# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#---------------------
# SERVER-WEBAPP RULES
#---------------------
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,443] (msg:"SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt"; flow:to_server,established; content:"_mdm_session=BAhvOkBB"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,71424; reference:cve,2014-6140; classtype:attempted-user; sid:33169; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,443] (msg:"SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt"; flow:to_server,established; content:"_trusted-services-provider_session=BAhvOkBB"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,71424; reference:cve,2014-6140; classtype:attempted-user; sid:33168; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,443] (msg:"SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt"; flow:to_server,established; content:"_self-service-portal_session=BAhvOkBB"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,71424; reference:cve,2014-6140; classtype:attempted-user; sid:33167; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,443] (msg:"SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt"; flow:to_server,established; content:"_admin-portal_session=BAhvOkBB"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,71424; reference:cve,2014-6140; classtype:attempted-user; sid:33166; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products HTTP connection header overflow attempt"; flow:to_server,established; content:"Connection|3A 20|"; nocase; http_header; isdataat:50,relative; content:!"|0D 0A|"; within:100; http_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,99137; reference:cve,2017-7668; reference:url,ghostinthelab.wordpress.com/2012/07/19/simplewebserver-2-2-rc2-remote-buffer-overflow-exploit/; classtype:attempted-user; sid:43587; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5054 (msg:"SERVER-WEBAPP Reprise License Manager licfile stack buffer overflow attempt"; flow:to_server,established; content:"/goform/service_setup_doit"; depth:35; nocase; content:"licfile="; nocase; isdataat:500,relative; content:!"&"; within:500; content:!"|0D|"; within:500; content:!"|0A|"; within:500; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-6946; reference:url,redr2e.com/cve-to-poc-cve-2015-6946/; classtype:attempted-admin; sid:38288; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5054 (msg:"SERVER-WEBAPP Reprise License Manager akey stack buffer overflow attempt"; flow:to_server,established; content:"/goform/activate_doit"; depth:35; nocase; content:"akey="; nocase; isdataat:500,relative; content:!"&"; within:500; content:!"|0D|"; within:500; content:!"|0A|"; within:500; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-6946; reference:url,redr2e.com/cve-to-poc-cve-2015-6946/; classtype:attempted-admin; sid:38287; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5054 (msg:"SERVER-WEBAPP Reprise License Manager actserver stack buffer overflow attempt"; flow:to_server,established; content:"/goform/activate_doit"; depth:35; nocase; content:"actserver="; nocase; isdataat:500,relative; content:!"&"; within:500; content:!"|0D|"; within:500; content:!"|0A|"; within:500; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-6946; reference:url,redr2e.com/cve-to-poc-cve-2015-6946/; classtype:attempted-admin; sid:38286; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DIR-100 User-Agent backdoor access attempt"; flow:to_server,established; content:"User-Agent: xmlset_roodkcableoj28840ybtide|0D 0A|"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,62990; reference:cve,2013-6026; reference:url,www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor; classtype:attempted-admin; sid:28240; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress login denial of service attempt"; flow:to_server,established,only_stream; content:"wp-postpass_"; fast_pattern:only; content:"wp-postpass_"; http_cookie; content:"|25|24P|25|24Spaddding"; http_cookie; detection_filter:track by_src, count 500, seconds 5; metadata:service http; reference:url,seclists.org/bugtraq/2013/Jun/41; classtype:denial-of-service; sid:26981; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP D-Link DIR-300/DIR-600 unauthenticated remote command execution attempt"; flow:to_server,established; content:"POST"; depth:4; nocase; http_method; content:"/command.php"; fast_pattern:only; http_uri; content:"cmd="; nocase; http_client_body; metadata:service http; reference:bugtraq,57734; reference:url,exploit-db.com/exploits/24453/; reference:url,www.s3cur1ty.de/m1adv2013-003; classtype:attempted-admin; sid:26953; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 50000 (msg:"SERVER-WEBAPP SAP ConfigServlet command execution attempt"; flow:to_server,established; content:"/ctc/servlet/ConfigServlet"; http_uri; content:"param=com.sap.ctc.util.FileSystemConfig"; distance:0; http_uri; content:"EXECUTE_CMD"; distance:0; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf; classtype:attempted-admin; sid:26929; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP TWiki search function remote code execution attempt"; flow:to_server,established; content:"POST"; http_method; content:"/twiki/"; fast_pattern:only; http_uri; pcre:"/[?&](search|topic)=[^&]*?(\x27|%27)(\s*|(%20)*)(\x3b|%3b)/Psi"; metadata:service http; reference:bugtraq,11674; reference:cve,2004-1037; classtype:attempted-user; sid:26908; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP TWiki search function remote code execution attempt"; flow:to_server,established; content:"/twiki/"; fast_pattern:only; http_uri; pcre:"/[?&](search|topic)=[^&]*?(\x27|%27)(\s*|(%20)*)(\x3b|%3b)/Usi"; metadata:service http; reference:bugtraq,11674; reference:cve,2004-1037; classtype:attempted-user; sid:26907; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP FosWiki and TWiki MAKETEXT macro memory consumption denial of service attempt"; flow:to_server,established; content:"WIKISID="; http_cookie; content:"MAKETEXT"; fast_pattern:only; http_client_body; content:"%5b%5f"; http_client_body; pcre:"/\%5b\%5f[0-9]{16}/Psm"; metadata:service http; reference:bugtraq,56950; reference:cve,2012-6329; reference:cve,2012-6330; reference:url,foswiki.org/Support/SecurityAlert-CVE-2012-6330; reference:url,twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2012-6329; classtype:attempted-dos; sid:26905; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Mutiny editdocument servlet arbitrary file upload attempt"; flow:to_server,established; content:"/interface/editdocument"; fast_pattern:only; http_uri; content:"uploadFile"; nocase; http_client_body; content:"uploadPath"; nocase; http_client_body; pcre:"/uploadPath[^-]+?(%2e|\x2e){2}(%2f|\x2f)/miP"; metadata:policy security-ips drop, service http; reference:cve,2013-0136; classtype:attempted-admin; sid:26798; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Mutiny editdocument servlet arbitrary file access attempt"; flow:to_server,established; content:"/interface/editdocument"; fast_pattern:only; http_uri; content:"operation="; nocase; http_client_body; content:"paths"; nocase; http_client_body; pcre:"/(^|&)paths(%5b|\x5b)(%5d|\x5d)=[^&]*?(%2e|\x2e){2}(%2f|\x2f)/miP"; metadata:policy security-ips drop, service http; reference:cve,2013-0136; classtype:attempted-recon; sid:26797; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center UAM acmServletDownload information disclosure attempt"; flow:to_server,established; content:"/imc/download?"; fast_pattern:only; http_uri; content:"Name="; nocase; http_uri; content:"../"; distance:0; http_uri; pcre:"/[?&](path|file)Name=[^&]*?\x2e\x2e\x2f/iU"; metadata:service http; reference:bugtraq,58385; reference:cve,2012-5211; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; classtype:attempted-recon; sid:26794; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center SyslogDownloadServlet information disclosure attempt"; flow:to_server,established; content:"/imc/tmp/syslog/download?"; fast_pattern:only; http_uri; content:"fileName="; nocase; http_uri; content:"../"; distance:0; http_uri; metadata:service http; reference:bugtraq,58385; reference:cve,2012-5206; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; classtype:attempted-recon; sid:26669; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Windows 2012 Server additional empty Accept-Encoding field denial of service attempt"; flow:to_server,established; content:"Accept-Encoding:"; http_header; content:"Accept-Encoding:|0D 0A|"; distance:0; http_header; metadata:service http; reference:cve,2013-1305; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-039; classtype:attempted-dos; sid:26632; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP htmlspecialchars htmlentities function buffer overflow attempt"; flow:to_server,established; content:"ї|3B|"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,51860; reference:url,bugs.php.net/bug.php?id=60965; classtype:attempted-admin; sid:26593; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress brute-force login attempt"; flow:to_server,established,only_stream; content:"POST"; nocase; http_method; content:"|2F|wp|2D|login|2E|php"; fast_pattern:only; http_uri; detection_filter:track by_src, count 26, seconds 60; metadata:service http; reference:url,blog.spiderlabs.com/2013/04/defending-wordpress-logins-from-brute-force-attacks.html; reference:url,blog.sucuri.net/2013/04/mass-wordpress-brute-force-attacks-myth-or-reality.html; classtype:suspicious-login; sid:26557; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center ReportImgServlet information disclosure attempt"; flow:to_server,established; content:"/imc/reportImg?"; fast_pattern:only; http_uri; content:"path="; nocase; http_uri; content:"../"; distance:0; http_uri; metadata:service http; reference:bugtraq,58672; reference:cve,2012-5203; reference:url,h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276; classtype:attempted-recon; sid:26523; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP Intelligent Management Center IctDownloadServlet information disclosure attempt"; flow:to_server,established; content:"/imc/tmp/ict/download"; fast_pattern:only; http_uri; content:"fileName="; nocase; http_uri; content:"../"; distance:0; http_uri; metadata:service http; reference:bugtraq,58676; reference:bugtraq,68546; reference:cve,2012-5204; reference:cve,2014-2621; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03689276; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c04369484; classtype:attempted-recon; sid:26505; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP JavaScript tag in User-Agent field possible XSS attempt"; flow:to_server,established; content:"User-Agent|3A|