# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. # # This file contains (i) proprietary rules that were created, tested and certified by # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by # Sourcefire and other third parties (the "GPL Rules") that are distributed under the # GNU General Public License (GPL), v2. # # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a # list of third party owners and their respective copyrights. # # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer # to the VRT Certified Rules License Agreement (v2.0). # #-------------------- # SERVER-OTHER RULES #-------------------- # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Multiple products UNIX platform backslash directory traversal attempt"; flow:to_server,established; content:"/%5C.."; fast_pattern:only; content:"/%5C.."; http_raw_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,22960; reference:bugtraq,67244; reference:bugtraq,99515; reference:cve,2007-0450; reference:cve,2014-0130; reference:cve,2017-10974; reference:cve,2017-16744; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; reference:url,weblog.rubyonrails.org/2014/5/6/Rails_3_2_18_4_0_5_and_4_1_1_have_been_released/; classtype:web-application-attack; sid:17391; rev:16;) # alert tcp $EXTERNAL_NET 5190 -> $HOME_NET any (msg:"SERVER-OTHER Trillian AIM XML tag handling heap buffer overflow attempt"; flow:to_client,established; content:"*|02|"; depth:2; content:"|00 04 00 07|"; within:4; distance:4; content:"<>"; distance:0; isdataat:1023; 
content:!"|00|"; within:1023; metadata:policy max-detect-ips drop; reference:bugtraq,32645; reference:cve,2008-5403; reference:url,dev.aol.com/aim/oscar/; classtype:attempted-user; sid:16514; rev:10;) # alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER multiple products blacknurse ICMP denial of service attempt"; icode:3; itype:3; detection_filter:track by_src,count 250,seconds 1; metadata:ruleset community; reference:cve,2011-1871; reference:url,soc.tdc.dk/blacknurse/blacknurse.pdf; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-083; classtype:attempted-dos; sid:19678; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"SERVER-OTHER BrightStor ARCserve backup tape engine buffer overflow attempt"; flow:established, to_server; dce_iface:dc246bf0-7a7a-11ce-9f88-00805fe43838; dce_opnum:45; isdataat:500; metadata:policy max-detect-ips drop; reference:bugtraq,21221; reference:cve,2006-6076; classtype:attempted-admin; sid:18285; rev:6;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"SERVER-OTHER Oracle Java Runtime Environment .hotspotrc file load exploit attempt"; flow:to_server,established; content:".|00|h|00|o|00|t|00|s|00|p|00|o|00|t|00|r|00|c|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:url,secunia.com/advisories/45173; classtype:attempted-user; sid:19601; rev:5;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"SERVER-OTHER Oracle Java Runtime Environment .hotspot_compiler file load exploit attempt"; flow:to_server,established; content:".|00|h|00|o|00|t|00|s|00|p|00|o|00|t|00|_|00|c|00|o|00|m|00|p|00|i|00|l|00|e|00|r|00 00 00|"; fast_pattern:only; metadata:service netbios-ssn; reference:url,secunia.com/advisories/45173; classtype:attempted-user; sid:19602; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-OTHER Novell Client NetIdentity Agent remote arbitrary pointer dereference code 
execution attempt"; flow:to_server,established; content:"|EC 6B 4D 0F 47 DE 0B 4A 7A 53 54 6C 69 63 4E 45 6E 58 44 46 4C 53 48 70 53 6E 64 65 58 76 57 56|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,34400; reference:cve,2009-1350; classtype:attempted-admin; sid:29536; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-OTHER Novell Client NetIdentity Agent remote arbitrary pointer dereference code execution attempt"; flow:to_server,established; content:"|02 00 00 00 FF FF FF FF 60 07 A0 00 5C 07 A0 00 68 07 A0 00 6A 4A 59 D9 EE D9 74 24|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,34400; reference:cve,2009-1350; classtype:attempted-admin; sid:18589; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-OTHER Novell Client NetIdentity Agent remote arbitrary pointer dereference code execution attempt"; flow:to_server,established; content:"|02 00 00 00 FF FF FF FF|PPPPAAAA"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,34400; reference:cve,2009-1350; classtype:attempted-admin; sid:17057; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-OTHER Novell NetIdentity Agent XTIERRPCPIPE remote code execution attempt"; flow:to_server,established; content:"|02 00 00 00 00 00 00 00 40 09 B9 00|"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,34400; reference:cve,2009-1350; classtype:attempted-admin; sid:17056; rev:10;) # alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER ntp monlist denial of service attempt"; flow:to_server,no_stream; content:"|17 00 03 2A|"; depth:4; detection_filter:track by_dst, count 1000, seconds 5; metadata:service ntp; reference:cve,2013-5211; reference:url,attack.mitre.org/techniques/T1209; classtype:attempted-dos; sid:29393; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER McAfee 
LHA Type-2 file handling overflow attempt"; flow:to_server,established; content:"IcMtbGgwLRgAAAAFAAAA+rttMCABCHRlc3RmaWxl+BtVBQBQtIGUAQFVVVVV"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,12832; reference:cve,2005-0644; classtype:attempted-user; sid:17736; rev:10;) # alert udp any 19 <> any 7 (msg:"SERVER-OTHER UDP echo+chargen bomb"; flow:to_server; metadata:ruleset community; reference:cve,1999-0103; reference:cve,1999-0635; classtype:attempted-dos; sid:271; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"SERVER-OTHER RealNetworks Audio Server denial of service attempt"; flow:to_server,established; content:"|FF F4 FF FD 06|"; fast_pattern:only; metadata:ruleset community; reference:cve,1999-0271; reference:nessus,10183; classtype:attempted-dos; sid:276; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"SERVER-OTHER RealNetworks Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,1288; reference:cve,2000-0474; reference:nessus,10461; classtype:attempted-dos; sid:277; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-OTHER RealNetworks Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:278; rev:13;) # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SERVER-OTHER Bay/Nortel Nautica Marlin"; flow:to_server; dsize:0; metadata:ruleset community; reference:bugtraq,1009; reference:cve,2000-0221; classtype:attempted-dos; sid:279; rev:10;) # alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"SERVER-OTHER Ascend Route"; flow:to_server; content:"NAMENAME"; depth:50; offset:25; metadata:ruleset community; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:281; rev:12;) # alert tcp $EXTERNAL_NET any 
-> $HOME_NET 135:139 (msg:"SERVER-OTHER Winnuke attack"; flow:stateless; flags:U+; metadata:ruleset community; reference:bugtraq,2010; reference:cve,1999-0153; classtype:attempted-dos; sid:1257; rev:15;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"SERVER-OTHER MSDTC attempt"; flow:to_server,established; dsize:>1023; metadata:ruleset community; reference:bugtraq,4006; reference:cve,2002-0224; reference:nessus,10939; classtype:attempted-dos; sid:1408; rev:16;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6004 (msg:"SERVER-OTHER iParty DOS attempt"; flow:to_server,established; content:"|FF FF FF FF FF FF|"; metadata:ruleset community; reference:bugtraq,6844; reference:cve,1999-1566; reference:nessus,10111; classtype:misc-attack; sid:1605; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6789:6790 (msg:"SERVER-OTHER DB2 dos attempt"; flow:to_server,established; dsize:1; metadata:ruleset community; reference:bugtraq,3010; reference:cve,2001-1143; reference:nessus,10871; classtype:denial-of-service; sid:1641; rev:15;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Cisco denial of service attempt"; flow:to_server,established; dsize:1; content:"|13|"; metadata:ruleset community, service http; classtype:web-application-attack; sid:1545; rev:14;) # alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP invalid identification payload attempt"; flow:to_server; content:"|05|"; depth:1; offset:16; byte_test:1,!&,1,19; byte_test:1,>,8,32; byte_test:2,>,0,30; byte_test:2,<,10,30; byte_test:2,!=,8,30; metadata:ruleset community; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2486; rev:13;) # alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"SERVER-OTHER squid WCCP I_SEE_YOU message overflow attempt"; flow:to_server; content:"|00 00 00 08|"; depth:4; byte_test:4,>,32,16; metadata:ruleset community; reference:bugtraq,12275; reference:cve,2005-0095; classtype:attempted-user; sid:3089; rev:9;) # 
alert udp $EXTERNAL_NET any -> $HOME_NET 646 (msg:"SERVER-OTHER tcpdump udp LDP print zero length message denial of service attempt"; flow:to_server; content:"|00 00|"; depth:2; offset:12; reference:bugtraq,13389; reference:cve,2005-1279; reference:url,www.frsirt.com/english/advisories/2005/0410; classtype:attempted-dos; sid:4141; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 646 (msg:"SERVER-OTHER tcpdump tcp LDP print zero length message denial of service attempt"; flow:stateless; content:"|00 00|"; depth:2; offset:12; reference:bugtraq,13389; reference:cve,2005-1279; reference:url,www.frsirt.com/english/advisories/2005/0410; classtype:attempted-dos; sid:4140; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 9191 (msg:"SERVER-OTHER CA eTrust key handling dos -- password"; flow:to_server,established; content:"|01 06 00 00 00|"; depth:5; offset:2; byte_test:4,<,4,128,relative, little; metadata:policy max-detect-ips drop; reference:bugtraq,22743; reference:cve,2007-1005; classtype:denial-of-service; sid:11186; rev:7;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-OTHER Oracle TNS Service_CurLoad command"; flow:to_server,established; content:"COMMAND=SERVICE_CURLOAD"; fast_pattern:only; reference:bugtraq,5678; reference:cve,2002-1118; classtype:attempted-dos; sid:12594; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER utf8 filename transfer attempt"; flow:to_server,established; content:"filename*=utf-8"; fast_pattern:only; metadata:service smtp; reference:bugtraq,15408; reference:cve,2005-3573; classtype:suspicious-filename-detect; sid:12597; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"SERVER-OTHER Spiffit UDP denial of service attempt"; flow:to_server,no_stream; dsize:10; content:"@0"; fast_pattern:only; pcre:"/@0\x00*$/sm"; detection_filter:track by_src, count 10, seconds 100; reference:cve,1999-0194; classtype:attempted-dos; sid:9622; rev:10;) # alert tcp $EXTERNAL_NET any <> $HOME_NET 
179 (msg:"SERVER-OTHER BGP spoofed connection reset attempt"; flow:established,no_stream; flags:RSF*; detection_filter:track by_dst,count 10,seconds 10; metadata:ruleset community; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2523; rev:15;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 2775 (msg:"SERVER-OTHER Curse of Silence Nokia SMS DoS attempt"; flow:to_server,established; content:"|02|03|3A|"; content:"|09|052|3A|2|09|"; distance:0; content:"|09|033|3A|"; pcre:"/\x09033\x3a(?=[^\s]+\x40[^\s]+)[^\x20\x09]{33}/"; reference:bugtraq,33072; classtype:attempted-dos; sid:15572; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 50000 (msg:"SERVER-OTHER IBM DB2 database server SQLSTT denial of service attempt"; flow:to_server,established; content:"|24 14|"; content:"|D0|"; within:1; distance:-8; byte_test:1,!&,1,0,relative; byte_test:1,!&,2,0,relative; byte_test:1,&,4,0,relative; byte_test:1,!&,8,0,relative; metadata:policy max-detect-ips drop; reference:cve,2009-0173; classtype:denial-of-service; sid:16364; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER SAPLPD 0x53 command denial of service attempt"; flow:to_server,established; content:"S"; depth:1; dsize:<4; reference:bugtraq,27613; reference:cve,2008-0621; classtype:attempted-dos; sid:15892; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"SERVER-OTHER SolarWinds TFTP Server Read request denial of service attempt"; flow:to_server; content:"|00 01|"; depth:2; pcre:"/^[^\x00]*?[\x01-\x1F\x7F-\xFF]/R"; reference:bugtraq,40333; reference:cve,2010-2115; classtype:attempted-dos; sid:18933; rev:3;) # alert udp $EXTERNAL_NET 123 -> $HOME_NET 123 (msg:"SERVER-OTHER ntp mode 7 denial of service attempt"; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; reference:bugtraq,37255; reference:cve,2009-3563; reference:url,attack.mitre.org/techniques/T1209; classtype:attempted-dos; sid:16350; 
rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER SpamAssassin GTube string denial of service attempt"; flow:to_server,established; content:"XJS|2A|C4JDBQADN1|2E|NSBN3|2A|2IDNEN|2A|GTUBE|2D|STANDARD|2D|ANTI|2D|UBE|2D|TEST|2D|EMAIL|2A|C|2E|34X"; nocase; metadata:service smtp; reference:cve,2004-0796; classtype:attempted-dos; sid:20741; rev:4;) # alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"SERVER-OTHER vsFTPd denial of service attempt"; flow:to_client,established,no_stream; content:"220"; depth:3; content:"vsFTPd"; nocase; isdataat:6; content:!"|0D 0A|"; within:6; content:"1."; byte_test:1,<=,2,0,relative,string,dec; byte_test:1,<,2,2,relative,string,dec; detection_filter:track by_src, count 50, seconds 30; metadata:service ftp; reference:cve,2004-2259; classtype:attempted-dos; sid:21445; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [7145,7144] (msg:"SERVER-OTHER EMC RepliStor denial of service attempt"; flow:to_server,established; content:"|54 93 00 00|"; depth:4; byte_test:4,>,0xFFFF,12,relative,little; reference:cve,2009-3744; classtype:attempted-dos; sid:21485; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"SERVER-OTHER Blue Coat Systems WinProxy telnet denial of service attempt"; flow:to_server,established; isdataat:750; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:32; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; within:32; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; within:32; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; within:32; pcre:"/\xff{32}$/"; metadata:service telnet; reference:cve,2005-3654; classtype:attempted-dos; sid:21662; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER CA BrightStor ARCserve Backup denial of 
service attempt"; flow:to_server,established; content:"|00 06 09 82|"; depth:4; offset:16; content:"|00 00 00 01 00 00 00 01|"; within:8; byte_jump:4,16,relative,align; content:"|00 00|"; within:2; distance:-2; reference:cve,2007-5332; classtype:attempted-dos; sid:21763; rev:2;) # alert udp $HOME_NET 68 -> $HOME_NET 67 (msg:"SERVER-OTHER ISC dhcpd discover hostname overflow attempt"; flow:to_server; content:"|01 01 06 00|"; depth:4; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:18; distance:6; content:"|63 82 53 63 35 01 01|"; distance:0; fast_pattern; content:"|0C 40|"; distance:0; content:"|0C 40|"; within:2; distance:64; content:"|0C 40|"; within:2; distance:64; content:"|0C 40|"; within:2; distance:64; content:"|0C 40|"; within:2; distance:64; content:"|0C 40|"; within:2; distance:64; content:"|0C 40|"; within:2; distance:64; content:"|0C 40|"; within:2; distance:64; content:"|0C 40|"; within:2; distance:64; content:"|0C 40|"; within:2; distance:64; reference:bugtraq,10590; reference:cve,2004-0460; classtype:attempted-dos; sid:21952; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 8200 (msg:"SERVER-OTHER Multiple Vendors SOAP large array parameter DoS attempt"; flow:to_server,established; content:"SOAP-ENC:"; nocase; pcre:"/^(arraytype|position)\x3d\x22[^\x5b]*?\x5b[^\x5d]{7}/iR"; metadata:service http; reference:bugtraq,9877; reference:cve,2004-1815; classtype:attempted-dos; sid:23359; rev:2;) # alert udp $HOME_NET 68 -> 255.255.255.255 67 (msg:"SERVER-OTHER DHCP discover broadcast flood attempt"; flow:to_server,no_stream; content:"|63 82 53 63 35|"; fast_pattern:only; detection_filter:track by_dst, count 1000, seconds 1; metadata:service dhcp; reference:bugtraq,53649; reference:url,funoverip.net/2010/12/dhcp-denial-of-service-with-scapy/; classtype:denial-of-service; sid:23998; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt"; 
content:"|6A|"; depth:1; byte_test:1,!&,0x80,0,relative; content:"|00|"; within:1; distance:2; metadata:service kerberos; reference:cve,2011-0283; reference:url,attack.mitre.org/techniques/T1097; classtype:denial-of-service; sid:24372; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 2427 (msg:"SERVER-OTHER VxWorks RPC request to MGCP service attempt"; content:"|00 00 00 00 00 00 00 02 00 01 86 A0 00 01 97 7C 00 00 00 00|"; depth:24; offset:4; byte_jump:4,4,relative; byte_jump:4,4,relative; content:"|00|"; within:1; classtype:denial-of-service; sid:24522; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 37452 (msg:"SERVER-OTHER Quest NetVault SmartDisk libnvbasics.dll denial of service attempt"; flow:to_server,established; content:"|01 00 00 00 C8|"; depth:5; offset:8; byte_extract:4,0,sizeOfEntries,relative,little; isdataat:!sizeOfEntries; reference:bugtraq,48029; reference:url,telussecuritylabs.com/threats/show/TSL20110602-02; classtype:denial-of-service; sid:20690; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 37452 (msg:"SERVER-OTHER Quest NetVault SmartDisk libnvbasics.dll denial of service attempt"; flow:to_server,established; byte_test:4,>,1000000000,0,little; isdataat:!5; reference:bugtraq,48029; reference:url,telussecuritylabs.com/threats/show/TSL20110602-02; classtype:denial-of-service; sid:24627; rev:2;) # alert udp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"SERVER-OTHER Cisco IOS syslog message flood denial of service attempt"; flow:to_server,no_stream; content:"%%%%%X"; fast_pattern:only; detection_filter:track by_dst, count 50, seconds 1; metadata:service syslog; reference:bugtraq,3096; reference:cve,2001-1097; classtype:attempted-dos; sid:25101; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 464 (msg:"SERVER-OTHER MIT Kerberos kpasswd process_chpw_request denial of service attempt"; flow:to_server,established; content:"|A1 03 02 01 05 A2 03 02 01|"; depth:9; offset:10; content:!"|FF 80|"; depth:2; offset:6; reference:bugtraq,47310; 
reference:cve,2011-0285; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2011-004.txt; classtype:attempted-dos; sid:26769; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER MIT Kerberos libkdb_ldap principal name handling denial of service attempt"; flow:to_server,no_stream; content:"|A1 03 02 01 05 A2|"; depth:12; content:"|1B|"; within:50; pcre:"/[^\xa2\x1b]+?[*()\x5c#\x22+,\x3b<>]/R"; detection_filter:track by_src, count 25, seconds 5; metadata:service kerberos; reference:bugtraq,46265; reference:bugtraq,46271; reference:cve,2011-0281; reference:cve,2011-0282; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt; classtype:attempted-dos; sid:26759; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Foswiki/Twiki MAKETEXT command execution attempt"; flow:to_server,established; content:"WIKISID="; http_cookie; content:"MAKETEXT"; http_client_body; content:"sh"; distance:0; http_client_body; metadata:service http; reference:bugtraq,56950; reference:cve,2012-6329; classtype:attempted-admin; sid:26906; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Apache Struts2 skillName remote code execution attempt"; flow:to_server,established; content:"edit.action?"; http_uri; content:"skillName=|7B 28 23|"; fast_pattern:only; http_uri; pcre:"/skillName\x3D\x7B\x28\x23/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,60082; reference:cve,2013-1965; classtype:attempted-admin; sid:26772; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER SSL TLS deflate compression weakness brute force attempt"; flow:to_server,established,no_stream; flowbits:isset,tls.deflate; dsize:1<>1000; detection_filter:track by_src,count 500,seconds 1; metadata:service ssl; reference:bugtraq,55704; reference:cve,2012-4929; 
reference:url,attack.mitre.org/techniques/T1110; classtype:attempted-recon; sid:26645; rev:5;) # alert tcp $HOME_NET 443 -> $EXTERNAL_NET any (msg:"SERVER-OTHER SSL TLS DEFLATE compression detected"; flow:to_client,established; ssl_state:server_hello; ssl_version:tls1.0,tls1.1; content:"|16 03|"; depth:2; byte_test:1,&,1,78; flowbits:set,tls.deflate; flowbits:noalert; metadata:service ssl; classtype:misc-activity; sid:26644; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Adobe ColdFusion adminapi information disclosure attempt"; flow:to_server,established; content:"/CFIDE/adminapi/customtags/l10n.cfm"; fast_pattern; nocase; http_uri; content:"../"; distance:0; http_uri; metadata:service http; reference:bugtraq,59773; reference:cve,2013-3336; reference:url,www.adobe.com/support/security/advisories/apsa13-03.html; classtype:attempted-recon; sid:26621; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg:"SERVER-OTHER PostgreSQL database name command line injection attempt"; flow:to_server,established; content:"user|00|"; depth:5; offset:8; content:"database|00|-"; within:70; pcre:"/^.{8}user\x00[^\x00]+?\x00database\x00-[^\x00]+?\x00/"; metadata:service http; reference:cve,2013-1899; reference:url,www.postgresql.org/support/security/faq/2013-04-04/; classtype:attempted-user; sid:26586; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER Autonomy Ultraseek cs.html url parameter with url - possible malicious redirection attempt"; flow:to_server,established; content:"/cs.html?url=http://"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2009-0347; classtype:misc-attack; sid:26542; rev:3;) # alert tcp $EXTERNAL_NET 5900 -> $HOME_NET any (msg:"SERVER-OTHER UltraVNC Listening mode stack buffer overflow attempt"; flow:to_client,established; content:"RFB 0"; depth:5; content:".016|0A|"; within:5; distance:2; isdataat:1100,relative; content:!"|00|"; within:1100; distance:2; 
metadata:service vnc-server; reference:cve,2008-0610; classtype:attempted-user; sid:26455; rev:2;) # alert tcp $EXTERNAL_NET 5900 -> $HOME_NET any (msg:"SERVER-OTHER UltraVNC Listening mode stack buffer overflow attempt"; flow:to_client,established; content:"RFB 0"; depth:5; content:".014|0A|"; within:5; distance:2; isdataat:1100,relative; content:!"|00|"; within:1100; distance:2; metadata:service vnc-server; reference:cve,2008-0610; classtype:attempted-user; sid:26454; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 19810 (msg:"SERVER-OTHER Bopup Communications server buffer overflow attempt"; flow:to_server,established; content:"|01 00 00 00|"; depth:4; isdataat:300,relative; reference:bugtraq,43836; reference:cve,2009-2227; classtype:attempted-user; sid:26394; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6661 (msg:"SERVER-OTHER BigAnt Document Service DUPF command arbitrary file upload attempt"; flow:to_server,established; content:"cmdid: "; fast_pattern:only; content:"DUPF"; depth:4; content:"filename:"; distance:0; nocase; content:"/../"; distance:0; metadata:policy max-detect-ips drop; reference:bugtraq,57214; reference:cve,2012-6274; classtype:attempted-admin; sid:26390; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6661 (msg:"SERVER-OTHER BigAnt Document Service DUPF command arbitrary file upload attempt"; flow:to_server,established; content:"cmdid: "; fast_pattern:only; content:"DUPF"; depth:4; content:"filename:"; distance:0; nocase; content:"|5C|..|5C|"; distance:0; metadata:policy max-detect-ips drop; reference:bugtraq,57214; reference:cve,2012-6274; classtype:attempted-admin; sid:26389; rev:5;) # alert tcp any any -> $HOME_NET 23 (msg:"SERVER-OTHER Polycom HDX authorization bypass attempt"; flow:to_server,established; content:"setenv othbootargs |22|devboot=bogus|22|"; fast_pattern:only; metadata:service telnet; reference:bugtraq,58523; classtype:attempted-admin; sid:26386; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"SERVER-OTHER Squid proxy Accept-Language denial of service attempt"; flow:to_server,established; content:"Accept-Language|3A 20 2C|"; fast_pattern:only; http_header; metadata:service http; reference:bugtraq,58316; reference:cve,2013-1839; classtype:denial-of-service; sid:26379; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [13838] (msg:"SERVER-OTHER HP LeftHand Virtual SAN hydra snmp request buffer overflow attempt"; flow:to_server,established; content:"set|3A|/lhn/public/network/snmp/traps/testTrap"; fast_pattern:only; byte_test:4,>,1066,8; metadata:policy security-ips drop; reference:cve,2012-3284; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03661318; classtype:attempted-admin; sid:26336; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [13838] (msg:"SERVER-OTHER HP LeftHand Virtual SAN hydra diag request buffer overflow attempt"; flow:to_server,established; content:"set|3A|/lhn/public/system/diag/getListSupportTest/"; fast_pattern:only; byte_test:4,>=,4143,8; metadata:policy security-ips drop; reference:cve,2012-3283; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03661318; classtype:attempted-admin; sid:26334; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [13838] (msg:"SERVER-OTHER HP LeftHand Virtual SAN hydra diag request buffer overflow attempt"; flow:to_server,established; content:"set|3A|/lhn/public/system/diag/getListSafeTest/"; fast_pattern:only; byte_test:4,>=,4140,8; metadata:policy security-ips drop; reference:cve,2012-3283; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03661318; classtype:attempted-admin; sid:26333; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Coppermine Photo Gallery picEditor.php command execution attempt"; flow:to_server,established; content:"picEditor.php"; fast_pattern:only; http_uri; content:"POST"; http_method; content:"clipval="; http_client_body; content:"newimage="; 
http_client_body; content:"../"; distance:0; http_client_body; metadata:service http; reference:cve,2008-0506; classtype:attempted-admin; sid:26316; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Coppermine Photo Gallery picEditor.php command execution attempt"; flow:to_server,established; content:"picEditor.php"; fast_pattern:only; http_uri; content:"POST"; http_method; content:"quality="; http_client_body; content:"newimage="; http_client_body; content:"../"; distance:0; http_client_body; metadata:service http; reference:cve,2008-0506; classtype:attempted-admin; sid:26315; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Coppermine Photo Gallery picEditor.php command execution attempt"; flow:to_server,established; content:"picEditor.php"; fast_pattern:only; http_uri; content:"POST"; http_method; content:"angle="; http_client_body; content:"newimage="; http_client_body; content:"../"; distance:0; http_client_body; metadata:service http; reference:cve,2008-0506; classtype:attempted-admin; sid:26314; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 27017 (msg:"SERVER-OTHER MongoDB nativeHelper.apply method command injection attempt"; flow:to_server,established; content:"nativeHelper.apply("; fast_pattern:only; pcre:"/nativeHelper\.apply\(\s*?\{\s*?[\x22\x27]\s*?x\s*?[\x22\x27]\s*?:\s*?(0x)?\d/i"; reference:bugtraq,58695; reference:cve,2013-1892; classtype:attempted-admin; sid:26262; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 998 (msg:"SERVER-OTHER Novell ZENworks Configuration Management Preboot service code overflow attempt"; flow:to_server,established; content:"|00 00 00 21|"; depth:4; byte_test:4,>,0x200,0,relative,big; reference:bugtraq,40486; classtype:attempted-admin; sid:26180; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2207 (msg:"SERVER-OTHER HP Linux Imaging and Printing Project hpssd daemon command injection attempt"; flow:to_server,established; 
content:"email-to-address"; nocase; content:"&"; distance:0; pcre:"/^email-to-address(es)?=[^\r\n]*?[\x3b\x26]/mi"; reference:bugtraq,26054; reference:cve,2007-5208; classtype:attempted-admin; sid:26108; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2207 (msg:"SERVER-OTHER HP Linux Imaging and Printing Project hpssd daemon command injection attempt"; flow:to_server,established; content:"email-from-address="; nocase; content:"&"; distance:0; pcre:"/^email-from-address=[^\r\n]*?[\x3b\x26]/mi"; reference:bugtraq,26054; reference:cve,2007-5208; classtype:attempted-admin; sid:26107; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [3600:3699,3900:3999] (msg:"SERVER-OTHER SAP NetWeaver Message Server buffer overflow attempt"; flow:to_server,established; content:"**MESSAGE**|00|"; depth:12; offset:4; content:"|05|"; within:1; distance:55; content:"AD-EYECATCH|00|"; within:12; distance:42; content:"|15|"; within:1; distance:24; byte_test:1,>,78,6,relative; reference:cve,2013-1593; reference:url,service.sap.com/sap/support/notes/1800603; classtype:attempted-admin; sid:26074; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [3600:3699,3900:3999] (msg:"SERVER-OTHER SAP NetWeaver Message Server buffer overflow attempt"; flow:to_server,established; content:"**MESSAGE**|00|"; depth:12; offset:4; byte_test:1,>=,0x0c,55,relative; byte_test:1,<=,0x0d,55,relative; byte_test:4,>,256,106,relative; reference:cve,2013-1592; reference:url,service.sap.com/sap/support/notes/1800603; classtype:attempted-admin; sid:26073; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER SSLv3 plaintext recovery attempt"; flow:to_client,established,only_stream; isdataat:53; isdataat:!54; ssl_version:sslv3; content:"|15 03 00 00 30|"; depth:5; detection_filter:track by_dst, count 100, seconds 5; metadata:service ssl; reference:cve,2013-0169; classtype:attempted-recon; sid:25828; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER TLSv1.2 plaintext 
recovery attempt"; flow:to_client,established,only_stream; isdataat:53; isdataat:!54; ssl_version:tls1.2; content:"|15 03 03 00 30|"; depth:5; detection_filter:track by_dst, count 100, seconds 5; metadata:service ssl; reference:cve,2013-0169; classtype:attempted-recon; sid:25827; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER TLSv1.1 plaintext recovery attempt"; flow:to_client,established,only_stream; isdataat:53; isdataat:!54; ssl_version:tls1.1; content:"|15 03 02 00 30|"; depth:5; detection_filter:track by_dst, count 100, seconds 5; metadata:service ssl; reference:cve,2013-0169; classtype:attempted-recon; sid:25826; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER TLSv1.0 plaintext recovery attempt"; flow:to_client,established,only_stream; isdataat:53; isdataat:!54; ssl_version:tls1.0; content:"|15 03 01 00 30|"; depth:5; detection_filter:track by_dst, count 100, seconds 5; metadata:service ssl; reference:cve,2013-0169; classtype:attempted-recon; sid:25825; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,5555] (msg:"SERVER-OTHER MiniUPnPd ExecuteSoapAction buffer overflow attempt"; flow:to_server,established; content:"SOAPAction|3A|"; fast_pattern:only; http_header; pcre:"/SOAPAction\x3A\s*?\x22[^\x22\x23]+?\x23([^\x22]{2048}|[^\x22]+$)/Hsi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2013-0230; reference:cve,2013-1462; classtype:attempted-admin; sid:25780; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 19813 (msg:"SERVER-OTHER HP Data Protector Media Operations directory traversal attempt"; flow:to_client,established; content:"|10|"; content:!"|00 00 00 00|"; within:4; distance:3; content:"|10 00 00 00|"; within:4; distance:11; content:".."; within:50; reference:bugtraq,50531; classtype:attempted-user; sid:25658; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 19813 (msg:"SERVER-OTHER HP Data Protector Media 
Operations directory traversal attempt"; flow:to_server,established; content:"|03|"; content:!"|00 00 00 00|"; within:4; distance:3; content:"|10 00 00 00|"; within:4; distance:11; content:".."; within:50; reference:bugtraq,50531; classtype:attempted-user; sid:25657; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP OpenView Storage Data Protector exec_cmd buffer overflow attempt"; flow:to_server,established; content:"|FE FF|"; depth:2; offset:4; content:"|32 00|"; distance:0; content:"|32 00 30 00|"; distance:0; isdataat:2046,relative; content:!"|00 00 00 00|"; within:2046; reference:bugtraq,48488; reference:cve,2011-1866; classtype:attempted-admin; sid:25656; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP OpenView Storage Data Protector exec_cmd buffer overflow attempt"; flow:to_server,established; content:"|FF FE|"; depth:2; offset:4; content:"|32 00|"; content:"|32 30 00|"; distance:0; isdataat:2046,relative; content:!"|00 00|"; within:2046; reference:bugtraq,48488; reference:cve,2011-1866; classtype:attempted-admin; sid:25655; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP OpenView Storage Data Protector exec_cmd buffer overflow attempt"; flow:to_server,established; content:!"|FF FE|"; depth:2; offset:4; content:!"|FE FF|"; depth:2; offset:4; content:"|32 00|"; content:"|32 30 00|"; distance:0; isdataat:1023,relative; content:!"|00 00|"; within:1023; reference:bugtraq,48488; reference:cve,2011-1866; classtype:attempted-admin; sid:25654; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [5001,5002] (msg:"SERVER-OTHER Sybase Open Server TDS login packet stack memory corruption attempt"; flow:to_server,established; flowbits:isset,sybase.tds.connection; content:"|02 01|"; depth:2; content:"|00 00 00 00|"; within:4; distance:2; byte_test:1,>,6,59,relative; metadata:policy max-detect-ips drop; reference:url,www.sybase.com/detail?id=1094235; classtype:attempted-admin; 
sid:25603; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET [5001,5002] (msg:"SERVER-OTHER Sybase Open Server TDS login request"; flow:to_server,established; content:"|02 00 02 00 00 00 00 00|"; depth:8; content:"|06 04 08|"; within:3; distance:126; content:"DBISQL"; within:6; distance:11; content:"jConnect"; within:8; distance:316; fast_pattern; flowbits:set,sybase.tds.connection; flowbits:noalert; reference:url,en.wikipedia.org/wiki/Tabular_Data_Stream; classtype:protocol-command-decode; sid:25602; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-OTHER EMC AlphaStor Device Manager command injection attempt"; flow:to_server,established; content:"|75|"; depth:1; content:"nsrmm"; distance:0; pcre:"/nsrmm[^\x00]*?([\x3b\x7c\x26\x60]|\x24\x28)/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,57472; reference:cve,2013-0928; classtype:attempted-admin; sid:25585; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-OTHER EMC AlphaStor Device Manager command injection attempt"; flow:to_server,established; content:"|75|"; depth:1; content:"mmpool"; distance:0; pcre:"/mmpool[^\x00]*?([\x3b\x7c\x26\x60]|\x24\x28)/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,57472; reference:cve,2013-0928; classtype:attempted-admin; sid:25584; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-OTHER EMC AlphaStor Device Manager command injection attempt"; flow:to_server,established; content:"|75|"; depth:1; content:"mmlocate"; distance:0; pcre:"/mmlocate[^\x00]*?([\x3b\x7c\x26\x60]|\x24\x28)/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,57472; reference:cve,2013-0928; classtype:attempted-admin; sid:25583; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-OTHER EMC AlphaStor Device Manager command injection attempt"; 
flow:to_server,established; content:"|75|"; depth:1; content:"nsrjb"; distance:0; pcre:"/nsrjb[^\x00]*?([\x3b\x7c\x26\x60]|\x24\x28)/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,57472; reference:cve,2013-0928; classtype:attempted-admin; sid:25581; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 9000 (msg:"SERVER-OTHER RaySharp CCTV derivative command injection attempt"; flow:to_server,established; content:"REMOTE HI_SRDK_NET_SetPppoeAttr"; depth:40; fast_pattern; content:"udhcpc"; distance:0; pcre:"/\x3b\s*udhcpc\s*\x3b.*\x26/smi"; reference:url,community.rapid7.com/community/metasploit/blog/2013/01/23/ray-sharp-cctv-dvr-password-retrieval-remote-root; reference:url,console-cowboys.blogspot.com/2013/01/swann-song-dvr-insecurity.html; classtype:attempted-admin; sid:25557; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 9000 (msg:"SERVER-OTHER RaySharp CCTV derivative user credential retrieval attempt"; flow:to_server,established; content:"|01 00 00 00 0E 0F 00 00 00 00 00 00 00 00 00 00 14 00 00 00|"; depth:20; offset:10; reference:url,community.rapid7.com/community/metasploit/blog/2013/01/23/ray-sharp-cctv-dvr-password-retrieval-remote-root; reference:url,console-cowboys.blogspot.com/2013/01/swann-song-dvr-insecurity.html; classtype:attempted-admin; sid:25556; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Rails JSON to YAML parsing deserialization attempt"; flow:to_server,established; content:"application/json"; http_header; content:"!ruby/hash"; content:"NamedRouteCollection"; within:140; metadata:service http; reference:cve,2013-0333; classtype:attempted-user; sid:25552; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER Citrix Access Gateway legacy authentication attempt"; flow:to_server,established; content:"SESSION_TOKEN"; content:"LoginType=Explicit&username="; fast_pattern:only; content:"&password=%7c"; metadata:service ssl; 
reference:cve,2010-4566; reference:url,exploit-db.com/exploits/15806; classtype:attempted-admin; sid:25474; rev:3;) # alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt"; flow:to_client; content:"|31 32 33 34 35 36 37 38 39 09 63 63 63 63 63 63 63 63 63 09 64 64 64 64|"; fast_pattern:only; metadata:service dns; reference:cve,2011-1889; classtype:attempted-admin; sid:25381; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER CakePHP unserialize method vulnerability exploitation attempt"; flow:to_server,established; content:"data%5b_Token%5d%5bkey%5d="; http_client_body; content:"&data%5b_Token%5d%5bfields%5d="; within:50; http_client_body; content:"&_method=POST"; distance:0; http_client_body; content:"..%2Fgzc%2Fpnpur%2Fcrefvfgrag%2Fpnxr_pber_svyr_znc"; fast_pattern:only; http_client_body; metadata:service http; reference:cve,2010-4335; classtype:attempted-admin; sid:25370; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Ruby on Rails authlogic session cookie SQL injection attempt"; flow:to_server,established; content:"user_credentials="; content:"_session="; content:"user_credentials="; http_cookie; content:"_session="; http_cookie; base64_decode:relative; base64_data; content:"user_credentials_id"; pcre:"/(SELECT|UPDATE|INSERT)[^\x3b]+?--/iR"; metadata:service http; reference:cve,2012-6496; reference:url,blog.phusion.nl/2013/01/03; classtype:web-application-attack; sid:25285; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 8088 (msg:"SERVER-OTHER Digium Asterisk oversized Content-Length memory corruption attempt"; flow:to_server,established; content:"Content-Length|3A|"; nocase; byte_test:10,>,200000,0,relative,string; metadata:service http; reference:cve,2012-5976; reference:cve,2013-2686; reference:url,downloads.Asterisk.org/pub/security/AST-2013-002.html; 
reference:url,downloads.asterisk.org/pub/security/AST-2012-014; classtype:attempted-admin; sid:25276; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Adobe ColdFusion Admin API arbitrary command execution attempt"; flow:to_server,established; content:"/CFIDE/Administrator/scheduler/scheduleedit.cfm"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2013-0625; reference:cve,2013-0629; reference:cve,2013-0631; reference:url,forums.adobe.com/message/4962104; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; reference:url,www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat; classtype:attempted-user; sid:25267; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Adobe ColdFusion Admin API arbitrary command execution attempt"; flow:to_server,established; content:"/CFIDE/adminapi/administrator.cfc"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2013-0625; reference:cve,2013-0629; reference:cve,2013-0631; reference:url,forums.adobe.com/message/4962104; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; reference:url,www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat; classtype:attempted-user; sid:25266; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 10051 (msg:"SERVER-OTHER Zabbix Server arbitrary command execution attempt"; flow:to_server,established; content:"Command|AD|0|AD|"; depth:10; nocase; content:"sh"; within:10; nocase; reference:bugtraq,37989; reference:cve,2009-4498; classtype:attempted-admin; sid:25103; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 10050 (msg:"SERVER-OTHER Zabbix Agent net.tcp.listen command injection attempt"; flow:to_server,established; content:"net.tcp.listen|5B|"; depth:15; nocase; pcre:"/^net\x2etcp\x2elisten\x5b\s*?\d+?\s*?[\x22\x27]\s*?\x3b/i"; reference:cve,2009-4502; classtype:attempted-admin; sid:25102; rev:1;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 30000 (msg:"SERVER-OTHER SAP Business One License Manager buffer overflow attempt"; flow:to_server,established; content:"GIOP|01 00 01 00|"; depth:8; isdataat:1024,relative; reference:bugtraq,35933; reference:cve,2009-4988; classtype:attempted-admin; sid:25059; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6988 (msg:"SERVER-OTHER IBM Director CIM server alert indication request dll injection attempt"; flow:to_server,established; content:"/CIMListener/"; fast_pattern:only; http_uri; content:"M-POST"; http_method; content:"/CIMListener/|5C 5C|"; nocase; http_raw_uri; metadata:service http; reference:bugtraq,34065; reference:cve,2009-0880; classtype:attempted-admin; sid:25058; rev:2;) # alert udp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER Free Software Foundation GnuTLS record application integer overflow attempt"; content:"|17 FE FF|"; depth:3; content:"|00 20|"; within:2; distance:8; metadata:policy max-detect-ips drop, service ssl; reference:cve,2012-1573; classtype:attempted-admin; sid:24996; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER lighthttpd connection header denial of service attempt"; flow:to_server,established; content:"Connection|3A|"; http_header; content:",,"; distance:0; fast_pattern; http_header; pcre:"/^Connection\x3A\s*[^\r\n]*?\x2c\x2c/Hsmi"; metadata:service http; reference:cve,2012-5533; classtype:denial-of-service; sid:24805; rev:2;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1811 (msg:"SERVER-OTHER HP Intelligent Management Center uam.exe stack buffer overflow attempt"; flow:to_server; content:"|F7 10 3D 21|"; depth:4; content:"|02 02|"; within:2; distance:18; isdataat:4000,relative; metadata:policy security-ips drop; reference:bugtraq,55271; reference:cve,2012-3274; classtype:attempted-admin; sid:24538; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1811 (msg:"SERVER-OTHER HP Intelligent Management Center uam.exe stack buffer overflow attempt"; flow:to_server; content:"|F7 10 
3D 21|"; depth:4; content:"|01 02|"; within:2; distance:18; isdataat:4000,relative; metadata:policy security-ips drop; reference:bugtraq,55271; reference:cve,2012-3274; classtype:attempted-admin; sid:24537; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1811 (msg:"SERVER-OTHER HP Intelligent Management Center uam.exe stack buffer overflow attempt"; flow:to_server; content:"|F7 10 3D 21|"; depth:4; content:"|01 01|"; within:2; distance:18; isdataat:4000,relative; metadata:policy security-ips drop; reference:bugtraq,55271; reference:cve,2012-3274; classtype:attempted-admin; sid:24536; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services opcode buffer overflow attempt"; flow:to_server; content:"|02 40|"; depth:2; offset:2; content:"|01 00 00|"; within:38; isdataat:256,relative; content:!"|00 00|"; within:256; reference:bugtraq,45914; reference:bugtraq,49803; classtype:attempted-user; sid:24513; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services opcode buffer overflow attempt"; flow:to_server,established; content:"|02 40|"; depth:2; offset:2; content:"|01 00 00|"; within:38; isdataat:256,relative; content:!"|00 00|"; within:256; reference:bugtraq,45914; reference:bugtraq,49803; classtype:attempted-user; sid:24512; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 03 00 00 00 04|"; within:8; distance:8; byte_test:4,>,0x10000,504,relative; metadata:policy max-detect-ips drop; reference:cve,2012-0409; classtype:attempted-admin; sid:24333; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 55 00 00 00 16|"; within:8; distance:8; 
byte_test:4,>,0x10000,467,relative; metadata:policy max-detect-ips drop; reference:cve,2012-0409; classtype:attempted-admin; sid:24332; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 55 00 00 00 01|"; within:8; distance:8; byte_test:4,>,0x10000,405,relative; metadata:policy max-detect-ips drop; reference:cve,2012-0409; classtype:attempted-admin; sid:24331; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 41 00 00 00 12|"; within:8; distance:8; byte_test:4,>,0x10000,375,relative; metadata:policy max-detect-ips drop; reference:cve,2012-0409; classtype:attempted-admin; sid:24330; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 14 00 00 07 E7|"; within:8; distance:8; byte_test:4,>,0x10000,252,relative; metadata:policy max-detect-ips drop; reference:cve,2012-0409; classtype:attempted-admin; sid:24328; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 14 00 00 07 F8|"; within:8; distance:8; byte_test:4,>,0x10000,136,relative; metadata:policy max-detect-ips drop; reference:cve,2012-0409; classtype:attempted-admin; sid:24327; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 2D 00 00 11 94|"; within:8; distance:8; byte_test:4,>,0x10000,100,relative; metadata:policy max-detect-ips drop; 
reference:cve,2012-0409; classtype:attempted-admin; sid:24326; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 32 00 00 00 3C|"; within:8; distance:8; byte_test:4,>,0x10000,517,relative; metadata:policy max-detect-ips drop; reference:cve,2012-0409; classtype:attempted-admin; sid:24325; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 8045 (msg:"SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt"; flow:to_server,established; content:"|31 00 00 00|"; depth:4; content:"|00 00 00 32 00 00 00 2A|"; within:8; distance:8; byte_test:4,>,0x10000,80,relative; metadata:policy max-detect-ips drop; reference:cve,2012-0409; classtype:attempted-admin; sid:24324; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Fortinet FortiOS appliedTags field cross site scripting attempt"; flow:to_client,established; file_data; content:"/firewall/policy"; fast_pattern:only; http_uri; pcre:"/\s*?]+>\s*?<[^>]+?[\x22\x27\x60]\s*? 
$HOME_NET any (msg:"SERVER-OTHER telephone URI to USSD code for factory reset"; flow:to_client,established; file_data; content:"tel|3A 2A|2767|2A|3855"; fast_pattern:only; metadata:service http; reference:url,twitter.com/pof/status/250540790491787264; reference:url,www.youtube.com/watch?v=Q2-0B04HPhs; classtype:attempted-dos; sid:24250; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP Data Protector client EXEC_CMD command execution attempt"; flow:to_server,established; content:"|FE FF 00 32|"; depth:4; offset:4; content:"|30|"; distance:0; content:"|30|"; within:10; pcre:"/(\x5C\x5C|\x2F\x2F)|(\x2E\x2E[\x2F\x5C]){1,5}/"; reference:bugtraq,46234; reference:cve,2011-0923; classtype:attempted-user; sid:24223; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP Data Protector client EXEC_CMD command execution attempt"; flow:to_server,established; content:"|FF FE 32 00|"; depth:4; offset:4; content:"|30|"; distance:0; content:"|30|"; within:10; pcre:"/(\x5C\x5C|\x2F\x2F)|(\x2E\x2E[\x2F\x5C]){1,5}/"; reference:bugtraq,46234; reference:cve,2011-0923; classtype:attempted-user; sid:24222; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP Data Protector client EXEC_CMD command execution attempt"; flow:to_server,established; content:"|20 32 00 20|"; depth:4; offset:4; content:"|20 30 00 20 30 00 20|"; distance:0; pcre:"/^(\x5C\x5C|\x2F\x2F)|(\x2E\x2E[\x2F\x5C]){1,5}/R"; reference:bugtraq,46234; reference:cve,2011-0923; classtype:attempted-user; sid:24221; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3817 (msg:"SERVER-OTHER HP Data Protector Express stack buffer overflow attempt"; flow:to_server,established; content:"|51 84|"; depth:2; content:"|02 02 02 32 06 00 00 00|"; within:8; distance:2; isdataat:104,relative; content:"|60 03|"; within:2; distance:104; isdataat:210,relative; content:!"|00|"; within:1500; distance:210; metadata:policy security-ips drop; reference:bugtraq,52431; 
reference:cve,2012-0124; classtype:attempted-admin; sid:23983; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3817 (msg:"SERVER-OTHER HP Data Protector Express stack buffer overflow attempt"; flow:to_server,established; content:"|51 84|"; depth:2; content:"|02 02 02 32 06 00 00 00|"; within:8; distance:2; isdataat:104,relative; content:"|50 03|"; within:2; distance:104; isdataat:210,relative; content:!"|00|"; within:1500; distance:210; metadata:policy security-ips drop; reference:bugtraq,52431; reference:cve,2012-0124; classtype:attempted-admin; sid:23982; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3817 (msg:"SERVER-OTHER HP Data Protector Express stack buffer overflow attempt"; flow:to_server,established; content:"|51 84|"; depth:2; content:"|02 02 02 32 06 00 00 00|"; within:8; distance:2; isdataat:104,relative; content:"|40 03|"; within:2; distance:104; isdataat:210,relative; content:!"|00|"; within:1500; distance:210; metadata:policy security-ips drop; reference:bugtraq,52431; reference:cve,2012-0124; classtype:attempted-admin; sid:23981; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3817 (msg:"SERVER-OTHER HP Data Protector Express stack buffer overflow attempt"; flow:to_server,established; content:"|51 84|"; depth:2; content:"|02 02 02 32 06 00 00 00|"; within:8; distance:2; isdataat:104,relative; content:"|30 03|"; within:2; distance:104; isdataat:210,relative; content:!"|00|"; within:1500; distance:210; metadata:policy security-ips drop; reference:bugtraq,52431; reference:cve,2012-0124; classtype:attempted-admin; sid:23980; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3817 (msg:"SERVER-OTHER HP Data Protector Express stack buffer overflow attempt"; flow:to_server,established; content:"|51 84|"; depth:2; content:"|02 02 02 32 06 00 00 00|"; within:8; distance:2; isdataat:104,relative; content:"|10 03|"; within:2; distance:104; isdataat:210,relative; content:!"|00|"; within:1500; distance:210; metadata:policy security-ips drop; 
reference:bugtraq,52431; reference:cve,2012-0124; classtype:attempted-admin; sid:23979; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Ubisoft Uplay browser plugin backdoor attempt"; flow:to_client,established; file_data; content:"|2E|open|28|"; content:"-orbit_product_id 1"; distance:0; content:"-orbit_exe_path"; content:"-uplay_steam_mode"; content:"-uplay_dev_mode"; content:"-uplay_dev_mode_auto_play"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-4177; reference:url,news.ycombinator.com/item?id=4311264; reference:url,seclists.org/fulldisclosure/2012/Jul/375; classtype:attempted-user; sid:23624; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1582 (msg:"SERVER-OTHER IBM Tivoli name overflow attempt"; flow:to_server,established; content:"|26 A5|"; depth:2; offset:2; byte_test:2,>,128,2,relative; metadata:policy max-detect-ips drop; reference:cve,2009-3853; classtype:attempted-user; sid:23456; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6905 (msg:"SERVER-OTHER Citrix Provisioning Services stack buffer overflow attempt"; flow:to_server,established; content:"|06 00 02 40|"; depth:4; content:"|00 00 00 00|"; within:4; distance:22; classtype:attempted-admin; sid:23397; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET [1234,2049] (msg:"SERVER-OTHER Novell Netware XNFS.NLM NFS v2 xdrdecodeString heap buffer overflow attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 02 00 00 00|"; depth:19; offset:4; pcre:"/^[\x04\x09\x0a\x0b\x0d\x0e\x0f]/R"; byte_jump:4,5,relative; byte_jump:4,4,relative; byte_test:4,>,255,32,relative; metadata:policy max-detect-ips drop; reference:bugtraq,50804; reference:cve,2011-4191; classtype:misc-attack; sid:23366; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET [1234,2049] (msg:"SERVER-OTHER Novell Netware XNFS.NLM NFS v3 xdrdecodeString heap buffer overflow attempt"; 
flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 03 00 00 00|"; depth:19; offset:4; pcre:"/^[\x03\x08\x09\x0a\x0c\x0d\x0e]/R"; byte_jump:4,5,relative; byte_jump:4,4,relative; byte_test:4,>,255,4,relative; metadata:policy max-detect-ips drop; reference:bugtraq,50804; reference:cve,2011-4191; classtype:misc-attack; sid:23365; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET [1234,2049] (msg:"SERVER-OTHER Novell Netware XNFS.NLM v2 xdrdecodeString heap buffer overflow attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 02 00 00 00 0D|"; depth:20; offset:4; byte_jump:4,4,relative; byte_jump:4,4,relative; byte_jump:4,32,relative; byte_test:4,>,255,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,50804; reference:cve,2011-4191; classtype:misc-attack; sid:23364; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET [1234,2049] (msg:"SERVER-OTHER Novell Netware XNFS.NLM xdrdecodeString heap buffer overflow attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 02 00 00 00 0B|"; depth:20; offset:4; byte_jump:4,4,relative; byte_jump:4,4,relative; byte_jump:4,32,relative; byte_test:4,>,10496,32,relative; metadata:policy max-detect-ips drop; reference:bugtraq,50804; reference:cve,2011-4191; classtype:misc-attack; sid:23363; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER Wireshark console.lua file load exploit attempt"; flow:to_server,established; content:"|2F|console.lua"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,49528; reference:cve,2011-3360; reference:url,www.wireshark.org/security/wnpa-sec-2011-15.html; classtype:attempted-user; sid:23239; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Lync Online wlanapi.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|wlanapi.dll"; nocase; http_uri; pcre:"/\x2Fwlanapi\x2Edll([\?\x5C\x2F]|$)/miU"; content:!"Host: 
msdl.microsoft.com|0D 0A|"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2012-1849; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-039; classtype:attempted-user; sid:23165; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Lync Online ncrypt.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|ncrypt.dll"; nocase; http_uri; pcre:"/\x2Fncrypt\x2Edll([\?\x5C\x2F]|$)/miU"; content:!"Host: msdl.microsoft.com|0D 0A|"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2012-1849; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-039; classtype:attempted-user; sid:23164; rev:8;) # alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER known malicious SSL certificate derived from Microsoft CA detected"; flow:to_client,established; ssl_state:server_hello; content:"|30 82 01 0A 02 82 01 01 00 A6 89 43 6F C6 CA 9D 42 AD BD 28 D5 46 49 E0 55 F2 CC 38 E0 3D C0 7C BA 1D CA|"; fast_pattern:only; metadata:service ssl; reference:url,technet.microsoft.com/en-us/security/advisory/2718704; classtype:misc-attack; sid:23090; rev:3;) # alert tcp $EXTERNAL_NET 8300 -> $HOME_NET any (msg:"SERVER-OTHER Novell Groupwise HTTP response message parsing overflow"; flow:to_client,established; isdataat:512; content:"NM_A_SZ_TRANSACTION_ID"; fast_pattern:only; pcre:"/[^\x0a]{512}/"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-2703; classtype:attempted-user; sid:21917; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [8181,8443,14300] (msg:"SERVER-OTHER Symantic multiple products VRTSweb code execution"; flow:to_server, 
established; content:" $EXTERNAL_NET 6014 (msg:"SERVER-OTHER IBM Tivoli kuddb2 denial of service attempt"; flow:to_server,established; content:"|00 05 03 31 41|"; depth:5; metadata:policy max-detect-ips drop; reference:cve,2010-0472; classtype:attempted-dos; sid:21351; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [1024,5555] (msg:"SERVER-OTHER HP OpenView Storage Data Protector stack overflow attempt"; flow:to_server,established; content:"|32 36 37 00|"; depth:4; offset:4; isdataat:80,relative; pcre:"/^([^\x00]+\x00){3}([^\x00]{64}|[^\x00]+\x00[^\x00]{256})/R"; reference:bugtraq,37250; reference:cve,2009-3844; classtype:attempted-admin; sid:21350; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [1024,5555] (msg:"SERVER-OTHER HP OpenView Storage Data Protector stack overflow attempt"; flow:to_server,established; content:"|FF FE 32 00 36 00 37 00 00 00|"; depth:10; offset:4; isdataat:80,relative; pcre:"/^([\x01\x20]\x00)?((\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00])\x00\x00([\x01\x20]\x00)?){3}((\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00]){64}|(\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00])\x00\x00([\x01\x20]\x00)(\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00]){256})/R"; reference:bugtraq,37250; reference:cve,2009-3844; classtype:attempted-admin; sid:21349; rev:5;) # alert tcp $EXTERNAL_NET 24800 -> $HOME_NET any (msg:"SERVER-OTHER Synergy clipboard format client integer overflow attempt"; flow:established,to_client; flowbits:isset,synergy; content:"DCLP"; pcre:"/^.{13}\x00\x00\x00[\x00\x01\x02]/R"; byte_test:4,>,3,9,big,relative; classtype:attempted-user; sid:21331; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 24800 (msg:"SERVER-OTHER Synergy clipboard format server integer overflow attempt"; flow:to_server,established; flowbits:isset,synergy; content:"DCLP"; pcre:"/^.{13}\x00\x00\x00[\x00\x01\x02]/R"; byte_test:4,>,3,9,big,relative; classtype:attempted-user; sid:21330; rev:3;) # alert tcp $EXTERNAL_NET 24800 -> $HOME_NET any (msg:"SERVER-OTHER Synergy clipboard format 
client integer overflow attempt"; flow:established,to_client; flowbits:isset,synergy; content:"DCLP"; pcre:"/^.{9}\x00\x00\x00\x01(?!\x00\x00\x00[\x00\x01\x02])/R"; classtype:attempted-user; sid:21329; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 24800 (msg:"SERVER-OTHER Synergy clipboard format server integer overflow attempt"; flow:to_server,established; flowbits:isset,synergy; content:"DCLP"; pcre:"/^.{9}\x00\x00\x00\x01(?!\x00\x00\x00[\x00\x01\x02])/R"; classtype:attempted-user; sid:21328; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 37452 (msg:"SERVER-OTHER Quest NetVault SmartDisk libnvbasics.dll DOS attempt"; flow:to_server,established; content:"|17 04 00 20 13 04 00 20 01 00 00 00 C8 06 00 00 20 6F 78 3B|"; fast_pattern:only; reference:url,aluigi.org/poc/percolator_1.zip; classtype:denial-of-service; sid:21315; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1099 (msg:"SERVER-OTHER Oracle Java RMI services remote object execution attempt"; flow:to_server,established; content:"|F6 B6 89 8D 8B F2 86 43|"; fast_pattern:only; content:"java.rmi.server"; content:"http|3A 2F 2F|"; nocase; metadata:policy max-detect-ips drop, service java_rmi; reference:cve,2015-2342; reference:url,www.exploit-db.com/exploits/17535; classtype:misc-attack; sid:21268; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3050 (msg:"SERVER-OTHER Embarcadero Interbase connect request buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 01|"; byte_jump:4,12,relative,align; pcre:"/^.{8}[\x01\x02\x04\x05\x07]/sR"; byte_test:1,>,0x80,0,relative; reference:url,www.securityfocus.com/bid/47644; classtype:misc-attack; sid:21263; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Xitami if-modified-since header buffer overflow attempt"; flow:to_server,established; content:"If-Modified-Since"; nocase; http_header; pcre:"/If\x2DModified\x2DSince\x3A[^\x0D]{50}/iH"; metadata:service http; reference:bugtraq,25772; 
reference:cve,2007-5067; classtype:attempted-user; sid:21261; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER multiple vendors host buffer overflow attempt"; flow:to_server,established; content:"Host|3A|"; fast_pattern:only; http_header; pcre:"/Host\x3a\s+[^\r\n]{253}/iH"; metadata:service http; reference:bugtraq,6870; reference:cve,2003-0178; reference:cve,2013-4115; classtype:web-application-attack; sid:21248; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER IBM Lotusnotes s_viewname buffer overflow attempt"; flow:to_server,established; content:"PresetFields="; fast_pattern:only; http_uri; pcre:"/PresetFields=[^\x26]*?(s_viewname|Foldername)\x3b\x28[^\x29]{100}/iU"; metadata:service http; reference:bugtraq,6871; reference:cve,2003-0178; classtype:web-application-attack; sid:21247; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"SERVER-OTHER Remote Desktop Protocol brute force attempt"; flow:to_server,established,no_stream; content:"|E0|"; depth:1; offset:5; content:"mstshash="; distance:0; nocase; detection_filter:track by_src, count 10, seconds 15; metadata:service rdp; reference:cve,2015-0079; reference:url,attack.mitre.org/techniques/T1076; reference:url,attack.mitre.org/techniques/T1110; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-030; classtype:misc-activity; sid:21232; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 3217 (msg:"SERVER-OTHER Avaya WinPDM Unite host router buffer overflow attempt"; flow:to_server; content:"UTP/1 To|3A|"; nocase; content:!"|0D 0A|"; within:260; pcre:"/^UTP\x2f1 To\x3a\s*[^\s]+\s+[^\n]{256}/smi"; reference:bugtraq,47947; classtype:attempted-user; sid:21105; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [1315,1964,2315] (msg:"SERVER-OTHER IBM solidDB solid.exe authentication bypass attempt"; flow:to_server,established; content:"|04 03 02 01|"; depth:4; offset:11; byte_test:2,=,1,3,little; 
byte_jump:4,23,little,align,post_offset -1; content:"|02 00 00 00|"; within:4; reference:bugtraq,47137; reference:url,www-304.ibm.com/support/docview.wss?uid=swg21474552; classtype:attempted-user; sid:20876; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP OpenView Storage Data Protector buffer overflow attempt"; flow:to_server,established; content:"|FF FE 32 00 00 00|"; depth:6; offset:4; content:"|20 00 61 00 00 00 20 00 00 00|"; fast_pattern:only; pcre:"/\x20\x00\x61\x00\x00\x00\x20\x00\x00\x00([^\x00].|.[^\x00]){255}/Osmi"; reference:bugtraq,48486; reference:cve,2011-1865; classtype:attempted-admin; sid:20761; rev:5;) # alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"SERVER-OTHER Yahoo Messenger possible file transfer spoofing"; flow:established; content:"YMSG"; depth:4; content:"|00|M"; depth:2; offset:10; pcre:"/YMSG.{6}\x00\x4d.*?\x32\x37\xc0\x80(.{24,39}[\x2e\s])\.\w+\xc0\x80/i"; reference:cve,2005-0243; classtype:attempted-user; sid:20748; rev:4;) # alert ip any any -> $HOME_NET any (msg:"SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt"; ip_proto:2; content:"A"; depth:1; byte_test:1,>,64,12,relative; reference:bugtraq,9952; reference:cve,2004-0176; reference:url,secunia.com/advisories/11185; classtype:attempted-admin; sid:20747; rev:4;) # alert ip any any -> $HOME_NET any (msg:"SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt"; ip_proto:2; content:"A"; depth:1; byte_test:1,>,16,11,relative; reference:bugtraq,9952; reference:cve,2004-0176; reference:url,secunia.com/advisories/11185; classtype:attempted-admin; sid:20746; rev:4;) # alert udp any any -> $HOME_NET 2055 (msg:"SERVER-OTHER Ethereal Netflow dissector buffer overflow attempt"; flow:to_server; content:"|00 09|"; depth:2; byte_test:2,>,64,24,big,relative; reference:bugtraq,9952; reference:cve,2004-0176; reference:url,secunia.com/advisories/11185/; classtype:attempted-admin; sid:20745; rev:2;) # alert udp $EXTERNAL_NET any -> $HOME_NET 500 
(msg:"SERVER-OTHER Check Point vpn-1 ISAKMP buffer overflow attempt"; flow:to_server; content:"|08 07 07 30 28 31 0B 30 09 06 03 55 04 06 13|"; depth:15; offset:501; reference:cve,2004-0040; classtype:attempted-user; sid:20738; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6129 (msg:"SERVER-OTHER Dameware Mini Remote Control username buffer overflow"; flow:to_server,established; content:"|10 27|"; depth:2; content:"|00|"; within:1; distance:202; isdataat:361,relative; content:!"|00|"; within:362; reference:bugtraq,14707; reference:cve,2005-2842; classtype:attempted-admin; sid:20662; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER sl.php script injection"; flow:to_client,established; file_data; content:"script src=http|3A 2F 2F|"; nocase; content:"|2F|sl.php"; within:50; fast_pattern; nocase; metadata:service http; reference:url,isc.sans.edu/diary.html?storyid=12127; classtype:misc-activity; sid:20660; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1707 (msg:"SERVER-OTHER Sage SalesLogix database credential disclosure attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00|"; depth:10; content:"|00 00 00|"; within:3; distance:1; pcre:"/(GetConnection|ProcessQueueFile)\x00/Ri"; content:"|00 00 00 00 00 00|"; reference:bugtraq,11450; reference:cve,2004-1612; reference:url,attack.mitre.org/techniques/T1003; reference:url,attack.mitre.org/techniques/T1081; reference:url,attack.mitre.org/techniques/T1214; classtype:attempted-admin; sid:20618; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7144 (msg:"SERVER-OTHER Peercast Basic HTTP authentication buffer overflow attempt"; flow:to_server,established; content:"GET"; depth:3; content:"Authorization|3A| Basic"; distance:0; nocase; isdataat:128,relative; content:!"|0A|"; within:128; metadata:service http; reference:cve,2008-2040; reference:url,bugs.debian.org/cgi-bin/bugreport.cgi?bug=478573; classtype:attempted-user; sid:20616; rev:3;) # alert udp 
$EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER BOOTP overflow"; flow:to_server; dsize:>300; content:"|01 01 06 00|"; depth:4; content:!"|63 82 53 63|"; distance:0; reference:cve,1999-0799; classtype:attempted-admin; sid:20611; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2001 (msg:"SERVER-OTHER Sunway ForceControl SNMP NetDBServer stack buffer overflow attempt"; flow:to_server,established; content:"|EB 50 EB 50|"; depth:4; byte_test:2,=,83,0,little,relative; byte_test:1,>,64,10,little,relative; reference:url,secunia.com/advisories/46146; reference:url,www.exploit-db.com/exploits/17885; classtype:attempted-user; sid:20609; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 9850 (msg:"SERVER-OTHER Novell Groupwise internet agent http uri buffer overflow attempt"; flow:to_server,established; content:"/gwia|2E|css?"; fast_pattern; nocase; isdataat:239,relative; content:!"|20| HTTP"; within:239; nocase; metadata:service http; reference:cve,2011-0334; classtype:attempted-user; sid:20608; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1761 (msg:"SERVER-OTHER Novell ZENworks Remote Management overflow attempt"; flow:to_server,established; content:"|00 01 00 06|"; depth:4; content:"|00 06|"; within:22; distance:6; content:"|7F FF|"; within:6; distance:2; metadata:policy max-detect-ips drop; reference:bugtraq,13678; reference:cve,2005-1543; classtype:attempted-admin; sid:20576; rev:6;) # alert tcp $EXTERNAL_NET 20031 -> $HOME_NET any (msg:"SERVER-OTHER BakBone NetVault client heap overflow attempt"; flow:to_client,established; stream_size:server,>,32784; byte_test:4,>,32784,0,little; metadata:policy max-detect-ips drop; reference:bugtraq,12967; reference:cve,2005-1009; classtype:attempted-admin; sid:20546; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"SERVER-OTHER CA BrightStor cheyenneds mailslot overflow"; flow:to_server,established; content:"m|00|a|00|i|00|l|00|s|00|l|00|o|00|t|00 5C 00|c|00|h|00|e|00|y|00|e|00|n|00|n|00|e|00|d|00|s|00|"; 
nocase; isdataat:44,relative; content:!"|00 00|"; within:40; distance:4; reference:bugtraq,20364; reference:cve,2006-5142; classtype:attempted-admin; sid:20442; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"SERVER-OTHER CA BrightStor cheyenneds mailslot overflow"; flow:to_server; content:"m|00|a|00|i|00|l|00|s|00|l|00|o|00|t|00 5C 00|c|00|h|00|e|00|y|00|e|00|n|00|n|00|e|00|d|00|s|00|"; nocase; isdataat:44,relative; content:!"|00 00|"; within:40; distance:4; reference:bugtraq,20364; reference:cve,2006-5142; classtype:attempted-admin; sid:20441; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"SERVER-OTHER CA BrightStor cheyenneds mailslot overflow"; flow:to_server,established; content:"mailslot|5C|cheyenneds"; nocase; isdataat:24,relative; content:!"|00|"; within:20; distance:4; reference:bugtraq,20364; reference:cve,2006-5142; classtype:attempted-admin; sid:20440; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 9092 (msg:"SERVER-OTHER PointBase 4.6 database DoS"; flow:to_server,established; content:"sun.misc.MessageUtils::toStderr"; fast_pattern:only; content:"CREATE FUNCTION"; nocase; pcre:"/CREATE FUNCTION\s+([^\s\x28]+).*?\1\s*\x28null/smi"; reference:cve,2003-1573; classtype:attempted-dos; sid:20251; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [1025:1200,1500:1502] (msg:"SERVER-OTHER IBM Tivoli Storage Manager Client Remote Heap Buffer Overflow"; flow:to_server,established; content:"|00 00 08 A5|"; byte_test:2,>,0xc350,6,relative; metadata:policy max-detect-ips drop; reference:cve,2008-4801; classtype:attempted-admin; sid:20250; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Oracle Java Web Start BasicService arbitrary command execution attempt"; flow:to_client,established; file_data; content:"javax.jnlp.BasicService"; fast_pattern:only; content:"file|3A 5C 5C|"; nocase; content:"showDocument"; distance:0; metadata:service http; reference:cve,2008-4910; classtype:attempted-user; sid:20249; 
rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Oracle Java calendar deserialize vulnerability"; flow:to_client,established; file_data; content:"|50 4B 05 06 00 00 00 00 06 00 06 00 93 01 00 00 65 16 00 00 00 00|"; fast_pattern:only; metadata:service http; reference:cve,2008-5353; classtype:attempted-user; sid:20238; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER SSL CBC encryption mode weakness brute force attempt"; flow:to_server,established,no_stream; isdataat:1; isdataat:!1001; detection_filter:track by_src,count 100,seconds 1; metadata:service ssl; reference:cve,2011-3389; reference:url,attack.mitre.org/techniques/T1110; reference:url,technet.microsoft.com/en-us/security/advisory/2588513; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-006; reference:url,vnhacker.blogspot.com/2011/09/beast.html; classtype:attempted-recon; sid:20212; rev:10;) # alert udp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"SERVER-OTHER Nortel Networks Multiple UNIStim VoIP Products Remote Eavesdrop Attempt"; flow:stateless,no_stream; content:"|02 01 16 1A 30 FF 00 00 08 01 00 B8 B8 06 06 81 14 50 14 51 14 50 14 50 C0 A8 0B C9 00 00|"; offset:4; detection_filter:track by_src, count 10, seconds 1; reference:bugtraq,26120; reference:cve,2007-5637; classtype:attempted-recon; sid:20138; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER ALTAP Salamander PE Viewer PDB Filename Buffer Overflow"; flow:to_client,established; file_data; content:"|B8 81 01 10 FF 25 BC 81 01 10 FF 25 C0 81 01 10 FF 25 68 81 01 10 FF 25 C4 81 01 10 FF 25 C8 81|"; fast_pattern:only; metadata:service http; reference:cve,2007-3314; reference:url,vuln.sg/salamander25-en.html; classtype:attempted-user; sid:20084; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [514,2401] (msg:"SERVER-OTHER CVS annotate command buffer overflow attempt"; flow:to_server,established; content:"Entry|20 2F|"; content:"annotate|0A|"; 
distance:0; fast_pattern; pcre:"/Entry\x20\x2f[^\x2f]*\x2f[^\x2f]{68}/"; reference:bugtraq,13217; reference:cve,2005-0573; classtype:attempted-dos; sid:20060; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 912 (msg:"SERVER-OTHER VMWare authorization service user credential parsing DoS attempt"; flow:to_server,established; content:"USER"; depth:4; content:"PASS"; distance:0; pcre:"/(USER|PASS)[^\x80-\xff]*[\x80-\xff]/"; reference:bugtraq,36630; reference:cve,2009-3707; classtype:attempted-dos; sid:20058; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2690 (msg:"SERVER-OTHER HP OpenView Network Node Manager denial of service attempt"; flow:to_server, established; content:"|02 00|"; depth:2; byte_test:2, &, 0x8000, 1, relative, little; byte_test:2, <, 0xfffb, 1, relative, little; reference:cve,2009-3840; classtype:denial-of-service; sid:20054; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7210 (msg:"SERVER-OTHER SAP MaxDB malformed handshake request buffer overflow attempt"; flow:to_server,established; content:"|63 00 00 00 03 2F 00 00 01 00 00 00 FF FF FF FF 00 00 04 00 63 00 00 00 00 02 4B 00 04 09 00 00 44 20 00 00 00 00 00 00 00 00 00 00 FF FF FF FF 6D 61 08 F1 A0 00 00 00 00 00 00 00 00 00 00 00 07 49|"; depth:66; isdataat:512,relative; content:!"|00|"; within:512; reference:bugtraq,38769; reference:cve,2010-1185; classtype:attempted-admin; sid:20051; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Trend Micro Control Manager CasLogDirectInsertHandler.cs cross site request forgery attempt"; flow:to_client,established; file_data; content:"SrcDataFile="; nocase; content:"|2E|xml"; distance:0; nocase; content:"SchemaFile="; nocase; content:"|2E|xml"; distance:0; nocase; content:"MsgType="; distance:0; nocase; metadata:service http; reference:url,esupport.trendmicro.com/solution/en-us/1058280.aspx; classtype:attempted-user; sid:20048; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 38292 (msg:"SERVER-OTHER Symantec 
Alert Management System modem string buffer overflow attempt"; flow:to_server,established; content:"ModemString|00|"; byte_test:2,>,32,0,relative; content:"|0B 00 32|400,E,7,1|00|"; within:13; distance:2; metadata:policy max-detect-ips drop; reference:cve,2010-0110; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_00; classtype:attempted-user; sid:19892; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [8080,8081] (msg:"SERVER-OTHER HP Operations Manager Server Default Credientials in use attempt"; flow:to_server,established; content:"Authorization|3A 20|Basic|20|b3Z3ZWJ1c3I6T3ZXKmJ1c3Ix"; metadata:policy max-detect-ips drop; reference:cve,2009-4189; classtype:default-login-attempt; sid:19815; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Alucar php shell download attempt"; flow:to_client,established; file_data; content:"dHA6Ly9YZ3IwdXBWbi5vcmc8L2E+IHwgPGEgaHJlZj0naHR0cDovL2hjZWdyb3VwLm5ldCc+SEBjaytDckBjaz1FbmoweSE8L2E+IHwgRGVzaWduIGJ5OkFsdUNhUiB8IF0t"; fast_pattern:only; metadata:service http; reference:bugtraq,47374; reference:url,code.google.com/p/timthumb/issues/detail?id=212; classtype:attempted-user; sid:19661; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2398 (msg:"SERVER-OTHER Novell ZENworks Handheld Management upload directory traversal attempt"; flow:to_server,established; byte_jump:4,14,little; content:"|06|"; within:1; distance:17; byte_extract:4,4,messageID,relative,little; content:"|2E 2E|"; within:messageID; distance:4; reference:bugtraq,48467; classtype:attempted-admin; sid:19609; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET 2400 (msg:"SERVER-OTHER Novell ZENworks Handheld Management ZfHIPCND.exe buffer overflow attempt"; flow:to_server,established; content:"|02 00 00 00 01 00 01 00|"; fast_pattern:only; flowbits:set,zenworks_opcode; flowbits:noalert; reference:bugtraq,46024; 
reference:cve,2011-0742; classtype:attempted-admin; sid:19323; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER banner.txt access - possible compromised multi-mesh injection server"; flow:to_server,established; content:"/banner.txt"; nocase; http_uri; flowbits:set,http.multimesh; flowbits:noalert; metadata:service http; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:misc-activity; sid:19299; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER cssminibar.js script injection"; flow:to_server,established; content:"/cssminibar.js"; nocase; http_uri; flowbits:set,http.multimesh; metadata:service http; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:attempted-user; sid:19298; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER sidename.js script injection"; flow:to_server,established; content:"/sidename.js"; nocase; http_uri; flowbits:set,http.multimesh; metadata:service http; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:attempted-user; sid:19297; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER CA Discovery Serice Overflow Attempt"; isdataat:100; content:"|9C|"; depth:1; content:!"|00|"; within:100; metadata:policy max-detect-ips drop; reference:cve,2006-6379; classtype:attempted-admin; sid:19090; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER CA Discovery Service Overflow Attempt"; isdataat:100; content:"|9B|"; depth:1; content:!"|00|"; within:100; metadata:policy max-detect-ips drop; reference:cve,2006-6379; classtype:attempted-admin; sid:19089; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"SERVER-OTHER CA Discovery Service Overflow Attempt"; flow:to_server, established; isdataat:100; content:"|9C|"; depth:1; content:!"|00|"; within:100; metadata:policy max-detect-ips drop; 
reference:cve,2006-6379; classtype:attempted-admin; sid:19088; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"SERVER-OTHER CA Discovery Service Overflow Attempt"; flow:to_server, established; isdataat:100; content:"|9B|"; depth:1; content:!"|00|"; within:100; metadata:policy max-detect-ips drop; reference:cve,2006-6379; classtype:attempted-admin; sid:19087; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-OTHER LDAP Novell eDirectory evtFilteredMonitorEventsRequest function heap overflow attempt"; flow:to_server,established; content:"2.16.840.1.113719.1.27.100."; pcre:"/^(79|84)\x81(\x82..|\x83...|\x84....)\x30(\x82..|\x83...|\x84....)\x02(\x04|\x81\x04|\x82\x00\x04|\x83\x00\x00\x04|\x84\x00\x00\x00\x04)[\x10-\xff]/R"; metadata:policy max-detect-ips drop, service ldap; reference:cve,2006-4509; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=427; classtype:attempted-admin; sid:18769; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER ActFax Server LPD/LPR Remote Buffer Overflow"; flow:to_server,established; isdataat:500; content:"|7D 4B 4A 00|"; depth:4; offset:257; reference:url,www.exploit-db.com/exploits/16176/; classtype:attempted-admin; sid:18763; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7580 (msg:"SERVER-OTHER Tecnomatix FactoryLink CSService null pointer attempt"; flow:to_server,established; content:"|00 00 00 00 04 00 00 00 04 00 00 00 00 03 00 00 00 04|"; fast_pattern:only; content:"LEN|00|"; depth:4; nocase; reference:bugtraq,46934; classtype:attempted-dos; sid:18617; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SERVER-OTHER GoodTech SSH Server SFTP Processing Buffer Overflow"; flow:to_server,established; content:"|85 79 28 23 7B C0 0E E2 F3 A9 E1 63 F2 ED 19 63|"; fast_pattern:only; reference:bugtraq,31879; reference:cve,2008-4726; classtype:attempted-user; sid:18598; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER IBM 
Tivoli Provisioning Manager long URI request buffer overflow attempt"; flow:to_server,established; content:"|17 03 01 04 00 5E 4E 64 80 C8 08 94 6D 3F 7C 86 41 B7 C9 BA 2A 26 21 83 D7 95 14 7A 3C 4E E4 1D B1 42 0B 5D 60|"; depth:37; metadata:policy max-detect-ips drop, service ssl; reference:bugtraq,27387; reference:cve,2008-0401; classtype:attempted-user; sid:18582; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER IBM Tivoli Provisioning Manager long URI request buffer overflow attempt"; flow:to_server,established; content:"|17 03 01 09 00 47 AE 1F 40 B1 9E 05 B1 F2 1A F9 09 A9 21 16 F9 FA 66 44 22 7E B9 92 49 D4 84 1A 0F 68 20 30 E8|"; depth:37; metadata:policy max-detect-ips drop, service ssl; reference:bugtraq,27387; reference:cve,2008-0401; classtype:attempted-user; sid:18581; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER Multiple Vendors iacenc.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|iacenc.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,42730; reference:cve,2010-3138; reference:cve,2010-3150; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-014; classtype:attempted-user; sid:18531; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1761 (msg:"SERVER-OTHER Novell ZENworks Remote Management overflow attempt"; flow:to_server,established; content:"|00 06 05 01 10 E6 01 00 34 5A F4 77 80 95 F8 77|"; content:"|00 01 00 06|"; within:4; content:"|00 06|"; within:4; distance:6; content:"|7F FF|"; within:4; distance:6; metadata:policy max-detect-ips drop; reference:bugtraq,13678; reference:cve,2005-1543; classtype:attempted-admin; sid:18512; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7144 (msg:"SERVER-OTHER PeerCast format string exploit attempt"; 
flow:established, to_server; content:"/html/en/index.html"; nocase; content:"|25|1265|24|"; within:50; fast_pattern; reference:bugtraq,13808; reference:cve,2005-1806; classtype:attempted-admin; sid:18509; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER HP DDMI Agent spoofing - command execution"; flow:to_server,established; content:"SOAPMethodName|3A| urn|3A|aiagent|23|executeProcess"; nocase; metadata:service http; reference:bugtraq,35250; reference:cve,2009-1419; classtype:attempted-admin; sid:18397; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3690 (msg:"SERVER-OTHER Subversion 1.0.2 get-dated-rev buffer overflow attempt"; flow:to_server,established; content:"get-dated-rev"; fast_pattern:only; pcre:"/get-dated-rev\s*\x28\s*([^\x29]{75}|[\s\x20-\x28\x2A-\x7E]{0,74}[^\s\x20-\x7E])/ims"; reference:bugtraq,10386; reference:cve,2004-0397; classtype:attempted-user; sid:18312; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia Network Backup Client Buffer Overflow Type 84 Attempt"; flow:to_server,established; content:"|00 54|"; depth:2; byte_test:2,>,255,4,relative; metadata:policy max-detect-ips drop; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-user; sid:18292; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia Network Backup Client Buffer Overflow Type 77 Attempt"; flow:to_server,established; content:"|00 4D|"; depth:2; byte_test:2,>,23,4,relative; metadata:policy max-detect-ips drop; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-user; sid:18291; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [3985,3986] (msg:"SERVER-OTHER Unisys Business Information Server stack buffer overflow attempt"; flow:to_server,established; content:"|16 07|"; depth:2; byte_test:2,>,24,2,big; metadata:policy max-detect-ips drop; reference:bugtraq,35494; reference:cve,2009-1628; classtype:attempted-admin; sid:18248; rev:4;) # alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Thinkpoint fake antivirus binary download"; flow:to_client,established; file_data; content:"|30 B6 AD D9 C7 B7 41 8E 75 6E 65 78 70 30 65 B4 26 6D|"; content:"|BA 3A 0D 0A 4F E8 7A 65 7E 66 B5 05 EF AD 61 49 C9 80 75 6D 58|"; within:100; metadata:service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-090610-2408-99; classtype:trojan-activity; sid:17817; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1339 (msg:"SERVER-OTHER CA BrightStor ARCServe logger servie null-pointer dereference attempt"; flow:to_server, established; content:"|00 00 00 00 00 00 00 02 00 06 09 82 00 00 00 01 00 00 00 01|"; content:"|FF FF FF FF|"; distance:8; metadata:policy max-detect-ips drop; reference:cve,2007-2772; classtype:attempted-admin; sid:17643; rev:4;) alert tcp $EXTERNAL_NET 41523 -> $HOME_NET any (msg:"SERVER-OTHER Products Discovery Service Buffer Overflow"; flow:to_client,established; flowbits:set,CA.response; content:"|9B 17 F6 4A 1D 01 E7 52 11 C3 61 7B 9B B0 62 52|"; fast_pattern:only; isdataat:990; metadata:policy max-detect-ips alert; reference:bugtraq,20364; reference:cve,2006-5143; classtype:attempted-user; sid:17621; rev:7;) # alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"SERVER-OTHER Squid proxy DNS response spoofing attempt"; flow:to_client,no_stream; content:"|C0 10 00 02 00 01 00 01 51 80 00 05 02 6E 73 C0 10|"; detection_filter:track by_src, count 500, seconds 30; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,13592; reference:cve,2005-1519; classtype:attempted-dos; sid:17495; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 8443 (msg:"SERVER-OTHER Symantec Backup Exec System Recovery Manager unauthorized file upload attempt"; flow:to_server,established; content:"|17 03 00 02 01 87 09 6B 5D 64 67 5D 86 54 D0 F4 27 EF 2B 32 CA A3 D3 FA 97 AA 40 14 ED 27 15 D2 9B 06 EA 07 09 7D B8 D2 61 69 CD 6D 74 52 F9 8A|"; depth:48; nocase; metadata:service 
ssl; reference:cve,2008-0457; reference:url,seer.entsupport.symantec.com/docs/297171.htm; classtype:misc-activity; sid:17445; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Palo Alto Networks Firewall editUser.esp XSS attempt"; flow:to_server,established; content:"/esp/editUser.esp"; fast_pattern; nocase; http_uri; content:"role="; nocase; http_uri; pcre:"/[\x3f\x26]role=[^\x26]*?[^\x26a-z0-9\x5b\x5d\x2d]/Usmi"; metadata:service http; reference:cve,2010-0475; classtype:web-application-attack; sid:16689; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER IBM WebSphere application server cross site scripting attempt"; flow:to_server, established; content:"/ibm/console/"; nocase; http_uri; content:" $HOME_NET any (msg:"SERVER-OTHER Green Dam URL handling overflow attempt"; flow:to_client,established; file_data; content:"<=2035"; fast_pattern:only; content:"window.location="; content:"'.html'|3B|"; within:30; nocase; content:"classid=|22|"; distance:0; nocase; content:".dll|23|"; within:100; nocase; metadata:service http; reference:url,secunia.com/advisories/35435; classtype:attempted-user; sid:16598; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SERVER-OTHER Squid Proxy http version number overflow attempt"; flow:to_server,established; content:" http/"; nocase; pcre:"/^[^\s]+\s+[^\s]+\s+http\x2f(\d+\x2e)?\d{10}/i"; metadata:policy max-detect-ips drop; reference:bugtraq,33604; reference:cve,2009-0478; classtype:attempted-user; sid:16521; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-OTHER CVS Entry line flag remote heap overflow attempt"; flow:to_server,established; content:"Entry"; fast_pattern:only; cvs:invalid-entry; reference:bugtraq,10384; reference:cve,2004-0396; classtype:attempted-admin; sid:16437; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-OTHER Oracle Internet Directory heap corruption attempt"; flow:to_server,established; 
content:"|82 82 82 82 82 82 82 82 82 82 82 82 82 82 82 82|"; fast_pattern:only; metadata:service ldap; classtype:attempted-admin; sid:16374; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER Kaspersky Online Scanner trojaned Dll download attempt"; flow:to_server,established; content:"kos-main.jar"; nocase; http_uri; content:!"Host|3A| www.kaspersky.com|0D 0A|"; nocase; http_header; metadata:service http; reference:url,intevydis.com/blog/?p=77; classtype:trojan-activity; sid:16141; rev:9;) # alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER KAME racoon X509 certificate verification bypass attempt"; flow:to_server; content:"|AA FF|Fk|09 89 01 B9 B2 F4 E2|^Pdx|17 05 10 02 01 00 00 00 00|"; depth:24; reference:bugtraq,10546; reference:cve,2004-0607; classtype:attempted-user; sid:16080; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SERVER-OTHER Tripwire format string vulnerability ftp exploit attempt"; flow:to_server,established; content:"STOR asd%nmv|0D 0A|"; fast_pattern:only; metadata:service ftp; reference:bugtraq,10454; reference:cve,2004-0536; classtype:attempted-admin; sid:16077; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"SERVER-OTHER Tripwire format string vulnerability nfs exploit attempt"; flow:to_server; content:"|00 00 00 00|"; depth:4; offset:4; content:"|00 00 00 09|"; within:4; distance:12; content:"|CA BA EB FE CB|F|00 00 02 00 00 00 08 03 00 00 08 03 00 00 CB|F|00 00 AF|H|C3 8E 00 00 00 00 00 00 00 07|asd%nmv"; reference:bugtraq,10454; reference:cve,2004-0536; classtype:attempted-admin; sid:16076; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 783 (msg:"SERVER-OTHER SpamAssassin spamd vpopmail and paranoid options code execution attempt"; flow:to_server,established; content:"user"; fast_pattern:only; pcre:"/^user\s*\x3a[^\r\n]*[\x3b\x26\x7c]/mi"; reference:bugtraq,18290; reference:cve,2006-2447; classtype:attempted-user; sid:16040; rev:5;) # alert udp $EXTERNAL_NET any -> 
$HOME_NET 137 (msg:"SERVER-OTHER Norton Internet Security NBNS response processing stack overflow attempt"; flow:to_server; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; reference:bugtraq,10333; reference:cve,2004-0444; classtype:attempted-admin; sid:16015; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 3401 (msg:"SERVER-OTHER Squid ASN.1 header parsing denial of service attempt"; flow:to_server; content:"0|84 FF FF FF|"; byte_test:1,>,0xf9,0,relative; reference:bugtraq,11385; reference:cve,2004-0918; classtype:attempted-dos; sid:15989; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER Check Point VPN-1 ASN.1 Decoding heap overflow attempt"; flow:to_server; content:"|84 FF FF FF FE|"; fast_pattern:only; pcre:"/[\x04\x0c\x14\x16\x1c\x1e\x24\x34]\x84\xff{3}\xfe/"; reference:bugtraq,10820; reference:cve,2004-0699; classtype:attempted-dos; sid:15979; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER single byte encoded name response"; content:"|00 03 80| |00 01 00 01 00 00 00 00 01|V|01|"; byte_test:1, &, 128, 2; byte_test:2, >, 0, 4; byte_test:2, >, 0, 6; pcre:"/^.{12}(\x01.){20}/"; reference:cve,2004-0444; classtype:misc-attack; sid:15972; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [514,1999,2401] (msg:"SERVER-OTHER CVS Argumentx command double free attempt"; flow:to_server,established; content:"Argumentx"; fast_pattern:only; pcre:!"/^Argument[^x\x0a]+\x0aArgumentx/mi"; reference:bugtraq,10499; reference:cve,2004-0416; classtype:attempted-admin; sid:15971; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3690 (msg:"SERVER-OTHER Subversion svn pProtocol string parsing heap overflow attempt"; flow:to_server,established; content:"|28| 2 |28| edit-pipeline |29| 4294967295|3A|AAAA"; reference:bugtraq,10519; reference:cve,2004-0413; classtype:attempted-admin; sid:15970; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER Symantec Multiple Products ISAKMPd 
denial of service attempt"; flow:to_server; content:"|A8|`|87|o|15 A9|0|F4 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00|0|00 00 00 14 00 00 00 01 00 00 00 05 00 00 7F FF|"; reference:bugtraq,11039; reference:cve,2004-0369; classtype:attempted-dos; sid:15969; rev:5;) # alert udp any any -> any 5190 (msg:"SERVER-OTHER ICQ SRV_MULTI/SRV_META_USER overflow attempt"; flow:to_server; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_test:2,>,512,-11,relative,little; reference:cve,2004-0362; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:15967; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 12168 (msg:"SERVER-OTHER CA Multiple Products Console Server login credentials handling overflow attempt"; flow:to_server,established; content:"|96|8|9E 04|"; depth:8; offset:4; byte_test:4,>,83,0; byte_test:1,&,192,20; metadata:policy max-detect-ips drop; reference:bugtraq,23906; reference:cve,2007-2522; classtype:attempted-user; sid:15943; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 4244 (msg:"SERVER-OTHER MSN Messenger IRC bot calling home attempt"; flow:to_server,established; content:"PASS gooback"; classtype:trojan-activity; sid:15939; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"SERVER-OTHER protos h323 buffer overflow"; flow:to_server,established; content:"|00 00 00 01 80 88 19 08 16|aaaaaaaaaaaaaaaaaa"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/h2250v4/index.html; classtype:attempted-admin; sid:15937; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER SAPLPD 0x34 command buffer overflow attempt"; flow:to_server,established; isdataat:400; content:"4"; depth:1; isdataat:400,relative; content:!"|0A|"; within:400; reference:bugtraq,27613; reference:cve,2008-0621; 
classtype:attempted-admin; sid:15891; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER SAPLPD 0x33 command buffer overflow attempt"; flow:to_server,established; isdataat:400; content:"3"; depth:1; isdataat:400,relative; content:!"|0A|"; within:400; reference:bugtraq,27613; reference:cve,2008-0621; classtype:attempted-admin; sid:15890; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER SAPLPD 0x32 command buffer overflow attempt"; flow:to_server,established; isdataat:400; content:"2"; depth:1; isdataat:400,relative; content:!"|0A|"; within:400; reference:bugtraq,27613; reference:cve,2008-0621; classtype:attempted-admin; sid:15889; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER SAPLPD 0x31 command buffer overflow attempt"; flow:to_server,established; isdataat:400; content:"1"; depth:1; isdataat:400,relative; content:!"|0A|"; within:400; reference:bugtraq,27613; reference:cve,2008-0621; classtype:attempted-admin; sid:15888; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER SAPLPD 0x05 command buffer overflow attempt"; flow:to_server,established; isdataat:400; content:"|05|"; depth:1; isdataat:400,relative; content:!" 
"; within:400; reference:bugtraq,27613; reference:cve,2008-0621; classtype:attempted-admin; sid:15887; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER SAPLPD 0x04 command buffer overflow attempt"; flow:to_server,established; content:"|04|"; depth:1; content:" "; distance:0; isdataat:2000,relative; content:!"|0A|"; within:2000; reference:bugtraq,27613; reference:cve,2008-0621; classtype:attempted-admin; sid:15886; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER SAPLPD 0x03 command buffer overflow attempt"; flow:to_server,established; content:"|03|"; depth:1; isdataat:1458,relative; content:!"|0A|"; within:1458; reference:bugtraq,27613; reference:cve,2008-0621; classtype:attempted-admin; sid:15885; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER SAPLPD 0x02 command buffer overflow attempt"; flow:to_server,established; content:"|02|"; depth:1; isdataat:400,relative; content:!"|0A|"; within:400; reference:bugtraq,27613; reference:cve,2008-0621; classtype:attempted-admin; sid:15884; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER SAPLPD 0x01 command buffer overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; isdataat:400,relative; content:!"|0A|"; within:400; reference:bugtraq,27613; reference:cve,2008-0621; classtype:attempted-admin; sid:15883; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1718 (msg:"SERVER-OTHER McAfee E-Business Server remote preauth code execution attempt"; flow:to_server,established; content:"|01|?/|05|%*"; depth:6; isdataat:300,relative; content:!"|0D 0A|"; within:300; reference:cve,2008-0127; reference:url,www.infigo.hr/en/in_focus/advisories/INFIGO-2008-01-06; classtype:attempted-admin; sid:15882; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SERVER-OTHER Squid NTLM fakeauth_auth Helper denial of service attempt"; flow:to_server,established; content:"Proxy-Authorization|3A|"; nocase; http_header; 
content:"TlRMTVNTUAADAAAAGAAYAFcAAAAYABgAbwAAAAQABABIAAAABwAHAEwAAAAEAAQAUwAAAAAAAACHAAAABoIAAgUAkwgAAAAPQUxJRgNTVE9JQU5BTElG0rctVCv8MHcFVYLyVeJ+Bz+VWpKGpuw68j7CBi5V2JlRVrF65wtddQTYeTHCnpF3"; fast_pattern:only; http_header; metadata:service http; reference:bugtraq,12220; reference:cve,2005-0097; classtype:attempted-dos; sid:15579; rev:10;) # alert udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] (msg:"SERVER-OTHER DCERPC NCADG-IP-UDP lsarpc LsarLookupSids translated_names overflow attempt"; dce_iface:12345778-1234-abcd-ef00-0123456789ab; dce_opnum:15; dce_stub_data; byte_test:4,>,255,36,dce; metadata:policy max-detect-ips drop; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:15508; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SERVER-OTHER Oracle Java System sockd authentication buffer overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; byte_jump:1, 0, relative; content:"|FF|"; within:1; isdataat:300,relative; metadata:policy max-detect-ips drop; reference:cve,2007-2881; classtype:attempted-admin; sid:15482; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-OTHER RealNetworks Helix Server RTSP Request Proxy-Require header heap buffer overflow attempt"; flow:to_server,established; content:"Proxy-Require"; fast_pattern:only; pcre:"/^Proxy-Require\s*\x3a\s*[^\x0a]{33}/mi"; metadata:policy max-detect-ips drop, service rtsp; reference:bugtraq,33059; reference:cve,2008-5911; classtype:attempted-admin; sid:15479; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1500 (msg:"SERVER-OTHER IBM Tivoli Storage Manager Express Backup message length heap corruption attempt"; flow:to_server,established; flowbits:isset,tivoli.backup; content:"*|A5|"; offset:4; byte_test:2,<,0x17,-4,relative,big; metadata:policy max-detect-ips drop; reference:bugtraq,34077; reference:cve,2008-4563; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21377388; classtype:attempted-admin; sid:15437; 
rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6988 (msg:"SERVER-OTHER IBM Director CIM server consumer name handling denial of service attempt"; flow:to_server,established; content:"POST"; fast_pattern; content:"HTTP"; distance:1; nocase; pcre:"/^.*POST\s+\x2f[^\s\x2f]{9,}\x2f[^\s]{235}/i"; reference:bugtraq,34061; reference:cve,2009-0879; classtype:attempted-dos; sid:15435; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SERVER-OTHER Sun One web proxy server overflow attempt"; flow:to_server,established; content:"|01 06|"; depth:2; content:"PPPPPPPPPPPPXXXXXXXXXXXX"; metadata:policy max-detect-ips drop; reference:bugtraq,24165; reference:cve,2007-2881; reference:url,sunsolve.sun.com/search/document.do?assetkey=1-26-102927-1; classtype:attempted-admin; sid:15422; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"SERVER-OTHER Multiple vendors CUPS HPGL filter remote code execution attempt"; flow:to_server,established; content:"PW"; fast_pattern:only; pcre:"/PW\x2D?\x2E?[0-9]+\s*,\s/"; byte_test:4,>=,1024,0,relative,string,dec; metadata:policy max-detect-ips drop; reference:bugtraq,31688; reference:cve,2008-3641; classtype:attempted-user; sid:15186; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"SERVER-OTHER Apple CUPS RGB+Alpha PNG filter overly large image height integer overflow attempt"; flow:to_server,established; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; content:"IHDR"; content:"|06|"; within:1; distance:9; byte_test:4,>,1431655765,-6,relative; metadata:policy max-detect-ips drop, service http; reference:bugtraq,32518; reference:cve,2008-5286; reference:url,www.cups.org/str.php?L2974; classtype:attempted-admin; sid:15146; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER CA ARCserve LGServer handshake buffer overflow attempt"; flow:to_server,established; content:"00000000"; depth:8; content:"AAAAAAAAAAAAAA"; within:14; distance:4; metadata:policy max-detect-ips drop; reference:bugtraq,30472; 
reference:cve,2008-3175; classtype:attempted-admin; sid:14773; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 4888 (msg:"SERVER-OTHER Symantec Veritas Foundation Service NULL service authentication attempt"; flow:to_server,established; content:"NTLMSSP|00 03 00 00 00|"; nocase; content:"|00 00|"; within:2; distance:24; reference:cve,2007-2279; classtype:attempted-admin; sid:14741; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [898,1024:] (msg:"SERVER-OTHER Oracle Java web console format string attempt"; flow:to_server,established; content:"com.sun.management.viperimpl.services.authentication.AuthenticationPrincipal"; fast_pattern:only; content:"UserDesc"; nocase; content:"t|00|"; distance:0; isdataat:100,relative; content:"%"; within:50; reference:cve,2007-1681; classtype:attempted-user; sid:14615; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt"; flow:to_server,established; dsize:>61; content:"|00 06 09|~"; depth:4; offset:16; pcre:"/.{4}\x00\x00\x00(\xF0|\xEF|\xE8|\xF5|\xED).{36}(?!_[^_]{1,64}_[^_]{1,64}_)/smiR"; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,23635; reference:cve,2007-2139; classtype:attempted-admin; sid:14607; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3050 (msg:"SERVER-OTHER Borland Interbase open_marker_file overflow attempt"; flow:to_server,established; content:"|00 00 00 13|"; byte_test:4,>,1024,4,relative; reference:bugtraq,25917; reference:cve,2007-5244; classtype:attempted-user; sid:14602; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [8100,3600] (msg:"SERVER-OTHER SAP Message Server Heap buffer overflow attempt"; flow:to_server,established; content:"GET /msgserver/html/group?group="; nocase; isdataat:498,relative; content:!" 
"; within:498; metadata:service http; reference:bugtraq,24765; reference:cve,2007-3624; classtype:attempted-user; sid:14600; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt - 2"; flow:to_client,established; content:"Content-Type|3A|"; nocase; http_header; content:"text/xml"; nocase; http_header; content:"xsl|3A|version"; fast_pattern:only; http_header; content:"crypto|3A|rc4_"; nocase; http_header; pcre:"/crypto\x3Arc4_(encrypt|decrypt)\x28\x27[^\x27]{129}/smiH"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30467; reference:cve,2008-2935; reference:url,attack.mitre.org/techniques/T1220; classtype:attempted-user; sid:14041; rev:16;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER GNOME Project libxslt RC4 key string buffer overflow attempt"; flow:to_client,established; content:"Content-Type|3A|"; nocase; http_header; content:"text/xml"; within:20; nocase; http_header; content:"xsl|3A|transform"; fast_pattern:only; http_header; content:"crypto|3A|rc4_"; nocase; http_header; pcre:"/crypto\x3Arc4_(encrypt|decrypt)\x28\x27[^\x27]{129}/smiH"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30467; reference:cve,2008-2935; reference:url,attack.mitre.org/techniques/T1220; classtype:attempted-user; sid:14040; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3050 (msg:"SERVER-OTHER Borland Interbase operation buffer overflow"; flow:to_server,established; content:"|00 00 00 13|"; depth:4; byte_test:4, >, 1024, 4, relative; reference:cve,2007-5243; classtype:attempted-admin; sid:13842; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3050 (msg:"SERVER-OTHER Borland Interbase create operation buffer overflow"; flow:to_server,established; content:"|00 00 00 14|"; depth:4; byte_test:4, >, 540, 4, relative; reference:cve,2007-5243; classtype:attempted-admin; sid:13841; rev:5;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 3050 (msg:"SERVER-OTHER Borland Interbase service attach operation buffer overflow"; flow:to_server,established; content:"|00 00 00|R"; depth:4; byte_test:4, >, 152, 4, relative; reference:cve,2007-5243; classtype:attempted-admin; sid:13840; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3050 (msg:"SERVER-OTHER Borland Software InterBase ibserver.exe Service Attach Request buffer overflow attempt"; flow:to_server,established; content:"|00 00 00|R"; depth:4; byte_test:4,>,848,8; metadata:policy max-detect-ips drop; reference:bugtraq,28730; reference:cve,2008-1910; classtype:attempted-admin; sid:13804; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-OTHER RealNetworks Helix RTSP long setup request exploit attempt"; flow:to_server,established; content:"SETUP"; depth:5; nocase; isdataat:256,relative; content:!"|0A|"; within:256; metadata:service rtsp; reference:bugtraq,6454; reference:cve,2002-1643; classtype:attempted-user; sid:13695; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-OTHER RealNetworks Helix RTSP long get request exploit attempt"; flow:to_server,established; content:"GET "; depth:4; nocase; isdataat:200; content:!"|0A|"; depth:200; metadata:service rtsp; reference:bugtraq,6454; reference:cve,2002-1643; classtype:attempted-user; sid:13694; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER Zango adware installation request"; flow:to_server,established; content:"Zango/Setup.exe"; http_uri; metadata:service http; reference:url,www.ftc.gov/os/caselist/0523130/index.shtm; classtype:policy-violation; sid:13632; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER CA Brightstor discovery service alternate buffer overflow attempt"; flow:to_server,established; content:"|99 99 99 99 99 99 99 99 99 99|"; pcre:"/\x99{40}\xeb\x12\x01\x99{4}\x18A{5}.{4}A{6}/sm"; reference:cve,2005-0260; classtype:attempted-admin; sid:13620; rev:5;) # alert tcp $EXTERNAL_NET any 
-> $HOME_NET 2401 (msg:"SERVER-OTHER CVS Argument overflow"; flow:to_server,established; content:"Event"; nocase; content:"ac1db1tch3z/blackhat4life"; reference:cve,2004-0396; classtype:attempted-admin; sid:13616; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-OTHER CVS Argument overflow attempt"; flow:to_server,established; content:"Event"; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:cve,2004-0396; classtype:attempted-admin; sid:13615; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-OTHER CVS Argument overflow attempt"; flow:to_server,established; content:"Argument"; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:cve,2004-0396; classtype:attempted-admin; sid:13614; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2439 (msg:"SERVER-OTHER Sybase SQL Anywhere Mobilink remoteID string buffer overflow"; flow:to_server,established; content:"|03 22 00|"; byte_jump:2,0,relative,little; byte_jump:2,0,relative,little; byte_test:2,>,128,0,relative,little; metadata:policy max-detect-ips drop; reference:bugtraq,27914; reference:cve,2008-0912; reference:url,aluigi.altervista.org/adv/mobilinkhof-adv.txt; classtype:attempted-admin; sid:13555; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2439 (msg:"SERVER-OTHER Sybase SQL Anywhere Mobilink version string buffer overflow"; flow:to_server,established; content:"|03|"; content:"|03 22 00|"; distance:0; byte_jump:2,0,relative,little; byte_test:2,>,128,0,relative,little; metadata:policy max-detect-ips drop; reference:bugtraq,27914; reference:cve,2008-0912; reference:url,aluigi.altervista.org/adv/mobilinkhof-adv.txt; classtype:attempted-admin; sid:13554; rev:9;) # alert tcp $EXTERNAL_NET [80,8090] -> $HOME_NET any (msg:"SERVER-OTHER Nullsoft Winamp Ultravox streaming malicious metadata"; flow:to_client,established; content:"misc/ultravox"; content:""; distance:0; nocase; isdataat:266,relative; content:!""; within:256; 
pcre:"/Content-Type\x3A\s*misc\/ultravox.+?(\r?\n){2}\x5A.9\x01/is"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0065; classtype:attempted-user; sid:13521; rev:9;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"SERVER-OTHER CA BrightStor cheyenneds mailslot overflow"; flow:to_server; content:"mailslot|5C|cheyenneds"; nocase; isdataat:24,relative; content:!"|00|"; within:20; distance:4; reference:bugtraq,20364; reference:cve,2006-5142; classtype:attempted-admin; sid:13415; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 407 (msg:"SERVER-OTHER Motorola Timbuktu crafted login request buffer overflow attempt"; flow:to_server; content:"|00 01|"; depth:2; content:"|00 23 07|"; depth:3; offset:6; byte_test:1,>,31,30; metadata:policy max-detect-ips drop; reference:bugtraq,25454; reference:cve,2007-4221; reference:url,ftp-xo.netopia.com/evaluation/docs/timbuktu/win/865/relnotes/TB2Win865Evalrn.pdf; classtype:attempted-admin; sid:13222; rev:7;) # alert udp $EXTERNAL_NET 554 -> $HOME_NET any (msg:"SERVER-OTHER Apple Quicktime UDP RTSP sdp type buffer overflow attempt"; flow:to_client; content:"RTSP"; depth:4; fast_pattern; content:"Content-Type"; nocase; isdataat:257,relative; content:!"|0A|"; within:257; pcre:"/Content-Type\s*\x3A[^\n\x3A]{256}/smi"; metadata:policy max-detect-ips drop; reference:bugtraq,26549; reference:cve,2007-6166; classtype:attempted-user; sid:12742; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-OTHER ASN.1 constructed bit string"; flow:to_server,established; content:"|FF|SMB"; depth:8; content:"+|06 01 05 05 02|"; content:"AAAAAAAAAA"; within:10; distance:21; reference:bugtraq,9633; reference:cve,2003-0818; reference:cve,2005-1935; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring/; classtype:attempted-admin; sid:12710; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-OTHER RealNetworks Helix 
RTSP long describe request exploit attempt"; flow:to_server,established; content:"DESCRIBE"; depth:8; nocase; isdataat:200; content:!"|0A|"; depth:200; metadata:service rtsp; reference:bugtraq,6454; reference:cve,2002-1643; classtype:attempted-user; sid:12422; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-OTHER RealNetworks Helix RTSP long transport header"; flow:to_server,established; content:"SETUP"; depth:5; nocase; content:"Transport|3A|"; nocase; isdataat:256,relative; content:!"|0A|"; within:256; metadata:service rtsp; reference:bugtraq,6454; reference:cve,2002-1643; classtype:attempted-user; sid:12421; rev:10;) # alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Apple mDNSresponder excessive HTTP headers"; flow:to_client; content:"HTTP"; depth:16; pcre:"/^.*HTTP.*\r\n(.+\x3a\s+.+\r\n){31,}/"; metadata:service http; reference:bugtraq,25159; reference:cve,2007-3744; classtype:attempted-admin; sid:12357; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [1526,1625] (msg:"SERVER-OTHER IBM Informix Dynamic Server long username buffer overflow attempt"; flow:to_server,established; content:"sqlexec "; depth:20; isdataat:127,relative; content:!" 
"; within:127; reference:bugtraq,19264; reference:cve,2006-3853; reference:cve,2006-3854; classtype:attempted-admin; sid:12220; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3050 (msg:"SERVER-OTHER Borland interbase string length buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 13|"; depth:4; isdataat:1032; content:!"|00|"; within:1024; distance:8; metadata:policy max-detect-ips drop; reference:bugtraq,25048; reference:cve,2007-3566; classtype:attempted-admin; sid:12217; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER CA BrightStor ARCserve LGServer stack buffer overflow attempt"; flow:to_server,established; byte_test:10,>,284,0,big,dec,string; isdataat:295; content:!"~~"; depth:284; offset:10; metadata:policy max-detect-ips drop; reference:bugtraq,22342; reference:cve,2007-0449; classtype:attempted-admin; sid:12079; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER niprint_lpd module attack attempt"; flow:to_server,established; content:"|EB|3"; depth:2; isdataat:53; content:"6B@|00|"; depth:4; offset:49; reference:bugtraq,8968; reference:cve,2003-1141; classtype:attempted-admin; sid:11682; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER Openview Omni II command bypass attempt"; flow:to_server,established; content:"|00 00 00|.2|00| a|00| 0|00| 0|00| 0|00| A|00| 28|00|"; depth:25; pcre:"/^[^\x00]*\x2e\x2e/R"; reference:bugtraq,11032; reference:cve,2001-0311; classtype:attempted-admin; sid:11681; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 44334 (msg:"SERVER-OTHER Kerio Personal Firewall authentication buffer overflow attempt"; flow:to_server,established; isdataat:1000; pcre:"/^[^\x00]{1000}/m"; reference:bugtraq,7180; reference:cve,2003-0220; classtype:attempted-admin; sid:11266; rev:2;) # alert udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"SERVER-OTHER Sentinel license manager buffer overflow attempt"; flow:to_server; dsize:>836; 
reference:bugtraq,12742; reference:cve,2005-0353; classtype:attempted-admin; sid:11265; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"SERVER-OTHER MaxDB WebDBM get buffer overflow"; flow:to_server,established; content:"GET"; isdataat:500,relative; content:!"|0A|"; within:500; metadata:policy max-detect-ips drop; reference:bugtraq,13368; reference:cve,2005-0684; classtype:attempted-admin; sid:11196; rev:9;) # alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER CA Brightstor discovery service buffer overflow attempt"; flow:to_server; content:"|B0 8E 80 23|"; content:!"|00|"; within:1399; isdataat:1400; reference:bugtraq,12491; reference:cve,2005-0260; classtype:attempted-admin; sid:10134; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 11000 (msg:"SERVER-OTHER bomberclone buffer overflow attempt"; flow:to_server; content:"|00 00 00 00|8|03|A"; depth:7; isdataat:764; reference:bugtraq,16697; reference:cve,2006-0460; classtype:attempted-user; sid:10125; rev:8;) # alert tcp $EXTERNAL_NET 5900 -> $HOME_NET any (msg:"SERVER-OTHER VNC password request buffer overflow attempt"; flow:to_client,established; content:"|00 00 00 00 00 00 04 06|"; depth:8; isdataat:1029,relative; metadata:policy max-detect-ips drop; reference:bugtraq,17378; reference:bugtraq,2305; reference:cve,2001-0167; reference:cve,2006-1652; classtype:web-application-attack; sid:10087; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7144 (msg:"SERVER-OTHER Peercast URL Parameter overflow attempt"; flow:to_server,established; content:"/stream/?"; http_uri; isdataat:700; pcre:"/^[^\n]{700}/si"; metadata:service http; reference:bugtraq,17040; reference:cve,2006-1148; classtype:attempted-user; sid:10064; rev:10;) # alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"SERVER-OTHER Putty Server key exchange buffer overflow attempt"; flow:to_client,established,no_stream; content:"SSH-"; depth:4; isdataat:1000,relative; 
pcre:"/SSH-0*([2-9]\d*|1\d+)\.[^-]*-[^\n]*\n\x00\x00.{3}\x14.{1000}/s"; reference:bugtraq,6407; reference:cve,2002-1359; reference:url,www.rapid7.com/advisories/R7-0009.html; classtype:attempted-user; sid:10010; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER HP-UX lpd command execution attempt"; flow:to_server,established; content:"|02|"; depth:1; pcre:"/^\x02[^\x0a\x20]*\x60[^\x0a\x20]*?\x0a/smi"; reference:bugtraq,15136; reference:cve,2005-3277; classtype:attempted-admin; sid:9790; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER Computer Associates Product Discovery Service type 9C remote buffer overflow attempt UDP"; flow:to_server; content:"|9C|"; depth:1; isdataat:256,relative; content:!"|00|"; within:256; metadata:policy max-detect-ips drop; reference:bugtraq,21502; reference:cve,2006-6379; classtype:attempted-admin; sid:9636; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER Computer Associates Product Discovery Service type 9B remote buffer overflow attempt UDP"; flow:to_server; content:"|9B|"; depth:1; isdataat:256,relative; content:!"|00|"; within:256; metadata:policy max-detect-ips drop; reference:bugtraq,21502; reference:cve,2006-6379; classtype:attempted-admin; sid:9635; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"SERVER-OTHER Computer Associates Product Discovery Service type 9C remote buffer overflow attempt TCP"; flow:to_server,established; content:"|9C|"; depth:1; isdataat:256,relative; content:!"|00|"; within:256; metadata:policy max-detect-ips drop; reference:bugtraq,21502; reference:cve,2006-6379; classtype:attempted-admin; sid:9634; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2000 (msg:"SERVER-OTHER Shixxnote font buffer overflow attempt"; flow:to_server,established; content:"~~"; depth:2; offset:8; isdataat:33,relative; content:!"~"; within:32; content:"~"; distance:32; reference:bugtraq,11409; reference:cve,2004-1595; 
classtype:attempted-user; sid:8729; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [80,8000] (msg:"SERVER-OTHER IceCast header buffer overflow attempt"; flow:to_server,established; content:"GET / HTTP/1.0|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|"; fast_pattern:only; reference:bugtraq,11271; reference:cve,2004-1561; reference:url,archives.neohapsis.com/archives/bugtraq/2004-09/0366.html; classtype:attempted-admin; sid:8703; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [80,8000] (msg:"SERVER-OTHER IceCast header buffer overflow attempt"; flow:to_server,established; content:"|EB 0C| / HTTP/1.1 "; nocase; pcre:"/\xeb\x0c \/ HTTP\/1\.1\s+\S+/smi"; reference:bugtraq,11271; reference:cve,2004-1561; reference:url,archives.neohapsis.com/archives/bugtraq/2004-09/0366.html; classtype:attempted-admin; sid:8702; rev:6;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion sourcewindow.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/docs/sourcewindow.cfm"; nocase; http_uri; metadata:service http; reference:bugtraq,3154; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,1999-0922; classtype:attempted-recon; sid:8493; rev:13;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion openfile.cfm access"; flow:to_server,established; content:"/cfdocs/expeval/openfile.cfm"; nocase; http_uri; metadata:service http; reference:bugtraq,3154; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:8492; rev:13;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion eval.cfm access"; flow:to_server,established; content:"/cfdocs/expeval/eval.cfm"; nocase; http_uri; metadata:service http; 
reference:bugtraq,3154; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:8491; rev:13;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion viewexample.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/viewexample.cfm"; nocase; http_uri; metadata:service http; reference:bugtraq,3154; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:8490; rev:13;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_DELETE access"; flow:to_server,established; content:"CFADMIN_REGISTRY_DELETE|28 29|"; fast_pattern:only; metadata:service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-user; sid:8489; rev:9;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_GET access"; flow:to_server,established; content:"CFADMIN_REGISTRY_GET|28 29|"; fast_pattern:only; metadata:service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-user; sid:8488; rev:9;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_SET access"; flow:to_server,established; content:"CFADMIN_REGISTRY_SET|28 29|"; fast_pattern:only; metadata:service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-user; sid:8487; rev:9;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion CFNEWINTERNALREGISTRY access"; flow:to_server,established; content:"CFNEWINTERNALREGISTRY|28 29|"; fast_pattern:only; metadata:service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-user; sid:8486; rev:9;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion CFNEWINTERNALADMINSECURITY access"; flow:to_server,established; content:"CFNEWINTERNALADMINSECURITY|28 29|"; 
fast_pattern:only; metadata:service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-user; sid:8485; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5800 (msg:"SERVER-OTHER UltraVNC VNCLog buffer overflow"; flow:to_server,established; content:"GET"; depth:3; nocase; pcre:"/GET\s\x2f[^\r\n]{900}/smi"; metadata:policy max-detect-ips drop; reference:bugtraq,17378; reference:cve,2006-1652; classtype:attempted-admin; sid:8060; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt"; flow:to_server,established; content:"fp40reg.dll"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; isdataat:300,relative; pcre:"/^Host\x3A\s[^\r\n]{300}/smi"; metadata:service http; reference:bugtraq,9008; reference:cve,2003-0824; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-051; classtype:attempted-admin; sid:6411; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt"; flow:to_server,established; content:"fp30reg.dll"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; isdataat:300,relative; pcre:"/^Host\x3A\s[^\r\n]{300}/smi"; metadata:service http; reference:bugtraq,9008; reference:cve,2003-0822; reference:cve,2003-0824; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-051; classtype:attempted-admin; sid:6410; rev:15;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt"; flow:to_server,established; content:"shtml.dll"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; pcre:"/^Host\x3A\s[^\r\n]{300,}/smiH"; metadata:service http; reference:bugtraq,9008; reference:cve,2003-0824; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-051; classtype:attempted-admin; sid:6409; rev:13;) 
alert tcp $EXTERNAL_NET any -> $HOME_NET 13724 (msg:"SERVER-OTHER VERITAS NetBackup vnetd connection attempt"; flow:to_server,established; content:"6|00|bpspsserver|00|"; flowbits:set,vnetd.bpspsserver.connection; flowbits:noalert; classtype:protocol-command-decode; sid:6010; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"SERVER-OTHER pcAnywhere buffer overflow attempt"; flow:to_server,established; content:"o"; depth:1; byte_test:1,>,96,1; byte_test:1,<,101,1; byte_test:2,>,512,3; isdataat:510,relative; reference:bugtraq,15646; reference:cve,2005-3934; classtype:attempted-dos; sid:5317; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"SERVER-OTHER Ethereal Distcc SOUT buffer overflow attempt"; flow:stateless; content:"SOUT"; nocase; byte_test:8,>,2147483647,0,relative,string,hex; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:attempted-dos; sid:4641; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"SERVER-OTHER Ethereal Distcc SERR buffer overflow attempt"; flow:stateless; content:"SERR"; nocase; byte_test:8,>,2147483647,0,relative,string,hex; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:attempted-dos; sid:4640; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"SERVER-OTHER Ethereal Distcc ARGV buffer overflow attempt"; flow:stateless; content:"ARGV"; nocase; byte_test:8,>,2147483647,0,relative,string,hex; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:attempted-dos; sid:4639; rev:2;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER RSVP Protocol zero length object DoS attempt"; ip_proto:46; content:"|01|"; depth:1; offset:11; byte_test:1,<,4,13; pcre:"/^.{10}[\x14\x15]\x01.[\x00-\x03]/sm"; reference:url,www.frsirt.com/english/advisories/2005/0411; classtype:attempted-dos; sid:4638; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1761 (msg:"SERVER-OTHER Novell ZenWorks Remote Management Agent large login packet DoS attempt"; 
flow:to_server,established; content:"|00 01|"; depth:2; offset:16; byte_jump:2,0,relative; byte_jump:2,0,relative; byte_test:2,>,1499,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,13678; reference:cve,2005-1543; classtype:attempted-dos; sid:4129; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 50000 (msg:"SERVER-OTHER IBM DB2 DTS empty format string dos attempt"; flow:to_server,established; content:"SELECT"; fast_pattern:only; pcre:"/SELECT\s*(TO_(DATE|CHAR)|(VARCHAR|TIMESTAMP)_FORMAT)\s*\('[^']*'\s*,\s*''\)/smi"; reference:bugtraq,11400; reference:cve,2005-4869; reference:url,www-1.ibm.com/support/docview.wss?uid=swg1IY61781; classtype:attempted-dos; sid:3675; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"SERVER-OTHER PPTP echo request buffer overflow attempt"; flow:to_server,established; content:"|1A 2B 3C 4D|"; depth:4; offset:2; byte_test:2,<,2,0; reference:bugtraq,7316; reference:cve,2003-0213; reference:nessus,11540; reference:url,www.debian.org/security/2003/dsa-295; classtype:attempted-admin; sid:3664; rev:15;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6050 (msg:"SERVER-OTHER ARCserve universal backup agent option 03 buffer overflow attempt"; flow:to_server,established; content:"|00 03|"; depth:2; offset:256; isdataat:430,relative; byte_test:2,>,679,6; byte_test:2,<,1705,6; metadata:policy max-detect-ips drop; reference:bugtraq,13102; reference:cve,2005-1018; reference:nessus,18041; classtype:attempted-admin; sid:3663; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6050 (msg:"SERVER-OTHER ARCserve universal backup agent option 03 little endian buffer overflow attempt"; flow:to_server,established; content:"|03 00|"; depth:2; offset:256; isdataat:430,relative; byte_test:2,>,679,6,little; byte_test:2,<,1705,6,little; metadata:policy max-detect-ips drop; reference:bugtraq,13102; reference:cve,2005-1018; reference:nessus,18041; classtype:attempted-admin; sid:3662; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 
6050 (msg:"SERVER-OTHER ARCserve universal backup agent option 00 buffer overflow attempt"; flow:to_server,established; content:"|00 00|"; depth:2; offset:256; isdataat:430,relative; byte_test:2,>,679,6; byte_test:2,<,1705,6; metadata:policy max-detect-ips drop; reference:bugtraq,13102; reference:cve,2005-1018; reference:nessus,18041; classtype:attempted-admin; sid:3661; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6050 (msg:"SERVER-OTHER ARCserve universal backup agent option 00 little endian buffer overflow attempt"; flow:to_server,established; content:"|00 00|"; depth:2; offset:256; isdataat:430,relative; byte_test:2,>,679,6,little; byte_test:2,<,1705,6,little; metadata:policy max-detect-ips drop; reference:bugtraq,13102; reference:cve,2005-1018; reference:nessus,18041; classtype:attempted-admin; sid:3660; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6050 (msg:"SERVER-OTHER ARCserve universal backup agent option 1000 buffer overflow attempt"; flow:to_server,established; content:"|03 E8|"; depth:2; offset:256; isdataat:430,relative; byte_test:2,>,679,6; byte_test:2,<,1705,6; metadata:policy max-detect-ips drop; reference:bugtraq,13102; reference:cve,2005-1018; reference:nessus,18041; classtype:attempted-admin; sid:3659; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-OTHER CVS pserver annotate revision overflow attempt"; flow:to_server,established; content:"|0A|annotate|0A|"; fast_pattern:only; pcre:"/^Entry \/file\/[0-9.]{71,}\/\/.*\x0aannotate\x0a/smi"; reference:bugtraq,13217; reference:cve,2005-0753; reference:nessus,18097; reference:url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=141; reference:url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=142; classtype:attempted-dos; sid:3652; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"SERVER-OTHER CVS rsh annotate revision overflow attempt"; flow:to_server,established; content:"|0A|annotate|0A|"; fast_pattern:only; pcre:"/^Entry 
\/file\/[0-9.]{71,}\/\/.*\x0aannotate\x0a/smi"; reference:bugtraq,13217; reference:cve,2005-0753; reference:nessus,18097; reference:url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=141; reference:url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=142; classtype:attempted-dos; sid:3651; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 10202:10203 (msg:"SERVER-OTHER Computer Associates license PUTOLF directory traversal attempt"; flow:to_server,established; content:"PUTOLF"; pcre:"/(0x)?[0-9a-f]+\s+PUTOLF\s+((0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*))\s+\S+\s+\S+\s+((0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*))\s+\S*\.\.[\x2f\x5c]/i"; metadata:policy max-detect-ips drop; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-user; sid:3637; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 699 (msg:"SERVER-OTHER RADIUS ATTR_TYPE_STR overflow attempt"; flow:to_server; content:"|01 01 1A|"; depth:3; offset:28; content:"|00 00 15 9F|"; depth:4; offset:32; byte_test:1,>,30,1,relative; isdataat:29,relative; pcre:"/^(\x03|[\x14-\x17]).{19}(\x25|\x26).{15}(\x0A|\x34)/smi"; reference:bugtraq,12759; reference:cve,2005-0699; reference:nessus,19120; classtype:attempted-admin; sid:3541; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 699 (msg:"SERVER-OTHER RADIUS registration vendor ATTR_TYPE_STR overflow attempt"; flow:to_server; content:"|01|"; depth:1; content:"|01 01 1A|"; depth:3; offset:32; content:"|00 00 15 9F|"; depth:4; offset:36; byte_test:1,>,30,1,relative; isdataat:29,relative; pcre:"/^\x01.{23}(\x25|\x26).{15}(\x0A|\x34)/smi"; reference:bugtraq,12759; reference:cve,2005-0699; reference:nessus,19120; classtype:attempted-admin; sid:3540; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 699 (msg:"SERVER-OTHER RADIUS MSID overflow attempt"; flow:to_server; content:"|01 01 1F|"; depth:3; offset:28; byte_test:1,>,30,1,relative; isdataat:29,relative; pcre:"/^(\x03|[\x14-\x17]).{19}(\x25|\x26)/smi"; reference:bugtraq,12759; reference:cve,2005-0699; 
reference:nessus,19120; classtype:attempted-admin; sid:3539; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 699 (msg:"SERVER-OTHER RADIUS registration MSID overflow attempt"; flow:to_server; content:"|01|"; depth:1; content:"|01 01 1F|"; depth:3; offset:32; byte_test:1,>,30,1,relative; isdataat:29,relative; pcre:"/^\x01.{23}(\x25|\x26)/smi"; reference:bugtraq,12759; reference:cve,2005-0699; reference:nessus,19120; classtype:attempted-admin; sid:3538; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER ARCserve backup UDP msg 0x99 client domain overflow"; flow:to_server; content:"|99|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3531; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER ARCserve backup UDP msg 0x99 client name overflow"; flow:to_server; content:"|99|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3530; rev:7;) # alert tcp $EXTERNAL_NET 10202 -> $HOME_NET any (msg:"SERVER-OTHER Computer Associates license GETCONFIG client overflow attempt"; flow:to_client,established; content:"GETCONFIG SELF "; depth:15; offset:3; nocase; isdataat:200,relative; content:!""; within:204; metadata:policy max-detect-ips drop; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-user; sid:3529; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 10202:10203 (msg:"SERVER-OTHER Computer Associates license invalid GCR NETWORK attempt"; flow:to_server,established; content:"GCR NETWORK<"; depth:12; offset:3; nocase; pcre:!"/^\S+\s+\S+\s+\S+/Ri"; metadata:policy max-detect-ips drop; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-dos; sid:3525; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 10202:10203 (msg:"SERVER-OTHER 
Computer Associates license invalid GCR CHECKSUMS attempt"; flow:to_server,established; content:"GCR CHECKSUMS<"; depth:14; offset:3; nocase; pcre:!"/^(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+/Ri"; metadata:policy max-detect-ips drop; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-dos; sid:3524; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 10202:10203 (msg:"SERVER-OTHER Computer Associates license GCR CHECKSUMS overflow attempt"; flow:to_server,established; content:"GCR CHECKSUMS<"; depth:14; offset:3; nocase; pcre:"/(0x)?[0-9a-f]+\s+\S{65}|(0x)?[0-9a-f]+\s+\S+\s+(0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*)\s+(0x)?[0-9a-f]+\s+\S{65}|(0x)?[0-9a-f]+\s+\S+\s+(0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*)\s+(0x)?[0-9a-f]+\s+\S+\s+(0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*)\s+(0x)?[0-9a-f]+\s+\S{65}|(0x)?[0-9a-f]+\s+\S+\s+(0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*)\s+(0x)?[0-9a-f]+\s+\S+\s+(0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*)\s+(0x)?[0-9a-f]+\s+\S+\s+(0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*)\s+(0x)?[0-9a-f]+\s+\S{65}/Ri"; metadata:policy max-detect-ips drop; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-user; sid:3521; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER ARCserve backup UDP product info msg 0x9c client domain overflow"; flow:to_server; content:"|9C|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3485; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER ARCserve backup UDP product info msg 0x9c client name overflow"; flow:to_server; content:"|9C|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; 
classtype:attempted-admin; sid:3484; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER ARCserve backup UDP product info msg 0x9b client domain overflow"; flow:to_server; content:"|9B|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3483; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER ARCserve backup UDP product info msg 0x9b client name overflow"; flow:to_server; content:"|9B|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3482; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER ARCserve backup UDP slot info msg client domain overflow"; flow:to_server; content:"|98|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3481; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER ARCserve backup UDP slot info msg client name overflow"; flow:to_server; content:"|98|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3480; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"SERVER-OTHER ARCserve backup TCP product info msg 0x9c client name overflow"; flow:to_server,established; content:"|9C|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3479; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"SERVER-OTHER ARCserve backup TCP product info msg 0x9c client domain overflow"; flow:to_server,established; 
content:"|9C|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3478; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"SERVER-OTHER ARCserve backup TCP product info msg 0x9b client name overflow"; flow:to_server,established; content:"|9B|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3477; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"SERVER-OTHER ARCserve backup TCP product info msg 0x9b client domain overflow"; flow:to_server,established; content:"|9B|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3476; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"SERVER-OTHER ARCserve backup TCP slot info msg client domain overflow"; flow:to_server,established; content:"|98|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3475; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"SERVER-OTHER ARCserve backup TCP slot info msg client name overflow"; flow:to_server,established; content:"|98|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; metadata:policy max-detect-ips drop; reference:bugtraq,12536; reference:cve,2005-2535; classtype:attempted-admin; sid:3474; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"SERVER-OTHER ARCserve discovery service overflow"; flow:to_server; dsize:>966; reference:bugtraq,12491; reference:cve,2005-0260; classtype:attempted-admin; sid:3472; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia backup client type 84 
overflow attempt"; flow:to_server,established; content:"|00|T"; depth:2; byte_test:2,>,255,6; isdataat:263; content:!"|00|"; depth:255; offset:8; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-user; sid:3458; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5001 (msg:"SERVER-OTHER Bontago Game Server Nickname buffer overflow"; flow:to_server,established; content:"|FF 01 00 00 00 00 01|"; isdataat:512,relative; metadata:ruleset community; reference:bugtraq,12603; reference:cve,2005-0501; reference:url,aluigi.altervista.org/adv/bontagobof-adv.txt; classtype:attempted-user; sid:3455; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia client backup generic info probe"; flow:to_server,established; content:"ARKFS|00|root|00|root"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-recon; sid:3454; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia client backup system info probe"; flow:to_server,established; content:"ARKADMIN_GET_"; pcre:"/^(CLIENT|MACHINE)_INFO/Ri"; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-recon; sid:3453; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt"; flow:to_client,established; file_data; content:"aim|3A|goaway?message="; nocase; isdataat:500,relative; pcre:"/\x22aim\x3Agoaway\x3Fmessage\x3D[^\x22]{500}|\x27aim\x3Agoaway\x3Fmessage\x3D[^\x27]{500}|aim\x3Agoaway\x3Fmessage\x3D[^\s]{500}/i"; metadata:ruleset community, service http; reference:bugtraq,10889; reference:cve,2004-0636; classtype:misc-attack; sid:3085; rev:12;) # alert udp $EXTERNAL_NET any -> $HOME_NET 7787 (msg:"SERVER-OTHER Unreal Tournament secure overflow attempt"; 
flow:to_server; content:"|5C|secure|5C|"; fast_pattern:only; pcre:"/\x5csecure\x5c[^\x00]{50}/smi"; metadata:ruleset community; reference:bugtraq,10570; reference:cve,2004-0608; classtype:misc-attack; sid:3080; rev:8;) # alert udp $EXTERNAL_NET 7808 -> $HOME_NET any (msg:"SERVER-OTHER Volition Freespace 2 buffer overflow attempt"; flow:to_client; content:"|00 E1|..|B4 00 00 00|"; depth:8; isdataat:160,relative; metadata:ruleset community; reference:bugtraq,9785; classtype:misc-attack; sid:3006; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER HP Web JetAdmin ExecuteFile admin access"; flow:to_server,established; content:"/plugins/framework/script/content.hts"; fast_pattern:only; content:"ExecuteFile"; nocase; metadata:ruleset community; reference:bugtraq,10224; classtype:attempted-admin; sid:2655; rev:8;) # alert tcp $EXTERNAL_NET 6666:6669 -> $HOME_NET any (msg:"SERVER-OTHER eMule buffer overflow attempt"; flow:to_client,established; content:"PRIVMSG"; fast_pattern:only; pcre:"/^PRIVMSG\s+[^\s]+\s+\x3a\s*\x01SENDLINK\x7c[^\x7c]{69}/smi"; metadata:ruleset community; reference:bugtraq,10039; reference:cve,2004-1892; reference:nessus,12233; classtype:attempted-user; sid:2584; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-OTHER CVS Max-dotdot integer overflow attempt"; flow:to_server,established; content:"Max-dotdot"; fast_pattern:only; pcre:"/^Max-dotdot[\s\r\n]*\d{3,}/msi"; metadata:ruleset community; reference:bugtraq,10499; reference:cve,2004-0417; classtype:misc-attack; sid:2583; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER kerberos principal name overflow TCP"; flow:to_server,established; content:"j"; depth:1; offset:4; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; metadata:ruleset community, service kerberos; reference:cve,2003-0072; reference:nessus,11512; reference:url,attack.mitre.org/techniques/T1097; 
reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2579; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER kerberos principal name overflow UDP"; flow:to_server; content:"j"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; metadata:ruleset community, service kerberos; reference:cve,2003-0072; reference:nessus,11512; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2578; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"SERVER-OTHER rsync backup-dir directory traversal attempt"; flow:to_server,established; content:"--backup-dir"; fast_pattern:only; pcre:"/--backup-dir\s+\x2e\x2e\x2f/"; metadata:ruleset community; reference:bugtraq,10247; reference:cve,2004-0426; reference:nessus,12230; classtype:string-detect; sid:2561; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache MOVE overflow attempt"; flow:to_server,established; content:"MOVE"; pcre:"/^MOVE[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2560; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache COPY overflow attempt"; flow:to_server,established; content:"COPY"; pcre:"/^COPY[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2559; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache MKCOL overflow attempt"; flow:to_server,established; content:"MKCOL"; pcre:"/^MKCOL[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2558; rev:7;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache LOCK overflow attempt"; flow:to_server,established; content:"LOCK"; pcre:"/^LOCK[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2557; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache DELETE overflow attempt"; flow:to_server,established; content:"DELETE"; pcre:"/^DELETE[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2556; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache TRACE overflow attempt"; flow:to_server,established; content:"TRACE"; pcre:"/^TRACE[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2555; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache POST overflow attempt"; flow:to_server,established; content:"POST"; pcre:"/^POST[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2554; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache PUT overflow attempt"; flow:to_server,established; content:"PUT"; pcre:"/^PUT[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2553; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache HEAD overflow attempt"; flow:to_server,established; content:"HEAD"; pcre:"/^HEAD[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2552; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 
7777:7778 (msg:"SERVER-OTHER Oracle Web Cache GET overflow attempt"; flow:to_server,established; content:"GET"; pcre:"/^GET[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2551; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER HP Web JetAdmin file write attempt"; flow:to_server,established; content:"/plugins/framework/script/tree.xms"; fast_pattern:only; content:"WriteToFile"; nocase; metadata:ruleset community; reference:bugtraq,9973; classtype:web-application-activity; sid:2549; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER HP Web JetAdmin setinfo access"; flow:to_server,established; content:"/plugins/hpjdwm/script/test/setinfo.hts"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,9972; reference:cve,2004-1857; reference:nessus,12120; classtype:web-application-activity; sid:2548; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER HP Web JetAdmin remote file upload attempt"; flow:to_server,established; content:"/plugins/hpjwja/script/devices_update_printer_fw_upload.hts"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,9971; reference:cve,2004-1856; classtype:web-application-activity; sid:2547; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"SERVER-OTHER AFP FPLoginExt username buffer overflow attempt"; flow:to_server,established; content:"|00 02|"; depth:2; content:"?"; within:1; distance:14; content:"cleartxt passwrd"; nocase; byte_jump:2,1,relative; byte_jump:2,1,relative; isdataat:2,relative; metadata:ruleset community; reference:bugtraq,10271; reference:cve,2004-0430; reference:url,www.atstake.com/research/advisories/2004/a050304-1.txt; classtype:attempted-admin; sid:2545; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-OTHER esignal SNAPQUOTE buffer overflow attempt"; flow:to_server,established; content:""; 
nocase; isdataat:1024,relative; content:!""; within:1052; nocase; metadata:ruleset community; reference:bugtraq,9978; reference:cve,2004-1868; classtype:attempted-admin; sid:2490; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-OTHER esignal STREAMQUOTE buffer overflow attempt"; flow:to_server,established; content:""; nocase; isdataat:1040,relative; content:!""; within:1040; nocase; metadata:ruleset community; reference:bugtraq,9978; reference:cve,2004-1868; classtype:attempted-admin; sid:2489; rev:9;) # alert ip any any -> any any (msg:"SERVER-OTHER Ethereal EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; metadata:ruleset community; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2464; rev:10;) # alert ip any any -> any any (msg:"SERVER-OTHER Ethereal IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; metadata:ruleset community; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2463; rev:10;) # alert ip any any -> any any (msg:"SERVER-OTHER Ethereal IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; metadata:ruleset community; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2462; rev:10;) # alert udp any 4000 -> any any (msg:"SERVER-OTHER ICQ SRV_MULTI/SRV_META_USER overflow attempt - ISS Witty Worm"; flow:to_server; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_test:2,>,512,-11,relative,little; metadata:ruleset community; reference:cve,2004-0362; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2446; rev:15;) # alert udp 
$EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP second payload initial contact notification without SPI attempt"; flow:to_server; content:"|0B|"; depth:1; offset:28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; metadata:ruleset community; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2415; rev:15;) # alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP initial contact notification without SPI attempt"; flow:to_server; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; metadata:ruleset community; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2414; rev:15;) # alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP delete hash with empty hash attempt"; flow:to_server; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; metadata:ruleset community; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2413; rev:15;) # alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP fifth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; metadata:ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2380; rev:9;) # alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP forth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; metadata:ruleset community; reference:bugtraq,9582; 
reference:cve,2004-0040; classtype:attempted-admin; sid:2379; rev:9;) # alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP third payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; metadata:ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2378; rev:9;) # alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP second payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; metadata:ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2377; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP first payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; metadata:ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2376; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"SERVER-OTHER ebola USER overflow attempt"; flow:to_server,established; content:"USER"; fast_pattern:only; pcre:"/^USER\s[^\n]{49}/smi"; metadata:ruleset community; reference:bugtraq,9156; classtype:attempted-admin; sid:2320; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"SERVER-OTHER ebola PASS overflow attempt"; flow:to_server,established; content:"PASS"; fast_pattern:only; pcre:"/^PASS\s[^\n]{49}/smi"; metadata:ruleset community; reference:bugtraq,9156; classtype:attempted-admin; sid:2319; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-OTHER CVS non-relative path access attempt"; flow:to_server,established; content:"Argument"; pcre:"/^Argument\s+\//smi"; pcre:"/^Directory/smiR"; 
metadata:ruleset community; reference:bugtraq,9178; reference:cve,2003-0977; reference:nessus,11947; classtype:misc-attack; sid:2318; rev:8;) # alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"SERVER-OTHER BGP invalid type 0"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; content:"|00|"; within:1; distance:2; metadata:ruleset community; reference:bugtraq,6213; reference:cve,2002-1350; reference:nessus,14011; reference:nessus,15043; classtype:bad-unknown; sid:2159; rev:15;) # alert tcp any any <> any 179 (msg:"SERVER-OTHER BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; metadata:ruleset community; reference:bugtraq,6213; reference:cve,2002-1350; reference:nessus,14011; reference:nessus,15043; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2158; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"SERVER-OTHER rsyncd module list access"; flow:to_server,established; content:"|23|list"; depth:5; metadata:ruleset community; classtype:misc-activity; sid:2047; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER bootp hostname format string attempt"; flow:to_server; content:"|01|"; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; within:8; distance:1; content:"%"; within:8; distance:1; metadata:ruleset community; reference:bugtraq,4701; reference:cve,2002-0702; reference:nessus,11312; classtype:misc-attack; sid:2039; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"SERVER-OTHER xfs overflow attempt"; flow:to_server,established; isdataat:512; content:"B|00 02|"; depth:3; metadata:ruleset community; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:1987; rev:11;) # alert udp $EXTERNAL_NET any -> 255.255.255.255 27155 (msg:"SERVER-OTHER GlobalSunTech Access Point 
Information Disclosure attempt"; flow:to_server; content:"gstsearch"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,6100; reference:cve,2002-2137; classtype:misc-activity; sid:1966; rev:10;)
# NOTE(review): a leading "#" disables a rule. Of the complete rules in this span only
# sid:27210 (IPMI RAKP cipher zero) and sid:27224 (ColdFusion websocket invoke) are enabled;
# every other rule ships commented out and should be checked for false-positive exposure before
# it is switched on. Rules have been re-flowed to one per line; the option order inside each
# rule is unchanged (it is significant for relative content/within/distance modifiers).
# NOTE(sid 1940/1939): BOOTREQUEST (op byte 01) sanity checks - hardware type > 7 and hardware
# address length > 6. classtype misc-activity: informational, not an exploit signature.
# alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER bootp invalid hardware type"; flow:to_server; content:"|01|"; depth:1; byte_test:1,>,7,1; metadata:ruleset community; reference:cve,1999-0798; classtype:misc-activity; sid:1940; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER bootp hardware address length overflow"; flow:to_server; content:"|01|"; depth:1; byte_test:1,>,6,2; metadata:ruleset community; reference:cve,1999-0798; classtype:misc-activity; sid:1939; rev:9;)
# NOTE(sid 1901/1900): server->client match on "*GOBBLE*" in the first 8 bytes of a kadmind
# (tcp/751 and tcp/749) response. classtype successful-admin: a hit indicates the exploit
# already succeeded, treat it as a likely compromise rather than a probe.
# alert tcp $HOME_NET 751 -> $EXTERNAL_NET any (msg:"SERVER-OTHER successful kadmind buffer overflow attempt"; flow:to_client,established; content:"*GOBBLE*"; depth:8; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1901; rev:16;)
# alert tcp $HOME_NET 749 -> $EXTERNAL_NET any (msg:"SERVER-OTHER successful kadmind buffer overflow attempt"; flow:to_client,established; content:"*GOBBLE*"; depth:8; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1900; rev:15;)
# NOTE(sid 1887): plaintext literal "TERM=xterm" sent to tcp/443 (OpenSSL/Apache worm, CERT
# CA-2002-27). Only useful where the post-exploit shell traffic is in the clear; inside an
# intact TLS session the literal is not visible to the sensor.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL Worm traffic"; flow:to_server,established; content:"TERM=xterm"; fast_pattern:only; metadata:ruleset community, service ssl; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:web-application-attack; sid:1887; rev:9;)
# NOTE(sid 1838): fires on any server banner with 200+ non-newline bytes after "SSH-"
# (isdataat:200,relative + pcre). Long but legitimate banners will alert; tune per environment.
# alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"SERVER-OTHER SSH server banner overflow"; flow:to_client,established; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s?[^\n]{200}/ism"; metadata:ruleset community; reference:bugtraq,5287; reference:cve,2002-1059; reference:nessus,15822; classtype:misc-attack; sid:1838; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER LPD dvips remote command execution attempt"; flow:to_server,established; content:"psfile=|22|`"; metadata:ruleset community; reference:bugtraq,3241; reference:cve,2001-1002; reference:nessus,11023; classtype:system-call-detect; sid:1821; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2533 (msg:"SERVER-OTHER Alcatel PABX 4400 connection attempt"; flow:to_server,established; content:"|00 01|C"; depth:3; metadata:ruleset community; reference:nessus,11019; classtype:misc-activity; sid:1819; rev:9;)
# NOTE(sid 1812/1811/1810): GOBBLES OpenSSH challenge-response exploit. 1812 is the inbound
# attempt ("GOBBLES" to tcp/22); 1811 and 1810 watch the server->client direction for exploit
# output. 1811 is a 5-byte literal "uname" with no depth/offset anywhere in the tcp/22 stream -
# corroborate with 1810/1812 rather than acting on it alone.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SERVER-OTHER gobbles SSH exploit attempt"; flow:to_server,established; content:"GOBBLES"; metadata:ruleset community; reference:bugtraq,5093; reference:cve,2002-0639; reference:nessus,11031; classtype:misc-attack; sid:1812; rev:13;)
# alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SERVER-OTHER successful gobbles ssh exploit uname"; flow:to_client,established; content:"uname"; metadata:ruleset community; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0640; reference:nessus,11031; classtype:misc-attack; sid:1811; rev:17;)
# alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SERVER-OTHER successful gobbles ssh exploit GOBBLE"; flow:to_client,established; content:"*GOBBLE*"; metadata:ruleset community; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0640; classtype:successful-admin; sid:1810; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"SERVER-OTHER cachefsd buffer overflow attempt"; flow:to_server,established; isdataat:720; content:"|00 01 87 86 00 00 00 01 00 00 00 05|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,4631; reference:cve,2002-0084; reference:nessus,10951; classtype:misc-attack; sid:1751; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion sendmail.cfm access"; flow:to_server,established; content:"/sendmail.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0760; reference:cve,2001-0535; classtype:attempted-recon; sid:1659; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"SERVER-OTHER Xtramail Username overflow attempt"; flow:to_server,established; content:"Username|3A|"; nocase; isdataat:100,relative; pcre:"/^Username\:[^\n]{100}/smi"; metadata:ruleset community; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10323; classtype:attempted-admin; sid:1636; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion ?Mode=debug attempt"; flow:to_server,established; content:"Mode=debug"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0760; reference:nessus,10797; classtype:web-application-activity; sid:1540; rev:19;)
# NOTE(sid 1398): dtspcd (tcp/6112) - byte 10 must be "1" and bytes 11-13 must NOT be "000";
# a positional check on the request header, not a shellcode match (CERT CA-2002-01).
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"SERVER-OTHER CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; metadata:ruleset community; reference:bugtraq,3517; reference:cve,2001-0803; reference:nessus,10833; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:1398; rev:14;)
# NOTE(sid 1382): header is "any any -> any 6666:7000", not scoped to $HOME_NET/$EXTERNAL_NET,
# so outbound as well as inbound IRC NickServ IDENTIFY lines of 100+ chars will alert.
# alert tcp any any -> any 6666:7000 (msg:"SERVER-OTHER CHAT IRC Ettercap parse overflow attempt"; flow:to_server,established; content:"PRIVMSG"; fast_pattern:only; content:"nickserv"; nocase; content:"IDENTIFY"; nocase; isdataat:100,relative; pcre:"/^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi"; metadata:ruleset community; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"SERVER-OTHER rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; metadata:ruleset community; reference:bugtraq,3474; reference:cve,2001-0838; reference:nessus,10790; classtype:misc-attack; sid:1323; rev:10;)
# NOTE(sid 1288): "/_vti_bin/" with fast_pattern:only and NO http_uri modifier - unlike the
# FrontPage rules below, this matches anywhere in the request (headers, Referer, body), so it
# is noisier than the URI-anchored siblings.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage /_vti_bin/ access"; flow:to_server,established; content:"/_vti_bin/"; fast_pattern:only; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1288; rev:16;)
# NOTE(sid 1284): direction is $HOME_NET -> $EXTERNAL_NET: an internal client requesting
# /readme.eml (CERT CA-2001-26). A hit points at a possible victim host, not an inbound attack.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER readme.eml download attempt"; flow:to_server,established; content:"/readme.eml"; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1284; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"SERVER-OTHER AIX pdnsd overflow"; flow:to_server,established; isdataat:1000; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; metadata:ruleset community; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:1261; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access"; flow:to_server,established; content:"/fp4areg.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2906; reference:cve,2001-0341; reference:nessus,10699; classtype:web-application-activity; sid:1249; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access"; flow:to_server,established; content:"/fp30reg.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2906; reference:cve,2001-0341; reference:cve,2003-0822; reference:nessus,10699; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-035; classtype:web-application-activity; sid:1248; rev:30;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2224 (msg:"SERVER-OTHER MDBMS overflow"; flow:to_server,established; content:"|01|1|DB CD 80 E8|[|FF FF FF|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,1252; reference:cve,2000-0446; reference:nessus,10422; classtype:attempted-admin; sid:1240; rev:10;)
# NOTE: FrontPage Server Extensions probes (sid 990 .. 937). Plain case-insensitive URI matches
# on well-known _vti_* / _private/ paths; classtype web-application-activity (recon, not
# exploitation). Exception: sid:966 "..../" is a traversal attempt (web-application-attack).
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage _vti_inf.html access"; flow:to_server,established; content:"/_vti_inf.html"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11455; classtype:web-application-activity; sid:990; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage register.htm access"; flow:to_server,established; content:"/_private/register.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:968; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage dvwssr.dll access"; flow:to_server,established; content:"/dvwssr.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1108; reference:bugtraq,1109; reference:cve,2000-0260; reference:nessus,10369; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-025; classtype:web-application-activity; sid:967; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage .... request"; flow:to_server,established; content:"..../"; http_uri; metadata:ruleset community, service http; reference:bugtraq,989; reference:cve,1999-0386; reference:cve,2000-0153; reference:nessus,10142; classtype:web-application-attack; sid:966; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage writeto.cnf access"; flow:to_server,established; content:"/_vti_pvt/writeto.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:965; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage users.pwd access"; flow:to_server,established; content:"/users.pwd"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:964; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage svcacl.cnf access"; flow:to_server,established; content:"/_vti_pvt/svcacl.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:963; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage shtml.exe access"; flow:to_server,established; content:"/_vti_bin/shtml.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1174; reference:bugtraq,1608; reference:bugtraq,5804; reference:cve,2000-0413; reference:cve,2000-0709; reference:cve,2002-0692; reference:nessus,10405; reference:nessus,11311; classtype:web-application-activity; sid:962; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage services.cnf access"; flow:to_server,established; content:"/_vti_pvt/services.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:961; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage service.stp access"; flow:to_server,established; content:"/_vti_pvt/service.stp"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:960; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage service.pwd"; flow:to_server,established; content:"/service.pwd"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1205; classtype:web-application-activity; sid:959; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage service.cnf access"; flow:to_server,established; content:"/_vti_pvt/service.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:958; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage registrations.txt access"; flow:to_server,established; content:"/_private/registrations.txt"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:957; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage register.txt access"; flow:to_server,established; content:"/_private/register.txt"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:956; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage access.cnf access"; flow:to_server,established; content:"/_vti_pvt/access.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:955; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage form_results.htm access"; flow:to_server,established; content:"/_private/form_results.htm"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-1052; classtype:web-application-activity; sid:954; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage administrators.pwd access"; flow:to_server,established; content:"/administrators.pwd"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1205; classtype:web-application-activity; sid:953; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage author.exe access"; flow:to_server,established; content:"/_vti_bin/_vti_aut/author.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:952; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage authors.pwd access"; flow:to_server,established; content:"/authors.pwd"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:951; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage cfgwiz.exe access"; flow:to_server,established; content:"/cfgwiz.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:950; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage registrations.htm access"; flow:to_server,established; content:"/_private/registrations.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:949; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage form_results access"; flow:to_server,established; content:"/_private/form_results.txt"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-1052; classtype:web-application-activity; sid:948; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage orders.txt access"; flow:to_server,established; content:"/_private/orders.txt"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:947; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access"; flow:to_server,established; content:"/scripts/Fpadmcgi.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:946; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpadmin.htm access"; flow:to_server,established; content:"/admisapi/fpadmin.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:945; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpremadm.exe access"; flow:to_server,established; content:"/fpremadm.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:944; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access"; flow:to_server,established; content:"/fpsrvadm.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:943; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage orders.htm access"; flow:to_server,established; content:"/_private/orders.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:942; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage contents.htm access"; flow:to_server,established; content:"/admcgi/contents.htm"; fast_pattern; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:941; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage shtml.dll access"; flow:to_server,established; content:"/_vti_bin/shtml.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1174; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0413; reference:cve,2000-0746; reference:nessus,11395; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-060; classtype:web-application-activity; sid:940; rev:28;)
# NOTE(sid 939): "POST" is a bare content match (no http_method modifier), so it is satisfied by
# the literal appearing anywhere in the request, not only as the method.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage posting"; flow:to_server,established; content:"POST"; content:"/author.dll"; fast_pattern; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-100; classtype:web-application-activity; sid:939; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage _vti_rpc access"; flow:to_server,established; content:"/_vti_rpc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; classtype:web-application-activity; sid:937; rev:21;)
# NOTE: ColdFusion sample-app / administrator probes (sid 936 .. 903). The path rules are URI
# matches (attempted-recon). The CFUSION_* / CF_* rules use fast_pattern:only with NO http_uri
# modifier, so the function literal is matched anywhere in the request body or headers, not
# only in the URI.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion gettempdirectory.cfm access "; flow:to_server,established; content:"/cfdocs/snippets/gettempdirectory.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:936; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion startstop DOS access"; flow:to_server,established; content:"/cfide/administrator/startstop.html"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,247; reference:cve,1999-0756; classtype:web-application-attack; sid:935; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion onrequestend.cfm access"; flow:to_server,established; content:"/onrequestend.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,2000-0189; classtype:attempted-recon; sid:933; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion application.cfm access"; flow:to_server,established; content:"/application.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,2000-0189; classtype:attempted-recon; sid:932; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfmlsyntaxcheck.cfm access"; flow:to_server,established; content:"/cfdocs/cfmlsyntaxcheck.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:931; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion snippets attempt"; flow:to_server,established; content:"/cfdocs/snippets/"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:930; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion CFUSION_VERIFYMAIL access"; flow:to_server,established; content:"CFUSION_VERIFYMAIL|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-user; sid:929; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exampleapp access"; flow:to_server,established; content:"/cfdocs/exampleapp/"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2001-0535; classtype:attempted-recon; sid:928; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion settings refresh attempt"; flow:to_server,established; content:"CFUSION_SETTINGS_REFRESH|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:927; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion set odbc ini attempt"; flow:to_server,established; content:"CFUSION_SETODBCINI|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:926; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion mainframeset access"; flow:to_server,established; content:"/cfdocs/examples/mainframeset.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:925; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion admin decrypt attempt"; flow:to_server,established; content:"CFUSION_DECRYPT|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:924; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:923; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion displayfile access"; flow:to_server,established; content:"/cfdocs/expeval/displayopenedfile.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:922; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion admin encrypt attempt"; flow:to_server,established; content:"CFUSION_ENCRYPT|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:921; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:920; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion datasource passwordattempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:919; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion expeval access"; flow:to_server,established; content:"/cfdocs/expeval/"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0477; reference:cve,1999-0760; classtype:attempted-user; sid:918; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion db connections flush attempt"; flow:to_server,established; content:"CFUSION_DBCONNECTIONS_FLUSH|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:917; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion getodbcdsn access"; flow:to_server,established; content:"CFUSION_GETODBCDSN|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:916; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion evaluate.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/evaluate.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:915; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion beaninfo access"; flow:to_server,established; content:"/cfdocs/examples/cvbeans/beaninfo.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:914; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfappman access"; flow:to_server,established; content:"/cfappman/index.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:913; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion parks access"; flow:to_server,established; content:"/cfdocs/examples/parks/detail.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:912; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exprcalc access"; flow:to_server,established; content:"/cfdocs/expeval/exprcalc.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,115; reference:bugtraq,550; reference:cve,1999-0455; reference:cve,1999-0760; classtype:attempted-recon; sid:911; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion fileexists.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/fileexists.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:910; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:909; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion administrator access"; flow:to_server,established; content:"/cfide/administrator/index.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1314; reference:cve,2000-0538; reference:nessus,10581; classtype:attempted-recon; sid:908; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion addcontent.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/publish/admin/addcontent.cfm"; fast_pattern; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2001-0535; classtype:attempted-recon; sid:907; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion getfile.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/email/getfile.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,229; reference:cve,1999-0800; reference:cve,2001-0535; classtype:attempted-recon; sid:906; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion application.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/publish/admin/application.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1021; reference:cve,2000-0189; reference:cve,2001-0535; classtype:attempted-recon; sid:905; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exampleapp application.cfm"; flow:to_server,established; content:"/cfdocs/exampleapp/email/application.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1021; reference:cve,2000-0189; reference:cve,2001-0535; classtype:attempted-recon; sid:904; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfcache.map access"; flow:to_server,established; content:"/cfcache.map"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,917; reference:cve,2000-0057; classtype:attempted-recon; sid:903; rev:18;)
# NOTE(sid 514): outbound ($HOME_NET -> $EXTERNAL_NET) "GET " in the first 8 bytes of anything
# sent to tcp/27374. Any HTTP-style request to that port fires, not just the Ramen worm; the
# value is the unusual destination port, not the content.
# alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"SERVER-OTHER ramen worm"; flow:to_server,established; content:"GET "; depth:8; nocase; metadata:ruleset community; classtype:bad-unknown; sid:514; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 70 (msg:"SERVER-OTHER gopher proxy"; flow:to_server,established; content:"ftp|3A|"; fast_pattern:only; content:"@/"; metadata:ruleset community; classtype:bad-unknown; sid:508; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1417 (msg:"SERVER-OTHER Insecure TIMBUKTU Password"; flow:to_server,established; content:"|05 00|>"; depth:16; metadata:ruleset community; classtype:bad-unknown; sid:505; rev:9;)
# NOTE(sid 314/303): BIND 8 TSIG overflow (CVE-2001-0010), UDP and TCP variants of the same
# attack; both are byte-exact matches on a specific exploit's query layout.
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt"; flow:to_server; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|"; fast_pattern:only; metadata:ruleset community, service dns; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-admin; sid:314; rev:22;)
# alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"SERVER-OTHER NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; metadata:ruleset community, service ftp; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:308; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"SERVER-OTHER CHAT IRC topic overflow"; flow:to_client,established; content:"|EB|K[S2|E4 83 C3 0B|K|88 23 B8|Pw"; metadata:ruleset community; reference:bugtraq,573; reference:cve,1999-0672; classtype:attempted-user; sid:307; rev:12;)
# NOTE(sid 306): a plain "GET / HTTP/1.1" to tcp/9090 is the whole signature - any HTTP/1.1
# client requesting the root of a service on 9090 alerts as attempted-admin.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-OTHER VQServer admin"; flow:to_server,established; content:"GET / HTTP/1.1"; nocase; metadata:ruleset community; reference:bugtraq,1610; reference:cve,2000-0766; reference:nessus,10354; reference:url,www.vqsoft.com/vq/server/docs/other/control.html; classtype:attempted-admin; sid:306; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-OTHER delegate proxy overflow"; flow:to_server,established; isdataat:1000; content:"whois|3A|//"; nocase; metadata:ruleset community; reference:bugtraq,808; reference:cve,2000-0165; classtype:attempted-admin; sid:305; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"SERVER-OTHER SCO calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; metadata:ruleset community; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:304; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01| |02|a"; metadata:ruleset community, service dns; reference:bugtraq,2302; reference:cve,2001-0010; reference:nessus,10605; classtype:attempted-admin; sid:303; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER LPRng overflow"; flow:to_server,established; content:"C|07 89|[|08 8D|K|08 89|C|0C B0 0B CD 80|1|C0 FE C0 CD 80 E8 94 FF FF FF|/bin/sh|0A|"; metadata:ruleset community; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:301; rev:12;)
# NOTE(sid 261/260/259/258): BIND NXT-record overflow family (CVE-1999-0833) - each rule keys on a
# marker string from a specific public exploit (shellcode tail, "ADMROCKS", ADM filler text,
# "../../../"); they catch those exploits, not the vulnerability class.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; fast_pattern:only; metadata:ruleset community, service dns; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:261; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow via NXT records named overflow ADMROCKS"; flow:to_server,established; content:"ADMROCKS"; metadata:ruleset community, service dns; reference:bugtraq,788; reference:cve,1999-0833; reference:url,www.cert.org/advisories/CA-1999-14.html; classtype:attempted-admin; sid:260; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow via NXT records named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; fast_pattern:only; metadata:ruleset community, service dns; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:259; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow via NXT records"; flow:to_server,established; content:"../../../"; fast_pattern:only; metadata:ruleset community, service dns; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:258; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1761 (msg:"SERVER-OTHER Novell ZENWorks Remote Management overflow attempt"; flow:to_server,established; content:"|00 06|"; depth:2; content:"|00 06|"; within:2; distance:6; content:"|7F FF|"; within:2; distance:6; metadata:policy max-detect-ips drop; reference:bugtraq,13678; reference:cve,2005-1543; classtype:attempted-admin; sid:27001; rev:3;)
# NOTE(sid 27210): ENABLED, drop in balanced/connectivity/security. Matches the RMCP+ Open
# Session Request header (06 00 FF 07 06 10 ...) with the cipher-zero selection described in the
# fish2.com reference - the IPMI 2.0 null-authentication bypass (CVE-2013-4782/4783/4784).
# Any client that legitimately negotiates cipher suite 0 is blocked as well; that is intended.
alert udp $EXTERNAL_NET any -> $HOME_NET 623 (msg:"SERVER-OTHER IPMI RAKP cipher zero remote authentication bypass attempt"; flow:to_server; content:"|06 00 FF 07 06 10 00 00 00 00 00 00 00 00|"; depth:14; content:"|00 00 00 00|"; within:4; distance:2; content:"|00 00 00 08 00|"; within:5; distance:4; fast_pattern; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:cve,2013-4782; reference:cve,2013-4783; reference:cve,2013-4784; reference:url,www.fish2.com/ipmi/cipherzero.html; reference:url,www.intel.com/content/dam/www/public/us/en/documents/product-briefs/second-gen-interface-spec-v2.pdf; classtype:attempted-admin; sid:27210; rev:4;)
# NOTE(sid 27195/27194/27193): three copies of one check (CVE-2011-0283) that differ only in the
# DER length-of-length byte following 0x6A (83/82/81) and the matching distance to the NUL
# byte - keep them in sync when editing. No flow keyword: every UDP/88 datagram toward
# $HOME_NET is evaluated.
# alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt"; content:"|6A 83|"; depth:2; content:"|00|"; within:1; distance:3; metadata:service kerberos; reference:cve,2011-0283; reference:url,attack.mitre.org/techniques/T1097; classtype:denial-of-service; sid:27195; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt"; content:"|6A 82|"; depth:2; content:"|00|"; within:1; distance:2; metadata:service kerberos; reference:cve,2011-0283; reference:url,attack.mitre.org/techniques/T1097; classtype:denial-of-service; sid:27194; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER Kerberos KDC null pointer dereference denial of service attempt"; content:"|6A 81|"; depth:2; content:"|00|"; within:1; distance:1; metadata:service kerberos; reference:cve,2011-0283; reference:url,attack.mitre.org/techniques/T1097; classtype:denial-of-service; sid:27193; rev:4;)
# REVIEW(sid 27236): this copy contains three zero-length patterns (content:""; content:"";
# content:!""). Snort does not accept an empty content pattern, so the rule as written will not
# load; the bytes were most likely lost when this page was extracted (non-printable hex in the
# original). Restore the body patterns from the upstream rule before enabling.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Citrix XenApp password buffer overflow attempt"; flow:to_server,established; content:"scripts/wpnbr.dll"; fast_pattern:only; http_uri; content:"POST"; http_method; content:""; http_client_body; content:""; within:18; http_client_body; isdataat:300,relative; content:!""; within:300; http_client_body; metadata:service http; reference:bugtraq,48898; reference:url,support.citrix.com/article/CTX129430; classtype:attempted-admin; sid:27236; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-OTHER Microsoft Active Directory LDAP search denial of service attempt"; flow:to_server,established; content:"cn="; depth:20; content:"dc="; within:20; content:"|A3 06 04 01|"; within:75; content:"|04 01|"; within:10; content:"|04 01|"; within:10; content:"|04 01|"; within:10; metadata:service ldap; reference:cve,2013-1282; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-032; classtype:denial-of-service; sid:27234; rev:5;)
# NOTE(sid 27225): server->client rule; fires after 50 HTTP 500 responses containing "JRun
# Servlet Error" to the same client IP (track by_dst) within one second. only_stream: evaluated
# on reassembled stream data only.
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER-OTHER Adobe ColdFusion JRun error page getWriter denial of service attempt"; flow:to_client,established,only_stream; content:"500"; http_stat_code; content:"JRun Servlet Error"; fast_pattern:only; detection_filter:track by_dst, count 50, seconds 1; metadata:service http; reference:bugtraq,61039; reference:cve,2013-3349; reference:url,www.adobe.com/support/security/bulletins/apsb13-19.html; classtype:attempted-dos; sid:27225; rev:4;)
# NOTE(sid 27224): ENABLED, drop in all three policies. Matches server->client websocket JSON on
# tcp/8575 with "ns":"coldfusion.websocket" followed by "reqType":"invoke" (CVE-2013-3350).
# classtype policy-violation: legitimate applications using the invoke method are dropped too -
# confirm no production code depends on it before deploying the drop action.
alert tcp $HOME_NET 8575 -> $EXTERNAL_NET any (msg:"SERVER-OTHER Adobe ColdFusion websocket invoke method access"; flow:to_client,established; content:"|22|ns|22 3A 22|coldfusion.websocket"; nocase; content:"|22|reqType|22 3A 22|invoke|22|"; distance:0; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,61042; reference:cve,2013-3350; reference:url,www.adobe.com/support/security/bulletins/apsb13-19.html; classtype:policy-violation; sid:27224; rev:3;)
# NOTE(sid 27240): 100 RMCP+ open-session requests (payload type 0x10) to one BMC within one
# second (track by_dst). A slow or distributed RAKP hash-retrieval attempt (CVE-2013-4786) stays
# under the threshold and is not caught; no_stream because this is UDP.
# alert udp $EXTERNAL_NET any -> $HOME_NET 623 (msg:"SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt"; flow:to_server,no_stream; content:"|06 00 FF 07 06 10|"; depth:6; detection_filter:track by_dst, count 100, seconds 1; reference:cve,2013-4786; reference:url,attack.mitre.org/techniques/T1110; classtype:attempted-admin; sid:27240; rev:5;)
# NOTE(sid 27239/27238/27237): default-account visibility (policy-violation). Match an RMCP+
# payload of type 0x12 (RAKP message 1, which carries the username) with the literal USERID /
# admin / root anywhere after the 6-byte header, nocase. Legitimate administrators using these
# default names will trigger them as well.
# alert udp $EXTERNAL_NET any -> $HOME_NET 623 (msg:"SERVER-OTHER IPMI default username - USERID"; flow:to_server; content:"|06 00 FF 07 06 12|"; depth:6; content:"USERID"; distance:0; fast_pattern; nocase; reference:cve,2013-4786; reference:url,attack.mitre.org/techniques/T1078; classtype:policy-violation; sid:27239; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 623 (msg:"SERVER-OTHER IPMI default username - admin"; flow:to_server; content:"|06 00 FF 07 06 12|"; depth:6; content:"admin"; distance:0; fast_pattern; nocase; reference:cve,2013-4786; reference:url,attack.mitre.org/techniques/T1078; classtype:policy-violation; sid:27238; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 623 (msg:"SERVER-OTHER IPMI default username - root"; flow:to_server; content:"|06 00 FF 07 06 12|"; depth:6; content:"root"; distance:0; fast_pattern; nocase; reference:cve,2013-4786; reference:url,attack.mitre.org/techniques/T1078; classtype:policy-violation; sid:27237; rev:3;)
# NOTE(sid 27270): dsize:>74 plus 70 word characters after "list " at the start of the packet
# (pcre anchored with ^); the CWD variant below is cut off at the end of this page.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SERVER-OTHER GuildFTPd LIST command heap overflow attempt"; flow:to_server,established; dsize:>74; content:"list "; depth:5; nocase; pcre:"/^list [\w]{70}/i"; metadata:service ftp; reference:bugtraq,31729; reference:cve,2008-4572; classtype:attempted-admin; sid:27270; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SERVER-OTHER GuildFTPd CWD command heap overflow attempt"; flow:to_server,established; dsize:>74; content:"cwd "; depth:4; nocase; content:"/./././././././."; 
fast_pattern:only; pcre:"/(\/\.){70}/i"; metadata:service ftp; reference:bugtraq,31729; reference:cve,2008-4572; classtype:attempted-admin; sid:27269; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5001:5002 (msg:"SERVER-OTHER Sybase Open Server function pointer array code execution attempt"; flow:to_server,established; content:"|FF|"; content:"DBISQ"; within:5; distance:15; content:"jConnect"; within:8; distance:317; reference:bugtraq,48934; reference:url,www.sybase.com/detail?id=1094235; classtype:attempted-admin; sid:27579; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER OpenX POST to known backdoored file"; flow:to_server,established; content:"POST"; nocase; http_method; content:"file_to_serve=flowplayer/3.1.1/flowplayer-3.1.1.min.js"; fast_pattern:only; http_uri; content:"deliveryLog|3A|vastServeVideoPlayer|3A|player"; nocase; http_uri; metadata:service http; reference:cve,2013-4211; reference:url,isc.sans.edu/diary/OpenX+Ad+Server+Backdoor/16303; classtype:attempted-admin; sid:27578; rev:3;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Joomla media.php arbitrary file upload attempt"; flow:to_server,established; content:"option=com_media"; nocase; http_uri; content:"task=file.upload"; nocase; http_uri; content:"filename="; nocase; http_client_body; content:".php."; within:50; nocase; http_client_body; pcre:"/filename=[\x22\x27][^\x22\x27]+?\.php\.[\x22\x27]/smiP"; metadata:service http; reference:bugtraq,61582; reference:cve,2013-5576; reference:url,developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads; reference:url,joomlacode.org/gf/project/joomla/tracker/action=TrackerItemEdit&tracker_item_id=31626; classtype:attempted-admin; sid:27623; rev:5;) # alert tcp $DNS_SERVERS 53 -> $EXTERNAL_NET any (msg:"SERVER-OTHER ISC BIND 9 DNS rdata length handling remote denial of service attempt"; flow:to_client,established; content:"|FF FD|"; offset:12; byte_test:2,>=,4,6,relative; 
byte_test:2,<=,15,6,relative; pcre:"/\S+?\x00\xff\xfd/i"; metadata:policy max-detect-ips drop, service dns; reference:bugtraq,61479; reference:cve,2013-4854; reference:url,kb.isc.org/article/AA-01015; reference:url,kb.isc.org/article/AA-01016; classtype:denial-of-service; sid:27666; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [13838] (msg:"SERVER-OTHER HP LeftHand Virtual SAN hydra login request buffer overflow attempt"; flow:to_server,established; content:"login|3A 2F|"; depth:7; offset:32; content:"global$agent|2F|"; within:14; byte_test:4,>,1000,8; metadata:policy max-detect-ips drop; reference:bugtraq,60884; reference:cve,2013-2343; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03661318; classtype:attempted-admin; sid:27646; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Microsoft SharePoint denial of service attempt"; flow:to_server,established; content:"/_vti_bin/ws.asmx?wsdl"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2013-0081; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-067; classtype:web-application-attack; sid:27819; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Microsoft SharePoint denial of service attempt"; flow:to_server,established; content:"/_vti_bin/ws.asmx?disco"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2013-0081; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-067; classtype:web-application-attack; sid:27818; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER CA Total Defense Suite UNCWS ReportFilterID/reportTemplateID SQL injection attempt"; flow:to_server, established; content:"POST"; nocase; http_method; content:"/UNCWS/Management.asmx"; fast_pattern:only; http_uri; content:"report"; nocase; http_client_body; content:"ID"; within:10; nocase; http_client_body; 
pcre:"/<\s*report(Filter|Template)ID\s*>[^<]*?[\x3b\x29]/iP"; metadata:service http; reference:cve,2011-1655; classtype:attempted-admin; sid:28102; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER CA Total Defense Suite UNCWS reGenerateReports/DeleteReports SQL injection attempt"; flow:to_server, established; content:"POST"; nocase; http_method; content:"/UNCWS/Management.asmx"; fast_pattern:only; http_uri; content:"ReportIDs="; nocase; http_client_body; pcre:"/<\s*ReportIDs\s*>[^<]*?[\x3b\x29]/iP"; metadata:service http; reference:cve,2011-1655; classtype:attempted-admin; sid:28101; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER CA Total Defense Suite UNCWS deleteReportFilter SQL injection attempt"; flow:to_server, established; content:"POST"; nocase; http_method; content:"/UNCWS/Management.asmx/deleteReportFilter"; fast_pattern:only; http_uri; content:"reportFilterID="; nocase; http_client_body; pcre:"/reportFilterID=[^&]*?[\x3b\x29]/iP"; metadata:service http; reference:cve,2011-1655; classtype:attempted-admin; sid:28100; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER CA Total Defense Suite UNCWS reGenerateReports/DeleteReports SQL injection attempt"; flow:to_server, established; content:"POST"; nocase; http_method; content:"/UNCWS/Management.asmx/DeleteReports"; fast_pattern:only; http_uri; content:"ReportIDs="; nocase; http_client_body; pcre:"/ReportIDs=[^&]*?[\x3b\x29]/iP"; metadata:service http; reference:cve,2011-1655; classtype:attempted-admin; sid:28099; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER CA Total Defense Suite UNCWS reGenerateReports/DeleteReports SQL injection attempt"; flow:to_server, established; content:"POST"; nocase; http_method; content:"/UNCWS/Management.asmx/reGenerateReports"; fast_pattern:only; http_uri; content:"ReportIDs="; nocase; http_client_body; pcre:"/ReportIDs=[^&]*?[\x3b\x29]/iP"; 
metadata:service http; reference:cve,2011-1655; classtype:attempted-admin; sid:28098; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Microsoft SharePoint XSS attempt"; flow:to_server,established; content:"/Lists/Links/AllItems.aspx"; nocase; http_uri; content:"UrlFieldUrl="; nocase; http_client_body; content:"javascript|3B|"; within:50; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-3895; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-084; classtype:attempted-admin; sid:28201; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1984 (msg:"SERVER-OTHER Quest Software Big Brother attempted arbitrary file upload "; flow:to_server,established; content:"ack "; depth:4; content:".."; within:16; distance:10; classtype:attempted-user; sid:28150; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1984 (msg:"SERVER-OTHER Quest Software Big Brother attempted arbitrary file deletion"; flow:to_server,established; content:"page "; depth:5; content:".."; within:3; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; classtype:attempted-user; sid:28149; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6542] (msg:"SERVER-OTHER EMC Replication Manager irccd remote command execution attempt"; flow:to_server,established; content:"EMC_"; depth:4; content:" $HTTP_SERVERS [$HTTP_PORTS,443,8443] (msg:"SERVER-OTHER McAfee ePolicy Orchestrator XSS attempt"; flow:to_server,established; content:"/ComputerMgmt/sysDetPanelSummary.do"; fast_pattern:only; http_uri; pcre:"/uid=\s?\D{1,3}/i"; metadata:service http, service ssl; reference:bugtraq,59505; reference:cve,2013-0141; reference:url,funoverip.net/2013/06/mcafee-epolicy-0wner-preview/; classtype:attempted-admin; sid:28827; rev:2;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS [$HTTP_PORTS,443,8443] (msg:"SERVER-OTHER McAfee ePolicy Orchestrator XSS attempt"; flow:to_server,established; 
content:"/ComputerMgmt/sysDetPanelSummary.do?sysDetPanelSummary="; fast_pattern:only; http_uri; pcre:"/[?&]sysDetPanelSummary=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http, service ssl; reference:bugtraq,59505; reference:cve,2013-0141; reference:url,funoverip.net/2013/06/mcafee-epolicy-0wner-preview/; classtype:attempted-admin; sid:28826; rev:1;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS [$HTTP_PORTS,443,8443] (msg:"SERVER-OTHER McAfee ePolicy Orchestrator XSS attempt"; flow:to_server,established; content:"/ComputerMgmt/sysDetPanelQry.do?sysDetPanelQry="; fast_pattern:only; http_uri; pcre:"/[?&]sysDetPanelQry=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http, service ssl; reference:bugtraq,59505; reference:cve,2013-0141; reference:url,funoverip.net/2013/06/mcafee-epolicy-0wner-preview/; classtype:attempted-admin; sid:28825; rev:1;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS [$HTTP_PORTS,443,8443] (msg:"SERVER-OTHER McAfee ePolicy Orchestrator XSS attempt"; flow:to_server,established; content:"/ComputerMgmt/sysDetPanelQry.do"; fast_pattern:only; http_uri; pcre:"/uid=\s?\D{1,3}/i"; metadata:service http, service ssl; reference:bugtraq,59505; reference:cve,2013-0141; reference:url,funoverip.net/2013/06/mcafee-epolicy-0wner-preview/; classtype:attempted-admin; sid:28824; rev:2;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS [$HTTP_PORTS,443,8443] (msg:"SERVER-OTHER McAfee ePolicy Orchestrator XSS attempt"; flow:to_server,established; content:"/ComputerMgmt/sysDetPanelBoolPie.do?uid="; fast_pattern:only; http_uri; pcre:"/uid=\s?\D{1,3}/Ui"; metadata:service http, service ssl; reference:bugtraq,59505; reference:cve,2013-0141; reference:url,funoverip.net/2013/06/mcafee-epolicy-0wner-preview/; classtype:attempted-admin; sid:28823; rev:1;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS [$HTTP_PORTS,443,8443] (msg:"SERVER-OTHER McAfee ePolicy Orchestrator XSS attempt"; flow:to_server,established; 
content:"/console/createDashboardContainer.do?monitorUrl="; fast_pattern:only; http_uri; pcre:"/[?&]monitorUrl=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http, service ssl; reference:bugtraq,59505; reference:cve,2013-0141; reference:url,funoverip.net/2013/06/mcafee-epolicy-0wner-preview/; classtype:attempted-admin; sid:28822; rev:1;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS [$HTTP_PORTS,443,8443] (msg:"SERVER-OTHER McAfee ePolicy Orchestrator XSS attempt"; flow:to_server,established; content:"/core/loadDisplayType.do"; fast_pattern:only; http_uri; pcre:"/[?&]instanceId=[^&]+?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:service http, service ssl; reference:bugtraq,59505; reference:cve,2013-0141; reference:url,funoverip.net/2013/06/mcafee-epolicy-0wner-preview/; classtype:attempted-admin; sid:28821; rev:2;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Nagios core config manager tfpassword sql injection attempt"; flow:to_server,established; content:"/nagiosql/"; fast_pattern:only; http_uri; content:"tfpassword="; nocase; http_client_body; pcre:"/tfpassword=[^&]*?(%27%29|\x27\x29)/imsP"; metadata:service http; reference:cve,2013-6875; reference:url,attack.mitre.org/techniques/T1190; classtype:web-application-attack; sid:28908; rev:5;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Squid HTTP Host header port parameter denial of service attempt"; flow:to_server,established; content:"Host|3A| "; fast_pattern:only; http_header; pcre:"/Host\x3a\s*.*?:\D/H"; metadata:policy max-detect-ips drop, service http; reference:cve,2013-4123; classtype:attempted-user; sid:28955; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Cisco Prime Data Center Network Manager arbitrary file read attempt"; flow:to_server,established; content:"/downloadServlet"; fast_pattern:only; http_uri; content:"showFile="; http_uri; content:".."; distance:0; 
http_uri; metadata:service http; reference:bugtraq,62483; reference:cve,2013-5487; classtype:web-application-attack; sid:29266; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"SERVER-OTHER Novell NetWare AFP denial of service attempt"; flow:to_server,established,no_stream; content:"|0D 0A 0D 0A|"; fast_pattern:only; content:!"|00|"; depth:1; content:!"|01|"; depth:1; detection_filter:track by_src, count 1000, seconds 4; reference:bugtraq,37616; reference:cve,2010-0317; classtype:attempted-dos; sid:29362; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Mediawiki DjVu and PDF handling code execution attempt"; flow:to_server,established; content:"thumb.php"; http_uri; pcre:"/thumb\.php.*?[whp]=[^\x26]*?(\x60|\x24\x28)/Ui"; metadata:service http; reference:cve,2014-1610; classtype:attempted-admin; sid:29582; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt"; flow:to_server,established; dsize:>61; content:"|00 00 06 09|"; depth:4; offset:16; pcre:"/.{4}\x00\x00\x00(\xF0|\xEF|\xE8|\xF5|\xED).{36}(?!_[^_]{1,64}_[^_]{1,64}_)/smiR"; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,23635; reference:cve,2007-2139; classtype:attempted-admin; sid:29581; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2954 (msg:"SERVER-OTHER OpenView Network Node Manager ovalarmsrv opcode 81 integer overflow attempt"; flow:to_server,established; content:"81"; depth:2; pcre:"/^81\s+([0-9]+\s+){2}([2-9][0-9]{8}|[0-9]{10})/m"; metadata:policy max-detect-ips drop; reference:bugtraq,34738; reference:cve,2008-2438; classtype:attempted-admin; sid:29532; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2954 (msg:"SERVER-OTHER OpenView Network Node Manager ovalarmsrv opcode 25 integer overflow attempt"; flow:to_server,established; content:"25"; depth:2; pcre:"/^25\s+([0-9]+\s+){2}([2-9][0-9]{8}|[0-9]{10})/m"; metadata:policy max-detect-ips 
drop; reference:bugtraq,34738; reference:cve,2008-2438; classtype:attempted-admin; sid:29531; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2954 (msg:"SERVER-OTHER OpenView Network Node Manager ovalarmsrv opcode 54 integer overflow attempt"; flow:to_server,established; content:"54"; depth:2; pcre:"/^54\s+[0-9]+\s+([2-9][0-9]{8}|[0-9]{10})/m"; metadata:policy max-detect-ips drop; reference:bugtraq,34738; reference:cve,2008-2438; classtype:attempted-admin; sid:29530; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2954 (msg:"SERVER-OTHER OpenView Network Node Manager ovalarmsrv opcode 47 integer overflow attempt"; flow:to_server,established; content:"47"; depth:2; pcre:"/^47\s+[0-9]+\s+([2-9][0-9]{8}|[0-9]{10})/m"; metadata:policy max-detect-ips drop; reference:bugtraq,34738; reference:cve,2008-2438; classtype:attempted-admin; sid:29529; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2954 (msg:"SERVER-OTHER OpenView Network Node Manager ovalarmsrv opcode 46 integer overflow attempt"; flow:to_server,established; content:"46"; depth:2; pcre:"/^46\s+[0-9]+\s+([2-9][0-9]{8}|[0-9]{10})/m"; metadata:policy max-detect-ips drop; reference:bugtraq,34738; reference:cve,2008-2438; classtype:attempted-admin; sid:29528; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 13841 (msg:"SERVER-OTHER HP LeftHand Virtual SAN hydra information disclosure attempt"; flow:to_server,established; content:"|02 80 1D 00 00 00 00 00 00|"; depth:13; reference:bugtraq,57754; reference:cve,2012-3282; classtype:misc-activity; sid:29517; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 13841 (msg:"SERVER-OTHER HP LeftHand Virtual SAN hydra information disclosure attempt"; flow:to_server,established; content:"|02 00 00 00 00 00 00 00 00|"; depth:13; reference:bugtraq,57754; reference:cve,2012-3282; classtype:misc-activity; sid:29516; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2148 (msg:"SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type A buffer overflow 
attempt"; flow:to_server,established; content:"|0D 0A|--#UCL_DATA_HEAD#--|00|"; fast_pattern:only; content:"|00 00 00 0A|"; content:"|FF FF FF FF|"; within:4; distance:16; reference:bugtraq,49014; reference:cve,2011-0547; classtype:attempted-admin; sid:29591; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2148 (msg:"SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type A buffer overflow attempt"; flow:to_server,established; content:"|0D 0A|--#UCL_DATA_HEAD#--|00|"; fast_pattern:only; content:"|00 00 00 0A FF FF FF FF|"; reference:bugtraq,49014; reference:cve,2011-0547; classtype:attempted-admin; sid:29590; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2148 (msg:"SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 7 buffer overflow attempt"; flow:to_server,established; content:"|0D 0A|--#UCL_DATA_HEAD#--|00|"; fast_pattern:only; content:"|00 00 00 07|"; byte_test:4,<,0xF00,0,relative,big; byte_jump:4,0,relative,big; content:"|00 00 00 00|"; within:4; byte_test:4,>=,0x7fffffff,0,relative,big; reference:bugtraq,49014; reference:cve,2011-0547; classtype:attempted-admin; sid:29589; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2148 (msg:"SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 7 buffer overflow attempt"; flow:to_server,established; content:"|0D 0A|--#UCL_DATA_HEAD#--|00|"; fast_pattern:only; content:"|00 00 00 07 FF FF FF FF|"; reference:bugtraq,49014; reference:cve,2011-0547; classtype:attempted-admin; sid:29588; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2148 (msg:"SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 6 buffer overflow attempt"; flow:to_server,established; content:"|0D 0A|--#UCL_DATA_HEAD#--|00|"; fast_pattern:only; content:"|00 00 00 06|"; byte_test:4,<,0xF00,0,relative,big; byte_jump:4,0,relative,big; content:"|00 00 00 00 FF FF FF FF|"; within:8; reference:bugtraq,49014; reference:cve,2011-0547; classtype:attempted-admin; sid:29587; 
rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2148 (msg:"SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 6 buffer overflow attempt"; flow:to_server,established; content:"|0D 0A|--#UCL_DATA_HEAD#--|00|"; fast_pattern:only; content:"|00 00 00 06 FF FF FF FF|"; reference:bugtraq,49014; reference:cve,2011-0547; classtype:attempted-admin; sid:29586; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2148 (msg:"SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 3 buffer overflow attempt"; flow:to_server,established; content:"|0D 0A|--#UCL_DATA_HEAD#--|00|"; fast_pattern:only; content:"|00 00 00 03 FF FF FF FF|"; reference:bugtraq,49014; reference:cve,2011-0547; classtype:attempted-admin; sid:29585; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP Data Protector Backup Client Service code execution attempt"; flow:to_server,established; content:"|FE FF|"; depth:2; offset:4; content:"|00 32 00 00 00|"; within:9; content:"|00 00 00|"; distance:0; isdataat:254,relative; content:!"|00 00 00|"; within:254; metadata:policy max-detect-ips drop; reference:cve,2011-0922; classtype:suspicious-filename-detect; sid:29603; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET 2400 (msg:"SERVER-OTHER Novell ZENworks Handheld Management ZfHIPCND.exe buffer overflow attempt"; flow:to_server,established; content:"|01 00 00 00 01 00 01 00|"; fast_pattern:only; flowbits:set,zenworks_opcode; flowbits:noalert; reference:bugtraq,46024; reference:cve,2011-0742; classtype:attempted-admin; sid:29607; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"SERVER-OTHER HP Data Protector Backup Client Service code execution attempt"; flow:to_server,established; content:"|32 00|"; depth:7; offset:4; isdataat:254,relative; content:!"|00 20 32 37 00|"; within:254; metadata:policy max-detect-ips drop; reference:cve,2011-0922; classtype:suspicious-filename-detect; sid:29630; rev:5;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 2400 (msg:"SERVER-OTHER Novell ZENworks Handheld Management ZfHIPCND.exe buffer overflow attempt"; flow:to_server,established; flowbits:isset,zenworks_opcode; content:"|22|"; depth:1; byte_extract:1,13,offsetvar; byte_test:4,>,436,offsetvar; reference:bugtraq,46024; reference:cve,2011-0742; classtype:attempted-admin; sid:29629; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2400 (msg:"SERVER-OTHER Novell ZENworks Handheld Management ZfHIPCND.exe buffer overflow attempt"; flow:to_server,established; flowbits:isset,zenworks_opcode; content:"|0C|"; depth:1; byte_extract:1,13,offsetvar; byte_test:4,>,436,offsetvar; reference:bugtraq,46024; reference:cve,2011-0742; classtype:attempted-admin; sid:29628; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2400 (msg:"SERVER-OTHER Novell ZENworks Handheld Management ZfHIPCND.exe buffer overflow attempt"; flow:to_server,established; flowbits:isset,zenworks_opcode; content:"|0B|"; depth:1; byte_extract:1,13,offsetvar; byte_test:4,>,436,offsetvar; metadata:policy max-detect-ips drop; reference:bugtraq,46024; reference:cve,2011-0742; classtype:attempted-admin; sid:29627; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2400 (msg:"SERVER-OTHER Novell ZENworks Handheld Management ZfHIPCND.exe buffer overflow attempt"; flow:to_server,established; flowbits:isset,zenworks_opcode; content:"|0A|"; depth:1; byte_extract:1,13,offsetvar; byte_test:4,>,436,offsetvar; reference:bugtraq,46024; reference:cve,2011-0742; classtype:attempted-admin; sid:29626; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5498 (msg:"SERVER-OTHER IBM Cognos TM1 Server tm1admsd.exe buffer overflow attempt"; flow:to_server,established; content:"|00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03|"; fast_pattern:only; reference:bugtraq,52847; reference:cve,2012-0202; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21590314; classtype:attempted-admin; sid:29611; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [5495,5498] 
(msg:"SERVER-OTHER IBM Cognos TM1 Server tm1admsd.exe buffer overflow attempt"; flow:to_server,established; content:"|00 08|"; depth:2; offset:6; isdataat:1000,relative; reference:bugtraq,52847; reference:cve,2012-0202; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21590314; classtype:attempted-admin; sid:29610; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER D-Link IP Cameras access the ASCII video stream via image luminance"; flow:to_server,established; content:"/md/lums.cgi"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2013-1601; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-user; sid:29795; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER D-Link IP Cameras access to the video stream via HTTP"; flow:to_server,established; content:"/upnp/asf-mp4.asf"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2013-1600; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-user; sid:29794; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER D-Link IP Cameras execution of commands from administration web interface"; flow:to_server,established; content:"/cgi-bin/rtpd.cgi|3F|"; fast_pattern:only; http_uri; urilen:>18; metadata:service http; reference:cve,2013-1599; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-user; sid:29793; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER Novell iPrint Server remote code execution attempt"; flow:established,to_server; content:"|01|"; depth:1; isdataat:124,relative; content:!"|0A|"; within:124; reference:bugtraq,46309; reference:cve,2010-4328; classtype:attempted-user; sid:29792; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-OTHER EMC AlphaStore buffer overflow 
attempt"; flow:to_server,established; content:"r"; depth:1; isdataat:28,relative; content:!"|00|"; within:28; reference:cve,2013-0930; classtype:attempted-admin; sid:29942; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-OTHER EMC AlphaStore buffer overflow attempt"; flow:to_server,established; content:"A"; depth:1; isdataat:28,relative; content:!"|00|"; within:28; reference:cve,2013-0930; classtype:attempted-admin; sid:29941; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3500 (msg:"SERVER-OTHER EMC AlphaStore buffer overflow attempt"; flow:to_server,established; content:"O"; depth:1; content:"|7E|"; distance:0; isdataat:256,relative; content:!"|00|"; within:256; reference:cve,2013-0946; classtype:attempted-admin; sid:29940; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3500 (msg:"SERVER-OTHER EMC AlphaStore buffer overflow attempt"; flow:to_server,established; content:"O"; depth:1; content:"|7E|"; distance:0; content:"|2C|"; distance:0; isdataat:32,relative; content:!"|2C|"; within:32; reference:cve,2013-0946; classtype:attempted-admin; sid:29939; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 4322 (msg:"SERVER-OTHER InduSoft Web Studio Remote Agent buffer overflow attempt"; flow:to_server,established; content:"|15|"; depth:1; isdataat:104,relative; content:!"|00|"; within:104; reference:cve,2011-4052; classtype:attempted-user; sid:29938; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [3200:3299] (msg:"SERVER-OTHER SAP NetWeaver Dispatcher DiagTraceR3Info buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 10 06 20|"; depth:13; offset:11; content:!"|00 0C|"; within:17; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,53424; reference:cve,2012-2611; classtype:attempted-admin; sid:29937; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Python socket.recvfrom_into remote buffer overflow attempt"; 
flow:to_server,established; content:"|08 59 38 08|"; depth:4; offset:4; content:"|08 59 38 08|"; within:4; distance:8; content:"|1C 59 38 08|"; within:250; reference:bugtraq,65379; reference:cve,2014-1912; reference:url,bugs.python.org/issue20246; classtype:attempted-user; sid:29968; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Python socket.recvfrom_into remote buffer overflow attempt"; flow:to_server,established; content:"|08 79 AE B7|"; depth:4; offset:4; content:"|08 79 AE B7|"; within:4; distance:8; content:"|E0 B7 05 08|"; within:250; reference:bugtraq,65379; reference:cve,2014-1912; reference:url,bugs.python.org/issue20246; classtype:attempted-user; sid:29967; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-OTHER Ubiquiti airCam RTSP service buffer overflow attempt"; flow:to_server; content:"DESCRIBE rtsp://"; depth:16; isdataat:256,relative; content:!"|20|"; within:256; content:!"|3A|"; within:256; content:"|3A|"; distance:256; metadata:service rtsp; reference:bugtraq,60487; reference:cve,2013-1606; reference:url,packetstormsecurity.com/files/121986/Ubiquiti-airCam-RTSP-Service-Buffer-Overflow.html; classtype:attempted-admin; sid:29966; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER multiple products HTTP HEAD request buffer overflow attempt"; flow:to_server,established; content:"HEAD |2F|"; depth:6; isdataat:1000,relative; content:!"HTTP|2F|1"; within:1000; metadata:service http; reference:cve,2002-2268; reference:cve,2012-5876; classtype:attempted-user; sid:29958; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt"; flow:to_server,established; urilen:>200,norm; content:"Content-Length: 0"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2002-2268; reference:cve,2014-4158; classtype:attempted-user; sid:29957; rev:5;) # alert udp $EXTERNAL_NET any -> 
$HOME_NET 554 (msg:"SERVER-OTHER Ubiquiti airCam RTSP service buffer overflow attempt"; flow:to_server; content:"DESCRIBE rtsp://"; depth:16; isdataat:256,relative; content:!"|20|"; within:256; content:!"|3A|"; within:256; content:"|3A|"; distance:256; metadata:service rtsp; reference:bugtraq,60487; reference:cve,2013-1606; reference:url,packetstormsecurity.com/files/121986/Ubiquiti-airCam-RTSP-Service-Buffer-Overflow.html; classtype:attempted-admin; sid:29953; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET [443,5003,50500,54345] (msg:"SERVER-OTHER HP LoadRunner XDR handling heap buffer overflow"; flow:to_server,established; content:"|00 00 00 19|"; depth:4; fast_pattern; isdataat:60; content:"|FF FF FF|"; distance:45; byte_test:1,>,244,0,relative; byte_test:1,<,253,0,relative; reference:cve,2013-4799; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03862772; classtype:attempted-user; sid:29952; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 4559 (msg:"SERVER-OTHER HylaFAX plus LDAP authentication username buffer overflow attempt"; flow:established, to_server; content:"USER "; depth:5; content:!"|0A|"; within:256; metadata:service ftp; reference:bugtraq,62729; reference:cve,2013-5680; classtype:attempted-admin; sid:29951; rev:1;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER TP-Link TL-WR740N wireless router remote denial of service attempt"; flow:to_server,established; urilen:4; content:"/..."; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,58623; reference:url,www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5135.php; classtype:attempted-dos; sid:29950; rev:2;) # alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:"SERVER-OTHER Borland VisiBroker Smart Agent heap overflow attempt"; flow:to_server; content:"DSRequest"; depth:20; offset:10; nocase; byte_test:4, =, 4294967295, 1, relative; reference:bugtraq,28084; reference:cve,2008-7126; 
reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; classtype:attempted-user; sid:30032; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 257 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"2|00|5|00|7|00 00 00 20 00|"; depth:10; offset:6; content:"|20 00|"; distance:0; isdataat:1300,relative; content:!"|00 00|"; within:1300; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,64647; reference:cve,2013-6195; reference:url,h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03822422; classtype:attempted-admin; sid:30097; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 219 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"2|00|1|00|9|00 00 00 20 00|"; depth:10; offset:6; content:"|20 00|"; distance:0; isdataat:1300,relative; content:!"|00 00|"; within:1300; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,64647; reference:cve,2013-6195; reference:url,h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03822422; classtype:attempted-admin; sid:30096; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 216 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"2|00|1|00|6|00 00 00 20 00|"; depth:10; offset:6; content:"|20 00|"; distance:0; isdataat:1300,relative; content:!"|00 00|"; within:1300; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,64647; reference:cve,2013-6195; reference:url,h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03822422; classtype:attempted-admin; sid:30095; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"SERVER-OTHER HP 
OpenView Storage Data Protector CRS opcode 214 buffer overflow attempt"; flow:to_server,established; flowbits:isset,hp_openview_sdp; content:"2|00|1|00|4|00 00 00 20 00|"; depth:10; offset:6; content:"|20 00|"; distance:0; isdataat:1300,relative; content:!"|00 00|"; within:1300; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,64647; reference:cve,2013-6195; reference:url,h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03822422; classtype:attempted-admin; sid:30094; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET [19985,19988] (msg:"SERVER-OTHER HP AIO Archive Query Server stack buffer overflow attempt"; flow:to_server,established; content:"GIOP|01 01|"; depth:6; fast_pattern; content:"|00|"; within:1; distance:1; content:"|00 00 00|"; within:3; distance:13; byte_jump:4,0,relative; byte_jump:4,2,relative; byte_jump:4,0,relative; content:"|0D|"; within:1; distance:6; byte_test:1,>,9,0,relative; byte_test:1,>,0x11,1,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,64557; reference:cve,2013-6189; classtype:attempted-admin; sid:30207; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET [19985,19988] (msg:"SERVER-OTHER HP AIO Archive Query Server stack buffer overflow attempt"; flow:to_server,established; content:"GIOP|01 01|"; depth:6; fast_pattern; content:"|00|"; within:1; distance:1; content:"|00 00 00|"; within:3; distance:13; byte_jump:4,0,relative; byte_jump:4,2,relative; byte_jump:4,0,relative; content:"|0D|"; within:1; distance:6; byte_test:1,<,2,0,relative; byte_test:1,>,0x11,1,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,64557; reference:cve,2013-6189; classtype:attempted-admin; sid:30206; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET [19985,19988] (msg:"SERVER-OTHER HP AIO Archive Query Server stack buffer overflow attempt"; flow:to_server,established; 
content:"GIOP|01 01|"; depth:6; fast_pattern; content:"|00|"; within:1; distance:1; content:"|00 00 00|"; within:3; distance:13; byte_jump:4,0,relative; byte_jump:4,2,relative; byte_jump:4,0,relative; content:"|0D 06|"; within:2; distance:6; byte_test:1,>,0x11,0,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,64557; reference:cve,2013-6189; classtype:attempted-admin; sid:30205; rev:2;) # alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"SERVER-OTHER Cisco Catalyst telnet memory leak denial of service attempt"; flow:to_server,established,no_stream; content:"AAA"; nocase; detection_filter:track by_src, count 10, seconds 1; metadata:service telnet; reference:bugtraq,2072; reference:url,www.cisco.com/en/US/products/hw/routers/ps295/products_security_notice09186a008020ce3f.html; classtype:attempted-dos; sid:30339; rev:2;) # alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"SERVER-OTHER Cisco 677-678 telnet buffer overflow attempt"; flow:to_server,established; content:"%%%%%XX%%%%%?????????????????a~"; fast_pattern:only; metadata:service telnet; reference:url,www.cisco.com/en/US/products/hw/routers/ps295/products_security_notice09186a008020ce3f.html; classtype:attempted-dos; sid:30338; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"SERVER-OTHER Cisco Catalyst SSH protocol mismatch denial of service attempt"; flow:to_server,established; content:"a%a%a%a%a%a%a%"; fast_pattern:only; metadata:service ssh; reference:bugtraq,2117; reference:url,www.cisco.com/en/US/products/hw/routers/ps295/products_security_notice09186a008020ce3f.html; classtype:attempted-dos; sid:30337; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER McAfee Asset Manager downloadReport information disclosure attempt"; flow:to_server,established; content:"/servlet/downloadReport"; fast_pattern:only; http_uri; content:"reportFileName="; http_uri; 
pcre:"/reportFileName=[^&]*\x2e\x2e/U"; metadata:service http; reference:bugtraq,66302; reference:cve,2014-2588; classtype:attempted-recon; sid:30330; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER McAfee Asset Manager downloadReport information disclosure attempt"; flow:to_server,established; content:"/servlet/downloadReport"; fast_pattern:only; http_uri; content:"reportFileName="; http_client_body; pcre:"/reportFileName=[^&]*(\x2e\x2e|%2e%2e)/P"; metadata:service http; reference:bugtraq,66302; reference:cve,2014-2588; classtype:attempted-recon; sid:30329; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,5555] (msg:"SERVER-OTHER MiniUPnPd ExecuteSoapAction buffer overflow attempt"; flow:to_server,established; content:"SOAPAction|3A|"; isdataat:1024,relative; content:!"|22|"; within:1024; metadata:service http; reference:cve,2013-0230; classtype:attempted-admin; sid:30507; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"SERVER-OTHER Zilab Chat and Instant Messaging server connection heap overflow attempt"; flow:to_server,established; content:"|0F 02|"; depth:2; byte_test:4,>,0xFFF,8,relative,little; reference:bugtraq,27940; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; classtype:attempted-user; sid:30489; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"SERVER-OTHER Zilab Chat and Instant Messaging server channel join heap overflow attempt"; flow:to_server,established; content:"|13 01|"; depth:2; byte_test:4,>,160,0,relative,little; reference:bugtraq,27940; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; classtype:attempted-user; sid:30488; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"SERVER-OTHER Zilab Chat and Instant Messaging server heap overflow attempt"; flow:to_server,established; content:"|11 01|"; depth:2; byte_test:4,>,512,0,relative,little; reference:bugtraq,27940; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; 
classtype:attempted-user; sid:30487; rev:1;) alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established,only_stream; content:"|18 03 03|"; depth:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30517; rev:9;) alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established,only_stream; content:"|18 03 02|"; depth:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30516; rev:9;) alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established,only_stream; content:"|18 03 01|"; depth:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30515; rev:9;) alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established,only_stream; content:"|18 03 00|"; depth:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30514; rev:9;) alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt"; flow:to_server,established,only_stream; content:"|18 03 
03|"; depth:3; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30513; rev:7;) alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt"; flow:to_server,established,only_stream; content:"|18 03 02|"; depth:3; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30512; rev:7;) alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1 heartbeat read overrun attempt"; flow:to_server,established,only_stream; content:"|18 03 01|"; depth:3; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30511; rev:7;) alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt"; flow:to_server,established,only_stream; content:"|18 03 00|"; depth:3; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30510; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt - vulnerable client response"; flow:to_server,established,only_stream; content:"|18 03 03|"; depth:3; byte_test:2,>,128,3; detection_filter:track by_dst, count 2, seconds 5; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30523; 
rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt - vulnerable client response"; flow:to_server,established,only_stream; content:"|18 03 02|"; depth:3; byte_test:2,>,128,3; detection_filter:track by_dst, count 2, seconds 5; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30522; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1 heartbeat read overrun attempt - vulnerable client response"; flow:to_server,established,only_stream; content:"|18 03 01|"; depth:3; byte_test:2,>,128,3; detection_filter:track by_dst, count 2, seconds 5; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30521; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt - vulnerable client response"; flow:to_server,established,only_stream; content:"|18 03 00|"; depth:3; byte_test:2,>,128,3; detection_filter:track by_dst, count 2, seconds 5; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30520; rev:8;) alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt"; flow:to_server,established; dsize:69; content:"|18 03 03 00 40|"; depth:5; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30525; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt"; 
flow:to_server,established; dsize:8; content:"|18 03 02 00 03 01 40 00|"; depth:8; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30524; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL Heartbleed masscan access exploitation attempt"; flow:to_server,established; content:"[masscan/1.0]"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30549; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Wordpress linenity theme LFI attempt"; flow:to_server, established; content:"/wp-content/themes/linenity/functions/download.php"; http_uri; content:"imgurl="; distance:0; http_uri; content:"../"; distance:0; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,66921; classtype:attempted-admin; sid:30769; rev:2;) alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 03|"; byte_jump:2,0,relative; content:"|18 03 03|"; within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30788; rev:3;) alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 02|"; byte_jump:2,0,relative; content:"|18 03 02|"; within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; 
classtype:attempted-recon; sid:30787; rev:3;) alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 01|"; byte_jump:2,0,relative; content:"|18 03 01|"; within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30786; rev:3;) alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 00|"; byte_jump:2,0,relative; content:"|18 03 00|"; within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30785; rev:3;) alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|17 03 03|"; byte_jump:2,0,relative; content:"|18 03 03|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30784; rev:3;) alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|16 03 03|"; byte_jump:2,0,relative; content:"|18 03 03|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30783; rev:3;) alert tcp $HOME_NET 
[21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|17 03 02|"; byte_jump:2,0,relative; content:"|18 03 02|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30782; rev:3;) alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|16 03 02|"; byte_jump:2,0,relative; content:"|18 03 02|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30781; rev:3;) alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|17 03 01|"; byte_jump:2,0,relative; content:"|18 03 01|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30780; rev:3;) alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|16 03 01|"; byte_jump:2,0,relative; content:"|18 03 01|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30779; rev:3;) alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> 
$EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|17 03 00|"; byte_jump:2,0,relative; content:"|18 03 00|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30778; rev:3;) alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|16 03 00|"; byte_jump:2,0,relative; content:"|18 03 00|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30777; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER SAP NetWeaver dir content listing attempt"; flow:to_server, established; content:"/sap/bc/soap/rfc"; fast_pattern:only; http_uri; content:"SOAPAction: urn:sap-com:document:sap:rfc:functions"; http_header; content:"RZL_READ_DIR_LOCAL"; http_client_body; content:""; http_client_body; content:""; distance:0; http_client_body; content:"/"; within:100; http_client_body; content:""; within:100; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-admin; sid:30928; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER UNIX platform forwardslash directory traversal"; flow:to_server,established; content:"/..%2F"; fast_pattern:only; content:"/..%2F"; http_raw_uri; metadata:service http; reference:bugtraq,67244; reference:cve,2014-0130; reference:url,weblog.rubyonrails.org/2014/5/6/Rails_3_2_18_4_0_5_and_4_1_1_have_been_released/; classtype:web-application-attack; sid:31013; rev:1;) alert tcp 
$EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER CMSimple remote file inclusion attempt"; flow:to_server, established; content:"plugins/filebrowser/classes/required_classes.php"; fast_pattern; http_uri; content:"=http"; distance:0; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploit-db.com/download/32930; classtype:attempted-admin; sid:30996; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Oracle Demantra arbitrary file retrieval with authentication bypass attempt"; flow:to_server,established; content:"/../../"; fast_pattern:only; content:"/demantra/"; depth:10; http_uri; content:"/../../GraphServlet"; offset:10; http_raw_uri; metadata:service http; reference:bugtraq,64836; reference:cve,2013-5880; classtype:attempted-user; sid:31045; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,443] (msg:"SERVER-OTHER F5 BIG-IP iControl API hostname command injection attempt"; flow:to_server,established; content:"/iControl/iControlPortal.cgi"; fast_pattern:only; content:"urn:iControl:System/Inet"; nocase; content:""; nocase; pcre:"/.{0,250}[\x60\x3b\x7c\x24\x28\x26]/sim"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,67278; reference:cve,2014-2928; reference:url,support.f5.com/kb/en-us/solutions/public/15000/200/sol15220.html; classtype:attempted-admin; sid:31068; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg:"SERVER-OTHER Vino VNC multiple client authentication denial of service attempt"; flow:to_server,established,no_stream; content:"RFB 003."; depth:8; detection_filter:track by_src, count 1, seconds 1; reference:cve,2013-5745; classtype:attempted-dos; sid:31082; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER TrendMicro InterScan Viruswall directory traversal attempt"; flow:to_server,established; content:"/ishttpd/localweb/java/?"; nocase; http_uri; 
content:"../"; distance:0; http_uri; metadata:service http; reference:cve,2004-1859; reference:url,www.securityfocus.com/bid/9966; classtype:misc-activity; sid:31102; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Sharetronix cross site request forgery attempt"; flow:to_server,established; content:"POST"; http_method; content:"admin/administrators"; fast_pattern:only; http_uri; content:"admin="; depth:6; nocase; http_client_body; pcre:"/^admin=[a-z0-9-_]{3,30}/Pi"; metadata:service http; reference:bugtraq,67681; reference:cve,2014-3414; classtype:attempted-admin; sid:31101; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Beetel 450TC2 CSRF attempt"; flow:to_server,established; content:"Forms/tools_admin_1"; fast_pattern:only; http_uri; content:"uiViewTools_Password="; depth:21; http_client_body; content:"&uiViewTools_PasswordConfirm="; distance:0; http_client_body; metadata:service http; reference:bugtraq,67169; reference:cve,2014-3792; classtype:attempted-admin; sid:31162; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER AuraCMS LFI attempt"; flow:to_server, established; content:"filemanager.php"; http_uri; content:"viewdir="; distance:0; http_uri; content:"../"; distance:0; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.exploit-db.com/exploits/33555; classtype:attempted-admin; sid:31161; rev:2;) # alert udp $EXTERNAL_NET any -> $HOME_NET [4433,443,10000:] (msg:"SERVER-OTHER OpenSSL DTLS handshake recursion denial of service attempt"; flow:to_client; content:"|16 FE|"; depth:2; content:"|00 0C 00 00 00 00 00 00 00 00 00 00 00 00|"; within:14; distance:9; detection_filter:track by_src, count 20, seconds 5; reference:cve,2014-0221; reference:url,www.openssl.org/news/secadv_20140605.txt; classtype:attempted-dos; sid:31181; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET [4433,443] 
(msg:"SERVER-OTHER OpenSSL DTLS handshake recursion denial of service attempt"; flow:to_client; content:"|16 FE FF|"; depth:3; content:"|01|"; within:1; distance:10; byte_extract:3,0,frag,relative; byte_test:3,!=,frag,5,relative; detection_filter:track by_src, count 20, seconds 1; reference:cve,2014-0221; reference:url,www.openssl.org/news/secadv_20140605.txt; classtype:attempted-dos; sid:31180; rev:6;) # alert tcp $EXTERNAL_NET [25,443,465,587,636,992,993,995,2484,8443] -> $HOME_NET any (msg:"SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt"; flow:to_client,established; content:"|16 03 03|"; depth:3; content:"|02|"; within:1; distance:2; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_test:1,>,32,33,relative; metadata:service ssl; reference:bugtraq,67741; reference:cve,2014-3466; reference:url,gnutls.org/security.html#GNUTLS-SA-2014-3; classtype:attempted-user; sid:31179; rev:4;) # alert tcp $EXTERNAL_NET [25,443,465,587,636,992,993,995,2484,8443] -> $HOME_NET any (msg:"SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt"; flow:to_client,established; content:"|16 03 02|"; depth:3; content:"|02|"; within:1; distance:2; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_test:1,>,32,33,relative; metadata:service ssl; reference:bugtraq,67741; reference:cve,2014-3466; reference:url,gnutls.org/security.html#GNUTLS-SA-2014-3; classtype:attempted-user; sid:31178; rev:4;) # alert tcp $EXTERNAL_NET [25,443,465,587,636,992,993,995,2484,8443] -> $HOME_NET any (msg:"SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt"; flow:to_client,established; content:"|16 03 01|"; depth:3; content:"|02|"; within:1; distance:2; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_test:1,>,32,33,relative; metadata:service ssl; reference:bugtraq,67741; reference:cve,2014-3466; reference:url,gnutls.org/security.html#GNUTLS-SA-2014-3; classtype:attempted-user; sid:31177; rev:4;) # alert tcp 
$EXTERNAL_NET [25,443,465,587,636,992,993,995,2484,8443] -> $HOME_NET any (msg:"SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt"; flow:to_client,established; content:"|16 03 02 01 50 45 32 49 E7 23 DF BD 9B 4E CA 35 D6 7D 32 8C 15 F0 EF 74 79 58 F5 87 2B 2B 96 02 F5 7C 2B A3|"; fast_pattern:only; metadata:service ssl; reference:bugtraq,67741; reference:cve,2014-3466; reference:url,gnutls.org/security.html#GNUTLS-SA-2014-3; classtype:attempted-user; sid:31176; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Xerox DocuShare SQL injection attempt"; flow:to_server,established; content:"/docushare/dsweb/ResultBackgroundJobMultiple/"; fast_pattern:only; http_uri; pcre:"/\/docushare\/dsweb\/ResultBackgroundJobMultiple\/\d*[^\d]/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,66922; classtype:attempted-admin; sid:31300; rev:3;) # alert udp $EXTERNAL_NET 7001 -> $HOME_NET 7000 (msg:"SERVER-OTHER OpenAFS GetStatistics buffer overflow attempt"; flow:to_server; content:"|01|"; depth:1; offset:20; content:"|00 01 00 06 00 00 00|"; within:7; distance:7; content:!"|10|"; within:1; reference:bugtraq,66776; reference:cve,2014-0159; classtype:denial-of-service; sid:31338; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5666 (msg:"SERVER-OTHER Nagios NRPE command execution attempt"; flow:to_server,established; content:"|00 02 00 01|"; depth:4; content:"|0A|"; distance:6; reference:bugtraq,66969; reference:cve,2014-2913; classtype:attempted-admin; sid:31337; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Samsung TV denial of service attempt"; flow:to_server,established; urilen:>300; content:"Content-Length: 0|0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2013-4890; classtype:attempted-dos; sid:31406; rev:3;) alert tcp any any -> $HTTP_SERVERS 443 (msg:"SERVER-OTHER OpenSSL 
TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt"; flow:to_server,established; content:"|16 03 01|"; depth:3; content:"|01|"; within:1; distance:2; content:"|03 03|"; within:2; distance:3; byte_test:2,!=,0,33,relative; flowbits:set,tlsv1.2_handshake; flowbits:noalert; metadata:service ssl; reference:bugtraq,67899; reference:cve,2014-0224; reference:url,www.openssl.org/news/secadv_20140605.txt; classtype:attempted-dos; sid:31484; rev:1;) alert tcp any any -> $HTTP_SERVERS 443 (msg:"SERVER-OTHER OpenSSL TLSv1.1 ChangeCipherSpec man-in-the-middle exploitation attempt"; flow:to_server,established; content:"|16 03 01|"; depth:3; content:"|01|"; within:1; distance:2; content:"|03 02|"; within:2; distance:3; byte_test:2,!=,0,33,relative; flowbits:set,tlsv1.1_handshake; flowbits:noalert; metadata:service ssl; reference:bugtraq,67899; reference:cve,2014-0224; reference:url,www.openssl.org/news/secadv_20140605.txt; classtype:attempted-dos; sid:31483; rev:1;) alert tcp any any -> $HTTP_SERVERS 443 (msg:"SERVER-OTHER OpenSSL TLSv1.0 ChangeCipherSpec man-in-the-middle exploitation attempt"; flow:to_server,established; content:"|16 03 01|"; depth:3; content:"|01|"; within:1; distance:2; content:"|03 01|"; within:2; distance:3; byte_test:2,!=,0,33,relative; flowbits:set,tlsv1.0_handshake; flowbits:noalert; metadata:service ssl; reference:bugtraq,67899; reference:cve,2014-0224; reference:url,www.openssl.org/news/secadv_20140605.txt; classtype:attempted-dos; sid:31482; rev:1;) alert tcp any any -> $HTTP_SERVERS 443 (msg:"SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle exploitation attempt"; flow:to_server,established; content:"|16 03 00|"; depth:3; content:"|01|"; within:1; distance:2; content:"|03 00|"; within:2; distance:3; byte_test:2,!=,0,33,relative; flowbits:set,ssl_handshake; flowbits:noalert; metadata:service ssl; reference:bugtraq,67899; reference:cve,2014-0224; reference:url,www.openssl.org/news/secadv_20140605.txt; classtype:attempted-dos; 
sid:31481; rev:1;)
# --- OpenSSL early ChangeCipherSpec, CVE-2014-0224 (sids 31477-31480) ---
# One rule per record-layer version (TLS 1.2 / 1.1 / 1.0 / SSLv3). Each looks, in the
# server->client direction, for two back-to-back ChangeCipherSpec records: content
# type 0x14, the matching 2-byte version, length 0x0001, body 0x01. The match is
# gated on a flowbit (tlsv1.x_handshake / ssl_handshake) that must be set by a
# companion handshake rule which is not in this section; if that rule is absent or
# disabled, these sids never fire.
# Coverage caveat: the header hard-codes the source as $HTTP_SERVERS port 443, so
# TLS on any other port is not covered by these four sids.
# NOTE(review): the advisory describes a man-in-the-middle / decryption issue, yet
# classtype is attempted-dos; confirm the intended priority before enabling.
# All four are disabled by default (leading '#').
# alert tcp $HTTP_SERVERS 443 -> any any (msg:"SERVER-OTHER OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt"; flow:to_client,established; flowbits:isset,tlsv1.2_handshake; content:"|14 03 03 00 01 01 14 03 03 00 01 01|"; fast_pattern:only; metadata:service ssl; reference:bugtraq,67899; reference:cve,2014-0224; reference:url,www.openssl.org/news/secadv_20140605.txt; classtype:attempted-dos; sid:31480; rev:2;)
# alert tcp $HTTP_SERVERS 443 -> any any (msg:"SERVER-OTHER OpenSSL TLSv1.1 ChangeCipherSpec man-in-the-middle exploitation attempt"; flow:to_client,established; flowbits:isset,tlsv1.1_handshake; content:"|14 03 02 00 01 01 14 03 02 00 01 01|"; fast_pattern:only; metadata:service ssl; reference:bugtraq,67899; reference:cve,2014-0224; reference:url,www.openssl.org/news/secadv_20140605.txt; classtype:attempted-dos; sid:31479; rev:2;)
# alert tcp $HTTP_SERVERS 443 -> any any (msg:"SERVER-OTHER OpenSSL TLSv1.0 ChangeCipherSpec man-in-the-middle exploitation attempt"; flow:to_client,established; flowbits:isset,tlsv1.0_handshake; content:"|14 03 01 00 01 01 14 03 01 00 01 01|"; fast_pattern:only; metadata:service ssl; reference:bugtraq,67899; reference:cve,2014-0224; reference:url,www.openssl.org/news/secadv_20140605.txt; classtype:attempted-dos; sid:31478; rev:2;)
# alert tcp $HTTP_SERVERS 443 -> any any (msg:"SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle exploitation attempt"; flow:to_client,established; flowbits:isset,ssl_handshake; content:"|14 03 00 00 01 01 14 03 00 00 01 01|"; fast_pattern:only; metadata:service ssl; reference:bugtraq,67899; reference:cve,2014-0224; reference:url,www.openssl.org/news/secadv_20140605.txt; classtype:attempted-dos; sid:31477; rev:2;)
# --- D-Link HNAP buffer overflow, CVE-2014-3936 (sid 31529) ---
# Matches a POST whose normalized URI is /HNAP1 (urilen 6<>7,norm is meant to admit
# "/HNAP1" and "/HNAP1/" -- assumes the <> range is inclusive in this Snort
# version; TODO confirm), carrying a Content-Length header whose first 10 characters
# after the colon parse as a decimal value greater than 10000 (byte_test ... relative,
# string,dec on the raw header buffer). Set to drop in all four IPS policies.
# Coverage caveat: Content-Length is used as a proxy for an oversized body, so only
# requests that actually carry a large Content-Length header are matched; a body
# delivered without that header (e.g. chunked) would not trigger this sid. Whether the
# affected devices accept such requests is not established here.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER D-Link Multiple Products HNAP request buffer overflow attempt"; flow:to_server,established; urilen:6<>7,norm; content:"/HNAP1"; fast_pattern:only; http_uri; content:"POST"; http_method; content:"Content-Length|3A|"; http_raw_header; byte_test:10,>,10000,0,relative,string,dec; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,67651; reference:cve,2014-3936; classtype:attempted-admin; sid:31529; rev:4;)
# --- HP AutoPass License Server pdfupload traversal, CVE-2013-6221 (sids 31526, 31525) ---
# Both rules key on the /autopass/cs/pdfupload URI and a filename parameter in the
# client body containing ".." followed by "/" or "\" (pcre flags: P = client body,
# i = case-insensitive). 31526 handles multipart bodies ("filename" with optional
# whitespace and quote, bounded by end of line); 31525 handles urlencoded bodies
# ("filename=" bounded by '&'). Percent-encoded forms (%2e, %2f, %5c) are listed
# explicitly, presumably because the client-body buffer is not URL-decoded; only a
# single encoding level is covered, so a double-encoded traversal (%252e) is not
# matched by either sid. Both drop in all four IPS policies.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER HP AutoPass License Server CommunicationServlet directory traversal attempt"; flow:to_server,established; content:"/autopass/cs/pdfupload"; fast_pattern:only; http_uri; content:"multipart"; http_header; content:"filename"; nocase; http_client_body; pcre:"/filename\s*?=\s*?[\x22\x27]?[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,67989; reference:cve,2013-6221; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04333125; classtype:attempted-admin; sid:31526; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER HP AutoPass License Server CommunicationServlet directory traversal attempt"; flow:to_server,established; content:"/autopass/cs/pdfupload"; fast_pattern:only; http_uri; content:"urlencoded"; http_header; content:"filename="; nocase; http_client_body; pcre:"/filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,67989; reference:cve,2013-6221; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04333125; classtype:attempted-admin; sid:31525; rev:4;)
# --- Cougar-LG sensitive path access, CVE-2014-3928 / CVE-2014-3929 (sids 31709, 31708) ---
# Recon-class rules on the normalized URI buffer: a request under /lg/ (case-
# insensitive) that reaches lg.conf (31709) or a /.ssh path (31708). Note that the
# second content in each rule has no nocase, so "lg.conf" and "/.ssh" are matched
# case-sensitively. Both are alert-only (no policy drop entries) and disabled by
# default.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Cougar-LG configuration file access attempt"; flow:to_server,established; content:"/lg/"; nocase; http_uri; content:"lg.conf"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2014-3928; reference:url,s3.eurecom.fr/cve/CVE-2014-3928.txt; classtype:attempted-recon; sid:31709; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Cougar-LG SSH key path access attempt"; flow:to_server,established; content:"/lg/"; nocase; http_uri; content:"/.ssh"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2014-3929; reference:url,s3.eurecom.fr/cve/CVE-2014-3929.txt; classtype:attempted-recon; sid:31708; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER FCKeditor textinputs cross site scripting attempt"; flow:to_server,established; content:"/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php"; fast_pattern:only; http_uri; content:"
