snort2-docker/docker/etc/rules/server-iis.rules
2020-02-24 08:56:30 -05:00

218 lines
77 KiB
Plaintext

# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#------------------
# SERVER-IIS RULES
#------------------
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7000 (msg:"SERVER-IIS Microsoft Windows Server 2012 IIS OData protocol nested replace filter dos attempt"; flow:to_server,established; content:"replace|28|replace|28|replace|28|replace|28|"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2013-0005; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-007; classtype:attempted-dos; sid:25274; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS .NET null character username truncation attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:".asp"; nocase; http_uri; content:"email="; http_client_body; pcre:"/(^|&)email=[^&$]*?(\x00|%00)/Pims"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-3416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-100; classtype:suspicious-login; sid:25251; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS UNC mapped virtual host file source code access attempt"; flow:to_server,established; content:"htr|25|5C"; nocase; http_raw_uri; pcre:"/htr\x255C$/Ii"; metadata:service http; reference:bugtraq,1081; reference:cve,2000-0246; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-019; classtype:attempted-recon; sid:24867; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS UNC mapped virtual host file source code access attempt"; flow:to_server,established; content:"asp|25|5C"; nocase; http_raw_uri; pcre:"/asp\x255c$/Ii"; metadata:service http; reference:bugtraq,1081; reference:cve,2000-0246; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-019; classtype:attempted-recon; sid:24866; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt"; flow:to_server,established; content:"aaa: aa|0D 0A|aab: aa|0D 0A|aac: aa|0D 0A|"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43138; reference:cve,2010-2730; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-065; classtype:attempted-admin; sid:24380; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt"; flow:to_server,established; content:"HTTP/1."; fast_pattern:only; pcre:"/(^[^\r\n]+?\r?\n){16}/mH"; metadata:service http; reference:bugtraq,43138; reference:cve,2010-2730; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-065; classtype:attempted-admin; sid:24379; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt"; flow:to_server,established; content:"HEAD"; nocase; http_method; content:"|0D 0A 0D 0A|"; distance:0; pcre:"/^(?P<p1>\w+)=(?P<v1>\w+)\&((?P=p1)=(?P=v1)\&){15}/R"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43140; reference:cve,2010-1899; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-065; classtype:attempted-dos; sid:24276; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt"; flow:to_server,established; content:"Q=M&Q=M&Q=M&Q=M&Q=M&"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43140; reference:cve,2010-1899; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-065; classtype:attempted-dos; sid:24275; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt"; flow:to_server,established; content:"C=A&C=A&C=A&C=A&C=A&"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43140; reference:cve,2010-1899; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-065; classtype:attempted-dos; sid:24274; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS tilde character file name discovery attempt"; flow:to_server,established; content:"~1."; fast_pattern:only; http_uri; metadata:service http; reference:url,soroush.secproject.com/blog/2012/06/microsoft-iis-tilde-character-vulnerabilityfeature-short-filefolder-name-disclosure/; classtype:attempted-recon; sid:23362; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS tilde character file name discovery attempt"; flow:to_server,established; content:"%3f%3f"; fast_pattern:only; content:"%3f%3f"; http_raw_uri; metadata:service http; reference:url,soroush.secproject.com/blog/2012/06/microsoft-iis-tilde-character-vulnerabilityfeature-short-filefolder-name-disclosure/; classtype:attempted-recon; sid:23361; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS tilde character file name discovery attempt"; flow:to_server,established,only_stream; content:"~1"; http_uri; content:"?aspxerrorpath=/"; distance:0; http_uri; detection_filter:track by_src, count 10, seconds 5; metadata:service http; reference:url,soroush.secproject.com/blog/2012/06/microsoft-iis-tilde-character-vulnerabilityfeature-short-filefolder-name-disclosure/; classtype:attempted-recon; sid:23360; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt"; flow:to_server,established; content:"|2E|php|3B|"; fast_pattern:only; http_uri; pcre:"/\x2ephp\x3b[^\x3f\x3b]*\x2e(bmp|jpg|gif|txt|png|pdf|htm)/Ui"; metadata:service http; reference:bugtraq,37460; reference:cve,2009-4444; reference:url,blogs.technet.com/msrc/archive/2009/12/27/new-reports-of-a-vulnerability-in-iis.aspx; classtype:web-application-attack; sid:21606; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt"; flow:to_server,established; content:"|2E|stm|3B|"; fast_pattern:only; http_uri; pcre:"/\x2estm\x3b[^\x3f\x3b]*\x2e(bmp|jpg|gif|txt|png|pdf|htm)/Ui"; metadata:service http; reference:bugtraq,37460; reference:cve,2009-4444; reference:url,blogs.technet.com/msrc/archive/2009/12/27/new-reports-of-a-vulnerability-in-iis.aspx; classtype:web-application-attack; sid:21605; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt"; flow:to_server,established; content:"|2E|shtml|3B|"; fast_pattern:only; http_uri; pcre:"/\x2eshtml\x3b[^\x3f\x3b]*\x2e(bmp|jpg|gif|txt|png|pdf|htm)/Ui"; metadata:service http; reference:bugtraq,37460; reference:cve,2009-4444; reference:url,blogs.technet.com/msrc/archive/2009/12/27/new-reports-of-a-vulnerability-in-iis.aspx; classtype:web-application-attack; sid:21604; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt"; flow:to_server,established; content:"|2E|shtm|3B|"; fast_pattern:only; http_uri; pcre:"/\x2eshtm\x3b[^\x3f\x3b]*\x2e(bmp|jpg|gif|txt|png|pdf|htm)/Ui"; metadata:service http; reference:bugtraq,37460; reference:cve,2009-4444; reference:url,blogs.technet.com/msrc/archive/2009/12/27/new-reports-of-a-vulnerability-in-iis.aspx; classtype:web-application-attack; sid:21603; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt"; flow:to_server,established; content:"|2E|cer|3B|"; fast_pattern:only; http_uri; pcre:"/\x2ecer\x3b[^\x3f\x3b]*\x2e(bmp|jpg|gif|txt|png|pdf|htm)/Ui"; metadata:service http; reference:bugtraq,37460; reference:cve,2009-4444; reference:url,blogs.technet.com/msrc/archive/2009/12/27/new-reports-of-a-vulnerability-in-iis.aspx; classtype:web-application-attack; sid:21602; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt"; flow:to_server,established; content:"|2E|cdx|3B|"; fast_pattern:only; http_uri; pcre:"/\x2ecdx\x3b[^\x3f\x3b]*\x2e(bmp|jpg|gif|txt|png|pdf|htm)/Ui"; metadata:service http; reference:bugtraq,37460; reference:cve,2009-4444; reference:url,blogs.technet.com/msrc/archive/2009/12/27/new-reports-of-a-vulnerability-in-iis.aspx; classtype:web-application-attack; sid:21601; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt"; flow:to_server,established; content:"|2E|asp|3B|"; fast_pattern:only; http_uri; pcre:"/\x2easp\x3b[^\x3f\x3b]*\x2e(bmp|jpg|gif|txt|png|pdf|htm)/Ui"; metadata:service http; reference:bugtraq,37460; reference:cve,2009-4444; reference:url,blogs.technet.com/msrc/archive/2009/12/27/new-reports-of-a-vulnerability-in-iis.aspx; classtype:web-application-attack; sid:21600; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt"; flow:to_server,established; content:"|2E|asa|3B|"; fast_pattern:only; http_uri; pcre:"/\x2easa\x3b[^\x3f\x3b]*\x2e(bmp|jpg|gif|txt|png|pdf|htm)/Ui"; metadata:service http; reference:bugtraq,37460; reference:cve,2009-4444; reference:url,blogs.technet.com/msrc/archive/2009/12/27/new-reports-of-a-vulnerability-in-iis.aspx; classtype:web-application-attack; sid:21599; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS5 NTLM and basic authentication bypass attempt"; flow:to_server,established; content:"/null.htw"; nocase; http_uri; content:"CiWebhitsfile="; nocase; http_uri; pcre:"/null\.htw[^$]*?[\x3f\x26]CiWebhitsfile=[^\x26]+\x26/Ui"; metadata:service http; reference:bugtraq,24105; reference:cve,2007-2815; reference:url,support.microsoft.com/kb/328832; classtype:attempted-user; sid:21161; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-IIS Microsoft Active Directory Federation Services code execution attempt"; flow:to_client,established; content:"pFilterCtxHdr"; nocase; http_header; metadata:service http; reference:cve,2009-2509; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-070; reference:url,www.securityfocus.com/bid/37214; classtype:web-application-attack; sid:20675; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS UNC mapped virtual host file source code access attempt"; flow:to_server,established; content:"htr|5C|"; nocase; http_raw_uri; pcre:"/htr\x5C$/Ii"; metadata:service http; reference:bugtraq,1081; reference:cve,2000-0246; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-019; classtype:attempted-recon; sid:20665; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS UNC mapped virtual host file source code access attempt"; flow:to_server,established; content:"asp|5C|"; nocase; http_raw_uri; pcre:"/asp\x5C$/Ii"; metadata:service http; reference:bugtraq,1081; reference:cve,2000-0246; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-019; classtype:attempted-recon; sid:20664; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS source code disclosure attempt"; flow:to_server,established; content:"http|3A 2F|localhost"; depth:16; nocase; http_uri; content:"Host: localhost"; nocase; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2678; reference:url,secunia.com/advisories/16548; classtype:misc-attack; sid:17652; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS source code disclosure attempt"; flow:to_server,established; content:"Translate|3A| "; nocase; byte_test:1,=,102,0,relative; pcre:"/%.*%/smiI"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14764; classtype:attempted-recon; sid:17648; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS RSA authentication agent for web redirect buffer overflow attempt"; flow:to_server,established; content:"IISWebAgentIF.dll"; fast_pattern:only; http_uri; content:"Redirect"; nocase; http_uri; content:"url="; distance:0; nocase; http_uri; pcre:"/IISWebAgentIF\.dll[^\n]*?Redirect[^\n]*?[?&]url=[^\n&]{256}/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26424; reference:cve,2005-1471; reference:cve,2005-4734; classtype:attempted-admin; sid:17440; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS multiple extension code execution attempt"; flow:to_server,established; content:".asp|3B|."; nocase; http_uri; metadata:service http; reference:cve,2009-4444; classtype:web-application-attack; sid:16356; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS ADFS custom header arbitrary code execution attempt "; flow:to_server,established; content:"pFilterCtxHdr"; nocase; http_header; metadata:service http; reference:cve,2009-2509; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-070; classtype:attempted-admin; sid:16312; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS malicious ASP file upload attempt"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; http_header; content:"form-data"; within:20; nocase; http_header; content:"filename="; nocase; http_header; content:"<!--|23|include"; distance:0; fast_pattern; nocase; pcre:"/filename\x3d\x22[^\x22]*asp/smiH"; pcre:"/\x3c\x21\x2d\x2d\x23include\s+file\s*=\s*.{250,}-->/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,18858; reference:cve,2006-0026; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-034; classtype:attempted-user; sid:12595; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS w3svc _vti_bin null pointer dereference attempt"; flow:to_server,established; content:"/_vti_bin/.dll/"; pcre:"/\/_vti_bin\/\.dll\/(%(0[1-9]|1[0-f])|%3f|\x22|\x2a|\x3a|<|>)[\\\/]~[0-9]/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,15921; reference:cve,2005-4360; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-041; classtype:attempted-dos; sid:12064; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft XML parser IIS WebDAV attack attempt"; flow:established,to_server; content:"PROPFIND"; depth:8; nocase; pcre:"/(xmlns\x3A.*?){15}/"; metadata:service http; reference:bugtraq,11384; reference:cve,2003-0718; classtype:denial-of-service; sid:12043; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft Content Management Server memory corruption"; flow:to_server,established; content:"/NR/exeres/"; fast_pattern; nocase; http_uri; content:"frameless"; http_uri; content:!",frameless"; http_uri; metadata:service http; reference:bugtraq,22861; reference:cve,2007-0938; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-018; classtype:attempted-user; sid:11191; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ASP.NET 2.0 cross-site scripting attempt"; flow:to_server,established; content:"__LASTFOCUS="; fast_pattern:only; pcre:"/__LASTFOCUS=(?!([_a-z]\w*|)([\x26\x3B]|$))/i"; metadata:service http; reference:bugtraq,20337; reference:cve,2006-3436; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-056; classtype:attempted-user; sid:8700; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Indexing Service ciRestriction cross-site scripting attempt"; flow:to_server,established; content:"default.idq"; nocase; content:"ciRestriction"; distance:0; nocase; content:"script"; distance:0; nocase; pcre:"/default\.idq[^\r\n]*ciRestriction[^\r\n]*script/smi"; metadata:service http; reference:bugtraq,19927; reference:cve,2006-0032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-053; classtype:misc-attack; sid:8349; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft Office FrontPage server extensions 2002 cross site scripting attempt"; flow:to_server,established; content:"_vti_bin/_vti_adm/fpadmdll.dll"; fast_pattern:only; http_uri; content:"name="; nocase; http_client_body; pcre:"/name\x3D[^\x26]*?(\x2D|\x252D){2}(\x3E|\x253E)/iP"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17452; reference:cve,2006-0015; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-017; classtype:attempted-user; sid:7029; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft Office FrontPage server extensions 2002 cross site scripting attempt"; flow:to_server,established; content:"_vti_bin/_vti_adm/fpadmdll.dll"; fast_pattern:only; http_uri; content:"command="; nocase; http_client_body; pcre:"/command\x3D[^\x26]*?(\x2D|\x252D){2}(\x3E|\x253E)/iP"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17452; reference:cve,2006-0015; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-017; classtype:attempted-user; sid:7028; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS httpodbc.dll access - nimda"; flow:to_server,established; content:"/httpodbc.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2708; reference:cve,2001-0333; classtype:web-application-activity; sid:3201; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .bat executable file parsing attack"; flow:to_server,established; content:".bat|22|"; nocase; http_uri; pcre:"/\x2ebat\x22.*?\x26/Usmi"; metadata:ruleset community, service http; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:3194; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .cmd executable file parsing attack"; flow:to_server,established; content:".cmd|22|"; nocase; http_uri; pcre:"/\x2ecmd\x22.*?\x26/smUi"; metadata:ruleset community, service http; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:3193; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS SQLXML content type overflow"; flow:to_server,established; pcre:"/\.x[sm]l/Ui"; content:"contenttype="; http_uri; pcre:"/contenttype=[^\r\n\x3b\x38]{100}/smiU"; metadata:ruleset community, service http; reference:bugtraq,5004; reference:cve,2002-0186; reference:nessus,11304; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-030; reference:url,www.westpoint.ltd.uk/advisories/wp-02-0007.txt; classtype:attempted-admin; sid:3150; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ping.asp access"; flow:to_server,established; content:"/ping.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10968; classtype:web-application-activity; sid:2667; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS SmarterTools SmarterMail frmCompose.asp access"; flow:to_server,established; content:"/frmCompose.aspx"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,9805; reference:cve,2004-2585; classtype:web-application-activity; sid:2573; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt"; flow:to_server,established; content:"/login.aspx"; nocase; http_uri; content:"txtusername="; isdataat:980,relative; content:!"|0A|"; within:980; nocase; metadata:ruleset community, service http; reference:bugtraq,9805; reference:cve,2004-2585; classtype:web-application-attack; sid:2572; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS SmarterTools SmarterMail frmGetAttachment.aspx access"; flow:to_server,established; content:"/frmGetAttachment.aspx"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,9805; reference:cve,2004-2585; classtype:web-application-activity; sid:2571; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS NTLM ASN1 vulnerability scan attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"Negotiate"; within:20; nocase; http_header; content:"YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; within:100; http_header; metadata:ruleset community, service http; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:attempted-dos; sid:2386; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS sgdynamo.exe access"; flow:to_server,established; content:"/sgdynamo.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4720; reference:cve,2002-0375; reference:nessus,11955; classtype:web-application-activity; sid:2326; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS VP-ASP ShopDisplayProducts.asp access"; flow:to_server,established; content:"/ShopDisplayProducts.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2325; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS VP-ASP shopsearch.asp access"; flow:to_server,established; content:"/shopsearch.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2324; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS foxweb.dll access"; flow:to_server,established; content:"/foxweb.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11939; classtype:web-application-activity; sid:2322; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS foxweb.exe access"; flow:to_server,established; content:"/foxweb.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11939; classtype:web-application-activity; sid:2321; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /pcadmin/login.asp access"; flow:to_server,established; content:"/pcadmin/login.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,8103; reference:nessus,11785; classtype:web-application-activity; sid:2249; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS DirectoryListing.asp access"; flow:to_server,established; content:"/DirectoryListing.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2001-0938; classtype:web-application-activity; sid:2248; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS UploadScript11.asp access"; flow:to_server,established; content:"/UploadScript11.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,3608; reference:cve,2001-0938; reference:nessus,11746; classtype:web-application-activity; sid:2247; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS IISProtect globaladmin.asp access"; flow:to_server,established; content:"/iisprotect/admin/GlobalAdmin.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11661; classtype:web-application-activity; sid:2157; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS register.asp access"; flow:to_server,established; content:"/register.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11621; classtype:web-application-activity; sid:2134; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MS BizTalk server access"; flow:to_server,established; content:"/biztalkhttpreceive.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,7469; reference:bugtraq,7470; reference:cve,2003-0117; reference:cve,2003-0118; reference:nessus,11638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-016; classtype:web-application-activity; sid:2133; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Synchrologic Email Accelerator userid list access attempt"; flow:to_server,established; content:"/en/admin/aggregate.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11657; classtype:web-application-activity; sid:2132; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS IISProtect access"; flow:to_server,established; content:"/iisprotect/admin/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11661; classtype:web-application-activity; sid:2131; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS IISProtect siteadmin.asp access"; flow:to_server,established; content:"/iisprotect/admin/SiteAdmin.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,7675; reference:cve,2003-0377; reference:nessus,11662; classtype:web-application-activity; sid:2130; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS nsiislog.dll access"; flow:to_server,established; content:"/nsiislog.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8035; reference:cve,2003-0227; reference:cve,2003-0349; reference:nessus,11664; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-018; classtype:web-application-activity; sid:2129; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Battleaxe Forum login.asp access"; flow:to_server,established; content:"myaccount/login.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,7416; reference:cve,2003-0215; reference:nessus,11548; classtype:web-application-activity; sid:2117; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH / HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|"; within:255; metadata:ruleset community, service http; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-007; classtype:attempted-admin; sid:2091; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|"; http_header; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; http_header; metadata:ruleset community, service http; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:nessus,11413; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-007; classtype:attempted-admin; sid:2090; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MDAC Content-Type overflow attempt"; flow:to_server,established; content:"/msadcs.dll"; nocase; http_uri; content:"Content-Type|3A|"; nocase; isdataat:50,relative; content:!"|0A|"; within:50; pcre:"/^POST\s/smi"; metadata:ruleset community, service http; reference:bugtraq,6214; reference:cve,2002-1142; reference:nessus,11161; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS98-004; reference:url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337; classtype:web-application-attack; sid:1970; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MS Site Server admin attempt"; flow:to_server,established; content:"/Site Server/Admin/knowledge/persmbr/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11018; classtype:web-application-attack; sid:1818; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MS Site Server default login attempt"; flow:to_server,established; content:"/SiteServer/Admin/knowledge/persmbr/"; nocase; http_uri; pcre:"/^Authorization\x3A\s*Basic\s+TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE=/smi"; metadata:ruleset community, service http; reference:nessus,11018; reference:url,attack.mitre.org/techniques/T1078; classtype:web-application-attack; sid:1817; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .htr chunked Transfer-Encoding"; flow:to_server,established; content:".htr"; nocase; http_uri; content:"Transfer-Encoding|3A|"; nocase; http_header; content:"chunked"; nocase; http_header; metadata:ruleset community, service http; reference:bugtraq,4855; reference:bugtraq,5003; reference:cve,2002-0364; reference:nessus,11028; classtype:web-application-attack; sid:1806; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .cdx HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; content:".cdx"; fast_pattern; nocase; http_uri; content:"|3A|"; content:"|0A|"; content:"|00|"; metadata:ruleset community, service http; reference:bugtraq,4476; reference:cve,2002-0150; reference:nessus,10936; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018; classtype:web-application-attack; sid:1804; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .cer HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; content:".cer"; fast_pattern; nocase; http_uri; content:"|3A|"; content:"|0A|"; content:"|00|"; metadata:ruleset community, service http; reference:bugtraq,4476; reference:cve,2002-0150; reference:nessus,10936; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018; classtype:web-application-attack; sid:1803; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .asa HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; content:".asa"; fast_pattern; nocase; http_uri; content:"|3A|"; content:"|0A|"; content:"|00|"; metadata:ruleset community, service http; reference:bugtraq,4476; reference:cve,2002-0150; reference:nessus,10936; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018; classtype:web-application-attack; sid:1802; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS pbserver access"; flow:to_server,established; content:"/pbserver/pbserver.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2000-1089; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-094; classtype:web-application-activity; sid:1772; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS NewsPro administration authentication attempt"; flow:to_server,established; content:"logged,true"; metadata:ruleset community, service http; reference:bugtraq,4672; reference:cve,2002-1734; classtype:web-application-activity; sid:1756; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS as_web4.exe access"; flow:to_server,established; content:"/as_web4.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4670; reference:cve,2002-1727; reference:cve,2002-1728; classtype:web-application-activity; sid:1754; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS as_web.exe access"; flow:to_server,established; content:"/as_web.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4670; reference:cve,2002-1727; reference:cve,2002-1728; classtype:web-application-activity; sid:1753; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS users.xml access"; flow:to_server,established; content:"/users.xml"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1750; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS doctodep.btr access"; flow:to_server,established; content:"doctodep.btr"; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1726; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS +.htr code fragment attempt"; flow:to_server,established; content:" .htr"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1488; reference:cve,2000-0630; reference:cve,2001-0004; reference:nessus,10680; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-044; reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004 ; classtype:web-application-attack; sid:1725; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS cmd32.exe access"; flow:to_server,established; content:"cmd32.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:1661; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS trace.axd access"; flow:to_server,established; content:"/trace.axd"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10993; classtype:web-application-activity; sid:1660; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /StoreCSVS/InstantOrder.asmx request"; flow:to_server,established; content:"/StoreCSVS/InstantOrder.asmx"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1626; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .asp chunked Transfer-Encoding"; flow:to_server,established; content:".asp"; nocase; http_uri; content:"Transfer-Encoding|3A|"; nocase; http_header; content:"chunked"; nocase; http_header; metadata:ruleset community, service http; reference:bugtraq,4474; reference:bugtraq,4485; reference:cve,2002-0071; reference:cve,2002-0079; reference:nessus,10932; classtype:web-application-attack; sid:1618; rev:26;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS htimage.exe access"; flow:to_server,established; content:"/htimage.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1117; reference:bugtraq,964; reference:cve,2000-0122; reference:cve,2000-0256; reference:nessus,10376; classtype:web-application-activity; sid:1595; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /exchange/root.asp access"; flow:to_server,established; content:"/exchange/root.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,3301; reference:cve,2001-0660; reference:nessus,10755; reference:nessus,10781; classtype:web-application-activity; sid:1568; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /exchange/root.asp attempt"; flow:to_server,established; content:"/exchange/root.asp?"; nocase; http_uri; content:"acs=anon"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,3301; reference:cve,2001-0660; reference:nessus,10755; reference:nessus,10781; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-047; classtype:web-application-attack; sid:1567; rev:26;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /iisadmpwd/aexp2.htr access"; flow:to_server,established; content:"/iisadmpwd/aexp2.htr"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2110; reference:bugtraq,4236; reference:cve,1999-0407; reference:cve,2002-0421; reference:nessus,10371; classtype:web-application-activity; sid:1487; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ctss.idc access"; flow:to_server,established; content:"/ctss.idc"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10359; classtype:web-application-activity; sid:1486; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS mkilog.exe access"; flow:to_server,established; content:"/mkilog.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10359; classtype:web-application-activity; sid:1485; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS iissamples access"; flow:to_server,established; content:"/iissamples/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-attack; sid:1402; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /msadc/samples/ access"; flow:to_server,established; content:"/msadc/samples/"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:1401; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /scripts/samples/ access"; flow:to_server,established; content:"/scripts/samples/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10370; classtype:web-application-attack; sid:1400; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Form_VBScript.asp access"; flow:to_server,established; content:"/Form_VBScript.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-060; classtype:web-application-attack; sid:1380; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS _mem_bin access"; flow:to_server,established; content:"/_mem_bin/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1286; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS msdac access"; flow:to_server,established; content:"/msdac/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1285; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft Office Outlook web dos"; flow:to_server,established; content:"/exchange/LogonFrm.asp?"; fast_pattern; nocase; http_uri; content:"mailbox="; nocase; content:"%%%"; metadata:ruleset community, service http; reference:bugtraq,3223; classtype:web-application-attack; sid:1283; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS CodeRed v2 root.exe access"; flow:to_server,established; content:"/root.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .idq access"; flow:to_server,established; content:".idq"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1245; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .idq attempt"; flow:to_server,established; content:".idq?"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1065; reference:bugtraq,968; reference:cve,2000-0071; reference:cve,2000-0126; reference:cve,2001-0500; reference:nessus,10115; classtype:web-application-attack; sid:1244; rev:28;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .ida attempt"; flow:to_server,established; content:".ida?"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1065; reference:cve,2000-0071; reference:cve,2001-0500; classtype:web-application-attack; sid:1243; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .ida access"; flow:to_server,established; content:".ida"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1242; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS repost.asp access"; flow:to_server,established; content:"/scripts/repost.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10372; classtype:web-application-activity; sid:1076; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS postinfo.asp access"; flow:to_server,established; content:"/scripts/postinfo.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1075; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS site/iisamples access"; flow:to_server,established; content:"/site/iisamples"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10370; classtype:web-application-activity; sid:1046; rev:20;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER-IIS Unauthorized IP Access Attempt"; flow:to_client,established; content:"403"; content:"Forbidden|3A|"; metadata:ruleset community, service http; classtype:web-application-attack; sid:1045; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS webhits access"; flow:to_server,established; content:".htw"; http_uri; metadata:ruleset community, service http; reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1044; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS viewcode.asp access"; flow:to_server,established; content:"/viewcode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0737; reference:nessus,10576; classtype:web-application-activity; sid:1043; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS uploadn.asp access"; flow:to_server,established; content:"/scripts/uploadn.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1041; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS srchadm access"; flow:to_server,established; content:"/srchadm"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1040; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS srch.htm access"; flow:to_server,established; content:"/samples/isapi/srch.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1039; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS site server config access"; flow:to_server,established; content:"/adsamples/config/site.csc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,256; reference:cve,1999-1520; classtype:web-application-activity; sid:1038; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS showcode.asp access"; flow:to_server,established; content:"/showcode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,10007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-013; classtype:web-application-activity; sid:1037; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS viewcode access"; flow:to_server,established; content:"/Sites/Samples/Knowledge/Search/ViewCode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1036; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS viewcode access"; flow:to_server,established; content:"/Sites/Samples/Knowledge/Push/ViewCode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1035; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS viewcode access"; flow:to_server,established; content:"/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1034; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS viewcode access"; flow:to_server,established; content:"/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1033; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS showcode access"; flow:to_server,established; content:"/Sites/Knowledge/Membership/Inspired/ViewCode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1032; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /SiteServer/Publishing/viewcode.asp access"; flow:to_server,established; content:"/SiteServer/Publishing/viewcode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10576; classtype:web-application-activity; sid:1031; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS search97.vts access"; flow:to_server,established; content:"/search97.vts"; http_uri; metadata:ruleset community, service http; reference:bugtraq,162; classtype:web-application-activity; sid:1030; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS scripts-browse access"; flow:to_server,established; content:"/scripts/ "; fast_pattern:only; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-attack; sid:1029; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS perl-browse space attempt"; flow:to_server,established; content:" .pl"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,6833; reference:cve,2003-1365; classtype:web-application-attack; sid:1027; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS perl-browse newline attempt"; flow:to_server,established; content:"|0A|.pl"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,6833; reference:cve,2003-1365; classtype:web-application-attack; sid:1026; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS perl access"; flow:to_server,established; content:"/scripts/perl"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1025; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS newdsn.exe access"; flow:to_server,established; content:"/scripts/tools/newdsn.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1818; reference:cve,1999-0191; reference:nessus,10360; classtype:web-application-activity; sid:1024; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS msadcs.dll access"; flow:to_server,established; content:"/msadcs.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,529; reference:cve,1999-1011; reference:nessus,10357; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-025; classtype:web-application-activity; sid:1023; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS jet vba access"; flow:to_server,established; content:"/advworks/equipment/catalog_type.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,286; reference:cve,1999-0874; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-030; classtype:web-application-activity; sid:1022; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ism.dll attempt"; flow:to_server,established; content:" .htr"; nocase; http_uri; pcre:"/\s{230,}\.htr/U"; metadata:ruleset community, service http; reference:bugtraq,1193; reference:cve,2000-0457; reference:nessus,10680; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-031; classtype:web-application-attack; sid:1021; rev:29;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS isc$data attempt"; flow:to_server,established; content:".idc|3A 3A 24|data"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-attack; sid:1020; rev:26;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Malformed Hit-Highlighting Argument File Access Attempt"; flow:to_server,established; content:"CiWebHitsFile="; nocase; http_uri; pcre:"/CiWebHitsFile=\/?([^\r\n\x3b\&]*\.\.\/)?/i"; content:"CiRestriction=none"; fast_pattern; nocase; http_uri; content:"ciHiliteType=Full"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,950; reference:cve,2000-0097; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-006; reference:url,www.securityfocus.com/archive/1/43762; classtype:web-application-attack; sid:1019; rev:30;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS iisadmpwd attempt"; flow:to_server,established; content:"/iisadmpwd/aexp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2110; reference:cve,1999-0407; reference:nessus,10371; classtype:web-application-attack; sid:1018; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS idc-srch attempt"; flow:to_server,established; content:"|23|filename=*.idc"; fast_pattern:only; metadata:ruleset community, service http; reference:cve,1999-0874; classtype:web-application-attack; sid:1017; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS global.asa access"; flow:to_server,established; content:"/global.asa"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2000-0778; reference:cve,2001-0004; reference:nessus,10491; reference:nessus,10991; reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004; classtype:web-application-activity; sid:1016; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS getdrvs.exe access"; flow:to_server,established; content:"/scripts/tools/getdrvs.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1015; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS fpcount access"; flow:to_server,established; content:"/fpcount.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-activity; sid:1013; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS fpcount attempt"; flow:to_server,established; content:"/fpcount.exe"; fast_pattern; nocase; http_uri; content:"Digits="; nocase; metadata:ruleset community, service http; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-attack; sid:1012; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS exec-src access"; flow:to_server,established; content:"|23|filename=*.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1011; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS encoding access"; flow:to_server,established; content:"%1u"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,886; reference:cve,2000-0024; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-061; classtype:web-application-activity; sid:1010; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS directory listing"; flow:to_server,established; content:"/ServerVariables_Jscript.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10573; classtype:web-application-attack; sid:1009; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS del attempt"; flow:to_server,established; content:"&del+/s+c|3A 5C|*.*"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1008; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Form_JScript.asp access"; flow:to_server,established; content:"/Form_JScript.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-060; classtype:web-application-attack; sid:1007; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS codebrowser SDK access"; flow:to_server,established; content:"/iissamples/sdk/asp/docs/codebrws.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,167; reference:cve,1999-0736; classtype:web-application-activity; sid:1005; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS codebrowser Exair access"; flow:to_server,established; content:"/iissamples/exair/howitworks/codebrws.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0499; reference:cve,1999-0815; classtype:web-application-activity; sid:1004; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS cmd? access"; flow:to_server,established; content:".cmd?&"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1003; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:1002; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS bdir.htr access"; flow:to_server,established; content:"/bdir.htr"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2280; reference:nessus,10577; classtype:web-application-activity; sid:1000; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS bdir access"; flow:to_server,established; content:"/scripts/iisadmin/bdir.htr"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2280; classtype:web-application-activity; sid:999; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS asp-srch attempt"; flow:to_server,established; content:"|23|filename=*.asp"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:998; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS asp-dot attempt"; flow:to_server,established; content:".asp."; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1814; reference:nessus,10363; classtype:web-application-attack; sid:997; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS anot.htr access"; flow:to_server,established; content:"/iisadmpwd/anot"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:996; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ism.dll access"; flow:to_server,established; content:"/scripts/iisadmin/ism.dll?http/dir"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,189; reference:cve,1999-1538; reference:cve,2000-0630; classtype:web-application-attack; sid:995; rev:26;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /scripts/iisadmin/default.htm access"; flow:to_server,established; content:"/scripts/iisadmin/default.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:994; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS iisadmin access"; flow:to_server,established; content:"/iisadmin"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,189; reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack; sid:993; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS adctest.asp access"; flow:to_server,established; content:"/msadc/samples/adctest.asp"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:992; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS achg.htr access"; flow:to_server,established; content:"/iisadmpwd/achg.htr"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:991; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MSProxy access"; flow:to_server,established; content:"/scripts/proxy/w3proxy.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:url,support.microsoft.com/?kbid=331066; classtype:web-application-activity; sid:986; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS JET VBA access"; flow:to_server,established; content:"/scripts/samples/details.idc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,286; reference:cve,1999-0874; classtype:web-application-activity; sid:985; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS JET VBA access"; flow:to_server,established; content:"/scripts/samples/ctguestb.idc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-activity; sid:984; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS CGImail.exe access"; flow:to_server,established; content:"/scripts/CGImail.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1623; reference:cve,2000-0726; reference:nessus,11721; classtype:web-application-activity; sid:980; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ASP contents view"; flow:to_server,established; content:".htw?CiWebHitsFile"; fast_pattern; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1861; reference:cve,2000-0942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006; classtype:web-application-attack; sid:979; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ASP contents view"; flow:to_server,established; content:"%20"; content:"&CiRestriction=none"; nocase; content:"&CiHiliteType=Full"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,1084; reference:cve,2000-0302; reference:nessus,10356; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006; classtype:web-application-attack; sid:978; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .cnf access"; flow:to_server,established; content:".cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:977; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Alternate Data streams ASP file access attempt"; flow:to_server,established; content:".asp|3A 3A 24|DATA"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q188806; classtype:web-application-attack; sid:975; rev:26;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS *.idc attempt"; flow:to_server,established; content:"/*.idc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1448; reference:cve,1999-0874; reference:cve,2000-0661; classtype:web-application-attack; sid:973; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS WebDAV file lock attempt"; flow:to_server,established; content:"LOCK "; depth:5; metadata:ruleset community, service http; reference:bugtraq,2736; reference:nessus,10732; classtype:web-application-activity; sid:969; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows ASP .NET denial of service attempt"; flow:to_server,established,only_stream; content:".aspx"; fast_pattern:only; http_uri; content:"POST"; http_method; content:"Expect|3A| 100-continue"; http_header; content:"Connection|3A| Keep-Alive"; http_header; detection_filter:track by_src, count 1000, seconds 1; metadata:service http; reference:cve,2014-0253; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-009; classtype:denial-of-service; sid:29715; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-IIS Microsoft Windows Server 2012 IIS OData protocol nested replace filter dos attempt"; flow:to_server,established; content:"replace|28|replace|28|replace|28|replace|28|"; depth:250; nocase; content:"HTTP|2F|"; within:500; nocase; content:"Host|3A|"; nocase; reference:cve,2013-0005; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-007; classtype:attempted-dos; sid:29866; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Web.config information disclosure attempt"; flow:to_server,established; content:"/ /"; fast_pattern:only; http_uri; pcre:"/\x2F\x20\x2F$/U"; metadata:service http; reference:cve,2015-1648; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-041; classtype:web-application-attack; sid:34088; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft IIS Range header integer overflow attempt"; flow:to_server,established; content:"Range"; nocase; http_header; content:"bytes"; distance:0; nocase; http_header; content:!"|0A|"; within:12; http_header; pcre:"/^Range\s*\x3a\s*bytes\s*\x3d[^\x0a]*?\d{11}/Him"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,74013; reference:cve,2015-1635; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-034; classtype:attempted-dos; sid:34061; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS .NET null character username truncation attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:".asp"; nocase; http_uri; content:"user"; nocase; http_client_body; content:"="; within:5; http_client_body; pcre:"/(^|&)user(name|id)?=[^&$]*?(\x00|%00)/Pims"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-3416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-100; classtype:suspicious-login; sid:25250; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; fast_pattern:only; http_client_body; pcre:"/\bcmd\x2eexe\b/Pis"; metadata:policy max-detect-ips drop, service http; classtype:web-application-attack; sid:23626; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS .NET null character username truncation attempt"; flow:to_server,established; content:"CreateUserStepContainer|25|24"; fast_pattern:only; http_client_body; pcre:"/(^|\x26|\x24|%24|%26)User[^\x3D]*\x3D[^\x26]+(\x00|%00)/Pi"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-3416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-100; classtype:suspicious-login; sid:20829; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS aspx login ReturnURL arbitrary redirect attempt"; flow:to_server,established; content:"ReturnURL=http:/"; nocase; http_uri; pcre:"/ReturnURL=http\x3a\x2f\x2f[^\r\n\x26]+(\x5c|%5C)[\s\x26]/si"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-3415; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-100; classtype:web-application-attack; sid:20828; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt"; flow:to_server,established; content:"p=1&p=1&p=1&p=1&p=1&"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43140; reference:cve,2010-1899; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-065; classtype:attempted-dos; sid:19192; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt"; flow:to_server,established; content:"poc1: poc|0D 0A|poc2: poc|0D 0A|poc3: poc"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43138; reference:cve,2010-2730; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-065; classtype:attempted-admin; sid:19183; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SERVER-IIS Microsoft Windows 7 IIS7.5 FTPSVC buffer overflow attempt"; flow:to_server,established; content:"|BF FF EF EF BB BF FE FF EF BB BF FF EF FF EF EF BB BF EF BB|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,45542; reference:cve,2010-3972; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-004; classtype:attempted-admin; sid:18243; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-IIS Microsoft IIS 7.5 client verify null pointer attempt"; flow:established,to_server; ssl_state:client_keyx; ssl_version:tls1.0; content:"|16 03 01|"; depth:3; content:"|10|"; within:1; distance:2; byte_jump:2,-3,relative; content:"|16 03 01|"; within:3; content:"|0F|"; within:1; distance:2; metadata:policy max-detect-ips drop; reference:cve,2010-3229; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-085; classtype:attempted-dos; sid:17750; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS web agent chunked encoding overflow attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/WebID/IISWebAgentIF.dll"; fast_pattern; nocase; http_uri; content:"Transfer-Encoding|3A| chunked"; nocase; http_header; content:"|0D 0A 0D 0A|"; byte_test:4,>,16,0,relative,string,hex; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13524; reference:cve,2005-1471; classtype:web-application-attack; sid:17705; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS source code disclosure attempt"; flow:to_server,established; content:".asp"; nocase; http_uri; pcre:"/\x2easp([\?\x5c\x2f]|$)/smiU"; content:"host"; nocase; http_header; content:"localhost"; nocase; http_header; pcre:"/^Host\s*\x3A\s*localhost\s/miH"; metadata:policy max-detect-ips drop, service http; reference:cve,2005-2678; reference:url,secunia.com/advisories/16548; classtype:misc-attack; sid:17653; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS WebDAV Request Directory Security Bypass attempt"; flow:to_server,established; content:"/%c0%af/"; pcre:"/^(GET|OPTIONS|HEAD|POST|PUT|DELETE|CONNECT|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK)[^\r\n]*\s+[^\r\n]*\x2f\x25c0\x25af\x2f/mi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,34993; reference:cve,2009-1535; classtype:attempted-admin; sid:17564; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS 5.0 WebDav Request Directory Security Bypass"; flow:to_server,established; content:"POST"; nocase; content:"|25 32 35 25 33 37 25 33 30 25 32 35 25 33 37 25|"; within:16; distance:2; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35232; reference:cve,2009-1122; classtype:attempted-admin; sid:17525; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-IIS Microsoft Windows IIS SChannel improper certificate verification"; flow:to_server,established; ssl_state:client_keyx; content:"|1D 1D 55 69 8B 83 B2 CF 4A 71 6F A1 45 62 8C 7C BD 98 79 15 E5 85 EB 87 5B FC 06 04 D7 14 03 01 00 01 01 16 03|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ssl; reference:cve,2009-0085; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-007; classtype:misc-activity; sid:17431; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS stack exhaustion DoS attempt"; flow:to_server,established; content:"id=1&id=1&id=1&id=1&id=1&"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2010-1899; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-065; classtype:attempted-dos; sid:17254; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS IIS 5.1 alternate data stream authentication bypass attempt"; flow:to_server,established; content:"$i30:$INDEX_ALLOCATION"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2010-2731; reference:cve,2011-4963; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-065; classtype:web-application-attack; sid:17103; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS malformed URL .dll denial of service attempt"; flow:to_server,established; content:".dll/"; http_uri; content:"/~"; within:10; distance:-1; http_uri; pcre:"/\.dll\/.{0,10}\x7e\d/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,15921; reference:cve,2005-4360; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-041; classtype:attempted-dos; sid:16147; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft Office FrontPage server extensions 2002 cross site scripting attempt"; flow:to_server,established; content:"_vti_bin/_vti_adm/fpadmdll.dll"; fast_pattern:only; http_uri; content:"operation="; nocase; http_client_body; pcre:"/operation\x3D[^\x26]*?(\x2D|\x252D){2}(\x3E|\x253E)/iP"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,17452; reference:cve,2006-0015; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-017; classtype:attempted-user; sid:7027; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS w3who.dll buffer overflow attempt"; flow:to_server,established; content:"/w3who.dll?"; nocase; http_uri; pcre:"/w3who\.dll\x3F[^\r\n]{519}/i"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,11820; reference:cve,2004-1134; classtype:attempted-admin; sid:3087; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS view source via translate header"; flow:to_server,established; content:"Translate|3A| F"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,14764; reference:bugtraq,1578; reference:cve,2000-0778; reference:nessus,10491; classtype:web-application-activity; sid:1042; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS query.asp access"; flow:to_server,established; content:"/issamples/query.asp"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,193; reference:cve,1999-0449; classtype:web-application-activity; sid:1028; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS directory traversal attempt"; flow:to_server,established; content:"..|5C|.."; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2218; reference:cve,1999-0229; classtype:web-application-attack; sid:974; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .printer access"; flow:to_server,established; content:".printer"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2674; reference:cve,2001-0241; reference:nessus,10661; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-023; classtype:web-application-activity; sid:971; rev:28;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft IIS ASP handling buffer overflow attempt "; flow:to_server,established; content:"%f4%8f%bf%bf%f4%8f%bf%bf"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,27676; reference:cve,2008-0075; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-006; classtype:web-application-attack; sid:15974; rev:7;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER-IIS Microsoft ASP.NET bad request denial of service attempt "; flow:to_client,established,only_stream; content:"400"; http_stat_code; content:"Server|3A| Microsoft-IIS/"; nocase; http_header; content:"X-Powered-By|3A| ASP.NET"; nocase; http_header; detection_filter:track by_dst, count 11, seconds 1; metadata:policy max-detect-ips drop, service http; reference:cve,2009-1536; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-036; classtype:attempted-dos; sid:15851; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow "; flow:to_server,established; content:"%ud"; pcre:"/%ud[8-f]..%ud[8-f]../"; metadata:policy max-detect-ips drop; reference:cve,2008-0075; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-006; classtype:web-application-attack; sid:13922; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow "; flow:to_server,established; content:"%d"; pcre:"/%d[8-f]%..%d[8-f]%../"; metadata:policy max-detect-ips drop, service http; reference:cve,2008-0075; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-006; classtype:web-application-attack; sid:13476; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft Active Directory Federation Services wct parameter cross site scripting attempt"; flow:to_server,established; content:"/adfs/ls/"; fast_pattern:only; http_uri; content:"wct="; nocase; http_uri; pcre:"/[?&]wct=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:cve,2015-1757; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-062; classtype:attempted-user; sid:34769; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft ASP.NET bad request denial of service attempt"; flow:to_server,established; content:".aspx"; fast_pattern:only; http_uri; content:"%"; http_raw_uri; pcre:"/%([01]|2([056A]|E%2E)|3[ACEF]|5C)/Ii"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-1536; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-036; classtype:denial-of-service; sid:43808; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft ASP.NET bad request denial of service attempt"; flow:to_server,established; content:".asmx"; fast_pattern:only; http_uri; content:"%"; http_raw_uri; pcre:"/%([01]|2([056A]|E%2E)|3[ACEF]|5C)/Ii"; metadata:policy max-detect-ips drop, service http; reference:cve,2009-1536; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-036; classtype:denial-of-service; sid:43807; rev:1;)