HOME_NET=0/0
EXTERNAL_NET=0/0
SMTP=$HOME_NET
HTTP_SERVERS=$HOME_NET
SQL_SERVERS=$HOME_NET
DNS_SERVERS=$HOME_NET
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 0 -j LOG	# "BAD TRAFFIC tcp port 0 traffic" sid:524 classtype:misc-activity
iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --sport 0 -j LOG	# "BAD TRAFFIC tcp port 0 traffic" sid:524 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 0 -j LOG	# "BAD TRAFFIC udp port 0 traffic" sid:525 classtype:misc-activity
iptables -A SnortRules -p udp -d $EXTERNAL_NET -s $HOME_NET --sport 0 -j LOG	# "BAD TRAFFIC udp port 0 traffic" sid:525 classtype:misc-activity
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL SYN -j LOG	#Cannot convert: dsize:>6	 "BAD TRAFFIC data in TCP SYN packet" sid:526 classtype:misc-activity
iptables -A SnortRules -d 127.0.0.0/8 -j LOG	# "BAD TRAFFIC loopback traffic" classtype:bad-unknown sid:528
iptables -A SnortRules -s 127.0.0.0/8 -j LOG	# "BAD TRAFFIC loopback traffic" classtype:bad-unknown sid:528
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -j LOG	#Cannot convert: fragbits:R	 "BAD TRAFFIC ip reserved bit set" sid:523 classtype:misc-activity
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m ttl --ttl-eq 0 -j LOG	# "BAD TRAFFIC 0 ttl" sid:1321 classtype:misc-activity
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -j LOG	#Cannot convert: fragbits: MD	 "BAD TRAFFIC bad frag bits" sid:1322 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 22 --tcp-flags ACK ACK -m string --string "/bin/sh" -j LOG --log-prefix " cve-CVE-2001-0144 "	# "EXPLOIT ssh CRC32 overflow /bin/sh" bugtraq,2347 classtype:shellcode-detect sid:1324
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 22 --tcp-flags ACK ACK -m string --string "" -j LOG --log-prefix " cve-CVE-2001-0144 "	# "EXPLOIT ssh CRC32 overflow filler" bugtraq,2347 classtype:shellcode-detect sid:1325
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 22 --tcp-flags ACK ACK -m string --string "" -j LOG --log-prefix " cve-CVE-2001-0144 "	# "EXPLOIT ssh CRC32 overflow NOOP" bugtraq,2347 classtype:shellcode-detect sid:1326
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 22 --tcp-flags ACK ACK -m string --string "W" --string "ÿÿÿÿ" -j LOG --log-prefix " cve-CVE-2001-0144 "	# "EXPLOIT ssh CRC32 overflow" bugtraq,2347 classtype:shellcode-detect sid:1327
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "3É±?éQ<úG3ÀP÷ÐP" --tcp-flags ACK ACK -j LOG	# "EXPLOIT netscape 4.7 client overflow" bugtraq,822 arachnids,215 classtype:attempted-user sid:283
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 109 --tcp-flags ACK ACK -m string --string "ë,[‰Ù€Á9Ù|€" -j LOG	# "EXPLOIT pop2 x86 linux overflow" classtype:attempted-admin sid:284
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 109 --tcp-flags ACK ACK -m string --string "ÿÿÿ/BIN/SH" -j LOG	# "EXPLOIT pop2 x86 linux overflow" classtype:attempted-admin sid:285
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 110 --tcp-flags ACK ACK -m string --string "^1À°;~‰ú‰ù" -j LOG	# "EXPLOIT pop3 x86 bsd overflow" classtype:attempted-admin sid:286
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 110 --tcp-flags ACK ACK -m string --string "h]^ÿÕÿÔÿõ‹õf1" -j LOG	# "EXPLOIT pop3 x86 bsd overflow" classtype:attempted-admin sid:287
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 110 --tcp-flags ACK ACK -m string --string "Ø@Í€èÙÿÿÿ/bin/sh" -j LOG	# "EXPLOIT pop3 x86 linux overflow" classtype:attempted-admin sid:288
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 110 --tcp-flags ACK ACK -m string --string "V1À°;~‰ù‰ù" -j LOG	# "EXPLOIT pop3 x86 sco overflow" classtype:attempted-admin sid:289
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 110 --tcp-flags ACK ACK -m string --string "èÙÿÿÿ/bin/sh" -j LOG --log-prefix " cve-CAN-1999-0822 "	# "EXPLOIT qpopper overflow" bugtraq,830 classtype:attempted-admin sid:290
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 119 --tcp-flags ACK ACK -m string --string "AUTHINFO USER" -j LOG --log-prefix " cve-CAN-2000-0341 "	#Cannot convert: dsize: >512	 "EXPLOIT NNTP Cassandra Overflow" nocase-ignored arachnids,274 classtype:attempted-user sid:291
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "ë/_ëJ^‰û‰>‰ò" -j LOG --log-prefix " cve-CVE-1999-0811,cve-CVE-1999-0182 "	# "EXPLOIT x86 linux samba overflow" bugtraq,1816 classtype:attempted-admin sid:292
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 143 --tcp-flags ACK ACK -m string --string "èÀÿÿÿ/bin/sh" -j LOG	# "EXPLOIT imap overflow" classtype:attempted-admin sid:293
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 143 --tcp-flags ACK ACK -m string --string "‰Ø@Í€èÈÿÿÿ/" -j LOG --log-prefix " cve-CVE-1999-0005 "	# "EXPLOIT imap x86 linux overflow" bugtraq,130 classtype:attempted-admin sid:295
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 143 --tcp-flags ACK ACK -m string --string "ë4^‰^1Ò‰V" -j LOG --log-prefix " cve-CVE-1999-0005 "	# "EXPLOIT imap x86 linux overflow" bugtraq,130 classtype:attempted-admin sid:296
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 143 --tcp-flags ACK ACK -m string --string "ë5^€F0€F0€F0" -j LOG --log-prefix " cve-CVE-1999-0005 "	# "EXPLOIT imap x86 linux overflow" bugtraq,130 classtype:attempted-admin sid:297
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 143 --tcp-flags ACK ACK -m string --string "ë8^‰ó‰Ø€F €F" -j LOG --log-prefix " cve-CVE-1999-0005 "	# "EXPLOIT imap x86 linux overflow" bugtraq,130 classtype:attempted-admin sid:298
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 143 --tcp-flags ACK ACK -m string --string "ëX^1ÛƒÃƒÃˆ^&" -j LOG --log-prefix " cve-CVE-1999-0005 "	# "EXPLOIT imap x86 linux overflow" bugtraq,130 classtype:attempted-admin sid:299
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 2766 --tcp-flags ACK ACK -m string --string "ë#^3ÀˆFú‰Fõ‰6" -j LOG	# "EXPLOIT nlps x86 solaris overflow" classtype:attempted-admin sid:300 bugtraq,2319
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 515 --tcp-flags ACK ACK -m string --string "C‰[K‰C°Í€1ÀþÀÍ€è”ÿÿÿ/bin/sh" -j LOG	# "EXPLOIT LPRng overflow" bugtraq,1712 classtype:attempted-admin sid:301
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 515 --tcp-flags ACK ACK -m string --string "XXXX%.172u%300\$n" -j LOG	# "EXPLOIT redhat 7.0 lprd overflow" classtype:attempted-admin sid:302
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "«Í	€    a" -j LOG --log-prefix " cve-CAN-2000-0010 "	# "EXPLOIT named tsig infoleak" bugtraq,2302 arachnids,482 classtype:attempted-admin sid:303
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 6373 --tcp-flags ACK ACK -m string --string "ë]UþM˜þM›" -j LOG	# "EXPLOIT sco calserver overflow" bugtraq,2353 classtype:attempted-admin sid:304
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 8080 -m string --string "whois://" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CVE-2000-0165 "	#Cannot convert: dsize: >1000	 "EXPLOIT delegate proxy overflow" nocase-ignored arachnids,267 classtype:attempted-admin sid:305 bugtraq,808
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 9090 --tcp-flags ACK ACK -m string --string "GET / HTTP/1.1" -j LOG --log-prefix " cve-CAN-2000-0766 "	# "EXPLOIT VQServer admin" nocase-ignored bugtraq,1610 classtype:attempted-admin sid:306
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ACK ACK -m string --string "ëK[S2äƒÃKˆ#¸Pw" -j LOG --log-prefix " cve-CVE-1999-0672 "	# "EXPLOIT IRC client overflow" bugtraq,573 classtype:attempted-user sid:307
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ACK ACK -m string --string "´ ´‹Ìƒé‹3Éf¹" -j LOG --log-prefix " cve-CVE-1999-0671 "	# "EXPLOIT NextFTP client overflow" bugtraq,572 classtype:attempted-user sid:308
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "from:" -j LOG --log-prefix " cve-CAN-2000-0343 "	#Cannot convert: dsize: >512	 "EXPLOIT sniffit overflow" nocase-ignored bugtraq,1158 arachnids,273 classtype:attempted-admin sid:309
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "ëEë [ü3É±‚‹ó€+" -j LOG --log-prefix " cve-CVE-1999-0404 "	# "EXPLOIT x86 windows MailMax overflow" bugtraq,2312 classtype:attempted-admin sid:310
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 80 -m string --string "3É±?éQ<úG3ÀP÷ÐP" --tcp-flags ACK ACK -j LOG	# "EXPLOIT netscape 4.7 unsucessful overflow" arachnids,214 classtype:unsuccessful-user sid:311 bugtraq,822
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 123 -j LOG	#Cannot convert: dsize: >128	 "EXPLOIT ntpdx overflow attempt" arachnids,492 classtype:attempted-admin sid:312
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 518 -m string --string "è" -j LOG	# "EXPLOIT ntalkd x86 linux overflow" bugtraq,210 classtype:attempted-admin sid:313
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "€?/bin/sh" -j LOG --log-prefix " cve-CAN-2000-0010 "	# "EXPLOIT BIND Tsig Overflow Attempt" classtype:attempted-admin sid:314 bugtraq,2302
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 635 -m string --string "^°‰þÈ‰F°‰F" -j LOG --log-prefix " cve-CVE-1999-0002 "	# "EXPLOIT x86 linux mountd overflow" classtype:attempted-admin sid:315
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 635 -m string --string "ëV^VVV1ÒˆVˆV" -j LOG --log-prefix " cve-CVE-1999-0002 "	# "EXPLOIT x86 linux mountd overflow" classtype:attempted-admin sid:316
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 635 -m string --string "ë@^1À@‰F‰Ã@‰" -j LOG --log-prefix " cve-CVE-1999-0002 "	# "EXPLOIT x86 linux mountd overflow" classtype:attempted-admin sid:317
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 67 -m string --string "echo netrjs stre" -j LOG --log-prefix " cve-CVE-1999-0914 "	# "EXPLOIT bootp x86 bsd overflow" classtype:attempted-admin sid:318 bugtraq,324
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 67 -m string --string "A90À¨/bin/sh" -j LOG --log-prefix " cve-CVE-1999-0799,cve-CAN-1999-0798,cve-CAN-1999-0389 "	# "EXPLOIT bootp x86 linux overflow" classtype:attempted-admin sid:319
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 2224 -m string --string "1ÛÍ€è[ÿÿÿ" -j LOG --log-prefix " cve-CVE-2000-0446 "	# "EXPLOIT MDBMS overflow" bugtraq,1252 classtype:attempted-admin sid:1240
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 4242 -m string --string "ÿûxÿûxÿûxÿûx" --string "@ŠÿÈ@‚ÿØ;6þ;vþ" --tcp-flags ACK ACK -j LOG	#Cannot convert: dsize:>1000	 "EXPLOIT aix pdnsd overflow" bugtraq,3237 classtype:attempted-user sid:1261
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 4321 -m string --string "-soa %p" --tcp-flags ACK ACK -j LOG	# "EXPLOIT rwhoisd format string attempt" bugtraq,3474 classtype:misc-attack sid:1323
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 10101 -d $HOME_NET -m ttl --ttl-gt 220 --tcp-flags ALL SYN -j LOG	#Cannot convert: ack: 0	 "SCAN myscan" arachnids,439 classtype:attempted-recon sid:613
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 31790 -d $HOME_NET --dport 31789 -m string --string "A" --tcp-flags ACK ACK -j LOG	# "SCAN trojan hack-a-tack probe" arachnids,314 classtype:attempted-recon sid:614
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 1080 --tcp-flags ALL SYN -j LOG	# "SCAN Proxy attempt" classtype:attempted-recon sid:615
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 113 --tcp-flags ACK ACK -m string --string "VERSION" -j LOG	# "SCAN ident version" arachnids,303 classtype:attempted-recon sid:616
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 22 --tcp-flags ACK ACK -m string --string "\`" -j LOG	# "SCAN ssh-research-scanner" classtype:attempted-recon sid:617
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 3128 --tcp-flags ALL SYN -j LOG	# "INFO - Possible Squid Scan" classtype:attempted-recon sid:618
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ALL FIN,SYN -j LOG	#Cannot convert: Flag1 Flag2 dsize: 0	 "SCAN cybercop os probe" arachnids,146 classtype:attempted-recon sid:619
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 8080 --tcp-flags ALL SYN -j LOG	# "SCAN Proxy attempt" classtype:attempted-recon sid:620
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL FIN -j LOG	# "SCAN FIN" arachnids,27 classtype:attempted-recon sid:621
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL SYN -j LOG	#Cannot convert: seq: 1958810375	 "SCAN IP Eye SYN Scan" arachnids,236 classtype:attempted-recon sid:622
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL NONE -j LOG	#Cannot convert: seq:0 ack:0	 "SCAN NULL" arachnids,4 classtype:attempted-recon sid:623
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL FIN,SYN -j LOG	# "SCAN SYN FIN" arachnids,198 classtype:attempted-recon sid:624
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL ACK,FIN,PSH,SYN,RST,URG -j LOG	# "SCAN XMAS" arachnids,144 classtype:attempted-recon sid:625
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "AAAAAAAAAAAAAAAA" --tcp-flags ALL ACK,PSH -j LOG	#Cannot convert: Flag1 Flag2	 "SCAN cybercop os probe" arachnids,149 classtype:attempted-recon sid:626
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "AAAAAAAAAAAAAAAA" --tcp-flags ALL FIN,SYN,URG -j LOG	#Cannot convert: Flag1 Flag2 ack: 0	 "SCAN cybercop os probe" arachnids,150 classtype:attempted-recon sid:627
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL ACK -j LOG	#Cannot convert: ack:0	 "SCAN nmap TCP" arachnids,28 classtype:attempted-recon sid:628
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL FIN,PSH,SYN,URG -j LOG	# "SCAN nmap fingerprint attempt" arachnids,05 classtype:attempted-recon sid:629
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL FIN,SYN -j LOG	#Cannot convert: id: 39426	 "SCAN synscan portscan" arachnids,441 classtype:attempted-recon sid:630
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "ehlo cybercopquit" -j LOG	# "SMTP cybercop scan ehlo" arachnids,372 classtype:attempted-recon sid:631
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "expn cybercop" -j LOG	# "SMTP cybercop scan expn" arachnids,371 classtype:attempted-recon sid:632
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 10080:10081 -m string --string "Amanda" -j LOG	# "SCAN Amanda client version" nocase-ignored classtype:attempted-recon sid:634
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 49 -m string --string "€" -j LOG	# "SCAN XTACACS logout" arachnids,408 classtype:bad-unknown sid:635
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 7 -m string --string "cybercop" -j LOG	# "SCAN cybercop udp bomb" arachnids,363 classtype:bad-unknown sid:636
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "helpquit" -j LOG	# "SCAN Webtrends Scanner UDP Probe" arachnids,308 classtype:attempted-recon sid:637
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL FIN,PSH,URG -j LOG	# "SCAN NMAP XMAS" arachnids,30 classtype:attempted-recon sid:1228
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "cmd_rootsh" -j LOG	# "FINGER backdoor" classtype:attempted-admin sid:320
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "a b c d e f" -j LOG	# "FINGER account enumeration" nocase-ignored classtype:attempted-recon sid:321
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "search" -j LOG	# "FINGER search attempt" classtype:attempted-recon sid:322
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "root" -j LOG	# "FINGER root" arachnids,376 classtype:attempted-recon sid:323
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "" -j LOG	# "FINGER null" arachnids,377 classtype:attempted-recon sid:324
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "0" -j LOG	# "FINGER probe0 attempt" arachnids,378 classtype:attempted-recon sid:325
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "/W;" -j LOG	# "FINGER pipew attempt" bugtraq,974 arachnids,379 classtype:attempted-user sid:326
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "|" -j LOG	# "FINGER pipe attempt" bugtraq,2220 arachnids,380 classtype:attempted-user sid:327
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "@@" -j LOG	# "FINGER bomb attempt" arachnids,382 classtype:attempted-dos sid:328
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "@localhost" -j LOG	#Cannot convert: dsize: 11	 "FINGER cybercop redirection" arachnids,11 classtype:attempted-recon sid:329
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 -m string --string "@" --tcp-flags ACK ACK -j LOG	# "FINGER redirection" arachnids,251 classtype:attempted-recon sid:330
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 -m string --string "     " --tcp-flags ACK ACK -j LOG --log-prefix " cve-CVE-1999-0612 "	# "FINGER cybercop query" arachnids,132 classtype:attempted-recon sid:331
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "0" -j LOG	# "FINGER 0@host" arachnids,131 classtype:attempted-recon sid:332
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "." -j LOG --log-prefix " cve-CVE-1999-0612 "	# "FINGER .@host" arachnids,130 classtype:attempted-recon sid:333
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string ".forward" --tcp-flags ACK ACK -j LOG	# "FTP .forward" arachnids,319 classtype:suspicious-filename-detect sid:334
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string ".rhosts" -j LOG	# "FTP .rhosts" arachnids,328 classtype:suspicious-filename-detect sid:335
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "cwd ~root" --tcp-flags ACK ACK -j LOG	# "FTP CWD ~root" nocase-ignored arachnids,318 classtype:bad-unknown sid:336
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "CEL " -j LOG	#Cannot convert: dsize:>1300	 "FTP EXPLOIT aix overflow" arachnids,257 classtype:attempted-admin sid:337
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "SITE EXEC %020d|%.f%.f|" -j LOG	# "FTP EXPLOIT format string" nocase-ignored arachnids,453 classtype:attempted-user sid:338
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string " 1À™RR°Í€hÌsh" -j LOG	# "FTP EXPLOIT openbsd ftpd" arachnids,446 classtype:attempted-user sid:339
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "PWD/i" -j LOG	# "FTP EXPLOIT overflow" classtype:attempted-admin sid:340
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "XXXXX/" -j LOG	# "FTP EXPLOIT overflow" classtype:attempted-admin sid:341
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "À‚ ‘Ð " -j LOG --log-prefix " cve-CAN-2000-0573 "	# "FTP EXPLOIT solaris 2.8 format string" bugtraq,1387 arachnids,451 classtype:attempted-user sid:342
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "1ÀPPP°~Í€1Û1À" --tcp-flags ACK ACK -j LOG	# "FTP EXPLOIT wu-ftpd 2.6.0 bsd" arachnids,228 classtype:attempted-admin sid:343
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "1À1Û1É°FÍ€1À1Û" --tcp-flags ACK ACK -j LOG	# "FTP EXPLOIT wu-ftpd 2.6.0 linux overflow" arachnids,287 classtype:attempted-admin sid:344
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "SITE EXEC %p" --tcp-flags ACK ACK -j LOG	# "FTP EXPLOIT wu-ftpd 2.6.0 site exec overflow" nocase-ignored arachnids,285 classtype:attempted-admin sid:345
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "f%.f%.f%.f%.f%." --tcp-flags ACK ACK -j LOG	# "FTP EXPLOIT wu-ftpd 2.6.0 site exec overflow" arachnids,286 classtype:attempted-admin sid:346
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "1À1Û1É°FÍ€1À1ÛC‰ÙA°?Í€" -j LOG	# "FTP EXPLOIT wu-ftpd 2.6.0 tf8" arachnids,458 classtype:attempted-admin sid:347
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "..11venglin@" -j LOG	# "FTP EXPLOIT wu-ftpd 2.6.0" arachnids,440 classtype:attempted-user sid:348
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "MKD AAAAAA" -j LOG --log-prefix " cve-CVE-1999-0368 "	# "FTP EXPLOIT x86 linux overflow" bugtraq,113 classtype:attempted-admin sid:349
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "1À1Û°Í€1À°Í€" -j LOG --log-prefix " cve-CVE-1999-0368 "	# "FTP EXPLOIT x86 linux overflow" bugtraq,113 classtype:attempted-admin sid:350
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "1Û‰Ø°Í€ë," -j LOG --log-prefix " cve-CVE-1999-0368 "	# "FTP EXPLOIT x86 linux overflow" bugtraq,113 classtype:attempted-admin sid:351
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "ƒì^ƒÆpƒÆ(ÕàÀ" -j LOG --log-prefix " cve-CVE-1999-0368 "	# "FTP EXPLOIT x86 linux overflow" bugtraq, 113 classtype:attempted-admin sid:352
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "PASS ddd@" -j LOG	# "FTP adm scan" arachnids,332 classtype:suspicious-login sid:353
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "pass -iss@iss" -j LOG	# "FTP iss scan" arachnids,331 classtype:suspicious-login sid:354
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "pass wh00t" --tcp-flags ACK ACK -j LOG	# "FTP pass wh00t" nocase-ignored arachnids,324 classtype:suspicious-login sid:355
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "RETR" --string "passwd" --tcp-flags ACK ACK -j LOG	# "FTP passwd retreval attempt" nocase-ignored arachnids,213 classtype:suspicious-filename-detect sid:356
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "pass -cklaus" -j LOG	# "FTP piss scan" classtype:suspicious-login sid:357
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "pass -saint" -j LOG	# "FTP saint scan" arachnids,330 classtype:suspicious-login sid:358
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "pass -satan" -j LOG	# "FTP satan scan" arachnids,329 classtype:suspicious-login sid:359
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string ".%20." -j LOG	# "FTP serv-u directory transversal" nocase-ignored classtype:bad-unknown sid:360
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "site exec" --tcp-flags ACK ACK -j LOG	# "FTP site exec" nocase-ignored bugtraq,2241 arachnids,317 classtype:bad-unknown sid:361
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "RETR --use-compress-program" -j LOG --log-prefix " cve-CVE-1999-0202 "	# "FTP tar parameters" nocase-ignored bugtraq,2240 arachnids,134 classtype:bad-unknown sid:362
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "CWD ..." -j LOG	# "FTP CWD ..." classtype:bad-unknown sid:1229
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "_RLD" --string "/bin/sh" -j LOG	# "TELNET SGI telnetd format bug" arachnids,304 classtype:attempted-admin sid:711
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "ld_library_path" -j LOG	# "TELNET ld_library_path" arachnids,367 classtype:attempted-admin sid:712
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "ÿóÿóÿóÿóÿó" -j LOG	# "TELNET livingston DOS" arachnids,370 classtype:attempted-dos sid:713
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "resolv_host_conf" -j LOG	# "TELNET resolv_host_conf" arachnids,369 classtype:attempted-admin sid:714
iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --sport 23 -m string --string "to su root" --tcp-flags ACK ACK -j LOG	# "TELNET Attempted SU from wrong group" nocase-ignored classtype:attempted-admin sid:715
iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --sport 23 --tcp-flags ACK ACK -m string --string "not on system console" -j LOG	# "TELNET not on console" nocase-ignored arachnids,365 classtype:bad-unknown sid:717
iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --sport 23 -m string --string "Login incorrect" --tcp-flags ACK ACK -j LOG	# "TELNET login incorrect" arachnids,127 classtype:bad-unknown sid:718
iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --sport 23 -m string --string "login: root" --tcp-flags ACK ACK -j LOG	# "TELNET root login" classtype:suspicious-login sid:719
iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --sport 23 --tcp-flags ACK ACK -m string --string "[Yes]ÿþÿý&" -j LOG --log-prefix " cve-CAN-2001-0554 "	# "TELNET bsd telnet exploit response" classtype: attempted-admin sid: 1252 bugtraq,3064
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "ÿöÿöÿûÿö" -j LOG --log-prefix " cve-CAN-2001-0554 "	#Cannot convert: dsize: >200	 "TELNET bsd exploit client finishing" classtype: successful-admin sid: 1253 bugtraq,3064
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "4Dgifts" -j LOG	# "TELNET 4Dgifts SGI account attempt" classtype:suspicious-login sid:709
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "OutOfBox" -j LOG	# "TELNET EZsetup account attempt" classtype:suspicious-login sid:710
iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --sport 23 --tcp-flags ACK ACK -m string --string "ÿýÿýÿý#ÿý'ÿý\$" -j LOG --log-prefix " cve-CAN-1999-0619 "	# "TELNET access" arachnids,08 classtype:not-suspicious sid:716
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "rcpt to:" -j LOG --log-prefix " cve-CAN-2001-0260 "	#Cannot convert: dsize:>800	 "SMTP RCPT TO overflow" bugtraq,2283 classtype:attempted-admin sid:654
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 113 -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "D/" -j LOG --log-prefix " cve-CVE-1999-0204 "	# "SMTP sendmail 8.6.9 exploit" arachnids,140 classtype:attempted-admin sid:655
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "ëSë [ü3É±‚‹ó€+" -j LOG --log-prefix " cve-CVE-2000-0042 "	# "SMTP EXPLOIT x86 windows CSMMail overflow" bugtraq,895 classtype:attempted-admin sid:656
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 -m string --string "HELP " --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-1999-0261 "	#Cannot convert: dsize: >500	 "SMTP chameleon overflow" nocase-ignored bugtraq,2387 arachnids,266 classtype:attempted-admin sid:657
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "charset = \"\"" -j LOG	# "SMTP exchange mime DOS" classtype:attempted-dos sid:658
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "expn decode" -j LOG	# "SMTP expn decode" nocase-ignored arachnids,32 classtype:attempted-recon sid:659
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "expn root" -j LOG	# "SMTP expn root" nocase-ignored arachnids,31 classtype:attempted-recon sid:660
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "eply-to: a~.`/bin/" -j LOG --log-prefix " cve-CVE-1999-0208 "	#Cannot convert: Mishandled quotes	 "SMTP majordomo ifs" arachnids,143 classtype:attempted-admin sid:661
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "mail from: \"|" -j LOG	# "SMTP sendmail 5.5.5 exploit" nocase-ignored arachnids,119 classtype:attempted-admin sid:662
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "|sed -e '1,/^\$/'" -j LOG --log-prefix " cve-CVE-1999-0095 "	# "SMTP sendmail 5.5.8 overflow" arachnids,172 classtype:attempted-admin sid:663
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "rcpt to: decode" -j LOG	# "SMTP sendmail 5.6.4 exploit" nocase-ignored arachnids,121 classtype:attempted-admin sid:664
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "MAIL FROM: |/usr/ucb/tail" -j LOG	# "SMTP sendmail 5.6.5 exploit" nocase-ignored arachnids,122 classtype:attempted-user sid:665
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "rcpt to: | sed '1,/^$/d'|" -j LOG	# "SMTP sendmail 8.4.1 exploit" nocase-ignored arachnids,120 classtype:attempted-user sid:666
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "CrootMprog, P=/bin/" -j LOG	# "SMTP sendmail 8.6.10 exploit" arachnids,123 classtype:attempted-user sid:667
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "Croot							Mprog,P=/bin" -j LOG	# "SMTP sendmail 8.6.10 exploit" arachnids,124 classtype:attempted-user sid:668
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "CrootMprog" -j LOG --log-prefix " cve-CVE-1999-0204 "	# "SMTP sendmail 8.6.9 exploit" arachnids,142 classtype:attempted-user sid:669
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "C:daemonR" -j LOG --log-prefix " cve-CVE-1999-0204 "	# "SMTP sendmail 8.6.9 exploit" arachnids,139 classtype:attempted-user sid:670
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "CrootMprog" -j LOG --log-prefix " cve-CVE-1999-0204 "	# "SMTP sendmail 8.6.9c exploit" arachnids,141 classtype:attempted-user sid:671
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "vrfy decode" -j LOG	# "SMTP vrfy decode" nocase-ignored arachnids,373 classtype:attempted-recon sid:672
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ACK ACK -m string --string "€ " --string "‡™" -j LOG --log-prefix " cve-CAN-2001-0236 "	# "RPC snmpXdmi overflow attempt" bugtraq,2417 classtype:attempted-admin sid:569
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771:34000 -m string --string "À\"?ü¢ 	À,ÿâ\"?ô" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CVE-1999-0003 "	#Cannot convert: dsize: >999	 "RPC EXPLOIT ttdbserv solaris overflow" bugtraq,122 arachnids,242 classtype:attempted-admin sid:570
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771:34000 --tcp-flags ACK ACK -m string --string "†ó" -j LOG --log-prefix " cve-CVE-1999-0003 "	#Cannot convert: dsize: >999	 "RPC EXPLOIT ttdbserv Solaris overflow" bugtraq,122 arachnids,242 classtype:attempted-admin sid:571
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771:34000 --tcp-flags ACK ACK -m string --string "†ó" -j LOG --log-prefix " cve-CVE-1999-0003 "	# "RPC DOS ttdbserv solaris" bugtraq,122 arachnids,241 classtype:attempted-dos sid:572
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 634:1400 --tcp-flags ACK ACK -m string --string "€,Lu[" -j LOG	# "RPC AMD Overflow" arachnids,217 classtype:attempted-admin sid:573
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771: --tcp-flags ACK ACK -m string --string "†¥" -j LOG	# "RPC NFS Showmount" arachnids,26 classtype:attempted-recon sid:574
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†÷" -j LOG	# "RPC portmap request admind" arachnids,18 classtype:rpc-portmap-decode sid:575
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†÷" --tcp-flags ACK ACK -j LOG	# "RPC portmap request admind" arachnids,18 classtype:rpc-portmap-decode sid:1262
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡" -j LOG	# "RPC portmap request amountd" arachnids,19 classtype:rpc-portmap-decode sid:576
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡" --tcp-flags ACK ACK -j LOG	# "RPC portmap request amountd" arachnids,19 classtype:rpc-portmap-decode sid:1263
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†º" -j LOG	# "RPC portmap request bootparam" arachnids,16 classtype:rpc-portmap-decode sid:577
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†º" --tcp-flags ACK ACK -j LOG	# "RPC portmap request bootparam" arachnids,16 classtype:rpc-portmap-decode sid:1264
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†ä" -j LOG	# "RPC portmap request cmsd" arachnids,17 classtype:rpc-portmap-decode sid:578
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†ä" --tcp-flags ACK ACK -j LOG	# "RPC portmap request cmsd" arachnids,17 classtype:rpc-portmap-decode sid:1265
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¥" -j LOG	# "RPC portmap request mountd" arachnids,13 classtype:rpc-portmap-decode sid:579
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¥" --tcp-flags ACK ACK -j LOG	# "RPC portmap request mountd" arachnids,13 classtype:rpc-portmap-decode sid:1266
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡Ì" -j LOG	# "RPC portmap request nisd" arachnids,21 classtype:rpc-portmap-decode sid:580
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡Ì" --tcp-flags ACK ACK -j LOG	# "RPC portmap request nisd" arachnids,21 classtype:rpc-portmap-decode sid:1267
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "Iñ" -j LOG	# "RPC portmap request pcnfsd" arachnids,22 classtype:rpc-portmap-decode sid:581
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "Iñ" --tcp-flags ACK ACK -j LOG	# "RPC portmap request pcnfsd" arachnids,22 classtype:rpc-portmap-decode sid:1268
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†±" -j LOG	# "RPC portmap request rexd" arachnids,23 classtype:rpc-portmap-decode sid:582
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†±" --tcp-flags ACK ACK -j LOG	# "RPC portmap request rexd" arachnids,23 classtype:rpc-portmap-decode sid:1269
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " -j LOG	# "RPC portmap request rstatd" arachnids,10 classtype:rpc-portmap-decode sid:583
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --tcp-flags ACK ACK -j LOG	# "RPC portmap request rstatd" arachnids,10 classtype:rpc-portmap-decode sid:1270
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¢" --tcp-flags ACK ACK -j LOG	# "RPC portmap request rusers" arachnids,133 classtype:rpc-portmap-decode sid:1271
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¢" -j LOG	# "RPC portmap request rusers" arachnids,133 classtype:rpc-portmap-decode sid:584
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡ˆ" --tcp-flags ACK ACK -j LOG	# "RPC portmap request sadmind" arachnids,20 classtype:rpc-portmap-decode sid:1272
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡ˆ" -j LOG	# "RPC portmap request sadmind" arachnids,20 classtype:rpc-portmap-decode sid:585
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¯" -j LOG	# "RPC portmap request selection_svc" arachnids,25 classtype:rpc-portmap-decode sid:586
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¯" --tcp-flags ACK ACK -j LOG	# "RPC portmap request selection_svc" arachnids,25 classtype:rpc-portmap-decode sid:1273
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¸" -j LOG	# "RPC portmap request status" arachnids,15 classtype:rpc-portmap-decode sid:587
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†ó" -j LOG	# "RPC portmap request ttdbserv" arachnids,24 classtype:rpc-portmap-decode sid:588
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†ó" --tcp-flags ACK ACK -j LOG	# "RPC portmap request ttdbserv" arachnids,24 classtype:rpc-portmap-decode sid:1274
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†©" -j LOG	# "RPC portmap request yppasswd" arachnids,14 classtype:rpc-portmap-decode sid:589
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†©" --tcp-flags ACK ACK -j LOG	# "RPC portmap request yppasswd" arachnids,14 classtype:rpc-portmap-decode sid:1275
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¤" --tcp-flags ACK ACK -j LOG	# "RPC portmap request ypserv" arachnids,12 classtype:rpc-portmap-decode sid:1276
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¤" -j LOG	# "RPC portmap request ypserv" arachnids,12 classtype:rpc-portmap-decode sid:590
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¼" -j LOG	# "RPC portmap request ypupdated" arachnids,125 classtype:rpc-portmap-decode sid:1277
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -m string --string "†¼" -j LOG	# "RPC portmap request ypupdated" arachnids,125 classtype:rpc-portmap-decode sid:591
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 32770: -m string --string "†¡" -j LOG	# "RPC rstatd query" arachnids,9 classtype:attempted-recon sid:592
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32770: --tcp-flags ACK ACK -m string --string "†¡" -j LOG	# "RPC rstatd query" arachnids,9 classtype:attempted-recon sid:1278
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2001-0717 "	#Cannot convert: rpc:100083,*,*	 "RPC portmap request tooltalk" classtype:rpc-portmap-decode sid:1298
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -j LOG --log-prefix " cve-CAN-2001-0717 "	#Cannot convert: rpc:100083,*,*	 "RPC portmap request tooltalk" classtype:rpc-portmap-decode sid:1299
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -j LOG	#Cannot convert: rpc:100249,*,*	 "RPC portmap request snmpXdmi" bugtraq,2417 classtype:rpc-portmap-decode sid:593
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -j LOG	#Cannot convert: rpc:100249,*,*	 "RPC portmap request snmpXdmi" bugtraq,2417 classtype:rpc-portmap-decode sid:1279
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -j LOG --log-prefix " cve-CAN-2001-0331 "	#Cannot convert: rpc:391029,*,*	 "RPC portmap request espd" classtype:rpc-portmap-decode sid:594
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2001-0331 "	#Cannot convert: rpc:391029,*,*	 "RPC portmap request espd" classtype:rpc-portmap-decode sid:595
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -j LOG	#Cannot convert: rpc:100009,*,*	 "RPC portmap request yppasswdd" bugtraq,2763 classtype:rpc-portmap-decode sid:1296
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -j LOG	#Cannot convert: rpc:100009,*,*	 "RPC portmap request yppasswdd" bugtraq,2763 classtype:rpc-portmap-decode sid:1297
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -j LOG	#Cannot convert: rpc: 100000,*,*	 "RPC portmap listing" arachnids,429 classtype:rpc-portmap-decode sid:596
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771 --tcp-flags ACK ACK -j LOG	#Cannot convert: rpc: 100000,*,*	 "RPC portmap listing" arachnids,429 classtype:rpc-portmap-decode sid:597
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " -j LOG	# "RPC portmap listing" arachnids,429 classtype:rpc-portmap-decode sid:1280
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -m string --string "† " -j LOG	# "RPC portmap listing" arachnids,429 classtype:rpc-portmap-decode sid:598
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771 --tcp-flags ACK ACK -m string --string "† " -j LOG	# "RPC portmap listing" arachnids,429 classtype:rpc-portmap-decode sid:599
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 32771 -m string --string "† " -j LOG	# "RPC portmap listing" arachnids,429 classtype:rpc-portmap-decode sid:1281
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ACK ACK -m string --string "/binÇF/sh" -j LOG	# "RPC EXPLOIT statdx" arachnids,442 classtype:attempted-admin sid:600
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "/binÇF/sh" -j LOG	# "RPC EXPLOIT statdx" arachnids,442 classtype:attempted-admin sid:1282
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 --tcp-flags ACK ACK -m string --string "::::::::::::::::" -j LOG	# "RSERVICES rsh LinuxNIS" classtype:bad-unknown sid:601
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 --tcp-flags ACK ACK -m string --string "binbin" -j LOG	# "RSERVICES rsh bin" arachnids,384 classtype:attempted-user sid:602
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 --tcp-flags ACK ACK -m string --string "echo \" + + \"" -j LOG	# "RSERVICES rsh echo++" arachnids,385 classtype:bad-unknown sid:603
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 --tcp-flags ACK ACK -m string --string "-froot" -j LOG	# "RSERVICES rsh froot" arachnids,386 classtype:attempted-admin sid:604
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 --tcp-flags ACK ACK -m string --string "login incorrect" -j LOG	# "RSERVICES rsh login failure" arachnids,393 classtype:unsuccessful-user sid:605
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 --tcp-flags ACK ACK -m string --string "rootroot" -j LOG	# "RSERVICES rsh root" arachnids,389 classtype:attempted-admin sid:606
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 514 --tcp-flags ACK ACK -m string --string "binbin" -j LOG	# "RSERVICES rlogin bin" arachnids,390 classtype:attempted-user sid:607
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 514 --tcp-flags ACK ACK -m string --string "echo \"+ +\"" -j LOG	# "RSERVICES rlogin echo++" arachnids,388 classtype:attempted-user sid:608
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 514 --tcp-flags ACK ACK -m string --string "-froot" -j LOG	# "RSERVICES rlogin froot" arachnids,387 classtype:attempted-admin sid:609
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 514 --tcp-flags ACK ACK -m string --string "rootroot" -j LOG	# "RSERVICES rlogin root" arachnids,391 classtype:attempted-admin sid:610
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ACK ACK -m string --string "rlogind: Permission denied." -j LOG	# "RSERVICES rsh login failure" arachnids,392 classtype:unsuccessful-user sid:611
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 32770: -m string --string "†¢" -j LOG --log-prefix " cve-CVE-1999-0626 "	# "RPC rusers query" arachnids,136 classtype:attempted-recon sid:612
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -j LOG	#Cannot convert: fragbits: M dsize:408	 "DOS Jolt attack" classtype:attempted-dos sid:268
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL SYN -j LOG	#Cannot convert: id:3868 seq: 3868	 "DOS Land attack" classtype:attempted-dos sid:269
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -j LOG	#Cannot convert: id:242 fragbits:M	 "DOS Teardrop attack" bugtraq,124 classtype:attempted-dos sid:270
iptables -A SnortRules -p udp --sport 19 -d $HOME_NET --dport 7 -j LOG	# "DOS UDP Bomb" classtype:attempted-dos sid:271
iptables -A SnortRules -p udp --dport 19 -s $HOME_NET --sport 7 -j LOG	# "DOS UDP Bomb" classtype:attempted-dos sid:271
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "" --proto ip_proto: 2 -j LOG	#Cannot convert: fragbits: M+	 "DOS IGMP dos attack" classtype:attempted-dos sid:272
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "" --proto ip_proto: 2 -j LOG	#Cannot convert: fragbits: M+	 "DOS IGMP dos attack" classtype:attempted-dos sid:273
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "+++ath" -m icmp --icmp-type 8 -j LOG	# "DOS ath" nocase-ignored arachnids,264 classtype:attempted-dos sid:274
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL SYN -j LOG	#Cannot convert: seq: 6060842 id: 413	 "DOS NAPTHA" url,razor.bindview.com/publish/advisories/adv_NAPTHA.html classtype:attempted-dos sid:275
#iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --tcp-flags ALL SYN -j LOG	#Cannot convert: seq: 6060842 id: 413	 "DOS NAPTHA" url,razor.bindview.com/publish/advisories/adv_NAPTHA.html classtype:attempted-dos sid:275
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 7070 --tcp-flags ACK ACK -m string --string "ÿôÿý" -j LOG --log-prefix " cve-CVE-2000-0474 "	# "DOS Real Audio Server" bugtraq,1288 arachnids,411 classtype:attempted-dos sid:276
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 7070 --tcp-flags ACK ACK -m string --string "/viewsource/template.html?" -j LOG --log-prefix " cve-CVE-2000-0474 "	# "DOS Real Server template.html" nocase-ignored bugtraq,1288 classtype:attempted-dos sid:277
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 8080 --tcp-flags ACK ACK -m string --string "/viewsource/template.html?" -j LOG --log-prefix " cve-CVE-2000-0474 "	# "DOS Real Server template.html" nocase-ignored bugtraq,1288 classtype:attempted-dos sid:278
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 161 -j LOG --log-prefix " cve-CVE-2000-0221 "	#Cannot convert: dsize:0	 "DOS Bay/Nortel Nautica Marlin" bugtraq,1009 classtype:attempted-dos sid:279
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "+++ath0" -m icmp --icmp-type 8 -j LOG	# "DOS ath0" nocase-ignored arachnids,264 classtype:attempted-dos sid:280
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 9 -m string --string "NAMENAME" -j LOG --log-prefix " cve-CVE-1999-0060 "	# "DOS Ascend Route" bugtraq,714 arachnids,262 classtype:attempted-dos sid:281
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 617 --tcp-flags ACK ACK -j LOG --log-prefix " cve-CVE-1999-0788 "	#Cannot convert: dsize: >1445	 "DOS arkiea backup" bugtraq,662 arachnids,261 classtype:attempted-dos sid:282
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags URG URG -j LOG --log-prefix " cve-CVE-1999-0153 "	# "DOS Winnuke attack" bugtraq,2010 classtype: attempted-dos sid: 1257
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 8 -m string --string "1234" -j LOG	#Cannot convert: id: 678	 "DDOS TFN Probe" arachnids,443 classtype:attempted-recon sid:221
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 0 -m string --string "AAAAAAAAAA" -j LOG	#Cannot convert: icmp_id: 0	 "DDOS tfn2k icmp possible communication" arachnids,425 classtype:attempted-dos sid:222
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 31335 -m string --string "PONG" -j LOG	# "DDOS Trin00:DaemontoMaster(PONGdetected)" arachnids,187 classtype:attempted-recon sid:223
#iptables -A SnortRules -p icmp -s 3.3.3.3/32 -d $EXTERNAL_NET -m icmp --icmp-type 0 -j LOG	#Cannot convert: icmp_id: 666	 "DDOS Stacheldraht server-spoof" arachnids,193 classtype:attempted-dos sid:224
#iptables -A SnortRules -p icmp -s $HOME_NET -d $EXTERNAL_NET -m string --string "sicken" -m icmp --icmp-type 0 -j LOG	#Cannot convert: icmp_id: 669	 "DDOS Stacheldraht server-response-gag" arachnids,195 classtype:attempted-dos sid:225
#iptables -A SnortRules -p icmp -s $HOME_NET -d $EXTERNAL_NET -m string --string "ficken" -m icmp --icmp-type 0 -j LOG	#Cannot convert: icmp_id: 667	 "DDOS Stacheldraht server-response" arachnids,191 classtype:attempted-dos sid:226
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "spoofworks" -m icmp --icmp-type 0 -j LOG	#Cannot convert: icmp_id: 1000	 "DDOS Stacheldraht client-spoofworks" arachnids,192 classtype:attempted-dos sid:227
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 0 -j LOG	#Cannot convert: icmp_id: 456 icmp_seq: 0	 "DDOS TFN client command BE" arachnids,184 classtype:attempted-dos sid:228
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "skillz" -m icmp --icmp-type 0 -j LOG	#Cannot convert: icmp_id: 666	 "DDOS Stacheldraht client-check" arachnids,190 classtype:attempted-dos sid:229
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 20432 --tcp-flags ACK ACK -j LOG	# "DDOS shaft client to handler" arachnids,254 classtype:attempted-dos sid:230
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 31335 -m string --string "l44" -j LOG	# "DDOS Trin00:DaemontoMaster(messagedetected)" arachnids,186 classtype:attempted-dos sid:231
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 31335 -m string --string "*HELLO*" -j LOG	# "DDOS Trin00:DaemontoMaster(*HELLO*detected)" arachnids,185 classtype:attempted-dos sid:232
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 27665 --tcp-flags ACK ACK -m string --string "betaalmostdone" -j LOG	# "DDOS Trin00:Attacker to Master default startup password" arachnids,197 classtype:attempted-dos sid:233
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 27665 --tcp-flags ACK ACK -m string --string "gOrave" -j LOG	# "DDOS Trin00 Attacker to Master default password" classtype:attempted-dos sid:234
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 27665 --tcp-flags ACK ACK -m string --string "killme" -j LOG	# "DDOS Trin00 Attacker to Master default mdie password" classtype:bad-unknown sid:235
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "gesundheit" -m icmp --icmp-type 0 -j LOG	#Cannot convert: icmp_id: 668	 "DDOS Stacheldraht client-check-gag" arachnids,194 classtype:attempted-dos sid:236
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 27444 -m string --string "l44adsl" -j LOG	# "DDOS Trin00:MastertoDaemon(defaultpassdetected!)" arachnids,197 classtype:attempted-dos sid:237
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "shell bound to port" -m icmp --icmp-type 0 -j LOG	#Cannot convert: icmp_id: 123 icmp_seq: 0	 "DDOS TFN server response" arachnids,182 classtype:attempted-dos sid:238
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 18753 -m string --string "alive tijgu" -j LOG	# "DDOS shaft handler to agent" arachnids,255 classtype:attempted-dos sid:239
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 20433 -m string --string "alive" -j LOG	# "DDOS shaft agent to handler" arachnids,256 classtype:attempted-dos sid:240
#iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --tcp-flags ALL SYN -j LOG	#Cannot convert: seq: 674711609	 "DDOS shaft synflood" arachnids,253 classtype:attempted-dos sid:241
#iptables -A SnortRules -p tcp -d $HOME_NET -s $EXTERNAL_NET --tcp-flags ALL SYN -j LOG	#Cannot convert: seq: 674711609	 "DDOS shaft synflood" arachnids,253 classtype:attempted-dos sid:241
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 6838 -m string --string "newserver" -j LOG	# "DDOS mstream agent to handler" classtype:attempted-dos sid:243
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 10498 -m string --string "stream/" -j LOG --log-prefix " cve-CAN-2000-0138 "	# "DDOS mstream handler to agent" classtype:attempted-dos sid:244
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 10498 -m string --string "ping" -j LOG --log-prefix " cve-CAN-2000-0138 "	# "DDOS mstream handler ping to agent" classtype:attempted-dos sid:245
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 10498 -m string --string "pong" -j LOG	# "DDOS mstream agent pong to handler" classtype:attempted-dos sid:246
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 12754 -m string --string ">" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2000-0138 "	# "DDOS mstream client to handler" classtype:attempted-dos sid:247
iptables -A SnortRules -p tcp -s $HOME_NET --sport 12754 -d $EXTERNAL_NET -m string --string ">" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2000-0138 "	# "DDOS mstream handler to client" classtype:attempted-dos sid:248
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 15104 --tcp-flags ALL SYN -j LOG --log-prefix " cve-CAN-2000-0138 "	# "DDOS mstream client to handler" arachnids,111 classtype:attempted-dos sid:249
iptables -A SnortRules -p tcp -s $HOME_NET --sport 15104 -d $EXTERNAL_NET -m string --string ">" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2000-0138 "	# "DDOS mstream handler to client" classtype:attempted-dos sid:250
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 0 -j LOG	#Cannot convert: icmp_id: 51201 icmp_seq: 0	 "DDOS - TFN client command LE" arachnids,183 classtype:attempted-dos sid:251
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "	€" -j LOG --log-prefix " cve-CVE-1999-0009 "	# "DNS named iquery attempt" arachnids,277 bugtraq,134 classtype:attempted-recon sid:252
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 53 -d $HOME_NET -m string --string "…€" --string "À<" -j LOG	# "DNS SPOOF query response PTR with TTL: 1 min. and no authority" classtype:bad-unknown sid:253
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 53 -d $HOME_NET -m string --string "€" --string "À<" -j LOG	# "DNS SPOOF query response with ttl: 1 min. and no authority" classtype:bad-unknown sid:254
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "ü" --tcp-flags ACK ACK -j LOG	# "DNS zone transfer" arachnids,212 classtype:attempted-recon sid:255
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "authors" --string "bind" -j LOG	# "DNS named authors attempt" nocase-ignored arachnids,480 classtype:attempted-recon sid:256
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "version" --string "bind" -j LOG	# "DNS named version attempt" nocase-ignored arachnids,278 classtype:attempted-recon sid:257
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "../../../../../../../../../" -j LOG --log-prefix " cve-CVE-1999-0833 "	# "DNS EXPLOIT named 8.2->8.2.1" classtype:attempted-admin sid:258
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool" -j LOG --log-prefix " cve-CVE-1999-0833 "	# "DNS EXPLOIT named overflow" classtype:attempted-admin sid:259
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "ADMROCKS" -j LOG --log-prefix " cve-CVE-1999-0833 "	# "DNS EXPLOIT named" classtype:attempted-admin sid:260
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "Í€è×ÿÿÿ/bin/sh" -j LOG	# "DNS EXPLOIT named" classtype:attempted-admin sid:261
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "1À°?1Û³ÿ1ÉÍ€1À" -j LOG	# "DNS EXPLOIT x86 linux" classtype:attempted-admin sid:262
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "1À°Í€…ÀuLëL^°" -j LOG	# "DNS EXPLOIT x86 linux" classtype:attempted-admin sid:264
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "‰÷)Ç‰ó‰ù‰ò¬<þ" -j LOG	# "DNS EXPLOIT x86 linux ADMv2" classtype:attempted-admin sid:265
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "ën^Æš1É‰NÆF" -j LOG	# "DNS EXPLOIT x86 freebsd" classtype:attempted-admin sid:266
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "À ’ Ð#¿ø" -j LOG	# "DNS EXPLOIT sparc" classtype:attempted-admin sid:267
iptables -A SnortRules -p udp --dport 69 -m string --string "Admin.dlloctet" -j LOG	# "TFTP GET Admin.dll" classtype:successful-admin url,www.cert.org/advisories/CA-2001-26.html sid:1289
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 69 -m string --string "" -j LOG --log-prefix " cve-CVE-1999-0183 "	# "TFTP Write" arachnids,148 classtype:bad-unknown sid:518
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 69 -m string --string ".." -j LOG --log-prefix " cve-CVE-1999-0183 "	# "TFTP parent directory" arachnids,137 classtype:bad-unknown sid:519
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 69 -m string --string "/" -j LOG --log-prefix " cve-CVE-1999-0183 "	# "TFTP root directory" arachnids,138 classtype:bad-unknown sid:520
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/hsx.cgi" --string "../../" --string "%00" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2001-0253 "	# "WEB-CGI HyperSeek directory traversal attempt" bugtraq,2314 classtype:web-application-attack sid:803
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/s.cgi" --string "tmpl=" --tcp-flags ACK ACK -j LOG	#Cannot convert: dsize:>500	 "WEB-CGI SWSoft ASPSeek Overflow attempt" nocase-ignored bugtraq,2492 classtype:web-application-attack sid:804
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/wsisa.dll/WService=" --string "WSMadmin" -j LOG	# "WEB-CGI webspeed access" nocase-ignored nocase-ignored arachnids,467 classtype:attempted-user sid:805
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/YaBB.pl" --string "../" -j LOG	# "WEB-CGI yabb access" arachnids,462 classtype:attempted-recon sid:806
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/wwwboard/passwd.txt" -j LOG	# "WEB-CGI wwwboard passwd access" nocase-ignored arachnids,463 classtype:attempted-recon sid:807
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webdriver" -j LOG	# "WEB-CGI webdriver access" nocase-ignored arachnids,473 classtype:attempted-recon sid:808
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/whois_raw.cgi?" --string "" -j LOG	# "WEB-CGI whoisraw attempt" arachnids,466 classtype:web-application-attack sid:809
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/whois_raw.cgi" -j LOG	# "WEB-CGI whoisraw access" arachnids,466 classtype:attempted-recon sid:810
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string " /HTTP/1." -j LOG	# "WEB-CGI websitepro path access" nocase-ignored arachnids,468 classtype:attempted-recon sid:811
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webplus?about " -j LOG	# "WEB-CGI webplus version access" nocase-ignored arachnids,470 classtype:attempted-recon sid:812
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webplus?script" --string "../" -j LOG	# "WEB-CGI webplus directory trasversal" nocase-ignored arachnids,471 classtype:web-application-attack sid:813
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/websendmail" -j LOG --log-prefix " cve-CVE-1999-0196 "	# "WEB-CGI websendmail access" nocase-ignored arachnids,469 bugtraq,2077 classtype:attempted-recon sid:815
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/dcboard.cgi" --string "command=register" --string "%7cadmin" -j LOG	# "WEB-CGI dcforum.cgi invalid user addition attempt" classtype:web-application-attack sid:817
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/dcforum.cgi" --tcp-flags ACK ACK -j LOG	# "WEB-CGI dcforum.cgi access" classtype:attempted-recon sid:818
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/mmstdod.cgi" --tcp-flags ACK ACK -j LOG	# "WEB-CGI mmstdod.cgi access" nocase-ignored classtype:attempted-recon sid:819
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/apexec.pl" --string "template=../" -j LOG --log-prefix " cve-CVE-2000-0975 "	# "WEB-CGI anaconda directory transversal attempt" nocase-ignored bugtraq,2388 classtype:web-application-attack sid:820
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ALL ACK -m string --string "/imagemap.exe?" -j LOG	#Cannot convert: dsize: >1000	 "WEB-CGI imagemap overflow attempt" nocase-ignored arachnids,412 classtype:web-application-attack sid:821
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cvsweb.cgi" -j LOG --log-prefix " cve-CVE-2000-0670 "	# "WEB-CGI cvsweb.cgi access" nocase-ignored bugtraq,1469 classtype:attempted-recon sid:823
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/php.cgi" -j LOG	# "WEB-CGI php access" nocase-ignored bugtraq,2250 arachnids,232 classtype:attempted-recon sid:824
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/glimpse" -j LOG	# "WEB-CGI glimpse access" nocase-ignored bugtraq,2026 classtype:attempted-recon sid:825
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/htmlscript" -j LOG --log-prefix " cve-CVE-1999-0264 "	# "WEB-CGI htmlscript access" nocase-ignored bugtraq,2001 classtype:attempted-recon sid:826
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/info2www" -j LOG --log-prefix " cve-CVE-1999-0266 "	# "WEB-CGI info2www access" nocase-ignored bugtraq,1995 classtype:attempted-recon sid:827
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/maillist.pl" -j LOG	# "WEB-CGI maillist.pl access" nocase-ignored classtype:attempted-recon sid:828
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/nph-test-cgi" -j LOG --log-prefix " cve-CVE-1999-0045 "	# "WEB-CGI nph-test-cgi access" nocase-ignored arachnids,224 bugtraq,686 classtype:attempted-recon sid:829
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/nph-publish" -j LOG	# "WEB-CGI NPH-publish access" nocase-ignored classtype:attempted-recon sid:830
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/perl.exe" -j LOG	# "WEB-CGI perl.exe access" nocase-ignored arachnids,219 classtype:attempted-recon sid:832
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/rguest.exe" -j LOG --log-prefix " cve-CAN-1999-0467 "	# "WEB-CGI rguest.exe access" nocase-ignored bugtraq,2024 classtype:attempted-recon sid:833
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/rwwwshell.pl" -j LOG	# "WEB-CGI rwwwshell.pl access" nocase-ignored classtype:attempted-recon sid:834
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/test-cgi" -j LOG --log-prefix " cve-CVE-1999-0070 "	# "WEB-CGI test-cgi access" nocase-ignored arachnids,218 classtype:attempted-recon sid:835
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/textcounter.pl" -j LOG	# "WEB-CGI testcounter.pl access" nocase-ignored classtype:attempted-recon sid:836
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/uploader.exe" -j LOG --log-prefix " cve-CVE-1999-0177 "	# "WEB-CGI uploader.exe access" nocase-ignored classtype:attempted-recon sid:837
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webgais" -j LOG --log-prefix " cve-CVE-1999-0176 "	# "WEB-CGI webgais access" nocase-ignored arachnids,472 bugtraq,2058 classtype:attempted-recon sid:838
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/finger" -j LOG --log-prefix " cve-CVE-1999-0612 "	# "WEB-CGI finger access" nocase-ignored arachnids,221 classtype:attempted-recon sid:839
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/perlshop.cgi" -j LOG	# "WEB-CGI perlshop.cgi access" nocase-ignored classtype:attempted-recon sid:840
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/pfdisplay.cgi" -j LOG --log-prefix " cve-CVE-1999-0270 "	# "WEB-CGI pfdisplay.cgi access" nocase-ignored bugtraq,64 classtype:attempted-recon sid:841
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/aglimpse" -j LOG --log-prefix " cve-CVE-1999-0147 "	# "WEB-CGI aglimpse access" nocase-ignored bugtraq,2026 classtype:attempted-recon sid:842
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/AnForm2" -j LOG --log-prefix " cve-CVE-1999-0066 "	# "WEB-CGI anform2 access" nocase-ignored arachnids,225 classtype:attempted-recon sid:843
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/args.bat" -j LOG	# "WEB-CGI args.bat access" nocase-ignored classtype:attempted-recon sid:844
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/AT-admin.cgi" -j LOG	# "WEB-CGI AT-admin.cgi access" nocase-ignored classtype:attempted-recon sid:845
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bnbform.cgi" -j LOG --log-prefix " cve-CVE-1999-0937 "	# "WEB-CGI bnbform.cgi access" nocase-ignored bugtraq,1469 classtype:attempted-recon sid:846
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/campas" -j LOG --log-prefix " cve-CVE-1999-0146 "	# "WEB-CGI campas access" nocase-ignored bugtraq,1975 classtype:attempted-recon sid:847
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/view-source" --string "../" -j LOG --log-prefix " cve-CVE-1999-0174 "	# "WEB-CGI view-source directory traversal" nocase-ignored nocase-ignored classtype:web-application-attack sid:848
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/view-source" -j LOG --log-prefix " cve-CVE-1999-0174 "	# "WEB-CGI view-source access" nocase-ignored classtype:attempted-recon sid:849
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/wais.pl" -j LOG	# "WEB-CGI wais.p access" nocase-ignored classtype:attempted-recon sid:850
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/files.pl" -j LOG	# "WEB-CGI files.pl access" nocase-ignored classtype:attempted-recon sid:851
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/wguest.exe" -j LOG --log-prefix " cve-CAN-1999-0467 "	# "WEB-CGI wguest.exe access" nocase-ignored bugtraq,2024 classtype:attempted-recon sid:852
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/wrap" -j LOG --log-prefix " cve-CVE-1999-0149 "	# "WEB-CGI wrap access" bugtraq,373 arachnids,234 classtype:attempted-recon sid:853
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/classifieds.cgi" -j LOG --log-prefix " cve-CVE-1999-0934 "	# "WEB-CGI classifieds.cgi access" nocase-ignored bugtraq,2020 classtype:attempted-recon sid:854
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/edit.pl" -j LOG	# "WEB-CGI edit.pl access" nocase-ignored classtype:attempted-recon sid:855
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/environ.cgi" -j LOG	# "WEB-CGI environ.cgi access" nocase-ignored classtype:attempted-recon sid:856
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/faxsurvey" -j LOG --log-prefix " cve-CVE-1999-0262 "	# "WEB-CGI faxsurvey access" nocase-ignored bugtraq,2056 classtype:attempted-recon sid:857
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/filemail.pl" -j LOG	# "WEB-CGI filemail access" nocase-ignored classtype:attempted-recon sid:858
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/man.sh" -j LOG	# "WEB-CGI man.sh access" nocase-ignored classtype:attempted-recon sid:859
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/snork.bat" -j LOG --log-prefix " cve-CVE-2000-0169 "	# "WEB-CGI snork.bat access" nocase-ignored bugtraq,1053 arachnids,220 classtype:attempted-recon sid:860
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/w3-msql/" -j LOG --log-prefix " cve-CVE-1999-0276 "	# "WEB-CGI w3-msql access" nocase-ignored bugtraq,591 arachnids,210 classtype:attempted-recon sid:861
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/csh" -j LOG --log-prefix " cve-CAN-1999-0509 "	# "WEB-CGI csh access" nocase-ignored classtype:attempted-recon sid:862
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/zsh" -j LOG --log-prefix " cve-CAN-1999-0509 "	# "WEB-CGI zsh access" nocase-ignored classtype:attempted-recon sid:1309
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/day5datacopier.cgi" -j LOG	# "WEB-CGI day5datacopier.cgi access" nocase-ignored classtype:attempted-recon sid:863
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/day5datanotifier.cgi" -j LOG	# "WEB-CGI day5datanotifier.cgi access" nocase-ignored classtype:attempted-recon sid:864
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ksh" -j LOG --log-prefix " cve-CAN-1999-0509 "	# "WEB-CGI ksh access" nocase-ignored classtype:attempted-recon sid:865
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/post-query" -j LOG	# "WEB-CGI post-query access" nocase-ignored classtype:attempted-recon sid:866
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/visadmin.exe" -j LOG --log-prefix " cve-CAN-1999-1970 "	# "WEB-CGI visadmin.exe access" nocase-ignored bugtraq,1808 classtype:attempted-recon sid:867
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/rsh" -j LOG --log-prefix " cve-CAN-1999-0509 "	# "WEB-CGI rsh access" nocase-ignored classtype:attempted-recon sid:868
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/dumpenv.pl" -j LOG	# "WEB-CGI dumpenv.pl access" nocase-ignored classtype:attempted-recon sid:869
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/snorkerz.cmd" -j LOG	# "WEB-CGI snorkerz.cmd access" nocase-ignored classtype:attempted-recon sid:870
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/survey.cgi" -j LOG --log-prefix " cve-CVE-1999-0936 "	# "WEB-CGI survey.cgi access" nocase-ignored bugtraq,1817 classtype:attempted-recon sid:871
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/tcsh" -j LOG --log-prefix " cve-CAN-1999-0509 "	# "WEB-CGI tcsh access" nocase-ignored classtype:attempted-recon sid:872
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "///" -j LOG --log-prefix " cve-CVE-1999-0236 "	# "WEB-CGI scriptalias access" bugtraq,2300 arachnids,227 classtype:attempted-recon sid:873
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/shA-cA/usr/openwin" -j LOG --log-prefix " cve-CVE-1999-0276 "	# "WEB-CGI w3-msql solaris x86 access" nocase-ignored arachnids,211 classtype:attempted-recon sid:874
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/win-c-sample.exe" -j LOG --log-prefix " cve-CVE-1999-0178 "	# "WEB-CGI win-c-sample.exe access" nocase-ignored bugtraq,2078 arachnids,231 classtype:attempted-recon sid:875
iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 80 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "blaat@blaat.com" -j LOG	# "WEB-CGI bugzilla 2.8 exploit " nocase-ignored arachnids,276 classtype:web-application-attack sid:876
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/rksh" -j LOG --log-prefix " cve-CAN-1999-0509 "	# "WEB-CGI rksh access" nocase-ignored classtype:attempted-recon sid:877
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/w3tvars.pm" -j LOG	# "WEB-CGI w2tvars.pm access" nocase-ignored classtype:attempted-recon sid:878
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admin.pl" -j LOG	# "WEB-CGI admin.pl access" nocase-ignored classtype:attempted-recon sid:879
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/LWGate" -j LOG	# "WEB-CGI LWGate access" nocase-ignored classtype:attempted-recon sid:880
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/archie" -j LOG	# "WEB-CGI archie access" nocase-ignored classtype:attempted-recon sid:881
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/calendar" -j LOG	# "WEB-CGI calendar access" nocase-ignored classtype:attempted-recon sid:882
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/flexform" -j LOG	# "WEB-CGI flexform access" nocase-ignored classtype:attempted-recon sid:883
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/formmail" -j LOG --log-prefix " cve-CVE-1999-0172 "	# "WEB-CGI formmail access" nocase-ignored bugtraq,1187 arachnids,226 classtype:attempted-recon sid:884
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bash" -j LOG --log-prefix " cve-CAN-1999-0509 "	# "WEB-CGI bash access" nocase-ignored classtype:attempted-recon sid:885
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/phf" -j LOG --log-prefix " cve-CVE-1999-0067 "	# "WEB-CGI phf access" nocase-ignored bugtraq,629 arachnids,128 classtype:attempted-recon sid:886
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/www-sql" -j LOG	# "WEB-CGI www-sql access" nocase-ignored classtype:attempted-recon sid:887
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/wwwadmin.pl" -j LOG	# "WEB-CGI wwwadmin.pl access" nocase-ignored classtype:attempted-recon sid:888
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ppdscgi.exe" -j LOG	# "WEB-CGI ppdscgi.exe access" nocase-ignored bugtraq,491 classtype:attempted-recon sid:889
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/sendform.cgi" -j LOG	# "WEB-CGI sendform.cgi access" nocase-ignored classtype:attempted-recon sid:890
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/upload.pl" -j LOG	# "WEB-CGI upload.pl access" nocase-ignored classtype:attempted-recon sid:891
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/AnyForm2" -j LOG --log-prefix " cve-CVE-1999-0066 "	# "WEB-CGI AnyForm2 access" nocase-ignored bugtraq,719 classtype:attempted-recon sid:892
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/MachineInfo" -j LOG	# "WEB-CGI MachineInfo access" nocase-ignored classtype:attempted-recon sid:893
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bb-hist.sh" -j LOG	# "WEB-CGI bb-hist.sh access" nocase-ignored bugtraq,142 classtype:attempted-recon sid:894
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/redirect" -j LOG --log-prefix " cve-CVE-2000-0382 "	# "WEB-CGI redirect access" nocase-ignored bugtraq,1179 classtype:attempted-recon sid:895
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/way-board" --tcp-flags ACK ACK -j LOG	# "WEB-CGI wayboard access" nocase-ignored bugtraq,2370 classtype:attempted-recon sid:896
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/pals-cgi" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2001-0216,cve-CAN-2001-0217 "	# "WEB-CGI pals-cgi access" nocase-ignored bugtraq,2372 classtype:attempted-recon sid:897
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/commerce.cgi" --tcp-flags ACK ACK -j LOG	# "WEB-CGI commerce.cgi access" nocase-ignored classtype:attempted-recon sid:898
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/sendtemp.pl" --string "templ=" --tcp-flags ACK ACK -j LOG	# "WEB-CGI Amaya templates sendtemp.pl directory traversal attempt" nocase-ignored nocase-ignored bugtraq,2504 classtype:web-application-attack sid:899
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/webspirs.cgi" --string "../../" --tcp-flags ACK ACK -j LOG	# "WEB-CGI webspirs directory traversal attempt" nocase-ignored nocase-ignored bugtraq,2362 classtype:web-application-attack sid:900
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/webspirs.cgi" --tcp-flags ACK ACK -j LOG	# "WEB-CGI webspirs access" nocase-ignored bugtraq,2362 classtype:attempted-recon sid:901
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "tstisapi.dll" --tcp-flags ACK ACK -j LOG	# "WEB-CGI tstisapi.dll access" nocase-ignored classtype:attempted-recon sid:902
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/sendmessage.cgi" --tcp-flags ACK ACK -j LOG	# "WEB-CGI sendmessage.cgi access" nocase-ignored classtype:attempted-recon sid:1308
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfcache.map" -j LOG --log-prefix " cve-CVE-2000-0057 "	# "WEB-COLDFUSION cfcache.map access" nocase-ignored bugtraq,917 classtype:attempted-recon sid:903
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/exampleapp/email/application.cfm" -j LOG	# "WEB-COLDFUSION exampleapp application.cfm" nocase-ignored bugtraq,1021 classtype:attempted-recon sid:904
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/exampleapp/publish/admin/application.cfm" -j LOG	# "WEB-COLDFUSION application.cfm access" nocase-ignored bugtraq,1021 classtype:attempted-recon sid:905
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/exampleapp/email/getfile.cfm" -j LOG	# "WEB-COLDFUSION getfile.cfm access" nocase-ignored bugtraq,229 classtype:attempted-recon sid:906
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/exampleapp/publish/admin/addcontent.cfm" -j LOG	# "WEB-COLDFUSION addcontent.cfm access" nocase-ignored classtype:attempted-recon sid:907
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/cfide/administrator/index.cfm" --tcp-flags ACK ACK -j LOG	# "WEB-COLDFUSION administrator access" nocase-ignored classtype:attempted-recon sid:908
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CF_SETDATASOURCEUSERNAME()" -j LOG	# "WEB-COLDFUSION datasource username attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:909
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/snippets/fileexists.cfm" -j LOG	# "WEB-COLDFUSION fileexists.cfm access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:910
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/expeval/exprcalc.cfm" -j LOG --log-prefix " cve-CVE-1999-0455 "	# "WEB-COLDFUSION exprcalc access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:911
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/examples/parks/detail.cfm" -j LOG	# "WEB-COLDFUSION parks access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:912
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfappman/index.cfm" -j LOG	# "WEB-COLDFUSION cfappman access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:913
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/examples/cvbeans/beaninfo.cfm" -j LOG	# "WEB-COLDFUSION beaninfo access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:914
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/snippets/evaluate.cfm" -j LOG	# "WEB-COLDFUSION evaluate.cfm access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:915
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_GETODBCDSN()" -j LOG	# "WEB-COLDFUSION getodbcdsn access" nocase-ignored bugtraq,550 classtype:web-application-attack sid:916
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_DBCONNECTIONS_FLUSH()" -j LOG	# "WEB-COLDFUSION db connections flush attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:917
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/expeval/" -j LOG --log-prefix " cve-CAN-1999-0477 "	# "WEB-COLDFUSION expeval access" nocase-ignored bugtraq,550 classtype:attempted-user sid:918
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CF_SETDATASOURCEPASSWORD()" -j LOG	# "WEB-COLDFUSION datasource passwordattempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:919
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CF_ISCOLDFUSIONDATASOURCE()" -j LOG	# "WEB-COLDFUSION datasource attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:920
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_ENCRYPT()" -j LOG	# "WEB-COLDFUSION admin encrypt attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:921
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/expeval/displayopenedfile.cfm" -j LOG	# "WEB-COLDFUSION displayfile access" nocase-ignored bugtraq,550 classtype:web-application-attack sid:922
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_GETODBCINI()" -j LOG	# "WEB-COLDFUSION getodbcin attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:923
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_DECRYPT()" -j LOG	# "WEB-COLDFUSION admin decrypt attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:924
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/examples/mainframeset.cfm" -j LOG	# "WEB-COLDFUSION mainframeset access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:925
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_SETODBCINI()" -j LOG	# "WEB-COLDFUSION set odbc ini attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:926
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_SETTINGS_REFRESH()" -j LOG	# "WEB-COLDFUSION settings refresh attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:927
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/exampleapp/" -j LOG	# "WEB-COLDFUSION exampleapp access" nocase-ignored classtype:attempted-recon sid:928
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_VERIFYMAIL()" -j LOG	# "WEB-COLDFUSION verify mai access" nocase-ignored bugtraq,550 classtype:attempted-user sid:929
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/snippets/" -j LOG	# "WEB-COLDFUSION snippets attempt attempt" nocase-ignored bugtraq,550 classtype:attempted-recon sid:930
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/cfmlsyntaxcheck.cfm" -j LOG	# "WEB-COLDFUSION cfmlsyntaxcheck.cfm access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:931
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/application.cfm" -j LOG --log-prefix " cve-CAN-2000-0189 "	# "WEB-COLDFUSION application.cfm access" nocase-ignored bugtraq,550 arachnids,268 classtype:attempted-recon sid:932
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/onrequestend.cfm" -j LOG --log-prefix " cve-CAN-2000-0189 "	# "WEB-COLDFUSION onrequestend.cfm access" nocase-ignored bugtraq,550 arachnids,269 classtype:attempted-recon sid:933
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/cfide/administrator/startstop.html" --tcp-flags ACK ACK -j LOG	# "WEB-COLDFUSION startstop DOS access" nocase-ignored bugtraq,247 classtype:web-application-attack sid:935
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/snippets/gettempdirectory.cfm" -j LOG	# "WEB-COLDFUSION gettempdirectory.cfm access " nocase-ignored bugtraq,550 classtype:attempted-recon sid:936
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/fp30reg.dll" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2001-0341 "	#Cannot convert: dsize: >258	 "WEB-FRONTPAGE rad overflow attempt" nocase-ignored classtype:web-application-attack arachnids,555 bugtraq,2906 sid:1246
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/fp4areg.dll" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2001-0341 "	#Cannot convert: dsize: >259	 "WEB-FRONTPAGE rad overflow attempt" nocase-ignored bugtraq,2906 classtype:web-application-attack sid:1247
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/fp30reg.dll" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2001-0341 "	# "WEB-FRONTPAGE rad fp30reg.dll access" nocase-ignored classtype:web-application-activity arachnids,555 bugtraq,2906 sid:1248
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/fp4areg.dll" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2001-0341 "	# "WEB-FRONTPAGE frontpage rad fp4areg.dll access" nocase-ignored bugtraq,2906 classtype:web-application-activity sid:1249
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_rpc" -j LOG	# "WEB-FRONTPAGE _vti_rpc access" nocase-ignored bugtraq,2144 classtype:web-application-activity sid:937
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "POST" --string "/author.dll" -j LOG	# "WEB-FRONTPAGE posting" nocase-ignored classtype:web-application-activity sid:939
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/_vti_bin/shtml.dll" --tcp-flags ACK ACK -j LOG	# "WEB-FRONTPAGE shtml.dll" nocase-ignored arachnids,292 classtype:web-application-activity sid:940
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admcgi/contents.htm" -j LOG	# "WEB-FRONTPAGE contents.htm access" nocase-ignored classtype:web-application-activity sid:941
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/orders.htm" -j LOG	# "WEB-FRONTPAGE orders.htm access" nocase-ignored classtype:web-application-activity sid:942
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/fpsrvadm.exe" -j LOG	# "WEB-FRONTPAGE fpsrvadm.exe access" nocase-ignored classtype:web-application-activity sid:943
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/fpremadm.exe" -j LOG	# "WEB-FRONTPAGE fpremadm.exe access" nocase-ignored classtype:web-application-activity sid:944
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admisapi/fpadmin.htm" -j LOG	# "WEB-FRONTPAGE fpadmin.htm access" nocase-ignored classtype:web-application-activity sid:945
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/Fpadmcgi.exe" -j LOG	# "WEB-FRONTPAGE fpadmcgi.exe access" nocase-ignored classtype:web-application-activity sid:946
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/orders.txt" -j LOG	# "WEB-FRONTPAGE orders.txt access" nocase-ignored classtype:web-application-activity sid:947
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/form_results.txt" -j LOG	# "WEB-FRONTPAGE form_results access" nocase-ignored classtype:web-application-activity sid:948
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/registrations.htm" -j LOG	# "WEB-FRONTPAGE registrations.htm access" nocase-ignored classtype:web-application-activity sid:949
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfgqiz.exe" -j LOG	# "WEB-FRONTPAGE cfgwiz.exe access" nocase-ignored classtype:web-application-activity sid:950
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/authors.pwd" -j LOG	# "WEB-FRONTPAGE authors.pwd access" nocase-ignored classtype:web-application-activity sid:951
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_bin/_vti_aut/author.exe" -j LOG	# "WEB-FRONTPAGE author.exe access" nocase-ignored classtype:web-application-activity sid:952
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/administrators.pwd" -j LOG	# "WEB-FRONTPAGE administrators.pwd" nocase-ignored bugtraq,1205 classtype:web-application-activity sid:953
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/form_results.htm" -j LOG	# "WEB-FRONTPAGE form_results.htm access" nocase-ignored classtype:web-application-activity sid:954
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_pvt/access.cnf" -j LOG	# "WEB-FRONTPAGE access.cnf access" nocase-ignored classtype:web-application-activity sid:955
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/register.txt" -j LOG	# "WEB-FRONTPAGE register.txt access" nocase-ignored classtype:web-application-activity sid:956
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/registrations.txt" -j LOG	# "WEB-FRONTPAGE registrations.txt access" nocase-ignored classtype:web-application-activity sid:957
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_pvt/service.cnf" -j LOG	# "WEB-FRONTPAGE service.cnf access" nocase-ignored classtype:web-application-activity sid:958
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/service.pwd" -j LOG	# "WEB-FRONTPAGE service.pwd" nocase-ignored bugtraq,1205 classtype:web-application-activity sid:959
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_pvt/service.stp" -j LOG	# "WEB-FRONTPAGE service.stp access" nocase-ignored classtype:web-application-activity sid:960
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_pvt/services.cnf" -j LOG	# "WEB-FRONTPAGE services.cnf access" nocase-ignored classtype:web-application-activity sid:961
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_bin/shtml.exe" -j LOG --log-prefix " cve-CAN-2000-0413,cve-CAN-2000-0709 "	# "WEB-FRONTPAGE shtml.exe access" nocase-ignored bugtraq,1608 bugtraq,1174 classtype:web-application-activity sid:962
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_pvt/svcacl.cnf" -j LOG	# "WEB-FRONTPAGE svcacl.cnf access" nocase-ignored classtype:web-application-activity sid:963
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/users.pwd" -j LOG	# "WEB-FRONTPAGE users.pwd access" nocase-ignored classtype:web-application-activity sid:964
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "_vti_pvt/writeto.cnf" -j LOG	# "WEB-FRONTPAGE writeto.cnf access" nocase-ignored classtype:web-application-activity sid:965
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "..../" -j LOG --log-prefix " cve-CAN-2000-0153 "	# "WEB-FRONTPAGE fourdots request" nocase-ignored bugtraq,989 arachnids,248 classtype:web-application-attack sid:966
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/dvwssr.dll" -j LOG --log-prefix " cve-CVE-2000-0260 "	# "WEB-FRONTPAGE dvwssr.dll access" nocase-ignored bugtraq,1108 arachnids,271 classtype:web-application-activity sid:967
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/register.htm" -j LOG	# "WEB-FRONTPAGE register.htm access" nocase-ignored classtype:web-application-activity sid:968
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_bin/" -j LOG	# "WEB-FRONTPAGE /_vti_bin/ access" nocase-ignored classtype:web-application-activity sid:1288
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "LOCK " -j LOG	# "WEB-IIS webdav file lock attempt" bugtraq,2736 classtype:web-application-activity sid:969
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".printer" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2001-0241 "	# "WEB-IIS ISAPI .printer access" nocase-ignored arachnids,533 classtype:web-application-activity sid:971
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".ida?" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2000-0071 "	#Cannot convert: dsize:>239	 "WEB-IIS ISAPI .ida attempt" nocase-ignored arachnids,552 classtype:web-application-attack sid:1243
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".ida" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2000-0071 "	# "WEB-IIS ISAPI .ida access" nocase-ignored arachnids,552 classtype:web-application-activity sid:1242
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".idq?" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2000-0071 "	#Cannot convert: dsize:>239	 "WEB-IIS ISAPI .idq attempt" nocase-ignored arachnids,553 classtype:web-application-attack sid:1244
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".idq" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2000-0071 "	# "WEB-IIS ISAPI .idq access" nocase-ignored arachnids,553 classtype:web-application-activity sid:1245
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%2e.asp" -j LOG --log-prefix " cve-CAN-1999-0253 "	# "WEB-IIS %2E-asp access" nocase-ignored bugtraq,1814 classtype:web-application-activity sid:972
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "*.idc" -j LOG --log-prefix " cve-CVE-1999-0874 "	# "WEB-IIS *.idc attempt" nocase-ignored bugtraq,1448 classtype:web-application-attack sid:973
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "..\\.." -j LOG --log-prefix " cve-CAN-1999-0229 "	# "WEB-IIS .... access" bugtraq,2218 classtype:web-application-attack sid:974
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".asp::$data" -j LOG --log-prefix " cve-CVE-1999-0278 "	# "WEB-IIS .asp$data access" nocase-ignored bugtraq,140 classtype:web-application-attack sid:975
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".bat?&" -j LOG --log-prefix " cve-CVE-1999-0233 "	# "WEB-IIS .bat? access" nocase-ignored bugtraq,2023 classtype:web-application-activity sid:976
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".cnf" --tcp-flags ACK ACK -j LOG	# "WEB-IIS .cnf access" nocase-ignored classtype:web-application-activity sid:977
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%20&CiRestriction=none&CiHiliteType=Full" -j LOG --log-prefix " cve-CAN-2000-0302 "	# "WEB-IIS ASP contents view" bugtraq,1084 classtype:web-application-attack sid:978
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/null.htw?CiWebHitsFile" -j LOG	# "WEB-IIS ASP contents view" bugtraq,1861 classtype:web-application-activity sid:979
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/CGImail.exe" -j LOG --log-prefix " cve-CAN-2000-0726 "	# "WEB-IIS CGImail.exe access" nocase-ignored bugtraq,1623 classtype:web-application-activity sid:980
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/scripts/..%c0%af../" --tcp-flags ACK ACK -j LOG	# "WEB-IIS File permission canonicalization" nocase-ignored classtype:web-application-attack sid:981
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/scripts/..%c1%1c../" --tcp-flags ACK ACK -j LOG	# "WEB-IIS File permission canonicalization" nocase-ignored classtype:web-application-attack sid:982
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/scripts/..%c1%9c../" --tcp-flags ACK ACK -j LOG	# "WEB-IIS File permission canonicalization" nocase-ignored classtype:web-application-attack sid:983
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/samples/ctguestb.idc" -j LOG --log-prefix " cve-CVE-1999-0874 "	# "WEB-IIS JET VBA access" nocase-ignored bugtraq,307 classtype:web-application-activity sid:984
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/samples/details.idc" -j LOG --log-prefix " cve-CVE-1999-0874 "	# "WEB-IIS JET VBA access" nocase-ignored bugtraq,286 classtype:web-application-activity sid:985
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/proxy/w3proxy.dll" -j LOG	# "WEB-IIS MSProxy access" nocase-ignored classtype:web-application-activity sid:986
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "BBBB.htrHTTP" -j LOG	# "WEB-IIS Overflow-htr access" nocase-ignored classtype:web-application-attack sid:987
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "sam._" -j LOG	# "WEB-IIS SAM Attempt" nocase-ignored classtype:web-application-attack sid:988
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/sensepost.exe" --tcp-flags ACK ACK -j LOG	# "WEB-IIS Unicode2.pl script (File permission canonicalization)" nocase-ignored classtype:web-application-activity sid:989
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "_vti_inf.html" -j LOG	# "WEB-IIS _vti_inf access" nocase-ignored classtype:web-application-activity sid:990
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/iisadmpwd/achg.htr" -j LOG --log-prefix " cve-CVE-1999-0407 "	# "WEB-IIS achg.htr access" nocase-ignored bugtraq,2110 classtype:web-application-activity sid:991
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/msadc/samples/adctest.asp" -j LOG	# "WEB-IIS adctest.asp access" nocase-ignored classtype:web-application-activity sid:992
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/iisadmin" -j LOG	# "WEB-IIS admin access" nocase-ignored classtype:web-application-attack sid:993
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/iisadmin/default.htm" -j LOG	# "WEB-IIS admin-default access" nocase-ignored classtype:web-application-attack sid:994
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/iisadmin/ism.dll?http/dir" -j LOG --log-prefix " cve-CVE-2000-0630 "	# "WEB-IIS admin.dll access" nocase-ignored bugtraq,189 classtype:web-application-attack sid:995
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/iisadmpwd/anot" -j LOG --log-prefix " cve-CAN-1999-0407 "	# "WEB-IIS anot.htr access" nocase-ignored bugtraq,2110 classtype:web-application-activity sid:996
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".asp." -j LOG	# "WEB-IIS asp-dot attempt" nocase-ignored classtype:web-application-attack sid:997
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "#filename=*.asp" -j LOG	# "WEB-IIS asp-srch attempt" nocase-ignored classtype:web-application-attack sid:998
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/iisadmin/bdir.htr" -j LOG	# "WEB-IIS bdir access" nocase-ignored classtype:web-application-activity sid:999
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/bdir.htr" --tcp-flags ACK ACK -j LOG	# "WEB-IIS bdir.ht access" nocase-ignored classtype:web-application-activity sid:1000
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "cmd.exe" -j LOG	# "WEB-IIS cmd.exe access" nocase-ignored classtype:web-application-attack sid:1002
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".cmd?&" -j LOG	# "WEB-IIS cmd? acess" nocase-ignored classtype:web-application-attack sid:1003
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/iissamples/exair/howitworks/codebrws.asp" -j LOG --log-prefix " cve-CVE-1999-0499 "	# "WEB-IIS codebrowser Exair access" nocase-ignored classtype:web-application-activity sid:1004
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/iissamples/sdk/asp/docs/codebrws.asp" -j LOG	# "WEB-IIS codebrowser SDK access" nocase-ignored bugtraq,167 classtype:web-application-activity sid:1005
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/Form_JScript.asp" --tcp-flags ACK ACK -j LOG	# "WEB-IIS cross-site scripting attempt" nocase-ignored classtype:web-application-attack sid:1007
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "&del+/s+c:\*.*" -j LOG	# "WEB-IIS del attempt" nocase-ignored classtype:web-application-attack sid:1008
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/ServerVariables_Jscript.asp" --tcp-flags ACK ACK -j LOG	# "WEB-IIS directory listing" nocase-ignored classtype:web-application-attack sid:1009
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%1u" -j LOG	# "WEB-IIS encoding access" arachnids,200 classtype:web-application-activity sid:1010
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "#filename=*.exe" -j LOG	# "WEB-IIS exec-src access" nocase-ignored classtype:web-application-activity sid:1011
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/fpcount.exe" --string "Digits=-" -j LOG	# "WEB-IIS fpcount attempt" nocase-ignored bugtraq,2252 classtype:web-application-attack sid:1012
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/fpcount.exe" -j LOG	# "WEB-IIS fpcount access" nocase-ignored bugtraq,2252 classtype:web-application-activity sid:1013
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/tools/getdrvrs.exe" -j LOG	# "WEB-IIS getdrvrs access" nocase-ignored classtype:web-application-activity sid:1014
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/tools/getdrvs.exe" -j LOG	# "WEB-IIS getdrvs.exe access" nocase-ignored classtype:web-application-activity sid:1015
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "global.asa" -j LOG	# "WEB-IIS global-asa access" nocase-ignored classtype:web-application-activity sid:1016
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "#filename=*.idc" -j LOG --log-prefix " cve-CVE-1999-0874 "	# "WEB-IIS idc-srch attempt" nocase-ignored classtype:web-application-attack sid:1017
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/iisadmpwd/aexp" -j LOG --log-prefix " cve-CVE-2000-0303 "	# "WEB-IIS iisadmpwd attempt" nocase-ignored bugtraq,2110 classtype:web-application-attack sid:1018
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?CiWebHitsFile=/" --string "&CiRestriction=none&CiHiliteType=Full" -j LOG	# "WEB-IIS index server file sourcecode attempt" classtype:web-application-attack sid:1019
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".idc::$data" -j LOG --log-prefix " cve-CVE-1999-0874 "	# "WEB-IIS isc$data attempt" nocase-ignored bugtraq,307 classtype:web-application-attack sid:1020
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%20%20%20%20%20.htr" -j LOG --log-prefix " cve-CAN-2000-0457 "	# "WEB-IIS ism.dll attempt" nocase-ignored bugtraq,1193 classtype:web-application-attack sid:1021
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/advworks/equipment/catalog_type.asp" -j LOG --log-prefix " cve-CVE-1999-0874 "	# "WEB-IIS jet vba access" nocase-ignored bugtraq,286 classtype:web-application-activity sid:1022
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/msadc/msadcs.dll" -j LOG --log-prefix " cve-CVE-1999-1011 "	# "WEB-IIS msadc/msadcs.dll access" nocase-ignored bugtraq,529 classtype:web-application-activity sid:1023
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/tools/newdsn.exe" -j LOG --log-prefix " cve-CVE-1999-0191 "	# "WEB-IIS newdsn.exe access" nocase-ignored bugtraq,1818 classtype:web-application-activity sid:1024
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/perl" -j LOG	# "WEB-IIS perl access" nocase-ignored classtype:web-application-activity sid:1025
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%0a.pl" -j LOG	# "WEB-IIS perl-browse0a attempt" nocase-ignored classtype:web-application-attack sid:1026
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%20.pl" -j LOG	# "WEB-IIS perl-browse20 attempt" nocase-ignored classtype:web-application-attack sid:1027
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/issamples/query.asp" -j LOG --log-prefix " cve-CVE-1999-0449 "	# "WEB-IIS query.asp access" nocase-ignored bugtraq,193 classtype:web-application-activity sid:1028
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/ " -j LOG	# "WEB-IIS scripts-browse access" nocase-ignored classtype:web-application-attack sid:1029
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/search97.vts" -j LOG	# "WEB-IIS search97.vts access" bugtraq,162 classtype:web-application-activity sid:1030
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/SiteServer/Publishing/viewcode.asp" --tcp-flags ACK ACK -j LOG	# "WEB-IIS showcode access" nocase-ignored classtype:web-application-activity sid:1031
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/Sites/Knowledge/Membership/Inspired/ViewCode.asp" --tcp-flags ACK ACK -j LOG	# "WEB-IIS showcode access" nocase-ignored classtype:web-application-activity sid:1032
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp" --tcp-flags ACK ACK -j LOG	# "WEB-IIS showcode access" nocase-ignored classtype:web-application-activity sid:1033
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp" --tcp-flags ACK ACK -j LOG	# "WEB-IIS showcode access" nocase-ignored classtype:web-application-activity sid:1034
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/Sites/Samples/Knowledge/Push/ViewCode.asp" --tcp-flags ACK ACK -j LOG	# "WEB-IIS showcode access" nocase-ignored classtype:web-application-activity sid:1035
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/Sites/Samples/Knowledge/Search/ViewCode.asp" --tcp-flags ACK ACK -j LOG	# "WEB-IIS showcode access" nocase-ignored classtype:web-application-activity sid:1036
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/selector/showcode.asp" -j LOG --log-prefix " cve-CAN-1999-0736 "	# "WEB-IIS showcode.asp access" nocase-ignored classtype:web-application-activity sid:1037
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/adsamples/config/site.csc" -j LOG	# "WEB-IIS site server config access" nocase-ignored bugtraq,256 classtype:web-application-activity sid:1038
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/samples/isapi/srch.htm" -j LOG	# "WEB-IIS srch.htm access" nocase-ignored classtype:web-application-activity sid:1039
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/srchadm" -j LOG	# "WEB-IIS srchadm access" nocase-ignored classtype:web-application-activity sid:1040
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/uploadn.asp" -j LOG	# "WEB-IIS uploadn.asp access" nocase-ignored classtype:web-application-activity sid:1041
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "Translate: F" -j LOG	# "WEB-IIS view source via translate header" nocase-ignored arachnids,305 classtype:web-application-activity sid:1042
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/viewcode.asp" --tcp-flags ACK ACK -j LOG	# "WEB-IIS viewcode.asp access" nocase-ignored classtype:web-application-activity sid:1043
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".htw" --tcp-flags ACK ACK -j LOG	#Cannot convert: dsize: >400	 "WEB-IIS webhits access" arachnids,237 classtype:web-application-activity sid:1044
iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 80 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "403" --string "Forbidden:" -j LOG	# "WEB-IIS Unauthorized IP Access Attempt" classtype:web-application-attack sid:1045
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/site/iisamples" -j LOG	# "WEB-IIS site/iisamples access" nocase-ignored classtype:web-application-activity sid:1046
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "scripts/root.exe?" -j LOG	# "WEB-IIS CodeRed v2 root.exe access" nocase-ignored classtype:web-application-attack sid: 1256
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/exchange/LogonFrm.asp?" --string "mailbox=" --string "%%%" -j LOG	# "WEB-IIS outlook web dos" nocase-ignored nocase-ignored classtype:web-application-attack bugtraq,3223 sid:1283
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%5c" --string ".." -j LOG --log-prefix " cve-CAN-2001-0333 "	# "WEB-IIS multiple decode attempt" classtype:web-application-attack sid:970
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/msdac/" -j LOG	# "WEB-IIS msdac access" nocase-ignored classtype:web-application-activity sid:1285
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_mem_bin/" -j LOG	# "WEB-IIS _mem_bin access" nocase-ignored classtype:web-application-activity sid:1286
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/" -j LOG	# "WEB-IIS scripts access" nocase-ignored classtype:web-application-activity sid:1287
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/level/" --string "/exec/" --tcp-flags ACK ACK -j LOG	# "WEB-MISC Cisco IOS HTTP configuration attempt" classtype:web-application-attack bugtraq,2936 sid:1250
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "REVLOG / " --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2001-0251 "	# "WEB-MISC Netscape Enterprise DOS" bugtraq,2294 classtype:web-application-attack sid:1047
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "INDEX " --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-2001-0250 "	# "WEB-MISC Netscape Enterprise directory listing attempt" bugtraq,2285 classtype:web-application-attack sid:1048
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "GET " --string "/../../../../../../../../../../../" --tcp-flags ACK ACK -j LOG	# "WEB-MISC iPlanet ../../ DOS attempt" classtype:web-application-attack sid:1049
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "GETPROPERTIES" -j LOG	# "WEB-MISC iPlanet GETPROPERTIES attempt" classtype:web-application-attack sid:1050
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/technote/main.cgi" --string "filename=" --string "../../" -j LOG --log-prefix " cve-CVE-2001-0075 "	# "WEB-MISC technote main.cgi file directory traversal attempt" nocase-ignored nocase-ignored bugtraq,2156 classtype:web-application-attack sid:1051
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/technote/print.cgi" --string "board=" --string "../../" --string "%00" -j LOG --log-prefix " cve-CAN-2001-0075 "	# "WEB-MISC technote print.cgi directory traversal attempt" nocase-ignored nocase-ignored bugtraq,2156 classtype:web-application-attack sid:1052
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ads.cgi" --string "file=" --string "../../" --string " -j LOG --log-prefix " cve-CAN-2001-0025 "	#Cannot convert: misconvert on quoted pipe: sid:1053	 "WEB-MISC ads.cgi command execution attempt" nocase-ignored nocase-ignored bugtraq,2103 classtype:web-application-attack sid:1053
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".js%70" -j LOG	# "WEB-MISC weblogic view source attempt" bugtraq,2527 classtype:web-application-attack sid:1054
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%00.jsp" -j LOG	# "WEB-MISC tomcat directory traversal attempt" bugtraq,2518 classtype:web-application-attack sid:1055
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%252ejsp" -j LOG	# "WEB-MISC tomcat view source attempt" bugtraq,2527 classtype:web-application-attack sid:1056
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "ftp.exe" -j LOG	# "WEB-MISC ftp attempt" nocase-ignored classtype:web-application-activity sid:1057
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "xp_enumdsn" -j LOG	# "WEB-MISC enumdsn attempt" nocase-ignored classtype:web-application-attack sid:1058
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "xp_filelist" -j LOG	# "WEB-MISC filelist attempt" nocase-ignored classtype:web-application-attack sid:1059
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "xp_availablemedia" -j LOG	# "WEB-MISC availablemedia attempt" nocase-ignored classtype:web-application-attack sid:1060
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "xp_cmdshell" -j LOG	# "WEB-MISC cmdshell attempt" nocase-ignored classtype:web-application-attack sid:1061
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "nc.exe" -j LOG	# "WEB-MISC nc.exe attempt" nocase-ignored classtype:web-application-activity sid:1062
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "csh.exe" -j LOG	# "WEB-MISC csh attempt" nocase-ignored classtype:web-application-activity sid:1063
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "wsh.exe" -j LOG	# "WEB-MISC wsh attempt" nocase-ignored classtype:web-application-activity sid:1064
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "rcmd.exe" -j LOG	# "WEB-MISC rcmd attempt" nocase-ignored classtype:web-application-activity sid:1065
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "telnet.exe" -j LOG	# "WEB-MISC telnet attempt" nocase-ignored classtype:web-application-activity sid:1066
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "net.exe" -j LOG	# "WEB-MISC net attempt" nocase-ignored classtype:web-application-activity sid:1067
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "tftp.exe" -j LOG	# "WEB-MISC tftp attempt" nocase-ignored classtype:web-application-activity sid:1068
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "xp_regread" -j LOG	# "WEB-MISC regread attempt" nocase-ignored classtype:web-application-activity sid:1069
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "SEARCH " -j LOG	# "WEB-MISC webdav search access" nocase-ignored arachnids,474 classtype:web-application-activity sid:1070
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".htpasswd" -j LOG	# "WEB-MISC .htpasswd access" nocase-ignored classtype:web-application-attack sid:1071
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".nsf/" --string "../" --tcp-flags ACK ACK -j LOG	# "WEB-MISC Lotus Domino directory traversal" nocase-ignored classtype:web-application-attack sid:1072
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/samples/search/webhits.exe" -j LOG	# "WEB-MISC webhits.exe access" nocase-ignored classtype:web-application-activity sid:1073
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/postinfo.asp" -j LOG	# "WEB-MISC postinfo.asp access" nocase-ignored classtype:web-application-activity sid:1075
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/repost.asp" -j LOG	# "WEB-MISC repost.asp access" nocase-ignored classtype:web-application-activity sid:1076
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/samples/search/queryhit.htm" -j LOG	# "WEB-MISC queryhit.htm access" nocase-ignored classtype:web-application-activity sid:1077
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/counter.exe" -j LOG	# "WEB-MISC counter.exe access" nocase-ignored bugtraq,267 classtype:web-application-activity sid:1078
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "<a:propfind" --string "xmlns:a="DAV">" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CVE-2000-0869 "	# "WEB-MISC webdav propfind access" nocase-ignored nocase-ignored classtype:web-application-activity sid:1079
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "(com.unify.servletexec.UploadServlet" --tcp-flags ACK ACK -j LOG	# "WEB-MISC unify eWave ServletExec upload" nocase-ignored classtype:web-application-attack sid:1080 bugtraq,1868
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/dsgw/bin/search?context=" -j LOG	# "WEB-MISC netscape servers suite DOS" nocase-ignored classtype:web-application-attack sid:1081 bugtraq,1868
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "ref%3Cscript%20language%3D%22Javascript" -j LOG --log-prefix " cve-CVE-2000-0439 "	# "WEB-MISC amazon 1-click cookie theft" nocase-ignored classtype:web-application-attack sid:1082 bugtraq,1194
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/servlet/ServletExec" -j LOG	# "WEB-MISC unify eWave ServletExec DOS" classtype:web-application-activity sid:1083
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "servlet/......." -j LOG	# "WEB-MISC Allaire JRUN DOS attempt" nocase-ignored classtype:web-application-attack sid:1084 bugtraq,2337
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "ºIþÿÿ÷Ò¹¿ÿÿÿ÷Ñ" -j LOG	# "WEB-MISC PHP strings overflow" bugtraq,802 arachnids,431 classtype:web-application-attack sid:1085
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?STRENGUR " -j LOG	# "WEB-MISC PHP strings overflow" arachnids,430 classtype:web-application-attack sid:1086
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/web_store.cgi" --string "page=../" -j LOG	# "WEB-MISC eXtropia webstore directory traversal" bugtraq,1774 classtype:web-application-attack sid:1088
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/shop.cgi" --string "page=../" -j LOG	# "WEB-MISC shopping cart directory traversal" bugtraq,1777 classtype:web-application-attack sid:1089
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/authenticate.cgi?PASSWORD" --string "config.ini" -j LOG	# "WEB-MISC Allaire Pro Web Shell attempt" classtype:web-application-attack sid:1090
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "??????????" -j LOG	# "WEB-MISC ICQ Webfront HTTP DOS" classtype:web-application-attack sid:1091
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/search.cgi?keys" --string "catigory=../" -j LOG	# "WEB-MISC Armada Style Master Index directory traversal" classtype:web-application-attack sid:1092
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cached_feed.cgi" --string "../" -j LOG	# "WEB-MISC moreover shopping cart directory traversal" bugtraq,1762 classtype:web-application-attack sid:1093
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/web_store.cgi?page=../.." --tcp-flags ACK ACK -j LOG	# "WEB-MISC webstore directory traversal" classtype:web-application-attack sid:1094
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webplus.exe?script=test.wml" -j LOG	# "WEB-MISC Talentsoft Web+ Source Code view access" bugtraq,1722 classtype:web-application-attack sid:1095
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webplus.exe?about" -j LOG	# "WEB-MISC Talentsoft Web+ internal IP Address access" bugtraq,1720 classtype:web-application-activity sid:1096
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webplus.cgi?Script=/webplus/webping/webping.wml" -j LOG	# "WEB-MISC Talentsoft Web+ exploit attempt" bugtraq,1725 classtype:web-application-attack sid:1097
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "_private/shopping_cart.mdb" -j LOG	# "WEB-MISC SmartWin CyberOffice Shopping Cart access" bugtraq,1734 classtype:web-application-attack sid:1098
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cybercop" -j LOG	# "WEB-MISC cybercop scan" nocase-ignored arachnids,374 classtype:web-application-activity sid:1099
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "User-Agent: Java1.2.1" --tcp-flags ACK ACK -j LOG	# "WEB-MISC L3retriever HTTP Probe" arachnids,310 classtype:web-application-activity sid:1100
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "User-Agent: Webtrends Security Analyzer" --tcp-flags ACK ACK -j LOG	# "WEB-MISC Webtrends HTTP probe" arachnids,309 classtype:web-application-activity sid:1101
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/nessus_is_probing_you_" -j LOG	# "WEB-MISC Nessus 404 probe" arachnids,301 classtype:web-application-activity sid:1102
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admin-serv/config/admpw" -j LOG	# "WEB-MISC netscape admin passwd" nocase-ignored bugtraq,1579 classtype:web-application-attack sid:1103
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bb-hostsvc.sh?HOSTSVC" -j LOG	# "WEB-MISC BigBrother access" nocase-ignored classtype:attempted-recon sid:1105
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/pollit/Poll_It_SSI_v2.0.cgi" -j LOG --log-prefix " cve-CAN-2000-0590 "	# "WEB-MISC Poll-it access" nocase-ignored bugtraq,1431 classtype:attempted-recon sid:1106
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ftp.pl" -j LOG	# "WEB-MISC ftp.pl access" nocase-ignored bugtraq,1471 classtype:attempted-recon sid:1107
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/jsp/snp/anything.snp" -j LOG --log-prefix " cve-CAN-2000-0760 "	# "WEB-MISC tomcat server snoop access" nocase-ignored bugtraq,1532 classtype:attempted-recon sid:1108
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/%00/" -j LOG --log-prefix " cve-CVE-2000-0671 "	# "WEB-MISC ROXEN directory list attempt" nocase-ignored bugtraq,1510 classtype:attempted-recon sid:1109
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/site/eg/source.asp" -j LOG --log-prefix " cve-CVE-2000-0628 "	# "WEB-MISC apache source.asp file access" nocase-ignored bugtraq,1457 classtype:attempted-recon sid:1110
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/contextAdmin/contextAdmin.html" -j LOG	# "WEB-MISC tomcat server exploit access" nocase-ignored classtype:attempted-recon sid:1111
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "..\" -j LOG	#Cannot convert: Mishandled quotes	 "WEB-MISC http directory traversal" arachnids,298 classtype:attempted-recon sid:1112
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "get //" -j LOG	# "WEB-MISC prefix-get //" nocase-ignored classtype:attempted-recon sid:1114
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".html/......" -j LOG --log-prefix " cve-CVE-1999-0474 "	# "WEB-MISC ICQ webserver DOS" nocase-ignored classtype:attempted-dos sid:1115
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?DeleteDocument" -j LOG	# "WEB-MISC Lotus DelDoc attempt" nocase-ignored classtype:attempted-recon sid:1116
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?EditDocument" -j LOG	# "WEB-MISC Lotus EditDoc attempt" nocase-ignored classtype:attempted-recon sid:1117
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "ls%20-l" -j LOG	# "WEB-MISC ls%20-l" nocase-ignored classtype:attempted-recon sid:1118
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/mlog.phtml" -j LOG --log-prefix " cve-CVE-1999-0346 "	# "WEB-MISC mlog.phtml access" nocase-ignored bugtraq,713 classtype:attempted-recon sid:1119
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/mylog.phtml" -j LOG --log-prefix " cve-CVE-1999-0346 "	# "WEB-MISC mylog.phtml access" nocase-ignored bugtraq,713 classtype:attempted-recon sid:1120
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cgi-dos/args.bat" -j LOG	# "WEB-MISC O'Reilly args.bat access" nocase-ignored classtype:attempted-recon sid:1121
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/etc/passwd" -j LOG	# "WEB-MISC /etc/passwd" nocase-ignored classtype:attempted-recon sid:1122
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?PageServices" -j LOG --log-prefix " cve-CVE-1999-0269 "	# "WEB-MISC PageService access" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1123
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/config/check.txt" -j LOG	# "WEB-MISC Ecommerce check.txt access" nocase-ignored classtype:attempted-recon sid:1124
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webcart/" -j LOG	# "WEB-MISC webcart access" nocase-ignored classtype:attempted-recon sid:1125
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "_AuthChangeUrl?" -j LOG	# "WEB-MISC AuthChangeUr access" nocase-ignored classtype:attempted-recon sid:1126
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/convert.bas" -j LOG --log-prefix " cve-CVE-1999-0175 "	# "WEB-MISC convert.bas access" nocase-ignored bugtraq,2025 classtype:attempted-recon sid:1127
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/cpshost.dll" -j LOG	# "WEB-MISC cpshost.dll access" nocase-ignored classtype:attempted-recon sid:1128
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".htaccess" -j LOG	# "WEB-MISC .htaccess access" nocase-ignored classtype:attempted-recon sid:1129
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".wwwacl" -j LOG	# "WEB-MISC .wwwacl access" nocase-ignored classtype:attempted-recon sid:1130
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".www_acl" -j LOG	# "WEB-MISC .wwwacl access" nocase-ignored classtype:attempted-recon sid:1131
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 457 -m string --string "ë_šÿÿÿÿÿÃ^1À‰F" --tcp-flags ACK ACK -j LOG	# "WEB-MISC netscape unixware overflow" arachnids,180 classtype:attempted-recon sid:1132
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 -m string --string "AAAAAAAAAAAAAAAA" --tcp-flags ALL FIN,PSH,SYN -j LOG	#Cannot convert: ack: 0	 "SCAN cybercop os probe" arachnids,145 classtype:attempted-recon sid:1133
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admin.php3" -j LOG	# "WEB-MISC Phorum admin access" nocase-ignored bugtraq,2271 arachnids,205 classtype:attempted-recon sid:1134
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "cd.." -j LOG	# "WEB-MISC cd.." nocase-ignored classtype:attempted-recon sid:1136
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "PHP_AUTH_USER=boogieman" -j LOG	# "WEB-MISC Phorum auth access" nocase-ignored bugtraq,2274 arachnids,206 classtype:attempted-recon sid:1137
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string " /%%" -j LOG	# "WEB-MISC Cisco Web DOS attempt" arachnids,275 classtype:attempted-dos sid:1138
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/guestbook" -j LOG --log-prefix " cve-CVE-1999-0237 "	# "WEB-MISC guestbook access" nocase-ignored bugtraq,776 arachnids,228 classtype:attempted-recon sid:1140
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/handler" -j LOG --log-prefix " cve-CVE-1999-0148 "	# "WEB-MISC handler access" nocase-ignored bugtraq,380 arachnids,235 classtype:attempted-recon sid:1141
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/...." -j LOG	# "WEB-MISC /...." classtype:attempted-recon sid:1142
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "///cgi-bin" -j LOG	# "WEB-MISC ///cgi-bin" nocase-ignored classtype:attempted-recon sid:1143
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cgi-bin///" -j LOG	# "WEB-MISC /cgi-bin/// access" nocase-ignored classtype:attempted-recon sid:1144
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/~root/" -j LOG	# "WEB-MISC /~root" nocase-ignored classtype:attempted-recon sid:1145
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/config/import.txt" -j LOG	# "WEB-MISC Ecommerce import.txt access" nocase-ignored classtype:attempted-recon sid:1146
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "cat%20" -j LOG --log-prefix " cve-CVE-1999-0039 "	# "WEB-MISC cat%20 access" nocase-ignored bugtraq,374 classtype:attempted-recon sid:1147
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/orders/import.txt" -j LOG	# "WEB-MISC Ecommerce import.txt access" nocase-ignored classtype:attempted-recon sid:1148
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/count.cgi" -j LOG --log-prefix " cve-CVE-1999-0021 "	# "WEB-MISC count.cgi access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:1149
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/catalog.nsf" -j LOG	# "WEB-MISC Domino catalog.ns access" nocase-ignored classtype:attempted-recon sid:1150
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/domcfg.nsf" -j LOG	# "WEB-MISC Domino domcfg.nsf access" nocase-ignored classtype:attempted-recon sid:1151
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/domlog.nsf" -j LOG	# "WEB-MISC Domino domlog.nsf access" nocase-ignored classtype:attempted-recon sid:1152
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/log.nsf" -j LOG	# "WEB-MISC Domino log.nsf access" nocase-ignored classtype:attempted-recon sid:1153
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/names.nsf" -j LOG	# "WEB-MISC Domino names.nsf access" nocase-ignored classtype:attempted-recon sid:1154
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/orders/checks.txt" -j LOG	# "WEB-MISC Ecommerce checks.txt access" nocase-ignored classtype:attempted-recon sid:1155
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "////////" -j LOG	# "WEB-MISC apache DOS attempt" classtype:attempted-dos sid:1156
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/PSUser/PSCOErrPage.htm?" -j LOG --log-prefix " cve-CAN-2000-1196 "	# "WEB-MISC netscape PublishingXpert 2 Exploit" nocase-ignored classtype:attempted-recon sid:1157
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/windmail.exe" --string "-n" --string "mail" -j LOG --log-prefix " cve-CAN-2000-0242 "	# "WEB-MISC windmail access" nocase-ignored nocase-ignored bugtraq,1073 arachnids,465 classtype:attempted-recon sid:1158
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "webplus?script" --tcp-flags ACK ACK -j LOG	# "WEB-MISC webplus access" nocase-ignored classtype:attempted-recon sid:1159
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-" -j LOG --log-prefix " cve-CVE-2000-0236 "	# "WEB-MISC netscape dir index wp" nocase-ignored bugtraq,1063 arachnids,270 classtype:attempted-recon sid:1160
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/passwd.php3" -j LOG --log-prefix " cve-CVE-2000-0322 "	# "WEB-MISC piranha passwd.php3 access" bugtraq,1149 arachnids,272 classtype:attempted-recon sid:1161
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/c32web.exe/ChangeAdminPassword" -j LOG	# "WEB-MISC cart 32 AdminPwd access" nocase-ignored bugtraq,1153 classtype:attempted-recon sid:1162
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/webdist.cgi" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CVE-1999-0039 "	# "WEB-MISC webdist.cgi access" nocase-ignored bugtraq,374 classtype:attempted-recon sid:1163
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/quikstore.cfg" --tcp-flags ACK ACK -j LOG	# "WEB-MISC shopping cart access access" nocase-ignored classtype:attempted-recon sid:1164
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/GWWEB.EXE?HELP=" -j LOG --log-prefix " cve-CAN-1999-1006 "	# "WEB-MISC novell groupwise gwweb.exe access" nocase-ignored bugtraq,879 classtype:attempted-recon sid:1165
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/ws_ftp.ini" --tcp-flags ACK ACK -j LOG	# "WEB-MISC ws_ftp.ini access" nocase-ignored classtype:attempted-recon sid:1166
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/rmp_query" -j LOG --log-prefix " cve-CVE-2000-0192 "	# "WEB-MISC rpm_query access" nocase-ignored bugtraq,1036 classtype:attempted-recon sid:1167
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/mall_log_files/order.log" --tcp-flags ACK ACK -j LOG	# "WEB-MISC mall log order access" nocase-ignored classtype:attempted-recon sid:1168
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/bigconf.cgi" --tcp-flags ACK ACK -j LOG	# "WEB-MISC bigconf.cgi access" nocase-ignored classtype:attempted-recon sid:1172
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/ews/architext_query.pl" --tcp-flags ACK ACK -j LOG	# "WEB-MISC architext_query.pl access" nocase-ignored classtype:attempted-recon sid:1173
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/cgi-bin/jj" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CVE-1999-0260 "	# "WEB-MISC /cgi-bin/jj attempt" nocase-ignored bugtraq,2002 classtype:attempted-recon sid:1174
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/wwwboard.pl" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CVE-1999-0953 "	# "WEB-MISC wwwboard.pl access" nocase-ignored bugtraq,1795 classtype:attempted-recon sid:1175
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/admin_files/order.log" --tcp-flags ACK ACK -j LOG	# "WEB-MISC order.log access" nocase-ignored classtype:attempted-recon sid:1176
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-verify-link" -j LOG	# "WEB-MISC netscape enterprise server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1177
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/read.php3" -j LOG	# "WEB-MISC Phorum read access" nocase-ignored arachnids,208 classtype:attempted-recon sid:1178
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/violation.php3" -j LOG	# "WEB-MISC Phorum violation access" nocase-ignored bugtraq,2272 arachnids,209 classtype:attempted-recon sid:1179
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/get32.exe" -j LOG	# "WEB-MISC get32.exe access" nocase-ignored bugtraq,1485 arachnids,258 classtype:attempted-recon sid:1180
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ping?query" -j LOG	#Cannot convert: dsize:>1446	 "WEB-MISC Annex Terminal DOS attempt" arachnids,260 classtype:attempted-dos sid:1181
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/cgitest.exeuser" --tcp-flags ACK ACK -j LOG	# "WEB-MISC cgitest.exe attempt" nocase-ignored arachnids,265 classtype:attempted-recon sid:1182
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-cs-dump" -j LOG	# "WEB-MISC netscape enterprise server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1183
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-ver-info" -j LOG	# "WEB-MISC netscape enterprise server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1184
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bizdb1-search.cgi" --string "mail" -j LOG --log-prefix " cve-CAN-2000-0287 "	# "WEB-MISC bizdbsearch access" nocase-ignored bugtraq,1104 classtype:attempted-recon sid:1185
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-ver-diff" -j LOG	# "WEB-MISC netscape enterprise server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1186
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/slxweb.dll/admin?command=" -j LOG --log-prefix " cve-CAN-2000-0289 "	# "WEB-MISC SalesLogix Eviewer web shutdown acess" nocase-ignored bugtraq,1089 classtype:attempted-recon sid:1187
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-start-ver" -j LOG	# "WEB-MISC netscape enterprise server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1188
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-stop-ver" -j LOG	# "WEB-MISC netscape enterprise server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1189
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-uncheckout" -j LOG	# "WEB-MISC netscape enterprise server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1190
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-html-rend" -j LOG	# "WEB-MISC netscape enterprise server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1191
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/officescan/cgi/jdkRqNotify.exe?" -j LOG	# "WEB-MISC Trend Micro OfficeScan access" nocase-ignored bugtraq,1057 classtype:attempted-recon sid:1192
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ows-bin/&" -j LOG --log-prefix " cve-CVE-2000-0169 "	# "WEB-MISC oracle web listener batch access" nocase-ignored bugtraq,1053 classtype:attempted-recon sid:1193
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/sojourn.cgi?cat=" --string "%00" -j LOG --log-prefix " cve-CAN-2000-0180 "	# "WEB-MISC Sojourn File attempt" nocase-ignored bugtraq,1052 classtype:attempted-user sid:1194
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/sojourn.cgi" -j LOG --log-prefix " cve-CAN-2000-0180 "	# "WEB-MISC Sojourn access" nocase-ignored bugtraq,1052 classtype:attempted-recon sid:1195
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/infosrch.cgi?" --string "fname=" -j LOG --log-prefix " cve-CVE-2000-0207 "	# "WEB-MISC SGI InfoSearch fname access" nocase-ignored bugtraq,1031 arachnids,290 classtype:attempted-recon sid:1196
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/code.php3" -j LOG	# "WEB-MISC Phorum code access" nocase-ignored arachnids,207 classtype:attempted-recon sid:1197
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-usr-prop" -j LOG	# "WEB-MISC netscape enterprise server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1198
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 2301 -m string --string "../" -j LOG --log-prefix " cve-CVE-1999-0771 "	# "WEB-MISC compaq nsight directory traversal" bugtraq,282 arachnids,244 classtype:attempted-recon sid:1199
iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 80 -d $EXTERNAL_NET -m string --string "Invalid URL" --tcp-flags ACK ACK -j LOG	# "WEB-MISC Invalid URL" nocase-ignored classtype:attempted-recon sid:1200
iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 80 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "HTTP/1.1 403" -j LOG	# "WEB-MISC 403 Forbidden" classtype:attempted-recon sid:1201
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/search.vts" -j LOG	# "WEB-MISC search.vts access" classtype:attempted-recon sid:1202
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ax-admin.cgi" -j LOG	# "WEB-MISC ax-admin.cgi access" classtype:attempted-recon sid:1204
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/axs.cgi" -j LOG	# "WEB-MISC axs.cgi access" classtype:attempted-recon sid:1205
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cachemgr.cgi" -j LOG	# "WEB-MISC cachemgr.cgi access" classtype:attempted-recon sid:1206
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/htgrep" -j LOG	# "WEB-MISC htgrep access" classtype:attempted-recon sid:1207
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/responder.cgi" -j LOG	# "WEB-MISC responder.cgi access" classtype:attempted-recon sid:1208
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/.nsconfig" -j LOG	# "WEB-MISC .nsconfig access" classtype:attempted-recon sid:1209
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/web-map.cgi" -j LOG	# "WEB-MISC web-map.cgi access" classtype:attempted-recon sid:1211
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admin_files" -j LOG	# "WEB-MISC Admin_files access" nocase-ignored classtype:attempted-recon sid:1212
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/backup" -j LOG	# "WEB-MISC backup access" nocase-ignored classtype:attempted-recon sid:1213
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/intranet/" -j LOG	# "WEB-MISC intranet access" nocase-ignored classtype:attempted-recon sid:1214
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ministats/admin.cgi" -j LOG	# "WEB-MISC ministats admin access" nocase-ignored classtype:attempted-recon sid:1215
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/filemail" -j LOG	# "WEB-MISC filemail access" nocase-ignored classtype:attempted-recon sid:1216
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/plusmail" -j LOG	# "WEB-MISC plusmail access" nocase-ignored classtype:attempted-recon sid:1217
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/adminlogin" -j LOG	# "WEB-MISC adminlogin access" nocase-ignored classtype:attempted-recon sid:1218
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/dfire.cgi" -j LOG	# "WEB-MISC dfire.cgi access" nocase-ignored classtype:attempted-recon sid:1219
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ultraboard" -j LOG	# "WEB-MISC ultraboard access" nocase-ignored classtype:attempted-recon sid:1220
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/empower" -j LOG	# "WEB-MISC musicat access" nocase-ignored classtype:attempted-recon sid:1221
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/pals-cgi" --string "documentName=" -j LOG --log-prefix " cve-CAN-2001-0217 "	# "WEB-MISC WebPALS attempt" nocase-ignored classtype:attempted-recon bugtraq,2372 sid:1222
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ROADS/cgi-bin/search.pl" --string "form=" -j LOG --log-prefix " cve-CAN-2001-0215 "	# "WEB-MISC ROADS attempt" nocase-ignored bugtraq,2371 classtype:attempted-recon sid:1224
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/FtpSave.dll" -j LOG	# "WEB-MISC VirusWall FtpSave access" nocase-ignored classtype:attempted-recon sid:1230
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/catinfo" -j LOG	# "WEB-MISC VirusWall access" nocase-ignored bugtraq,2808 classtype:attempted-recon sid:1231
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 1812 --tcp-flags ACK ACK -m string --string "/catinfo" -j LOG	# "WEB-MISC VirusWall access" nocase-ignored bugtraq,2579 classtype:attempted-recon sid:1232
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 80 -m string --string ".ewl" --tcp-flags ACK ACK -j LOG	# "WEB-MISC Outlook EML access" classtype:attempted-admin sid:1233
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/FtpSaveCSP.dll" -j LOG	# "WEB-MISC VirusWall FtpSaveCSP access" nocase-ignored classtype:attempted-recon sid:1234
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/FtpSaveCVP.dll" -j LOG	# "WEB-MISC VirusWall FtpSaveCVP access" nocase-ignored classtype:attempted-recon sid:1235
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".js%2570" -j LOG	# "WEB-MISC Tomcat sourcode view" nocase-ignored classtype:attempted-recon sid:1236
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".j%2573p" -j LOG	# "WEB-MISC Tomcat sourcode view" nocase-ignored classtype:attempted-recon sid:1237
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".%256Asp" -j LOG	# "WEB-MISC Tomcat sourcode view" nocase-ignored classtype:attempted-recon sid:1238
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/SWEditServlet" --string "template=../../../" --tcp-flags ACK ACK -j LOG	# "WEB-MISC SWEditServlet directory traversal attempt" classtype:attempted-user sid:1241
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/SWEditServlet" --tcp-flags ACK ACK -j LOG	# "WEB-MISC SWEditServlet access" classtype:attempted-recon sid:1259
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "HEAD" --tcp-flags ACK ACK -j LOG	#Cannot convert: dsize:>512	 "WEB-MISC whisker head" nocase-ignored classtype:attempted-recon sid:1171
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "HEAD/./" -j LOG	# "WEB-MISC whisker head" classtype:attempted-recon sid:1139
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string " " --tcp-flags ACK ACK -j LOG	#Cannot convert: dsize: 1	 "WEB-MISC whisker splice attack" arachnids,296 classtype:attempted-recon sid:1104
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "	" -j LOG	#Cannot convert: dsize: <5	 "WEB-MISC whisker splice attack" arachnids,415 classtype:attempted-recon sid:1087
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "PHPLIB[libdir]" -j LOG	# "WEB-MISC PHPLIB remote command attempt" bugtraq,3079 classtype:attempted-user sid:1254
iptables -A SnortRules -p tcp -s $HTTP_SERVERS -d $EXTERNAL_NET --dport 80 --tcp-flags ACK ACK -m string --string "/db_mysql.inc" -j LOG	# "WEB-MISC PHPLIB remote command attempt" bugtraq,3079 classtype:attempted-user sid:1255
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/OvCgi/OpenView5.exe?Context=Snmp&Action=Snmp&Host=&Oid=" -j LOG	#Cannot convert: dsize:>202	 "WEB-MISC HP Openview Manager DOS" nocase-ignored bugtraq,2845 sid:1258 classtype:misc-activity
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "Authorization: Basic " -j LOG	#Cannot convert: dsize:>1000	 "WEB-MISC long basic authorization string" nocase-ignored classtype:attempted-dos bugtraq,3230 sid:1260
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET --tcp-flags ACK ACK -m string --string "window.open("readme.eml"" -j LOG	# "WEB-MISC readme.eml autoload attempt" nocase-ignored classtype:attempted-user sid:1290 url,www.cert.org/advisories/CA-2001-26.html
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET --tcp-flags ACK ACK -m string --string "readme.eml" -j LOG	# "WEB-MISC readme.eml attempt" nocase-ignored classtype:attempted-user sid:1284 url,www.cert.org/advisories/CA-2001-26.html
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/graphics/sml3com" -j LOG	# "WEB-MISC sml3com access" classtype:attempted-dos bugtraq,2721 sid:1291
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/carbo.dll" --string "icatcommand=" -j LOG --log-prefix " cve-CAN-1999-1069 "	# "WEB-MISC carbo.dll access" nocase-ignored bugtraq,2126 classtype:attempted-recon sid:1001
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admin.php" --string "file_name=" -j LOG	# "WEB-MISC admin.php file upload attempt" nocase-ignored bugtraq,3361 classtype:attempted-admin sid:1300
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admin.php" -j LOG	# "WEB-MISC admin.php access" nocase-ignored bugtraq,3361 classtype:attempted-recon sid:1301
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cgi-bin/console.exe" -j LOG	# "WEB-MISC console.exe access" nocase-ignored bugtraq,3375 classtype:attempted-recon sid:1302
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cgi-bin/cs.exe" -j LOG	# "WEB-MISC cs.exe access" nocase-ignored bugtraq,3375 classtype:attempted-recon sid:1303
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/txt2html.cgi" --string "/../../../../" -j LOG	# "WEB-MISC txt2html attempt" nocase-ignored classtype:attempted-admin sid:1305
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/txt2html.cgi" -j LOG	# "WEB-MISC txt2html access" nocase-ignored classtype:attempted-recon sid:1304
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/store.cgi" --string "product=" --string "../.." -j LOG	# "WEB-MISC store.cgi attempt" nocase-ignored classtype:attempted-admin sid:1306
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/store.cgi" -j LOG	# "WEB-MISC store.cgi access" nocase-ignored classtype:attempted-recon sid:1307
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "../" -j LOG	# "WEB-MISC http directory traversal" arachnids,297 classtype:attempted-recon sid:1113
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/ps" -j LOG	# "WEB-ATTACKS ps command attempt" nocase-ignored sid:1328 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "ps%20" -j LOG	# "WEB-ATTACKS /bin/ps command attempt" nocase-ignored sid:1329 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "wget%20" -j LOG	# "WEB-ATTACKS wget command attempt" nocase-ignored sid:1330 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "uname%20-a" -j LOG	# "WEB-ATTACKS uname -a command attempt" nocase-ignored sid:1331 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/bin/id" -j LOG	# "WEB-ATTACKS /usr/bin/id command attempt" nocase-ignored sid:1332 classtype:web-application-attack
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string " -j LOG	#Cannot convert: id" misconvert in content semicolon: sid:1333	 "WEB-ATTACKS id command attempt" nocase-ignored sid:1333 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/echo" -j LOG	# "WEB-ATTACKS echo command attempt" nocase-ignored sid:1334 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/kill" -j LOG	# "WEB-ATTACKS kill command attempt" nocase-ignored sid:1335 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/chmod" -j LOG	# "WEB-ATTACKS chmod command attempt" nocase-ignored sid:1336 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/bin/chgrp" -j LOG	# "WEB-ATTACKS chgrp command attempt" nocase-ignored sid:1337 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/sbin/chown" -j LOG	# "WEB-ATTACKS chown command attempt" nocase-ignored sid:1338 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/bin/chsh" -j LOG	# "WEB-ATTACKS chsh command attempt" nocase-ignored sid:1339 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "tftp%20" -j LOG	# "WEB-ATTACKS tftp command attempt" nocase-ignored sid:1340 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/bin/gcc" -j LOG	# "WEB-ATTACKS /usr/bin/gcc command attempt" nocase-ignored sid:1341 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "gcc%20-o" -j LOG	# "WEB-ATTACKS gcc command attempt" nocase-ignored sid:1342 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/bin/cc" -j LOG	# "WEB-ATTACKS /usr/bin/cc command attempt" nocase-ignored sid:1343 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "cc%20" -j LOG	# "WEB-ATTACKS cc command attempt" nocase-ignored sid:1344 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/bin/cpp" -j LOG	# "WEB-ATTACKS /usr/bin/cpp command attempt" nocase-ignored sid:1345 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "cpp%20" -j LOG	# "WEB-ATTACKS cpp command attempt" nocase-ignored sid:1346 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/bin/g++" -j LOG	# "WEB-ATTACKS /usr/bin/g++ command attempt" nocase-ignored sid:1347 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "g++%20" -j LOG	# "WEB-ATTACKS g++ command attempt" nocase-ignored sid:1348 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "bin/python" -j LOG	# "WEB-ATTACKS bin/python access attempt" nocase-ignored sid:1349 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "python%20" -j LOG	# "WEB-ATTACKS python access attempt" nocase-ignored sid:1350 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "bin/tclsh" -j LOG	# "WEB-ATTACKS bin/tclsh execution attempt" nocase-ignored sid:1351 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "tclsh8%20" -j LOG	# "WEB-ATTACKS tclsh execution attempt" nocase-ignored sid:1352 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "bin/nasm" -j LOG	# "WEB-ATTACKS bin/nasm command attempt" nocase-ignored sid:1353 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "nasm%20" -j LOG	# "WEB-ATTACKS nasm command attempt" nocase-ignored sid:1354 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/bin/perl" -j LOG	# "WEB-ATTACKS /usr/bin/perl execution attempt" nocase-ignored sid:1355 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "perl%20" -j LOG	# "WEB-ATTACKS perl execution attempt" nocase-ignored sid:1356 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "net localgroup administrators /add" -j LOG	# "WEB-ATTACKS nt admin addition attempt" nocase-ignored sid:1357 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "traceroute%20" -j LOG	# "WEB-ATTACKS traceroute command attempt" nocase-ignored sid:1358 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/ping" -j LOG	# "WEB-ATTACKS ping command attempt" nocase-ignored sid:1359 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "nc%20" -j LOG	# "WEB-ATTACKS netcat command attempt" nocase-ignored sid:1360 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "nmap%20" -j LOG	# "WEB-ATTACKS nmap command attempt" nocase-ignored sid:1361 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/X11R6/bin/xterm" -j LOG	# "WEB-ATTACKS xterm command attempt" nocase-ignored sid:1362 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%20-display%20" -j LOG	# "WEB-ATTACKS X application to remote host attempt" nocase-ignored sid:1363 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "lsof%20" -j LOG	# "WEB-ATTACKS lsof command attempt" nocase-ignored sid:1364 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "rm%20" -j LOG	# "WEB-ATTACKS rm command attempt" nocase-ignored sid:1365 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/mail" -j LOG	# "WEB-ATTACKS mail command attempt" nocase-ignored sid:1366 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "mail%20" -j LOG	# "WEB-ATTACKS mail command attempt" nocase-ignored sid:1367 classtype:web-application-attack
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/ls -j LOG	#Cannot convert: misconvert in content pipe: sid:1368	 "WEB-ATTACKS /bin/ls| command attempt" nocase-ignored sid:1368 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/ls" -j LOG	# "WEB-ATTACKS /bin/ls command attempt" nocase-ignored sid:1369 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/etc/inetd.conf" -j LOG	# "WEB-ATTACKS /etc/inetd.conf access" nocase-ignored sid:1370 classtype:web-application-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/etc/motd" -j LOG	# "WEB-ATTACKS /etc/motd access" nocase-ignored sid:1371 classtype:web-application-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/etc/shadow" -j LOG	# "WEB-ATTACKS /etc/shadow access" nocase-ignored sid:1372 classtype:web-application-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "conf/httpd.conf" -j LOG	# "WEB-ATTACKS conf/httpd.conf attempt" nocase-ignored sid:1373 classtype:web-application-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".htgroup" -j LOG	# "WEB-ATTACKS .htgroup access" nocase-ignored sid:1374 classtype:web-application-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "sp_start_jo" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL sp_start_job - program execution" nocase-ignored classtype:attempted-user sid:673
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_displayparamstmt" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL - xp_displayparamstmt possible buffer overflow" nocase-ignored classtype:attempted-user sid:674
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_setsqlsecurity" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL - xp_setsqlsecurity possible buffer overflow" nocase-ignored classtype:attempted-user sid:675
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "sp_start_jo" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL sp_start_job - program execution" nocase-ignored classtype:attempted-user sid:676
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "sp_password" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL PIPES sp_password - password change" nocase-ignored classtype:attempted-user sid:677
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "sp_delete_ale" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL PIPES sp_delete_alert - log file deletion" nocase-ignored classtype:attempted-user sid:678
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "sp_adduser" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL PIPES sp_adduser - database user creation" nocase-ignored classtype:attempted-user sid:679
iptables -A SnortRules -p tcp -s $SQL_SERVERS --sport 139 -d $EXTERNAL_NET -m string --string "Login failed for user 'sa'" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL sa logon failed" classtype:attempted-user sid:680
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_cmdshell" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL PIPES xp_cmdshell - program execution" nocase-ignored classtype:attempted-user sid:681
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_enumresultset" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL xp_enumresultset possible buffer overflow" nocase-ignored classtype:attempted-user sid:682
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "sp_password" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL sp_password - password change" nocase-ignored classtype:attempted-user sid:683
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "sp_delete_ale" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL sp_delete_alert - log file deletion" nocase-ignored classtype:attempted-user sid:684
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "sp_adduser" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL sp_adduser - database user creation" nocase-ignored classtype:attempted-user sid:685
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_reg" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL xp_reg* - registry access" nocase-ignored classtype:attempted-user sid:686
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_cmdshell" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL xp_cmdshell - program execution" nocase-ignored classtype:attempted-user sid:687
#iptables -A SnortRules -p tcp -s $SQL_SERVERS --sport 1433 -d $EXTERNAL_NET -m string --string "Login failed for user 'sa'" --tcp-flags ALL ACK,PSH -j LOG	#Cannot convert: Mishandled quotes	 "MS-SQL sa logon failed" classtype:unsuccessful-user sid:688
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_reg" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL PIPES xp_reg* - registry access" nocase-ignored classtype:attempted-user sid:689
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_printstatements" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL - xp_printstatements possible buffer overflow" nocase-ignored classtype:attempted-user sid:690
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "9 Ð’ÂRU9 ì" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL Buffer overflow shellcode ACTIVE ATTACK" classtype:attempted-user sid:691
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "9 Ð’ÂRU9 ì" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL Buffer overflow shellcode ACTIVE ATTACK" classtype:attempted-user sid:692
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "H%xw3ÀPh." --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL Buffer overflow shellcode ACTIVE ATTACK" classtype:attempted-user sid:693
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "H%xw3ÀPh." --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL Buffer overflow shellcode ACTIVE ATTACK" classtype:attempted-user sid:694
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_sprintf" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL xp_sprintf possible buffer overflow" nocase-ignored classtype:attempted-user sid:695
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_showcolv" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL xp_showcolv possible buffer overflow" nocase-ignored classtype:attempted-user sid:696
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_peekqueue" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL xp_peekqueue possible buffer overflow" nocase-ignored classtype:attempted-user sid:697
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_proxiedmetadata" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL xp_proxiedmetadata possible buffer overflow" nocase-ignored classtype:attempted-user sid:698
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_printstatements" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL xp_printstatements possible buffer overflow" nocase-ignored classtype:attempted-user sid:699
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_updatecolvbm" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL xp_updatecolvbm possible buffer overflow" nocase-ignored classtype:attempted-user sid:700
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_updatecolvbm" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL xp_updatecolvbm possible buffer overflow" nocase-ignored classtype:attempted-user sid:701
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_displayparamstmt" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL xp_displayparamstmt possible buffer overflow" nocase-ignored classtype:attempted-user sid:702
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_setsqlsecurity" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL xp_setsqlsecurity possible buffer overflow" nocase-ignored classtype:attempted-user sid:703
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_sprintf" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL xp_sprintf possible buffer overflow" nocase-ignored classtype:attempted-user sid:704
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_showcolv" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL xp_showcolv possible buffer overflow" nocase-ignored classtype:attempted-user sid:705
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_peekqueue" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL xp_peekqueue possible buffer overflow" nocase-ignored classtype:attempted-user sid:706
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_proxiedmetadata" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL xp_proxiedmetadata possible buffer overflow" nocase-ignored classtype:attempted-user sid:707
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_enumresultset" --tcp-flags ALL ACK,PSH -j LOG	# "MS-SQL xp_enumresultset possible buffer overflow" nocase-ignored classtype:attempted-user sid:708
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 6000 --tcp-flags ACK ACK -m string --string "MIT-MAGIC-COOKIE-1" -j LOG	# "X11 MITcookie" arachnids,396 classtype:bad-unknown sid:1225
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 6000 --tcp-flags ACK ACK -m string --string "l" -j LOG	# "X11 xopen" arachnids,395 classtype:unknown sid:1226
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 6000:6005 -d $HOME_NET --tcp-flags ALL ACK,SYN -j LOG	# "X11 outgoing" arachnids,126 classtype:unknown sid:1227
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "ISSPNGRQ" -m icmp --icmp-type 8 -j LOG	# "ICMP ISS Pinger" arachnids,158 classtype:attempted-recon sid:465
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI" -m icmp --icmp-type 8/0 -j LOG	# "ICMP L3retriever Ping" arachnids,311 classtype:attempted-recon sid:466
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 8 -m string --string "" -j LOG	#Cannot convert: dsize: 20 icmp_id: 0 icmp_seq: 0	 "ICMP Nemesis v1.1 Echo" arachnids,449 classtype:attempted-recon sid:467
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 8 -j LOG	#Cannot convert: dsize: 0	 "ICMP PING NMAP" arachnids,162 classtype:attempted-recon sid:469
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 8 -j LOG	#Cannot convert: id: 666 dsize: 0 icmp_id: 666  icmp_seq: 0	 "ICMP icmpenum v1.1.1" arachnids,450 classtype:attempted-recon sid:471
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 5/1 -j LOG --log-prefix " cve-CVE-1999-0265 "	# "ICMP redirect host" arachnids,135 classtype:bad-unknown sid:472
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 5/0 -j LOG --log-prefix " cve-CVE-1999-0265 "	# "ICMP redirect net" arachnids,199 classtype:bad-unknown sid:473
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "" -m icmp --icmp-type 8 -j LOG	#Cannot convert: dsize:8	 "ICMP superscan echo" classtype:attempted-recon sid:474
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m ipv4options --rr -m icmp --icmp-type 0 -j LOG	# "ICMP traceroute ipopts" arachnids,238 classtype:attempted-recon sid:475
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "EEEEEEEEEEEE" -m icmp --icmp-type 8/0 -j LOG	# "ICMP webtrends scanner" arachnids,307 classtype:attempted-recon sid:476
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 4/0 -j LOG	# "ICMP Source Quench" classtype:bad-unknown sid:477
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 8 -j LOG	#Cannot convert: icmp_id: 0 icmp_seq: 0 dsize:4	 "ICMP Broadscan Smurf Scanner" classtype:attempted-recon sid:478
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "89:;<=>?" -m icmp --icmp-type 8 -j LOG	# "ICMP PING speedera" sid:480 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "TJPingPro by Jim" -m icmp --icmp-type 8 -j LOG	# "ICMP TJPingPro1.1Build 2 Windows" arachnids,167 sid:481 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "WhatsUp - A Netw" -m icmp --icmp-type 8 -j LOG	# "ICMP PING WhatsupGold Windows" arachnids,168 sid:482 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "ªªªªªªªªªªªªªªªª" -m icmp --icmp-type 8 -j LOG	# "ICMP PING CyberKit 2.2 Windows" arachnids,154 sid:483 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 8 -m string --string "Cinco Network, Inc." -j LOG	# "ICMP PING Sniffer Pro/NetXRay network scan" sid:484 classtype:misc-activity
iptables -A SnortRules -p icmp -m icmp --icmp-type 3/13 -j LOG	# "ICMP Destination Unreachable (Communication Administratively Prohibited)" sid:485 classtype:misc-activity
iptables -A SnortRules -p icmp -m icmp --icmp-type 3/10 -j LOG	# "ICMP Destination Unreachable (Communication with Destination Host is Administratively Prohibited)" sid:486 classtype:misc-activity
iptables -A SnortRules -p icmp -m icmp --icmp-type 3/9 -j LOG	# "ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited)" sid:487 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 -m string --string "EML" --tcp-flags ACK ACK -j LOG	# "NETBIOS nimda .eml" classtype:bad-unknown url,www.datafellows.com/v-descs/nimda.shtml sid:1293
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 -m string --string "NWS" --tcp-flags ACK ACK -j LOG	# "NETBIOS nimda .nws" classtype:bad-unknown url,www.datafellows.com/v-descs/nimda.shtml sid:1294
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 -m string --string "RICHED20" --tcp-flags ACK ACK -j LOG	# "NETBIOS nimda RICHED20.DLL" classtype:bad-unknown url,www.datafellows.com/v-descs/nimda.shtml sid:1295
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "\\\\*SMBSERVERÿÿÿÿ" -j LOG	# "NETBIOS DOS RFPoison" arachnids,454 classtype:attempted-dos sid:529
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "Windows NT 1381" -j LOG --log-prefix " cve-CVE-2000-0347 "	# "NETBIOS NT NULL session" bugtraq,1163 arachnids,204 classtype:attempted-recon sid:530
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "BEAVIS" --string "yep yep" -j LOG	# "NETBIOS RFParalyze Attempt" classtype:attempted-recon sid:1239
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "\ADMIN$A:" -j LOG	# "NETBIOS SMB ADMIN$access" arachnids,340 classtype:attempted-admin sid:532
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "\\C$A:" -j LOG	# "NETBIOS SMB C$ access" arachnids,339 classtype:attempted-recon sid:533
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "\../" -j LOG	# "NETBIOS SMB CD.." arachnids,338 classtype:attempted-recon sid:534
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "\..." -j LOG	# "NETBIOS SMB CD..." arachnids,337 classtype:attempted-recon sid:535
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "\D$A:" -j LOG	# "NETBIOS SMB D$access" arachnids,336 classtype:attempted-recon sid:536
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "\IPC$A:" -j LOG	# "NETBIOS SMB IPC$access" arachnids,335 classtype:attempted-recon sid:537
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "\\IPC$IPC" -j LOG	# "NETBIOS SMB IPC$access" arachnids,334 classtype:attempted-recon sid:538
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "UnixSamba" -j LOG	# "NETBIOS Samba clientaccess" arachnids,341 classtype:not-suspicious sid:539
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -j LOG	#Cannot convert: dsize: >800	 "MISC Large ICMP Packet" arachnids,246 classtype:bad-unknown sid:499
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m ipv4options --lsrr -j LOG --log-prefix " cve-CVE-1999-0909 "	# "MISC source route lssr" bugtraq,646 arachnids,418 classtype:bad-unknown sid:500
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -j LOG --log-prefix " cve-CVE-1999-0909 "	#Cannot convert: ipopts:lsrre	 "MISC source route lssre" bugtraq,646 arachnids,420 classtype:bad-unknown sid:501
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m ipv4options --ssrr -j LOG	# "MISC source route ssrr" arachnids,422 classtype:bad-unknown sid:502
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 20 -d $HOME_NET --dport :1023 --tcp-flags ALL SYN -j LOG	# "MISC Source Port 20 to <1024" arachnids,06 classtype:bad-unknown sid:503
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 53 -d $HOME_NET --dport :1023 --tcp-flags ALL SYN -j LOG	# "MISC source port 53 to <1024" arachnids,07 classtype:bad-unknown sid:504
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 1417 -m string --string ">" --tcp-flags ACK ACK -j LOG	# "MISC Insecure TIMBUKTU Password" arachnids,229 classtype:bad-unknown sid:505
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 27374 --tcp-flags ACK ACK -m string --string "GET " -j LOG	# "MISC ramen worm incoming" nocase-ignored arachnids,460 classtype:bad-unknown sid:506
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 5631 --tcp-flags ACK ACK -m string --string "ADMINISTRATOR" -j LOG	# "MISC PCAnywhere Attempted Administrator Login" classtype:attempted-admin sid:507
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 70 -m string --string "ftp:" --string "@/" --tcp-flags ACK ACK -j LOG	# "MISC gopher proxy" nocase-ignored arachnids,409 classtype:bad-unknown sid:508
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "pccsmysqladm/incs/dbconnect.inc" -j LOG	# "MISC PCCS mysql database admin tool" nocase-ignored arachnids,300 classtype:attempted-user sid:509
iptables -A SnortRules -p tcp -s $HOME_NET --sport 5631 -d $EXTERNAL_NET -m string --string "Invalid login" --tcp-flags ACK ACK -j LOG	# "MISC Invalid PCAnywhere Login" classtype:unsuccessful-user sid:511
iptables -A SnortRules -p tcp -s $HOME_NET --sport 5632 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "Invalid login" -j LOG	# "MISC PCAnywhere Failed Login" arachnids,240 classtype:unsuccessful-user sid:512
iptables -A SnortRules -p tcp -s $HOME_NET --sport 7161 -d $EXTERNAL_NET --tcp-flags ALL ACK,SYN -j LOG --log-prefix " cve-CVE-1999-0430 "	# "MISC Cisco Catalyst Remote Access" arachnids,129 classtype:bad-unknown sid:513
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 27374 --tcp-flags ACK ACK -m string --string "GET " -j LOG	# "MISC ramen worm outgoing" nocase-ignored arachnids,461 classtype:bad-unknown sid:514
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 161 -m string --string "+@Ñ" -j LOG	# "MISC SNMP NT UserList" classtype:attempted-recon sid:516
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 177 -m string --string "" -j LOG	# "MISC xdmcp query" arachnids,476 classtype:attempted-recon sid:517
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -j LOG	#Cannot convert: dsize: >4000	 "MISC Large UDP Packet" arachnids,247 classtype:bad-unknown sid:521
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -j LOG	#Cannot convert: fragbits:M dsize: < 25	 "MISC Tiny Fragments" classtype:bad-unknown sid:522
iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 80 -d $EXTERNAL_NET -m string --string "Volume Serial Number" --tcp-flags ACK ACK -j LOG	# "ATTACK RESPONSES http dir listing" classtype:bad-unknown sid:1292
iptables -A SnortRules -p tcp --tcp-flags ACK ACK -m string --string "uid=0(root)" -j LOG	# "ATTACK RESPONSES id check returned root" classtype:bad-unknown sid:498
iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 80 -d $EXTERNAL_NET -m string --string "Command completed" --tcp-flags ACK ACK -j LOG	# "ATTACK RESPONSES command completed" nocase-ignored classtype:bad-unknown sid:494
iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 80 -d $EXTERNAL_NET -m string --string "Bad command or filename" --tcp-flags ACK ACK -j LOG	# "ATTACK RESPONSES command error" nocase-ignored classtype:bad-unknown sid:495
iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 80 -d $EXTERNAL_NET -m string --string "Directory Listing of" --tcp-flags ACK ACK -j LOG	# "ATTACK RESPONSES directory listing" nocase-ignored classtype:unknown sid:496
iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 80 -d $EXTERNAL_NET -m string --string "1 file(s) copied" --tcp-flags ACK ACK -j LOG	# "ATTACK RESPONSES file copied ok" nocase-ignored classtype:bad-unknown sid:497
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 27374 -d $HOME_NET --tcp-flags ACK ACK -m string --string "[RPL]002" -j LOG	# "BACKDOOR subseven 22" arachnids,485 sid:103 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 1024: -d $HOME_NET --dport 2589 --tcp-flags ACK ACK -m string --string "Connect" -j LOG	# "BACKDOOR - Dagger_1.4.0_client_connect" arachnids,483 sid:104 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 2589 -d $EXTERNAL_NET --dport 1024: --tcp-flags ACK ACK -m string --string "2Drives\$" -j LOG	# "BACKDOOR - Dagger_1.4.0" arachnids,484 sid:105 classtype:misc-activity
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET --dport 1054 --tcp-flags ALL ACK -j LOG	#Cannot convert: seq: 101058054 ack: 101058054	 "BACKDOOR ACKcmdC trojan scan" arachnids,445 sid:106 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 16959 -d $HOME_NET -m string --string "PWD" --string "acidphreak" --tcp-flags ACK ACK -j LOG	# "BACKDOOR subseven DEFCON8 2.1 access" nocase-ignored sid:107 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 7597 --tcp-flags ACK ACK -m string --string "qazwsx.hsq" -j LOG	# "BACKDOOR QAZ Worm Client Login access" MCAFEE,98775 sid:108 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 12345 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "NetBus" -j LOG	# "BACKDOOR netbus active" arachnids,401 sid:109 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 12345 --tcp-flags ACK ACK -m string --string "GetInfo" -j LOG	# "BACKDOOR netbus getinfo" arachnids,403 sid:110 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 12346 --tcp-flags ACK ACK -m string --string "GetInfo" -j LOG	# "BACKDOOR netbus getinfo" arachnids,403 sid:111 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 80 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "server: BO/" -j LOG	# "BACKDOOR BackOrifice access" arachnids,400 sid:112 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 4120 -d $HOME_NET -m string --string "--Ahhhhhhhhhh" -j LOG	# "BACKDOOR DeepThroat access" arachnids,405 sid:113 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 12346 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "NetBus" -j LOG	# "BACKDOOR netbus active" arachnids,401 sid:114 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 20034 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "NetBus" -j LOG	# "BACKDOOR netbus active" arachnids,401 sid:115 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 31337 -m string --string "ÎcÑÒçÏ9¥¥†" -j LOG	# "BACKDOOR BackOrifice access" arachnids,399 sid:116 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 146 -d $EXTERNAL_NET --dport 1024: -m string --string "WHATISIT" --tcp-flags ACK ACK -j LOG	# "BACKDOOR Infector.1.x" arachnids,315 sid:117 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 666 -d $EXTERNAL_NET --dport 1024: -m string --string "Remote: You are connected to me." --tcp-flags ACK ACK -j LOG	# "BACKDOOR SatansBackdoor.2.0.Beta" arachnids,316 sid:118 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 6789 -d $EXTERNAL_NET -m string --string "Wtzup Use" --tcp-flags ACK ACK -j LOG	# "BACKDOOR Doly 2.0 access" arachnids,312 sid:119 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 146 -d $EXTERNAL_NET --dport 1000:1300 -m string --string "WHATISIT" --tcp-flags ACK ACK -j LOG	# "BACKDOOR Infector 1.6 Server to Client" sid:120 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 1000:1300 -d $HOME_NET --dport 146 -m string --string "FC " --tcp-flags ACK ACK -j LOG	# "BACKDOOR Infector 1.6 Client to Server Connection Request" sid:121 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "13" -j LOG	# "BACKDOOR DeepThroat 3.1 System Info Client Request" arachnids,106 sid:122 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "09" -j LOG	# "BACKDOOR DeepThroat 3.1 FTP Status Client Request" arachnids,106 sid:124 classtype:misc-activity
iptables -A SnortRules -p udp -s $HOME_NET --sport 2140 -d $EXTERNAL_NET --dport 60000 -m string --string "Retreaving" -j LOG	# "BACKDOOR DeepThroat 3.1 E-Mail Info From Server" arachnids,106 sid:125 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "12" -j LOG	# "BACKDOOR DeepThroat 3.1 E-Mail Info Client Request" arachnids,106 sid:126 classtype:misc-activity
iptables -A SnortRules -p udp -s $HOME_NET --sport 2140 -d $EXTERNAL_NET --dport 60000 -m string --string "Host" -j LOG	# "BACKDOOR DeepThroat 3.1 Server Status From Server" arachnids,106 sid:127 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "10" -j LOG	# "BACKDOOR DeepThroat 3.1 Server Status Client Request" arachnids,106 sid:128 classtype:misc-activity
iptables -A SnortRules -p udp -s $HOME_NET --sport 2140 -d $EXTERNAL_NET --dport 60000 -m string --string "C - " -j LOG	# "BACKDOOR DeepThroat 3.1 Drive Info From Server" arachnids,106 sid:129 classtype:misc-activity
iptables -A SnortRules -p udp -s $HOME_NET --sport 2140 -d $EXTERNAL_NET --dport 60000 -m string --string "Comp Name" -j LOG	# "BACKDOOR DeepThroat 3.1 System Info From Server" arachnids,106 sid:130 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "130" -j LOG	# "BACKDOOR DeepThroat 3.1 Drive Info Client Request" arachnids,106 sid:131 classtype:misc-activity
iptables -A SnortRules -p udp -s $HOME_NET --sport 2140 -d $EXTERNAL_NET --dport 60000 -m string --string "FTP Server changed to" -j LOG	# "BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server" arachnids,106 sid:132 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "16" -j LOG	# "BACKDOOR DeepThroat 3.1 Cached Passwords Client Request" arachnids,106 sid:133 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "17" -j LOG	# "BACKDOOR DeepThroat 3.1 RAS Passwords Client Request" arachnids,106 sid:134 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "91" -j LOG	# "BACKDOOR DeepThroat 3.1 Server Password Change Client Request" arachnids,106 sid:135 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "92" -j LOG	# "BACKDOOR DeepThroat 3.1 Server Password Remove Client Request" arachnids,106 sid:136 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "911" -j LOG	# "BACKDOOR DeepThroat 3.1 Rehash Client Request" arachnids,106 sid:137 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 3150 -m string --string "shutd0wnM0therF***eR" -j LOG	# "BACKDOOR DeepThroat 3.1 Server Rehash Client Request" arachnids,106 sid:138 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "88" -j LOG	# "BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request" arachnids,106 sid:140 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 31785 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "host" -j LOG	# "BACKDOOR HackAttack 1.20 Connect" sid:141 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "40" -j LOG	# "BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request" arachnids,106 sid:142 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "20" -j LOG	# "BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request" arachnids,106 sid:143 classtype:misc-activity
iptables -A SnortRules -p tcp -d $HOME_NET --dport 21 -s $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "USERw0rm" -j LOG	# "BACKDOOR ADMw0rm ftp retrieval" arachnids,01 sid:144 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport ! 80 -d $HOME_NET --dport 21554 --tcp-flags ACK ACK -m string --string "Girl" -j LOG	# "BACKDOOR GirlFriendaccess" arachnids,98 sid:145 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 30100 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "NetSphere" -j LOG	# "BACKDOOR NetSphere access" arachnids,76 sid:146 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 6969 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "GateCrasher" -j LOG	# "BACKDOOR GateCrasher" arachnids,99 sid:147 classtype:misc-activity
iptables -A SnortRules -p udp -s $HOME_NET --sport 2140 -d $EXTERNAL_NET --dport 60000 -m string --string "KeyLogger Is Enabled On port" -j LOG	# "BACKDOOR DeepThroat 3.1 Keylogger Active on Network" arachnids,106 sid:148 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 3150 -m string --string "#" -j LOG	# "BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network" arachnids,106 sid:149 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 3150 -d $HOME_NET --dport 60000 -m string --string "#" -j LOG	# "BACKDOOR DeepThroat 3.1 Server Active on Network" arachnids,106 sid:150 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -j LOG	# "BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network" arachnids,106 sid:151 classtype:misc-activity
#iptables -A SnortRules -p tcp -s $HOME_NET --sport 5401:5402 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "c:\" -j LOG	#Cannot convert: Mishandled quotes	 "BACKDOOR BackConstruction 2.1 Connection" sid:152 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 23476 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "pINg" -j LOG	# "BACKDOOR DonaldDick 1.53 Traffic" sid:153 classtype:misc-activity
iptables -A SnortRules -p udp -s $HOME_NET --sport 3150 -d $EXTERNAL_NET --dport 60000 -m string --string "Wrong Password" -j LOG	# "BACKDOOR DeepThroat 3.1 Wrong Password" arachnids,106 sid:154 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 30100:30102 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "NetSphere" -j LOG	# "BACKDOOR NetSphere 1.31.337 access" arachnids,76 sid:155 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "37" -j LOG	# "BACKDOOR DeepThroat 3.1 Visible Window List Client Request" arachnids,106 sid:156 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 666 --tcp-flags ACK ACK -m string --string "FTPON" -j LOG	# "BACKDOOR BackConstruction 2.1 Client FTP Open Request" sid:157 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 666 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "FTP Port open" -j LOG	# "BACKDOOR BackConstruction 2.1 Server FTP Open Reply" sid:158 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 5032 --tcp-flags ACK ACK -m string --string "--" -j LOG	# "BACKDOOR NetMetro File List" arachnids,79 sid:159 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 3344 -d $HOME_NET --dport 3345 -m string --string "activate" -j LOG	# "BACKDOOR Matrix 2.0 Client connect" arachnids,83 sid:161 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 3345 -d $HOME_NET --dport 3344 -m string --string "logged in" -j LOG	# "BACKDOOR Matrix 2.0 Server access" arachnids,83 sid:162 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 5714 -d $EXTERNAL_NET --tcp-flags ALL ACK,SYN -m string --string "´´" -j LOG	# "BACKDOOR WinCrash 1.0 Server Active" arachnids,36 sid:163 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 2140 -d $HOME_NET --dport 60000 -j LOG	# "BACKDOOR DeepThroat 3.1 Server Active on Network" arachnids,106 sid:164 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "KeyLogger Is Enabled On port" -j LOG	# "BACKDOOR DeepThroat 3.1 Keylogger on Server ON" arachnids,106 sid:165 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "22" -j LOG	# "BACKDOOR DeepThroat 3.1 Show Picture Client Request" arachnids,106 sid:166 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "32" -j LOG	# "BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request" arachnids,106 sid:167 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "33" -j LOG	# "BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request" arachnids,106 sid:168 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "34" -j LOG	# "BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request" arachnids,106 sid:169 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "110" -j LOG	# "BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request" arachnids,106 sid:170 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "35" -j LOG	# "BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request" arachnids,106 sid:171 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "70" -j LOG	# "BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request" arachnids,106 sid:172 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "71" -j LOG	# "BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request" arachnids,106 sid:173 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "31" -j LOG	# "BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request" arachnids,106 sid:174 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "125" -j LOG	# "BACKDOOR DeepThroat 3.1 Resolution Change Client Request" arachnids,106 sid:175 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "04" -j LOG	# "BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request" arachnids,106 sid:176 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "KeyLogger Shut Down" -j LOG	# "BACKDOOR DeepThroat 3.1 Keylogger on Server OFF" arachnids,106 sid:177 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "21" -j LOG	# "BACKDOOR DeepThroat 3.1 FTP Server Port Client Request" arachnids,106 sid:179 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "64" -j LOG	# "BACKDOOR DeepThroat 3.1 Process List Client request" arachnids,106 sid:180 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "121" -j LOG	# "BACKDOOR DeepThroat 3.1 Close Port Scan Client Request" arachnids,106 sid:181 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "89" -j LOG	# "BACKDOOR DeepThroat 3.1 Registry Add Client Request" arachnids,106 sid:182 classtype:misc-activity
#iptables -A SnortRules -p icmp -s 255.255.255.0/24 -d $HOME_NET -m icmp --icmp-type 0 -j LOG	#Cannot convert: dsize: >1	 "BACKDOOR SIGNATURE - Q ICMP" arachnids,202 sid:183 classtype:misc-activity
#iptables -A SnortRules -p tcp -s 255.255.255.0/24 -d $HOME_NET --tcp-flags ACK ACK -j LOG	#Cannot convert: dsize: >1	 "BACKDOOR Q access" arachnids,203 sid:184 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 -m string --string "ypi0ca" --tcp-flags ACK ACK -j LOG	# "BACKDOOR CDK" nocase-ignored arachnids,263 sid:185 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "07" -j LOG	# "BACKDOOR DeepThroat 3.1 Monitor on/off Client Request" arachnids,106 sid:186 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "41" -j LOG	# "BACKDOOR DeepThroat 3.1 Delete File Client Request" arachnids,106 sid:187 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "38" -j LOG	# "BACKDOOR DeepThroat 3.1 Kill Window Client Request" arachnids,106 sid:188 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "23" -j LOG	# "BACKDOOR DeepThroat 3.1 Disable Window Client Request" arachnids,106 sid:189 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "24" -j LOG	# "BACKDOOR DeepThroat 3.1 Enable Window Client Request" arachnids,106 sid:190 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "60" -j LOG	# "BACKDOOR DeepThroat 3.1 Change Window Title Client Request" arachnids,106 sid:191 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "26" -j LOG	# "BACKDOOR DeepThroat 3.1 Hide Window Client Request" arachnids,106 sid:192 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "25" -j LOG	# "BACKDOOR DeepThroat 3.1 Show Window Client Request" arachnids,106 sid:193 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "63" -j LOG	# "BACKDOOR DeepThroat 3.1 Send Text to Window Client Request" arachnids,106 sid:194 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "Ahhhh My Mouth Is Open" -j LOG	# "BACKDOOR DeepThroat 3.1 Server Response" arachnids,106 sid:195 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "30" -j LOG	# "BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request" arachnids,106 sid:196 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "39" -j LOG	# "BACKDOOR DeepThroat 3.1 Create Directory Client Request" arachnids,106 sid:197 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "370" -j LOG	# "BACKDOOR DeepThroat 3.1 All Window List Client Request" arachnids,106 sid:198 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "36" -j LOG	# "BACKDOOR DeepThroat 3.1 Play Sound Client Request" arachnids,106 sid:199 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "14" -j LOG	# "BACKDOOR DeepThroat 3.1 Run Program Normal Client Request" arachnids,106 sid:200 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "15" -j LOG	# "BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request" arachnids,106 sid:201 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "100" -j LOG	# "BACKDOOR DeepThroat 3.1 Get NET File Client Request" arachnids,106 sid:202 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "117" -j LOG	# "BACKDOOR DeepThroat 3.1 Find File Client Request" arachnids,106 sid:203 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "118" -j LOG	# "BACKDOOR DeepThroat 3.1 Find File Client Request" arachnids,106 sid:204 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "199" -j LOG	# "BACKDOOR DeepThroat 3.1 HUP Modem Client Request" arachnids,106 sid:205 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "02" -j LOG	# "BACKDOOR DeepThroat 3.1 CD ROM Open Client Request" arachnids,106 sid:206 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "03" -j LOG	# "BACKDOOR DeepThroat 3.1 CD ROM Close Client Request" arachnids,106 sid:207 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 555 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "phAse" -j LOG	# "BACKDOOR PhaseZero Server Active on Network" sid:208 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "w00w00" -j LOG	# "BACKDOOR w00w00 attempt" classtype:attempted-admin sid:209
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "backdoor" -j LOG	# "BACKDOOR attempt" nocase-ignored classtype:attempted-admin sid:210
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "r00t" -j LOG	# "BACKDOOR MISC r00t attempt" classtype:attempted-admin sid:211
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "rewt" -j LOG	# "BACKDOOR MISC rewt attempt" classtype:attempted-admin sid:212
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "wh00t!" -j LOG	# "BACKDOOR MISC linux rootkit attempt" classtype:attempted-admin sid:213
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "lrkr0x" -j LOG	# "BACKDOOR MISC linux rootkit attempt lrkr0x" classtype:attempted-admin sid:214
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "d13hh[" -j LOG	# "BACKDOOR MISC linux rootkit attempt" nocase-ignored classtype:attempted-admin sid:215
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "satori" -j LOG	# "BACKDOOR MISC linux rootkit attempt" classtype:attempted-admin sid:216
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "hax0r" -j LOG	# "BACKDOOR MISC sm4ck attempt" classtype:attempted-admin sid:217
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "friday" -j LOG	# "BACKDOOR MISC solaris 2.5 attempt" classtype:attempted-user sid:218
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "StoogR" -j LOG	# "BACKDOOR HidePak backdoor attempt" sid:219 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "wank" -j LOG	# "BACKDOOR HideSource backdoor attempt" sid:220 classtype:misc-activity
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "‚ ‘Ð " -j LOG	# "SHELLCODE sparc setuid 0" arachnids,282 classtype:system-call-detect sid:647
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "°µÍ€" -j LOG	# "SHELLCODE x86 setgid 0" arachnids,284 classtype:system-call-detect sid:649
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "°Í€" -j LOG	# "SHELLCODE x86 setuid 0" arachnids,436 classtype:system-call-detect sid:650
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "àø%àø%àø%àø%" -j LOG	# "SHELLCODE SGI NOOP" arachnids,356 classtype:shellcode-detect sid:638
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "\$4\$4\$4\$4" -j LOG	# "SHELLCODE SGI NOOP" arachnids,357 classtype:shellcode-detect sid:639
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "Oÿû‚Oÿû‚Oÿû‚Oÿû‚" -j LOG	# "SHELLCODE aix NOOP" classtype:shellcode-detect sid:640
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "GÿGÿGÿGÿ" -j LOG	# "SHELLCODE digital unix NOOP" arachnids,352 classtype:shellcode-detect sid:641
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "€€€€" -j LOG	# "SHELLCODE hpux NOOP" arachnids,358 classtype:shellcode-detect sid:642
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "9€9€9€9€" -j LOG	# "SHELLCODE hpux NOOP" arachnids,359 classtype:shellcode-detect sid:643
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "À¦À¦À¦À¦" -j LOG	# "SHELLCODE sparc NOOP" arachnids,345 classtype:shellcode-detect sid:644
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "€@€@€@€@" -j LOG	# "SHELLCODE sparc NOOP" arachnids,353 classtype:shellcode-detect sid:645
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "¦À¦À¦À¦À" -j LOG	# "SHELLCODE sparc NOOP" arachnids,355 classtype:shellcode-detect sid:646
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "" -j LOG	# "SHELLCODE x86 NOOP" arachnids,181 classtype:shellcode-detect sid:648
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "ëëë" -j LOG	# "SHELLCODE x86 stealth NOOP" arachnids,291 classtype:shellcode-detect sid:651
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "" -j LOG	# "SHELLCODE x86 unicode NOOP" classtype:shellcode-detect sid:653
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "èÀÿÿÿ/bin/sh" -j LOG	# "SHELLCODE linux shellcode" arachnids,343 classtype:shellcode-detect sid:652
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 1863 --tcp-flags ACK ACK -m string --string "text/plain" -j LOG	# "INFO msn chat access" classtype:not-suspicious sid:540
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "User-Agent:ICQ" -j LOG	# "INFO icq access" classtype:not-suspicious sid:541
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 6666:7000 --tcp-flags ACK ACK -m string --string "NICK " -j LOG	# "INFO Possible IRC Access" classtype:not-suspicious sid:542
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "STOR 1MB" -j LOG	# "FTP STOR 1MB possible warez site" nocase-ignored classtype:bad-unknown sid:543
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "RETR 1MB" -j LOG	# "FTP RETR 1MB possible warez site" nocase-ignored classtype:bad-unknown sid:544
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "CWD / " -j LOG	# "FTP CWD / - possible warez site" nocase-ignored classtype:bad-unknown sid:545
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "CWD " -j LOG	# "FTP "CWD " possible warez site" nocase-ignored classtype:bad-unknown sid:546
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "MKD " -j LOG	# "FTP "MKD " possible warez site" nocase-ignored classtype:bad-unknown sid:547
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "MKD ." -j LOG	# "FTP "MKD . " possible warez site" nocase-ignored classtype:bad-unknown sid:548
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "MKD / " -j LOG	# "FTP "MKD / " possible warez site" nocase-ignored classtype:bad-unknown sid:554
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 8888 --tcp-flags ACK ACK -m string --string "" -j LOG	# "INFO napster login" classtype:bad-unknown sid:549
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 8888 --tcp-flags ACK ACK -m string --string "" -j LOG	# "INFO napster new user login" classtype:bad-unknown sid:550
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 8888 --tcp-flags ACK ACK -m string --string "Ë" -j LOG	# "INFO napster download attempt" classtype:bad-unknown sid:551
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 8888 -d $HOME_NET --tcp-flags ACK ACK -m string --string "_" -j LOG	# "INFO napster upload request" classtype:bad-unknown sid:552
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "anonymous" --tcp-flags ACK ACK -j LOG	# "INFO FTP anonymous FTP" nocase-ignored classtype:not-suspicious sid:553
iptables -A SnortRules -p tcp -s $HOME_NET --sport 23 -d $EXTERNAL_NET -m string --string "WinGate>" --tcp-flags ACK ACK -j LOG --log-prefix " cve-CAN-1999-0657 "	# "INFO wingate telnet active" arachnids,366 classtype:bad-unknown sid:555
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET -m string --string "GNUTELLA CONNECT" -j LOG	# "INFO Outbound GNUTella Connect request" nocase-ignored classtype:bad-unknown sid:556
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET -m string --string "GNUTELLA OK" -j LOG	# "INFO Inbound GNUTella Connect accept" nocase-ignored classtype:bad-unknown sid:557
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "GNUTELLA OK" -j LOG	# "INFO Outbound GNUTella Connect accept" nocase-ignored classtype:bad-unknown sid:558
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "GNUTELLA CONNECT" -j LOG	# "INFO Inbound GNUTella Connect request" nocase-ignored classtype:bad-unknown sid:559
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ACK ACK -m string --string "RFB 003.003" -j LOG	# "INFO VNC Active on Network" classtype:bad-unknown sid:560
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 6699 --tcp-flags ACK ACK -m string --string ".mp3" -j LOG	# "INFO Napster Client Data" nocase-ignored classtype:bad-unknown sid:561
iptables -A SnortRules -p tcp -d $HOME_NET -s $EXTERNAL_NET --sport 6699 --tcp-flags ACK ACK -m string --string ".mp3" -j LOG	# "INFO Napster Client Data" nocase-ignored classtype:bad-unknown sid:561
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 7777 --tcp-flags ACK ACK -m string --string ".mp3" -j LOG	# "INFO Napster Client Data" nocase-ignored classtype:bad-unknown sid:562
iptables -A SnortRules -p tcp -d $HOME_NET -s $EXTERNAL_NET --sport 7777 --tcp-flags ACK ACK -m string --string ".mp3" -j LOG	# "INFO Napster Client Data" nocase-ignored classtype:bad-unknown sid:562
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 6666 --tcp-flags ACK ACK -m string --string ".mp3" -j LOG	# "INFO Napster Client Data" nocase-ignored classtype:bad-unknown sid:563
iptables -A SnortRules -p tcp -d $HOME_NET -s $EXTERNAL_NET --sport 6666 --tcp-flags ACK ACK -m string --string ".mp3" -j LOG	# "INFO Napster Client Data" nocase-ignored classtype:bad-unknown sid:563
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 5555 --tcp-flags ACK ACK -m string --string ".mp3" -j LOG	# "INFO Napster Client Data" nocase-ignored classtype:bad-unknown sid:564
iptables -A SnortRules -p tcp -d $HOME_NET -s $EXTERNAL_NET --sport 5555 --tcp-flags ACK ACK -m string --string ".mp3" -j LOG	# "INFO Napster Client Data" nocase-ignored classtype:bad-unknown sid:564
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 8875 --tcp-flags ACK ACK -m string --string "anon@napster.com" -j LOG	# "INFO Napster Server Login" classtype:bad-unknown sid:565
iptables -A SnortRules -p tcp -d $HOME_NET -s $EXTERNAL_NET --sport 8875 --tcp-flags ACK ACK -m string --string "anon@napster.com" -j LOG	# "INFO Napster Server Login" classtype:bad-unknown sid:565
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 5632 -m string --string "ST" -j LOG	# "MISC PCAnywhere Startup" arachnids,239 classtype:bad-unknown sid:566
iptables -A SnortRules -p tcp -s $SMTP --sport 25 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "550 5.7.1" -j LOG	# "SMTP relaying denied" arachnids,249 classtype:bad-unknown sid:567
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 9100 --tcp-flags ACK ACK -m string --string "@PJL RDYMSG DISPLAY =" -j LOG	# "INFO hp jetdirect LCD modification attempt" classtype:bad-unknown bugtraq,2245 arachnids,302 sid:568
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 9001 --tcp-flags ACK ACK -m string --string "@PJL RDYMSG DISPLAY =" -j LOG	# "INFO hp jetdirect LCD modification attempt" classtype:bad-unknown bugtraq,2245 arachnids,302 sid:510
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "FREE XXX" --tcp-flags ACK ACK -j LOG	# "PORN free XXX" nocase-ignored classtype:kickass-porn sid:1310
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "hardcore anal" --tcp-flags ACK ACK -j LOG	# "PORN hardcore anal" nocase-ignored classtype:kickass-porn sid:1311
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "nude cheerleader" --tcp-flags ACK ACK -j LOG	# "PORN nude cheerleader" nocase-ignored classtype:kickass-porn sid:1312
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "up skirt" --tcp-flags ACK ACK -j LOG	# "PORN up skirt" nocase-ignored classtype:kickass-porn sid:1313
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "young teen" --tcp-flags ACK ACK -j LOG	# "PORN young teen" nocase-ignored classtype:kickass-porn sid:1314
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "hot young sex" --tcp-flags ACK ACK -j LOG	# "PORN hot young sex" nocase-ignored classtype:kickass-porn sid:1315
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "fuck fuck fuck" --tcp-flags ACK ACK -j LOG	# "PORN fuck fuck fuck" nocase-ignored classtype:kickass-porn sid:1316
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "anal sex" --tcp-flags ACK ACK -j LOG	# "PORN anal sex" nocase-ignored classtype:kickass-porn sid:1317
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "hardcore rape" --tcp-flags ACK ACK -j LOG	# "PORN hardcore rape" nocase-ignored classtype:kickass-porn sid:1318
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "real snuff" --tcp-flags ACK ACK -j LOG	# "PORN real snuff" nocase-ignored classtype:kickass-porn sid:1319
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "fuck movies" --tcp-flags ACK ACK -j LOG	# "PORN fuck movies" nocase-ignored classtype:kickass-porn sid:1320
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "Connection closed by foreign host" --tcp-flags ACK ACK -j LOG	# "INFO Connection Closed MSG from Port 80" nocase-ignored classtype:unknown sid:488
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "pass " --tcp-flags ACK ACK -j LOG	# "INFO FTP No Password" nocase-ignored arachnids,322 classtype:unknown sid:489
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 -m string --string "BattleMail" --tcp-flags ACK ACK -j LOG	# "INFO battle-mail traffic" classtype:unknown sid:490
iptables -A SnortRules -p tcp -s $HOME_NET --sport 21 -d $EXTERNAL_NET -m string --string "530 Login " --tcp-flags ACK ACK -j LOG	# "FTP Bad login" nocase-ignored classtype:bad-unknown sid:491
iptables -A SnortRules -p tcp -s $HOME_NET --sport 23 -d $EXTERNAL_NET -m string --string "Login failed" --tcp-flags ACK ACK -j LOG	# "TELNET Bad Login" nocase-ignored classtype:bad-unknown sid:492
iptables -A SnortRules -p tcp -s $HOME_NET --sport 23 -d $EXTERNAL_NET -m string --string "Login incorrect" --tcp-flags ACK ACK -j LOG	# "TELNET Bad Login" nocase-ignored classtype:bad-unknown sid:1251
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET -m string --string "Welcome!psyBNC@lam3rz.de" --tcp-flags ACK ACK -j LOG	# "INFO psyBNC access" classtype:bad-unknown sid:493
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 9 -j LOG --log-prefix " cve-CVE-1999-0875 "	# "ICMP IRDP router advertisement" bugtraq,578 arachnids,173 sid:363 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 10 -j LOG --log-prefix " cve-CVE-1999-0875 "	# "ICMP IRDP router selection" bugtraq,578 arachnids,174 sid:364 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "" -m icmp --icmp-type 8 -j LOG	# "ICMP PING *NIX" sid:366 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 8 -m string --string "	" -j LOG	# "ICMP PING BSDtype" arachnids,152 sid:368 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 8 -m string --string "	" -j LOG	# "ICMP PING BayRS Router" arachnids,438 arachnids,444 sid:369 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "	" -m icmp --icmp-type 8 -j LOG	# "ICMP PING BeOS4.x" arachnids,151 sid:370 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "«Í«Í«Í«Í«Í«Í«Í«Í" -m icmp --icmp-type 8 -j LOG	# "ICMP PING Cisco Type.x" arachnids,153 sid:371 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "Pinging from Del" -m icmp --icmp-type 8 -j LOG	# "ICMP PING Delphi-Piette Windows" arachnids,155 sid:372 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 8 -m string --string "	" -j LOG	# "ICMP PING Flowpoint2200 or Network Management Software" arachnids,156 sid:373 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "© Sustainable So" -m icmp --icmp-type 8 -j LOG	# "ICMP PING IP NetMonitor Macintosh" arachnids,157 sid:374 classtype:misc-activity
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 8 -j LOG	#Cannot convert: dsize:8 id:13170	 "ICMP PING LINUX/*BSD" arachnids,447 sid:375 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "0123456789abcdefghijklmnop" -m icmp --icmp-type 8 -j LOG	# "ICMP PING Microsoft Windows" arachnids,159 sid:376 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "================" -m icmp --icmp-type 8 -j LOG	# "ICMP PING Network Toolbox 3 Windows" arachnids,161 sid:377 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "OMeterObeseArmad" -m icmp --icmp-type 8 -j LOG	# "ICMP PING Ping-O-MeterWindows" arachnids,164 sid:378 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "Data" -m icmp --icmp-type 8 -j LOG	# "ICMP PING Pinger Windows" arachnids,163 sid:379 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "ˆ              " -m icmp --icmp-type 8 -j LOG	# "ICMP PING Seer Windows" arachnids,166 sid:380 classtype:misc-activity
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 8 -j LOG	#Cannot convert: dsize:8	 "ICMP PING Sun Solaris" arachnids,448 sid:381 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "abcdefghijklmnop" -m icmp --icmp-type 8 -j LOG	# "ICMP PING Windows" arachnids,169 sid:382 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 8/0 -j LOG	# "ICMP PING" sid:384 classtype:misc-activity
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m ttl --ttl-eq 1 -m icmp --icmp-type 8 -j LOG	#Cannot convert: Can't specify TTL option twice	 "ICMP traceroute " arachnids,118 classtype:attempted-recon sid:385
iptables -A SnortRules -p icmp -s $HOME_NET -d $EXTERNAL_NET -m icmp --icmp-type 18/0 -j LOG	# "ICMP Address Mask Reply" sid:386 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 18 -j LOG	# "ICMP Address Mask Reply (Undefined Code!)" sid:387 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 17/0 -j LOG	# "ICMP Address Mask Request" sid:388 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 17 -j LOG	# "ICMP Address Mask Request (Undefined Code!)" sid:389 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 6/0 -j LOG	# "ICMP Alternate Host Address" sid:390 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 6 -j LOG	# "ICMP Alternate Host Address (Undefined Code!)" sid:391 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 31/0 -j LOG	# "ICMP Datagram Conversion Error" sid:392 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 31 -j LOG	# "ICMP Datagram Conversion Error (Undefined Code!)" sid:393 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 3/7 -j LOG	# "ICMP Destination Unreachable (Destination Host Unknown)" sid:394 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 3/6 -j LOG	# "ICMP Destination Unreachable (Destination Network Unknown)" sid:395 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 3/4 -j LOG	# "ICMP Destination Unreachable (Fragmentation Needed and DF bit was set)" sid:396 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 3/14 -j LOG	# "ICMP Destination Unreachable (Host Precedence Violation)" sid:397 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 3/12 -j LOG	# "ICMP Destination Unreachable (Host Unreachable for Type of Service)" sid:398 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 3/1 -j LOG	# "ICMP Destination Unreachable (Host Unreachable)" sid:399 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 3/11 -j LOG	# "ICMP Destination Unreachable (Network Unreachable for Type of Service)" sid:400 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 3/0 -j LOG	# "ICMP Destination Unreachable (Network Unreachable)" sid:401 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 3/3 -j LOG	# "ICMP Destination Unreachable (Port Unreachable)" sid:402 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 3/15 -j LOG	# "ICMP Destination Unreachable (Precedence Cutoff in effect)" sid:403 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 3/2 -j LOG	# "ICMP Destination Unreachable (Protocol Unreachable)" sid:404 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 3/8 -j LOG	# "ICMP Destination Unreachable (Source Host Isolated)" sid:405 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 3/5 -j LOG	# "ICMP Destination Unreachable (Source Route Failed)" sid:406 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 3 -j LOG	# "ICMP Destination Unreachable (Undefined Code!)" sid:407 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 0/0 -j LOG	# "ICMP Echo Reply" sid:408 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 0 -j LOG	# "ICMP Echo Reply (Undefined Code!)" sid:409 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 11/1 -j LOG	# "ICMP Fragment Reassembly Time Exceeded" sid:410 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 34/0 -j LOG	# "ICMP IPV6 I-Am-Here" sid:411 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 34 -j LOG	# "ICMP IPV6 I-Am-Here (Undefined Code!" sid:412 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 33/0 -j LOG	# "ICMP IPV6 Where-Are-You" sid:413 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 33 -j LOG	# "ICMP IPV6 Where-Are-You (Undefined Code!)" sid:414 classtype:misc-activity
iptables -A SnortRules -p icmp -s $HOME_NET -d $EXTERNAL_NET -m icmp --icmp-type 16/0 -j LOG	# "ICMP Information Reply" sid:415 classtype:misc-activity
iptables -A SnortRules -p icmp -s $HOME_NET -d $EXTERNAL_NET -m icmp --icmp-type 16 -j LOG	# "ICMP Information Reply (Undefined Code!)" sid:416 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 15/0 -j LOG	# "ICMP Information Request" sid:417 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 15 -j LOG	# "ICMP Information Request (Undefined Code!)" sid:418 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 32/0 -j LOG	# "ICMP Mobile Host Redirect" sid:419 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 32 -j LOG	# "ICMP Mobile Host Redirect (Undefined Code!)" sid:420 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 36/0 -j LOG	# "ICMP Mobile Registration Reply" sid:421 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 36 -j LOG	# "ICMP Mobile Registration Reply (Undefined Code!)" sid:422 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 35/0 -j LOG	# "ICMP Mobile Registration Request" sid:423 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 35 -j LOG	# "ICMP Mobile Registration Request (Undefined Code!" sid:424 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 12/2 -j LOG	# "ICMP Parameter Problem (Bad Length)" sid:425 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 12/1 -j LOG	# "ICMP Parameter Problem (Missing a Requiered Option)" sid:426 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 12/0 -j LOG	# "ICMP Parameter Problem (Unspecified Error)" sid:427 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 12 -j LOG	# "ICMP Parameter Problem (Undefined Code!)" sid:428 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 40/0 -j LOG	# "ICMP Photuris (Reserved)" sid:429 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 40/1 -j LOG	# "ICMP Photuris (Unknown Security Parameters Index)" sid:430 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 40/2 -j LOG	# "ICMP Photuris (Valid Security Parameters, But Authentication Failed)" sid:431 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 40/3 -j LOG	# "ICMP Photuris (Valid Security Parameters, But Decryption Failed)" sid:432 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 40 -j LOG	# "ICMP Photuris (Undefined Code!)" sid:433 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 5/3 -j LOG	# "ICMP Redirect (for TOS and Host)" sid:436 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 5/2 -j LOG	# "ICMP Redirect (for TOS and Network)" sid:437 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 5 -j LOG	# "ICMP Redirect (Undefined Code!)" sid:438 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 19/0 -j LOG	# "ICMP Reserved for Security (Type 19)" sid:439 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 19 -j LOG	# "ICMP Reserved for Security (Type 19) (Undefined Code!)" sid:440 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 9/0 -j LOG	# "ICMP Router Advertisment" arachnids,173 sid:441 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 10/0 -j LOG	# "ICMP Router Selection" arachnids,174 sid:443 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 39/0 -j LOG	# "ICMP SKIP" sid:445 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 39 -j LOG	# "ICMP SKIP (Undefined Code!" sid:446 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 4 -j LOG	# "ICMP Source Quench (Undefined Code!)" sid:448 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 11/0 -j LOG	# "ICMP Time-To-Live Exceeded in Transit" sid:449 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 11 -j LOG	# "ICMP Time-To-Live Exceeded in Transit (Undefined Code!)" sid:450 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 14/0 -j LOG	# "ICMP Timestamp Reply" sid:451 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 14 -j LOG	# "ICMP Timestamp Reply (Undefined Code!)" sid:452 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 13/0 -j LOG	# "ICMP Timestamp Request" sid:453 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 13 -j LOG	# "ICMP Timestamp Request (Undefined Code!)" sid:454 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m ipv4options --rr -m icmp --icmp-type 0 -j LOG	# "ICMP Traceroute ipopts" arachnids,238 sid:455 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 30/0 -j LOG	# "ICMP Traceroute" sid:456 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 30 -j LOG	# "ICMP Traceroute (Undefined Code!)" sid:457 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 1/0 -j LOG	# "ICMP Unassigned! (Type 1)" sid:458 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 1 -j LOG	# "ICMP Unassigned! (Type 1) (Undefined Code)" sid:459 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 2/0 -j LOG	# "ICMP Unassigned! (Type 2)" sid:460 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 2 -j LOG	# "ICMP Unassigned! (Type 2) (Undefined Code)" sid:461 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 7/0 -j LOG	# "ICMP Unassigned! (Type 7)" sid:462 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 7 -j LOG	# "ICMP Unassigned! (Type 7) (Undefined Code!)" sid:463 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m icmp --icmp-type 8 -j LOG	# "ICMP PING (Undefined Code!)" sid:365 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "Suddlently" -j LOG	# "Virus - SnowWhite Trojan Incoming" sid:720 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string ".pif" -j LOG	# "Virus - Possible pif Worm" nocase-ignored sid:721 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "NAVIDAD.EXE" -j LOG	# "Virus - Possible NAVIDAD Worm" nocase-ignored sid:722 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "myromeo.exe" -j LOG	# "Virus - Possible MyRomeo Worm" nocase-ignored sid:723 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "myjuliet.chm" -j LOG	# "Virus - Possible MyRomeo Worm" nocase-ignored sid:724 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "ble bla" -j LOG	# "Virus - Possible MyRomeo Worm" nocase-ignored sid:725 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "I Love You" -j LOG	# "Virus - Possible MyRomeo Worm" sid:726 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "Sorry... Hey you !" -j LOG	# "Virus - Possible MyRomeo Worm" sid:727 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "my picture from shake-beer" -j LOG	# "Virus - Possible MyRomeo Worm" sid:728 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string ".scr" -j LOG	# "Virus - Possible scr Worm" nocase-ignored sid:729 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string ".shs" -j LOG	# "Virus - Possible shs Worm" nocase-ignored sid:730 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "qazwsx.hsq" -j LOG	# "Virus - Possible QAZ Worm" MCAFEE,98775 sid:731 classtype:misc-activity
iptables -A SnortRules -p tcp --dport 139 --tcp-flags ALL ACK -m string --string "qazwsx.hsq" -j LOG	# "Virus - Possible QAZ Worm Infection" MCAFEE,98775 sid:732 classtype:misc-activity
iptables -A SnortRules -p tcp --dport 25 -m string --string "nongmin_cn" -j LOG	# "Virus - Possible QAZ Worm Calling Home" MCAFEE,98775 sid:733 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "Software provide by [MATRiX]" -j LOG	# "Virus - Possible Matrix worm" nocase-ignored sid:734 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "Matrix has you..." -j LOG	# "Virus - Possible MyRomeo Worm" sid:735 classtype:misc-activity
iptables -A SnortRules -p tcp --dport 25 --tcp-flags ALL ACK,PSH -m string --string "funguscrack@hotmail.com" -j LOG	# "Virus - Successful eurocalculator execution" nocase-ignored sid:736 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=" --string "eurocalculator.exe" -j LOG	# "Virus - Possible eurocalculator.exe file" nocase-ignored sid:737 classtype:misc-activity
iptables -A SnortRules -p tcp --dport 110 --tcp-flags ALL ACK,PSH -m string --string "Pikachu Pokemon" -j LOG	# "Virus - Possible Pikachu Pokemon Virus" MCAFEE,98696 sid:738 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="666TEST.VBS"" -j LOG	# "Virus - Possible Triplesix Worm" nocase-ignored MCAFEE,10389 sid:739 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="tune.vbs"" -j LOG	# "Virus - Possible Tune.vbs" nocase-ignored MCAFEE,10497 sid:740 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "Market share tipoff" -j LOG	# "Virus - Possible NAIL Worm" MCAFEE,10109 sid:741 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "name =\"WWIII" -j LOG	# "Virus - Possible NAIL Worm" MCAFEE,10109 sid:742 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "New Developments" -j LOG	# "Virus - Possible NAIL Worm" MCAFEE,10109 sid:743 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "Good Times" -j LOG	# "Virus - Possible NAIL Worm" MCAFEE,10109 sid:744 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="XPASS.XLS"" -j LOG	# "Virus - Possible Papa Worm" nocase-ignored MCAFEE,10145 sid:745 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "LINKS.VBS" -j LOG	# "Virus - Possible Freelink Worm" MCAFEE,10225 sid:746 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="SETUP.EXE"" -j LOG	# "Virus - Possible Simbiosis Worm" nocase-ignored sid:747 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "name =\"BADASS.EXE\"" -j LOG	# "Virus - Possible BADASS Worm" MCAFEE,10388 sid:748 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "name =\"File_zippati.exe\"" -j LOG	# "Virus - Possible ExploreZip.B Worm" MCAFEE,10471 sid:749 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="KAK.HTA"" -j LOG	# "Virus - Possible wscript.KakWorm" nocase-ignored MCAFEE,10509 sid:751 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="Suppl.doc"" -j LOG	# "Virus Possible Suppl Worm" nocase-ignored MCAFEE,10361 sid:752 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="THEOBBQ.EXE"" -j LOG	# "Virus - Possible NewApt.Worm - theobbq.exe" nocase-ignored MCAFEE,10540 sid:753 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="MONEY.DOC"" -j LOG	# "Virus - Possible Word Macro - VALE" nocase-ignored MCAFEE,10502 sid:754 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="irok.exe"" -j LOG	# "Virus - Possible IROK Worm" nocase-ignored MCAFEE,98552 sid:755 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="Fix2001.exe"" -j LOG	# "Virus - Possible Fix2001 Worm" nocase-ignored MCAFEE,10355 sid:756 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="Y2K.EXE"" -j LOG	# "Virus - Possible Y2K Zelu Trojan" nocase-ignored MCAFEE,10505 sid:757 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="THE_FLY.CHM"" -j LOG	# "Virus - Possible The_Fly Trojan" nocase-ignored MCAFEE,10478 sid:758 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="DINHEIRO.DOC"" -j LOG	# "Virus - Possible Word Macro - VALE" nocase-ignored MCAFEE,10502 sid:759 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="ICQ_GREETINGS.EXE"" -j LOG	# "Virus - Possible Passion Worm" nocase-ignored MCAFEE,10467 sid:760 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="COOLER3.EXE"" -j LOG	# "Virus - Possible NewApt.Worm - cooler3.exe" nocase-ignored MCAFEE,10540 sid:761 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="PARTY.EXE"" -j LOG	# "Virus - Possible NewApt.Worm - party.exe" nocase-ignored MCAFEE,10540 sid:762 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="HOG.EXE"" -j LOG	# "Virus - Possible NewApt.Worm - hog.exe" nocase-ignored MCAFEE,10540 sid:763 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="GOAL1.EXE"" -j LOG	# "Virus - Possible NewApt.Worm - goal1.exe" nocase-ignored MCAFEE,10540 sid:764 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="PIRATE.EXE"" -j LOG	# "Virus - Possible NewApt.Worm - pirate.exe" nocase-ignored MCAFEE,10540 sid:765 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="VIDEO.EXE"" -j LOG	# "Virus - Possible NewApt.Worm - video.exe" nocase-ignored MCAFEE,10540 sid:766 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="BABY.EXE"" -j LOG	# "Virus - Possible NewApt.Worm - baby.exe" nocase-ignored MCAFEE,10540 sid:767 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="COOLER1.EXE"" -j LOG	# "Virus - Possible NewApt.Worm - cooler1.exe" nocase-ignored MCAFEE,10540 sid:768 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="BOSS.EXE"" -j LOG	# "Virus - Possible NewApt.Worm - boss.exe" nocase-ignored MCAFEE,10540 sid:769 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="G-ZILLA.EXE"" -j LOG	# "Virus - Possible NewApt.Worm - g-zilla.exe" nocase-ignored MCAFEE,10540 sid:770 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="Toadie.exe"" -j LOG	# "Virus - Possible ToadieE-mail Trojan" nocase-ignored MCAFEE,10540 sid:771 classtype:misc-activity
#iptables -A SnortRules -p tcp --sport 110 -m string --string "\CoolProgs\" -j LOG	#Cannot convert: Mishandled quotes	 "Virus - Possible PrettyPark Trojan" MCAFEE,10175 sid:772 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "X-Spanska:Yes" -j LOG	# "Virus - Possible Happy99 Virus" MCAFEE,10144 sid:773 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "name =\"links.vbs\"" -j LOG	# "Virus - Possible CheckThis Trojan" sid:774 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "BubbleBoy is back!" -j LOG	# "Virus - Possible Bubbleboy Worm" MCAFEE,10418 sid:775 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="COPIER.EXE"" -j LOG	# "Virus - Possible NewApt.Worm - copier.exe" nocase-ignored MCAFEE,10540 sid:776 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "name =\"pics4you.exe\"" -j LOG	# "Virus - Possible MyPics Worm" MCAFEE,10467 sid:777 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "name =\"X-MAS.EXE\"" -j LOG	# "Virus - Possible Babylonia - X-MAS.exe" MCAFEE,10461 sid:778 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="GADGET.EXE"" -j LOG	# "Virus - Possible NewApt.Worm - gadget.exe" nocase-ignored MCAFEE,10540 sid:779 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="IRNGLANT.EXE"" -j LOG	# "Virus - Possible NewApt.Worm - irnglant.exe" nocase-ignored MCAFEE,10540 sid:780 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="CASPER.EXE"" -j LOG	# "Virus - Possible NewApt.Worm - casper.exe" nocase-ignored MCAFEE,10540 sid:781 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="FBORFW.EXE"" -j LOG	# "Virus - Possible NewApt.Worm - fborfw.exe" nocase-ignored MCAFEE,10540 sid:782 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="SADDAM.EXE"" -j LOG	# "Virus - Possible NewApt.Worm - saddam.exe" nocase-ignored MCAFEE,10540 sid:783 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="BBOY.EXE"" -j LOG	# "Virus - Possible NewApt.Worm - bboy.exe" nocase-ignored MCAFEE,10540 sid:784 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="MONICA.EXE"" -j LOG	# "Virus - Possible NewApt.Worm - monica.exe" nocase-ignored MCAFEE,10540 sid:785 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="GOAL.EXE"" -j LOG	# "Virus - Possible NewApt.Worm - goal.exe" nocase-ignored MCAFEE,10540 sid:786 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="PANTHER.EXE"" -j LOG	# "Virus - Possible NewApt.Worm - panther.exe" nocase-ignored MCAFEE,10540 sid:787 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="CHESTBURST.EXE"" -j LOG	# "Virus - Possible NewApt.Worm - chestburst.exe" nocase-ignored MCAFEE,10540 sid:788 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="FARTER.EXE"" -j LOG	# "Virus - Possible NewApt.Worm - farter.exe" nocase-ignored MCAFEE,1054 sid:789 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "name =\"THE_FLY.CHM\"" -j LOG	# "Virus - Possible Common Sense Worm" sid:790 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="CUPID2.EXE"" -j LOG	# "Virus - Possible NewApt.Worm - cupid2.exe" nocase-ignored MCAFEE,10540 sid:791 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="RESUME1.DOC"" -j LOG	# "Virus - Possible Resume Worm" nocase-ignored MCAFEE,98661 sid:792 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "multipart" --string "name=" --string ".vbs" -j LOG	# "Virus - Mail .VBS" nocase-ignored sid:793 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="Explorer.doc"" -j LOG	# "Virus - Possible Resume Worm" nocase-ignored MCAFEE,98661 sid:794 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=" --string ".txt.vbs" -j LOG	# "Virus - Possible Worm - txt.vbs file" nocase-ignored sid:795 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=" --string ".xls.vbs" -j LOG	# "Virus - Possible Worm - xls.vbs file" nocase-ignored sid:796 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=" --string ".jpg.vbs" -j LOG	# "Virus - Possible Worm - jpg.vbs file" nocase-ignored sid:797 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=" --string ".gif.vbs" -j LOG	# "Virus - Possible Worm - gif.vbs file" nocase-ignored sid:798 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="TIMOFONICA.TXT.vbs"" -j LOG	# "Virus - Possible Timofonica Worm" nocase-ignored MCAFEE,98674 sid:799 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="NORMAL.DOT"" -j LOG	# "Virus - Possible Resume Worm" nocase-ignored MCAFEE,98661 sid:800 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=" --string ".doc.vbs" -j LOG	# "Virus - Possible Worm - doc.vbs file" nocase-ignored sid:801 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "name =\"Zipped_Files.EXE\"" -j LOG	# "Virus - Possbile Zipped Files Trojan" MCAFEE,10450 sid:802 classtype:misc-activity