content:"|21 08|"; within:2; distance:2; fast_pattern; content:"|22|"; within:1; distance:6; byte_test:1,>,35,0,relative; reference:cve,2017-5806; classtype:attempted-admin; sid:48189; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6666 (msg:"SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt"; flow:to_server; content:"|00 01|"; depth:2; content:"|01|"; within:1; distance:30; content:"|21 08|"; within:2; distance:2; fast_pattern; content:"|22|"; within:1; distance:6; byte_test:1,>,35,0,relative; reference:cve,2017-5806; classtype:attempted-admin; sid:48188; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6666 (msg:"SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt"; flow:to_server; content:"|00 04|"; depth:2; content:"|01|"; within:1; distance:30; content:"|21 08|"; within:2; distance:2; fast_pattern; content:"|22|"; within:1; distance:6; byte_test:1,<,0x02,0,relative; reference:cve,2017-5806; classtype:attempted-admin; sid:48187; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6666 (msg:"SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt"; flow:to_server; content:"|00 02|"; depth:2; content:"|01|"; within:1; distance:30; content:"|21 08|"; within:2; distance:2; fast_pattern; content:"|22|"; within:1; distance:6; byte_test:1,<,0x02,0,relative; reference:cve,2017-5806; classtype:attempted-admin; sid:48186; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6666 (msg:"SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt"; flow:to_server; content:"|00 01|"; depth:2; content:"|01|"; within:1; distance:30; content:"|21 08|"; within:2; distance:2; fast_pattern; content:"|22|"; within:1; distance:6; byte_test:1,<,0x02,0,relative; reference:cve,2017-5806; classtype:attempted-admin; sid:48185; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6666 (msg:"SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt"; flow:to_server; content:"|00 04|"; depth:2; content:"|01|"; within:1; distance:30; content:"|11|"; within:1; distance:2; byte_test:1,<=,1,0,relative; reference:cve,2017-5805; classtype:attempted-admin; sid:48184; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6666 (msg:"SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt"; flow:to_server; content:"|00 02|"; depth:2; content:"|01|"; within:1; distance:30; content:"|11|"; within:1; distance:2; byte_test:1,<=,1,0,relative; reference:cve,2017-5805; classtype:attempted-admin; sid:48183; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6666 (msg:"SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt"; flow:to_server; content:"|00 01|"; depth:2; content:"|01|"; within:1; distance:30; content:"|11|"; within:1; distance:2; byte_test:1,<=,1,0,relative; reference:cve,2017-5805; classtype:attempted-admin; sid:48182; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6666 (msg:"SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt"; flow:to_server; content:"|00 04|"; depth:2; content:"|01|"; within:1; distance:30; content:"|11|"; within:1; distance:2; byte_test:1,>,126,0,relative; reference:cve,2017-5805; classtype:attempted-admin; sid:48181; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6666 (msg:"SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt"; flow:to_server; content:"|00 02|"; depth:2; content:"|01|"; within:1; distance:30; content:"|11|"; within:1; distance:2; byte_test:1,>,126,0,relative; reference:cve,2017-5805; classtype:attempted-admin; sid:48180; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6666 (msg:"SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt"; flow:to_server; content:"|00 01|"; depth:2; content:"|01|"; within:1; distance:30; content:"|11|"; within:1; distance:2; byte_test:1,>,126,0,relative; reference:cve,2017-5805; classtype:attempted-admin; sid:48179; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER NUUO NVRMini2 stack based buffer overflow attempt"; flow:to_server,established; content:"/cgi-bin/cgi_system"; fast_pattern:only; http_uri; content:"PHPSESSID"; http_raw_header; content:!"|0D 0A|"; within:125; http_raw_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-1149; reference:url,www.nuuo.com/NewsDetail.php?id=0425; classtype:attempted-admin; sid:48235; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"SERVER-OTHER Oracle MySQL uninitialized variable remote code execution attempt"; flow:to_server,established; content:"extractvalue"; nocase; content:"number"; within:20; pcre:"/extractvalue.*?number\s*\x28\s*\x29/i"; metadata:service mysql; classtype:attempted-user; sid:48221; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SERVER-OTHER GP ProEX WinGP Runtime directory traversal attempt"; flow:to_server,established; content:"DRSTOR"; nocase; content:"../"; within:255; reference:url,profaceamerica.com/en-US/content/gp-pro-ex-hmi-software; classtype:attempted-user; sid:48249; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Adobe ColdFusion unauthenticated file upload attempt"; flow:to_server,established; content:"/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-15961; reference:url,helpx.adobe.com/security/products/coldfusion/apsb18-33.html; reference:url,www.volexity.com/blog/2018/11/08/active-exploitation-of-newly-patched-coldfusion-vulnerability-cve-2018-15961/; classtype:attempted-admin; sid:48359; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-OTHER Oracle WebLogic remote code execution attempt"; flow:to_server,established; content:"|AC ED 00 05|"; content:".AbstractPlatformTransactionManager"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service java_rmi; reference:cve,2018-3191; reference:url,oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html; classtype:attempted-user; sid:48483; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-OTHER Oracle WebLogic remote code execution attempt"; flow:to_server,established; content:"|AC ED 00 05|"; content:"|00 0B|us-l-breens|A5|<|AF F1 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service java_rmi; reference:cve,2018-3191; reference:url,oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html; classtype:attempted-user; sid:48482; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-OTHER Oracle WebLogic remote code execution attempt"; flow:to_server,established; content:"|AC ED 00 05|"; content:"java.rmi.server.RemoteObject"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service java_rmi; reference:cve,2018-3191; reference:url,oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html; classtype:attempted-user; sid:48481; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Kubernetes API Server bypass attempt"; flow:to_server; content:"Connection|3A| Upgrade"; nocase; http_header; content:"Upgrade|3A| websocket"; fast_pattern:only; http_header; content:"/api/v1/namespaces/"; http_uri; content:"/pods/"; nocase; http_uri; content:"/exec"; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-1002105; reference:url,gravitational.com/blog/kubernetes-websocket-upgrade-security-vulnerability/; classtype:attempted-admin; sid:48500; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Kubernetes API Server bypass attempt"; flow:to_server; content:"Connection|3A| Upgrade"; nocase; http_header; content:"Upgrade|3A| websocket"; fast_pattern:only; http_header; content:"/apis/"; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-1002105; reference:url,gravitational.com/blog/kubernetes-websocket-upgrade-security-vulnerability/; classtype:attempted-admin; sid:48548; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2144 (msg:"SERVER-OTHER LSIS XP-Manager denial of service attempt"; flow:to_server,established; content:"|6B|"; depth:1; content:"|0A 05 00 00 20 F5 00 8C 5A F5 00 8C 5A F5 00 8C 5A|"; within:17; distance:4; byte_test:2,>=,2000,0,relative,little; isdataat:2000,relative; metadata:policy max-detect-ips drop, policy security-ips drop; classtype:attempted-dos; sid:48545; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER SQLite FTS integer overflow attempt"; flow:to_server,established; file_data; content:"USING fts"; nocase; content:"_segdir"; fast_pattern; nocase; content:"root"; within:50; nocase; content:"FFFFFFF"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-20346; classtype:attempted-user; sid:48786; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER SQLite FTS integer overflow attempt"; flow:to_client,established; file_data; content:"USING fts"; nocase; content:"_segdir"; fast_pattern; nocase; content:"root"; within:50; nocase; content:"FFFFFFF"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-20346; classtype:attempted-user; sid:48785; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11311:11500 (msg:"SERVER-OTHER Robot Operating System aztarna scanner fingerprinting attempt"; flow:to_server,established; content:"GET / HTTP/1.1|0D 0A|Accept: */*|0D 0A|"; depth:29; content:"User-Agent|3A 20|Python/"; distance:0; content:"aiohttp/"; within:20; fast_pattern; content:!"Accept-Language|3A 20|"; content:!"Cookie|3A 20|"; reference:url,www.ros.org; classtype:attempted-user; sid:49067; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11311:11500 (msg:"SERVER-OTHER Robot Operating System aztarna scanner fingerprinting attempt"; flow:to_server,established; content:"|16 03 01|"; depth:3; content:"|01 29 00 0A 00 1C 00 1A 00 17 00 19 00 1C 00 1B 00 18 00 1A 00 16 00 0E 00 0D 00 0B 00 0C 00 09 00 0A|"; depth:34; offset:196; metadata:service http; reference:url,www.ros.org; classtype:attempted-recon; sid:49066; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11311:11500 (msg:"SERVER-OTHER Robot Operating System aztarna scanner getSystemState attempt"; flow:to_server,established; stream_size:client,=,381; content:"<methodCall><methodName>getSystemState</methodName>"; fast_pattern:only; metadata:service http; reference:url,www.ros.org; classtype:attempted-user; sid:49065; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Westermo router default credential login attempt"; flow:to_server,established; content:"GET /"; depth:5; content:"Authorization: Basic YWRtaW46d2VzdGVybW8="; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.westermo.com; classtype:attempted-user; sid:49064; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Sierra Wireless router default credential login attempt"; flow:to_server,established; content:"urn:acemanager"; nocase; content:"<login>admin</login>"; nocase; content:"<password><![CDATA[]]></password>"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.sierrawireless.com; classtype:attempted-user; sid:49063; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Sierra Wireless router default credential login attempt"; flow:to_server,established; content:"urn:acemanager"; nocase; content:"<login>viewer</login>"; nocase; content:"<password><![CDATA[12345]]></password>"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.sierrawireless.com; classtype:attempted-user; sid:49062; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Sierra Wireless router default credential login attempt"; flow:to_server,established; content:"urn:acemanager"; nocase; content:"<login>user</login>"; nocase; content:"<password><![CDATA[12345]]></password>"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.sierrawireless.com; classtype:attempted-user; sid:49061; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Sierra Wireless router default credential login attempt"; flow:to_server,established; content:"urn:acemanager"; nocase; content:"<login></login>"; nocase; content:"<password><![CDATA[swiadmin]]></password>"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.sierrawireless.com; classtype:attempted-user; sid:49060; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Sierra Wireless router default credential login attempt"; flow:to_server,established; content:"urn:acemanager"; nocase; content:"<login></login>"; nocase; content:"<password><![CDATA[admin]]></password>"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.sierrawireless.com; classtype:attempted-user; sid:49059; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Sierra Wireless router default credential login attempt"; flow:to_server,established; content:"urn:acemanager"; nocase; content:"<login>sconsole</login>"; nocase; content:"<password><![CDATA[12345]]></password>"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.sierrawireless.com; classtype:attempted-user; sid:49058; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Moxa router default credential login attempt"; flow:to_server,established; content:"Username="; content:"MD5Password="; distance:0; content:"d41d8cd98f00b204e9800998ecf8427e"; distance:0; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.moxa.com/en/products/industrial-network-infrastructure/secure-routers; classtype:attempted-user; sid:49057; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Moxa router default credential login attempt"; flow:to_server,established; content:"Username="; content:"MD5Password="; distance:0; content:"21232f297a57a5a743894a0e4a801fc3"; distance:0; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.moxa.com/en/products/industrial-network-infrastructure/secure-routers; classtype:attempted-user; sid:49056; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Moxa router default credential login attempt"; flow:to_server,established; content:"Username="; content:"MD5Password="; distance:0; content:"63a9f0ea7bb98050796b649e85481845"; distance:0; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.moxa.com/en/products/industrial-network-infrastructure/secure-routers; classtype:attempted-user; sid:49055; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Moxa router default credential login attempt"; flow:to_server,established; content:"/home.htm"; content:"Password="; distance:0; content:"d8a1dd02029af4e10b495bc3ab03859e"; distance:0; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.moxa.com/en/products/industrial-network-infrastructure/secure-routers; classtype:attempted-user; sid:49054; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Moxa router default credential login attempt"; flow:to_server,established; content:"/home.htm"; content:"Password="; distance:0; content:"d41d8cd98f00b204e9800998ecf8427e"; distance:0; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.moxa.com/en/products/industrial-network-infrastructure/secure-routers; classtype:attempted-user; sid:49053; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Moxa router default credential login attempt"; flow:to_server,established; content:"/home.htm"; content:"Password="; distance:0; content:"efa59ad49b7bc93a9a7bb1004f24b1cc"; distance:0; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.moxa.com/en/products/industrial-network-infrastructure/secure-routers; classtype:attempted-user; sid:49052; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Ewon router default credential login attempt"; flow:to_server,established; content:"Authorization: Basic YWRtOmFkbQ=="; fast_pattern:only; content:"/Ast/MainAst.shtm"; depth:30; nocase; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; reference:url,ewon.biz/products; classtype:attempted-user; sid:49051; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Exchange Server NTLM relay attack attempt"; flow:to_server,established; content:"/EWS/Exchange.asmx"; fast_pattern:only; http_uri; content:"<m:PushSubscriptionRequest SubscribeToAllFolders=|22|true|22|"; nocase; http_client_body; content:"<t:StatusFrequency>1</t:StatusFrequency>"; distance:0; nocase; http_client_body; content:"<soap:Body >"; nocase; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-8581; reference:cve,2019-0686; reference:cve,2019-0724; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8581; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0686; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0724; classtype:attempted-user; sid:49100; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Multiple products runc arbitrary code execution attempt"; flow:to_server,established; file_data; content:"echo |27|#!/proc/self/exe|27| > /bin/"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2019-5736; classtype:attempted-admin; sid:49195; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-OTHER HP iNode Management Center iNodeMngChecker buffer overflow attempt"; flow:to_server,established; content:"|15 78 42 EF 56 4E FE 0A 69 17 95 A0 54 AC C2 55 28 E6 CC 45 7E 19 9E D5 F6 80 C7 6C DB 8B 86 98|"; fast_pattern:only; metadata:service ssl; reference:cve,2011-1867; classtype:attempted-user; sid:49252; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Google Golang GET command injection attempt"; flow:to_client,established; file_data; content:"<meta"; content:"go-import"; within:50; fast_pattern; content:"content="; within:50; nocase; pcre:"/content=[^&\r\n]*?([\x60\x3b\x7c\x23]|%(25)?(60|3b|7c|23|26)|([\x3c\x3e\x24]|%(25)?(3c|3e|24))(\x28|%(25)?28))/im"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-7187; classtype:attempted-user; sid:49304; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Adobe ColdFusion arbitrary file upload attempt"; flow:to_server,established; content:"action=upload"; fast_pattern:only; http_uri; content:"|89|PNG|0D 0A 1A 0A|"; http_client_body; content:"<%"; distance:0; nocase; http_client_body; content:"Language="; within:25; nocase; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-7816; reference:url,helpx.adobe.com/security/products/coldfusion/apsb19-14.html; classtype:web-application-attack; sid:49338; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Adobe ColdFusion arbitrary file upload attempt"; flow:to_server,established; content:"action=upload"; fast_pattern:only; http_uri; content:"|89|PNG|0D 0A 1A 0A|"; http_client_body; content:"<%eval"; distance:0; nocase; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-7816; reference:url,helpx.adobe.com/security/products/coldfusion/apsb19-14.html; classtype:web-application-attack; sid:49337; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER SCADA DataRate remote code execution attempt"; flow:to_server,established; file_data; content:"c81e9084-0965-4681-8176-745619f6ce51"; fast_pattern:only; content:"port"; content:"passwordHash"; content:"serverIPAddress"; metadata:service smtp; reference:url,scadadatarate.ru; classtype:attempted-admin; sid:49441; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER SCADA DataRate remote code execution attempt"; flow:to_client,established; file_data; content:"c81e9084-0965-4681-8176-745619f6ce51"; fast_pattern:only; content:"port"; content:"passwordHash"; content:"serverIPAddress"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,scadadatarate.ru; classtype:attempted-admin; sid:49440; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12412 (msg:"SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt"; flow:to_server,established; content:"../../"; depth:6; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; isdataat:256,rawbytes; reference:url,igss.schneider-electric.com/products/igss/index.aspx; classtype:attempted-recon; sid:49439; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"SERVER-OTHER QNX Neutrino qconn unauthenticated command execution attempt"; flow:to_server,established; content:"service launcher"; depth:16; metadata:service telnet; reference:url,blackberry.qnx.com/en/products/neutrino-rtos/neutrino-rtos; classtype:attempted-admin; sid:49438; rev:1;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"SERVER-OTHER Samsung Integrated Management System Data Management Server hardcoded credentials attempt"; flow:to_server,established; content:"rkwjsdusrnth"; fast_pattern:only; content:"root"; metadata:service telnet; classtype:default-login-attempt; sid:49417; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"SERVER-OTHER Samsung Integrated Management System Data Management Server hardcoded credentials attempt"; flow:to_server,established; content:"rkwjsdusrnth"; fast_pattern:only; pcre:"/pass\s+rkwjsdusrnth/i"; metadata:service ftp; classtype:default-login-attempt; sid:49416; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1315 (msg:"SERVER-OTHER IBM solidDB denial of service attempt"; flow:to_server,established; content:"|02 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; pcre:"/(\x00\x00\xfc\x3a){200}/R"; reference:cve,2010-4055; classtype:attempted-dos; sid:49485; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Western Digital MyNet unauthenticated configuration disclosure attempt"; flow:established,to_server; content:"/main_internet.php"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2013-5006; classtype:attempted-recon; sid:49484; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Sagem Fast 3304-V1 denial of service attempt"; flow:established,to_server; content:"SubmitMaintCONFIG"; fast_pattern:only; http_uri; content:"ACTION=R%E9tablir+la+configuration+initiale"; nocase; http_raw_uri; classtype:attempted-dos; sid:49481; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1315 (msg:"SERVER-OTHER IBM solidDB denial of service attempt"; flow:to_server,established; content:"|02 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FC 3A 00 00|"; fast_pattern:only; isdataat:!31; reference:cve,2010-4056; classtype:attempted-dos; sid:49480; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER ASP webshell upload attempt"; flow:to_server,established; content:"|89|PNG|0D 0A 1A 0A|"; http_client_body; content:"<%"; distance:0; http_client_body; content:"language"; within:25; nocase; http_client_body; content:"%>"; within:35; http_client_body; pcre:"/\x89PNG\x0d\x0a\x1a\x0a((?!^--).)*?\x3c\x25.{0,25}language.{0,35}\x25\x3e/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1190/; classtype:attempted-user; sid:49460; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Perl webshell upload attempt"; flow:to_server,established; content:"|0D 0A 0D 0A FF D8 FF|"; http_client_body; content:"/usr/bin/perl"; distance:0; nocase; http_client_body; pcre:"/\x0d\x0a\x0d\x0a\xff\xd8\xff((?!^--).)*?\x2fusr\x2fbin\x2fperl/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1190/; classtype:attempted-user; sid:49459; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER PHP webshell upload attempt"; flow:to_server,established; content:"<?php"; fast_pattern:only; http_client_body; file_data; content:"|FF D8 FF|"; depth:3; content:"<?php"; distance:0; nocase; pcre:"/^\xff\xd8\xff((?!^--).)*?\x3c\x3fphp/Psim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1190/; classtype:attempted-user; sid:49458; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER PHP webshell upload attempt"; flow:to_server,established; content:"GIF8"; http_client_body; content:"a"; within:1; distance:1; http_client_body; content:"<?php"; distance:0; nocase; http_client_body; pcre:"/GIF8[79]a((?!^--).)*?\x3c\x3fphp/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1190/; classtype:attempted-user; sid:49457; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER PHP webshell upload attempt"; flow:to_server,established; content:"|89|PNG|0D 0A 1A 0A|"; http_client_body; content:"<?php"; distance:0; nocase; http_client_body; pcre:"/\x89PNG\x0d\x0a\x1a\x0a((?!^--).)*?\x3c\x3fphp/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1190/; classtype:attempted-user; sid:49456; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Perl webshell upload attempt"; flow:to_server,established; content:"GIF8"; http_client_body; content:"a"; within:1; distance:1; http_client_body; content:"/usr/bin/perl"; distance:0; nocase; http_client_body; pcre:"/GIF8[79]a((?!^--).)*?\x2fusr\x2fbin\x2fperl/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1190/; classtype:attempted-user; sid:49455; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER CFM webshell upload attempt"; flow:to_server,established; content:"|0D 0A 0D 0A FF D8 FF|"; http_client_body; content:"cfexecute"; distance:0; nocase; http_client_body; pcre:"/\x0d\x0a\x0d\x0a\xff\xd8\xff((?!^--).)*?cfexecute/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1190/; classtype:attempted-user; sid:49454; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER CFM webshell upload attempt"; flow:to_server,established; content:"GIF8"; http_client_body; content:"a"; within:1; distance:1; http_client_body; content:"cfexecute"; distance:0; nocase; http_client_body; pcre:"/GIF8[79]a((?!^--).)*?cfexecute/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1190/; classtype:attempted-user; sid:49453; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Perl webshell upload attempt"; flow:to_server,established; content:"|89|PNG|0D 0A 1A 0A|"; http_client_body; content:"/usr/bin/perl"; distance:0; nocase; http_client_body; pcre:"/\x89PNG\x0d\x0a\x1a\x0a((?!^--).)*?\x2fusr\x2fbin\x2fperl/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1190/; classtype:attempted-user; sid:49452; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER webshell upload attempt"; flow:to_server,established; content:"|0D 0A 0D 0A FF D8 FF|"; http_client_body; content:"<%"; distance:0; http_client_body; content:"language"; within:25; nocase; http_client_body; content:"%>"; within:35; http_client_body; pcre:"/\x0d\x0a\x0d\x0a\xff\xd8\xff((?!^--).)*?\x3c\x25.{0,25}language.{0,35}\x25\x3e/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:49451; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER CFM webshell upload attempt"; flow:to_server,established; content:"|89|PNG|0D 0A 1A 0A|"; http_client_body; content:"cfexecute"; distance:0; nocase; http_client_body; pcre:"/\x89PNG\x0d\x0a\x1a\x0a((?!^--).)*?cfexecute/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1190/; classtype:attempted-user; sid:49450; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER ASP webshell upload attempt"; flow:to_server,established; content:"GIF8"; http_client_body; content:"a"; within:1; distance:1; http_client_body; content:"<%"; distance:0; http_client_body; content:"language"; within:25; nocase; http_client_body; content:"%>"; within:35; http_client_body; pcre:"/GIF8[79]a((?!^--).)*?\x3c\x25.{0,25}language.{0,35}\x25\x3e/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1190/; classtype:attempted-user; sid:49449; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER OpenMRS getExactPatients.action information disclosure attempt"; flow:to_server,established; content:"/registrationapp/matchingPatients/getExactPatients|2E|action"; fast_pattern:only; http_uri; content:"appId"; nocase; http_uri; content:"referenceapplication|2E|registrationapp|2E|registerPatient"; within:200; nocase; http_uri; content:!"jsessionid"; nocase; http_header; metadata:service http; reference:url,openmrs.org; classtype:attempted-admin; sid:49554; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER WordPress wp_user_roles configuration change attempt"; flow:to_server,established; content:"/admin-post.php"; fast_pattern:only; http_uri; content:"default_role"; nocase; http_client_body; content:"administrator"; within:45; nocase; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1190/; reference:url,plugins.trac.wordpress.org/changeset/2052058/easy-wp-smtp/trunk/easy-wp-smtp.php; classtype:web-application-attack; sid:49540; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER WordPress wp_user_roles configuration change attempt"; flow:to_server,established; content:"/admin-ajax.php"; fast_pattern:only; http_uri; content:"default_role"; nocase; http_client_body; content:"administrator"; within:45; nocase; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1190/; reference:url,plugins.trac.wordpress.org/changeset/2052058/easy-wp-smtp/trunk/easy-wp-smtp.php; classtype:web-application-attack; sid:49539; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 800 (msg:"SERVER-OTHER Century Star SCADA directory traversal attempt"; flow:to_server,established; content:"POST"; depth:4; content:"..|5C 2F|"; distance:0; reference:url,chncla.com/chinese/product/Showproduct.asp?ID=768; classtype:attempted-admin; sid:49602; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 800 (msg:"SERVER-OTHER Century Star SCADA directory traversal attempt"; flow:to_server,established; content:"GET"; depth:3; content:"..|5C 2F|"; distance:0; reference:url,chncla.com/chinese/product/Showproduct.asp?ID=768; classtype:attempted-admin; sid:49601; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER ipTime G104BE directory traversal attempt"; flow:to_server,established; content:"testbin/"; fast_pattern:only; content:"testbin/"; depth:9; http_raw_uri; pcre:"/testbin\/[^&]*?(\x2e|%(25)?2e){2}([\x2f\x5c]|%(25)?(2f|5c))/Ii"; metadata:service http; reference:url,iptime.com/iptime/; classtype:web-application-attack; sid:49652; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4840 (msg:"SERVER-OTHER Atvise SCADA arbitrary file disclosure attempt"; flow:to_server,established; content:"MSG"; content:"|01 00 77 02|"; distance:0; content:"external_filecontents"; distance:0; flowbits:isset,afbsetup; flowbits:isset,afbreload; reference:url,atvise.com/en/products-solutions/atvise-scada; classtype:web-application-attack; sid:49634; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4840 (msg:"SERVER-OTHER Atvise SCADA arbitrary file disclosure attempt"; flow:to_server,established; content:"MSG"; content:"|01 00 C8 02|"; distance:0; content:"AGENT.GENERATOR.METHODS.reloadExternalFiles"; distance:0; flowbits:isset,afbsetup; flowbits:set,afbreload; flowbits:noalert; reference:url,atvise.com/en/products-solutions/atvise-scada; classtype:web-application-attack; sid:49633; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4840 (msg:"SERVER-OTHER Atvise SCADA arbitrary file disclosure attempt"; flow:to_server,established; content:"MSG"; content:"|01 00 A1 02|"; distance:0; content:".external_filenames"; distance:0; content:"file://"; distance:0; flowbits:set,afbsetup; flowbits:noalert; reference:url,atvise.com/en/products-solutions/atvise-scada; classtype:web-application-attack; sid:49632; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> any any (msg:"SERVER-OTHER PHP gdImageColorMatch heap buffer overflow file download attempt"; flow:to_client,established; file_data; content:"imagecreatetruecolor(1, 1)"; fast_pattern:only; content:"imagecreate(1, 1)"; nocase; content:"imagecolormatch"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-6977; reference:url,bugs.php.net/bug.php?id=77270; classtype:web-application-attack; sid:49673; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER PHP gdImageColorMatch heap buffer overflow file upload attempt"; flow:to_server,established; content:"imagecreatetruecolor(1, 1)"; fast_pattern:only; http_client_body; content:"imagecreate(1, 1)"; nocase; http_client_body; content:"imagecolormatch"; nocase; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-6977; reference:url,bugs.php.net/bug.php?id=77270; classtype:web-application-attack; sid:49672; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8500 (msg:"SERVER-OTHER Hashicorp Consul services API remote code exectuion attempt"; flow:to_server,established; content:"/v1/agent/service/register"; fast_pattern:only; http_uri; content:"PUT"; http_method; file_data; content:"check"; content:"script"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.rapid7.com/db/modules/exploit/multi/misc/consul_service_exec; classtype:attempted-admin; sid:49670; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5404:5406 (msg:"SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected"; flow:stateless; content:"|FE FE 00 00|"; depth:4; dsize:0<>64; reference:cve,2018-1084; reference:url,www.securityfocus.com/bid/103758/info; classtype:misc-attack; sid:49884; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5404:5406 (msg:"SERVER-OTHER Corosync 2.3+ with sha384 integer overflow attempt detected"; flow:stateless; content:"|FE FE 00 00|"; depth:4; dsize:0<>48; reference:cve,2018-1084; reference:url,www.securityfocus.com/bid/103758/info; classtype:misc-attack; sid:49883; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5404:5406 (msg:"SERVER-OTHER Corosync 2.3+ with sha256 integer overflow attempt detected"; flow:stateless; content:"|FE FE 00 00|"; depth:4; dsize:0<>32; reference:cve,2018-1084; reference:url,www.securityfocus.com/bid/103758/info; classtype:misc-attack; sid:49882; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5404:5406 (msg:"SERVER-OTHER Corosync 2.3+ with md5 integer overflow attempt detected"; flow:stateless; content:"|FE FE 00 00|"; depth:4; dsize:0<>16; reference:cve,2018-1084; reference:url,www.securityfocus.com/bid/103758/info; classtype:misc-attack; sid:49881; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5404:5406 (msg:"SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected"; flow:stateless; content:"|FE FE 00 00|"; depth:4; dsize:0<>20; reference:cve,2018-1084; reference:url,www.securityfocus.com/bid/103758/info; classtype:misc-attack; sid:49880; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Drager X-Dock dxmanager denial of service attempt"; flow:to_server,established; isdataat:87; content:"|4C 3C 9C 89 8F 50 EC C5 2B 69 9B E7 C1 CC ED 48 B8 96 4D 1F 70 C9 CC 31 EE 45 3B 11 ED 4F 3F|"; fast_pattern:only; classtype:attempted-dos; sid:49872; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt"; flow:to_server,established; content:"|00 00|"; depth:2; content:"2|00 00|"; content:"2|00|8|00|"; content:".|00|e|00|x|00|e"; within:100; nocase; metadata:policy max-detect-ips drop; reference:cve,2011-0922; reference:cve,2013-2347; reference:cve,2014-2623; classtype:attempted-admin; sid:49893; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt"; flow:to_server,established; content:"|00 00|"; depth:2; content:"2|00|"; content:"11|00|"; content:".exe"; nocase; pcre:"/(\x31\x31\0)([^\0]+\0){11}([^\0]+.exe)/i"; metadata:policy max-detect-ips drop; reference:cve,2011-0922; reference:cve,2013-2347; reference:cve,2014-2623; classtype:attempted-admin; sid:49892; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt"; flow:to_server,established; content:"|00 00|"; depth:2; content:"2|00 00|"; content:"1|00|1|00|"; content:".|00|e|00|x|00|e"; distance:0; nocase; metadata:policy max-detect-ips drop; reference:cve,2011-0922; reference:cve,2013-2347; reference:cve,2014-2623; classtype:attempted-admin; sid:49891; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt"; flow:to_server,established; content:"|00 00|"; depth:2; content:"2|00|"; content:"28|00|"; content:".exe"; within:100; nocase; pcre:"/(\x32\x38\0)([^\0]+.exe)/i"; metadata:policy max-detect-ips drop; reference:cve,2011-0922; reference:cve,2013-2347; reference:cve,2014-2623; classtype:attempted-admin; sid:49890; rev:1;)