VERSION 1.00.00.00 MODIFIED SECS 1086351126 ########################################## # # ATTACK-RESPONSES # ########################################## BEGIN GROUPNAME FROM_INT_ATTACK_RESPONSES TYPE ATTACKSIG NAME "ATTACK-RESPONSES directory listing" LOGMSG "ATTACK-RESPONSES directory listing" PROTO TCP DIRECTION FROM_TERM CONTENT "Volume Serial Number" NAME "ATTACK-RESPONSES oracle one hour install" LOGMSG "ATTACK-RESPONSES oracle one hour install" PROTO TCP SRCPORT 8002 8002 DIRECTION FROM_TERM CONTENT "Oracle Applications One-Hour Install" NAME "ATTACK-RESPONSES successful kadmind buffer overflow attempt" LOGMSG "ATTACK-RESPONSES successful kadmind buffer overflow attempt" PROTO TCP SRCPORT 749 749 DIRECTION FROM_TERM CONTENT "*GOBBLE*" DEPTH 8 NAME "ATTACK-RESPONSES successful kadmind buffer overflow attempt" LOGMSG "ATTACK-RESPONSES successful kadmind buffer overflow attempt" PROTO TCP SRCPORT 751 751 DIRECTION FROM_TERM CONTENT "*GOBBLE*" DEPTH 8 NAME "ATTACK-RESPONSES successful gobbles ssh exploit (GOBBLE)" LOGMSG "ATTACK-RESPONSES successful gobbles ssh exploit (GOBBLE)" PROTO TCP SRCPORT 22 22 DIRECTION FROM_TERM CONTENT "|2a|GOBBLE|2a|" NAME "ATTACK-RESPONSES successful gobbles ssh exploit (uname)" LOGMSG "ATTACK-RESPONSES successful gobbles ssh exploit (uname)" PROTO TCP SRCPORT 22 22 DIRECTION FROM_TERM CONTENT "uname" NAME "ATTACK-RESPONSES rexec username too long response" LOGMSG "ATTACK-RESPONSES rexec username too long response" PROTO TCP SRCPORT 512 512 DIRECTION FROM_TERM CONTENT "username too long" OFFSET 0 DEPTH 17 # NAME "ATTACK-RESPONSES command completed" LOGMSG "ATTACK-RESPONSES command completed" PROTO TCP DIRECTION FROM_TERM CONTENT "Command completed" NOCASE # NAME "ATTACK-RESPONSES command error" LOGMSG "ATTACK-RESPONSES command error" PROTO TCP DIRECTION FROM_TERM CONTENT "Bad command or filename" NOCASE # NAME "ATTACK-RESPONSES file copied ok" LOGMSG "ATTACK-RESPONSES file copied ok" PROTO TCP DIRECTION FROM_TERM CONTENT "1 file(s) 
copied" NOCASE # NAME "ATTACK-RESPONSES Invalid URL" LOGMSG "ATTACK-RESPONSES Invalid URL" PROTO TCP DIRECTION FROM_TERM CONTENT "Invalid URL" NOCASE NAME "ATTACK-RESPONSES index of /cgi-bin/ response" LOGMSG "ATTACK-RESPONSES index of /cgi-bin/ response" PROTO TCP DIRECTION FROM_TERM CONTENT "Index of /cgi-bin/" NOCASE NAME "ATTACK-RESPONSES 403 Forbidden" LOGMSG "ATTACK-RESPONSES 403 Forbidden" PROTO TCP DIRECTION FROM_TERM CONTENT "HTTP/1.1 403" DEPTH 12 NAME "ATTACK-RESPONSES Microsoft cmd.exe banner" LOGMSG "ATTACK-RESPONSES Microsoft cmd.exe banner" PROTO TCP SRCPORT 24 65535 DIRECTION FROM_TERM CONTENT "Microsoft Windows" CONTENT "(C) Copyright 1985-" DISTANCE 0 CONTENT "Microsoft Corp." DISTANCE 0 NAME "ATTACK-RESPONSES successful cross site scripting forced download attempt" LOGMSG "ATTACK-RESPONSES successful cross site scripting forced download attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "|0a|Referer\: res\:/C\:" END ########################################## # # BACKDOOR # ########################################## BEGIN GROUPNAME FROM_EXT_BACKDOOR TYPE ATTACKSIG NAME "BACKDOOR subseven 22" LOGMSG "BACKDOOR subseven 22" PROTO TCP SRCPORT 27374 27374 DIRECTION FROM_ORIG CONTENT "|0d0a5b52504c5d3030320d0a|" NAME "BACKDOOR netbus getinfo" LOGMSG "BACKDOOR netbus getinfo" PROTO TCP DESTPORT 12345 12346 DIRECTION FROM_ORIG CONTENT "GetInfo|0d|" NAME "BACKDOOR DeepThroat 3.1 Connection attempt" LOGMSG "BACKDOOR DeepThroat 3.1 Connection attempt" PROTO UDP DESTPORT 2140 2140 CONTENT "00" DEPTH 2 NAME "BACKDOOR DeepThroat 3.1 Connection attempt [3150]" LOGMSG "BACKDOOR DeepThroat 3.1 Connection attempt [3150]" PROTO UDP DESTPORT 3150 3150 CONTENT "00" DEPTH 2 NAME "BACKDOOR DeepThroat 3.1 Connection attempt [4120]" LOGMSG "BACKDOOR DeepThroat 3.1 Connection attempt [4120]" PROTO UDP DESTPORT 4120 4120 CONTENT "00" DEPTH 2 NAME "BACKDOOR - Dagger_1.4.0_client_connect" LOGMSG "BACKDOOR - Dagger_1.4.0_client_connect" PROTO TCP SRCPORT 1024 65535 DESTPORT 2589 
2589 DIRECTION FROM_ORIG CONTENT "|0b 00 00 00 07 00 00 00|Connect" DEPTH 16 NAME "BACKDOOR QAZ Worm Client Login access" LOGMSG "BACKDOOR QAZ Worm Client Login access" PROTO TCP DESTPORT 7597 7597 DIRECTION FROM_ORIG CONTENT "|71 61 7a 77 73 78 2e 68 73 71|" NAME "BACKDOOR Infector 1.6 Client to Server Connection Request" LOGMSG "BACKDOOR Infector 1.6 Client to Server Connection Request" PROTO TCP SRCPORT 1000 1300 DESTPORT 146 146 DIRECTION FROM_ORIG CONTENT "FC " NAME "BACKDOOR BackConstruction 2.1 Client FTP Open Request" LOGMSG "BACKDOOR BackConstruction 2.1 Client FTP Open Request" PROTO TCP DESTPORT 666 666 DIRECTION FROM_ORIG CONTENT "FTPON" NAME "BACKDOOR NetMetro File List" LOGMSG "BACKDOOR NetMetro File List" PROTO TCP DESTPORT 5032 5032 DIRECTION FROM_ORIG CONTENT "|2D 2D|" NAME "BACKDOOR Matrix 2.0 Client connect" LOGMSG "BACKDOOR Matrix 2.0 Client connect" PROTO UDP SRCPORT 3344 3344 DESTPORT 3345 3345 CONTENT "activate" NAME "BACKDOOR Matrix 2.0 Server access" LOGMSG "BACKDOOR Matrix 2.0 Server access" PROTO UDP SRCPORT 3345 3345 DESTPORT 3344 3344 CONTENT "logged in" NAME "BACKDOOR CDK" LOGMSG "BACKDOOR CDK" PROTO TCP DESTPORT 79 79 DIRECTION FROM_ORIG CONTENT "ypi0ca" NOCASE DEPTH 15 NAME "BACKDOOR w00w00 attempt" LOGMSG "BACKDOOR w00w00 attempt" PROTO TCP DESTPORT 23 23 DIRECTION FROM_ORIG CONTENT "w00w00" NAME "BACKDOOR attempt" LOGMSG "BACKDOOR attempt" PROTO TCP DESTPORT 23 23 DIRECTION FROM_ORIG CONTENT "backdoor" NOCASE NAME "BACKDOOR MISC r00t attempt" LOGMSG "BACKDOOR MISC r00t attempt" PROTO TCP DESTPORT 23 23 DIRECTION FROM_ORIG CONTENT "r00t" NAME "BACKDOOR MISC rewt attempt" LOGMSG "BACKDOOR MISC rewt attempt" PROTO TCP DESTPORT 23 23 DIRECTION FROM_ORIG CONTENT "rewt" NAME "BACKDOOR MISC Linux rootkit attempt" LOGMSG "BACKDOOR MISC Linux rootkit attempt" PROTO TCP DESTPORT 23 23 DIRECTION FROM_ORIG CONTENT "wh00t!" 
NAME "BACKDOOR MISC Linux rootkit attempt lrkr0x" LOGMSG "BACKDOOR MISC Linux rootkit attempt lrkr0x" PROTO TCP DESTPORT 23 23 DIRECTION FROM_ORIG CONTENT "lrkr0x" NAME "BACKDOOR MISC Linux rootkit attempt" LOGMSG "BACKDOOR MISC Linux rootkit attempt" PROTO TCP DESTPORT 23 23 DIRECTION FROM_ORIG CONTENT "d13hh[" NOCASE NAME "BACKDOOR MISC Linux rootkit satori attempt" LOGMSG "BACKDOOR MISC Linux rootkit satori attempt" PROTO TCP DESTPORT 23 23 DIRECTION FROM_ORIG CONTENT "satori" NAME "BACKDOOR MISC sm4ck attempt" LOGMSG "BACKDOOR MISC sm4ck attempt" PROTO TCP DESTPORT 23 23 DIRECTION FROM_ORIG CONTENT "hax0r" NAME "BACKDOOR MISC Solaris 2.5 attempt" LOGMSG "BACKDOOR MISC Solaris 2.5 attempt" PROTO TCP DESTPORT 23 23 DIRECTION FROM_ORIG CONTENT "friday" NAME "BACKDOOR HidePak backdoor attempt" LOGMSG "BACKDOOR HidePak backdoor attempt" PROTO TCP DESTPORT 23 23 DIRECTION FROM_ORIG CONTENT "StoogR" NAME "BACKDOOR HideSource backdoor attempt" LOGMSG "BACKDOOR HideSource backdoor attempt" PROTO TCP DESTPORT 23 23 DIRECTION FROM_ORIG CONTENT "wank" NAME "BACKDOOR win-trin00 connection attempt" LOGMSG "BACKDOOR win-trin00 connection attempt" PROTO UDP DESTPORT 35555 35555 CONTENT "png []..Ks l44" OFFSET 0 DEPTH 14 NAME "BACKDOOR trinity connection attempt" LOGMSG "BACKDOOR trinity connection attempt" PROTO TCP DESTPORT 33270 33270 DIRECTION FROM_ORIG CONTENT "|21 40 23|" OFFSET 0 DEPTH 3 NAME "BACKDOOR Remote PC Access connection attempt" LOGMSG "BACKDOOR Remote PC Access connection attempt" PROTO TCP DESTPORT 34012 34012 DIRECTION FROM_ORIG CONTENT "|28 00 01 00 04 00 00 00 00 00 00 00|" OFFSET 0 DEPTH 12 NAME "BACKDOOR DoomJuice file upload attempt" LOGMSG "BACKDOOR DoomJuice file upload attempt" PROTO TCP DESTPORT 3127 3199 DIRECTION FROM_ORIG CONTENT "|85 13 3C 9E A2|" OFFSET 0 DEPTH 5 NAME "BACKDOOR GirlFriendaccess" LOGMSG "BACKDOOR GirlFriendaccess" PROTO TCP SRCPORT 81 65535 DESTPORT 21554 21554 DIRECTION FROM_ORIG CONTENT "Girl" END BEGIN GROUPNAME 
FROM_INT_BACKDOOR TYPE ATTACKSIG NAME "BACKDOOR subseven DEFCON8 2.1 access" LOGMSG "BACKDOOR subseven DEFCON8 2.1 access" PROTO TCP SRCPORT 16959 16959 DIRECTION FROM_TERM CONTENT "PWD" NAME "BACKDOOR netbus active" LOGMSG "BACKDOOR netbus active" PROTO TCP SRCPORT 12345 12346 DIRECTION FROM_TERM CONTENT "NetBus" NAME "BACKDOOR netbus active" LOGMSG "BACKDOOR netbus active" PROTO TCP SRCPORT 20034 20034 DIRECTION FROM_ORIG CONTENT "NetBus" NAME "BACKDOOR DeepThroat 3.1 Server Response" LOGMSG "BACKDOOR DeepThroat 3.1 Server Response" PROTO UDP SRCPORT 2140 2140 CONTENT "Ahhhh My Mouth Is Open" NAME "BACKDOOR DeepThroat 3.1 Server Response [3150]" LOGMSG "BACKDOOR DeepThroat 3.1 Server Response [3150]" PROTO UDP SRCPORT 3150 3150 CONTENT "Ahhhh My Mouth Is Open" NAME "BACKDOOR DeepThroat 3.1 Server Response [4120]" LOGMSG "BACKDOOR DeepThroat 3.1 Server Response [4120]" PROTO UDP SRCPORT 4120 4120 CONTENT "Ahhhh My Mouth Is Open" NAME "BACKDOOR Doly 2.0 access" LOGMSG "BACKDOOR Doly 2.0 access" PROTO TCP SRCPORT 6789 6789 DIRECTION FROM_TERM CONTENT "Wtzup Use" DEPTH 32 NAME "BACKDOOR Doly 1.5 server response" LOGMSG "BACKDOOR Doly 1.5 server response" PROTO TCP DESTPORT 1094 1094 DIRECTION FROM_TERM CONTENT "Connected." NAME "BACKDOOR - Dagger_1.4.0" LOGMSG "BACKDOOR - Dagger_1.4.0" PROTO TCP SRCPORT 2589 2589 DESTPORT 1024 65535 DIRECTION FROM_TERM CONTENT "|3200000006000000|Drives|2400|" DEPTH 16 NAME "BACKDOOR Infector.1.x" LOGMSG "BACKDOOR Infector.1.x" PROTO TCP SRCPORT 146 146 DESTPORT 1024 65535 DIRECTION FROM_TERM CONTENT "WHATISIT" NAME "BACKDOOR SatansBackdoor.2.0.Beta" LOGMSG "BACKDOOR SatansBackdoor.2.0.Beta" PROTO TCP SRCPORT 666 666 DESTPORT 1024 65535 DIRECTION FROM_TERM CONTENT "Remote|3A| You are connected to me." 
NAME "BACKDOOR Infector 1.6 Server to Client" LOGMSG "BACKDOOR Infector 1.6 Server to Client" PROTO TCP SRCPORT 146 146 DESTPORT 1000 1300 DIRECTION FROM_TERM CONTENT "WHATISIT" NAME "BACKDOOR HackAttack 1.20 Connect" LOGMSG "BACKDOOR HackAttack 1.20 Connect" PROTO TCP SRCPORT 31785 31785 DIRECTION FROM_TERM CONTENT "host" NAME "BACKDOOR NetSphere access" LOGMSG "BACKDOOR NetSphere access" PROTO TCP SRCPORT 30100 30100 DIRECTION FROM_TERM CONTENT "NetSphere" NAME "BACKDOOR GateCrasher" LOGMSG "BACKDOOR GateCrasher" PROTO TCP SRCPORT 6969 6969 DIRECTION FROM_TERM CONTENT "GateCrasher" NAME "BACKDOOR BackConstruction 2.1 Connection" LOGMSG "BACKDOOR BackConstruction 2.1 Connection" PROTO TCP SRCPORT 5401 5402 DIRECTION FROM_TERM CONTENT "c|3A|\\" NAME "BACKDOOR DonaldDick 1.53 Traffic" LOGMSG "BACKDOOR DonaldDick 1.53 Traffic" PROTO TCP SRCPORT 23476 23476 DIRECTION FROM_TERM CONTENT "pINg" NAME "BACKDOOR NetSphere 1.31.337 access" LOGMSG "BACKDOOR NetSphere 1.31.337 access" PROTO TCP SRCPORT 30100 30102 DIRECTION FROM_TERM CONTENT "NetSphere" NAME "BACKDOOR BackConstruction 2.1 Server FTP Open Reply" LOGMSG "BACKDOOR BackConstruction 2.1 Server FTP Open Reply" PROTO TCP SRCPORT 666 666 DIRECTION FROM_TERM CONTENT "FTP Port open" NAME "BACKDOOR PhaseZero Server Active on Network" LOGMSG "BACKDOOR PhaseZero Server Active on Network" PROTO TCP SRCPORT 555 555 DIRECTION FROM_TERM CONTENT "phAse" NAME "BACKDOOR SubSeven 2.1 Gold server connection response" LOGMSG "BACKDOOR SubSeven 2.1 Gold server connection response" PROTO TCP DIRECTION FROM_TERM CONTENT "connected. 
time/date\: " DEPTH 22 CONTENT "version\: GOLD 2.1" DISTANCE 1 NAME "BACKDOOR FsSniffer connection attempt" LOGMSG "BACKDOOR FsSniffer connection attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "RemoteNC Control Password\:" END ########################################## # # CHAT # ########################################## BEGIN GROUPNAME FROM_EXT_CHAT TYPE ATTACKSIG NAME "CHAT ICQ forced user addition" LOGMSG "CHAT ICQ forced user addition" PROTO TCP SRCPORT 80 80 DIRECTION FROM_TERM CONTENT "Content-Type\: application/x-icq" CONTENT "[ICQ User]" NAME "CHAT IRC dns response" LOGMSG "CHAT IRC dns response" PROTO TCP SRCPORT 6666 7000 DIRECTION FROM_TERM CONTENT "\:" OFFSET 0 CONTENT " 302 " CONTENT "=+" NAME "CHAT MSN message" LOGMSG "CHAT MSN message" PROTO TCP SRCPORT 1863 1863 CONTENT "MSG " DEPTH 4 CONTENT "Content-Type\:" CONTENT "text/plain" DISTANCE 1 NAME "CHAT MSN file transfer request" LOGMSG "CHAT MSN file transfer request" PROTO TCP SRCPORT 1863 1863 CONTENT "MSG " DEPTH 4 CONTENT "Content-Type\:" NOCASE DISTANCE 0 CONTENT "text/x-msmsgsinvite" NOCASE DISTANCE 0 CONTENT "Application-Name\:" CONTENT "File Transfer" NOCASE DISTANCE 0 NAME "CHAT MSN file transfer accept" LOGMSG "CHAT MSN file transfer accept" PROTO TCP SRCPORT 1863 1863 CONTENT "MSG " DEPTH 4 CONTENT "Content-Type\:" CONTENT "text/x-msmsgsinvite" DISTANCE 0 CONTENT "Invitation-Command\:" CONTENT "ACCEPT" DISTANCE 1 NAME "CHAT MSN file transfer reject" LOGMSG "CHAT MSN file transfer reject" PROTO TCP SRCPORT 1863 1863 CONTENT "MSG " DEPTH 4 CONTENT "Content-Type\:" CONTENT "text/x-msmsgsinvite" DISTANCE 0 CONTENT "Invitation-Command\:" CONTENT "CANCEL" DISTANCE 0 CONTENT "Cancel-Code\:" NOCASE CONTENT "REJECT" NOCASE DISTANCE 0 # NAME "CHAT IRC message" LOGMSG "CHAT IRC message" PROTO TCP SRCPORT 6666 7000 CONTENT "PRIVMSG " NOCASE NAME "CHAT Yahoo IM conference invitation" LOGMSG "CHAT Yahoo IM conference invitation" PROTO TCP SRCPORT 5050 5050 DIRECTION FROM_TERM CONTENT "YMSG" NOCASE 
OFFSET 0 DEPTH 4 CONTENT "|0018|" OFFSET 10 DEPTH 2 NAME "CHAT Yahoo IM conference logon success" LOGMSG "CHAT Yahoo IM conference logon success" PROTO TCP SRCPORT 5050 5050 DIRECTION FROM_TERM CONTENT "YMSG" NOCASE OFFSET 0 DEPTH 4 CONTENT "|0019|" OFFSET 10 DEPTH 2 NAME "CHAT Yahoo IM successful chat join" LOGMSG "CHAT Yahoo IM successful chat join" PROTO TCP SRCPORT 5050 5050 DIRECTION FROM_TERM CONTENT "YMSG" NOCASE OFFSET 0 DEPTH 4 CONTENT "|0098|" OFFSET 10 DEPTH 2 NAME "CHAT Yahoo IM successful logon" LOGMSG "CHAT Yahoo IM successful logon" PROTO TCP SRCPORT 5050 5050 DIRECTION FROM_TERM CONTENT "YMSG" NOCASE OFFSET 0 DEPTH 4 CONTENT "|0001|" OFFSET 10 DEPTH 2 NAME "CHAT Yahoo IM webcam watch" LOGMSG "CHAT Yahoo IM webcam watch" PROTO TCP SRCPORT 5100 5100 DIRECTION FROM_TERM CONTENT "|0d00 0500|" OFFSET 0 DEPTH 4 NAME "CHAT Yahoo IM voicechat" LOGMSG "CHAT Yahoo IM voicechat" PROTO TCP SRCPORT 5050 5050 DIRECTION FROM_TERM CONTENT "YMSG" NOCASE OFFSET 0 DEPTH 4 CONTENT "|004a|" OFFSET 10 DEPTH 2 NAME "CHAT Yahoo IM message" LOGMSG "CHAT Yahoo IM message" PROTO TCP DESTPORT 5101 5101 CONTENT "YMSG" NOCASE OFFSET 0 DEPTH 4 NAME "CHAT Yahoo IM file transfer request" LOGMSG "CHAT Yahoo IM file transfer request" PROTO TCP DESTPORT 5050 5050 CONTENT "YMSG" NOCASE OFFSET 0 DEPTH 4 CONTENT "|004d|" OFFSET 10 DEPTH 2 END BEGIN GROUPNAME FROM_INT_CHAT TYPE ATTACKSIG NAME "CHAT ICQ access" LOGMSG "CHAT ICQ access" PROTO TCP DIRECTION FROM_ORIG CONTENT "User-Agent\:ICQ" NAME "CHAT MSN user search" LOGMSG "CHAT MSN user search" PROTO TCP DESTPORT 1863 1863 DIRECTION FROM_ORIG CONTENT "CAL " NOCASE DEPTH 4 NAME "CHAT MSN login attempt" LOGMSG "CHAT MSN login attempt" PROTO TCP DESTPORT 1863 1863 DIRECTION FROM_ORIG CONTENT "USR " NOCASE DEPTH 4 CONTENT " TWN " NOCASE DISTANCE 1 NAME "CHAT IRC nick change" LOGMSG "CHAT IRC nick change" PROTO TCP DESTPORT 6666 7000 DIRECTION FROM_ORIG CONTENT "NICK " OFFSET 0 NAME "CHAT IRC DCC file transfer request" LOGMSG "CHAT IRC DCC 
file transfer request" PROTO TCP DESTPORT 6666 7000 DIRECTION FROM_ORIG CONTENT "PRIVMSG " NOCASE OFFSET 0 CONTENT " \:.DCC SEND" NOCASE NAME "CHAT IRC DCC chat request" LOGMSG "CHAT IRC DCC chat request" PROTO TCP DESTPORT 6666 7000 DIRECTION FROM_ORIG CONTENT "PRIVMSG " NOCASE OFFSET 0 CONTENT " \:.DCC CHAT chat" NOCASE NAME "CHAT IRC channel join" LOGMSG "CHAT IRC channel join" PROTO TCP DESTPORT 6666 7000 DIRECTION FROM_ORIG CONTENT "JOIN \: \#" NOCASE OFFSET 0 NAME "CHAT IRC dns request" LOGMSG "CHAT IRC dns request" PROTO TCP DESTPORT 6666 7000 DIRECTION FROM_ORIG CONTENT "USERHOST " NOCASE OFFSET 0 NAME "CHAT AIM login" LOGMSG "CHAT AIM login" PROTO TCP DIRECTION FROM_ORIG CONTENT "|2a 01|" OFFSET 0 DEPTH 2 NAME "CHAT AIM send message" LOGMSG "CHAT AIM send message" PROTO TCP DIRECTION FROM_ORIG CONTENT "|2a 02|" OFFSET 0 DEPTH 2 CONTENT "|00 04 00 06|" OFFSET 6 DEPTH 4 NAME "CHAT MSN message" LOGMSG "CHAT MSN message" PROTO TCP DESTPORT 1863 1863 CONTENT "MSG " DEPTH 4 CONTENT "Content-Type\:" CONTENT "text/plain" DISTANCE 1 NAME "CHAT MSN file transfer request" LOGMSG "CHAT MSN file transfer request" PROTO TCP DESTPORT 1863 1863 CONTENT "MSG " DEPTH 4 CONTENT "Content-Type\:" NOCASE DISTANCE 0 CONTENT "text/x-msmsgsinvite" NOCASE DISTANCE 0 CONTENT "Application-Name\:" CONTENT "File Transfer" NOCASE DISTANCE 0 NAME "CHAT MSN file transfer accept" LOGMSG "CHAT MSN file transfer accept" PROTO TCP DESTPORT 1863 1863 CONTENT "MSG " DEPTH 4 CONTENT "Content-Type\:" CONTENT "text/x-msmsgsinvite" DISTANCE 0 CONTENT "Invitation-Command\:" CONTENT "ACCEPT" DISTANCE 1 NAME "CHAT MSN file transfer reject" LOGMSG "CHAT MSN file transfer reject" PROTO TCP DESTPORT 1863 1863 CONTENT "MSG " DEPTH 4 CONTENT "Content-Type\:" CONTENT "text/x-msmsgsinvite" DISTANCE 0 CONTENT "Invitation-Command\:" CONTENT "CANCEL" DISTANCE 0 CONTENT "Cancel-Code\:" NOCASE CONTENT "REJECT" NOCASE DISTANCE 0 # NAME "CHAT IRC message" LOGMSG "CHAT IRC message" PROTO TCP DESTPORT 6666 7000 
CONTENT "PRIVMSG " NOCASE NAME "CHAT AIM receive message" LOGMSG "CHAT AIM receive message" PROTO TCP DIRECTION FROM_TERM CONTENT "|2a 02|" OFFSET 0 DEPTH 2 CONTENT "|00 04 00 07|" OFFSET 6 DEPTH 4 NAME "CHAT Yahoo IM conference message" LOGMSG "CHAT Yahoo IM conference message" PROTO TCP DESTPORT 5050 5050 DIRECTION FROM_ORIG CONTENT "YMSG" NOCASE OFFSET 0 DEPTH 4 CONTENT "|001d|" OFFSET 10 DEPTH 2 NAME "CHAT Yahoo IM ping" LOGMSG "CHAT Yahoo IM ping" PROTO TCP DESTPORT 5050 5050 DIRECTION FROM_ORIG CONTENT "YMSG" NOCASE OFFSET 0 DEPTH 4 CONTENT "|0012|" OFFSET 10 DEPTH 2 NAME "CHAT Yahoo IM webcam offer invitation" LOGMSG "CHAT Yahoo IM webcam offer invitation" PROTO TCP DESTPORT 5050 5050 DIRECTION FROM_ORIG CONTENT "YMSG" NOCASE OFFSET 0 DEPTH 4 CONTENT "|0050|" OFFSET 10 DEPTH 2 NAME "CHAT Yahoo IM message" LOGMSG "CHAT Yahoo IM message" PROTO TCP DESTPORT 5101 5101 CONTENT "YMSG" NOCASE OFFSET 0 DEPTH 4 NAME "CHAT Yahoo IM file transfer request" LOGMSG "CHAT Yahoo IM file transfer request" PROTO TCP DESTPORT 5050 5050 CONTENT "YMSG" NOCASE OFFSET 0 DEPTH 4 CONTENT "|004d|" OFFSET 10 DEPTH 2 END ########################################## # # DDOS # ########################################## BEGIN GROUPNAME FROM_EXT_DDOS TYPE ATTACKSIG NAME "DDOS Trin00\:DaemontoMaster(PONGdetected)" LOGMSG "DDOS Trin00\:DaemontoMaster(PONGdetected)" PROTO UDP DESTPORT 31335 31335 CONTENT "PONG" NAME "DDOS Trin00\:DaemontoMaster(messagedetected)" LOGMSG "DDOS Trin00\:DaemontoMaster(messagedetected)" PROTO UDP DESTPORT 31335 31335 CONTENT "l44" NAME "DDOS Trin00\:DaemontoMaster(*HELLO*detected)" LOGMSG "DDOS Trin00\:DaemontoMaster(*HELLO*detected)" PROTO UDP DESTPORT 31335 31335 CONTENT "*HELLO*" NAME "DDOS Trin00\:Attacker to Master default startup password" LOGMSG "DDOS Trin00\:Attacker to Master default startup password" PROTO TCP DESTPORT 27665 27665 DIRECTION FROM_ORIG CONTENT "betaalmostdone" NAME "DDOS Trin00 Attacker to Master default password" LOGMSG "DDOS Trin00 
Attacker to Master default password" PROTO TCP DESTPORT 27665 27665 DIRECTION FROM_ORIG CONTENT "gOrave" NAME "DDOS Trin00 Attacker to Master default mdie password" LOGMSG "DDOS Trin00 Attacker to Master default mdie password" PROTO TCP DESTPORT 27665 27665 DIRECTION FROM_ORIG CONTENT "killme" NAME "DDOS Trin00\:MastertoDaemon(defaultpassdetected!)" LOGMSG "DDOS Trin00\:MastertoDaemon(defaultpassdetected!)" PROTO UDP DESTPORT 27444 27444 CONTENT "l44adsl" NAME "DDOS shaft handler to agent" LOGMSG "DDOS shaft handler to agent" PROTO UDP DESTPORT 18753 18753 CONTENT "alive tijgu" NAME "DDOS shaft agent to handler" LOGMSG "DDOS shaft agent to handler" PROTO UDP DESTPORT 20433 20433 CONTENT "alive" NAME "DDOS mstream agent to handler" LOGMSG "DDOS mstream agent to handler" PROTO UDP DESTPORT 6838 6838 CONTENT "newserver" NAME "DDOS mstream handler to agent" LOGMSG "DDOS mstream handler to agent" PROTO UDP DESTPORT 10498 10498 CONTENT "stream/" NAME "DDOS mstream client to handler" LOGMSG "DDOS mstream client to handler" PROTO TCP DESTPORT 12754 12754 DIRECTION FROM_ORIG CONTENT ">" END BEGIN GROUPNAME FROM_INT_DDOS TYPE ATTACKSIG NAME "DDOS mstream handler to client" LOGMSG "DDOS mstream handler to client" PROTO TCP SRCPORT 12754 12754 DIRECTION FROM_TERM CONTENT ">" NAME "DDOS mstream handler to client" LOGMSG "DDOS mstream handler to client" PROTO TCP SRCPORT 15104 15104 DIRECTION FROM_TERM CONTENT ">" END ########################################## # # DNS # ########################################## BEGIN GROUPNAME FROM_EXT_DNS TYPE ATTACKSIG # NAME "DNS zone transfer TCP" LOGMSG "DNS zone transfer TCP" PROTO TCP DESTPORT 53 53 DIRECTION FROM_ORIG CONTENT "|00 00 FC|" OFFSET 15 # NAME "DNS zone transfer UDP" LOGMSG "DNS zone transfer UDP" PROTO UDP DESTPORT 53 53 CONTENT "|00 00 FC|" OFFSET 14 NAME "DNS named authors attempt" LOGMSG "DNS named authors attempt" PROTO TCP DESTPORT 53 53 DIRECTION FROM_ORIG CONTENT "|07|authors" NOCASE OFFSET 12 CONTENT "|04|bind" 
NOCASE OFFSET 12 NAME "DNS named authors attempt" LOGMSG "DNS named authors attempt" PROTO UDP DESTPORT 53 53 CONTENT "|07|authors" NOCASE OFFSET 12 CONTENT "|04|bind" NOCASE OFFSET 12 NAME "DNS named version attempt" LOGMSG "DNS named version attempt" PROTO TCP DESTPORT 53 53 DIRECTION FROM_ORIG CONTENT "|07|version" NOCASE OFFSET 12 CONTENT "|04|bind" NOCASE OFFSET 12 NAME "DNS named version attempt" LOGMSG "DNS named version attempt" PROTO UDP DESTPORT 53 53 CONTENT "|07|version" NOCASE OFFSET 12 CONTENT "|04|bind" NOCASE OFFSET 12 NAME "DNS SPOOF query response PTR with TTL\: 1 min. and no authority" LOGMSG "DNS SPOOF query response PTR with TTL\: 1 min. and no authority" PROTO UDP SRCPORT 53 53 CONTENT "|85800001000100000000|" CONTENT "|c00c000c00010000003c000f|" NAME "DNS SPOOF query response with ttl\: 1 min. and no authority" LOGMSG "DNS SPOOF query response with ttl\: 1 min. and no authority" PROTO UDP SRCPORT 53 53 CONTENT "|81 80 00 01 00 01 00 00 00 00|" CONTENT "|c0 0c 00 01 00 01 00 00 00 3c 00 04|" NAME "DNS EXPLOIT named 8.2->8.2.1" LOGMSG "DNS EXPLOIT named 8.2->8.2.1" PROTO TCP DESTPORT 53 53 DIRECTION FROM_ORIG CONTENT "../../../" NAME "DNS EXPLOIT named tsig overflow attempt" LOGMSG "DNS EXPLOIT named tsig overflow attempt" PROTO TCP DESTPORT 53 53 DIRECTION FROM_ORIG CONTENT "|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01 20 20 20 20 02 61|" NAME "DNS EXPLOIT named tsig overflow attempt" LOGMSG "DNS EXPLOIT named tsig overflow attempt" PROTO UDP DESTPORT 53 53 CONTENT "|80 00 07 00 00 00 00 00 01 3F 00 01 02|" NAME "DNS EXPLOIT named overflow (ADM)" LOGMSG "DNS EXPLOIT named overflow (ADM)" PROTO TCP DESTPORT 53 53 DIRECTION FROM_ORIG CONTENT "thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool" NAME "DNS EXPLOIT named overflow (ADMROCKS)" LOGMSG "DNS EXPLOIT named overflow (ADMROCKS)" PROTO TCP DESTPORT 53 53 DIRECTION FROM_ORIG CONTENT "ADMROCKS" NAME "DNS EXPLOIT named overflow 
attempt" LOGMSG "DNS EXPLOIT named overflow attempt" PROTO TCP DESTPORT 53 53 DIRECTION FROM_ORIG CONTENT "|CD80 E8D7 FFFF FF|/bin/sh" NAME "DNS EXPLOIT x86 Linux overflow attempt" LOGMSG "DNS EXPLOIT x86 Linux overflow attempt" PROTO TCP DESTPORT 53 53 DIRECTION FROM_ORIG CONTENT "|31c0 b03f 31db b3ff 31c9 cd80 31c0|" NAME "DNS EXPLOIT x86 Linux overflow attempt" LOGMSG "DNS EXPLOIT x86 Linux overflow attempt" PROTO TCP DESTPORT 53 53 DIRECTION FROM_ORIG CONTENT "|31 c0 b0 02 cd 80 85 c0 75 4c eb 4c 5e b0|" NAME "DNS EXPLOIT x86 Linux overflow attempt (ADMv2)" LOGMSG "DNS EXPLOIT x86 Linux overflow attempt (ADMv2)" PROTO TCP DESTPORT 53 53 DIRECTION FROM_ORIG CONTENT "|89f7 29c7 89f3 89f9 89f2 ac3c fe|" NAME "DNS EXPLOIT x86 FreeBSD overflow attempt" LOGMSG "DNS EXPLOIT x86 FreeBSD overflow attempt" PROTO TCP DESTPORT 53 53 DIRECTION FROM_ORIG CONTENT "|eb6e 5ec6 069a 31c9 894e 01c6 4605|" NAME "DNS EXPLOIT sparc overflow attempt" LOGMSG "DNS EXPLOIT sparc overflow attempt" PROTO TCP DESTPORT 53 53 DIRECTION FROM_ORIG CONTENT "|90 1a c0 0f 90 02 20 08 92 02 20 0f d0 23 bf f8|" END ########################################## # # DOS # ########################################## BEGIN GROUPNAME FROM_EXT_DOS TYPE ATTACKSIG NAME "DOS Real Audio Server" LOGMSG "DOS Real Audio Server" PROTO TCP DESTPORT 7070 7070 DIRECTION FROM_ORIG CONTENT "|fff4 fffd 06|" NAME "DOS Real Server template.html" LOGMSG "DOS Real Server template.html" PROTO TCP DESTPORT 7070 7070 DIRECTION FROM_ORIG CONTENT "/viewsource/template.html?" NOCASE NAME "DOS Real Server template.html" LOGMSG "DOS Real Server template.html" PROTO TCP DESTPORT 8080 8080 DIRECTION FROM_ORIG CONTENT "/viewsource/template.html?" 
NOCASE NAME "DOS Ascend Route" LOGMSG "DOS Ascend Route" PROTO UDP DESTPORT 9 9 CONTENT "|4e 41 4d 45 4e 41 4d 45|" OFFSET 25 DEPTH 50 NAME "DOS iParty DOS attempt" LOGMSG "DOS iParty DOS attempt" PROTO TCP DESTPORT 6004 6004 DIRECTION FROM_ORIG CONTENT "|FF FF FF FF FF FF|" OFFSET 0 END ########################################## # # EXPLOIT # ########################################## BEGIN GROUPNAME FROM_EXT_EXPLOIT TYPE ATTACKSIG NAME "EXPLOIT ssh CRC32 overflow /bin/sh" LOGMSG "EXPLOIT ssh CRC32 overflow /bin/sh" PROTO TCP DESTPORT 22 22 DIRECTION FROM_ORIG CONTENT "/bin/sh" NAME "EXPLOIT ssh CRC32 overflow NOOP" LOGMSG "EXPLOIT ssh CRC32 overflow NOOP" PROTO TCP DESTPORT 22 22 DIRECTION FROM_ORIG CONTENT "|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|" NAME "EXPLOIT ssh CRC32 overflow" LOGMSG "EXPLOIT ssh CRC32 overflow" PROTO TCP DESTPORT 22 22 DIRECTION FROM_ORIG CONTENT "|00 01 57 00 00 00 18|" OFFSET 0 DEPTH 7 CONTENT "|FF FF FF FF 00 00|" OFFSET 8 DEPTH 14 NAME "EXPLOIT Netscape 4.7 client overflow" LOGMSG "EXPLOIT Netscape 4.7 client overflow" PROTO TCP SRCPORT 80 80 DIRECTION FROM_TERM CONTENT "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|" NAME "EXPLOIT nlps x86 Solaris overflow" LOGMSG "EXPLOIT nlps x86 Solaris overflow" PROTO TCP DESTPORT 2766 2766 DIRECTION FROM_ORIG CONTENT "|eb23 5e33 c088 46fa 8946 f589 36|" NAME "EXPLOIT LPRng overflow" LOGMSG "EXPLOIT LPRng overflow" PROTO TCP DESTPORT 515 515 DIRECTION FROM_ORIG CONTENT "|43 07 89 5B 08 8D 4B 08 89 43 0C B0 0B CD 80 31 C0 FE C0 CD 80 E8 94 FF FF FF 2F 62 69 6E 2F 73 68 0A|" NAME "EXPLOIT Redhat 7.0 lprd overflow" LOGMSG "EXPLOIT Redhat 7.0 lprd overflow" PROTO TCP DESTPORT 515 515 DIRECTION FROM_ORIG CONTENT "|58 58 58 58 25 2E 31 37 32 75 25 33 30 30 24 6E|" NAME "EXPLOIT SCO calserver overflow" LOGMSG "EXPLOIT SCO calserver overflow" PROTO TCP DESTPORT 6373 6373 DIRECTION FROM_ORIG CONTENT "|eb7f 5d55 fe4d 98fe 4d9b|" NAME "EXPLOIT VQServer admin" LOGMSG "EXPLOIT VQServer admin" 
PROTO TCP DESTPORT 9090 9090 DIRECTION FROM_ORIG CONTENT "GET / HTTP/1.1" NOCASE NAME "EXPLOIT NextFTP client overflow" LOGMSG "EXPLOIT NextFTP client overflow" PROTO TCP SRCPORT 21 21 DIRECTION FROM_TERM CONTENT "|b420 b421 8bcc 83e9 048b 1933 c966 b910|" NAME "EXPLOIT x86 windows MailMax overflow" LOGMSG "EXPLOIT x86 windows MailMax overflow" PROTO TCP DESTPORT 25 25 DIRECTION FROM_ORIG CONTENT "|eb45 eb20 5bfc 33c9 b182 8bf3 802b|" NAME "EXPLOIT ntalkd x86 Linux overflow" LOGMSG "EXPLOIT ntalkd x86 Linux overflow" PROTO UDP DESTPORT 518 518 CONTENT "|0103 0000 0000 0001 0002 02e8|" NAME "EXPLOIT x86 Linux mountd overflow" LOGMSG "EXPLOIT x86 Linux mountd overflow" PROTO UDP DESTPORT 635 635 CONTENT "|5eb0 0289 06fe c889 4604 b006 8946|" NAME "EXPLOIT x86 Linux mountd overflow" LOGMSG "EXPLOIT x86 Linux mountd overflow" PROTO UDP DESTPORT 635 635 CONTENT "|eb56 5E56 5656 31d2 8856 0b88 561e|" NAME "EXPLOIT x86 Linux mountd overflow" LOGMSG "EXPLOIT x86 Linux mountd overflow" PROTO UDP DESTPORT 635 635 CONTENT "|eb40 5E31 c040 8946 0489 c340 8906|" NAME "EXPLOIT MDBMS overflow" LOGMSG "EXPLOIT MDBMS overflow" PROTO TCP DESTPORT 2224 2224 DIRECTION FROM_ORIG CONTENT "|0131 DBCD 80E8 5BFF FFFF|" NAME "EXPLOIT rwhoisd format string attempt" LOGMSG "EXPLOIT rwhoisd format string attempt" PROTO TCP DESTPORT 4321 4321 DIRECTION FROM_ORIG CONTENT "-soa %p" NAME "EXPLOIT CDE dtspcd exploit attempt" LOGMSG "EXPLOIT CDE dtspcd exploit attempt" PROTO TCP DESTPORT 6112 6112 DIRECTION FROM_ORIG CONTENT "1" OFFSET 10 DEPTH 1 CONTENT !"000" OFFSET 11 DEPTH 3 NAME "EXPLOIT kadmind buffer overflow attempt" LOGMSG "EXPLOIT kadmind buffer overflow attempt" PROTO TCP DESTPORT 749 749 DIRECTION FROM_ORIG CONTENT "|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|" NAME "EXPLOIT kadmind buffer overflow attempt" LOGMSG "EXPLOIT kadmind buffer overflow attempt" PROTO TCP DESTPORT 751 751 DIRECTION FROM_ORIG CONTENT "|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|" NAME "EXPLOIT kadmind 
buffer overflow attempt" LOGMSG "EXPLOIT kadmind buffer overflow attempt" PROTO TCP DESTPORT 749 749 DIRECTION FROM_ORIG CONTENT "|ff ff 4b 41 44 4d 30 2e 30 41 00 00 fb 03|" NAME "EXPLOIT kadmind buffer overflow attempt" LOGMSG "EXPLOIT kadmind buffer overflow attempt" PROTO TCP DESTPORT 751 751 DIRECTION FROM_ORIG CONTENT "|ff ff 4b 41 44 4d 30 2e 30 41 00 00 fb 03|" NAME "EXPLOIT kadmind buffer overflow attempt" LOGMSG "EXPLOIT kadmind buffer overflow attempt" PROTO TCP DESTPORT 749 749 DIRECTION FROM_ORIG CONTENT "|2F 73 68 68 2F 2F 62 69|" NAME "EXPLOIT kadmind buffer overflow attempt" LOGMSG "EXPLOIT kadmind buffer overflow attempt" PROTO TCP DESTPORT 751 751 DIRECTION FROM_ORIG CONTENT "|2F 73 68 68 2F 2F 62 69|" NAME "EXPLOIT gobbles SSH exploit attempt" LOGMSG "EXPLOIT gobbles SSH exploit attempt" PROTO TCP DESTPORT 22 22 DIRECTION FROM_ORIG CONTENT "GOBBLES" NAME "EXPLOIT LPD dvips remote command execution attempt" LOGMSG "EXPLOIT LPD dvips remote command execution attempt" PROTO TCP DESTPORT 515 515 DIRECTION FROM_ORIG CONTENT "psfile=|2260|" NAME "EXPLOIT SSH server banner overflow" LOGMSG "EXPLOIT SSH server banner overflow" PROTO TCP SRCPORT 22 22 DIRECTION FROM_TERM CONTENT "SSH-" OFFSET 0 DEPTH 4 CONTENT !"|0a|" WITHIN 600 NAME "EXPLOIT CHAT IRC topic overflow" LOGMSG "EXPLOIT CHAT IRC topic overflow" PROTO TCP DESTPORT 6666 7000 DIRECTION FROM_TERM CONTENT "|eb 4b 5b 53 32 e4 83 c3 0b 4b 88 23 b8 50 77|" NAME "EXPLOIT CHAT IRC Ettercap parse overflow attempt" LOGMSG "EXPLOIT CHAT IRC Ettercap parse overflow attempt" PROTO TCP DESTPORT 6666 7000 DIRECTION FROM_ORIG CONTENT "PRIVMSG nickserv IDENTIFY" NOCASE OFFSET 0 CONTENT !"|0a|" WITHIN 150 NAME "EXPLOIT x86 Linux samba overflow" LOGMSG "EXPLOIT x86 Linux samba overflow" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "|eb2f 5feb 4a5e 89fb 893e 89f2|" NAME "EXPLOIT ISAKMP delete hash with empty hash attempt" LOGMSG "EXPLOIT ISAKMP delete hash with empty hash attempt" PROTO UDP DESTPORT 500 
500 CONTENT "|08|" OFFSET 16 DEPTH 1 CONTENT "|0c|" OFFSET 28 DEPTH 1 CONTENT "|00 04|" OFFSET 30 DEPTH 2 NAME "EXPLOIT ISAKMP initial contact notification without SPI attempt" LOGMSG "EXPLOIT ISAKMP initial contact notification without SPI attempt" PROTO UDP DESTPORT 500 500 CONTENT "|0b|" OFFSET 16 DEPTH 1 CONTENT "|00 0c 00 00 00 01 01 00 06 02|" OFFSET 30 DEPTH 10 END BEGIN GROUPNAME FROM_INT_EXPLOIT TYPE ATTACKSIG NAME "EXPLOIT Netscape 4.7 unsucessful overflow" LOGMSG "EXPLOIT Netscape 4.7 unsucessful overflow" PROTO TCP DESTPORT 80 80 DIRECTION FROM_ORIG CONTENT "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|" END ########################################## # # FINGER # ########################################## BEGIN GROUPNAME FROM_EXT_FINGER TYPE ATTACKSIG NAME "FINGER cmd_rootsh backdoor attempt" LOGMSG "FINGER cmd_rootsh backdoor attempt" PROTO TCP DESTPORT 79 79 DIRECTION FROM_ORIG CONTENT "cmd_rootsh" NAME "FINGER account enumeration attempt" LOGMSG "FINGER account enumeration attempt" PROTO TCP DESTPORT 79 79 DIRECTION FROM_ORIG CONTENT "a b c d e f" NOCASE NAME "FINGER search query" LOGMSG "FINGER search query" PROTO TCP DESTPORT 79 79 DIRECTION FROM_ORIG CONTENT "search" NAME "FINGER root query" LOGMSG "FINGER root query" PROTO TCP DESTPORT 79 79 DIRECTION FROM_ORIG CONTENT "root" NAME "FINGER null request" LOGMSG "FINGER null request" PROTO TCP DESTPORT 79 79 DIRECTION FROM_ORIG CONTENT "|00|" NAME "FINGER remote command \; execution attempt" LOGMSG "FINGER remote command \; execution attempt" PROTO TCP DESTPORT 79 79 DIRECTION FROM_ORIG CONTENT "|3b|" NAME "FINGER remote command pipe execution attempt" LOGMSG "FINGER remote command pipe execution attempt" PROTO TCP DESTPORT 79 79 DIRECTION FROM_ORIG CONTENT "|7c|" NAME "FINGER bomb attempt" LOGMSG "FINGER bomb attempt" PROTO TCP DESTPORT 79 79 DIRECTION FROM_ORIG CONTENT "@@" NAME "FINGER redirection attempt" LOGMSG "FINGER redirection attempt" PROTO TCP DESTPORT 79 79 DIRECTION FROM_ORIG 
CONTENT "@" NAME "FINGER cybercop query" LOGMSG "FINGER cybercop query" PROTO TCP DESTPORT 79 79 DIRECTION FROM_ORIG CONTENT "|0A| " DEPTH 10 NAME "FINGER 0 query" LOGMSG "FINGER 0 query" PROTO TCP DESTPORT 79 79 DIRECTION FROM_ORIG CONTENT "0" NAME "FINGER . query" LOGMSG "FINGER . query" PROTO TCP DESTPORT 79 79 DIRECTION FROM_ORIG CONTENT "." NAME "FINGER version query" LOGMSG "FINGER version query" PROTO TCP DESTPORT 79 79 DIRECTION FROM_ORIG CONTENT "version" END ########################################## # # FTP # ########################################## BEGIN GROUPNAME FROM_EXT_FTP TYPE ATTACKSIG NAME "FTP CEL overflow attempt" LOGMSG "FTP CEL overflow attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "CEL " NOCASE CONTENT !"|0a|" WITHIN 100 NAME "FTP CWD overflow attempt" LOGMSG "FTP CWD overflow attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "CWD " NOCASE CONTENT !"|0a|" WITHIN 100 NAME "FTP CMD overflow attempt" LOGMSG "FTP CMD overflow attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "CMD " NOCASE CONTENT !"|0a|" WITHIN 100 NAME "FTP STAT overflow attempt" LOGMSG "FTP STAT overflow attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "STAT " NOCASE CONTENT !"|0a|" WITHIN 100 NAME "FTP SITE CHOWN overflow attempt" LOGMSG "FTP SITE CHOWN overflow attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "SITE " NOCASE CONTENT " CHOWN " NOCASE CONTENT !"|0a|" WITHIN 100 NAME "FTP SITE NEWER overflow attempt" LOGMSG "FTP SITE NEWER overflow attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "SITE " NOCASE CONTENT " NEWER " NOCASE CONTENT !"|0a|" WITHIN 100 NAME "FTP SITE CPWD overflow attempt" LOGMSG "FTP SITE CPWD overflow attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "SITE " NOCASE CONTENT " CPWD " NOCASE CONTENT !"|0a|" WITHIN 100 NAME "FTP SITE EXEC format string attempt" LOGMSG "FTP SITE EXEC format string attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT 
"SITE" NOCASE CONTENT "EXEC " NOCASE DISTANCE 0 CONTENT "%" DISTANCE 1 CONTENT "%" DISTANCE 1 NAME "FTP SITE overflow attempt" LOGMSG "FTP SITE overflow attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "SITE " NOCASE CONTENT !"|0a|" WITHIN 100 NAME "FTP USER overflow attempt" LOGMSG "FTP USER overflow attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "USER " NOCASE CONTENT !"|0a|" WITHIN 100 NAME "FTP PASS overflow attempt" LOGMSG "FTP PASS overflow attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "PASS " NOCASE CONTENT !"|0a|" WITHIN 100 NAME "FTP RMDIR overflow attempt" LOGMSG "FTP RMDIR overflow attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "RMDIR " NOCASE CONTENT !"|0a|" WITHIN 100 NAME "FTP MKD overflow attempt" LOGMSG "FTP MKD overflow attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "MKD " NOCASE CONTENT !"|0a|" WITHIN 100 NAME "FTP REST overflow attempt" LOGMSG "FTP REST overflow attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "REST " NOCASE CONTENT !"|0a|" WITHIN 100 NAME "FTP DELE overflow attempt" LOGMSG "FTP DELE overflow attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "DELE " NOCASE CONTENT !"|0a|" WITHIN 100 NAME "FTP RMD overflow attempt" LOGMSG "FTP RMD overflow attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "RMD " NOCASE CONTENT !"|0a|" WITHIN 100 NAME "FTP invalid MODE" LOGMSG "FTP invalid MODE" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "MODE " NOCASE CONTENT !" B" NOCASE CONTENT !" A" NOCASE CONTENT !" S" NOCASE CONTENT !" 
C" NOCASE NAME "FTP CWD C\:\\" LOGMSG "FTP CWD C\:\\" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "CWD" NOCASE CONTENT "C\:\\" DISTANCE 1 NAME "FTP SITE ZIPCHK attempt" LOGMSG "FTP SITE ZIPCHK attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "SITE " NOCASE CONTENT " ZIPCHK " NOCASE CONTENT !"|0a|" WITHIN 100 NAME "FTP SITE NEWER attempt" LOGMSG "FTP SITE NEWER attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "SITE " NOCASE CONTENT " NEWER " NOCASE NAME "FTP site exec" LOGMSG "FTP site exec" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "SITE " NOCASE CONTENT "EXEC " NOCASE DISTANCE 0 NAME "FTP EXPLOIT STAT * dos attempt" LOGMSG "FTP EXPLOIT STAT * dos attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "STAT" NOCASE CONTENT "*" DISTANCE 1 NAME "FTP EXPLOIT STAT ? dos attempt" LOGMSG "FTP EXPLOIT STAT ? dos attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "STAT" NOCASE CONTENT "?" DISTANCE 1 NAME "FTP CWD ~root attempt" LOGMSG "FTP CWD ~root attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "CWD " CONTENT " ~root" NOCASE NAME "FTP CWD ..." LOGMSG "FTP CWD ..." PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "CWD " CONTENT " ..." NAME "FTP CWD ~ attempt" LOGMSG "FTP CWD ~ attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "CWD " CONTENT " ~|0A|" NAME "FTP CWD ~ attempt" LOGMSG "FTP CWD ~ attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "CWD " CONTENT " ~|0D0A|" NAME "FTP CWD .... attempt" LOGMSG "FTP CWD .... attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "CWD " CONTENT " ...." NAME "FTP serv-u directory transversal" LOGMSG "FTP serv-u directory transversal" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT ".%20." 
NOCASE NAME "FTP wu-ftp bad file completion attempt [" LOGMSG "FTP wu-ftp bad file completion attempt [" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "~" CONTENT "[" DISTANCE 1 NAME "FTP wu-ftp bad file completion attempt {" LOGMSG "FTP wu-ftp bad file completion attempt {" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "~" CONTENT "{" DISTANCE 1 NAME "FTP format string attempt" LOGMSG "FTP format string attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "%p" NOCASE NAME "FTP RNFR ././ attempt" LOGMSG "FTP RNFR ././ attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "RNFR " NOCASE CONTENT " ././" NOCASE NAME "FTP LIST directory traversal attempt" LOGMSG "FTP LIST directory traversal attempt" PROTO TCP DESTPORT 21 21 CONTENT "LIST" CONTENT ".." DISTANCE 1 CONTENT ".." DISTANCE 1 NAME "FTP .forward" LOGMSG "FTP .forward" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT ".forward" NAME "FTP .rhosts" LOGMSG "FTP .rhosts" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT ".rhosts" NAME "FTP authorized_keys" LOGMSG "FTP authorized_keys" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "authorized_keys" NAME "FTP passwd retrieval attempt" LOGMSG "FTP passwd retrieval attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "RETR" NOCASE CONTENT "passwd" NAME "FTP shadow retrieval attempt" LOGMSG "FTP shadow retrieval attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "RETR" NOCASE CONTENT "shadow" NAME "FTP ADMw0rm ftp login attempt" LOGMSG "FTP ADMw0rm ftp login attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "USER w0rm|0D0A|" NAME "FTP adm scan" LOGMSG "FTP adm scan" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "PASS ddd@|0a|" NAME "FTP iss scan" LOGMSG "FTP iss scan" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "pass -iss@iss" NAME "FTP pass wh00t" LOGMSG "FTP pass wh00t" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "pass wh00t" NOCASE NAME "FTP piss scan" LOGMSG "FTP 
piss scan" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "pass -cklaus" NAME "FTP saint scan" LOGMSG "FTP saint scan" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "pass -saint" NAME "FTP satan scan" LOGMSG "FTP satan scan" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "pass -satan" NAME "FTP CWD Root directory transversal attempt" LOGMSG "FTP CWD Root directory transversal attempt" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "CWD" NOCASE CONTENT "C\:\\" DISTANCE 1 END ########################################## # # IMAP # ########################################## BEGIN GROUPNAME FROM_EXT_IMAP TYPE ATTACKSIG NAME "IMAP login buffer overflow attempt" LOGMSG "IMAP login buffer overflow attempt" PROTO TCP DESTPORT 143 143 DIRECTION FROM_ORIG CONTENT " LOGIN " CONTENT !"|0a|" WITHIN 100 NAME "IMAP authenticate overflow attempt" LOGMSG "IMAP authenticate overflow attempt" PROTO TCP DESTPORT 143 143 DIRECTION FROM_ORIG CONTENT " AUTHENTICATE " NOCASE CONTENT !"|0a|" WITHIN 100 NAME "IMAP lsub overflow attempt" LOGMSG "IMAP lsub overflow attempt" PROTO TCP DESTPORT 143 143 CONTENT " LSUB " CONTENT !"|0a|" WITHIN 100 NAME "IMAP list overflow attempt" LOGMSG "IMAP list overflow attempt" PROTO TCP DESTPORT 143 143 DIRECTION FROM_ORIG CONTENT " LIST " NOCASE CONTENT !"|0a|" WITHIN 100 NAME "IMAP rename overflow attempt" LOGMSG "IMAP rename overflow attempt" PROTO TCP DESTPORT 143 143 DIRECTION FROM_ORIG CONTENT " RENAME " NOCASE CONTENT !"|0a|" WITHIN 1024 NAME "IMAP find overflow attempt" LOGMSG "IMAP find overflow attempt" PROTO TCP DESTPORT 143 143 DIRECTION FROM_ORIG CONTENT " FIND " NOCASE CONTENT !"|0a|" WITHIN 1024 NAME "IMAP partial body buffer overflow attempt" LOGMSG "IMAP partial body buffer overflow attempt" PROTO TCP DESTPORT 143 143 DIRECTION FROM_ORIG CONTENT " PARTIAL " CONTENT " BODY[" CONTENT !"]" WITHIN 1024 NAME "IMAP partial body.peek buffer overflow attempt" LOGMSG "IMAP partial body.peek buffer overflow attempt" PROTO TCP 
DESTPORT 143 143 DIRECTION FROM_ORIG CONTENT " PARTIAL " CONTENT " BODY.PEEK[" CONTENT !"]" WITHIN 1024 NAME "IMAP create buffer overflow attempt" LOGMSG "IMAP create buffer overflow attempt" PROTO TCP DESTPORT 143 143 DIRECTION FROM_ORIG CONTENT " CREATE " CONTENT !"|0a|" WITHIN 1024 NAME "IMAP invalid SSLv3 data version attempt" LOGMSG "IMAP invalid SSLv3 data version attempt" PROTO TCP DESTPORT 993 993 DIRECTION FROM_ORIG CONTENT "|16|" DISTANCE 0 WITHIN 1 CONTENT "|03|" DISTANCE 0 WITHIN 1 CONTENT "|01|" DISTANCE 3 WITHIN 1 CONTENT !"|03|" DISTANCE 3 WITHIN 1 END ########################################## # # INFO # ########################################## BEGIN GROUPNAME FROM_EXT_INFO TYPE ATTACKSIG NAME "INFO Connection Closed MSG from Port 80" LOGMSG "INFO Connection Closed MSG from Port 80" PROTO TCP SRCPORT 80 80 DIRECTION FROM_TERM CONTENT "Connection closed by foreign host" NOCASE NAME "INFO FTP No Password" LOGMSG "INFO FTP No Password" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "PASS" NOCASE OFFSET 0 DEPTH 4 CONTENT "|0a|" WITHIN 3 NAME "INFO battle-mail traffic" LOGMSG "INFO battle-mail traffic" PROTO TCP DESTPORT 25 25 DIRECTION FROM_ORIG CONTENT "BattleMail" END BEGIN GROUPNAME FROM_INT_INFO TYPE ATTACKSIG NAME "INFO FTP Bad login" LOGMSG "INFO FTP Bad login" PROTO TCP SRCPORT 21 21 DIRECTION FROM_TERM CONTENT "530 Login " NOCASE NAME "INFO TELNET Bad Login" LOGMSG "INFO TELNET Bad Login" PROTO TCP SRCPORT 23 23 DIRECTION FROM_TERM CONTENT "Login failed" NOCASE NAME "INFO TELNET Bad Login" LOGMSG "INFO TELNET Bad Login" PROTO TCP SRCPORT 23 23 DIRECTION FROM_TERM CONTENT "Login incorrect" NOCASE NAME "INFO psyBNC access" LOGMSG "INFO psyBNC access" PROTO TCP DIRECTION FROM_TERM CONTENT "Welcome!psyBNC@lam3rz.de" END ########################################## # # MISC # ########################################## BEGIN GROUPNAME FROM_EXT_MISC TYPE ATTACKSIG NAME "MISC Insecure TIMBUKTU Password" LOGMSG "MISC Insecure TIMBUKTU Password" 
PROTO TCP DESTPORT 1417 1417 DIRECTION FROM_ORIG CONTENT "|05 00 3E|" DEPTH 16 NAME "MISC PCAnywhere Attempted Administrator Login" LOGMSG "MISC PCAnywhere Attempted Administrator Login" PROTO TCP DESTPORT 5631 5631 DIRECTION FROM_ORIG CONTENT "ADMINISTRATOR" NOCASE NAME "MISC gopher proxy" LOGMSG "MISC gopher proxy" PROTO TCP DESTPORT 70 70 DIRECTION FROM_ORIG CONTENT "ftp|3a|" NOCASE CONTENT "@/" NAME "MISC SNMP NT UserList" LOGMSG "MISC SNMP NT UserList" PROTO UDP DESTPORT 161 161 CONTENT "|2b 06 10 40 14 d1 02 19|" NAME "MISC xdmcp query" LOGMSG "MISC xdmcp query" PROTO UDP DESTPORT 177 177 CONTENT "|00 01 00 03 00 01 00|" NAME "MISC xdmcp info query" LOGMSG "MISC xdmcp info query" PROTO UDP DESTPORT 177 177 CONTENT "|00 01 00 02 00 01 00|" NAME "MISC UPnP malformed advertisement" LOGMSG "MISC UPnP malformed advertisement" PROTO UDP DESTPORT 1900 1900 CONTENT "NOTIFY * " NOCASE NAME "MISC UPnP Location overflow" LOGMSG "MISC UPnP Location overflow" PROTO UDP DESTPORT 1900 1900 CONTENT "|0d|Location|3a|" NOCASE CONTENT !"|0a|" WITHIN 128 NAME "MISC AFS access" LOGMSG "MISC AFS access" PROTO UDP DESTPORT 7001 7001 CONTENT "|00 00 03 e7 00 00 00 00 00 00 00 65 00 00 00 00 00 00 00 00 0d 05 00 00 00 00 00 00 00|" NAME "MISC OpenSSL Worm traffic" LOGMSG "MISC OpenSSL Worm traffic" PROTO TCP DESTPORT 443 443 DIRECTION FROM_ORIG CONTENT "TERM=xterm" NOCASE NAME "MISC slapper worm admin traffic" LOGMSG "MISC slapper worm admin traffic" PROTO UDP SRCPORT 2002 2002 DESTPORT 2002 2002 CONTENT "|0000 4500 0045 0000 4000|" OFFSET 0 DEPTH 10 NAME "MISC MS Terminal server request (RDP)" LOGMSG "MISC MS Terminal server request (RDP)" PROTO TCP DESTPORT 3389 3389 DIRECTION FROM_ORIG CONTENT "|03 00 00 0b 06 E0 00 00 00 00 00|" OFFSET 0 DEPTH 11 NAME "MISC MS Terminal server request" LOGMSG "MISC MS Terminal server request" PROTO TCP DESTPORT 3389 3389 DIRECTION FROM_ORIG CONTENT "|03 00 00|" OFFSET 0 DEPTH 3 CONTENT "|e0 00 00 00 00 00|" OFFSET 5 DEPTH 6 NAME "MISC Alcatel PABX 
4400 connection attempt" LOGMSG "MISC Alcatel PABX 4400 connection attempt" PROTO TCP DESTPORT 2533 2533 DIRECTION FROM_ORIG CONTENT "|000143|" OFFSET 0 DEPTH 3 NAME "MISC bootp hostname format string attempt" LOGMSG "MISC bootp hostname format string attempt" PROTO UDP DESTPORT 67 67 CONTENT "|01|" OFFSET 0 DEPTH 1 CONTENT "|0C|" DISTANCE 240 CONTENT "%" DISTANCE 0 CONTENT "%" DISTANCE 1 WITHIN 8 CONTENT "%" DISTANCE 1 WITHIN 8 NAME "MISC GlobalSunTech Access Point Information Disclosure attempt" LOGMSG "MISC GlobalSunTech Access Point Information Disclosure attempt" PROTO UDP DESTPORT 27155 27155 CONTENT "gstsearch" NAME "MISC rsyncd module list access" LOGMSG "MISC rsyncd module list access" PROTO TCP DESTPORT 873 873 DIRECTION FROM_ORIG CONTENT "|23|list" OFFSET 0 DEPTH 5 NAME "MISC LDAP invalid SSLv3 data version attempt" LOGMSG "MISC LDAP invalid SSLv3 data version attempt" PROTO TCP DESTPORT 636 636 DIRECTION FROM_ORIG CONTENT "|16|" DISTANCE 0 WITHIN 1 CONTENT "|03|" DISTANCE 0 WITHIN 1 CONTENT "|01|" DISTANCE 3 WITHIN 1 CONTENT !"|03|" DISTANCE 3 WITHIN 1 # NAME "MISC MS Terminal Server no encryption session initiation attmept" LOGMSG "MISC MS Terminal Server no encryption session initiation attmept" PROTO TCP DESTPORT 3389 3389 DIRECTION FROM_ORIG CONTENT "|03 00 01|" DEPTH 3 CONTENT "|00|" OFFSET 288 DEPTH 1 END BEGIN GROUPNAME FROM_INT_MISC TYPE ATTACKSIG NAME "MISC PCAnywhere Failed Login" LOGMSG "MISC PCAnywhere Failed Login" PROTO TCP SRCPORT 5631 5632 DIRECTION FROM_TERM CONTENT "Invalid login" DEPTH 16 NAME "MISC ramen worm" LOGMSG "MISC ramen worm" PROTO TCP DESTPORT 27374 27374 DIRECTION FROM_ORIG CONTENT "GET " NOCASE DEPTH 8 NAME "MISC xtacacs failed login response" LOGMSG "MISC xtacacs failed login response" PROTO UDP SRCPORT 49 49 CONTENT "|80 02|" OFFSET 0 DEPTH 2 CONTENT "|02|" DISTANCE 4 NAME "MISC isakmp login failed" LOGMSG "MISC isakmp login failed" PROTO UDP SRCPORT 500 500 DESTPORT 500 500 CONTENT "|10 05|" OFFSET 17 DEPTH 2 CONTENT 
"|00 00 00 01 01 00 00 18|" DISTANCE 13 WITHIN 8 NAME "MISC CVS invalid user authentication response" LOGMSG "MISC CVS invalid user authentication response" PROTO TCP SRCPORT 2401 2401 DIRECTION FROM_TERM CONTENT "E Fatal error, aborting." CONTENT "|3a| no such user" NAME "MISC CVS invalid repository response" LOGMSG "MISC CVS invalid repository response" PROTO TCP SRCPORT 2401 2401 DIRECTION FROM_TERM CONTENT "error " CONTENT "\: no such repository" CONTENT "I HATE YOU" NAME "MISC CVS double free exploit attempt response" LOGMSG "MISC CVS double free exploit attempt response" PROTO TCP SRCPORT 2401 2401 DIRECTION FROM_TERM CONTENT "free()\: warning\: chunk is already free" NAME "MISC CVS invalid directory response" LOGMSG "MISC CVS invalid directory response" PROTO TCP SRCPORT 2401 2401 DIRECTION FROM_TERM CONTENT "E protocol error\: invalid directory syntax in" NAME "MISC CVS missing cvsroot response" LOGMSG "MISC CVS missing cvsroot response" PROTO TCP SRCPORT 2401 2401 DIRECTION FROM_TERM CONTENT "E protocol error\: Root request missing" NAME "MISC CVS invalid module response" LOGMSG "MISC CVS invalid module response" PROTO TCP SRCPORT 2401 2401 DIRECTION FROM_TERM CONTENT "cvs server\: cannot find module" CONTENT "error" DISTANCE 1 NAME "MISC AIM AddGame attempt" LOGMSG "MISC AIM AddGame attempt" PROTO TCP DIRECTION FROM_TERM CONTENT "aim\:AddGame?" NOCASE NAME "MISC AIM AddExternalApp attempt" LOGMSG "MISC AIM AddExternalApp attempt" PROTO TCP DIRECTION FROM_TERM CONTENT "aim\:AddExternalApp?" 
NOCASE NAME "MISC CVS non-relative path error response" LOGMSG "MISC CVS non-relative path error response" PROTO TCP SRCPORT 2401 2401 DIRECTION FROM_TERM CONTENT "E cvs server\: warning\: cannot make directory CVS in /" END ########################################## # # MULTIMEDIA # ########################################## # BEGIN # GROUPNAME FROM_EXT_MULTIMEDIA # TYPE ATTACKSIG # NAME "MULTIMEDIA Windows Media audio download" LOGMSG "MULTIMEDIA Windows Media audio download" PROTO TCP SRCPORT 80 80 DIRECTION FROM_TERM CONTENT "Content-type\: audio/x-ms-wma" CONTENT "|0a|" WITHIN 2 # NAME "MULTIMEDIA Windows Media Video download" LOGMSG "MULTIMEDIA Windows Media Video download" PROTO TCP SRCPORT 80 80 DIRECTION FROM_TERM CONTENT "Content-type\: video/x-ms-asf" CONTENT "|0a|" WITHIN 2 # NAME "MULTIMEDIA Shoutcast playlist redirection" LOGMSG "MULTIMEDIA Shoutcast playlist redirection" PROTO TCP SRCPORT 80 80 DIRECTION FROM_TERM CONTENT "Content-type\: audio/x-scpls" CONTENT "|0a|" WITHIN 2 # NAME "MULTIMEDIA Icecast playlist redirection" LOGMSG "MULTIMEDIA Icecast playlist redirection" PROTO TCP SRCPORT 80 80 DIRECTION FROM_TERM CONTENT "Content-type\: audio/x-mpegurl" CONTENT "|0a|" WITHIN 2 # END # # BEGIN # GROUPNAME FROM_INT_MULTIMEDIA # TYPE ATTACKSIG # NAME "MULTIMEDIA Quicktime User Agent access" LOGMSG "MULTIMEDIA Quicktime User Agent access" PROTO TCP DESTPORT 80 80 DIRECTION FROM_ORIG CONTENT "User-Agent\: Quicktime" # NAME "MULTIMEDIA audio galaxy keepalive" LOGMSG "MULTIMEDIA audio galaxy keepalive" PROTO TCP CONTENT "|45 5F 00 03 05|" OFFSET 0 DEPTH 5 # END ########################################## # # MYSQL # ########################################## BEGIN GROUPNAME FROM_EXT_MYSQL TYPE ATTACKSIG NAME "MYSQL root login attempt" LOGMSG "MYSQL root login attempt" PROTO TCP DESTPORT 3306 3306 DIRECTION FROM_ORIG CONTENT "|0A 00 00 01 85 04 00 00 80 72 6F 6F 74 00|" NAME "MYSQL show databases attempt" LOGMSG "MYSQL show databases attempt" PROTO TCP 
DESTPORT 3306 3306 DIRECTION FROM_ORIG CONTENT "|0f 00 00 00 03|show databases" END ########################################## # # NETBIOS # ########################################## BEGIN GROUPNAME FROM_EXT_NETBIOS TYPE ATTACKSIG NAME "NETBIOS nimda .eml" LOGMSG "NETBIOS nimda .eml" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "|00|.|00|E|00|M|00|L" NAME "NETBIOS nimda .nws" LOGMSG "NETBIOS nimda .nws" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "|00|.|00|N|00|W|00|S" NAME "NETBIOS nimda RICHED20.DLL" LOGMSG "NETBIOS nimda RICHED20.DLL" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "R|00|I|00|C|00|H|00|E|00|D|00|2|00|0" NAME "NETBIOS DOS RFPoison" LOGMSG "NETBIOS DOS RFPoison" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "|5C 00 5C 00 2A 00 53 00 4D 00 42 00 53 00 45 00 52 00 56 00 45 00 52 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00|" NAME "NETBIOS NT NULL session" LOGMSG "NETBIOS NT NULL session" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "|00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4E 00 54 00 20 00 31 00 33 00 38 00 31|" NAME "NETBIOS RFParalyze Attempt" LOGMSG "NETBIOS RFParalyze Attempt" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "BEAVIS" CONTENT "yep yep" NAME "NETBIOS SMB ADMIN$access" LOGMSG "NETBIOS SMB ADMIN$access" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "\\ADMIN$|00 41 3a 00|" NAME "NETBIOS SMB C$ access" LOGMSG "NETBIOS SMB C$ access" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "|5c|C$|00 41 3a 00|" NAME "NETBIOS SMB CD.." LOGMSG "NETBIOS SMB CD.." PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "\\..|2f 00 00 00|" NAME "NETBIOS SMB CD..." LOGMSG "NETBIOS SMB CD..." 
PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "\\...|00 00 00|" NAME "NETBIOS SMB D$access" LOGMSG "NETBIOS SMB D$access" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "\\D$|00 41 3a 00|" NAME "NETBIOS SMB IPC$ share access" LOGMSG "NETBIOS SMB IPC$ share access" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "|00|" OFFSET 0 DEPTH 1 CONTENT "|FF|SMB|75|" OFFSET 4 DEPTH 5 CONTENT "\\IPC$|00|" NOCASE NAME "NETBIOS SMB IPC$ share access (unicode)" LOGMSG "NETBIOS SMB IPC$ share access (unicode)" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "|00|" OFFSET 0 DEPTH 1 CONTENT "|FF|SMB|75|" OFFSET 4 DEPTH 5 CONTENT "|5c00|I|00|P|00|C|00|$|00|" NOCASE NAME "NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt" LOGMSG "NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "|00|" OFFSET 0 DEPTH 1 CONTENT "|FF|SMB|25|" OFFSET 4 DEPTH 5 CONTENT "|00 00 00 00|" OFFSET 43 DEPTH 4 NAME "NETBIOS SMB winreg access" LOGMSG "NETBIOS SMB winreg access" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "|00|" OFFSET 0 DEPTH 1 CONTENT "|FF|SMB|a2|" OFFSET 4 DEPTH 5 CONTENT "\\winreg|00|" NOCASE OFFSET 85 NAME "NETBIOS SMB winreg unicode access" LOGMSG "NETBIOS SMB winreg unicode access" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "|00|" OFFSET 0 DEPTH 1 CONTENT "|FF|SMB|a2|" OFFSET 4 DEPTH 5 CONTENT "\\|00|w|00|i|00|n|00|r|00|e|00|g|00|" NOCASE OFFSET 85 NAME "NETBIOS SMB startup folder access" LOGMSG "NETBIOS SMB startup folder access" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "|00|" OFFSET 0 DEPTH 1 CONTENT "|FF|SMB|32|" OFFSET 4 DEPTH 5 CONTENT "Documents and Settings\\All Users\\Start Menu\\Programs\\Startup|00|" NOCASE DISTANCE 0 NAME "NETBIOS SMB startup folder unicode access" LOGMSG "NETBIOS SMB startup folder unicode access" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "|00|" OFFSET 0 DEPTH 1 CONTENT 
"|FF|SMB|32|" OFFSET 4 DEPTH 5 CONTENT "\\|00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00|\\|00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00|\\|00|S|00|t|00|a|00|r|00|t|00|u|00|p" NOCASE DISTANCE 0 END ########################################## # # NNTP # ########################################## BEGIN GROUPNAME FROM_EXT_NNTP TYPE ATTACKSIG NAME "NNTP return code buffer overflow attempt" LOGMSG "NNTP return code buffer overflow attempt" PROTO TCP SRCPORT 119 119 DIRECTION FROM_ORIG CONTENT "200 " OFFSET 0 DEPTH 4 CONTENT !"|0a|" WITHIN 64 NAME "NNTP AUTHINFO USER overflow attempt" LOGMSG "NNTP AUTHINFO USER overflow attempt" PROTO TCP DESTPORT 119 119 DIRECTION FROM_ORIG CONTENT "AUTHINFO USER " NOCASE DEPTH 14 CONTENT !"|0a|" WITHIN 500 END ########################################## # # ORACLE # ########################################## BEGIN GROUPNAME FROM_EXT_ORACLE TYPE ATTACKSIG NAME "ORACLE EXECUTE_SYSTEM attempt" LOGMSG "ORACLE EXECUTE_SYSTEM attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "EXECUTE_SYSTEM" NOCASE NAME "ORACLE connect_data remote version detection attempt" LOGMSG "ORACLE connect_data remote version detection attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "connect_data\(command=version\)" NOCASE NAME "ORACLE misparsed login response" LOGMSG "ORACLE misparsed login response" PROTO TCP DIRECTION FROM_TERM CONTENT "description=\(" NOCASE CONTENT !"connect_data=\(sid=" NOCASE CONTENT !"address=\(protocol=tcp" NOCASE NAME "ORACLE select union attempt" LOGMSG "ORACLE select union attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "select " NOCASE CONTENT " union " NOCASE NAME "ORACLE select like '%' attempt" LOGMSG "ORACLE select like '%' attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT " where " NOCASE CONTENT " like '%'" NOCASE NAME "ORACLE describe attempt" LOGMSG "ORACLE describe attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "describe " NOCASE NAME "ORACLE all_constraints access" LOGMSG "ORACLE all_constraints access" PROTO TCP DIRECTION FROM_ORIG 
CONTENT "all_constraints" NOCASE NAME "ORACLE all_views access" LOGMSG "ORACLE all_views access" PROTO TCP DIRECTION FROM_ORIG CONTENT "all_views" NOCASE NAME "ORACLE all_source access" LOGMSG "ORACLE all_source access" PROTO TCP DIRECTION FROM_ORIG CONTENT "all_source" NOCASE NAME "ORACLE all_tables access" LOGMSG "ORACLE all_tables access" PROTO TCP DIRECTION FROM_ORIG CONTENT "all_tables" NOCASE NAME "ORACLE all_tab_columns access" LOGMSG "ORACLE all_tab_columns access" PROTO TCP DIRECTION FROM_ORIG CONTENT "all_tab_columns" NOCASE NAME "ORACLE all_tab_privs access" LOGMSG "ORACLE all_tab_privs access" PROTO TCP DIRECTION FROM_ORIG CONTENT "all_tab_privs" NOCASE NAME "ORACLE dba_tablespace access" LOGMSG "ORACLE dba_tablespace access" PROTO TCP DIRECTION FROM_ORIG CONTENT "dba_tablespace" NOCASE NAME "ORACLE dba_tables access" LOGMSG "ORACLE dba_tables access" PROTO TCP DIRECTION FROM_ORIG CONTENT "dba_tables" NOCASE NAME "ORACLE user_tablespace access" LOGMSG "ORACLE user_tablespace access" PROTO TCP DIRECTION FROM_ORIG CONTENT "user_tablespace" NOCASE NAME "ORACLE sys.all_users access" LOGMSG "ORACLE sys.all_users access" PROTO TCP DIRECTION FROM_ORIG CONTENT "sys.all_users" NOCASE NAME "ORACLE grant attempt" LOGMSG "ORACLE grant attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "grant " NOCASE CONTENT " to " NOCASE NAME "ORACLE ALTER USER attempt" LOGMSG "ORACLE ALTER USER attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "alter user" NOCASE CONTENT " identified by " NOCASE NAME "ORACLE drop table attempt" LOGMSG "ORACLE drop table attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "drop table" NOCASE NAME "ORACLE create table attempt" LOGMSG "ORACLE create table attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "create table" NOCASE NAME "ORACLE alter table attempt" LOGMSG "ORACLE alter table attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "alter table" NOCASE NAME "ORACLE truncate table attempt" LOGMSG "ORACLE truncate table attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT 
"truncate table" NOCASE NAME "ORACLE create database attempt" LOGMSG "ORACLE create database attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "create database" NOCASE NAME "ORACLE alter database attempt" LOGMSG "ORACLE alter database attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "alter database" NOCASE END ########################################## # # P2P # ########################################## BEGIN GROUPNAME FROM_EXT_P2P TYPE ATTACKSIG NAME "P2P napster download attempt" LOGMSG "P2P napster download attempt" PROTO TCP DESTPORT 8888 8888 DIRECTION FROM_ORIG CONTENT "|00 cb00|" OFFSET 1 DEPTH 3 NAME "P2P napster upload request" LOGMSG "P2P napster upload request" PROTO TCP SRCPORT 8888 8888 DIRECTION FROM_TERM CONTENT "|00 5f02|" OFFSET 1 DEPTH 3 NAME "P2P Napster Client Data" LOGMSG "P2P Napster Client Data" PROTO TCP DESTPORT 6699 6699 CONTENT ".mp3" NOCASE NAME "P2P Napster Client Data" LOGMSG "P2P Napster Client Data" PROTO TCP DESTPORT 7777 7777 DIRECTION FROM_ORIG CONTENT ".mp3" NOCASE NAME "P2P Napster Client Data" LOGMSG "P2P Napster Client Data" PROTO TCP DESTPORT 6666 6666 CONTENT ".mp3" NOCASE NAME "P2P Napster Client Data" LOGMSG "P2P Napster Client Data" PROTO TCP DESTPORT 5555 5555 CONTENT ".mp3" NOCASE NAME "P2P Napster Server Login" LOGMSG "P2P Napster Server Login" PROTO TCP DESTPORT 8875 8875 CONTENT "anon@napster.com" NAME "P2P Fastrack (kazaa/morpheus) GET request" LOGMSG "P2P Fastrack (kazaa/morpheus) GET request" PROTO TCP DESTPORT 1214 1214 DIRECTION FROM_ORIG CONTENT "GET " DEPTH 4 END BEGIN GROUPNAME FROM_INT_P2P TYPE ATTACKSIG NAME "P2P napster login" LOGMSG "P2P napster login" PROTO TCP DESTPORT 8888 8888 DIRECTION FROM_ORIG CONTENT "|00 0200|" OFFSET 1 DEPTH 3 NAME "P2P napster new user login" LOGMSG "P2P napster new user login" PROTO TCP DESTPORT 8888 8888 DIRECTION FROM_ORIG CONTENT "|00 0600|" OFFSET 1 DEPTH 3 NAME "P2P GNUTella GET" LOGMSG "P2P GNUTella GET" PROTO TCP DESTPORT 81 65535 DIRECTION FROM_ORIG CONTENT "GET " OFFSET 0 
DEPTH 4 NAME "P2P Outbound GNUTella client request" LOGMSG "P2P Outbound GNUTella client request" PROTO TCP DIRECTION FROM_ORIG CONTENT "GNUTELLA CONNECT" DEPTH 40 NAME "P2P GNUTella client request" LOGMSG "P2P GNUTella client request" PROTO TCP DIRECTION FROM_ORIG CONTENT "GNUTELLA OK" DEPTH 40 NAME "P2P Fastrack (kazaa/morpheus) traffic" LOGMSG "P2P Fastrack (kazaa/morpheus) traffic" PROTO TCP DIRECTION FROM_ORIG CONTENT "GET" DEPTH 3 CONTENT "UserAgent\: KazaaClient" NAME "P2P BitTorrent announce request" LOGMSG "P2P BitTorrent announce request" PROTO TCP DIRECTION FROM_ORIG CONTENT "GET" OFFSET 0 DEPTH 4 CONTENT "/announce" DISTANCE 1 CONTENT "info_hash=" OFFSET 4 CONTENT "event=started" OFFSET 4 NAME "P2P BitTorrent transfer" LOGMSG "P2P BitTorrent transfer" PROTO TCP DESTPORT 6881 6889 DIRECTION FROM_ORIG CONTENT "|13|BitTorrent protocol" OFFSET 0 DEPTH 20 NAME "P2P Napster Client Data" LOGMSG "P2P Napster Client Data" PROTO TCP DESTPORT 6699 6699 CONTENT ".mp3" NOCASE NAME "P2P Napster Client Data" LOGMSG "P2P Napster Client Data" PROTO TCP DESTPORT 7777 7777 DIRECTION FROM_ORIG CONTENT ".mp3" NOCASE NAME "P2P Napster Client Data" LOGMSG "P2P Napster Client Data" PROTO TCP DESTPORT 6666 6666 CONTENT ".mp3" NOCASE NAME "P2P Napster Client Data" LOGMSG "P2P Napster Client Data" PROTO TCP DESTPORT 5555 5555 CONTENT ".mp3" NOCASE NAME "P2P Napster Server Login" LOGMSG "P2P Napster Server Login" PROTO TCP DESTPORT 8875 8875 CONTENT "anon@napster.com" END ########################################## # # POLICY # ########################################## BEGIN GROUPNAME FROM_EXT_POLICY TYPE ATTACKSIG # NAME "POLICY VNC server response" LOGMSG "POLICY VNC server response" PROTO TCP CONTENT "RFB 0" OFFSET 0 DEPTH 5 CONTENT ".0" OFFSET 7 DEPTH 2 # NAME "POLICY PCAnywhere server response" LOGMSG "POLICY PCAnywhere server response" PROTO UDP DESTPORT 5632 5632 CONTENT "ST" DEPTH 2 NAME "POLICY HP JetDirect LCD modification attempt" LOGMSG "POLICY HP JetDirect LCD 
modification attempt" PROTO TCP DESTPORT 9100 9100 DIRECTION FROM_ORIG CONTENT "@PJL RDYMSG DISPLAY =" NAME "POLICY HP JetDirect LCD modification attempt" LOGMSG "POLICY HP JetDirect LCD modification attempt" PROTO TCP DESTPORT 9000 9002 DIRECTION FROM_ORIG CONTENT "@PJL RDYMSG DISPLAY =" # NAME "POLICY vncviewer Java applet download attempt" LOGMSG "POLICY vncviewer Java applet download attempt" PROTO TCP DESTPORT 5800 5802 DIRECTION FROM_ORIG CONTENT "/vncviewer.jar" NAME "POLICY FTP file_id.diz access possible warez site" LOGMSG "POLICY FTP file_id.diz access possible warez site" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "RETR" NOCASE CONTENT "file_id.diz" NOCASE DISTANCE 1 NAME "POLICY FTP 'STOR 1MB' possible warez site" LOGMSG "POLICY FTP 'STOR 1MB' possible warez site" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "STOR" NOCASE CONTENT "1MB" NOCASE DISTANCE 1 NAME "POLICY FTP 'RETR 1MB' possible warez site" LOGMSG "POLICY FTP 'RETR 1MB' possible warez site" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "RETR" NOCASE CONTENT "1MB" NOCASE DISTANCE 1 NAME "POLICY FTP 'CWD ' possible warez site" LOGMSG "POLICY FTP 'CWD ' possible warez site" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "CWD " NOCASE DEPTH 5 NAME "POLICY FTP 'MKD ' possible warez site" LOGMSG "POLICY FTP 'MKD ' possible warez site" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "MKD " NOCASE DEPTH 5 NAME "POLICY FTP 'MKD .' possible warez site" LOGMSG "POLICY FTP 'MKD .' possible warez site" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "MKD ." 
NOCASE DEPTH 5 NAME "POLICY FTP 'CWD / ' possible warez site" LOGMSG "POLICY FTP 'CWD / ' possible warez site" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "CWD" NOCASE CONTENT "/ " DISTANCE 1 NAME "POLICY FTP 'MKD / ' possible warez site" LOGMSG "POLICY FTP 'MKD / ' possible warez site" PROTO TCP DESTPORT 21 21 DIRECTION FROM_ORIG CONTENT "MKD" NOCASE CONTENT "/ " DISTANCE 1 # NAME "POLICY PPTP Start Control Request attempt" LOGMSG "POLICY PPTP Start Control Request attempt" PROTO TCP DESTPORT 1723 1723 DIRECTION FROM_ORIG CONTENT "|00 01|" OFFSET 2 DEPTH 2 CONTENT "|00 01|" OFFSET 8 DEPTH 2 NAME "POLICY xtacacs login attempt" LOGMSG "POLICY xtacacs login attempt" PROTO UDP DESTPORT 49 49 CONTENT "|80 01|" OFFSET 0 DEPTH 2 CONTENT "|00|" DISTANCE 4 NAME "POLICY IPSec PGPNet connection attempt" LOGMSG "POLICY IPSec PGPNet connection attempt" PROTO UDP DESTPORT 500 500 CONTENT "|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00 50 01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01 51 80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01 51 80 00 00 00 10|" END BEGIN GROUPNAME FROM_INT_POLICY TYPE ATTACKSIG NAME "POLICY WinGate telnet server response" LOGMSG "POLICY WinGate telnet server response" PROTO TCP SRCPORT 23 23 DIRECTION FROM_TERM CONTENT "WinGate>" NAME "POLICY xtacacs accepted login response" LOGMSG "POLICY xtacacs accepted login response" PROTO UDP SRCPORT 49 49 CONTENT "|80 02|" OFFSET 0 DEPTH 2 CONTENT "|01|" DISTANCE 4 END ########################################## # # POP2 # ########################################## BEGIN GROUPNAME FROM_EXT_POP2 TYPE ATTACKSIG NAME "POP2 FOLD overflow attempt" LOGMSG "POP2 FOLD overflow attempt" PROTO TCP DESTPORT 109 109 DIRECTION FROM_ORIG CONTENT "FOLD " CONTENT !"|0A|" WITHIN 256 NAME "POP2 FOLD arbitrary file attempt" 
LOGMSG "POP2 FOLD arbitrary file attempt" PROTO TCP DESTPORT 109 109 DIRECTION FROM_ORIG CONTENT "FOLD /" NAME "POP2 x86 Linux overflow" LOGMSG "POP2 x86 Linux overflow" PROTO TCP DESTPORT 109 109 DIRECTION FROM_ORIG CONTENT "|eb2c 5b89 d980 c106 39d9 7c07 8001|" NAME "POP2 x86 Linux overflow" LOGMSG "POP2 x86 Linux overflow" PROTO TCP DESTPORT 109 109 DIRECTION FROM_ORIG CONTENT "|ffff ff2f 4249 4e2f 5348 00|" END ########################################## # # POP3 # ########################################## BEGIN GROUPNAME FROM_EXT_POP3 TYPE ATTACKSIG NAME "POP3 USER overflow attempt" LOGMSG "POP3 USER overflow attempt" PROTO TCP DESTPORT 110 110 DIRECTION FROM_ORIG CONTENT "USER" NOCASE CONTENT !"|0a|" WITHIN 50 NAME "POP3 CAPA overflow attempt" LOGMSG "POP3 CAPA overflow attempt" PROTO TCP DESTPORT 110 110 DIRECTION FROM_ORIG CONTENT "CAPA" NOCASE CONTENT !"|0a|" WITHIN 10 NAME "POP3 TOP overflow attempt" LOGMSG "POP3 TOP overflow attempt" PROTO TCP DESTPORT 110 110 DIRECTION FROM_ORIG CONTENT "TOP" NOCASE CONTENT !"|0a|" WITHIN 10 NAME "POP3 STAT overflow attempt" LOGMSG "POP3 STAT overflow attempt" PROTO TCP DESTPORT 110 110 DIRECTION FROM_ORIG CONTENT "STAT" NOCASE CONTENT !"|0a|" WITHIN 10 NAME "POP3 DELE overflow attempt" LOGMSG "POP3 DELE overflow attempt" PROTO TCP DESTPORT 110 110 DIRECTION FROM_ORIG CONTENT "DELE" NOCASE CONTENT !"|0a|" WITHIN 10 NAME "POP3 RSET overflow attempt" LOGMSG "POP3 RSET overflow attempt" PROTO TCP DESTPORT 110 110 DIRECTION FROM_ORIG CONTENT "RSET" NOCASE CONTENT !"|0a|" WITHIN 10 NAME "POP3 AUTH overflow attempt" LOGMSG "POP3 AUTH overflow attempt" PROTO TCP DESTPORT 110 110 DIRECTION FROM_ORIG CONTENT "AUTH" NOCASE CONTENT !"|0a|" WITHIN 50 NAME "POP3 LIST overflow attempt" LOGMSG "POP3 LIST overflow attempt" PROTO TCP DESTPORT 110 110 DIRECTION FROM_ORIG CONTENT "LIST" NOCASE CONTENT !"|0a|" WITHIN 50 NAME "POP3 XTND overflow attempt" LOGMSG "POP3 XTND overflow attempt" PROTO TCP DESTPORT 110 110 DIRECTION FROM_ORIG 
CONTENT "XTND" NOCASE CONTENT !"|0a|" WITHIN 50 NAME "POP3 PASS overflow attempt" LOGMSG "POP3 PASS overflow attempt" PROTO TCP DESTPORT 110 110 DIRECTION FROM_ORIG CONTENT "PASS" NOCASE CONTENT !"|0a|" WITHIN 50 NAME "POP3 APOP overflow attempt" LOGMSG "POP3 APOP overflow attempt" PROTO TCP DESTPORT 110 110 DIRECTION FROM_ORIG CONTENT "APOP" NOCASE CONTENT !"|0a|" WITHIN 256 NAME "POP3 EXPLOIT x86 BSD overflow" LOGMSG "POP3 EXPLOIT x86 BSD overflow" PROTO TCP DESTPORT 110 110 DIRECTION FROM_ORIG CONTENT "|685d 5eff d5ff d4ff f58b f590 6631|" NAME "POP3 EXPLOIT x86 Linux overflow" LOGMSG "POP3 EXPLOIT x86 Linux overflow" PROTO TCP DESTPORT 110 110 DIRECTION FROM_ORIG CONTENT "|d840 cd80 e8d9 ffff ff|/bin/sh" NAME "POP3 EXPLOIT x86 SCO overflow" LOGMSG "POP3 EXPLOIT x86 SCO overflow" PROTO TCP DESTPORT 110 110 DIRECTION FROM_ORIG CONTENT "|560e 31c0 b03b 8d7e 1289 f989 f9|" NAME "POP3 EXPLOIT qpopper overflow" LOGMSG "POP3 EXPLOIT qpopper overflow" PROTO TCP DESTPORT 110 110 DIRECTION FROM_ORIG CONTENT "|E8 D9FF FFFF|/bin/sh" NAME "POP3 invalid SSLv3 data version attempt" LOGMSG "POP3 invalid SSLv3 data version attempt" PROTO TCP DESTPORT 995 995 DIRECTION FROM_ORIG CONTENT "|16|" DISTANCE 0 WITHIN 1 CONTENT "|03|" DISTANCE 0 WITHIN 1 CONTENT "|01|" DISTANCE 3 WITHIN 1 CONTENT !"|03|" DISTANCE 3 WITHIN 1 NAME "POP3 USER format string attempt" LOGMSG "POP3 USER format string attempt" PROTO TCP DESTPORT 110 110 DIRECTION FROM_ORIG CONTENT "USER" NOCASE CONTENT "%" DISTANCE 1 CONTENT "%" DISTANCE 1 END ########################################## # # PORN # ########################################## # BEGIN # GROUPNAME FROM_EXT_PORN # TYPE ATTACKSIG # NAME "PORN alt.binaries.pictures.erotica" LOGMSG "PORN alt.binaries.pictures.erotica" PROTO TCP DIRECTION FROM_TERM CONTENT "alt.binaries.pictures.erotica" NOCASE # NAME "PORN alt.binaries.pictures.tinygirls" LOGMSG "PORN alt.binaries.pictures.tinygirls" PROTO TCP DIRECTION FROM_TERM CONTENT 
"alt.binaries.pictures.tinygirls" NOCASE # NAME "PORN free XXX" LOGMSG "PORN free XXX" PROTO TCP DIRECTION FROM_TERM CONTENT "FREE XXX" NOCASE # NAME "PORN hardcore anal" LOGMSG "PORN hardcore anal" PROTO TCP DIRECTION FROM_TERM CONTENT "hardcore anal" NOCASE # NAME "PORN nude cheerleader" LOGMSG "PORN nude cheerleader" PROTO TCP DIRECTION FROM_TERM CONTENT "nude cheerleader" NOCASE # NAME "PORN up skirt" LOGMSG "PORN up skirt" PROTO TCP DIRECTION FROM_TERM CONTENT "up skirt" NOCASE # NAME "PORN hot young sex" LOGMSG "PORN hot young sex" PROTO TCP DIRECTION FROM_TERM CONTENT "hot young sex" NOCASE # NAME "PORN fuck fuck fuck" LOGMSG "PORN fuck fuck fuck" PROTO TCP DIRECTION FROM_TERM CONTENT "fuck fuck fuck" NOCASE # NAME "PORN anal sex" LOGMSG "PORN anal sex" PROTO TCP DIRECTION FROM_TERM CONTENT "anal sex" NOCASE # NAME "PORN hardcore rape" LOGMSG "PORN hardcore rape" PROTO TCP DIRECTION FROM_TERM CONTENT "hardcore rape" NOCASE # NAME "PORN real snuff" LOGMSG "PORN real snuff" PROTO TCP DIRECTION FROM_TERM CONTENT "real snuff" NOCASE # NAME "PORN fuck movies" LOGMSG "PORN fuck movies" PROTO TCP DIRECTION FROM_TERM CONTENT "fuck movies" NOCASE # NAME "PORN dildo" LOGMSG "PORN dildo" PROTO TCP DIRECTION FROM_TERM CONTENT "dildo" NOCASE # NAME "PORN nipple clamp" LOGMSG "PORN nipple clamp" PROTO TCP DIRECTION FROM_TERM CONTENT "nipple" NOCASE CONTENT "clamp" NOCASE # NAME "PORN oral sex" LOGMSG "PORN oral sex" PROTO TCP DIRECTION FROM_TERM CONTENT "oral sex" NOCASE # NAME "PORN nude celeb" LOGMSG "PORN nude celeb" PROTO TCP DIRECTION FROM_TERM CONTENT "nude celeb" NOCASE # NAME "PORN raw sex" LOGMSG "PORN raw sex" PROTO TCP DIRECTION FROM_TERM CONTENT "raw sex" NOCASE # NAME "PORN masturbation" LOGMSG "PORN masturbation" PROTO TCP DIRECTION FROM_TERM CONTENT "masturbat" NOCASE # NAME "PORN ejaculation" LOGMSG "PORN ejaculation" PROTO TCP DIRECTION FROM_TERM CONTENT "ejaculat" NOCASE # NAME "PORN BDSM" LOGMSG "PORN BDSM" PROTO TCP DIRECTION FROM_TERM CONTENT "BDSM" 
NOCASE # NAME "PORN naked lesbians" LOGMSG "PORN naked lesbians" PROTO TCP DIRECTION FROM_TERM CONTENT "naked lesbians" NOCASE # END ########################################## # # RPC # ########################################## BEGIN GROUPNAME FROM_EXT_RPC TYPE ATTACKSIG NAME "RPC portmap proxy attempt TCP" LOGMSG "RPC portmap proxy attempt TCP" PROTO TCP DESTPORT 111 111 DIRECTION FROM_ORIG CONTENT "|00 01 86 A0|" OFFSET 16 DEPTH 4 CONTENT "|00 00 00 05|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 8 DEPTH 4 NAME "RPC portmap proxy attempt UDP" LOGMSG "RPC portmap proxy attempt UDP" PROTO UDP DESTPORT 111 111 CONTENT "|00 01 86 A0|" OFFSET 12 DEPTH 4 CONTENT "|00 00 00 05|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 4 DEPTH 4 NAME "RPC portmap listing UDP 111" LOGMSG "RPC portmap listing UDP 111" PROTO UDP DESTPORT 111 111 CONTENT "|00 01 86 A0|" OFFSET 12 DEPTH 4 CONTENT "|00 00 00 04|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 4 DEPTH 4 NAME "RPC portmap listing TCP 111" LOGMSG "RPC portmap listing TCP 111" PROTO TCP DESTPORT 111 111 DIRECTION FROM_ORIG CONTENT "|00 01 86 A0|" OFFSET 16 DEPTH 4 CONTENT "|00 00 00 04|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 8 DEPTH 4 NAME "RPC portmap SET attempt TCP 111" LOGMSG "RPC portmap SET attempt TCP 111" PROTO TCP DESTPORT 111 111 DIRECTION FROM_ORIG CONTENT "|00 01 86 A0|" OFFSET 16 DEPTH 4 CONTENT "|00 00 00 01|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 8 DEPTH 4 NAME "RPC portmap SET attempt UDP 111" LOGMSG "RPC portmap SET attempt UDP 111" PROTO UDP DESTPORT 111 111 CONTENT "|00 01 86 A0|" OFFSET 12 DEPTH 4 CONTENT "|00 00 00 01|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 4 DEPTH 4 NAME "RPC portmap UNSET attempt TCP 111" LOGMSG "RPC portmap UNSET attempt TCP 111" PROTO TCP DESTPORT 111 111 DIRECTION FROM_ORIG CONTENT "|00 01 86 A0|" OFFSET 16 DEPTH 4 CONTENT "|00 00 00 02|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 8 DEPTH 4 NAME "RPC portmap UNSET 
attempt UDP 111" LOGMSG "RPC portmap UNSET attempt UDP 111" PROTO UDP DESTPORT 111 111 CONTENT "|00 01 86 A0|" OFFSET 12 DEPTH 4 CONTENT "|00 00 00 02|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 4 DEPTH 4 NAME "RPC portmap listing TCP 32771" LOGMSG "RPC portmap listing TCP 32771" PROTO TCP DESTPORT 32771 32771 DIRECTION FROM_ORIG CONTENT "|00 01 86 A0|" OFFSET 16 DEPTH 4 CONTENT "|00 00 00 04|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 8 DEPTH 4 NAME "RPC portmap listing UDP 32771" LOGMSG "RPC portmap listing UDP 32771" PROTO UDP DESTPORT 32771 32771 CONTENT "|00 01 86 A0|" OFFSET 12 DEPTH 4 CONTENT "|00 00 00 04|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 4 DEPTH 4 NAME "RPC rusers query UDP" LOGMSG "RPC rusers query UDP" PROTO UDP CONTENT "|00 01 86 A2|" OFFSET 12 DEPTH 4 CONTENT "|00 00 00 02|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 4 DEPTH 4 NAME "RPC mountd TCP export request" LOGMSG "RPC mountd TCP export request" PROTO TCP DIRECTION FROM_ORIG CONTENT "|00 01 86 A5|" OFFSET 16 DEPTH 4 CONTENT "|00 00 00 05|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 8 DEPTH 4 NAME "RPC mountd UDP export request" LOGMSG "RPC mountd UDP export request" PROTO UDP CONTENT "|00 01 86 A5|" OFFSET 12 DEPTH 4 CONTENT "|00 00 00 05|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 4 DEPTH 4 NAME "RPC mountd TCP exportall request" LOGMSG "RPC mountd TCP exportall request" PROTO TCP DIRECTION FROM_ORIG CONTENT "|00 01 86 A5|" OFFSET 16 DEPTH 4 CONTENT "|00 00 00 06|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 8 DEPTH 4 NAME "RPC mountd UDP exportall request" LOGMSG "RPC mountd UDP exportall request" PROTO UDP CONTENT "|00 01 86 A5|" OFFSET 12 DEPTH 4 CONTENT "|00 00 00 06|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 4 DEPTH 4 NAME "RPC mountd TCP mount request" LOGMSG "RPC mountd TCP mount request" PROTO TCP DIRECTION FROM_ORIG CONTENT "|00 01 86 A5|" OFFSET 16 DEPTH 4 CONTENT "|00 00 00 01|" DISTANCE 4 WITHIN 4 CONTENT 
"|00 00 00 00|" OFFSET 8 DEPTH 4 NAME "RPC mountd UDP mount request" LOGMSG "RPC mountd UDP mount request" PROTO UDP CONTENT "|00 01 86 A5|" OFFSET 12 DEPTH 4 CONTENT "|00 00 00 01|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 4 DEPTH 4 NAME "RPC mountd TCP dump request" LOGMSG "RPC mountd TCP dump request" PROTO TCP DIRECTION FROM_ORIG CONTENT "|00 01 86 A5|" OFFSET 16 DEPTH 4 CONTENT "|00 00 00 02|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 8 DEPTH 4 NAME "RPC mountd UDP dump request" LOGMSG "RPC mountd UDP dump request" PROTO UDP CONTENT "|00 01 86 A5|" OFFSET 12 DEPTH 4 CONTENT "|00 00 00 02|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 4 DEPTH 4 NAME "RPC mountd TCP unmount request" LOGMSG "RPC mountd TCP unmount request" PROTO TCP DIRECTION FROM_ORIG CONTENT "|00 01 86 A5|" OFFSET 16 DEPTH 4 CONTENT "|00 00 00 03|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 8 DEPTH 4 NAME "RPC mountd UDP unmount request" LOGMSG "RPC mountd UDP unmount request" PROTO UDP CONTENT "|00 01 86 A5|" OFFSET 12 DEPTH 4 CONTENT "|00 00 00 03|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 4 DEPTH 4 NAME "RPC mountd TCP unmountall request" LOGMSG "RPC mountd TCP unmountall request" PROTO TCP DIRECTION FROM_ORIG CONTENT "|00 01 86 A5|" OFFSET 16 DEPTH 4 CONTENT "|00 00 00 04|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 8 DEPTH 4 NAME "RPC mountd UDP unmountall request" LOGMSG "RPC mountd UDP unmountall request" PROTO UDP CONTENT "|00 01 86 A5|" OFFSET 12 DEPTH 4 CONTENT "|00 00 00 04|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 4 DEPTH 4 NAME "RPC AMD TCP pid request" LOGMSG "RPC AMD TCP pid request" PROTO TCP DESTPORT 500 65535 DIRECTION FROM_ORIG CONTENT "|00 04 93 F3|" OFFSET 16 DEPTH 4 CONTENT "|00 00 00 09|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 8 DEPTH 4 NAME "RPC AMD UDP pid request" LOGMSG "RPC AMD UDP pid request" PROTO UDP DESTPORT 500 65535 CONTENT "|00 04 93 F3|" OFFSET 12 DEPTH 4 CONTENT "|00 00 00 09|" 
DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 4 DEPTH 4 NAME "RPC AMD TCP version request" LOGMSG "RPC AMD TCP version request" PROTO TCP DESTPORT 500 65535 DIRECTION FROM_ORIG CONTENT "|00 04 93 F3|" OFFSET 16 DEPTH 4 CONTENT "|00 00 00 08|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 8 DEPTH 4 NAME "RPC AMD UDP version request" LOGMSG "RPC AMD UDP version request" PROTO UDP DESTPORT 500 65535 CONTENT "|00 04 93 F3|" OFFSET 12 DEPTH 4 CONTENT "|00 00 00 08|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 4 DEPTH 4 NAME "RPC sadmind UDP PING" LOGMSG "RPC sadmind UDP PING" PROTO UDP CONTENT "|00 01 87 88|" OFFSET 12 DEPTH 4 CONTENT "|00 00 00 00|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 4 DEPTH 4 NAME "RPC sadmind TCP PING" LOGMSG "RPC sadmind TCP PING" PROTO TCP DIRECTION FROM_ORIG CONTENT "|00 01 87 88|" OFFSET 16 DEPTH 4 CONTENT "|00 00 00 00|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 8 DEPTH 4 NAME "RPC yppasswd user update UDP" LOGMSG "RPC yppasswd user update UDP" PROTO UDP CONTENT "|00 01 86 A9|" OFFSET 12 DEPTH 4 CONTENT "|00 00 00 01|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 4 DEPTH 4 NAME "RPC yppasswd user update TCP" LOGMSG "RPC yppasswd user update TCP" PROTO TCP DIRECTION FROM_ORIG CONTENT "|00 01 86 A9|" OFFSET 16 DEPTH 4 CONTENT "|00 00 00 01|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 8 DEPTH 4 NAME "RPC ypserv maplist request UDP" LOGMSG "RPC ypserv maplist request UDP" PROTO UDP CONTENT "|00 01 86 A4|" OFFSET 12 DEPTH 4 CONTENT "|00 00 00 0B|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 4 DEPTH 4 NAME "RPC ypserv maplist request TCP" LOGMSG "RPC ypserv maplist request TCP" PROTO TCP DIRECTION FROM_ORIG CONTENT "|00 01 86 A4|" OFFSET 16 DEPTH 4 CONTENT "|00 00 00 0B|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 8 DEPTH 4 NAME "RPC network-status-monitor mon-callback request UDP" LOGMSG "RPC network-status-monitor mon-callback request UDP" PROTO UDP CONTENT "|00 03 0D 70|" OFFSET 
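12 DEPTH 4 CONTENT "|00 00 00 01|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 4 DEPTH 4
# ONC RPC call header: the program number sits at offset 12 (UDP) / 16 (TCP, after the 4-byte
# record mark); DISTANCE 4 skips the version field so the next match pins the procedure number;
# the |00 00 00 00| at offset 4 / 8 is msg_type == CALL, so replies cannot trigger these.
NAME "RPC network-status-monitor mon-callback request TCP" LOGMSG "RPC network-status-monitor mon-callback request TCP" PROTO TCP DIRECTION FROM_ORIG CONTENT "|00 03 0D 70|" OFFSET 16 DEPTH 4 CONTENT "|00 00 00 01|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 8 DEPTH 4
NAME "RPC rpc.xfsmd xfs_export attempt UDP" LOGMSG "RPC rpc.xfsmd xfs_export attempt UDP" PROTO UDP CONTENT "|00 05 F7 68|" OFFSET 12 DEPTH 4 CONTENT "|00 00 00 0D|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 4 DEPTH 4
NAME "RPC rpc.xfsmd xfs_export attempt TCP" LOGMSG "RPC rpc.xfsmd xfs_export attempt TCP" PROTO TCP DIRECTION FROM_ORIG CONTENT "|00 05 F7 68|" OFFSET 16 DEPTH 4 CONTENT "|00 00 00 0D|" DISTANCE 4 WITHIN 4 CONTENT "|00 00 00 00|" OFFSET 8 DEPTH 4
END
##########################################
#
# RSERVICES
#
##########################################
# rlogin (513) and rsh (514) carry NUL-terminated user/option fields, hence the raw |00| patterns
# below. None of these checks is anchored with OFFSET/DEPTH, so they are cheap but noisy.
BEGIN GROUPNAME FROM_EXT_RSERVICES TYPE ATTACKSIG
NAME "RSERVICES rlogin LinuxNIS" LOGMSG "RSERVICES rlogin LinuxNIS" PROTO TCP DESTPORT 513 513 DIRECTION FROM_ORIG CONTENT "|3a3a 3a3a 3a3a 3a3a 003a 3a3a 3a3a 3a3a 3a|"
NAME "RSERVICES rlogin bin" LOGMSG "RSERVICES rlogin bin" PROTO TCP DESTPORT 513 513 DIRECTION FROM_ORIG CONTENT "bin|00|bin|00|"
NAME "RSERVICES rlogin echo++" LOGMSG "RSERVICES rlogin echo++" PROTO TCP DESTPORT 513 513 DIRECTION FROM_ORIG CONTENT "echo |22| + + |22|"
# Renamed from "RSERVICES rsh froot": this entry is on the rlogin port (513) like its neighbours,
# and it previously shared NAME and LOGMSG with the port-514 rsh entry below, so the two alerts
# could not be told apart in the log. The pattern is unchanged.
NAME "RSERVICES rlogin froot" LOGMSG "RSERVICES rlogin froot" PROTO TCP DESTPORT 513 513 DIRECTION FROM_ORIG CONTENT "-froot|00|"
NAME "RSERVICES rlogin root" LOGMSG "RSERVICES rlogin root" PROTO TCP DESTPORT 513 513 DIRECTION FROM_ORIG CONTENT "root|00|root|00|"
NAME "RSERVICES rsh bin" LOGMSG "RSERVICES rsh bin" PROTO TCP DESTPORT 514 514 DIRECTION FROM_ORIG CONTENT "bin|00|bin|00|"
NAME "RSERVICES rsh echo + +" LOGMSG "RSERVICES rsh echo + +" PROTO TCP DESTPORT 514 514 DIRECTION FROM_ORIG CONTENT "echo |22|+ +|22|"
NAME "RSERVICES rsh froot" LOGMSG "RSERVICES rsh froot" PROTO TCP DESTPORT 514 514 DIRECTION FROM_ORIG CONTENT "-froot|00|"
NAME "RSERVICES rsh root" LOGMSG "RSERVICES rsh root" PROTO TCP DESTPORT 514 514 DIRECTION FROM_ORIG CONTENT "root|00|root|00|"
# rexec: these two were the only TCP entries in the group with no DIRECTION. Added FROM_ORIG to
# match the rest of the group; the NUL-separated fields they walk are in the request the client sends.
NAME "RSERVICES rexec username overflow attempt" LOGMSG "RSERVICES rexec username overflow attempt" PROTO TCP DESTPORT 512 512 DIRECTION FROM_ORIG CONTENT "|00|" OFFSET 9 CONTENT "|00|" DISTANCE 0 CONTENT "|00|" DISTANCE 0
NAME "RSERVICES rexec password overflow attempt" LOGMSG "RSERVICES rexec password overflow attempt" PROTO TCP DESTPORT 512 512 DIRECTION FROM_ORIG CONTENT "|00|" CONTENT "|00|" DISTANCE 33 CONTENT "|00|" DISTANCE 0
END
BEGIN GROUPNAME FROM_INT_RSERVICES TYPE ATTACKSIG
# Two wordings of the same event (different rlogind implementations); both intentionally log
# under the same message.
NAME "RSERVICES rlogin login failure" LOGMSG "RSERVICES rlogin login failure" PROTO TCP SRCPORT 513 513 DIRECTION FROM_TERM CONTENT "|01|rlogind|3a| Permission denied."
NAME "RSERVICES rlogin login failure" LOGMSG "RSERVICES rlogin login failure" PROTO TCP SRCPORT 513 513 DIRECTION FROM_TERM CONTENT "login incorrect"
END
##########################################
#
# SCAN
#
##########################################
BEGIN GROUPNAME FROM_EXT_SCAN TYPE ATTACKSIG
NAME "SCAN ident version request" LOGMSG "SCAN ident version request" PROTO TCP DESTPORT 113 113 DIRECTION FROM_ORIG CONTENT "VERSION|0A|" DEPTH 16
NAME "SCAN Amanda client version request" LOGMSG "SCAN Amanda client version request" PROTO UDP DESTPORT 10080 10081 CONTENT "Amanda" NOCASE
NAME "SCAN XTACACS logout" LOGMSG "SCAN XTACACS logout" PROTO UDP DESTPORT 49 49 CONTENT "|8007 0000 0700 0004 0000 0000 00|"
NAME "SCAN cybercop udp bomb" LOGMSG "SCAN cybercop udp bomb" PROTO UDP DESTPORT 7 7 CONTENT "cybercop"
# No port constraint: the probe is sent to arbitrary UDP ports. "quite" is the scanner's own
# misspelling and must stay as-is.
NAME "SCAN Webtrends Scanner UDP Probe" LOGMSG "SCAN Webtrends Scanner UDP Probe" PROTO UDP CONTENT "|0A|help|0A|quite|0A|"
NAME "SCAN SSH Version map attempt" LOGMSG "SCAN SSH Version map attempt" PROTO TCP DESTPORT 22 22 DIRECTION FROM_ORIG CONTENT "Version_Mapper" NOCASE
NAME "SCAN UPnP service discover attempt" LOGMSG "SCAN UPnP service 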
discover attempt" PROTO UDP DESTPORT 1900 1900 CONTENT "M-SEARCH " OFFSET 0 DEPTH 9 CONTENT "ssdp\:discover" END ########################################## # # SHELLCODE # ########################################## BEGIN GROUPNAME FROM_EXT_SHELLCODE TYPE ATTACKSIG NAME "SHELLCODE sparc setuid 0" LOGMSG "SHELLCODE sparc setuid 0" PROTO TCPUDP CONTENT "|82102017 91d02008|" NAME "SHELLCODE x86 setgid 0" LOGMSG "SHELLCODE x86 setgid 0" PROTO TCPUDP CONTENT "|b0b5 cd80|" NAME "SHELLCODE x86 setuid 0" LOGMSG "SHELLCODE x86 setuid 0" PROTO TCPUDP CONTENT "|b017 cd80|" NAME "SHELLCODE SGI NOOP" LOGMSG "SHELLCODE SGI NOOP" PROTO TCPUDP CONTENT "|03e0 f825 03e0 f825 03e0 f825 03e0 f825|" NAME "SHELLCODE SGI NOOP" LOGMSG "SHELLCODE SGI NOOP" PROTO TCPUDP CONTENT "|240f 1234 240f 1234 240f 1234 240f 1234|" NAME "SHELLCODE AIX NOOP" LOGMSG "SHELLCODE AIX NOOP" PROTO TCPUDP CONTENT "|4fff fb82 4fff fb82 4fff fb82 4fff fb82|" NAME "SHELLCODE Digital UNIX NOOP" LOGMSG "SHELLCODE Digital UNIX NOOP" PROTO TCPUDP CONTENT "|47 ff 04 1f 47 ff 04 1f 47 ff 04 1f 47 ff 04 1f|" NAME "SHELLCODE HP-UX NOOP" LOGMSG "SHELLCODE HP-UX NOOP" PROTO TCPUDP CONTENT "|0821 0280 0821 0280 0821 0280 0821 0280|" NAME "SHELLCODE HP-UX NOOP" LOGMSG "SHELLCODE HP-UX NOOP" PROTO TCPUDP CONTENT "|0b39 0280 0b39 0280 0b39 0280 0b39 0280|" NAME "SHELLCODE sparc NOOP" LOGMSG "SHELLCODE sparc NOOP" PROTO TCPUDP CONTENT "|13c0 1ca6 13c0 1ca6 13c0 1ca6 13c0 1ca6|" NAME "SHELLCODE sparc NOOP" LOGMSG "SHELLCODE sparc NOOP" PROTO TCPUDP CONTENT "|801c 4011 801c 4011 801c 4011 801c 4011|" NAME "SHELLCODE sparc NOOP" LOGMSG "SHELLCODE sparc NOOP" PROTO TCPUDP CONTENT "|a61c c013 a61c c013 a61c c013 a61c c013|" NAME "SHELLCODE x86 NOOP" LOGMSG "SHELLCODE x86 NOOP" PROTO TCPUDP CONTENT "|90 90 90 90 90 90 90 90 90 90 90 90 90 90|" DEPTH 128 NAME "SHELLCODE x86 stealth NOOP" LOGMSG "SHELLCODE x86 stealth NOOP" PROTO TCPUDP CONTENT "|eb 02 eb 02 eb 02|" NAME "SHELLCODE x86 unicode NOOP" LOGMSG "SHELLCODE x86 unicode NOOP" 
PROTO TCPUDP CONTENT "|90009000900090009000|" NAME "SHELLCODE Linux shellcode" LOGMSG "SHELLCODE Linux shellcode" PROTO TCPUDP CONTENT "|90 90 90 e8 c0 ff ff ff|/bin/sh" NAME "SHELLCODE x86 inc ebx NOOP" LOGMSG "SHELLCODE x86 inc ebx NOOP" PROTO TCPUDP CONTENT "|43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43|" NAME "SHELLCODE x86 NOOP" LOGMSG "SHELLCODE x86 NOOP" PROTO TCPUDP CONTENT "|61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61|" NAME "SHELLCODE x86 EB OC NOOP" LOGMSG "SHELLCODE x86 EB OC NOOP" PROTO TCPUDP CONTENT "|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|" END ########################################## # # SMTP # ########################################## BEGIN GROUPNAME FROM_EXT_SMTP TYPE ATTACKSIG NAME "SMTP sendmail 8.6.9 exploit" LOGMSG "SMTP sendmail 8.6.9 exploit" PROTO TCP SRCPORT 113 113 DESTPORT 25 25 DIRECTION FROM_ORIG CONTENT "|0a|D/" NAME "SMTP exchange mime DOS" LOGMSG "SMTP exchange mime DOS" PROTO TCP DESTPORT 25 25 DIRECTION FROM_ORIG CONTENT "charset = |22 22|" NAME "SMTP expn decode" LOGMSG "SMTP expn decode" PROTO TCP DESTPORT 25 25 DIRECTION FROM_ORIG CONTENT "expn decode" NOCASE NAME "SMTP expn root" LOGMSG "SMTP expn root" PROTO TCP DESTPORT 25 25 DIRECTION FROM_ORIG CONTENT "expn root" NOCASE NAME "SMTP expn *@" LOGMSG "SMTP expn *@" PROTO TCP DESTPORT 25 25 DIRECTION FROM_ORIG CONTENT "expn *@" NOCASE NAME "SMTP majordomo ifs" LOGMSG "SMTP majordomo ifs" PROTO TCP DESTPORT 25 25 DIRECTION FROM_ORIG CONTENT "eply-to|3a| a~.`/bin/" NAME "SMTP sendmail 5.5.5 exploit" LOGMSG "SMTP sendmail 5.5.5 exploit" PROTO TCP DESTPORT 25 25 DIRECTION FROM_ORIG CONTENT "mail from|3a20227c|" NOCASE NAME "SMTP rcpt to sed command attempt" LOGMSG "SMTP rcpt to sed command attempt" PROTO TCP DESTPORT 25 25 DIRECTION FROM_ORIG CONTENT "rcpt to\:" NOCASE CONTENT "\|" DISTANCE 0 CONTENT "sed " DISTANCE 0 NAME "SMTP RCPT TO decode attempt" LOGMSG "SMTP RCPT TO decode attempt" PROTO TCP DESTPORT 25 25 DIRECTION 
FROM_ORIG CONTENT "rcpt to|3a| decode" NOCASE NAME "SMTP sendmail 5.6.5 exploit" LOGMSG "SMTP sendmail 5.6.5 exploit" PROTO TCP DESTPORT 25 25 DIRECTION FROM_ORIG CONTENT "MAIL FROM|3a207c|/usr/ucb/tail" NOCASE NAME "SMTP sendmail 8.6.10 exploit" LOGMSG "SMTP sendmail 8.6.10 exploit" PROTO TCP DESTPORT 25 25 DIRECTION FROM_ORIG CONTENT "Croot|0d0a|Mprog, P=/bin/" NAME "SMTP sendmail 8.6.10 exploit" LOGMSG "SMTP sendmail 8.6.10 exploit" PROTO TCP DESTPORT 25 25 DIRECTION FROM_ORIG CONTENT "Croot|09090909090909|Mprog,P=/bin" NAME "SMTP sendmail 8.6.9 exploit" LOGMSG "SMTP sendmail 8.6.9 exploit" PROTO TCP DESTPORT 25 25 DIRECTION FROM_ORIG CONTENT "|0a|Croot|0a|Mprog" NAME "SMTP sendmail 8.6.9 exploit" LOGMSG "SMTP sendmail 8.6.9 exploit" PROTO TCP DESTPORT 25 25 DIRECTION FROM_ORIG CONTENT "|0a|C|3a|daemon|0a|R" NAME "SMTP sendmail 8.6.9c exploit" LOGMSG "SMTP sendmail 8.6.9c exploit" PROTO TCP DESTPORT 25 25 DIRECTION FROM_ORIG CONTENT "|0a|Croot|0d0a|Mprog" NAME "SMTP vrfy decode" LOGMSG "SMTP vrfy decode" PROTO TCP DESTPORT 25 25 DIRECTION FROM_ORIG CONTENT "vrfy decode" NOCASE NAME "SMTP vrfy root" LOGMSG "SMTP vrfy root" PROTO TCP DESTPORT 25 25 DIRECTION FROM_ORIG CONTENT "vrfy root" NOCASE NAME "SMTP ehlo cybercop attempt" LOGMSG "SMTP ehlo cybercop attempt" PROTO TCP DESTPORT 25 25 DIRECTION FROM_ORIG CONTENT "ehlo cybercop|0a|quit|0a|" NAME "SMTP expn cybercop attempt" LOGMSG "SMTP expn cybercop attempt" PROTO TCP DESTPORT 25 25 DIRECTION FROM_ORIG CONTENT "expn cybercop" NAME "SMTP HELO overflow attempt" LOGMSG "SMTP HELO overflow attempt" PROTO TCP DESTPORT 25 25 DIRECTION FROM_ORIG CONTENT "HELO " OFFSET 0 DEPTH 5 CONTENT !"|0a|" WITHIN 500 NAME "SMTP ETRN overflow attempt" LOGMSG "SMTP ETRN overflow attempt" PROTO TCP DESTPORT 25 25 DIRECTION FROM_ORIG CONTENT "ETRN " OFFSET 0 DEPTH 5 CONTENT !"|0A|" WITHIN 500 NAME "SMTP From comment overflow attempt" LOGMSG "SMTP From comment overflow attempt" PROTO TCP DESTPORT 25 25 DIRECTION FROM_ORIG CONTENT 
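"From\:" CONTENT "<><><><><><><><><><><><><><><><><><><><><><>" DISTANCE 0 CONTENT "(" DISTANCE 1 CONTENT ")" DISTANCE 1
END
##########################################
#
# SNMP
#
##########################################
# SNMPv1/v2c PDUs are BER: 30 <len> 02 01 <version> 04 <len> <community> ... With a short-form
# outer length the community OCTET STRING tag (04) lands at offset 5, which is where the first two
# entries start looking.
BEGIN GROUPNAME FROM_EXT_SNMP TYPE ATTACKSIG
NAME "SNMP missing community string attempt" LOGMSG "SNMP missing community string attempt" PROTO UDP DESTPORT 161 161 CONTENT "|04 00|" OFFSET 5 DEPTH 15
NAME "SNMP null community string attempt" LOGMSG "SNMP null community string attempt" PROTO UDP DESTPORT 161 161 CONTENT "|04 01 00|" OFFSET 5 DEPTH 15
# |04 82 01 00| is an OCTET STRING with a long-form two-byte length of 0x0100 (256 bytes), i.e. an
# oversized community string. A message that large also has a long-form outer length (30 82 xx xx),
# which is why the version INTEGER is expected at offset 4 here rather than 2.
NAME "SNMP community string buffer overflow attempt" LOGMSG "SNMP community string buffer overflow attempt" PROTO UDP DESTPORT 161 162 CONTENT "|02 01 00 04 82 01 00|" OFFSET 4
# FIX: this pattern was written as " | 04 82 01 00 |" with stray spaces inside the quotes. Unless
# the parser trims whitespace inside a quoted CONTENT (nothing else in this file relies on that),
# that is a six-byte literal which can never fit the OFFSET 7 / DEPTH 5 window, so the entry
# could not fire. The sibling entry above and the offset (30 82 xx xx 02 01 00 | 04 82 01 00)
# both show the intended four-byte pattern.
NAME "SNMP community string buffer overflow attempt (with evasion)" LOGMSG "SNMP community string buffer overflow attempt (with evasion)" PROTO UDP DESTPORT 161 162 CONTENT "|04 82 01 00|" OFFSET 7 DEPTH 5
# The four entries below match the bare word anywhere in the payload, so they also fire on
# legitimate polling that still uses the default communities; treat them as policy / inventory
# signals, not as attack indicators.
NAME "SNMP public access udp" LOGMSG "SNMP public access udp" PROTO UDP DESTPORT 161 161 CONTENT "public"
NAME "SNMP public access tcp" LOGMSG "SNMP public access tcp" PROTO TCP DESTPORT 161 161 DIRECTION FROM_ORIG CONTENT "public"
NAME "SNMP private access udp" LOGMSG "SNMP private access udp" PROTO UDP DESTPORT 161 161 CONTENT "private"
NAME "SNMP private access tcp" LOGMSG "SNMP private access tcp" PROTO TCP DESTPORT 161 161 DIRECTION FROM_ORIG CONTENT "private"
# Exact byte images of the PROTOS c06-snmpv1 test-suite base packets (GetRequest with community
# "public" for sysName, and a Trap); they only catch an unmodified run of the suite.
NAME "SNMP PROTOS test-suite-req-app attempt" LOGMSG "SNMP PROTOS test-suite-req-app attempt" PROTO UDP DESTPORT 161 161 CONTENT "|30 26 02 01 00 04 06 70 75 62 6C 69 63 A0 19 02 01 00 02 01 00 02 01 00 30 0E 30 0C 06 08 2B 06 01 02 01 01 05 00 05 00|"
NAME "SNMP PROTOS test-suite-trap-app attempt" LOGMSG "SNMP PROTOS test-suite-trap-app attempt" PROTO UDP DESTPORT 162 162 CONTENT "|30 38 02 01 00 04 06 70 75 62 6C 69 63 A4 2B 06|"
END
##########################################
#
# SQL
#
##########################################
BEGIN GROUPNAME FROM_EXT_SQL TYPE 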
ATTACKSIG NAME "MS-SQL/SMB sp_start_job - program execution" LOGMSG "MS-SQL/SMB sp_start_job - program execution" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|" NOCASE OFFSET 32 DEPTH 32 NAME "MS-SQL/SMB sp_password password change" LOGMSG "MS-SQL/SMB sp_password password change" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|" NOCASE NAME "MS-SQL/SMB sp_delete_alert log file deletion" LOGMSG "MS-SQL/SMB sp_delete_alert log file deletion" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|" NOCASE NAME "MS-SQL/SMB sp_adduser database user creation" LOGMSG "MS-SQL/SMB sp_adduser database user creation" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|" NOCASE OFFSET 32 DEPTH 32 NAME "MS-SQL/SMB xp_enumresultset possible buffer overflow" LOGMSG "MS-SQL/SMB xp_enumresultset possible buffer overflow" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|" NOCASE OFFSET 32 NAME "MS-SQL/SMB raiserror possible buffer overflow" LOGMSG "MS-SQL/SMB raiserror possible buffer overflow" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|" NOCASE OFFSET 32 NAME "MS-SQL/SMB xp_displayparamstmt possible buffer overflow" LOGMSG "MS-SQL/SMB xp_displayparamstmt possible buffer overflow" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t|00|" NOCASE OFFSET 32 NAME "MS-SQL/SMB xp_setsqlsecurity possible buffer overflow" LOGMSG "MS-SQL/SMB xp_setsqlsecurity possible buffer overflow" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT 
"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|" NOCASE OFFSET 32 NAME "MS-SQL/SMB xp_cmdshell program execution" LOGMSG "MS-SQL/SMB xp_cmdshell program execution" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|" NOCASE OFFSET 32 NAME "MS-SQL/SMB xp_reg* registry access" LOGMSG "MS-SQL/SMB xp_reg* registry access" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "x|00|p|00|_|00|r|00|e|00|g|00|" NOCASE OFFSET 32 DEPTH 32 NAME "MS-SQL/SMB xp_printstatements possible buffer overflow" LOGMSG "MS-SQL/SMB xp_printstatements possible buffer overflow" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|" NOCASE OFFSET 32 NAME "MS-SQL/SMB shellcode attempt" LOGMSG "MS-SQL/SMB shellcode attempt" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "|3920d0009201c200520055003920ec00|" NAME "MS-SQL/SMB shellcode attempt" LOGMSG "MS-SQL/SMB shellcode attempt" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "|4800250078007700900090009000900090003300c000500068002e00|" NAME "MS-SQL/SMB xp_sprintf possible buffer overflow" LOGMSG "MS-SQL/SMB xp_sprintf possible buffer overflow" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|" NOCASE OFFSET 32 NAME "MS-SQL/SMB xp_showcolv possible buffer overflow" LOGMSG "MS-SQL/SMB xp_showcolv possible buffer overflow" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|" NOCASE OFFSET 32 NAME "MS-SQL/SMB xp_peekqueue possible buffer overflow" LOGMSG "MS-SQL/SMB xp_peekqueue possible buffer overflow" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|" NOCASE OFFSET 32 NAME "MS-SQL/SMB xp_proxiedmetadata possible buffer overflow" LOGMSG "MS-SQL/SMB 
xp_proxiedmetadata possible buffer overflow" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|" NOCASE OFFSET 32 NAME "MS-SQL/SMB xp_updatecolvbm possible buffer overflow" LOGMSG "MS-SQL/SMB xp_updatecolvbm possible buffer overflow" PROTO TCP DESTPORT 139 139 DIRECTION FROM_ORIG CONTENT "x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|" NOCASE OFFSET 32 NAME "MS-SQL sp_start_job - program execution" LOGMSG "MS-SQL sp_start_job - program execution" PROTO TCP DESTPORT 1433 1433 DIRECTION FROM_ORIG CONTENT "s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|" NOCASE NAME "MS-SQL xp_displayparamstmt possible buffer overflow" LOGMSG "MS-SQL xp_displayparamstmt possible buffer overflow" PROTO TCP DESTPORT 1433 1433 DIRECTION FROM_ORIG CONTENT "x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t" NOCASE NAME "MS-SQL xp_setsqlsecurity possible buffer overflow" LOGMSG "MS-SQL xp_setsqlsecurity possible buffer overflow" PROTO TCP DESTPORT 1433 1433 DIRECTION FROM_ORIG CONTENT "x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|" NOCASE NAME "MS-SQL xp_enumresultset possible buffer overflow" LOGMSG "MS-SQL xp_enumresultset possible buffer overflow" PROTO TCP DESTPORT 1433 1433 DIRECTION FROM_ORIG CONTENT "x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|" NOCASE NAME "MS-SQL sp_password - password change" LOGMSG "MS-SQL sp_password - password change" PROTO TCP DESTPORT 1433 1433 DIRECTION FROM_ORIG CONTENT "s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|" NOCASE NAME "MS-SQL sp_delete_alert log file deletion" LOGMSG "MS-SQL sp_delete_alert log file deletion" PROTO TCP DESTPORT 1433 1433 DIRECTION FROM_ORIG CONTENT "s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|r|00|t|00|" NOCASE NAME "MS-SQL sp_adduser - database 
user creation" LOGMSG "MS-SQL sp_adduser - database user creation" PROTO TCP DESTPORT 1433 1433 DIRECTION FROM_ORIG CONTENT "s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|" NOCASE NAME "MS-SQL xp_reg* - registry access" LOGMSG "MS-SQL xp_reg* - registry access" PROTO TCP DESTPORT 1433 1433 DIRECTION FROM_ORIG CONTENT "x|00|p|00|_|00|r|00|e|00|g|00|" NOCASE NAME "MS-SQL xp_cmdshell - program execution" LOGMSG "MS-SQL xp_cmdshell - program execution" PROTO TCP DESTPORT 1433 1433 DIRECTION FROM_ORIG CONTENT "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|" NOCASE NAME "MS-SQL shellcode attempt" LOGMSG "MS-SQL shellcode attempt" PROTO TCP DESTPORT 1433 1433 DIRECTION FROM_ORIG CONTENT "|3920d0009201c200520055003920ec00|" NAME "MS-SQL shellcode attempt" LOGMSG "MS-SQL shellcode attempt" PROTO TCP DESTPORT 1433 1433 DIRECTION FROM_ORIG CONTENT "|4800250078007700900090009000900090003300c000500068002e00|" NAME "MS-SQL xp_printstatements possible buffer overflow" LOGMSG "MS-SQL xp_printstatements possible buffer overflow" PROTO TCP DESTPORT 1433 1433 DIRECTION FROM_ORIG CONTENT "x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|" NOCASE NAME "MS-SQL xp_updatecolvbm possible buffer overflow" LOGMSG "MS-SQL xp_updatecolvbm possible buffer overflow" PROTO TCP DESTPORT 1433 1433 DIRECTION FROM_ORIG CONTENT "x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|" NOCASE NAME "MS-SQL xp_sprintf possible buffer overflow" LOGMSG "MS-SQL xp_sprintf possible buffer overflow" PROTO TCP DESTPORT 1433 1433 DIRECTION FROM_ORIG CONTENT "x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|" NOCASE NAME "MS-SQL xp_showcolv possible buffer overflow" LOGMSG "MS-SQL xp_showcolv possible buffer overflow" PROTO TCP DESTPORT 1433 1433 DIRECTION FROM_ORIG CONTENT "x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|" NOCASE NAME "MS-SQL xp_peekqueue possible buffer overflow" LOGMSG "MS-SQL xp_peekqueue possible buffer 
overflow" PROTO TCP DESTPORT 1433 1433 DIRECTION FROM_ORIG CONTENT "x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|" NOCASE NAME "MS-SQL xp_proxiedmetadata possible buffer overflow" LOGMSG "MS-SQL xp_proxiedmetadata possible buffer overflow" PROTO TCP DESTPORT 1433 1433 DIRECTION FROM_ORIG CONTENT "x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|" NOCASE NAME "MS-SQL raiserror possible buffer overflow" LOGMSG "MS-SQL raiserror possible buffer overflow" PROTO TCP DESTPORT 1433 1433 DIRECTION FROM_ORIG CONTENT "r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|" NOCASE NAME "MS-SQL xp_cmdshell program execution (445)" LOGMSG "MS-SQL xp_cmdshell program execution (445)" PROTO TCP DESTPORT 445 445 DIRECTION FROM_ORIG CONTENT "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|" NOCASE NAME "MS-SQL Worm propagation attempt" LOGMSG "MS-SQL Worm propagation attempt" PROTO UDP DESTPORT 1434 1434 CONTENT "|04|" DEPTH 1 CONTENT "|81 F1 03 01 04 9B 81 F1 01|" CONTENT "sock" CONTENT "send" NAME "MS-SQL ping attempt" LOGMSG "MS-SQL ping attempt" PROTO UDP DESTPORT 1434 1434 CONTENT "|02|" OFFSET 0 DEPTH 1 END BEGIN GROUPNAME FROM_INT_SQL TYPE ATTACKSIG NAME "MS-SQL Worm propagation attempt OUTBOUND" LOGMSG "MS-SQL Worm propagation attempt OUTBOUND" PROTO UDP DESTPORT 1434 1434 CONTENT "|04|" DEPTH 1 CONTENT "|81 F1 03 01 04 9B 81 F1|" CONTENT "sock" CONTENT "send" END ########################################## # # TELNET # ########################################## BEGIN GROUPNAME FROM_EXT_TELNET TYPE ATTACKSIG NAME "TELNET Solaris memory mismanagement exploit attempt" LOGMSG "TELNET Solaris memory mismanagement exploit attempt" PROTO TCP DESTPORT 23 23 DIRECTION FROM_ORIG CONTENT "|A0 23 A0 10 AE 23 80 10 EE 23 BF EC 82 05 E0 D6 90 25 E0|" NAME "TELNET SGI telnetd format bug" LOGMSG "TELNET SGI telnetd format bug" PROTO TCP DESTPORT 23 23 DIRECTION FROM_ORIG CONTENT "_RLD" CONTENT "bin/sh" NAME "TELNET ld_library_path" 
LOGMSG "TELNET ld_library_path" PROTO TCP DESTPORT 23 23 DIRECTION FROM_ORIG CONTENT "ld_library_path" NAME "TELNET livingston DOS" LOGMSG "TELNET livingston DOS" PROTO TCP DESTPORT 23 23 DIRECTION FROM_ORIG CONTENT "|fff3 fff3 fff3 fff3 fff3|" NAME "TELNET resolv_host_conf" LOGMSG "TELNET resolv_host_conf" PROTO TCP DESTPORT 23 23 DIRECTION FROM_ORIG CONTENT "resolv_host_conf" NAME "TELNET 4Dgifts SGI account attempt" LOGMSG "TELNET 4Dgifts SGI account attempt" PROTO TCP DESTPORT 23 23 DIRECTION FROM_ORIG CONTENT "4Dgifts" NAME "TELNET EZsetup account attempt" LOGMSG "TELNET EZsetup account attempt" PROTO TCP DESTPORT 23 23 DIRECTION FROM_ORIG CONTENT "OutOfBox" END BEGIN GROUPNAME FROM_INT_TELNET TYPE ATTACKSIG NAME "TELNET Attempted SU from wrong group" LOGMSG "TELNET Attempted SU from wrong group" PROTO TCP SRCPORT 23 23 DIRECTION FROM_TERM CONTENT "to su root" NOCASE NAME "TELNET not on console" LOGMSG "TELNET not on console" PROTO TCP SRCPORT 23 23 DIRECTION FROM_TERM CONTENT "not on system console" NOCASE NAME "TELNET login incorrect" LOGMSG "TELNET login incorrect" PROTO TCP SRCPORT 23 23 DIRECTION FROM_TERM CONTENT "Login incorrect" NAME "TELNET root login" LOGMSG "TELNET root login" PROTO TCP SRCPORT 23 23 DIRECTION FROM_TERM CONTENT "login\: root" NAME "TELNET bsd telnet exploit response" LOGMSG "TELNET bsd telnet exploit response" PROTO TCP SRCPORT 23 23 DIRECTION FROM_TERM CONTENT "|0D0A|[Yes]|0D0A FFFE 08FF FD26|" NAME "TELNET access" LOGMSG "TELNET access" PROTO TCP SRCPORT 23 23 DIRECTION FROM_TERM CONTENT "|FF FD 18 FF FD 1F FF FD 23 FF FD 27 FF FD 24|" END ########################################## # # TFTP # ########################################## BEGIN GROUPNAME FROM_EXT_TFTP TYPE ATTACKSIG NAME "TFTP parent directory" LOGMSG "TFTP parent directory" PROTO UDP DESTPORT 69 69 CONTENT ".." 
OFFSET 2 NAME "TFTP root directory" LOGMSG "TFTP root directory" PROTO UDP DESTPORT 69 69 CONTENT "|0001|/" OFFSET 0 DEPTH 3 NAME "TFTP Put" LOGMSG "TFTP Put" PROTO UDP DESTPORT 69 69 CONTENT "|00 02|" OFFSET 0 DEPTH 2 # NAME "TFTP Get" LOGMSG "TFTP Get" PROTO UDP DESTPORT 69 69 CONTENT "|00 01|" OFFSET 0 DEPTH 2 NAME "TFTP filename overflow attempt" LOGMSG "TFTP filename overflow attempt" PROTO UDP DESTPORT 69 69 CONTENT "|0001|" OFFSET 0 DEPTH 2 CONTENT !"|00|" WITHIN 100 NAME "TFTP GET Admin.dll" LOGMSG "TFTP GET Admin.dll" PROTO UDP DESTPORT 69 69 CONTENT "|0001|" OFFSET 0 DEPTH 2 CONTENT "admin.dll" NOCASE OFFSET 2 NAME "TFTP GET nc.exe" LOGMSG "TFTP GET nc.exe" PROTO UDP DESTPORT 69 69 CONTENT "|0001|" OFFSET 0 DEPTH 2 CONTENT "nc.exe" NOCASE OFFSET 2 NAME "TFTP GET shadow" LOGMSG "TFTP GET shadow" PROTO UDP DESTPORT 69 69 CONTENT "|0001|" OFFSET 0 DEPTH 2 CONTENT "shadow" NOCASE OFFSET 2 NAME "TFTP GET passwd" LOGMSG "TFTP GET passwd" PROTO UDP DESTPORT 69 69 CONTENT "|0001|" OFFSET 0 DEPTH 2 CONTENT "passwd" NOCASE OFFSET 2 NAME "TFTP NULL command attempt" LOGMSG "TFTP NULL command attempt" PROTO UDP DESTPORT 69 69 CONTENT "|00 00|" OFFSET 0 DEPTH 2 NAME "TFTP GET filename overflow attempt" LOGMSG "TFTP GET filename overflow attempt" PROTO UDP DESTPORT 69 69 CONTENT "|0001|" OFFSET 0 DEPTH 2 CONTENT !"|00|" WITHIN 100 NAME "TFTP PUT filename overflow attempt" LOGMSG "TFTP PUT filename overflow attempt" PROTO UDP DESTPORT 69 69 CONTENT "|0002|" OFFSET 0 DEPTH 2 CONTENT !"|00|" WITHIN 100 END BEGIN GROUPNAME FROM_INT_TFTP TYPE ATTACKSIG NAME "TFTP filename overflow attempt" LOGMSG "TFTP filename overflow attempt" PROTO UDP DESTPORT 69 69 CONTENT "|0001|" OFFSET 0 DEPTH 2 CONTENT !"|00|" WITHIN 100 NAME "TFTP GET Admin.dll" LOGMSG "TFTP GET Admin.dll" PROTO UDP DESTPORT 69 69 CONTENT "|0001|" OFFSET 0 DEPTH 2 CONTENT "admin.dll" NOCASE OFFSET 2 NAME "TFTP GET nc.exe" LOGMSG "TFTP GET nc.exe" PROTO UDP DESTPORT 69 69 CONTENT "|0001|" OFFSET 0 DEPTH 2 CONTENT 
"nc.exe" NOCASE OFFSET 2 NAME "TFTP GET shadow" LOGMSG "TFTP GET shadow" PROTO UDP DESTPORT 69 69 CONTENT "|0001|" OFFSET 0 DEPTH 2 CONTENT "shadow" NOCASE OFFSET 2 NAME "TFTP GET passwd" LOGMSG "TFTP GET passwd" PROTO UDP DESTPORT 69 69 CONTENT "|0001|" OFFSET 0 DEPTH 2 CONTENT "passwd" NOCASE OFFSET 2 NAME "TFTP GET filename overflow attempt" LOGMSG "TFTP GET filename overflow attempt" PROTO UDP DESTPORT 69 69 CONTENT "|0001|" OFFSET 0 DEPTH 2 CONTENT !"|00|" WITHIN 100 NAME "TFTP PUT filename overflow attempt" LOGMSG "TFTP PUT filename overflow attempt" PROTO UDP DESTPORT 69 69 CONTENT "|0002|" OFFSET 0 DEPTH 2 CONTENT !"|00|" WITHIN 100 END ########################################## # # WEB-ATTACKS # ########################################## BEGIN GROUPNAME FROM_EXT_WEB_ATTACKS TYPE ATTACKSIG NAME "WEB-ATTACKS ps command attempt" LOGMSG "WEB-ATTACKS ps command attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/bin/ps" NOCASE NAME "WEB-ATTACKS /bin/ps command attempt" LOGMSG "WEB-ATTACKS /bin/ps command attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "ps%20" NOCASE NAME "WEB-ATTACKS wget command attempt" LOGMSG "WEB-ATTACKS wget command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "wget%20" NOCASE NAME "WEB-ATTACKS uname -a command attempt" LOGMSG "WEB-ATTACKS uname -a command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "uname%20-a" NOCASE NAME "WEB-ATTACKS /usr/bin/id command attempt" LOGMSG "WEB-ATTACKS /usr/bin/id command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "/usr/bin/id" NOCASE # NAME "WEB-ATTACKS id command attempt" LOGMSG "WEB-ATTACKS id command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "\;id" NOCASE NAME "WEB-ATTACKS echo command attempt" LOGMSG "WEB-ATTACKS echo command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "/bin/echo" NOCASE NAME "WEB-ATTACKS kill command attempt" LOGMSG "WEB-ATTACKS kill command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "/bin/kill" NOCASE NAME "WEB-ATTACKS chmod command attempt" LOGMSG "WEB-ATTACKS 
chmod command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "/bin/chmod" NOCASE NAME "WEB-ATTACKS chgrp command attempt" LOGMSG "WEB-ATTACKS chgrp command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "/chgrp" NOCASE NAME "WEB-ATTACKS chown command attempt" LOGMSG "WEB-ATTACKS chown command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "/chown" NOCASE NAME "WEB-ATTACKS chsh command attempt" LOGMSG "WEB-ATTACKS chsh command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "/usr/bin/chsh" NOCASE NAME "WEB-ATTACKS tftp command attempt" LOGMSG "WEB-ATTACKS tftp command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "tftp%20" NOCASE NAME "WEB-ATTACKS /usr/bin/gcc command attempt" LOGMSG "WEB-ATTACKS /usr/bin/gcc command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "/usr/bin/gcc" NOCASE NAME "WEB-ATTACKS gcc command attempt" LOGMSG "WEB-ATTACKS gcc command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "gcc%20-o" NOCASE NAME "WEB-ATTACKS /usr/bin/cc command attempt" LOGMSG "WEB-ATTACKS /usr/bin/cc command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "/usr/bin/cc" NOCASE NAME "WEB-ATTACKS cc command attempt" LOGMSG "WEB-ATTACKS cc command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "cc%20" NOCASE NAME "WEB-ATTACKS /usr/bin/cpp command attempt" LOGMSG "WEB-ATTACKS /usr/bin/cpp command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "/usr/bin/cpp" NOCASE NAME "WEB-ATTACKS cpp command attempt" LOGMSG "WEB-ATTACKS cpp command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "cpp%20" NOCASE NAME "WEB-ATTACKS /usr/bin/g++ command attempt" LOGMSG "WEB-ATTACKS /usr/bin/g++ command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "/usr/bin/g++" NOCASE NAME "WEB-ATTACKS g++ command attempt" LOGMSG "WEB-ATTACKS g++ command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "g++%20" NOCASE NAME "WEB-ATTACKS bin/python access attempt" LOGMSG "WEB-ATTACKS bin/python access attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "bin/python" NOCASE NAME "WEB-ATTACKS python access attempt" LOGMSG 
"WEB-ATTACKS python access attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "python%20" NOCASE NAME "WEB-ATTACKS bin/tclsh execution attempt" LOGMSG "WEB-ATTACKS bin/tclsh execution attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "bin/tclsh" NOCASE NAME "WEB-ATTACKS tclsh execution attempt" LOGMSG "WEB-ATTACKS tclsh execution attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "tclsh8%20" NOCASE NAME "WEB-ATTACKS bin/nasm command attempt" LOGMSG "WEB-ATTACKS bin/nasm command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "bin/nasm" NOCASE NAME "WEB-ATTACKS nasm command attempt" LOGMSG "WEB-ATTACKS nasm command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "nasm%20" NOCASE NAME "WEB-ATTACKS /usr/bin/perl execution attempt" LOGMSG "WEB-ATTACKS /usr/bin/perl execution attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "/usr/bin/perl" NOCASE NAME "WEB-ATTACKS perl execution attempt" LOGMSG "WEB-ATTACKS perl execution attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "perl%20" NOCASE NAME "WEB-ATTACKS nt admin addition attempt" LOGMSG "WEB-ATTACKS nt admin addition attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "net localgroup administrators /add" NOCASE NAME "WEB-ATTACKS traceroute command attempt" LOGMSG "WEB-ATTACKS traceroute command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "traceroute%20" NOCASE NAME "WEB-ATTACKS ping command attempt" LOGMSG "WEB-ATTACKS ping command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "/bin/ping" NOCASE NAME "WEB-ATTACKS netcat command attempt" LOGMSG "WEB-ATTACKS netcat command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "nc%20" NOCASE NAME "WEB-ATTACKS nmap command attempt" LOGMSG "WEB-ATTACKS nmap command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "nmap%20" NOCASE NAME "WEB-ATTACKS xterm command attempt" LOGMSG "WEB-ATTACKS xterm command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "/usr/X11R6/bin/xterm" NOCASE NAME "WEB-ATTACKS X application to remote host attempt" LOGMSG "WEB-ATTACKS X application to remote host attempt" PROTO TCP 
DIRECTION FROM_ORIG CONTENT "%20-display%20" NOCASE NAME "WEB-ATTACKS lsof command attempt" LOGMSG "WEB-ATTACKS lsof command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "lsof%20" NOCASE NAME "WEB-ATTACKS rm command attempt" LOGMSG "WEB-ATTACKS rm command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "rm%20" NOCASE NAME "WEB-ATTACKS mail command attempt" LOGMSG "WEB-ATTACKS mail command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "/bin/mail" NOCASE NAME "WEB-ATTACKS mail command attempt" LOGMSG "WEB-ATTACKS mail command attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "mail%20" NOCASE NAME "WEB-ATTACKS /bin/ls| command attempt" LOGMSG "WEB-ATTACKS /bin/ls| command attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/bin/ls\|" NOCASE NAME "WEB-ATTACKS /bin/ls command attempt" LOGMSG "WEB-ATTACKS /bin/ls command attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/bin/ls" NOCASE NAME "WEB-ATTACKS /etc/inetd.conf access" LOGMSG "WEB-ATTACKS /etc/inetd.conf access" PROTO TCP DIRECTION FROM_ORIG CONTENT "/etc/inetd.conf" NOCASE NAME "WEB-ATTACKS /etc/motd access" LOGMSG "WEB-ATTACKS /etc/motd access" PROTO TCP DIRECTION FROM_ORIG CONTENT "/etc/motd" NOCASE NAME "WEB-ATTACKS /etc/shadow access" LOGMSG "WEB-ATTACKS /etc/shadow access" PROTO TCP DIRECTION FROM_ORIG CONTENT "/etc/shadow" NOCASE NAME "WEB-ATTACKS conf/httpd.conf attempt" LOGMSG "WEB-ATTACKS conf/httpd.conf attempt" PROTO TCP DIRECTION FROM_ORIG CONTENT "conf/httpd.conf" NOCASE NAME "WEB-ATTACKS .htgroup access" LOGMSG "WEB-ATTACKS .htgroup access" PROTO TCP DIRECTION FROM_ORIG URICONTENT ".htgroup" NOCASE END ########################################## # # WEB-CGI # ########################################## BEGIN GROUPNAME FROM_EXT_WEB_CGI TYPE ATTACKSIG NAME "WEB-CGI HyperSeek hsx.cgi directory traversal attempt" LOGMSG "WEB-CGI HyperSeek hsx.cgi directory traversal attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/hsx.cgi" CONTENT "../../" CONTENT "%00" DISTANCE 1 NAME "WEB-CGI HyperSeek hsx.cgi 
access" LOGMSG "WEB-CGI HyperSeek hsx.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/hsx.cgi" NAME "WEB-CGI SWSoft ASPSeek Overflow attempt" LOGMSG "WEB-CGI SWSoft ASPSeek Overflow attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/s.cgi" NOCASE CONTENT "tmpl=" NAME "WEB-CGI webspeed access" LOGMSG "WEB-CGI webspeed access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/wsisa.dll/WService=" NOCASE CONTENT "WSMadmin" NOCASE NAME "WEB-CGI yabb.cgi directory traversal attempt" LOGMSG "WEB-CGI yabb.cgi directory traversal attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/YaBB.pl" NOCASE CONTENT "../" # NAME "WEB-CGI yabb.cgi access" LOGMSG "WEB-CGI yabb.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/YaBB.pl" NOCASE NAME "WEB-CGI /wwwboard/passwd.txt access" LOGMSG "WEB-CGI /wwwboard/passwd.txt access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/wwwboard/passwd.txt" NOCASE NAME "WEB-CGI webdriver access" LOGMSG "WEB-CGI webdriver access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/webdriver" NOCASE NAME "WEB-CGI whois_raw.cgi arbitrary command execution attempt" LOGMSG "WEB-CGI whois_raw.cgi arbitrary command execution attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/whois_raw.cgi?" CONTENT "|0a|" # NAME "WEB-CGI whois_raw.cgi access" LOGMSG "WEB-CGI whois_raw.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/whois_raw.cgi" NAME "WEB-CGI websitepro path access" LOGMSG "WEB-CGI websitepro path access" PROTO TCP DIRECTION FROM_ORIG CONTENT " /HTTP/1." 
NOCASE NAME "WEB-CGI webplus version access" LOGMSG "WEB-CGI webplus version access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/webplus?about" NOCASE NAME "WEB-CGI webplus directory traversal" LOGMSG "WEB-CGI webplus directory traversal" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/webplus?script" NOCASE CONTENT "../" # NAME "WEB-CGI websendmail access" LOGMSG "WEB-CGI websendmail access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/websendmail" NOCASE NAME "WEB-CGI dcforum.cgi directory traversal attempt" LOGMSG "WEB-CGI dcforum.cgi directory traversal attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/dcforum.cgi" CONTENT "forum=../.." # NAME "WEB-CGI dcforum.cgi access" LOGMSG "WEB-CGI dcforum.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/dcforum.cgi" NAME "WEB-CGI dcboard.cgi invalid user addition attempt" LOGMSG "WEB-CGI dcboard.cgi invalid user addition attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/dcboard.cgi" CONTENT "command=register" CONTENT "%7cadmin" # NAME "WEB-CGI dcboard.cgi access" LOGMSG "WEB-CGI dcboard.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/dcboard.cgi" # NAME "WEB-CGI mmstdod.cgi access" LOGMSG "WEB-CGI mmstdod.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/mmstdod.cgi" NOCASE NAME "WEB-CGI anaconda directory transversal attempt" LOGMSG "WEB-CGI anaconda directory transversal attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/apexec.pl" CONTENT "template=../" NOCASE NAME "WEB-CGI imagemap.exe overflow attempt" LOGMSG "WEB-CGI imagemap.exe overflow attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/imagemap.exe?" 
NOCASE # NAME "WEB-CGI imagemap.exe access" LOGMSG "WEB-CGI imagemap.exe access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/imagemap.exe" NOCASE # NAME "WEB-CGI cvsweb.cgi access" LOGMSG "WEB-CGI cvsweb.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/cvsweb.cgi" NOCASE # NAME "WEB-CGI php.cgi access" LOGMSG "WEB-CGI php.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/php.cgi" NOCASE # NAME "WEB-CGI glimpse access" LOGMSG "WEB-CGI glimpse access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/glimpse" NOCASE NAME "WEB-CGI htmlscript attempt" LOGMSG "WEB-CGI htmlscript attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/htmlscript?../.." NOCASE # NAME "WEB-CGI htmlscript access" LOGMSG "WEB-CGI htmlscript access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/htmlscript" NOCASE # NAME "WEB-CGI info2www access" LOGMSG "WEB-CGI info2www access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/info2www" NOCASE NAME "WEB-CGI maillist.pl access" LOGMSG "WEB-CGI maillist.pl access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/maillist.pl" NOCASE NAME "WEB-CGI nph-test-cgi access" LOGMSG "WEB-CGI nph-test-cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/nph-test-cgi" NOCASE NAME "WEB-CGI NPH-publish access" LOGMSG "WEB-CGI NPH-publish access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/nph-maillist.pl" NOCASE NAME "WEB-CGI NPH-publish access" LOGMSG "WEB-CGI NPH-publish access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/nph-publish" NOCASE NAME "WEB-CGI rguest.exe access" LOGMSG "WEB-CGI rguest.exe access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/rguest.exe" NOCASE NAME "WEB-CGI rwwwshell.pl access" LOGMSG "WEB-CGI rwwwshell.pl access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/rwwwshell.pl" NOCASE NAME "WEB-CGI test-cgi attempt" LOGMSG "WEB-CGI test-cgi attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/test-cgi/*?*" NOCASE NAME "WEB-CGI test-cgi access" LOGMSG "WEB-CGI test-cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/test-cgi" NOCASE NAME "WEB-CGI testcgi 
access" LOGMSG "WEB-CGI testcgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/testcgi" NOCASE NAME "WEB-CGI test.cgi access" LOGMSG "WEB-CGI test.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/test.cgi" NOCASE # NAME "WEB-CGI textcounter.pl access" LOGMSG "WEB-CGI textcounter.pl access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/textcounter.pl" NOCASE NAME "WEB-CGI uploader.exe access" LOGMSG "WEB-CGI uploader.exe access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/uploader.exe" NOCASE # NAME "WEB-CGI webgais access" LOGMSG "WEB-CGI webgais access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/webgais" NOCASE # NAME "WEB-CGI finger access" LOGMSG "WEB-CGI finger access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/finger" NOCASE NAME "WEB-CGI perlshop.cgi access" LOGMSG "WEB-CGI perlshop.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/perlshop.cgi" NOCASE NAME "WEB-CGI pfdisplay.cgi access" LOGMSG "WEB-CGI pfdisplay.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/pfdisplay.cgi" NOCASE NAME "WEB-CGI aglimpse access" LOGMSG "WEB-CGI aglimpse access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/aglimpse" NOCASE NAME "WEB-CGI anform2 access" LOGMSG "WEB-CGI anform2 access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/AnForm2" NOCASE NAME "WEB-CGI args.bat access" LOGMSG "WEB-CGI args.bat access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/args.bat" NOCASE NAME "WEB-CGI args.cmd access" LOGMSG "WEB-CGI args.cmd access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/args.cmd" NOCASE NAME "WEB-CGI AT-admin.cgi access" LOGMSG "WEB-CGI AT-admin.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/AT-admin.cgi" NOCASE NAME "WEB-CGI AT-generated.cgi access" LOGMSG "WEB-CGI AT-generated.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/AT-generated.cgi" NOCASE NAME "WEB-CGI bnbform.cgi access" LOGMSG "WEB-CGI bnbform.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/bnbform.cgi" NOCASE # NAME "WEB-CGI campas access" LOGMSG "WEB-CGI campas access" PROTO 
TCP DIRECTION FROM_ORIG URICONTENT "/campas" NOCASE NAME "WEB-CGI view-source directory traversal" LOGMSG "WEB-CGI view-source directory traversal" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/view-source" NOCASE CONTENT "../" NOCASE NAME "WEB-CGI view-source access" LOGMSG "WEB-CGI view-source access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/view-source" NOCASE NAME "WEB-CGI wais.pl access" LOGMSG "WEB-CGI wais.pl access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/wais.pl" NOCASE NAME "WEB-CGI wwwwais access" LOGMSG "WEB-CGI wwwwais access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/wwwwais" NOCASE NAME "WEB-CGI files.pl access" LOGMSG "WEB-CGI files.pl access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/files.pl" NOCASE NAME "WEB-CGI wguest.exe access" LOGMSG "WEB-CGI wguest.exe access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/wguest.exe" NOCASE # NAME "WEB-CGI wrap access" LOGMSG "WEB-CGI wrap access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/wrap" NAME "WEB-CGI classifieds.cgi access" LOGMSG "WEB-CGI classifieds.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/classifieds.cgi" NOCASE NAME "WEB-CGI environ.cgi access" LOGMSG "WEB-CGI environ.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/environ.cgi" NOCASE NAME "WEB-CGI faxsurvey attempt (full path)" LOGMSG "WEB-CGI faxsurvey attempt (full path)" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/faxsurvey?/" NOCASE NAME "WEB-CGI faxsurvey arbitrary file read attempt" LOGMSG "WEB-CGI faxsurvey arbitrary file read attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/faxsurvey?cat%20" NOCASE NAME "WEB-CGI faxsurvey access" LOGMSG "WEB-CGI faxsurvey access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/faxsurvey" NOCASE NAME "WEB-CGI filemail access" LOGMSG "WEB-CGI filemail access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/filemail.pl" NOCASE NAME "WEB-CGI man.sh access" LOGMSG "WEB-CGI man.sh access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/man.sh" NOCASE NAME "WEB-CGI snork.bat access" LOGMSG "WEB-CGI 
snork.bat access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/snork.bat" NOCASE NAME "WEB-CGI w3-msql access" LOGMSG "WEB-CGI w3-msql access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/w3-msql/" NOCASE NAME "WEB-CGI day5datacopier.cgi access" LOGMSG "WEB-CGI day5datacopier.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/day5datacopier.cgi" NOCASE NAME "WEB-CGI day5datanotifier.cgi access" LOGMSG "WEB-CGI day5datanotifier.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/day5datanotifier.cgi" NOCASE NAME "WEB-CGI post-query access" LOGMSG "WEB-CGI post-query access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/post-query" NOCASE NAME "WEB-CGI visadmin.exe access" LOGMSG "WEB-CGI visadmin.exe access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/visadmin.exe" NOCASE NAME "WEB-CGI dumpenv.pl access" LOGMSG "WEB-CGI dumpenv.pl access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/dumpenv.pl" NOCASE NAME "WEB-CGI calendar_admin.pl arbitrary command execution attempt" LOGMSG "WEB-CGI calendar_admin.pl arbitrary command execution attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/calendar_admin.pl?config=\|" NAME "WEB-CGI calendar_admin.pl access" LOGMSG "WEB-CGI calendar_admin.pl access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/calendar_admin.pl" NAME "WEB-CGI calendar-admin.pl access" LOGMSG "WEB-CGI calendar-admin.pl access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/calendar-admin.pl" NOCASE # NAME "WEB-CGI calender.pl access" LOGMSG "WEB-CGI calender.pl access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/calender.pl" NOCASE # NAME "WEB-CGI calendar access" LOGMSG "WEB-CGI calendar access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/calendar" NOCASE NAME "WEB-CGI user_update_admin.pl access" LOGMSG "WEB-CGI user_update_admin.pl access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/user_update_admin.pl" NOCASE NAME "WEB-CGI user_update_passwd.pl access" LOGMSG "WEB-CGI user_update_passwd.pl access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/user_update_passwd.pl" 
NOCASE NAME "WEB-CGI snorkerz.cmd access" LOGMSG "WEB-CGI snorkerz.cmd access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/snorkerz.cmd" NOCASE # NAME "WEB-CGI survey.cgi access" LOGMSG "WEB-CGI survey.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/survey.cgi" NOCASE NAME "WEB-CGI scriptalias access" LOGMSG "WEB-CGI scriptalias access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "///" NAME "WEB-CGI win-c-sample.exe access" LOGMSG "WEB-CGI win-c-sample.exe access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/win-c-sample.exe" NOCASE NAME "WEB-CGI w3tvars.pm access" LOGMSG "WEB-CGI w3tvars.pm access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/w3tvars.pm" NOCASE NAME "WEB-CGI admin.pl access" LOGMSG "WEB-CGI admin.pl access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/admin.pl" NOCASE NAME "WEB-CGI LWGate access" LOGMSG "WEB-CGI LWGate access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/LWGate" NOCASE # NAME "WEB-CGI archie access" LOGMSG "WEB-CGI archie access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/archie" NOCASE # NAME "WEB-CGI flexform access" LOGMSG "WEB-CGI flexform access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/flexform" NOCASE NAME "WEB-CGI formmail arbitrary command execution attempt" LOGMSG "WEB-CGI formmail arbitrary command execution attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/formmail" NOCASE CONTENT "%0a" NOCASE # NAME "WEB-CGI formmail access" LOGMSG "WEB-CGI formmail access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/formmail" NOCASE NAME "WEB-CGI phf arbitrary command execution attempt" LOGMSG "WEB-CGI phf arbitrary command execution attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/phf" NOCASE CONTENT "QALIAS" NOCASE CONTENT "%0a/" NAME "WEB-CGI phf access" LOGMSG "WEB-CGI phf access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/phf" NOCASE NAME "WEB-CGI www-sql access" LOGMSG "WEB-CGI www-sql access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/www-sql" NOCASE NAME "WEB-CGI wwwadmin.pl access" LOGMSG "WEB-CGI wwwadmin.pl access" PROTO 
TCP DIRECTION FROM_ORIG URICONTENT "/wwwadmin.pl" NOCASE NAME "WEB-CGI ppdscgi.exe access" LOGMSG "WEB-CGI ppdscgi.exe access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/ppdscgi.exe" NOCASE # NAME "WEB-CGI sendform.cgi access" LOGMSG "WEB-CGI sendform.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/sendform.cgi" NOCASE # NAME "WEB-CGI upload.pl access" LOGMSG "WEB-CGI upload.pl access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/upload.pl" NOCASE # NAME "WEB-CGI AnyForm2 access" LOGMSG "WEB-CGI AnyForm2 access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/AnyForm2" NOCASE NAME "WEB-CGI MachineInfo access" LOGMSG "WEB-CGI MachineInfo access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/MachineInfo" NOCASE NAME "WEB-CGI bb-hist.sh attempt" LOGMSG "WEB-CGI bb-hist.sh attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/bb-hist.sh?HISTFILE=../.." NOCASE NAME "WEB-CGI bb-hist.sh access" LOGMSG "WEB-CGI bb-hist.sh access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/bb-hist.sh" NOCASE NAME "WEB-CGI bb-histlog.sh access" LOGMSG "WEB-CGI bb-histlog.sh access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/bb-histlog.sh" NOCASE NAME "WEB-CGI bb-histsvc.sh access" LOGMSG "WEB-CGI bb-histsvc.sh access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/bb-histsvc.sh" NOCASE NAME "WEB-CGI bb-hostscv.sh attempt" LOGMSG "WEB-CGI bb-hostscv.sh attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/bb-hostsvc.sh?HOSTSVC?../.." 
NOCASE NAME "WEB-CGI bb-hostscv.sh access" LOGMSG "WEB-CGI bb-hostscv.sh access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/bb-hostsvc.sh" NOCASE NAME "WEB-CGI bb-rep.sh access" LOGMSG "WEB-CGI bb-rep.sh access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/bb-rep.sh" NOCASE NAME "WEB-CGI bb-replog.sh access" LOGMSG "WEB-CGI bb-replog.sh access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/bb-replog.sh" NOCASE # NAME "WEB-CGI redirect access" LOGMSG "WEB-CGI redirect access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/redirect" NOCASE NAME "WEB-CGI wayboard attempt" LOGMSG "WEB-CGI wayboard attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/way-board/way-board.cgi" CONTENT "db=" CONTENT "../.." NOCASE # NAME "WEB-CGI way-board access" LOGMSG "WEB-CGI way-board access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/way-board" NOCASE NAME "WEB-CGI pals-cgi arbitrary file access attempt" LOGMSG "WEB-CGI pals-cgi arbitrary file access attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/pals-cgi" NOCASE CONTENT "documentName=" # NAME "WEB-CGI pals-cgi access" LOGMSG "WEB-CGI pals-cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/pals-cgi" NOCASE NAME "WEB-CGI commerce.cgi arbitrary file access attempt" LOGMSG "WEB-CGI commerce.cgi arbitrary file access attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/commerce.cgi" CONTENT "page=" CONTENT "/../" NOCASE # NAME "WEB-CGI commerce.cgi access" LOGMSG "WEB-CGI commerce.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/commerce.cgi" NOCASE NAME "WEB-CGI Amaya templates sendtemp.pl directory traversal attempt" LOGMSG "WEB-CGI Amaya templates sendtemp.pl directory traversal attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/sendtemp.pl" NOCASE CONTENT "templ=" NOCASE NAME "WEB-CGI Amaya templates sendtemp.pl access" LOGMSG "WEB-CGI Amaya templates sendtemp.pl access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/sendtemp.pl" NOCASE NAME "WEB-CGI webspirs.cgi directory traversal attempt" LOGMSG "WEB-CGI webspirs.cgi directory 
traversal attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/webspirs.cgi" NOCASE CONTENT "../../" NOCASE NAME "WEB-CGI webspirs.cgi access" LOGMSG "WEB-CGI webspirs.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/webspirs.cgi" NOCASE NAME "WEB-CGI tstisapi.dll access" LOGMSG "WEB-CGI tstisapi.dll access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "tstisapi.dll" NOCASE # NAME "WEB-CGI sendmessage.cgi access" LOGMSG "WEB-CGI sendmessage.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/sendmessage.cgi" NOCASE NAME "WEB-CGI lastlines.cgi access" LOGMSG "WEB-CGI lastlines.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/lastlines.cgi" NOCASE NAME "WEB-CGI zml.cgi attempt" LOGMSG "WEB-CGI zml.cgi attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/zml.cgi" CONTENT "file=../" NAME "WEB-CGI zml.cgi access" LOGMSG "WEB-CGI zml.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/zml.cgi" NAME "WEB-CGI AHG search.cgi access" LOGMSG "WEB-CGI AHG search.cgi access" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/publisher/search.cgi" NOCASE CONTENT "template=" NOCASE NAME "WEB-CGI agora.cgi attempt" LOGMSG "WEB-CGI agora.cgi attempt" PROTO TCP DIRECTION FROM_ORIG URICONTENT "/store/agora.cgi?cart_id=