HOME_NET=0/0
EXTERNAL_NET=0/0
SMTP=$HOME_NET
HTTP_SERVERS=$HOME_NET
SQL_SERVERS=$HOME_NET
DNS_SERVERS=$HOME_NET
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 0 -j LOG	# "BAD TRAFFIC tcp port 0 traffic" sid:524 classtype:misc-activity
iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --sport 0 -j LOG	# "BAD TRAFFIC tcp port 0 traffic" sid:524 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 0 -j LOG	# "BAD TRAFFIC udp port 0 traffic" sid:525 classtype:misc-activity
iptables -A SnortRules -p udp -d $EXTERNAL_NET -s $HOME_NET --sport 0 -j LOG	# "BAD TRAFFIC udp port 0 traffic" sid:525 classtype:misc-activity
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL SYN -j LOG	#Cannot convert: dsize:>6	 "BAD TRAFFIC data in TCP SYN packet" sid:526 classtype:misc-activity
iptables -A SnortRules -d 127.0.0.0/8 -j LOG	# "BAD TRAFFIC loopback traffic" classtype:bad-unknown sid:528
iptables -A SnortRules -s 127.0.0.0/8 -j LOG	# "BAD TRAFFIC loopback traffic" classtype:bad-unknown sid:528
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -j LOG	#Cannot convert: fragbits:R	 "BAD TRAFFIC ip reserved bit set" sid:523 classtype:misc-activity
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m ttl --ttl-eq 0 -j LOG	# "BAD TRAFFIC 0 ttl" sid:1321 classtype:misc-activity
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -j LOG	#Cannot convert: fragbits: MD	 "BAD TRAFFIC bad frag bits" sid:1322 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 22 --tcp-flags ACK ACK -m string --string "/bin/sh" -j LOG --log-prefix " cve-CVE-2001-0144 "	# "EXPLOIT ssh CRC32 overflow /bin/sh" bugtraq,2347 classtype:shellcode-detect sid:1324
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 22 --tcp-flags ACK ACK -m string --string "" -j LOG --log-prefix " cve-CVE-2001-0144 "	# "EXPLOIT ssh CRC32 overflow filler" bugtraq,2347 classtype:shellcode-detect sid:1325
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 22 --tcp-flags ACK ACK -m string --string "" -j LOG --log-prefix " cve-CVE-2001-0144 "	# "EXPLOIT ssh CRC32 overflow NOOP" bugtraq,2347 classtype:shellcode-detect sid:1326
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 22 --tcp-flags ACK ACK -m string --string "W" --string "ÿÿÿÿ" -j LOG --log-prefix " cve-CVE-2001-0144 "	# "EXPLOIT ssh CRC32 overflow" bugtraq,2347 classtype:shellcode-detect sid:1327
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "3É±?éQ<úG3ÀP÷ÐP" --tcp-flags ACK ACK -j LOG	# "EXPLOIT netscape 4.7 client overflow" bugtraq,822 arachnids,215 classtype:attempted-user sid:283
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 109 --tcp-flags ACK ACK -m string --string "ë,[‰Ù€Á9Ù|€" -j LOG	# "EXPLOIT pop2 x86 linux overflow" classtype:attempted-admin sid:284
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 109 --tcp-flags ACK ACK -m string --string "ÿÿÿ/BIN/SH" -j LOG	# "EXPLOIT pop2 x86 linux overflow" classtype:attempted-admin sid:285
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 110 --tcp-flags ACK ACK -m string --string "^1À°;~‰ú‰ù" -j LOG	# "EXPLOIT pop3 x86 bsd overflow" classtype:attempted-admin sid:286
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 110 --tcp-flags ACK ACK -m string --string "h]^ÿÕÿÔÿõ‹õf1" -j LOG	# "EXPLOIT pop3 x86 bsd overflow" classtype:attempted-admin sid:287
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 110 --tcp-flags ACK ACK -m string --string "Ø@Í€èÙÿÿÿ/bin/sh" -j LOG	# "EXPLOIT pop3 x86 linux overflow" classtype:attempted-admin sid:288
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 110 --tcp-flags ACK ACK -m string --string "V1À°;~‰ù‰ù" -j LOG	# "EXPLOIT pop3 x86 sco overflow" classtype:attempted-admin sid:289
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 110 --tcp-flags ACK ACK -m string --string "èÙÿÿÿ/bin/sh" -j LOG --log-prefix " cve-CAN-1999-0822 "	# "EXPLOIT qpopper overflow" bugtraq,830 classtype:attempted-admin sid:290
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 119 --tcp-flags ACK ACK -m string --string "AUTHINFO USER" -j LOG --log-prefix " cve-CAN-2000-0341 "	#Cannot convert: dsize: >512	 "EXPLOIT NNTP Cassandra Overflow" nocase-ignored arachnids,274 classtype:attempted-user sid:291
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "ë/_ëJ^‰û‰>‰ò" -j LOG --log-prefix " cve-CVE-1999-0811,cve-CVE-1999-0182 "	# "EXPLOIT x86 linux samba overflow" bugtraq,1816 classtype:attempted-admin sid:292
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 143 --tcp-flags ACK ACK -m string --string "èÀÿÿÿ/bin/sh" -j LOG	# "EXPLOIT imap overflow" classtype:attempted-admin sid:293
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 143 --tcp-flags ACK ACK -m string --string "‰Ø@Í€èÈÿÿÿ/" -j LOG --log-prefix " cve-CVE-1999-0005 "	# "EXPLOIT imap x86 linux overflow" bugtraq,130 classtype:attempted-admin sid:295
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 143 --tcp-flags ACK ACK -m string --string "ë4^‰^1Ò‰V" -j LOG --log-prefix " cve-CVE-1999-0005 "	# "EXPLOIT imap x86 linux overflow" bugtraq,130 classtype:attempted-admin sid:296
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 143 --tcp-flags ACK ACK -m string --string "ë5^€F0€F0€F0" -j LOG --log-prefix " cve-CVE-1999-0005 "	# "EXPLOIT imap x86 linux overflow" bugtraq,130 classtype:attempted-admin sid:297
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 143 --tcp-flags ACK ACK -m string --string "ë8^‰ó‰Ø€F €F" -j LOG --log-prefix " cve-CVE-1999-0005 "	# "EXPLOIT imap x86 linux overflow" bugtraq,130 classtype:attempted-admin sid:298
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 143 --tcp-flags ACK ACK -m string --string "ëX^1ÛƒÃƒÃˆ^&" -j LOG --log-prefix " cve-CVE-1999-0005 "	# "EXPLOIT imap x86 linux overflow" bugtraq,130 classtype:attempted-admin sid:299
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 2766 --tcp-flags ACK ACK -m string --string "ë#^3ÀˆFú‰Fõ‰6" -j LOG	# "EXPLOIT nlps x86 solaris overflow" classtype:attempted-admin sid:300 bugtraq,2319
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 515 --tcp-flags ACK ACK -m string --string "C‰[K‰C°Í€1ÀþÀÍ€è”ÿÿÿ/bin/sh" -j LOG	# "EXPLOIT LPRng overflow" bugtraq,1712 classtype:attempted-admin sid:301
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 515 --tcp-flags ACK ACK -m string --string "XXXX%.172u%300\$n" -j LOG	# "EXPLOIT redhat 7.0 lprd overflow" classtype:attempted-admin sid:302
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "«Í	€    a" -j LOG --log-prefix " cve-CAN-2000-0010 "	# "EXPLOIT named tsig infoleak" bugtraq,2302 arachnids,482 classtype:attempted-admin sid:303
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 6373 --tcp-flags ACK ACK -m string --string "ë]UþM˜þM›" -j LOG	# "EXPLOIT sco calserver overflow" bugtraq,2353 classtype:attempted-admin sid:304
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 8080 -m string --string "whois://" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CVE-2000-0165 "	#Cannot convert: dsize: >1000	 "EXPLOIT delegate proxy overflow" nocase-ignored arachnids,267 classtype:attempted-admin sid:305 bugtraq,808
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 9090 --tcp-flags ACK ACK -m string --string "GET / HTTP/1.1" -j LOG --log-prefix " cve-CAN-2000-0766 "	# "EXPLOIT VQServer admin" nocase-ignored bugtraq,1610 classtype:attempted-admin sid:306
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ACK ACK -m string --string "ëK[S2äƒÃKˆ#¸Pw" -j LOG --log-prefix " cve-CVE-1999-0672 "	# "EXPLOIT IRC client overflow" bugtraq,573 classtype:attempted-user sid:307
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ACK ACK -m string --string "´ ´‹Ìƒé‹3Éf¹" -j LOG --log-prefix " cve-CVE-1999-0671 "	# "EXPLOIT NextFTP client overflow" bugtraq,572 classtype:attempted-user sid:308
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "from:" -j LOG --log-prefix " cve-CAN-2000-0343 "	#Cannot convert: dsize: >512	 "EXPLOIT sniffit overflow" nocase-ignored bugtraq,1158 arachnids,273 classtype:attempted-admin sid:309
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "ëEë [ü3É±‚‹ó€+" -j LOG --log-prefix " cve-CVE-1999-0404 "	# "EXPLOIT x86 windows MailMax overflow" bugtraq,2312 classtype:attempted-admin sid:310
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 80 -m string --string "3É±?éQ<úG3ÀP÷ÐP" --tcp-flags ACK ACK -j LOG	# "EXPLOIT netscape 4.7 unsucessful overflow" arachnids,214 classtype:unsuccessful-user sid:311 bugtraq,822
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 123 -j LOG	#Cannot convert: dsize: >128	 "EXPLOIT ntpdx overflow attempt" arachnids,492 classtype:attempted-admin sid:312
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 518 -m string --string "è" -j LOG	# "EXPLOIT ntalkd x86 linux overflow" bugtraq,210 classtype:attempted-admin sid:313
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "€?/bin/sh" -j LOG --log-prefix " cve-CAN-2000-0010 "	# "EXPLOIT BIND Tsig Overflow Attempt" classtype:attempted-admin sid:314 bugtraq,2302
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 635 -m string --string "^°‰þÈ‰F°‰F" -j LOG --log-prefix " cve-CVE-1999-0002 "	# "EXPLOIT x86 linux mountd overflow" classtype:attempted-admin sid:315
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 635 -m string --string "ëV^VVV1ÒˆVˆV" -j LOG --log-prefix " cve-CVE-1999-0002 "	# "EXPLOIT x86 linux mountd overflow" classtype:attempted-admin sid:316
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 635 -m string --string "ë@^1À@‰F‰Ã@‰" -j LOG --log-prefix " cve-CVE-1999-0002 "	# "EXPLOIT x86 linux mountd overflow" classtype:attempted-admin sid:317
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 67 -m string --string "echo netrjs stre" -j LOG --log-prefix " cve-CVE-1999-0914 "	# "EXPLOIT bootp x86 bsd overflow" classtype:attempted-admin sid:318 bugtraq,324
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 67 -m string --string "A90À¨/bin/sh" -j LOG --log-prefix " cve-CVE-1999-0799,cve-CAN-1999-0798,cve-CAN-1999-0389 "	# "EXPLOIT bootp x86 linux overflow" classtype:attempted-admin sid:319
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 2224 -m string --string "1ÛÍ€è[ÿÿÿ" -j LOG --log-prefix " cve-CVE-2000-0446 "	# "EXPLOIT MDBMS overflow" bugtraq,1252 classtype:attempted-admin sid:1240
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 4242 -m string --string "ÿûxÿûxÿûxÿûx" --string "@ŠÿÈ@‚ÿØ;6þ;vþ" --tcp-flags ACK ACK -j LOG	#Cannot convert: dsize:>1000	 "EXPLOIT aix pdnsd overflow" bugtraq,3237 classtype:attempted-user sid:1261
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 4321 -m string --string "-soa %p" --tcp-flags ACK ACK -j LOG	# "EXPLOIT rwhoisd format string attempt" bugtraq,3474 classtype:misc-attack sid:1323
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 10101 -d $HOME_NET -m ttl --ttl-gt 220 --tcp-flags ALL SYN -j LOG	#Cannot convert: ack: 0	 "SCAN myscan" arachnids,439 classtype:attempted-recon sid:613
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 31790 -d $HOME_NET --dport 31789 -m string --string "A" --tcp-flags ACK ACK -j LOG	# "SCAN trojan hack-a-tack probe" arachnids,314 classtype:attempted-recon sid:614
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 1080 --tcp-flags ALL SYN -j LOG	# "SCAN Proxy attempt" classtype:attempted-recon sid:615
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 113 --tcp-flags ACK ACK -m string --string "VERSION" -j LOG	# "SCAN ident version" arachnids,303 classtype:attempted-recon sid:616
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 22 --tcp-flags ACK ACK -m string --string "\`" -j LOG	# "SCAN ssh-research-scanner" classtype:attempted-recon sid:617
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 3128 --tcp-flags ALL SYN -j LOG	# "INFO - Possible Squid Scan" classtype:attempted-recon sid:618
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ALL FIN,SYN -j LOG	#Cannot convert: Flag1 Flag2 dsize: 0	 "SCAN cybercop os probe" arachnids,146 classtype:attempted-recon sid:619
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 8080 --tcp-flags ALL SYN -j LOG	# "SCAN Proxy attempt" classtype:attempted-recon sid:620
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL FIN -j LOG	# "SCAN FIN" arachnids,27 classtype:attempted-recon sid:621
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL SYN -j LOG	#Cannot convert: seq: 1958810375	 "SCAN IP Eye SYN Scan" arachnids,236 classtype:attempted-recon sid:622
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL NONE -j LOG	#Cannot convert: seq:0 ack:0	 "SCAN NULL" arachnids,4 classtype:attempted-recon sid:623
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL FIN,SYN -j LOG	# "SCAN SYN FIN" arachnids,198 classtype:attempted-recon sid:624
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL ACK,FIN,PSH,SYN,RST,URG -j LOG	# "SCAN XMAS" arachnids,144 classtype:attempted-recon sid:625
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "AAAAAAAAAAAAAAAA" --tcp-flags ALL ACK,PSH -j LOG	#Cannot convert: Flag1 Flag2	 "SCAN cybercop os probe" arachnids,149 classtype:attempted-recon sid:626
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "AAAAAAAAAAAAAAAA" --tcp-flags ALL FIN,SYN,URG -j LOG	#Cannot convert: Flag1 Flag2 ack: 0	 "SCAN cybercop os probe" arachnids,150 classtype:attempted-recon sid:627
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL ACK -j LOG	#Cannot convert: ack:0	 "SCAN nmap TCP" arachnids,28 classtype:attempted-recon sid:628
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL FIN,PSH,SYN,URG -j LOG	# "SCAN nmap fingerprint attempt" arachnids,05 classtype:attempted-recon sid:629
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL FIN,SYN -j LOG	#Cannot convert: id: 39426	 "SCAN synscan portscan" arachnids,441 classtype:attempted-recon sid:630
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "ehlo cybercopquit" -j LOG	# "SMTP cybercop scan ehlo" arachnids,372 classtype:attempted-recon sid:631
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "expn cybercop" -j LOG	# "SMTP cybercop scan expn" arachnids,371 classtype:attempted-recon sid:632
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 10080:10081 -m string --string "Amanda" -j LOG	# "SCAN Amanda client version" nocase-ignored classtype:attempted-recon sid:634
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 49 -m string --string "€" -j LOG	# "SCAN XTACACS logout" arachnids,408 classtype:bad-unknown sid:635
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 7 -m string --string "cybercop" -j LOG	# "SCAN cybercop udp bomb" arachnids,363 classtype:bad-unknown sid:636
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "helpquit" -j LOG	# "SCAN Webtrends Scanner UDP Probe" arachnids,308 classtype:attempted-recon sid:637
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL FIN,PSH,URG -j LOG	# "SCAN NMAP XMAS" arachnids,30 classtype:attempted-recon sid:1228
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "cmd_rootsh" -j LOG	# "FINGER backdoor" classtype:attempted-admin sid:320
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "a b c d e f" -j LOG	# "FINGER account enumeration" nocase-ignored classtype:attempted-recon sid:321
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "search" -j LOG	# "FINGER search attempt" classtype:attempted-recon sid:322
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "root" -j LOG	# "FINGER root" arachnids,376 classtype:attempted-recon sid:323
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "" -j LOG	# "FINGER null" arachnids,377 classtype:attempted-recon sid:324
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "0" -j LOG	# "FINGER probe0 attempt" arachnids,378 classtype:attempted-recon sid:325
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "/W;" -j LOG	# "FINGER pipew attempt" bugtraq,974 arachnids,379 classtype:attempted-user sid:326
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "|" -j LOG	# "FINGER pipe attempt" bugtraq,2220 arachnids,380 classtype:attempted-user sid:327
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "@@" -j LOG	# "FINGER bomb attempt" arachnids,382 classtype:attempted-dos sid:328
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "@localhost" -j LOG	#Cannot convert: dsize: 11	 "FINGER cybercop redirection" arachnids,11 classtype:attempted-recon sid:329
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 -m string --string "@" --tcp-flags ACK ACK -j LOG	# "FINGER redirection" arachnids,251 classtype:attempted-recon sid:330
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 -m string --string "     " --tcp-flags ACK ACK -j LOG --log-prefix " cve-CVE-1999-0612 "	# "FINGER cybercop query" arachnids,132 classtype:attempted-recon sid:331
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "0" -j LOG	# "FINGER 0@host" arachnids,131 classtype:attempted-recon sid:332
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "." -j LOG --log-prefix " cve-CVE-1999-0612 "	# "FINGER .@host" arachnids,130 classtype:attempted-recon sid:333
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string ".forward" --tcp-flags ACK ACK -j LOG	# "FTP .forward" arachnids,319 classtype:suspicious-filename-detect sid:334
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string ".rhosts" -j LOG	# "FTP .rhosts" arachnids,328 classtype:suspicious-filename-detect sid:335
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "cwd ~root" --tcp-flags ACK ACK -j LOG	# "FTP CWD ~root" nocase-ignored arachnids,318 classtype:bad-unknown sid:336
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "CEL " -j LOG	#Cannot convert: dsize:>1300	 "FTP EXPLOIT aix overflow" arachnids,257 classtype:attempted-admin sid:337
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "SITE EXEC %020d|%.f%.f|" -j LOG	# "FTP EXPLOIT format string" nocase-ignored arachnids,453 classtype:attempted-user sid:338
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string " 1À™RR°Í€hÌsh" -j LOG	# "FTP EXPLOIT openbsd ftpd" arachnids,446 classtype:attempted-user sid:339
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "PWD/i" -j LOG	# "FTP EXPLOIT overflow" classtype:attempted-admin sid:340
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "XXXXX/" -j LOG	# "FTP EXPLOIT overflow" classtype:attempted-admin sid:341
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "À‚ ‘Ð " -j LOG --log-prefix " cve-CAN-2000-0573 "	# "FTP EXPLOIT solaris 2.8 format string" bugtraq,1387 arachnids,451 classtype:attempted-user sid:342
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "1ÀPPP°~Í€1Û1À" --tcp-flags ACK ACK -j LOG	# "FTP EXPLOIT wu-ftpd 2.6.0 bsd" arachnids,228 classtype:attempted-admin sid:343
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "1À1Û1É°FÍ€1À1Û" --tcp-flags ACK ACK -j LOG	# "FTP EXPLOIT wu-ftpd 2.6.0 linux overflow" arachnids,287 classtype:attempted-admin sid:344
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "SITE EXEC %p" --tcp-flags ACK ACK -j LOG	# "FTP EXPLOIT wu-ftpd 2.6.0 site exec overflow" nocase-ignored arachnids,285 classtype:attempted-admin sid:345
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "f%.f%.f%.f%.f%." --tcp-flags ACK ACK -j LOG	# "FTP EXPLOIT wu-ftpd 2.6.0 site exec overflow" arachnids,286 classtype:attempted-admin sid:346
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "1À1Û1É°FÍ€1À1ÛC‰ÙA°?Í€" -j LOG	# "FTP EXPLOIT wu-ftpd 2.6.0 tf8" arachnids,458 classtype:attempted-admin sid:347
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "..11venglin@" -j LOG	# "FTP EXPLOIT wu-ftpd 2.6.0" arachnids,440 classtype:attempted-user sid:348
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "MKD AAAAAA" -j LOG --log-prefix " cve-CVE-1999-0368 "	# "FTP EXPLOIT x86 linux overflow" bugtraq,113 classtype:attempted-admin sid:349
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "1À1Û°Í€1À°Í€" -j LOG --log-prefix " cve-CVE-1999-0368 "	# "FTP EXPLOIT x86 linux overflow" bugtraq,113 classtype:attempted-admin sid:350
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "1Û‰Ø°Í€ë," -j LOG --log-prefix " cve-CVE-1999-0368 "	# "FTP EXPLOIT x86 linux overflow" bugtraq,113 classtype:attempted-admin sid:351
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "ƒì^ƒÆpƒÆ(ÕàÀ" -j LOG --log-prefix " cve-CVE-1999-0368 "	# "FTP EXPLOIT x86 linux overflow" bugtraq, 113 classtype:attempted-admin sid:352
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "PASS ddd@" -j LOG	# "FTP adm scan" arachnids,332 classtype:suspicious-login sid:353
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "pass -iss@iss" -j LOG	# "FTP iss scan" arachnids,331 classtype:suspicious-login sid:354
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "pass wh00t" --tcp-flags ACK ACK -j LOG	# "FTP pass wh00t" nocase-ignored arachnids,324 classtype:suspicious-login sid:355
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "RETR" --string "passwd" --tcp-flags ACK ACK -j LOG	# "FTP passwd retreval attempt" nocase-ignored arachnids,213 classtype:suspicious-filename-detect sid:356
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "pass -cklaus" -j LOG	# "FTP piss scan" classtype:suspicious-login sid:357
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "pass -saint" -j LOG	# "FTP saint scan" arachnids,330 classtype:suspicious-login sid:358
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "pass -satan" -j LOG	# "FTP satan scan" arachnids,329 classtype:suspicious-login sid:359
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string ".%20." -j LOG	# "FTP serv-u directory transversal" nocase-ignored classtype:bad-unknown sid:360
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "site exec" --tcp-flags ACK ACK -j LOG	# "FTP site exec" nocase-ignored bugtraq,2241 arachnids,317 classtype:bad-unknown sid:361
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "RETR --use-compress-program" -j LOG --log-prefix " cve-CVE-1999-0202 "	# "FTP tar parameters" nocase-ignored bugtraq,2240 arachnids,134 classtype:bad-unknown sid:362
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "CWD ..." -j LOG	# "FTP CWD ..." classtype:bad-unknown sid:1229
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "_RLD" --string "/bin/sh" -j LOG	# "TELNET SGI telnetd format bug" arachnids,304 classtype:attempted-admin sid:711
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "ld_library_path" -j LOG	# "TELNET ld_library_path" arachnids,367 classtype:attempted-admin sid:712
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "ÿóÿóÿóÿóÿó" -j LOG	# "TELNET livingston DOS" arachnids,370 classtype:attempted-dos sid:713
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "resolv_host_conf" -j LOG	# "TELNET resolv_host_conf" arachnids,369 classtype:attempted-admin sid:714
iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --sport 23 -m string --string "to su root" --tcp-flags ACK ACK -j LOG	# "TELNET Attempted SU from wrong group" nocase-ignored classtype:attempted-admin sid:715
iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --sport 23 --tcp-flags ACK ACK -m string --string "not on system console" -j LOG	# "TELNET not on console" nocase-ignored arachnids,365 classtype:bad-unknown sid:717
iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --sport 23 -m string --string "Login incorrect" --tcp-flags ACK ACK -j LOG	# "TELNET login incorrect" arachnids,127 classtype:bad-unknown sid:718
iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --sport 23 -m string --string "login: root" --tcp-flags ACK ACK -j LOG	# "TELNET root login" classtype:suspicious-login sid:719
iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --sport 23 --tcp-flags ACK ACK -m string --string "[Yes]ÿþÿý&" -j LOG --log-prefix " cve-CAN-2001-0554 "	# "TELNET bsd telnet exploit response" classtype: attempted-admin sid: 1252 bugtraq,3064
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "ÿöÿöÿûÿö" -j LOG --log-prefix " cve-CAN-2001-0554 "	#Cannot convert: dsize: >200	 "TELNET bsd exploit client finishing" classtype: successful-admin sid: 1253 bugtraq,3064
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "4Dgifts" -j LOG	# "TELNET 4Dgifts SGI account attempt" classtype:suspicious-login sid:709
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "OutOfBox" -j LOG	# "TELNET EZsetup account attempt" classtype:suspicious-login sid:710
iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --sport 23 --tcp-flags ACK ACK -m string --string "ÿýÿýÿý#ÿý'ÿý\$" -j LOG --log-prefix " cve-CAN-1999-0619 "	# "TELNET access" arachnids,08 classtype:not-suspicious sid:716
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "rcpt to:" -j LOG --log-prefix " cve-CAN-2001-0260 "	#Cannot convert: dsize:>800	 "SMTP RCPT TO overflow" bugtraq,2283 classtype:attempted-admin sid:654
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 113 -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "D/" -j LOG --log-prefix " cve-CVE-1999-0204 "	# "SMTP sendmail 8.6.9 exploit" arachnids,140 classtype:attempted-admin sid:655
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "ëSë [ü3É±‚‹ó€+" -j LOG --log-prefix " cve-CVE-2000-0042 "	# "SMTP EXPLOIT x86 windows CSMMail overflow" bugtraq,895 classtype:attempted-admin sid:656
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 -m string --string "HELP " --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-1999-0261 "	#Cannot convert: dsize: >500	 "SMTP chameleon overflow" nocase-ignored bugtraq,2387 arachnids,266 classtype:attempted-admin sid:657
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "charset = \"\"" -j LOG	# "SMTP exchange mime DOS" classtype:attempted-dos sid:658
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "expn decode" -j LOG	# "SMTP expn decode" nocase-ignored arachnids,32 classtype:attempted-recon sid:659
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "expn root" -j LOG	# "SMTP expn root" nocase-ignored arachnids,31 classtype:attempted-recon sid:660
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "eply-to: a~.`/bin/" -j LOG --log-prefix " cve-CVE-1999-0208 "	#Cannot convert: Mishandled quotes	 "SMTP majordomo ifs" arachnids,143 classtype:attempted-admin sid:661
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "mail from: \"|" -j LOG	# "SMTP sendmail 5.5.5 exploit" nocase-ignored arachnids,119 classtype:attempted-admin sid:662
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "|sed -e '1,/^\$/'" -j LOG --log-prefix " cve-CVE-1999-0095 "	# "SMTP sendmail 5.5.8 overflow" arachnids,172 classtype:attempted-admin sid:663
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "rcpt to: decode" -j LOG	# "SMTP sendmail 5.6.4 exploit" nocase-ignored arachnids,121 classtype:attempted-admin sid:664
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "MAIL FROM: |/usr/ucb/tail" -j LOG	# "SMTP sendmail 5.6.5 exploit" nocase-ignored arachnids,122 classtype:attempted-user sid:665
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "rcpt to: | sed '1,/^$/d'|" -j LOG	# "SMTP sendmail 8.4.1 exploit" nocase-ignored arachnids,120 classtype:attempted-user sid:666
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "CrootMprog, P=/bin/" -j LOG	# "SMTP sendmail 8.6.10 exploit" arachnids,123 classtype:attempted-user sid:667
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "Croot							Mprog,P=/bin" -j LOG	# "SMTP sendmail 8.6.10 exploit" arachnids,124 classtype:attempted-user sid:668
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "CrootMprog" -j LOG --log-prefix " cve-CVE-1999-0204 "	# "SMTP sendmail 8.6.9 exploit" arachnids,142 classtype:attempted-user sid:669
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "C:daemonR" -j LOG --log-prefix " cve-CVE-1999-0204 "	# "SMTP sendmail 8.6.9 exploit" arachnids,139 classtype:attempted-user sid:670
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "CrootMprog" -j LOG --log-prefix " cve-CVE-1999-0204 "	# "SMTP sendmail 8.6.9c exploit" arachnids,141 classtype:attempted-user sid:671
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "vrfy decode" -j LOG	# "SMTP vrfy decode" nocase-ignored arachnids,373 classtype:attempted-recon sid:672
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ACK ACK -m string --string "€ " --string "‡™" -j LOG --log-prefix " cve-CAN-2001-0236 "	# "RPC snmpXdmi overflow attempt" bugtraq,2417 classtype:attempted-admin sid:569
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771:34000 -m string --string "À\"?ü¢ 	À,ÿâ\"?ô" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CVE-1999-0003 "	#Cannot convert: dsize: >999	 "RPC EXPLOIT ttdbserv solaris overflow" bugtraq,122 arachnids,242 classtype:attempted-admin sid:570
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771:34000 --tcp-flags ACK ACK -m string --string "†ó" -j LOG --log-prefix " cve-CVE-1999-0003 "	#Cannot convert: dsize: >999	 "RPC EXPLOIT ttdbserv Solaris overflow" bugtraq,122 arachnids,242 classtype:attempted-admin sid:571
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771:34000 --tcp-flags ACK ACK -m string --string "†ó" -j LOG --log-prefix " cve-CVE-1999-0003 "	# "RPC DOS ttdbserv solaris" bugtraq,122 arachnids,241 classtype:attempted-dos sid:572
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 634:1400 --tcp-flags ACK ACK -m string --string "€,Lu[" -j LOG	# "RPC AMD Overflow" arachnids,217 classtype:attempted-admin sid:573
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771: --tcp-flags ACK ACK -m string --string "†¥" -j LOG	# "RPC NFS Showmount" arachnids,26 classtype:attempted-recon sid:574
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†÷" -j LOG	# "RPC portmap request admind" arachnids,18 classtype:rpc-portmap-decode sid:575
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†÷" --tcp-flags ACK ACK -j LOG	# "RPC portmap request admind" arachnids,18 classtype:rpc-portmap-decode sid:1262
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡" -j LOG	# "RPC portmap request amountd" arachnids,19 classtype:rpc-portmap-decode sid:576
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡" --tcp-flags ACK ACK -j LOG	# "RPC portmap request amountd" arachnids,19 classtype:rpc-portmap-decode sid:1263
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†º" -j LOG	# "RPC portmap request bootparam" arachnids,16 classtype:rpc-portmap-decode sid:577
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†º" --tcp-flags ACK ACK -j LOG	# "RPC portmap request bootparam" arachnids,16 classtype:rpc-portmap-decode sid:1264
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†ä" -j LOG	# "RPC portmap request cmsd" arachnids,17 classtype:rpc-portmap-decode sid:578
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†ä" --tcp-flags ACK ACK -j LOG	# "RPC portmap request cmsd" arachnids,17 classtype:rpc-portmap-decode sid:1265
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¥" -j LOG	# "RPC portmap request mountd" arachnids,13 classtype:rpc-portmap-decode sid:579
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¥" --tcp-flags ACK ACK -j LOG	# "RPC portmap request mountd" arachnids,13 classtype:rpc-portmap-decode sid:1266
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡Ì" -j LOG	# "RPC portmap request nisd" arachnids,21 classtype:rpc-portmap-decode sid:580
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡Ì" --tcp-flags ACK ACK -j LOG	# "RPC portmap request nisd" arachnids,21 classtype:rpc-portmap-decode sid:1267
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "Iñ" -j LOG	# "RPC portmap request pcnfsd" arachnids,22 classtype:rpc-portmap-decode sid:581
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "Iñ" --tcp-flags ACK ACK -j LOG	# "RPC portmap request pcnfsd" arachnids,22 classtype:rpc-portmap-decode sid:1268
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†±" -j LOG	# "RPC portmap request rexd" arachnids,23 classtype:rpc-portmap-decode sid:582
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†±" --tcp-flags ACK ACK -j LOG	# "RPC portmap request rexd" arachnids,23 classtype:rpc-portmap-decode sid:1269
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " -j LOG	# "RPC portmap request rstatd" arachnids,10 classtype:rpc-portmap-decode sid:583
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --tcp-flags ACK ACK -j LOG	# "RPC portmap request rstatd" arachnids,10 classtype:rpc-portmap-decode sid:1270
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¢" --tcp-flags ACK ACK -j LOG	# "RPC portmap request rusers" arachnids,133 classtype:rpc-portmap-decode sid:1271
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¢" -j LOG	# "RPC portmap request rusers" arachnids,133 classtype:rpc-portmap-decode sid:584
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡ˆ" --tcp-flags ACK ACK -j LOG	# "RPC portmap request sadmind" arachnids,20 classtype:rpc-portmap-decode sid:1272
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡ˆ" -j LOG	# "RPC portmap request sadmind" arachnids,20 classtype:rpc-portmap-decode sid:585
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¯" -j LOG	# "RPC portmap request selection_svc" arachnids,25 classtype:rpc-portmap-decode sid:586
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¯" --tcp-flags ACK ACK -j LOG	# "RPC portmap request selection_svc" arachnids,25 classtype:rpc-portmap-decode sid:1273
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¸" -j LOG	# "RPC portmap request status" arachnids,15 classtype:rpc-portmap-decode sid:587
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†ó" -j LOG	# "RPC portmap request ttdbserv" arachnids,24 classtype:rpc-portmap-decode sid:588
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†ó" --tcp-flags ACK ACK -j LOG	# "RPC portmap request ttdbserv" arachnids,24 classtype:rpc-portmap-decode sid:1274
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†©" -j LOG	# "RPC portmap request yppasswd" arachnids,14 classtype:rpc-portmap-decode sid:589
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†©" --tcp-flags ACK ACK -j LOG	# "RPC portmap request yppasswd" arachnids,14 classtype:rpc-portmap-decode sid:1275
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¤" --tcp-flags ACK ACK -j LOG	# "RPC portmap request ypserv" arachnids,12 classtype:rpc-portmap-decode sid:1276
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¤" -j LOG	# "RPC portmap request ypserv" arachnids,12 classtype:rpc-portmap-decode sid:590
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¼" -j LOG	# "RPC portmap request ypupdated" arachnids,125 classtype:rpc-portmap-decode sid:1277
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -m string --string "†¼" -j LOG	# "RPC portmap request ypupdated" arachnids,125 classtype:rpc-portmap-decode sid:591
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 32770: -m string --string "†¡" -j LOG	# "RPC rstatd query" arachnids,9 classtype:attempted-recon sid:592
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32770: --tcp-flags ACK ACK -m string --string "†¡" -j LOG	# "RPC rstatd query" arachnids,9 classtype:attempted-recon sid:1278
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2001-0717 "	#Cannot convert: rpc:100083,*,*	 "RPC portmap request tooltalk" classtype:rpc-portmap-decode sid:1298
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -j LOG --log-prefix " cve-CAN-2001-0717 "	#Cannot convert: rpc:100083,*,*	 "RPC portmap request tooltalk" classtype:rpc-portmap-decode sid:1299
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -j LOG	#Cannot convert: rpc:100249,*,*	 "RPC portmap request snmpXdmi" bugtraq,2417 classtype:rpc-portmap-decode sid:593
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -j LOG	#Cannot convert: rpc:100249,*,*	 "RPC portmap request snmpXdmi" bugtraq,2417 classtype:rpc-portmap-decode sid:1279
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -j LOG --log-prefix " cve-CAN-2001-0331 "	#Cannot convert: rpc:391029,*,*	 "RPC portmap request espd" classtype:rpc-portmap-decode sid:594
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2001-0331 "	#Cannot convert: rpc:391029,*,*	 "RPC portmap request espd" classtype:rpc-portmap-decode sid:595
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -j LOG	#Cannot convert: rpc:100009,*,*	 "RPC portmap request yppasswdd" bugtraq,2763 classtype:rpc-portmap-decode sid:1296
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -j LOG	#Cannot convert: rpc:100009,*,*	 "RPC portmap request yppasswdd" bugtraq,2763 classtype:rpc-portmap-decode sid:1297
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -j LOG	#Cannot convert: rpc: 100000,*,*	 "RPC portmap listing" arachnids,429 classtype:rpc-portmap-decode sid:596
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771 --tcp-flags ACK ACK -j LOG	#Cannot convert: rpc: 100000,*,*	 "RPC portmap listing" arachnids,429 classtype:rpc-portmap-decode sid:597
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " -j LOG	# "RPC portmap listing" arachnids,429 classtype:rpc-portmap-decode sid:1280
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -m string --string "† " -j LOG	# "RPC portmap listing" arachnids,429 classtype:rpc-portmap-decode sid:598
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771 --tcp-flags ACK ACK -m string --string "† " -j LOG	# "RPC portmap listing" arachnids,429 classtype:rpc-portmap-decode sid:599
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 32771 -m string --string "† " -j LOG	# "RPC portmap listing" arachnids,429 classtype:rpc-portmap-decode sid:1281
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ACK ACK -m string --string "/binÇF/sh" -j LOG	# "RPC EXPLOIT statdx" arachnids,442 classtype:attempted-admin sid:600
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "/binÇF/sh" -j LOG	# "RPC EXPLOIT statdx" arachnids,442 classtype:attempted-admin sid:1282
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 --tcp-flags ACK ACK -m string --string "::::::::::::::::" -j LOG	# "RSERVICES rsh LinuxNIS" classtype:bad-unknown sid:601
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 --tcp-flags ACK ACK -m string --string "binbin" -j LOG	# "RSERVICES rsh bin" arachnids,384 classtype:attempted-user sid:602
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 --tcp-flags ACK ACK -m string --string "echo \" + + \"" -j LOG	# "RSERVICES rsh echo++" arachnids,385 classtype:bad-unknown sid:603
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 --tcp-flags ACK ACK -m string --string "-froot" -j LOG	# "RSERVICES rsh froot" arachnids,386 classtype:attempted-admin sid:604
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 --tcp-flags ACK ACK -m string --string "login incorrect" -j LOG	# "RSERVICES rsh login failure" arachnids,393 classtype:unsuccessful-user sid:605
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 --tcp-flags ACK ACK -m string --string "rootroot" -j LOG	# "RSERVICES rsh root" arachnids,389 classtype:attempted-admin sid:606
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 514 --tcp-flags ACK ACK -m string --string "binbin" -j LOG	# "RSERVICES rlogin bin" arachnids,390 classtype:attempted-user sid:607
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 514 --tcp-flags ACK ACK -m string --string "echo \"+ +\"" -j LOG	# "RSERVICES rlogin echo++" arachnids,388 classtype:attempted-user sid:608
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 514 --tcp-flags ACK ACK -m string --string "-froot" -j LOG	# "RSERVICES rlogin froot" arachnids,387 classtype:attempted-admin sid:609
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 514 --tcp-flags ACK ACK -m string --string "rootroot" -j LOG	# "RSERVICES rlogin root" arachnids,391 classtype:attempted-admin sid:610
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ACK ACK -m string --string "rlogind: Permission denied." -j LOG	# "RSERVICES rsh login failure" arachnids,392 classtype:unsuccessful-user sid:611
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 32770: -m string --string "†¢" -j LOG --log-prefix " cve-CVE-1999-0626 "	# "RPC rusers query" arachnids,136 classtype:attempted-recon sid:612
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -j LOG	#Cannot convert: fragbits: M dsize:408	 "DOS Jolt attack" classtype:attempted-dos sid:268
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL SYN -j LOG	#Cannot convert: id:3868 seq: 3868	 "DOS Land attack" classtype:attempted-dos sid:269
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -j LOG	#Cannot convert: id:242 fragbits:M	 "DOS Teardrop attack" bugtraq,124 classtype:attempted-dos sid:270
iptables -A SnortRules -p udp --sport 19 -d $HOME_NET --dport 7 -j LOG	# "DOS UDP Bomb" classtype:attempted-dos sid:271
iptables -A SnortRules -p udp --dport 19 -s $HOME_NET --sport 7 -j LOG	# "DOS UDP Bomb" classtype:attempted-dos sid:271
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "" --proto ip_proto: 2 -j LOG	#Cannot convert: fragbits: M+	 "DOS IGMP dos attack" classtype:attempted-dos sid:272
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "" --proto ip_proto: 2 -j LOG	#Cannot convert: fragbits: M+	 "DOS IGMP dos attack" classtype:attempted-dos sid:273
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "+++ath" -m icmp --icmp-type 8 -j LOG	# "DOS ath" nocase-ignored arachnids,264 classtype:attempted-dos sid:274
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL SYN -j LOG	#Cannot convert: seq: 6060842 id: 413	 "DOS NAPTHA" url,razor.bindview.com/publish/advisories/adv_NAPTHA.html classtype:attempted-dos sid:275
#iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --tcp-flags ALL SYN -j LOG	#Cannot convert: seq: 6060842 id: 413	 "DOS NAPTHA" url,razor.bindview.com/publish/advisories/adv_NAPTHA.html classtype:attempted-dos sid:275
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 7070 --tcp-flags ACK ACK -m string --string "ÿôÿý" -j LOG --log-prefix " cve-CVE-2000-0474 "	# "DOS Real Audio Server" bugtraq,1288 arachnids,411 classtype:attempted-dos sid:276
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 7070 --tcp-flags ACK ACK -m string --string "/viewsource/template.html?" -j LOG --log-prefix " cve-CVE-2000-0474 "	# "DOS Real Server template.html" nocase-ignored bugtraq,1288 classtype:attempted-dos sid:277
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 8080 --tcp-flags ACK ACK -m string --string "/viewsource/template.html?" -j LOG --log-prefix " cve-CVE-2000-0474 "	# "DOS Real Server template.html" nocase-ignored bugtraq,1288 classtype:attempted-dos sid:278
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 161 -j LOG --log-prefix " cve-CVE-2000-0221 "	#Cannot convert: dsize:0	 "DOS Bay/Nortel Nautica Marlin" bugtraq,1009 classtype:attempted-dos sid:279
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "+++ath0" -m icmp --icmp-type 8 -j LOG	# "DOS ath0" nocase-ignored arachnids,264 classtype:attempted-dos sid:280
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 9 -m string --string "NAMENAME" -j LOG --log-prefix " cve-CVE-1999-0060 "	# "DOS Ascend Route" bugtraq,714 arachnids,262 classtype:attempted-dos sid:281
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 617 --tcp-flags ACK ACK -j LOG --log-prefix " cve-CVE-1999-0788 "	#Cannot convert: dsize: >1445	 "DOS arkiea backup" bugtraq,662 arachnids,261 classtype:attempted-dos sid:282
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags URG URG -j LOG --log-prefix " cve-CVE-1999-0153 "	# "DOS Winnuke attack" bugtraq,2010 classtype: attempted-dos sid: 1257
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 8 -m string --string "1234" -j LOG	#Cannot convert: id: 678	 "DDOS TFN Probe" arachnids,443 classtype:attempted-recon sid:221
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 0 -m string --string "AAAAAAAAAA" -j LOG	#Cannot convert: icmp_id: 0	 "DDOS tfn2k icmp possible communication" arachnids,425 classtype:attempted-dos sid:222
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 31335 -m string --string "PONG" -j LOG	# "DDOS Trin00:DaemontoMaster(PONGdetected)" arachnids,187 classtype:attempted-recon sid:223
#iptables -A SnortRules -p icmp -s 3.3.3.3/32 -d $EXTERNAL_NET -m icmp --icmp-type 0 -j LOG	#Cannot convert: icmp_id: 666	 "DDOS Stacheldraht server-spoof" arachnids,193 classtype:attempted-dos sid:224
#iptables -A SnortRules -p icmp -s $HOME_NET -d $EXTERNAL_NET -m string --string "sicken" -m icmp --icmp-type 0 -j LOG	#Cannot convert: icmp_id: 669	 "DDOS Stacheldraht server-response-gag" arachnids,195 classtype:attempted-dos sid:225
#iptables -A SnortRules -p icmp -s $HOME_NET -d $EXTERNAL_NET -m string --string "ficken" -m icmp --icmp-type 0 -j LOG	#Cannot convert: icmp_id: 667	 "DDOS Stacheldraht server-response" arachnids,191 classtype:attempted-dos sid:226
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "spoofworks" -m icmp --icmp-type 0 -j LOG	#Cannot convert: icmp_id: 1000	 "DDOS Stacheldraht client-spoofworks" arachnids,192 classtype:attempted-dos sid:227
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 0 -j LOG	#Cannot convert: icmp_id: 456 icmp_seq: 0	 "DDOS TFN client command BE" arachnids,184 classtype:attempted-dos sid:228
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "skillz" -m icmp --icmp-type 0 -j LOG	#Cannot convert: icmp_id: 666	 "DDOS Stacheldraht client-check" arachnids,190 classtype:attempted-dos sid:229
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 20432 --tcp-flags ACK ACK -j LOG	# "DDOS shaft client to handler" arachnids,254 classtype:attempted-dos sid:230
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 31335 -m string --string "l44" -j LOG	# "DDOS Trin00:DaemontoMaster(messagedetected)" arachnids,186 classtype:attempted-dos sid:231
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 31335 -m string --string "*HELLO*" -j LOG	# "DDOS Trin00:DaemontoMaster(*HELLO*detected)" arachnids,185 classtype:attempted-dos sid:232
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 27665 --tcp-flags ACK ACK -m string --string "betaalmostdone" -j LOG	# "DDOS Trin00:Attacker to Master default startup password" arachnids,197 classtype:attempted-dos sid:233
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 27665 --tcp-flags ACK ACK -m string --string "gOrave" -j LOG	# "DDOS Trin00 Attacker to Master default password" classtype:attempted-dos sid:234
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 27665 --tcp-flags ACK ACK -m string --string "killme" -j LOG	# "DDOS Trin00 Attacker to Master default mdie password" classtype:bad-unknown sid:235
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "gesundheit" -m icmp --icmp-type 0 -j LOG	#Cannot convert: icmp_id: 668	 "DDOS Stacheldraht client-check-gag" arachnids,194 classtype:attempted-dos sid:236
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 27444 -m string --string "l44adsl" -j LOG	# "DDOS Trin00:MastertoDaemon(defaultpassdetected!)" arachnids,197 classtype:attempted-dos sid:237
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "shell bound to port" -m icmp --icmp-type 0 -j LOG	#Cannot convert: icmp_id: 123 icmp_seq: 0	 "DDOS TFN server response" arachnids,182 classtype:attempted-dos sid:238
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 18753 -m string --string "alive tijgu" -j LOG	# "DDOS shaft handler to agent" arachnids,255 classtype:attempted-dos sid:239
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 20433 -m string --string "alive" -j LOG	# "DDOS shaft agent to handler" arachnids,256 classtype:attempted-dos sid:240
#iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --tcp-flags ALL SYN -j LOG	#Cannot convert: seq: 674711609	 "DDOS shaft synflood" arachnids,253 classtype:attempted-dos sid:241
#iptables -A SnortRules -p tcp -d $HOME_NET -s $EXTERNAL_NET --tcp-flags ALL SYN -j LOG	#Cannot convert: seq: 674711609	 "DDOS shaft synflood" arachnids,253 classtype:attempted-dos sid:241
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 6838 -m string --string "newserver" -j LOG	# "DDOS mstream agent to handler" classtype:attempted-dos sid:243
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 10498 -m string --string "stream/" -j LOG --log-prefix " cve-CAN-2000-0138 "	# "DDOS mstream handler to agent" classtype:attempted-dos sid:244
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 10498 -m string --string "ping" -j LOG --log-prefix " cve-CAN-2000-0138 "	# "DDOS mstream handler ping to agent" classtype:attempted-dos sid:245
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 10498 -m string --string "pong" -j LOG	# "DDOS mstream agent pong to handler" classtype:attempted-dos sid:246
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 12754 -m string --string ">" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2000-0138 "	# "DDOS mstream client to handler" classtype:attempted-dos sid:247
iptables -A SnortRules -p tcp -s $HOME_NET --sport 12754 -d $EXTERNAL_NET -m string --string ">" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2000-0138 "	# "DDOS mstream handler to client" classtype:attempted-dos sid:248
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 15104 --tcp-flags ALL SYN -j LOG --log-prefix " cve-CAN-2000-0138 "	# "DDOS mstream client to handler" arachnids,111 classtype:attempted-dos sid:249
iptables -A SnortRules -p tcp -s $HOME_NET --sport 15104 -d $EXTERNAL_NET -m string --string ">" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2000-0138 "	# "DDOS mstream handler to client" classtype:attempted-dos sid:250
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 0 -j LOG	#Cannot convert: icmp_id: 51201 icmp_seq: 0	 "DDOS - TFN client command LE" arachnids,183 classtype:attempted-dos sid:251
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "	€" -j LOG --log-prefix " cve-CVE-1999-0009 "	# "DNS named iquery attempt" arachnids,277 bugtraq,134 classtype:attempted-recon sid:252
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 53 -d $HOME_NET -m string --string "…€" --string "À<" -j LOG	# "DNS SPOOF query response PTR with TTL: 1 min. and no authority" classtype:bad-unknown sid:253
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 53 -d $HOME_NET -m string --string "€" --string "À<" -j LOG	# "DNS SPOOF query response with ttl: 1 min. and no authority" classtype:bad-unknown sid:254
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "ü" --tcp-flags ACK ACK -j LOG	# "DNS zone transfer" arachnids,212 classtype:attempted-recon sid:255
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "authors" --string "bind" -j LOG	# "DNS named authors attempt" nocase-ignored arachnids,480 classtype:attempted-recon sid:256
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "version" --string "bind" -j LOG	# "DNS named version attempt" nocase-ignored arachnids,278 classtype:attempted-recon sid:257
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "../../../../../../../../../" -j LOG --log-prefix " cve-CVE-1999-0833 "	# "DNS EXPLOIT named 8.2->8.2.1" classtype:attempted-admin sid:258
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool" -j LOG --log-prefix " cve-CVE-1999-0833 "	# "DNS EXPLOIT named overflow" classtype:attempted-admin sid:259
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "ADMROCKS" -j LOG --log-prefix " cve-CVE-1999-0833 "	# "DNS EXPLOIT named" classtype:attempted-admin sid:260
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "Í€è×ÿÿÿ/bin/sh" -j LOG	# "DNS EXPLOIT named" classtype:attempted-admin sid:261
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "1À°?1Û³ÿ1ÉÍ€1À" -j LOG	# "DNS EXPLOIT x86 linux" classtype:attempted-admin sid:262
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "1À°Í€…ÀuLëL^°" -j LOG	# "DNS EXPLOIT x86 linux" classtype:attempted-admin sid:264
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "‰÷)Ç‰ó‰ù‰ò¬<þ" -j LOG	# "DNS EXPLOIT x86 linux ADMv2" classtype:attempted-admin sid:265
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "ën^Æš1É‰NÆF" -j LOG	# "DNS EXPLOIT x86 freebsd" classtype:attempted-admin sid:266
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "À ’ Ð#¿ø" -j LOG	# "DNS EXPLOIT sparc" classtype:attempted-admin sid:267
iptables -A SnortRules -p udp --dport 69 -m string --string "Admin.dlloctet" -j LOG	# "TFTP GET Admin.dll" classtype:successful-admin url,www.cert.org/advisories/CA-2001-26.html sid:1289
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 69 -m string --string "" -j LOG --log-prefix " cve-CVE-1999-0183 "	# "TFTP Write" arachnids,148 classtype:bad-unknown sid:518
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 69 -m string --string ".." -j LOG --log-prefix " cve-CVE-1999-0183 "	# "TFTP parent directory" arachnids,137 classtype:bad-unknown sid:519
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 69 -m string --string "/" -j LOG --log-prefix " cve-CVE-1999-0183 "	# "TFTP root directory" arachnids,138 classtype:bad-unknown sid:520
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/hsx.cgi" --string "../../" --string "%00" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2001-0253 "	# "WEB-CGI HyperSeek directory traversal attempt" bugtraq,2314 classtype:web-application-attack sid:803
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/s.cgi" --string "tmpl=" --tcp-flags ACK ACK -j LOG	#Cannot convert: dsize:>500	 "WEB-CGI SWSoft ASPSeek Overflow attempt" nocase-ignored bugtraq,2492 classtype:web-application-attack sid:804
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/wsisa.dll/WService=" --string "WSMadmin" -j LOG	# "WEB-CGI webspeed access" nocase-ignored nocase-ignored arachnids,467 classtype:attempted-user sid:805
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/YaBB.pl" --string "../" -j LOG	# "WEB-CGI yabb access" arachnids,462 classtype:attempted-recon sid:806
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/wwwboard/passwd.txt" -j LOG	# "WEB-CGI wwwboard passwd access" nocase-ignored arachnids,463 classtype:attempted-recon sid:807
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webdriver" -j LOG	# "WEB-CGI webdriver access" nocase-ignored arachnids,473 classtype:attempted-recon sid:808
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/whois_raw.cgi?" --string "" -j LOG	# "WEB-CGI whoisraw attempt" arachnids,466 classtype:web-application-attack sid:809
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/whois_raw.cgi" -j LOG	# "WEB-CGI whoisraw access" arachnids,466 classtype:attempted-recon sid:810
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string " /HTTP/1." -j LOG	# "WEB-CGI websitepro path access" nocase-ignored arachnids,468 classtype:attempted-recon sid:811
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webplus?about " -j LOG	# "WEB-CGI webplus version access" nocase-ignored arachnids,470 classtype:attempted-recon sid:812
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webplus?script" --string "../" -j LOG	# "WEB-CGI webplus directory trasversal" nocase-ignored arachnids,471 classtype:web-application-attack sid:813
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/websendmail" -j LOG --log-prefix " cve-CVE-1999-0196 "	# "WEB-CGI websendmail access" nocase-ignored arachnids,469 bugtraq,2077 classtype:attempted-recon sid:815
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/dcboard.cgi" --string "command=register" --string "%7cadmin" -j LOG	# "WEB-CGI dcforum.cgi invalid user addition attempt" classtype:web-application-attack sid:817
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/dcforum.cgi" --tcp-flags ACK ACK -j LOG	# "WEB-CGI dcforum.cgi access" classtype:attempted-recon sid:818
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/mmstdod.cgi" --tcp-flags ACK ACK -j LOG	# "WEB-CGI mmstdod.cgi access" nocase-ignored classtype:attempted-recon sid:819
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/apexec.pl" --string "template=../" -j LOG --log-prefix " cve-CVE-2000-0975 "	# "WEB-CGI anaconda directory transversal attempt" nocase-ignored bugtraq,2388 classtype:web-application-attack sid:820
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ALL ACK -m string --string "/imagemap.exe?" -j LOG	#Cannot convert: dsize: >1000	 "WEB-CGI imagemap overflow attempt" nocase-ignored arachnids,412 classtype:web-application-attack sid:821
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cvsweb.cgi" -j LOG --log-prefix " cve-CVE-2000-0670 "	# "WEB-CGI cvsweb.cgi access" nocase-ignored bugtraq,1469 classtype:attempted-recon sid:823
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/php.cgi" -j LOG	# "WEB-CGI php access" nocase-ignored bugtraq,2250 arachnids,232 classtype:attempted-recon sid:824
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/glimpse" -j LOG	# "WEB-CGI glimpse access" nocase-ignored bugtraq,2026 classtype:attempted-recon sid:825
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/htmlscript" -j LOG --log-prefix " cve-CVE-1999-0264 "	# "WEB-CGI htmlscript access" nocase-ignored bugtraq,2001 classtype:attempted-recon sid:826
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/info2www" -j LOG --log-prefix " cve-CVE-1999-0266 "	# "WEB-CGI info2www access" nocase-ignored bugtraq,1995 classtype:attempted-recon sid:827
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/maillist.pl" -j LOG	# "WEB-CGI maillist.pl access" nocase-ignored classtype:attempted-recon sid:828
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/nph-test-cgi" -j LOG --log-prefix " cve-CVE-1999-0045 "	# "WEB-CGI nph-test-cgi access" nocase-ignored arachnids,224 bugtraq,686 classtype:attempted-recon sid:829
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/nph-publish" -j LOG	# "WEB-CGI NPH-publish access" nocase-ignored classtype:attempted-recon sid:830
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/perl.exe" -j LOG	# "WEB-CGI perl.exe access" nocase-ignored arachnids,219 classtype:attempted-recon sid:832
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/rguest.exe" -j LOG --log-prefix " cve-CAN-1999-0467 "	# "WEB-CGI rguest.exe access" nocase-ignored bugtraq,2024 classtype:attempted-recon sid:833
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/rwwwshell.pl" -j LOG	# "WEB-CGI rwwwshell.pl access" nocase-ignored classtype:attempted-recon sid:834
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/test-cgi" -j LOG --log-prefix " cve-CVE-1999-0070 "	# "WEB-CGI test-cgi access" nocase-ignored arachnids,218 classtype:attempted-recon sid:835
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/textcounter.pl" -j LOG	# "WEB-CGI testcounter.pl access" nocase-ignored classtype:attempted-recon sid:836
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/uploader.exe" -j LOG --log-prefix " cve-CVE-1999-0177 "	# "WEB-CGI uploader.exe access" nocase-ignored classtype:attempted-recon sid:837
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webgais" -j LOG --log-prefix " cve-CVE-1999-0176 "	# "WEB-CGI webgais access" nocase-ignored arachnids,472 bugtraq,2058 classtype:attempted-recon sid:838
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/finger" -j LOG --log-prefix " cve-CVE-1999-0612 "	# "WEB-CGI finger access" nocase-ignored arachnids,221 classtype:attempted-recon sid:839
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/perlshop.cgi" -j LOG	# "WEB-CGI perlshop.cgi access" nocase-ignored classtype:attempted-recon sid:840
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/pfdisplay.cgi" -j LOG --log-prefix " cve-CVE-1999-0270 "	# "WEB-CGI pfdisplay.cgi access" nocase-ignored bugtraq,64 classtype:attempted-recon sid:841
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/aglimpse" -j LOG --log-prefix " cve-CVE-1999-0147 "	# "WEB-CGI aglimpse access" nocase-ignored bugtraq,2026 classtype:attempted-recon sid:842
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/AnForm2" -j LOG --log-prefix " cve-CVE-1999-0066 "	# "WEB-CGI anform2 access" nocase-ignored arachnids,225 classtype:attempted-recon sid:843
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/args.bat" -j LOG	# "WEB-CGI args.bat access" nocase-ignored classtype:attempted-recon sid:844
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/AT-admin.cgi" -j LOG	# "WEB-CGI AT-admin.cgi access" nocase-ignored classtype:attempted-recon sid:845
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bnbform.cgi" -j LOG --log-prefix " cve-CVE-1999-0937 "	# "WEB-CGI bnbform.cgi access" nocase-ignored bugtraq,1469 classtype:attempted-recon sid:846
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/campas" -j LOG --log-prefix " cve-CVE-1999-0146 "	# "WEB-CGI campas access" nocase-ignored bugtraq,1975 classtype:attempted-recon sid:847
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/view-source" --string "../" -j LOG --log-prefix " cve-CVE-1999-0174 "	# "WEB-CGI view-source directory traversal" nocase-ignored nocase-ignored classtype:web-application-attack sid:848
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/view-source" -j LOG --log-prefix " cve-CVE-1999-0174 "	# "WEB-CGI view-source access" nocase-ignored classtype:attempted-recon sid:849
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/wais.pl" -j LOG	# "WEB-CGI wais.p access" nocase-ignored classtype:attempted-recon sid:850
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/files.pl" -j LOG	# "WEB-CGI files.pl access" nocase-ignored classtype:attempted-recon sid:851
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/wguest.exe" -j LOG --log-prefix " cve-CAN-1999-0467 "	# "WEB-CGI wguest.exe access" nocase-ignored bugtraq,2024 classtype:attempted-recon sid:852
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/wrap" -j LOG --log-prefix " cve-CVE-1999-0149 "	# "WEB-CGI wrap access" bugtraq,373 arachnids,234 classtype:attempted-recon sid:853
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/classifieds.cgi" -j LOG --log-prefix " cve-CVE-1999-0934 "	# "WEB-CGI classifieds.cgi access" nocase-ignored bugtraq,2020 classtype:attempted-recon sid:854
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/edit.pl" -j LOG	# "WEB-CGI edit.pl access" nocase-ignored classtype:attempted-recon sid:855
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/environ.cgi" -j LOG	# "WEB-CGI environ.cgi access" nocase-ignored classtype:attempted-recon sid:856
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/faxsurvey" -j LOG --log-prefix " cve-CVE-1999-0262 "	# "WEB-CGI faxsurvey access" nocase-ignored bugtraq,2056 classtype:attempted-recon sid:857
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/filemail.pl" -j LOG	# "WEB-CGI filemail access" nocase-ignored classtype:attempted-recon sid:858
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/man.sh" -j LOG	# "WEB-CGI man.sh access" nocase-ignored classtype:attempted-recon sid:859
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/snork.bat" -j LOG --log-prefix " cve-CVE-2000-0169 "	# "WEB-CGI snork.bat access" nocase-ignored bugtraq,1053 arachnids,220 classtype:attempted-recon sid:860
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/w3-msql/" -j LOG --log-prefix " cve-CVE-1999-0276 "	# "WEB-CGI w3-msql access" nocase-ignored bugtraq,591 arachnids,210 classtype:attempted-recon sid:861
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/csh" -j LOG --log-prefix " cve-CAN-1999-0509 "	# "WEB-CGI csh access" nocase-ignored classtype:attempted-recon sid:862
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/zsh" -j LOG --log-prefix " cve-CAN-1999-0509 "	# "WEB-CGI zsh access" nocase-ignored classtype:attempted-recon sid:1309
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/day5datacopier.cgi" -j LOG	# "WEB-CGI day5datacopier.cgi access" nocase-ignored classtype:attempted-recon sid:863
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/day5datanotifier.cgi" -j LOG	# "WEB-CGI day5datanotifier.cgi access" nocase-ignored classtype:attempted-recon sid:864
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ksh" -j LOG --log-prefix " cve-CAN-1999-0509 "	# "WEB-CGI ksh access" nocase-ignored classtype:attempted-recon sid:865
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/post-query" -j LOG	# "WEB-CGI post-query access" nocase-ignored classtype:attempted-recon sid:866
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/visadmin.exe" -j LOG --log-prefix " cve-CAN-1999-1970 "	# "WEB-CGI visadmin.exe access" nocase-ignored bugtraq,1808 classtype:attempted-recon sid:867
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/rsh" -j LOG --log-prefix " cve-CAN-1999-0509 "	# "WEB-CGI rsh access" nocase-ignored classtype:attempted-recon sid:868
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/dumpenv.pl" -j LOG	# "WEB-CGI dumpenv.pl access" nocase-ignored classtype:attempted-recon sid:869
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/snorkerz.cmd" -j LOG	# "WEB-CGI snorkerz.cmd access" nocase-ignored classtype:attempted-recon sid:870
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/survey.cgi" -j LOG --log-prefix " cve-CVE-1999-0936 "	# "WEB-CGI survey.cgi access" nocase-ignored bugtraq,1817 classtype:attempted-recon sid:871
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/tcsh" -j LOG --log-prefix " cve-CAN-1999-0509 "	# "WEB-CGI tcsh access" nocase-ignored classtype:attempted-recon sid:872
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "///" -j LOG --log-prefix " cve-CVE-1999-0236 "	# "WEB-CGI scriptalias access" bugtraq,2300 arachnids,227 classtype:attempted-recon sid:873
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/shA-cA/usr/openwin" -j LOG --log-prefix " cve-CVE-1999-0276 "	# "WEB-CGI w3-msql solaris x86 access" nocase-ignored arachnids,211 classtype:attempted-recon sid:874
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/win-c-sample.exe" -j LOG --log-prefix " cve-CVE-1999-0178 "	# "WEB-CGI win-c-sample.exe access" nocase-ignored bugtraq,2078 arachnids,231 classtype:attempted-recon sid:875
iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 80 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "blaat@blaat.com" -j LOG	# "WEB-CGI bugzilla 2.8 exploit " nocase-ignored arachnids,276 classtype:web-application-attack sid:876
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/rksh" -j LOG --log-prefix " cve-CAN-1999-0509 "	# "WEB-CGI rksh access" nocase-ignored classtype:attempted-recon sid:877
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/w3tvars.pm" -j LOG	# "WEB-CGI w2tvars.pm access" nocase-ignored classtype:attempted-recon sid:878
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admin.pl" -j LOG	# "WEB-CGI admin.pl access" nocase-ignored classtype:attempted-recon sid:879
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/LWGate" -j LOG	# "WEB-CGI LWGate access" nocase-ignored classtype:attempted-recon sid:880
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/archie" -j LOG	# "WEB-CGI archie access" nocase-ignored classtype:attempted-recon sid:881
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/calendar" -j LOG	# "WEB-CGI calendar access" nocase-ignored classtype:attempted-recon sid:882
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/flexform" -j LOG	# "WEB-CGI flexform access" nocase-ignored classtype:attempted-recon sid:883
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/formmail" -j LOG --log-prefix " cve-CVE-1999-0172 "	# "WEB-CGI formmail access" nocase-ignored bugtraq,1187 arachnids,226 classtype:attempted-recon sid:884
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bash" -j LOG --log-prefix " cve-CAN-1999-0509 "	# "WEB-CGI bash access" nocase-ignored classtype:attempted-recon sid:885
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/phf" -j LOG --log-prefix " cve-CVE-1999-0067 "	# "WEB-CGI phf access" nocase-ignored bugtraq,629 arachnids,128 classtype:attempted-recon sid:886
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/www-sql" -j LOG	# "WEB-CGI www-sql access" nocase-ignored classtype:attempted-recon sid:887
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/wwwadmin.pl" -j LOG	# "WEB-CGI wwwadmin.pl access" nocase-ignored classtype:attempted-recon sid:888
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ppdscgi.exe" -j LOG	# "WEB-CGI ppdscgi.exe access" nocase-ignored bugtraq,491 classtype:attempted-recon sid:889
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/sendform.cgi" -j LOG	# "WEB-CGI sendform.cgi access" nocase-ignored classtype:attempted-recon sid:890
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/upload.pl" -j LOG	# "WEB-CGI upload.pl access" nocase-ignored classtype:attempted-recon sid:891
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/AnyForm2" -j LOG --log-prefix " cve-CVE-1999-0066 "	# "WEB-CGI AnyForm2 access" nocase-ignored bugtraq,719 classtype:attempted-recon sid:892
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/MachineInfo" -j LOG	# "WEB-CGI MachineInfo access" nocase-ignored classtype:attempted-recon sid:893
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bb-hist.sh" -j LOG	# "WEB-CGI bb-hist.sh access" nocase-ignored bugtraq,142 classtype:attempted-recon sid:894
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/redirect" -j LOG --log-prefix " cve-CVE-2000-0382 "	# "WEB-CGI redirect access" nocase-ignored bugtraq,1179 classtype:attempted-recon sid:895
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/way-board" --tcp-flags ACK ACK -j LOG	# "WEB-CGI wayboard access" nocase-ignored bugtraq,2370 classtype:attempted-recon sid:896
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/pals-cgi" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2001-0216,cve-CAN-2001-0217 "	# "WEB-CGI pals-cgi access" nocase-ignored bugtraq,2372 classtype:attempted-recon sid:897
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/commerce.cgi" --tcp-flags ACK ACK -j LOG	# "WEB-CGI commerce.cgi access" nocase-ignored classtype:attempted-recon sid:898
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/sendtemp.pl" --string "templ=" --tcp-flags ACK ACK -j LOG	# "WEB-CGI Amaya templates sendtemp.pl directory traversal attempt" nocase-ignored nocase-ignored bugtraq,2504 classtype:web-application-attack sid:899
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/webspirs.cgi" --string "../../" --tcp-flags ACK ACK -j LOG	# "WEB-CGI webspirs directory traversal attempt" nocase-ignored nocase-ignored bugtraq,2362 classtype:web-application-attack sid:900
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/webspirs.cgi" --tcp-flags ACK ACK -j LOG	# "WEB-CGI webspirs access" nocase-ignored bugtraq,2362 classtype:attempted-recon sid:901
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "tstisapi.dll" --tcp-flags ACK ACK -j LOG	# "WEB-CGI tstisapi.dll access" nocase-ignored classtype:attempted-recon sid:902
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/sendmessage.cgi" --tcp-flags ACK ACK -j LOG	# "WEB-CGI sendmessage.cgi access" nocase-ignored classtype:attempted-recon sid:1308
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfcache.map" -j LOG --log-prefix " cve-CVE-2000-0057 "	# "WEB-COLDFUSION cfcache.map access" nocase-ignored bugtraq,917 classtype:attempted-recon sid:903
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/exampleapp/email/application.cfm" -j LOG	# "WEB-COLDFUSION exampleapp application.cfm" nocase-ignored bugtraq,1021 classtype:attempted-recon sid:904
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/exampleapp/publish/admin/application.cfm" -j LOG	# "WEB-COLDFUSION application.cfm access" nocase-ignored bugtraq,1021 classtype:attempted-recon sid:905
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/exampleapp/email/getfile.cfm" -j LOG	# "WEB-COLDFUSION getfile.cfm access" nocase-ignored bugtraq,229 classtype:attempted-recon sid:906
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/exampleapp/publish/admin/addcontent.cfm" -j LOG	# "WEB-COLDFUSION addcontent.cfm access" nocase-ignored classtype:attempted-recon sid:907
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/cfide/administrator/index.cfm" --tcp-flags ACK ACK -j LOG	# "WEB-COLDFUSION administrator access" nocase-ignored classtype:attempted-recon sid:908
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CF_SETDATASOURCEUSERNAME()" -j LOG	# "WEB-COLDFUSION datasource username attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:909
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/snippets/fileexists.cfm" -j LOG	# "WEB-COLDFUSION fileexists.cfm access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:910
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/expeval/exprcalc.cfm" -j LOG --log-prefix " cve-CVE-1999-0455 "	# "WEB-COLDFUSION exprcalc access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:911
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/examples/parks/detail.cfm" -j LOG	# "WEB-COLDFUSION parks access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:912
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfappman/index.cfm" -j LOG	# "WEB-COLDFUSION cfappman access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:913
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/examples/cvbeans/beaninfo.cfm" -j LOG	# "WEB-COLDFUSION beaninfo access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:914
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/snippets/evaluate.cfm" -j LOG	# "WEB-COLDFUSION evaluate.cfm access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:915
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_GETODBCDSN()" -j LOG	# "WEB-COLDFUSION getodbcdsn access" nocase-ignored bugtraq,550 classtype:web-application-attack sid:916
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_DBCONNECTIONS_FLUSH()" -j LOG	# "WEB-COLDFUSION db connections flush attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:917
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/expeval/" -j LOG --log-prefix " cve-CAN-1999-0477 "	# "WEB-COLDFUSION expeval access" nocase-ignored bugtraq,550 classtype:attempted-user sid:918
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CF_SETDATASOURCEPASSWORD()" -j LOG	# "WEB-COLDFUSION datasource passwordattempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:919
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CF_ISCOLDFUSIONDATASOURCE()" -j LOG	# "WEB-COLDFUSION datasource attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:920
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_ENCRYPT()" -j LOG	# "WEB-COLDFUSION admin encrypt attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:921
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/expeval/displayopenedfile.cfm" -j LOG	# "WEB-COLDFUSION displayfile access" nocase-ignored bugtraq,550 classtype:web-application-attack sid:922
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_GETODBCINI()" -j LOG	# "WEB-COLDFUSION getodbcin attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:923
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_DECRYPT()" -j LOG	# "WEB-COLDFUSION admin decrypt attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:924
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/examples/mainframeset.cfm" -j LOG	# "WEB-COLDFUSION mainframeset access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:925
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_SETODBCINI()" -j LOG	# "WEB-COLDFUSION set odbc ini attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:926
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_SETTINGS_REFRESH()" -j LOG	# "WEB-COLDFUSION settings refresh attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:927
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/exampleapp/" -j LOG	# "WEB-COLDFUSION exampleapp access" nocase-ignored classtype:attempted-recon sid:928
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_VERIFYMAIL()" -j LOG	# "WEB-COLDFUSION verify mai access" nocase-ignored bugtraq,550 classtype:attempted-user sid:929
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/snippets/" -j LOG	# "WEB-COLDFUSION snippets attempt attempt" nocase-ignored bugtraq,550 classtype:attempted-recon sid:930
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/cfmlsyntaxcheck.cfm" -j LOG	# "WEB-COLDFUSION cfmlsyntaxcheck.cfm access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:931
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/application.cfm" -j LOG --log-prefix " cve-CAN-2000-0189 "	# "WEB-COLDFUSION application.cfm access" nocase-ignored bugtraq,550 arachnids,268 classtype:attempted-recon sid:932
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/onrequestend.cfm" -j LOG --log-prefix " cve-CAN-2000-0189 "	# "WEB-COLDFUSION onrequestend.cfm access" nocase-ignored bugtraq,550 arachnids,269 classtype:attempted-recon sid:933
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/cfide/administrator/startstop.html" --tcp-flags ACK ACK -j LOG	# "WEB-COLDFUSION startstop DOS access" nocase-ignored bugtraq,247 classtype:web-application-attack sid:935
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/snippets/gettempdirectory.cfm" -j LOG	# "WEB-COLDFUSION gettempdirectory.cfm access " nocase-ignored bugtraq,550 classtype:attempted-recon sid:936
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/fp30reg.dll" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2001-0341 "	#Cannot convert: dsize: >258	 "WEB-FRONTPAGE rad overflow attempt" nocase-ignored classtype:web-application-attack arachnids,555 bugtraq,2906 sid:1246
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/fp4areg.dll" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2001-0341 "	#Cannot convert: dsize: >259	 "WEB-FRONTPAGE rad overflow attempt" nocase-ignored bugtraq,2906 classtype:web-application-attack sid:1247
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/fp30reg.dll" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2001-0341 "	# "WEB-FRONTPAGE rad fp30reg.dll access" nocase-ignored classtype:web-application-activity arachnids,555 bugtraq,2906 sid:1248
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/fp4areg.dll" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2001-0341 "	# "WEB-FRONTPAGE frontpage rad fp4areg.dll access" nocase-ignored bugtraq,2906 classtype:web-application-activity sid:1249
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_rpc" -j LOG	# "WEB-FRONTPAGE _vti_rpc access" nocase-ignored bugtraq,2144 classtype:web-application-activity sid:937
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "POST" --string "/author.dll" -j LOG	# "WEB-FRONTPAGE posting" nocase-ignored classtype:web-application-activity sid:939
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/_vti_bin/shtml.dll" --tcp-flags ACK ACK -j LOG	# "WEB-FRONTPAGE shtml.dll" nocase-ignored arachnids,292 classtype:web-application-activity sid:940
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admcgi/contents.htm" -j LOG	# "WEB-FRONTPAGE contents.htm access" nocase-ignored classtype:web-application-activity sid:941
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/orders.htm" -j LOG	# "WEB-FRONTPAGE orders.htm access" nocase-ignored classtype:web-application-activity sid:942
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/fpsrvadm.exe" -j LOG	# "WEB-FRONTPAGE fpsrvadm.exe access" nocase-ignored classtype:web-application-activity sid:943
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/fpremadm.exe" -j LOG	# "WEB-FRONTPAGE fpremadm.exe access" nocase-ignored classtype:web-application-activity sid:944
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admisapi/fpadmin.htm" -j LOG	# "WEB-FRONTPAGE fpadmin.htm access" nocase-ignored classtype:web-application-activity sid:945
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/Fpadmcgi.exe" -j LOG	# "WEB-FRONTPAGE fpadmcgi.exe access" nocase-ignored classtype:web-application-activity sid:946
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/orders.txt" -j LOG	# "WEB-FRONTPAGE orders.txt access" nocase-ignored classtype:web-application-activity sid:947
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/form_results.txt" -j LOG	# "WEB-FRONTPAGE form_results access" nocase-ignored classtype:web-application-activity sid:948
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/registrations.htm" -j LOG	# "WEB-FRONTPAGE registrations.htm access" nocase-ignored classtype:web-application-activity sid:949
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfgqiz.exe" -j LOG	# "WEB-FRONTPAGE cfgwiz.exe access" nocase-ignored classtype:web-application-activity sid:950
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/authors.pwd" -j LOG	# "WEB-FRONTPAGE authors.pwd access" nocase-ignored classtype:web-application-activity sid:951
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_bin/_vti_aut/author.exe" -j LOG	# "WEB-FRONTPAGE author.exe access" nocase-ignored classtype:web-application-activity sid:952
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/administrators.pwd" -j LOG	# "WEB-FRONTPAGE administrators.pwd" nocase-ignored bugtraq,1205 classtype:web-application-activity sid:953
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/form_results.htm" -j LOG	# "WEB-FRONTPAGE form_results.htm access" nocase-ignored classtype:web-application-activity sid:954
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_pvt/access.cnf" -j LOG	# "WEB-FRONTPAGE access.cnf access" nocase-ignored classtype:web-application-activity sid:955
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/register.txt" -j LOG	# "WEB-FRONTPAGE register.txt access" nocase-ignored classtype:web-application-activity sid:956
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/registrations.txt" -j LOG	# "WEB-FRONTPAGE registrations.txt access" nocase-ignored classtype:web-application-activity sid:957
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_pvt/service.cnf" -j LOG	# "WEB-FRONTPAGE service.cnf access" nocase-ignored classtype:web-application-activity sid:958
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/service.pwd" -j LOG	# "WEB-FRONTPAGE service.pwd" nocase-ignored bugtraq,1205 classtype:web-application-activity sid:959
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_pvt/service.stp" -j LOG	# "WEB-FRONTPAGE service.stp access" nocase-ignored classtype:web-application-activity sid:960
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_pvt/services.cnf" -j LOG	# "WEB-FRONTPAGE services.cnf access" nocase-ignored classtype:web-application-activity sid:961
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_bin/shtml.exe" -j LOG --log-prefix " cve-CAN-2000-0413,cve-CAN-2000-0709 "	# "WEB-FRONTPAGE shtml.exe access" nocase-ignored bugtraq,1608 bugtraq,1174 classtype:web-application-activity sid:962
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_pvt/svcacl.cnf" -j LOG	# "WEB-FRONTPAGE svcacl.cnf access" nocase-ignored classtype:web-application-activity sid:963
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/users.pwd" -j LOG	# "WEB-FRONTPAGE users.pwd access" nocase-ignored classtype:web-application-activity sid:964
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "_vti_pvt/writeto.cnf" -j LOG	# "WEB-FRONTPAGE writeto.cnf access" nocase-ignored classtype:web-application-activity sid:965
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "..../" -j LOG --log-prefix " cve-CAN-2000-0153 "	# "WEB-FRONTPAGE fourdots request" nocase-ignored bugtraq,989 arachnids,248 classtype:web-application-attack sid:966
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/dvwssr.dll" -j LOG --log-prefix " cve-CVE-2000-0260 "	# "WEB-FRONTPAGE dvwssr.dll access" nocase-ignored bugtraq,1108 arachnids,271 classtype:web-application-activity sid:967
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/register.htm" -j LOG	# "WEB-FRONTPAGE register.htm access" nocase-ignored classtype:web-application-activity sid:968
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_bin/" -j LOG	# "WEB-FRONTPAGE /_vti_bin/ access" nocase-ignored classtype:web-application-activity sid:1288
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "LOCK " -j LOG	# "WEB-IIS webdav file lock attempt" bugtraq,2736 classtype:web-application-activity sid:969
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".printer" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2001-0241 "	# "WEB-IIS ISAPI .printer access" nocase-ignored arachnids,533 classtype:web-application-activity sid:971
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".ida?" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2000-0071 "	#Cannot convert: dsize:>239	 "WEB-IIS ISAPI .ida attempt" nocase-ignored arachnids,552 classtype:web-application-attack sid:1243
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".ida" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2000-0071 "	# "WEB-IIS ISAPI .ida access" nocase-ignored arachnids,552 classtype:web-application-activity sid:1242
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".idq?" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2000-0071 "	#Cannot convert: dsize:>239	 "WEB-IIS ISAPI .idq attempt" nocase-ignored arachnids,553 classtype:web-application-attack sid:1244
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".idq" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2000-0071 "	# "WEB-IIS ISAPI .idq access" nocase-ignored arachnids,553 classtype:web-application-activity sid:1245
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%2e.asp" -j LOG --log-prefix " cve-CAN-1999-0253 "	# "WEB-IIS %2E-asp access" nocase-ignored bugtraq,1814 classtype:web-application-activity sid:972
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "*.idc" -j LOG --log-prefix " cve-CVE-1999-0874 "	# "WEB-IIS *.idc attempt" nocase-ignored bugtraq,1448 classtype:web-application-attack sid:973
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "..\\.." -j LOG --log-prefix " cve-CAN-1999-0229 "	# "WEB-IIS .... access" bugtraq,2218 classtype:web-application-attack sid:974
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".asp::$data" -j LOG --log-prefix " cve-CVE-1999-0278 "	# "WEB-IIS .asp$data access" nocase-ignored bugtraq,140 classtype:web-application-attack sid:975
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".bat?&" -j LOG --log-prefix " cve-CVE-1999-0233 "	# "WEB-IIS .bat? access" nocase-ignored bugtraq,2023 classtype:web-application-activity sid:976
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".cnf" --tcp-flags ACK ACK -j LOG	# "WEB-IIS .cnf access" nocase-ignored classtype:web-application-activity sid:977
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%20&CiRestriction=none&CiHiliteType=Full" -j LOG --log-prefix " cve-CAN-2000-0302 "	# "WEB-IIS ASP contents view" bugtraq,1084 classtype:web-application-attack sid:978
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/null.htw?CiWebHitsFile" -j LOG	# "WEB-IIS ASP contents view" bugtraq,1861 classtype:web-application-activity sid:979
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/CGImail.exe" -j LOG --log-prefix " cve-CAN-2000-0726 "	# "WEB-IIS CGImail.exe access" nocase-ignored bugtraq,1623 classtype:web-application-activity sid:980
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/scripts/..%c0%af../" --tcp-flags ACK ACK -j LOG	# "WEB-IIS File permission canonicalization" nocase-ignored classtype:web-application-attack sid:981
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/scripts/..%c1%1c../" --tcp-flags ACK ACK -j LOG	# "WEB-IIS File permission canonicalization" nocase-ignored classtype:web-application-attack sid:982
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/scripts/..%c1%9c../" --tcp-flags ACK ACK -j LOG	# "WEB-IIS File permission canonicalization" nocase-ignored classtype:web-application-attack sid:983
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/samples/ctguestb.idc" -j LOG --log-prefix " cve-CVE-1999-0874 "	# "WEB-IIS JET VBA access" nocase-ignored bugtraq,307 classtype:web-application-activity sid:984
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/samples/details.idc" -j LOG --log-prefix " cve-CVE-1999-0874 "	# "WEB-IIS JET VBA access" nocase-ignored bugtraq,286 classtype:web-application-activity sid:985
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/proxy/w3proxy.dll" -j LOG	# "WEB-IIS MSProxy access" nocase-ignored classtype:web-application-activity sid:986
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "BBBB.htrHTTP" -j LOG	# "WEB-IIS Overflow-htr access" nocase-ignored classtype:web-application-attack sid:987
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "sam._" -j LOG	# "WEB-IIS SAM Attempt" nocase-ignored classtype:web-application-attack sid:988
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/sensepost.exe" --tcp-flags ACK ACK -j LOG	# "WEB-IIS Unicode2.pl script (File permission canonicalization)" nocase-ignored classtype:web-application-activity sid:989
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "_vti_inf.html" -j LOG	# "WEB-IIS _vti_inf access" nocase-ignored classtype:web-application-activity sid:990
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/iisadmpwd/achg.htr" -j LOG --log-prefix " cve-CVE-1999-0407 "	# "WEB-IIS achg.htr access" nocase-ignored bugtraq,2110 classtype:web-application-activity sid:991
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/msadc/samples/adctest.asp" -j LOG	# "WEB-IIS adctest.asp access" nocase-ignored classtype:web-application-activity sid:992
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/iisadmin" -j LOG	# "WEB-IIS admin access" nocase-ignored classtype:web-application-attack sid:993
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/iisadmin/default.htm" -j LOG	# "WEB-IIS admin-default access" nocase-ignored classtype:web-application-attack sid:994
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/iisadmin/ism.dll?http/dir" -j LOG --log-prefix " cve-CVE-2000-0630 "	# "WEB-IIS admin.dll access" nocase-ignored bugtraq,189 classtype:web-application-attack sid:995
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/iisadmpwd/anot" -j LOG --log-prefix " cve-CAN-1999-0407 "	# "WEB-IIS anot.htr access" nocase-ignored bugtraq,2110 classtype:web-application-activity sid:996
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".asp." -j LOG	# "WEB-IIS asp-dot attempt" nocase-ignored classtype:web-application-attack sid:997
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "#filename=*.asp" -j LOG	# "WEB-IIS asp-srch attempt" nocase-ignored classtype:web-application-attack sid:998
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/iisadmin/bdir.htr" -j LOG	# "WEB-IIS bdir access" nocase-ignored classtype:web-application-activity sid:999
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/bdir.htr" --tcp-flags ACK ACK -j LOG	# "WEB-IIS bdir.ht access" nocase-ignored classtype:web-application-activity sid:1000
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "cmd.exe" -j LOG	# "WEB-IIS cmd.exe access" nocase-ignored classtype:web-application-attack sid:1002
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".cmd?&" -j LOG	# "WEB-IIS cmd? acess" nocase-ignored classtype:web-application-attack sid:1003
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/iissamples/exair/howitworks/codebrws.asp" -j LOG --log-prefix " cve-CVE-1999-0499 "	# "WEB-IIS codebrowser Exair access" nocase-ignored classtype:web-application-activity sid:1004
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/iissamples/sdk/asp/docs/codebrws.asp" -j LOG	# "WEB-IIS codebrowser SDK access" nocase-ignored bugtraq,167 classtype:web-application-activity sid:1005
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/Form_JScript.asp" --tcp-flags ACK ACK -j LOG	# "WEB-IIS cross-site scripting attempt" nocase-ignored classtype:web-application-attack sid:1007
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "&del+/s+c:\*.*" -j LOG	# "WEB-IIS del attempt" nocase-ignored classtype:web-application-attack sid:1008
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/ServerVariables_Jscript.asp" --tcp-flags ACK ACK -j LOG	# "WEB-IIS directory listing" nocase-ignored classtype:web-application-attack sid:1009
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%1u" -j LOG	# "WEB-IIS encoding access" arachnids,200 classtype:web-application-activity sid:1010
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "#filename=*.exe" -j LOG	# "WEB-IIS exec-src access" nocase-ignored classtype:web-application-activity sid:1011
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/fpcount.exe" --string "Digits=-" -j LOG	# "WEB-IIS fpcount attempt" nocase-ignored bugtraq,2252 classtype:web-application-attack sid:1012
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/fpcount.exe" -j LOG	# "WEB-IIS fpcount access" nocase-ignored bugtraq,2252 classtype:web-application-activity sid:1013
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/tools/getdrvrs.exe" -j LOG	# "WEB-IIS getdrvrs access" nocase-ignored classtype:web-application-activity sid:1014
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/tools/getdrvs.exe" -j LOG	# "WEB-IIS getdrvs.exe access" nocase-ignored classtype:web-application-activity sid:1015
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "global.asa" -j LOG	# "WEB-IIS global-asa access" nocase-ignored classtype:web-application-activity sid:1016
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "#filename=*.idc" -j LOG --log-prefix " cve-CVE-1999-0874 "	# "WEB-IIS idc-srch attempt" nocase-ignored classtype:web-application-attack sid:1017
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/iisadmpwd/aexp" -j LOG --log-prefix " cve-CVE-2000-0303 "	# "WEB-IIS iisadmpwd attempt" nocase-ignored bugtraq,2110 classtype:web-application-attack sid:1018
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?CiWebHitsFile=/" --string "&CiRestriction=none&CiHiliteType=Full" -j LOG	# "WEB-IIS index server file sourcecode attempt" classtype:web-application-attack sid:1019
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".idc::$data" -j LOG --log-prefix " cve-CVE-1999-0874 "	# "WEB-IIS isc$data attempt" nocase-ignored bugtraq,307 classtype:web-application-attack sid:1020
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%20%20%20%20%20.htr" -j LOG --log-prefix " cve-CAN-2000-0457 "	# "WEB-IIS ism.dll attempt" nocase-ignored bugtraq,1193 classtype:web-application-attack sid:1021
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/advworks/equipment/catalog_type.asp" -j LOG --log-prefix " cve-CVE-1999-0874 "	# "WEB-IIS jet vba access" nocase-ignored bugtraq,286 classtype:web-application-activity sid:1022
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/msadc/msadcs.dll" -j LOG --log-prefix " cve-CVE-1999-1011 "	# "WEB-IIS msadc/msadcs.dll access" nocase-ignored bugtraq,529 classtype:web-application-activity sid:1023
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/tools/newdsn.exe" -j LOG --log-prefix " cve-CVE-1999-0191 "	# "WEB-IIS newdsn.exe access" nocase-ignored bugtraq,1818 classtype:web-application-activity sid:1024
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/perl" -j LOG	# "WEB-IIS perl access" nocase-ignored classtype:web-application-activity sid:1025
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%0a.pl" -j LOG	# "WEB-IIS perl-browse0a attempt" nocase-ignored classtype:web-application-attack sid:1026
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%20.pl" -j LOG	# "WEB-IIS perl-browse20 attempt" nocase-ignored classtype:web-application-attack sid:1027
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/issamples/query.asp" -j LOG --log-prefix " cve-CVE-1999-0449 "	# "WEB-IIS query.asp access" nocase-ignored bugtraq,193 classtype:web-application-activity sid:1028
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/ " -j LOG	# "WEB-IIS scripts-browse access" nocase-ignored classtype:web-application-attack sid:1029
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/search97.vts" -j LOG	# "WEB-IIS search97.vts access" bugtraq,162 classtype:web-application-activity sid:1030
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/SiteServer/Publishing/viewcode.asp" --tcp-flags ACK ACK -j LOG	# "WEB-IIS showcode access" nocase-ignored classtype:web-application-activity sid:1031
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/Sites/Knowledge/Membership/Inspired/ViewCode.asp" --tcp-flags ACK ACK -j LOG	# "WEB-IIS showcode access" nocase-ignored classtype:web-application-activity sid:1032
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp" --tcp-flags ACK ACK -j LOG	# "WEB-IIS showcode access" nocase-ignored classtype:web-application-activity sid:1033
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp" --tcp-flags ACK ACK -j LOG	# "WEB-IIS showcode access" nocase-ignored classtype:web-application-activity sid:1034
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/Sites/Samples/Knowledge/Push/ViewCode.asp" --tcp-flags ACK ACK -j LOG	# "WEB-IIS showcode access" nocase-ignored classtype:web-application-activity sid:1035
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/Sites/Samples/Knowledge/Search/ViewCode.asp" --tcp-flags ACK ACK -j LOG	# "WEB-IIS showcode access" nocase-ignored classtype:web-application-activity sid:1036
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/selector/showcode.asp" -j LOG --log-prefix " cve-CAN-1999-0736 "	# "WEB-IIS showcode.asp access" nocase-ignored classtype:web-application-activity sid:1037
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/adsamples/config/site.csc" -j LOG	# "WEB-IIS site server config access" nocase-ignored bugtraq,256 classtype:web-application-activity sid:1038
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/samples/isapi/srch.htm" -j LOG	# "WEB-IIS srch.htm access" nocase-ignored classtype:web-application-activity sid:1039
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/srchadm" -j LOG	# "WEB-IIS srchadm access" nocase-ignored classtype:web-application-activity sid:1040
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/uploadn.asp" -j LOG	# "WEB-IIS uploadn.asp access" nocase-ignored classtype:web-application-activity sid:1041
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "Translate: F" -j LOG	# "WEB-IIS view source via translate header" nocase-ignored arachnids,305 classtype:web-application-activity sid:1042
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/viewcode.asp" --tcp-flags ACK ACK -j LOG	# "WEB-IIS viewcode.asp access" nocase-ignored classtype:web-application-activity sid:1043
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".htw" --tcp-flags ACK ACK -j LOG	#Cannot convert: dsize: >400	 "WEB-IIS webhits access" arachnids,237 classtype:web-application-activity sid:1044
iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 80 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "403" --string "Forbidden:" -j LOG	# "WEB-IIS Unauthorized IP Access Attempt" classtype:web-application-attack sid:1045
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/site/iisamples" -j LOG	# "WEB-IIS site/iisamples access" nocase-ignored classtype:web-application-activity sid:1046
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "scripts/root.exe?" -j LOG	# "WEB-IIS CodeRed v2 root.exe access" nocase-ignored classtype:web-application-attack sid: 1256
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/exchange/LogonFrm.asp?" --string "mailbox=" --string "%%%" -j LOG	# "WEB-IIS outlook web dos" nocase-ignored nocase-ignored classtype:web-application-attack bugtraq,3223 sid:1283
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%5c" --string ".." -j LOG --log-prefix " cve-CAN-2001-0333 "	# "WEB-IIS multiple decode attempt" classtype:web-application-attack sid:970
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/msdac/" -j LOG	# "WEB-IIS msdac access" nocase-ignored classtype:web-application-activity sid:1285
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_mem_bin/" -j LOG	# "WEB-IIS _mem_bin access" nocase-ignored classtype:web-application-activity sid:1286
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/" -j LOG	# "WEB-IIS scripts access" nocase-ignored classtype:web-application-activity sid:1287
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/level/" --string "/exec/" --tcp-flags ACK ACK -j LOG	# "WEB-MISC Cisco IOS HTTP configuration attempt" classtype:web-application-attack bugtraq,2936 sid:1250
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "REVLOG / " --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2001-0251 "	# "WEB-MISC Netscape Enterprise DOS" bugtraq,2294 classtype:web-application-attack sid:1047
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "INDEX " --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2001-0250 "	# "WEB-MISC Netscape Enterprise directory listing attempt" bugtraq,2285 classtype:web-application-attack sid:1048
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "GET " --string "/../../../../../../../../../../../" --tcp-flags ACK ACK -j LOG	# "WEB-MISC iPlanet ../../ DOS attempt" classtype:web-application-attack sid:1049
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "GETPROPERTIES" -j LOG	# "WEB-MISC iPlanet GETPROPERTIES attempt" classtype:web-application-attack sid:1050
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/technote/main.cgi" --string "filename=" --string "../../" -j LOG --log-prefix " cve-CVE-2001-0075 "	# "WEB-MISC technote main.cgi file directory traversal attempt" nocase-ignored nocase-ignored bugtraq,2156 classtype:web-application-attack sid:1051
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/technote/print.cgi" --string "board=" --string "../../" --string "%00" -j LOG --log-prefix " cve-CAN-2001-0075 "	# "WEB-MISC technote print.cgi directory traversal attempt" nocase-ignored nocase-ignored bugtraq,2156 classtype:web-application-attack sid:1052
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ads.cgi" --string "file=" --string "../../" --string " -j LOG --log-prefix " cve-CAN-2001-0025 "	#Cannot convert: misconvert on quoted pipe: sid:1053	 "WEB-MISC ads.cgi command execution attempt" nocase-ignored nocase-ignored bugtraq,2103 classtype:web-application-attack sid:1053
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".js%70" -j LOG	# "WEB-MISC weblogic view source attempt" bugtraq,2527 classtype:web-application-attack sid:1054
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%00.jsp" -j LOG	# "WEB-MISC tomcat directory traversal attempt" bugtraq,2518 classtype:web-application-attack sid:1055
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%252ejsp" -j LOG	# "WEB-MISC tomcat view source attempt" bugtraq,2527 classtype:web-application-attack sid:1056
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "ftp.exe" -j LOG	# "WEB-MISC ftp attempt" nocase-ignored classtype:web-application-activity sid:1057
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "xp_enumdsn" -j LOG	# "WEB-MISC enumdsn attempt" nocase-ignored classtype:web-application-attack sid:1058
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "xp_filelist" -j LOG	# "WEB-MISC filelist attempt" nocase-ignored classtype:web-application-attack sid:1059
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "xp_availablemedia" -j LOG	# "WEB-MISC availablemedia attempt" nocase-ignored classtype:web-application-attack sid:1060
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "xp_cmdshell" -j LOG	# "WEB-MISC cmdshell attempt" nocase-ignored classtype:web-application-attack sid:1061
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "nc.exe" -j LOG	# "WEB-MISC nc.exe attempt" nocase-ignored classtype:web-application-activity sid:1062
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "csh.exe" -j LOG	# "WEB-MISC csh attempt" nocase-ignored classtype:web-application-activity sid:1063
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "wsh.exe" -j LOG	# "WEB-MISC wsh attempt" nocase-ignored classtype:web-application-activity sid:1064
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "rcmd.exe" -j LOG	# "WEB-MISC rcmd attempt" nocase-ignored classtype:web-application-activity sid:1065
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "telnet.exe" -j LOG	# "WEB-MISC telnet attempt" nocase-ignored classtype:web-application-activity sid:1066
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "net.exe" -j LOG	# "WEB-MISC net attempt" nocase-ignored classtype:web-application-activity sid:1067
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "tftp.exe" -j LOG	# "WEB-MISC tftp attempt" nocase-ignored classtype:web-application-activity sid:1068
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "xp_regread" -j LOG	# "WEB-MISC regread attempt" nocase-ignored classtype:web-application-activity sid:1069
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "SEARCH " -j LOG	# "WEB-MISC webdav search access" nocase-ignored arachnids,474 classtype:web-application-activity sid:1070
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".htpasswd" -j LOG	# "WEB-MISC .htpasswd access" nocase-ignored classtype:web-application-attack sid:1071
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".nsf/" --string "../" --tcp-flags ACK ACK -j LOG	# "WEB-MISC Lotus Domino directory traversal" nocase-ignored classtype:web-application-attack sid:1072
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/samples/search/webhits.exe" -j LOG	# "WEB-MISC webhits.exe access" nocase-ignored classtype:web-application-activity sid:1073
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVE