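# Snort signatures translated into iptables LOG rules on the user chain
# "SnortRules". Each rule's trailing comment is the original Snort message,
# reference list, classtype and sid; "#Cannot convert:" marks signatures with
# no iptables equivalent, kept here disabled so the gap in coverage is visible.
# "nocase-ignored" means the Snort rule was case-insensitive but -m string is
# not, so those matches are case-sensitive here.
#
# The network variables may be overridden from the environment. The default
# 0/0 makes HOME_NET and EXTERNAL_NET identical, so the -s/-d direction checks
# below do not narrow anything until HOME_NET is set to the real internal range.
HOME_NET=${HOME_NET:-0/0}
EXTERNAL_NET=${EXTERNAL_NET:-0/0}
SMTP=${SMTP:-$HOME_NET}
HTTP_SERVERS=${HTTP_SERVERS:-$HOME_NET}
SQL_SERVERS=${SQL_SERVERS:-$HOME_NET}
DNS_SERVERS=${DNS_SERVERS:-$HOME_NET}

# A signature with several content: strings is expressed as one -m string match
# per string, since the string match takes a single --string; every match must
# succeed for the rule to log, which is the AND semantics of the Snort rule.
#
# NOTE(review): the non-ASCII and empty --string payloads (e.g. SID292, SID295
# to SID301, SID1325 to SID1327, SID253 to SID255, SID261 to SID267, SID518,
# SID809) look mis-encoded relative to the binary Snort content they came from;
# they are kept verbatim but should be re-derived from the source signatures
# (iptables' --hex-string form preserves arbitrary bytes) before those rules are
# relied on.
# NOTE(review): -m dsize is not a stock iptables match (the standard -m length
# match measures the whole packet, not the payload); confirm the target kernel
# provides it. Newer xt_string also requires --algo on every -m string match,
# which this ruleset does not pass.
# A rule that fails to load is reported by iptables on stderr and the remaining
# rules are still attempted.
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 0 -j LOG --log-prefix " SID524 " # "BAD TRAFFIC tcp port 0 traffic" sid:524 classtype:misc-activity
iptables -A SnortRules -p tcp -d "$EXTERNAL_NET" -s "$HOME_NET" --sport 0 -j LOG --log-prefix " SID524 " # "BAD TRAFFIC tcp port 0 traffic" sid:524 classtype:misc-activity
iptables -A SnortRules -p udp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 0 -j LOG --log-prefix " SID525 " # "BAD TRAFFIC udp port 0 traffic" sid:525 classtype:misc-activity
iptables -A SnortRules -p udp -d "$EXTERNAL_NET" -s "$HOME_NET" --sport 0 -j LOG --log-prefix " SID525 " # "BAD TRAFFIC udp port 0 traffic" sid:525 classtype:misc-activity
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --tcp-flags ALL SYN -m dsize --dsize 7: -j LOG --log-prefix " SID526 " # "BAD TRAFFIC data in TCP SYN packet" sid:526 classtype:misc-activity
# Loopback addresses seen on the wire in either direction.
iptables -A SnortRules -d 127.0.0.0/8 -j LOG --log-prefix " SID528 " # "BAD TRAFFIC loopback traffic" classtype:bad-unknown sid:528
iptables -A SnortRules -s 127.0.0.0/8 -j LOG --log-prefix " SID528 " # "BAD TRAFFIC loopback traffic" classtype:bad-unknown sid:528
#iptables -A SnortRules -s "$EXTERNAL_NET" -d "$HOME_NET" -j LOG --log-prefix " SID523 " #Cannot convert: fragbits:R "BAD TRAFFIC ip reserved bit set" sid:523 classtype:misc-activity
iptables -A SnortRules -s "$EXTERNAL_NET" -d "$HOME_NET" -m ttl --ttl-eq 0 -j LOG --log-prefix " SID1321 " # "BAD TRAFFIC 0 ttl" sid:1321 classtype:misc-activity
#iptables -A SnortRules -s "$EXTERNAL_NET" -d "$HOME_NET" -j LOG --log-prefix " SID1322 " #Cannot convert: fragbits: MD "BAD TRAFFIC bad frag bits" sid:1322 classtype:misc-activity
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 22 --tcp-flags ACK ACK -m string --string "/bin/sh" -j LOG --log-prefix " SID1324 " # "EXPLOIT ssh CRC32 overflow /bin/sh" bugtraq,2347 cve,CVE-2001-0144 classtype:shellcode-detect sid:1324
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 22 --tcp-flags ACK ACK -m string --string "" -j LOG --log-prefix " SID1325 " # "EXPLOIT ssh CRC32 overflow filler" bugtraq,2347 cve,CVE-2001-0144 classtype:shellcode-detect sid:1325
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 22 --tcp-flags ACK ACK -m string --string "" -j LOG --log-prefix " SID1326 " # "EXPLOIT ssh CRC32 overflow NOOP" bugtraq,2347 cve,CVE-2001-0144 classtype:shellcode-detect sid:1326
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 22 --tcp-flags ACK ACK -m string --string "W" -m string --string "" -j LOG --log-prefix " SID1327 " # "EXPLOIT ssh CRC32 overflow" bugtraq,2347 cve,CVE-2001-0144 classtype:shellcode-detect sid:1327
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" --sport 80 -d "$HOME_NET" -m string --string "3ɱ?Q" -j LOG --log-prefix " SID292 " # "EXPLOIT x86 linux samba overflow" bugtraq,1816 cve,CVE-1999-0811 cve,CVE-1999-0182 classtype:attempted-admin sid:292
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 143 --tcp-flags ACK ACK -m string --string "/bin/sh" -j LOG --log-prefix " SID293 " # "EXPLOIT imap overflow" classtype:attempted-admin sid:293
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 143 --tcp-flags ACK ACK -m string --string "@̀/" -j LOG --log-prefix " SID295 " # "EXPLOIT imap x86 linux overflow" bugtraq,130 cve,CVE-1999-0005 classtype:attempted-admin sid:295
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 143 --tcp-flags ACK ACK -m string --string "4^^ 1҉V" -j LOG --log-prefix " SID296 " # "EXPLOIT imap x86 linux overflow" bugtraq,130 cve,CVE-1999-0005 classtype:attempted-admin sid:296
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 143 --tcp-flags ACK ACK -m string --string "5^F0F0F0" -j LOG --log-prefix " SID297 " # "EXPLOIT imap x86 linux overflow" bugtraq,130 cve,CVE-1999-0005 classtype:attempted-admin sid:297
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 143 --tcp-flags ACK ACK -m string --string "8^؀F F" -j LOG --log-prefix " SID298 " # "EXPLOIT imap x86 linux overflow" bugtraq,130 cve,CVE-1999-0005 classtype:attempted-admin sid:298
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 143 --tcp-flags ACK ACK -m string --string "X^1ۃ^&" -j LOG --log-prefix " SID299 " # "EXPLOIT imap x86 linux overflow" bugtraq,130 cve, CVE-1999-0005 classtype:attempted-admin sid:299
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 2766 --tcp-flags ACK ACK -m string --string "#^3FF6" -j LOG --log-prefix " SID300 " # "EXPLOIT nlps x86 solaris overflow" classtype:attempted-admin sid:300 bugtraq,2319
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 515 --tcp-flags ACK ACK -m string --string "C[KC ̀1̀/bin/sh" -j LOG --log-prefix " SID301 " # "EXPLOIT LPRng overflow" bugtraq,1712 classtype:attempted-admin sid:301
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 515 --tcp-flags ACK ACK -m string --string "XXXX%.172u%300\$n" -j LOG --log-prefix " SID302 " # "EXPLOIT redhat 7.0 lprd overflow" classtype:attempted-admin sid:302
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 53 -m string --string " a" -j LOG --log-prefix " SID303 " # "EXPLOIT named tsig infoleak" cve,CAN-2000-0010 bugtraq,2302 arachnids,482 classtype:attempted-admin sid:303
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 6373 --tcp-flags ACK ACK -m string --string "]UMM" -j LOG --log-prefix " SID304 " # "EXPLOIT sco calserver overflow" bugtraq,2353 classtype:attempted-admin sid:304
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 8080 -m string --string "whois://" --tcp-flags ACK ACK -m dsize --dsize 1001: -j LOG --log-prefix " SID305 " # "EXPLOIT delegate proxy overflow" nocase-ignored arachnids,267 classtype:attempted-admin sid:305 bugtraq,808 cve,CVE-2000-0165
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 9090 --tcp-flags ACK ACK -m string --string "GET / HTTP/1.1" -j LOG --log-prefix " SID306 " # "EXPLOIT VQServer admin" nocase-ignored bugtraq,1610 cve,CAN-2000-0766 classtype:attempted-admin sid:306
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 6666:7000 --tcp-flags ACK ACK -m string --string "K[S2 K#Pw" -j LOG --log-prefix " SID307 " # "EXPLOIT IRC topic overflow" cve,CVE-1999-0672 bugtraq,573 classtype:attempted-user sid:307
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 21 --tcp-flags ACK ACK -m string --string " ̃3f" -j LOG --log-prefix " SID308 " # "EXPLOIT NextFTP client overflow" bugtraq,572 cve,CVE-1999-0671 classtype:attempted-user sid:308
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$SMTP" --dport 25 --tcp-flags ACK ACK -m string --string "from:" -m dsize --dsize 513: -j LOG --log-prefix " SID309 " # "EXPLOIT sniffit overflow" nocase-ignored bugtraq,1158 cve,CAN-2000-0343 arachnids,273 classtype:attempted-admin sid:309
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$SMTP" --dport 25 --tcp-flags ACK ACK -m string --string "E [3ɱ+" -j LOG --log-prefix " SID310 " # "EXPLOIT x86 windows MailMax overflow" bugtraq,2312 cve,CVE-1999-0404 classtype:attempted-admin sid:310
# Outbound DDoS agent traffic: these watch HOME_NET as the source.
iptables -A SnortRules -p tcp -s "$HOME_NET" -d "$EXTERNAL_NET" --dport 80 -m string --string "3ɱ?Q" --tcp-flags ACK ACK -j LOG --log-prefix " SID247 " # "DDOS mstream client to handler" cve,CAN-2000-0138 classtype:attempted-dos sid:247
iptables -A SnortRules -p tcp -s "$HOME_NET" --sport 12754 -d "$EXTERNAL_NET" -m string --string ">" --tcp-flags ACK ACK -j LOG --log-prefix " SID248 " # "DDOS mstream handler to client" cve,CAN-2000-0138 classtype:attempted-dos sid:248
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 15104 --tcp-flags ALL SYN -j LOG --log-prefix " SID249 " # "DDOS mstream client to handler" arachnids,111 cve,CAN-2000-0138 classtype:attempted-dos sid:249
iptables -A SnortRules -p tcp -s "$HOME_NET" --sport 15104 -d "$EXTERNAL_NET" -m string --string ">" --tcp-flags ACK ACK -j LOG --log-prefix " SID250 " # "DDOS mstream handler to client" cve,CAN-2000-0138 classtype:attempted-dos sid:250
#iptables -A SnortRules -p icmp -s "$EXTERNAL_NET" -d "$HOME_NET" --icmp-type 0 -j LOG --log-prefix " SID251 " #Cannot convert: icmp_id: 51201 icmp_seq: 0 "DDOS - TFN client command LE" arachnids,183 classtype:attempted-dos sid:251
iptables -A SnortRules -p udp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 53 -m string --string " " -j LOG --log-prefix " SID252 " # "DNS named iquery attempt" arachnids,277 cve,CVE-1999-0009 bugtraq,134 classtype:attempted-recon sid:252
iptables -A SnortRules -p udp -s "$EXTERNAL_NET" --sport 53 -d "$HOME_NET" -m string --string "" -m string --string " <" -j LOG --log-prefix " SID253 " # "DNS SPOOF query response PTR with TTL: 1 min. and no authority" classtype:bad-unknown sid:253
iptables -A SnortRules -p udp -s "$EXTERNAL_NET" --sport 53 -d "$HOME_NET" -m string --string "" -m string --string " <" -j LOG --log-prefix " SID254 " # "DNS SPOOF query response with ttl: 1 min. and no authority" classtype:bad-unknown sid:254
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 53 -m string --string "" --tcp-flags ACK ACK -j LOG --log-prefix " SID255 " # "DNS zone transfer" arachnids,212 classtype:attempted-recon sid:255
iptables -A SnortRules -p udp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 53 -m string --string "authors" -m string --string "bind" -j LOG --log-prefix " SID256 " # "DNS named authors attempt" nocase-ignored arachnids,480 classtype:attempted-recon sid:256
iptables -A SnortRules -p udp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 53 -m string --string "version" -m string --string "bind" -j LOG --log-prefix " SID257 " # "DNS named version attempt" nocase-ignored arachnids,278 classtype:attempted-recon sid:257
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 53 --tcp-flags ACK ACK -m string --string "../../../../../../../../../" -j LOG --log-prefix " SID258 " # "DNS EXPLOIT named 8.2->8.2.1" cve,CVE-1999-0833 classtype:attempted-admin sid:258
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 53 --tcp-flags ACK ACK -m string --string "thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool" -j LOG --log-prefix " SID259 " # "DNS EXPLOIT named overflow" cve,CVE-1999-0833 classtype:attempted-admin sid:259
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 53 --tcp-flags ACK ACK -m string --string "ADMROCKS" -j LOG --log-prefix " SID260 " # "DNS EXPLOIT named" cve,CVE-1999-0833 classtype:attempted-admin sid:260
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 53 --tcp-flags ACK ACK -m string --string "̀/bin/sh" -j LOG --log-prefix " SID261 " # "DNS EXPLOIT named" classtype:attempted-admin sid:261
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 53 --tcp-flags ACK ACK -m string --string "1?1۳1̀1" -j LOG --log-prefix " SID262 " # "DNS EXPLOIT x86 linux" classtype:attempted-admin sid:262
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 53 --tcp-flags ACK ACK -m string --string "1̀uLL^" -j LOG --log-prefix " SID264 " # "DNS EXPLOIT x86 linux" classtype:attempted-admin sid:264
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 53 --tcp-flags ACK ACK -m string --string ")lj<" -j LOG --log-prefix " SID265 " # "DNS EXPLOIT x86 linux ADMv2" classtype:attempted-admin sid:265
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 53 --tcp-flags ACK ACK -m string --string "n^1ɉNF" -j LOG --log-prefix " SID266 " # "DNS EXPLOIT x86 freebsd" classtype:attempted-admin sid:266
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 53 --tcp-flags ACK ACK -m string --string "  #" -j LOG --log-prefix " SID267 " # "DNS EXPLOIT sparc" classtype:attempted-admin sid:267
# SID1289 has no -s/-d in the source signature and so watches every direction.
iptables -A SnortRules -p udp --dport 69 -m string --string "Admin.dlloctet" -j LOG --log-prefix " SID1289 " # "TFTP GET Admin.dll" classtype:successful-admin url,www.cert.org/advisories/CA-2001-26.html sid:1289
iptables -A SnortRules -p udp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 69 -m string --string "" -j LOG --log-prefix " SID518 " # "TFTP Write" cve,CVE-1999-0183 arachnids,148 classtype:bad-unknown sid:518
iptables -A SnortRules -p udp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 69 -m string --string ".." -j LOG --log-prefix " SID519 " # "TFTP parent directory" arachnids,137 cve,CVE-1999-0183 classtype:bad-unknown sid:519
iptables -A SnortRules -p udp -s "$EXTERNAL_NET" -d "$HOME_NET" --dport 69 -m string --string "/" -j LOG --log-prefix " SID520 " # "TFTP root directory" arachnids,138 cve,CVE-1999-0183 classtype:bad-unknown sid:520
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 -m string --string "/hsx.cgi" -m string --string "../../" -m string --string "%00" --tcp-flags ACK ACK -j LOG --log-prefix " SID803 " # "WEB-CGI HyperSeek directory traversal attempt" bugtraq,2314 cve,CAN-2001-0253 classtype:web-application-attack sid:803
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 -m string --string "/s.cgi" -m string --string "tmpl=" -m dsize --dsize 501: --tcp-flags ACK ACK -j LOG --log-prefix " SID804 " # "WEB-CGI SWSoft ASPSeek Overflow attempt" nocase-ignored bugtraq,2492 classtype:web-application-attack sid:804
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/wsisa.dll/WService=" -m string --string "WSMadmin" -j LOG --log-prefix " SID805 " # "WEB-CGI webspeed access" nocase-ignored nocase-ignored arachnids,467 classtype:attempted-user sid:805
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/YaBB.pl" -m string --string "../" -j LOG --log-prefix " SID806 " # "WEB-CGI yabb access" arachnids,462 classtype:attempted-recon sid:806
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/wwwboard/passwd.txt" -j LOG --log-prefix " SID807 " # "WEB-CGI wwwboard passwd access" nocase-ignored arachnids,463 classtype:attempted-recon sid:807
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/webdriver" -j LOG --log-prefix " SID808 " # "WEB-CGI webdriver access" nocase-ignored arachnids,473 classtype:attempted-recon sid:808
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/whois_raw.cgi?" -m string --string "" -j LOG --log-prefix " SID809 " # "WEB-CGI whoisraw attempt" arachnids,466 classtype:web-application-attack sid:809
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/whois_raw.cgi" -j LOG --log-prefix " SID810 " # "WEB-CGI whoisraw access" arachnids,466 classtype:attempted-recon sid:810
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string " /HTTP/1." -j LOG --log-prefix " SID811 " # "WEB-CGI websitepro path access" nocase-ignored arachnids,468 classtype:attempted-recon sid:811
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/webplus?about " -j LOG --log-prefix " SID812 " # "WEB-CGI webplus version access" nocase-ignored arachnids,470 classtype:attempted-recon sid:812
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/webplus?script" -m string --string "../" -j LOG --log-prefix " SID813 " # "WEB-CGI webplus directory trasversal" nocase-ignored arachnids,471 classtype:web-application-attack sid:813
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/websendmail" -j LOG --log-prefix " SID815 " # "WEB-CGI websendmail access" nocase-ignored cve,CVE-1999-0196 arachnids,469 bugtraq,2077 classtype:attempted-recon sid:815
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/dcboard.cgi" -m string --string "command=register" -m string --string "%7cadmin" -j LOG --log-prefix " SID817 " # "WEB-CGI dcforum.cgi invalid user addition attempt" classtype:web-application-attack sid:817
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 -m string --string "/dcforum.cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID818 " # "WEB-CGI dcforum.cgi access" classtype:attempted-recon sid:818
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 -m string --string "/mmstdod.cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID819 " # "WEB-CGI mmstdod.cgi access" nocase-ignored classtype:attempted-recon sid:819
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/apexec.pl" -m string --string "template=../" -j LOG --log-prefix " SID820 " # "WEB-CGI anaconda directory transversal attempt" nocase-ignored cve,CVE-2000-0975 bugtraq,2388 classtype:web-application-attack sid:820
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 -m dsize --dsize 1001: --tcp-flags ALL ACK -m string --string "/imagemap.exe?" -j LOG --log-prefix " SID821 " # "WEB-CGI imagemap overflow attempt" nocase-ignored arachnids,412 classtype:web-application-attack sid:821
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/cvsweb.cgi" -j LOG --log-prefix " SID823 " # "WEB-CGI cvsweb.cgi access" nocase-ignored cve,CVE-2000-0670 bugtraq,1469 classtype:attempted-recon sid:823
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/php.cgi" -j LOG --log-prefix " SID824 " # "WEB-CGI php access" nocase-ignored bugtraq,2250 arachnids,232 classtype:attempted-recon sid:824
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/glimpse" -j LOG --log-prefix " SID825 " # "WEB-CGI glimpse access" nocase-ignored bugtraq,2026 classtype:attempted-recon sid:825
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/htmlscript" -j LOG --log-prefix " SID826 " # "WEB-CGI htmlscript access" nocase-ignored bugtraq,2001 cve,CVE-1999-0264 classtype:attempted-recon sid:826
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/info2www" -j LOG --log-prefix " SID827 " # "WEB-CGI info2www access" nocase-ignored bugtraq,1995 cve,CVE-1999-0266 classtype:attempted-recon sid:827
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/maillist.pl" -j LOG --log-prefix " SID828 " # "WEB-CGI maillist.pl access" nocase-ignored classtype:attempted-recon sid:828
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/nph-test-cgi" -j LOG --log-prefix " SID829 " # "WEB-CGI nph-test-cgi access" nocase-ignored arachnids,224 cve,CVE-1999-0045 bugtraq,686 classtype:attempted-recon sid:829
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/nph-publish" -j LOG --log-prefix " SID830 " # "WEB-CGI NPH-publish access" nocase-ignored classtype:attempted-recon sid:830
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/perl.exe" -j LOG --log-prefix " SID832 " # "WEB-CGI perl.exe access" nocase-ignored arachnids,219 classtype:attempted-recon sid:832
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/rguest.exe" -j LOG --log-prefix " SID833 " # "WEB-CGI rguest.exe access" nocase-ignored cve,CAN-1999-0467 bugtraq,2024 classtype:attempted-recon sid:833
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/rwwwshell.pl" -j LOG --log-prefix " SID834 " # "WEB-CGI rwwwshell.pl access" nocase-ignored classtype:attempted-recon sid:834
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/test-cgi" -j LOG --log-prefix " SID835 " # "WEB-CGI test-cgi access" nocase-ignored cve,CVE-1999-0070 arachnids,218 classtype:attempted-recon sid:835
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/textcounter.pl" -j LOG --log-prefix " SID836 " # "WEB-CGI testcounter.pl access" nocase-ignored classtype:attempted-recon sid:836
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/uploader.exe" -j LOG --log-prefix " SID837 " # "WEB-CGI uploader.exe access" nocase-ignored cve,CVE-1999-0177 classtype:attempted-recon sid:837
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/webgais" -j LOG --log-prefix " SID838 " # "WEB-CGI webgais access" nocase-ignored arachnids,472 bugtraq,2058 cve,CVE-1999-0176 classtype:attempted-recon sid:838
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/finger" -j LOG --log-prefix " SID839 " # "WEB-CGI finger access" nocase-ignored arachnids,221 cve,CVE-1999-0612 classtype:attempted-recon sid:839
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/perlshop.cgi" -j LOG --log-prefix " SID840 " # "WEB-CGI perlshop.cgi access" nocase-ignored classtype:attempted-recon sid:840
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/pfdisplay.cgi" -j LOG --log-prefix " SID841 " # "WEB-CGI pfdisplay.cgi access" nocase-ignored bugtraq,64 cve,CVE-1999-0270 classtype:attempted-recon sid:841
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/aglimpse" -j LOG --log-prefix " SID842 " # "WEB-CGI aglimpse access" nocase-ignored cve,CVE-1999-0147 bugtraq,2026 classtype:attempted-recon sid:842
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/AnForm2" -j LOG --log-prefix " SID843 " # "WEB-CGI anform2 access" nocase-ignored cve,CVE-1999-0066 arachnids,225 classtype:attempted-recon sid:843
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/args.bat" -j LOG --log-prefix " SID844 " # "WEB-CGI args.bat access" nocase-ignored classtype:attempted-recon sid:844
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/AT-admin.cgi" -j LOG --log-prefix " SID845 " # "WEB-CGI AT-admin.cgi access" nocase-ignored classtype:attempted-recon sid:845
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/bnbform.cgi" -j LOG --log-prefix " SID846 " # "WEB-CGI bnbform.cgi access" nocase-ignored cve,CVE-1999-0937 bugtraq,1469 classtype:attempted-recon sid:846
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/campas" -j LOG --log-prefix " SID847 " # "WEB-CGI campas access" nocase-ignored cve,CVE-1999-0146 bugtraq,1975 classtype:attempted-recon sid:847
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/view-source" -m string --string "../" -j LOG --log-prefix " SID848 " # "WEB-CGI view-source directory traversal" nocase-ignored nocase-ignored cve,CVE-1999-0174 classtype:web-application-attack sid:848
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/view-source" -j LOG --log-prefix " SID849 " # "WEB-CGI view-source access" nocase-ignored cve,CVE-1999-0174 classtype:attempted-recon sid:849
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/wais.pl" -j LOG --log-prefix " SID850 " # "WEB-CGI wais.p access" nocase-ignored classtype:attempted-recon sid:850
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/files.pl" -j LOG --log-prefix " SID851 " # "WEB-CGI files.pl access" nocase-ignored classtype:attempted-recon sid:851
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/wguest.exe" -j LOG --log-prefix " SID852 " # "WEB-CGI wguest.exe access" nocase-ignored cve,CAN-1999-0467 bugtraq,2024 classtype:attempted-recon sid:852
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/wrap" -j LOG --log-prefix " SID853 " # "WEB-CGI wrap access" bugtraq,373 arachnids,234 cve,CVE-1999-0149 classtype:attempted-recon sid:853
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/classifieds.cgi" -j LOG --log-prefix " SID854 " # "WEB-CGI classifieds.cgi access" nocase-ignored bugtraq,2020 cve,CVE-1999-0934 classtype:attempted-recon sid:854
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/edit.pl" -j LOG --log-prefix " SID855 " # "WEB-CGI edit.pl access" nocase-ignored classtype:attempted-recon sid:855
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/environ.cgi" -j LOG --log-prefix " SID856 " # "WEB-CGI environ.cgi access" nocase-ignored classtype:attempted-recon sid:856
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/faxsurvey" -j LOG --log-prefix " SID857 " # "WEB-CGI faxsurvey access" nocase-ignored cve,CVE-1999-0262 bugtraq,2056 classtype:attempted-recon sid:857
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/filemail.pl" -j LOG --log-prefix " SID858 " # "WEB-CGI filemail access" nocase-ignored classtype:attempted-recon sid:858
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/man.sh" -j LOG --log-prefix " SID859 " # "WEB-CGI man.sh access" nocase-ignored classtype:attempted-recon sid:859
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/snork.bat" -j LOG --log-prefix " SID860 " # "WEB-CGI snork.bat access" nocase-ignored bugtraq,1053 cve,CVE-2000-0169 arachnids,220 classtype:attempted-recon sid:860
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/w3-msql/" -j LOG --log-prefix " SID861 " # "WEB-CGI w3-msql access" nocase-ignored bugtraq,591 cve,CVE-1999-0276 arachnids,210 classtype:attempted-recon sid:861
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/csh" -j LOG --log-prefix " SID862 " # "WEB-CGI csh access" nocase-ignored cve,CAN-1999-0509 classtype:attempted-recon sid:862
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/zsh" -j LOG --log-prefix " SID1309 " # "WEB-CGI zsh access" nocase-ignored cve,CAN-1999-0509 classtype:attempted-recon sid:1309
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/day5datacopier.cgi" -j LOG --log-prefix " SID863 " # "WEB-CGI day5datacopier.cgi access" nocase-ignored classtype:attempted-recon sid:863
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/day5datanotifier.cgi" -j LOG --log-prefix " SID864 " # "WEB-CGI day5datanotifier.cgi access" nocase-ignored classtype:attempted-recon sid:864
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/ksh" -j LOG --log-prefix " SID865 " # "WEB-CGI ksh access" nocase-ignored cve,CAN-1999-0509 classtype:attempted-recon sid:865
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/post-query" -j LOG --log-prefix " SID866 " # "WEB-CGI post-query access" nocase-ignored classtype:attempted-recon sid:866
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/visadmin.exe" -j LOG --log-prefix " SID867 " # "WEB-CGI visadmin.exe access" nocase-ignored bugtraq,1808 cve,CAN-1999-1970 classtype:attempted-recon sid:867
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/rsh" -j LOG --log-prefix " SID868 " # "WEB-CGI rsh access" nocase-ignored cve,CAN-1999-0509 classtype:attempted-recon sid:868
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/dumpenv.pl" -j LOG --log-prefix " SID869 " # "WEB-CGI dumpenv.pl access" nocase-ignored classtype:attempted-recon sid:869
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/snorkerz.cmd" -j LOG --log-prefix " SID870 " # "WEB-CGI snorkerz.cmd access" nocase-ignored classtype:attempted-recon sid:870
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/survey.cgi" -j LOG --log-prefix " SID871 " # "WEB-CGI survey.cgi access" nocase-ignored bugtraq,1817 cve,CVE-1999-0936 classtype:attempted-recon sid:871
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/tcsh" -j LOG --log-prefix " SID872 " # "WEB-CGI tcsh access" nocase-ignored cve,CAN-1999-0509 classtype:attempted-recon sid:872
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "///" -j LOG --log-prefix " SID873 " # "WEB-CGI scriptalias access" cve,CVE-1999-0236 bugtraq,2300 arachnids,227 classtype:attempted-recon sid:873
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/bin/shA-cA/usr/openwin" -j LOG --log-prefix " SID874 " # "WEB-CGI w3-msql solaris x86 access" nocase-ignored cve,CVE-1999-0276 arachnids,211 classtype:attempted-recon sid:874
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/win-c-sample.exe" -j LOG --log-prefix " SID875 " # "WEB-CGI win-c-sample.exe access" nocase-ignored bugtraq,2078 arachnids,231 cve,CVE-1999-0178 classtype:attempted-recon sid:875
# SID876 is a server-to-client signature: the web server is the source.
iptables -A SnortRules -p tcp -s "$HTTP_SERVERS" --sport 80 -d "$EXTERNAL_NET" --tcp-flags ACK ACK -m string --string "blaat@blaat.com" -j LOG --log-prefix " SID876 " # "WEB-CGI bugzilla 2.8 exploit " nocase-ignored arachnids,276 classtype:web-application-attack sid:876
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/rksh" -j LOG --log-prefix " SID877 " # "WEB-CGI rksh access" nocase-ignored cve,CAN-1999-0509 classtype:attempted-recon sid:877
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/w3tvars.pm" -j LOG --log-prefix " SID878 " # "WEB-CGI w2tvars.pm access" nocase-ignored classtype:attempted-recon sid:878
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/admin.pl" -j LOG --log-prefix " SID879 " # "WEB-CGI admin.pl access" nocase-ignored classtype:attempted-recon sid:879
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/LWGate" -j LOG --log-prefix " SID880 " # "WEB-CGI LWGate access" nocase-ignored classtype:attempted-recon sid:880
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/archie" -j LOG --log-prefix " SID881 " # "WEB-CGI archie access" nocase-ignored classtype:attempted-recon sid:881
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/calendar" -j LOG --log-prefix " SID882 " # "WEB-CGI calendar access" nocase-ignored classtype:attempted-recon sid:882
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/flexform" -j LOG --log-prefix " SID883 " # "WEB-CGI flexform access" nocase-ignored classtype:attempted-recon sid:883
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/formmail" -j LOG --log-prefix " SID884 " # "WEB-CGI formmail access" nocase-ignored bugtraq,1187 cve,CVE-1999-0172 arachnids,226 classtype:attempted-recon sid:884
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/bash" -j LOG --log-prefix " SID885 " # "WEB-CGI bash access" nocase-ignored cve,CAN-1999-0509 classtype:attempted-recon sid:885
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/phf" -j LOG --log-prefix " SID886 " # "WEB-CGI phf access" nocase-ignored bugtraq,629 arachnids,128 cve,CVE-1999-0067 classtype:attempted-recon sid:886
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/www-sql" -j LOG --log-prefix " SID887 " # "WEB-CGI www-sql access" nocase-ignored classtype:attempted-recon sid:887
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/wwwadmin.pl" -j LOG --log-prefix " SID888 " # "WEB-CGI wwwadmin.pl access" nocase-ignored classtype:attempted-recon sid:888
# The trailing Snort metadata for SID889 continues beyond this section of the file.
iptables -A SnortRules -p tcp -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --dport 80 --tcp-flags ACK ACK -m string --string "/ppdscgi.exe" -j LOG --log-prefix " SID889 " # "WEB-CGI ppdscgi.exe access"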
nocase-ignored bugtraq,491 classtype:attempted-recon sid:889 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/sendform.cgi" -j LOG --log-prefix " SID890 " # "WEB-CGI sendform.cgi access" nocase-ignored classtype:attempted-recon sid:890 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/upload.pl" -j LOG --log-prefix " SID891 " # "WEB-CGI upload.pl access" nocase-ignored classtype:attempted-recon sid:891 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/AnyForm2" -j LOG --log-prefix " SID892 " # "WEB-CGI AnyForm2 access" nocase-ignored bugtraq,719 cve,CVE-1999-0066 classtype:attempted-recon sid:892 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/MachineInfo" -j LOG --log-prefix " SID893 " # "WEB-CGI MachineInfo access" nocase-ignored classtype:attempted-recon sid:893 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bb-hist.sh" -j LOG --log-prefix " SID894 " # "WEB-CGI bb-hist.sh access" nocase-ignored bugtraq,142 classtype:attempted-recon sid:894 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/redirect" -j LOG --log-prefix " SID895 " # "WEB-CGI redirect access" nocase-ignored bugtraq,1179 cve,CVE-2000-0382 classtype:attempted-recon sid:895 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/way-board" --tcp-flags ACK ACK -j LOG --log-prefix " SID896 " # "WEB-CGI wayboard access" nocase-ignored bugtraq,2370 classtype:attempted-recon sid:896 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/pals-cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID897 " # "WEB-CGI pals-cgi access" 
nocase-ignored cve,CAN-2001-0216 cve,CAN-2001-0217 bugtraq,2372 classtype:attempted-recon sid:897 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/commerce.cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID898 " # "WEB-CGI commerce.cgi access" nocase-ignored classtype:attempted-recon sid:898 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/sendtemp.pl" --string "templ=" --tcp-flags ACK ACK -j LOG --log-prefix " SID899 " # "WEB-CGI Amaya templates sendtemp.pl directory traversal attempt" nocase-ignored nocase-ignored bugtraq,2504 classtype:web-application-attack sid:899 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/webspirs.cgi" --string "../../" --tcp-flags ACK ACK -j LOG --log-prefix " SID900 " # "WEB-CGI webspirs directory traversal attempt" nocase-ignored nocase-ignored bugtraq,2362 classtype:web-application-attack sid:900 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/webspirs.cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID901 " # "WEB-CGI webspirs access" nocase-ignored bugtraq,2362 classtype:attempted-recon sid:901 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "tstisapi.dll" --tcp-flags ACK ACK -j LOG --log-prefix " SID902 " # "WEB-CGI tstisapi.dll access" nocase-ignored classtype:attempted-recon sid:902 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/sendmessage.cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID1308 " # "WEB-CGI sendmessage.cgi access" nocase-ignored classtype:attempted-recon sid:1308 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfcache.map" -j LOG --log-prefix " SID903 " # "WEB-COLDFUSION cfcache.map access" nocase-ignored bugtraq,917 cve,CVE-2000-0057 classtype:attempted-recon 
sid:903 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/exampleapp/email/application.cfm" -j LOG --log-prefix " SID904 " # "WEB-COLDFUSION exampleapp application.cfm" nocase-ignored bugtraq,1021 classtype:attempted-recon sid:904 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/exampleapp/publish/admin/application.cfm" -j LOG --log-prefix " SID905 " # "WEB-COLDFUSION application.cfm access" nocase-ignored bugtraq,1021 classtype:attempted-recon sid:905 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/exampleapp/email/getfile.cfm" -j LOG --log-prefix " SID906 " # "WEB-COLDFUSION getfile.cfm access" nocase-ignored bugtraq,229 classtype:attempted-recon sid:906 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/exampleapp/publish/admin/addcontent.cfm" -j LOG --log-prefix " SID907 " # "WEB-COLDFUSION addcontent.cfm access" nocase-ignored classtype:attempted-recon sid:907 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/cfide/administrator/index.cfm" --tcp-flags ACK ACK -j LOG --log-prefix " SID908 " # "WEB-COLDFUSION administrator access" nocase-ignored classtype:attempted-recon sid:908 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CF_SETDATASOURCEUSERNAME()" -j LOG --log-prefix " SID909 " # "WEB-COLDFUSION datasource username attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:909 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/snippets/fileexists.cfm" -j LOG --log-prefix " SID910 " # "WEB-COLDFUSION fileexists.cfm access" nocase-ignored bugtraq,550 
classtype:attempted-recon sid:910 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/expeval/exprcalc.cfm" -j LOG --log-prefix " SID911 " # "WEB-COLDFUSION exprcalc access" nocase-ignored cve,CVE-1999-0455 bugtraq,550 classtype:attempted-recon sid:911 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/examples/parks/detail.cfm" -j LOG --log-prefix " SID912 " # "WEB-COLDFUSION parks access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:912 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfappman/index.cfm" -j LOG --log-prefix " SID913 " # "WEB-COLDFUSION cfappman access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:913 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/examples/cvbeans/beaninfo.cfm" -j LOG --log-prefix " SID914 " # "WEB-COLDFUSION beaninfo access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:914 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/snippets/evaluate.cfm" -j LOG --log-prefix " SID915 " # "WEB-COLDFUSION evaluate.cfm access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:915 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_GETODBCDSN()" -j LOG --log-prefix " SID916 " # "WEB-COLDFUSION getodbcdsn access" nocase-ignored bugtraq,550 classtype:web-application-attack sid:916 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_DBCONNECTIONS_FLUSH()" -j LOG --log-prefix " SID917 " # "WEB-COLDFUSION db connections flush attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:917 iptables -A 
SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/expeval/" -j LOG --log-prefix " SID918 " # "WEB-COLDFUSION expeval access" nocase-ignored bugtraq,550 cve,CAN-1999-0477 classtype:attempted-user sid:918 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CF_SETDATASOURCEPASSWORD()" -j LOG --log-prefix " SID919 " # "WEB-COLDFUSION datasource passwordattempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:919 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CF_ISCOLDFUSIONDATASOURCE()" -j LOG --log-prefix " SID920 " # "WEB-COLDFUSION datasource attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:920 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_ENCRYPT()" -j LOG --log-prefix " SID921 " # "WEB-COLDFUSION admin encrypt attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:921 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/expeval/displayopenedfile.cfm" -j LOG --log-prefix " SID922 " # "WEB-COLDFUSION displayfile access" nocase-ignored bugtraq,550 classtype:web-application-attack sid:922 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_GETODBCINI()" -j LOG --log-prefix " SID923 " # "WEB-COLDFUSION getodbcin attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:923 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_DECRYPT()" -j LOG --log-prefix " SID924 " # "WEB-COLDFUSION admin decrypt attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:924 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d 
$HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/examples/mainframeset.cfm" -j LOG --log-prefix " SID925 " # "WEB-COLDFUSION mainframeset access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:925 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_SETODBCINI()" -j LOG --log-prefix " SID926 " # "WEB-COLDFUSION set odbc ini attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:926 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_SETTINGS_REFRESH()" -j LOG --log-prefix " SID927 " # "WEB-COLDFUSION settings refresh attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:927 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/exampleapp/" -j LOG --log-prefix " SID928 " # "WEB-COLDFUSION exampleapp access" nocase-ignored classtype:attempted-recon sid:928 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_VERIFYMAIL()" -j LOG --log-prefix " SID929 " # "WEB-COLDFUSION verify mai access" nocase-ignored bugtraq,550 classtype:attempted-user sid:929 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/snippets/" -j LOG --log-prefix " SID930 " # "WEB-COLDFUSION snippets attempt attempt" nocase-ignored bugtraq,550 classtype:attempted-recon sid:930 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/cfmlsyntaxcheck.cfm" -j LOG --log-prefix " SID931 " # "WEB-COLDFUSION cfmlsyntaxcheck.cfm access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:931 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/application.cfm" -j 
LOG --log-prefix " SID932 " # "WEB-COLDFUSION application.cfm access" nocase-ignored bugtraq,550 arachnids,268 cve,CAN-2000-0189 classtype:attempted-recon sid:932 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/onrequestend.cfm" -j LOG --log-prefix " SID933 " # "WEB-COLDFUSION onrequestend.cfm access" nocase-ignored bugtraq,550 arachnids,269 cve,CAN-2000-0189 classtype:attempted-recon sid:933 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/cfide/administrator/startstop.html" --tcp-flags ACK ACK -j LOG --log-prefix " SID935 " # "WEB-COLDFUSION startstop DOS access" nocase-ignored bugtraq,247 classtype:web-application-attack sid:935 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/snippets/gettempdirectory.cfm" -j LOG --log-prefix " SID936 " # "WEB-COLDFUSION gettempdirectory.cfm access " nocase-ignored bugtraq,550 classtype:attempted-recon sid:936 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/fp30reg.dll" -m dsize --dsize 259: --tcp-flags ACK ACK -j LOG --log-prefix " SID1246 " # "WEB-FRONTPAGE rad overflow attempt" nocase-ignored classtype:web-application-attack arachnids,555 bugtraq,2906 cve,CAN-2001-0341 sid:1246 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/fp4areg.dll" -m dsize --dsize 260: --tcp-flags ACK ACK -j LOG --log-prefix " SID1247 " # "WEB-FRONTPAGE rad overflow attempt" nocase-ignored cve,CAN-2001-0341 bugtraq,2906 classtype:web-application-attack sid:1247 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/fp30reg.dll" --tcp-flags ACK ACK -j LOG --log-prefix " SID1248 " # "WEB-FRONTPAGE rad fp30reg.dll access" nocase-ignored classtype:web-application-activity arachnids,555 bugtraq,2906 cve,CAN-2001-0341 sid:1248 iptables 
-A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/fp4areg.dll" --tcp-flags ACK ACK -j LOG --log-prefix " SID1249 " # "WEB-FRONTPAGE frontpage rad fp4areg.dll access" nocase-ignored cve,CAN-2001-0341 bugtraq,2906 classtype:web-application-activity sid:1249 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_rpc" -j LOG --log-prefix " SID937 " # "WEB-FRONTPAGE _vti_rpc access" nocase-ignored bugtraq,2144 classtype:web-application-activity sid:937 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "POST" --string "/author.dll" -j LOG --log-prefix " SID939 " # "WEB-FRONTPAGE posting" nocase-ignored classtype:web-application-activity sid:939 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/_vti_bin/shtml.dll" --tcp-flags ACK ACK -j LOG --log-prefix " SID940 " # "WEB-FRONTPAGE shtml.dll" nocase-ignored arachnids,292 classtype:web-application-activity sid:940 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admcgi/contents.htm" -j LOG --log-prefix " SID941 " # "WEB-FRONTPAGE contents.htm access" nocase-ignored classtype:web-application-activity sid:941 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/orders.htm" -j LOG --log-prefix " SID942 " # "WEB-FRONTPAGE orders.htm access" nocase-ignored classtype:web-application-activity sid:942 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/fpsrvadm.exe" -j LOG --log-prefix " SID943 " # "WEB-FRONTPAGE fpsrvadm.exe access" nocase-ignored classtype:web-application-activity sid:943 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/fpremadm.exe" -j 
LOG --log-prefix " SID944 " # "WEB-FRONTPAGE fpremadm.exe access" nocase-ignored classtype:web-application-activity sid:944 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admisapi/fpadmin.htm" -j LOG --log-prefix " SID945 " # "WEB-FRONTPAGE fpadmin.htm access" nocase-ignored classtype:web-application-activity sid:945 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/Fpadmcgi.exe" -j LOG --log-prefix " SID946 " # "WEB-FRONTPAGE fpadmcgi.exe access" nocase-ignored classtype:web-application-activity sid:946 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/orders.txt" -j LOG --log-prefix " SID947 " # "WEB-FRONTPAGE orders.txt access" nocase-ignored classtype:web-application-activity sid:947 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/form_results.txt" -j LOG --log-prefix " SID948 " # "WEB-FRONTPAGE form_results access" nocase-ignored classtype:web-application-activity sid:948 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/registrations.htm" -j LOG --log-prefix " SID949 " # "WEB-FRONTPAGE registrations.htm access" nocase-ignored classtype:web-application-activity sid:949 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfgqiz.exe" -j LOG --log-prefix " SID950 " # "WEB-FRONTPAGE cfgwiz.exe access" nocase-ignored classtype:web-application-activity sid:950 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/authors.pwd" -j LOG --log-prefix " SID951 " # "WEB-FRONTPAGE authors.pwd access" nocase-ignored classtype:web-application-activity sid:951 iptables -A SnortRules -p tcp 
-s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_bin/_vti_aut/author.exe" -j LOG --log-prefix " SID952 " # "WEB-FRONTPAGE author.exe access" nocase-ignored classtype:web-application-activity sid:952 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/administrators.pwd" -j LOG --log-prefix " SID953 " # "WEB-FRONTPAGE administrators.pwd" nocase-ignored bugtraq,1205 classtype:web-application-activity sid:953 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/form_results.htm" -j LOG --log-prefix " SID954 " # "WEB-FRONTPAGE form_results.htm access" nocase-ignored classtype:web-application-activity sid:954 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_pvt/access.cnf" -j LOG --log-prefix " SID955 " # "WEB-FRONTPAGE access.cnf access" nocase-ignored classtype:web-application-activity sid:955 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/register.txt" -j LOG --log-prefix " SID956 " # "WEB-FRONTPAGE register.txt access" nocase-ignored classtype:web-application-activity sid:956 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/registrations.txt" -j LOG --log-prefix " SID957 " # "WEB-FRONTPAGE registrations.txt access" nocase-ignored classtype:web-application-activity sid:957 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_pvt/service.cnf" -j LOG --log-prefix " SID958 " # "WEB-FRONTPAGE service.cnf access" nocase-ignored classtype:web-application-activity sid:958 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/service.pwd" -j LOG 
--log-prefix " SID959 " # "WEB-FRONTPAGE service.pwd" nocase-ignored bugtraq,1205 classtype:web-application-activity sid:959 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_pvt/service.stp" -j LOG --log-prefix " SID960 " # "WEB-FRONTPAGE service.stp access" nocase-ignored classtype:web-application-activity sid:960 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_pvt/services.cnf" -j LOG --log-prefix " SID961 " # "WEB-FRONTPAGE services.cnf access" nocase-ignored classtype:web-application-activity sid:961 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_bin/shtml.exe" -j LOG --log-prefix " SID962 " # "WEB-FRONTPAGE shtml.exe access" nocase-ignored cve,CAN-2000-0413 cve,CAN-2000-0709 bugtraq,1608 bugtraq,1174 classtype:web-application-activity sid:962 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_pvt/svcacl.cnf" -j LOG --log-prefix " SID963 " # "WEB-FRONTPAGE svcacl.cnf access" nocase-ignored classtype:web-application-activity sid:963 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/users.pwd" -j LOG --log-prefix " SID964 " # "WEB-FRONTPAGE users.pwd access" nocase-ignored classtype:web-application-activity sid:964 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "_vti_pvt/writeto.cnf" -j LOG --log-prefix " SID965 " # "WEB-FRONTPAGE writeto.cnf access" nocase-ignored classtype:web-application-activity sid:965 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "..../" -j LOG --log-prefix " SID966 " # "WEB-FRONTPAGE fourdots request" nocase-ignored bugtraq,989 cve,CAN-2000-0153 arachnids,248 
classtype:web-application-attack sid:966 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/dvwssr.dll" -j LOG --log-prefix " SID967 " # "WEB-FRONTPAGE dvwssr.dll access" nocase-ignored bugtraq,1108 cve,CVE-2000-0260 arachnids,271 classtype:web-application-activity sid:967 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/register.htm" -j LOG --log-prefix " SID968 " # "WEB-FRONTPAGE register.htm access" nocase-ignored classtype:web-application-activity sid:968 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_bin/" -j LOG --log-prefix " SID1288 " # "WEB-FRONTPAGE /_vti_bin/ access" nocase-ignored classtype:web-application-activity sid:1288 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "LOCK " -j LOG --log-prefix " SID969 " # "WEB-IIS webdav file lock attempt" bugtraq,2736 classtype:web-application-activity sid:969 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".printer" --tcp-flags ACK ACK -j LOG --log-prefix " SID971 " # "WEB-IIS ISAPI .printer access" nocase-ignored cve,CAN-2001-0241 arachnids,533 classtype:web-application-activity sid:971 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".ida?" 
-m dsize --dsize 240: --tcp-flags ACK ACK -j LOG --log-prefix " SID1243 " # "WEB-IIS ISAPI .ida attempt" nocase-ignored arachnids,552 classtype:web-application-attack cve,CAN-2000-0071 sid:1243 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".ida" --tcp-flags ACK ACK -j LOG --log-prefix " SID1242 " # "WEB-IIS ISAPI .ida access" nocase-ignored arachnids,552 classtype:web-application-activity cve,CAN-2000-0071 sid:1242 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".idq?" -m dsize --dsize 240: --tcp-flags ACK ACK -j LOG --log-prefix " SID1244 " # "WEB-IIS ISAPI .idq attempt" nocase-ignored arachnids,553 classtype:web-application-attack cve,CAN-2000-0071 sid:1244 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".idq" --tcp-flags ACK ACK -j LOG --log-prefix " SID1245 " # "WEB-IIS ISAPI .idq access" nocase-ignored arachnids,553 classtype:web-application-activity cve,CAN-2000-0071 sid:1245 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%2e.asp" -j LOG --log-prefix " SID972 " # "WEB-IIS %2E-asp access" nocase-ignored bugtraq,1814 cve,CAN-1999-0253 classtype:web-application-activity sid:972 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "*.idc" -j LOG --log-prefix " SID973 " # "WEB-IIS *.idc attempt" nocase-ignored bugtraq,1448 cve,CVE-1999-0874 classtype:web-application-attack sid:973 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "..\\.." -j LOG --log-prefix " SID974 " # "WEB-IIS .... 
access" bugtraq,2218 cve,CAN-1999-0229 classtype:web-application-attack sid:974 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".asp::$data" -j LOG --log-prefix " SID975 " # "WEB-IIS .asp$data access" nocase-ignored bugtraq,140 cve,CVE-1999-0278 classtype:web-application-attack sid:975 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".bat?&" -j LOG --log-prefix " SID976 " # "WEB-IIS .bat? access" nocase-ignored bugtraq,2023 cve,CVE-1999-0233 classtype:web-application-activity sid:976 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".cnf" --tcp-flags ACK ACK -j LOG --log-prefix " SID977 " # "WEB-IIS .cnf access" nocase-ignored classtype:web-application-activity sid:977 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%20&CiRestriction=none&CiHiliteType=Full" -j LOG --log-prefix " SID978 " # "WEB-IIS ASP contents view" cve,CAN-2000-0302 bugtraq,1084 classtype:web-application-attack sid:978 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/null.htw?CiWebHitsFile" -j LOG --log-prefix " SID979 " # "WEB-IIS ASP contents view" bugtraq,1861 classtype:web-application-activity sid:979 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/CGImail.exe" -j LOG --log-prefix " SID980 " # "WEB-IIS CGImail.exe access" nocase-ignored cve,CAN-2000-0726 bugtraq,1623 classtype:web-application-activity sid:980 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/scripts/..%c0%af../" --tcp-flags ACK ACK -j LOG --log-prefix " SID981 " # "WEB-IIS File permission canonicalization" nocase-ignored classtype:web-application-attack sid:981 iptables -A SnortRules -p tcp -s 
$EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/scripts/..%c1%1c../" --tcp-flags ACK ACK -j LOG --log-prefix " SID982 " # "WEB-IIS File permission canonicalization" nocase-ignored classtype:web-application-attack sid:982 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/scripts/..%c1%9c../" --tcp-flags ACK ACK -j LOG --log-prefix " SID983 " # "WEB-IIS File permission canonicalization" nocase-ignored classtype:web-application-attack sid:983 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/samples/ctguestb.idc" -j LOG --log-prefix " SID984 " # "WEB-IIS JET VBA access" nocase-ignored bugtraq,307 cve,CVE-1999-0874 classtype:web-application-activity sid:984 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/samples/details.idc" -j LOG --log-prefix " SID985 " # "WEB-IIS JET VBA access" nocase-ignored bugtraq,286 cve,CVE-1999-0874 classtype:web-application-activity sid:985 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/proxy/w3proxy.dll" -j LOG --log-prefix " SID986 " # "WEB-IIS MSProxy access" nocase-ignored classtype:web-application-activity sid:986 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "BBBB.htrHTTP" -j LOG --log-prefix " SID987 " # "WEB-IIS Overflow-htr access" nocase-ignored classtype:web-application-attack sid:987 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "sam._" -j LOG --log-prefix " SID988 " # "WEB-IIS SAM Attempt" nocase-ignored classtype:web-application-attack sid:988 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/sensepost.exe" --tcp-flags ACK ACK -j LOG --log-prefix " SID989 " # 
"WEB-IIS Unicode2.pl script (File permission canonicalization)" nocase-ignored classtype:web-application-activity sid:989 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "_vti_inf.html" -j LOG --log-prefix " SID990 " # "WEB-IIS _vti_inf access" nocase-ignored classtype:web-application-activity sid:990 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/iisadmpwd/achg.htr" -j LOG --log-prefix " SID991 " # "WEB-IIS achg.htr access" nocase-ignored cve,CVE-1999-0407 bugtraq,2110 classtype:web-application-activity sid:991 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/msadc/samples/adctest.asp" -j LOG --log-prefix " SID992 " # "WEB-IIS adctest.asp access" nocase-ignored classtype:web-application-activity sid:992 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/iisadmin" -j LOG --log-prefix " SID993 " # "WEB-IIS admin access" nocase-ignored classtype:web-application-attack sid:993 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/iisadmin/default.htm" -j LOG --log-prefix " SID994 " # "WEB-IIS admin-default access" nocase-ignored classtype:web-application-attack sid:994 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/iisadmin/ism.dll?http/dir" -j LOG --log-prefix " SID995 " # "WEB-IIS admin.dll access" nocase-ignored cve,CVE-2000-0630 bugtraq,189 classtype:web-application-attack sid:995 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/iisadmpwd/anot" -j LOG --log-prefix " SID996 " # "WEB-IIS anot.htr access" nocase-ignored bugtraq,2110 cve,CAN-1999-0407 classtype:web-application-activity 
sid:996 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".asp." -j LOG --log-prefix " SID997 " # "WEB-IIS asp-dot attempt" nocase-ignored classtype:web-application-attack sid:997 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "#filename=*.asp" -j LOG --log-prefix " SID998 " # "WEB-IIS asp-srch attempt" nocase-ignored classtype:web-application-attack sid:998 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/iisadmin/bdir.htr" -j LOG --log-prefix " SID999 " # "WEB-IIS bdir access" nocase-ignored classtype:web-application-activity sid:999 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/bdir.htr" --tcp-flags ACK ACK -j LOG --log-prefix " SID1000 " # "WEB-IIS bdir.ht access" nocase-ignored classtype:web-application-activity sid:1000 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "cmd.exe" -j LOG --log-prefix " SID1002 " # "WEB-IIS cmd.exe access" nocase-ignored classtype:web-application-attack sid:1002 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".cmd?&" -j LOG --log-prefix " SID1003 " # "WEB-IIS cmd? 
acess" nocase-ignored classtype:web-application-attack sid:1003 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/iissamples/exair/howitworks/codebrws.asp" -j LOG --log-prefix " SID1004 " # "WEB-IIS codebrowser Exair access" nocase-ignored cve,CVE-1999-0499 classtype:web-application-activity sid:1004 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/iissamples/sdk/asp/docs/codebrws.asp" -j LOG --log-prefix " SID1005 " # "WEB-IIS codebrowser SDK access" nocase-ignored bugtraq,167 classtype:web-application-activity sid:1005 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/Form_JScript.asp" --tcp-flags ACK ACK -j LOG --log-prefix " SID1007 " # "WEB-IIS cross-site scripting attempt" nocase-ignored classtype:web-application-attack sid:1007 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "&del+/s+c:\*.*" -j LOG --log-prefix " SID1008 " # "WEB-IIS del attempt" nocase-ignored classtype:web-application-attack sid:1008 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/ServerVariables_Jscript.asp" --tcp-flags ACK ACK -j LOG --log-prefix " SID1009 " # "WEB-IIS directory listing" nocase-ignored classtype:web-application-attack sid:1009 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%1u" -j LOG --log-prefix " SID1010 " # "WEB-IIS encoding access" arachnids,200 classtype:web-application-activity sid:1010 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "#filename=*.exe" -j LOG --log-prefix " SID1011 " # "WEB-IIS exec-src access" nocase-ignored classtype:web-application-activity sid:1011 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 
--tcp-flags ACK ACK -m string --string "/fpcount.exe" --string "Digits=-" -j LOG --log-prefix " SID1012 " # "WEB-IIS fpcount attempt" nocase-ignored bugtraq,2252 classtype:web-application-attack sid:1012 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/fpcount.exe" -j LOG --log-prefix " SID1013 " # "WEB-IIS fpcount access" nocase-ignored bugtraq,2252 classtype:web-application-activity sid:1013 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/tools/getdrvrs.exe" -j LOG --log-prefix " SID1014 " # "WEB-IIS getdrvrs access" nocase-ignored classtype:web-application-activity sid:1014 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/tools/getdrvs.exe" -j LOG --log-prefix " SID1015 " # "WEB-IIS getdrvs.exe access" nocase-ignored classtype:web-application-activity sid:1015 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "global.asa" -j LOG --log-prefix " SID1016 " # "WEB-IIS global-asa access" nocase-ignored classtype:web-application-activity sid:1016 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "#filename=*.idc" -j LOG --log-prefix " SID1017 " # "WEB-IIS idc-srch attempt" nocase-ignored cve,CVE-1999-0874 classtype:web-application-attack sid:1017 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/iisadmpwd/aexp" -j LOG --log-prefix " SID1018 " # "WEB-IIS iisadmpwd attempt" nocase-ignored bugtraq,2110 cve,CVE-2000-0303 classtype:web-application-attack sid:1018 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?CiWebHitsFile=/" --string "&CiRestriction=none&CiHiliteType=Full" -j LOG --log-prefix " 
SID1019 " # "WEB-IIS index server file sourcecode attempt" classtype:web-application-attack sid:1019 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".idc::$data" -j LOG --log-prefix " SID1020 " # "WEB-IIS isc$data attempt" nocase-ignored bugtraq,307 cve,CVE-1999-0874 classtype:web-application-attack sid:1020 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%20%20%20%20%20.htr" -j LOG --log-prefix " SID1021 " # "WEB-IIS ism.dll attempt" nocase-ignored cve,CAN-2000-0457 bugtraq,1193 classtype:web-application-attack sid:1021 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/advworks/equipment/catalog_type.asp" -j LOG --log-prefix " SID1022 " # "WEB-IIS jet vba access" nocase-ignored bugtraq,286 cve,CVE-1999-0874 classtype:web-application-activity sid:1022 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/msadc/msadcs.dll" -j LOG --log-prefix " SID1023 " # "WEB-IIS msadc/msadcs.dll access" nocase-ignored cve,CVE-1999-1011 bugtraq,529 classtype:web-application-activity sid:1023 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/tools/newdsn.exe" -j LOG --log-prefix " SID1024 " # "WEB-IIS newdsn.exe access" nocase-ignored bugtraq,1818 cve,CVE-1999-0191 classtype:web-application-activity sid:1024 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/perl" -j LOG --log-prefix " SID1025 " # "WEB-IIS perl access" nocase-ignored classtype:web-application-activity sid:1025 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%0a.pl" -j LOG --log-prefix " SID1026 " # "WEB-IIS perl-browse0a attempt" nocase-ignored 
classtype:web-application-attack sid:1026 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%20.pl" -j LOG --log-prefix " SID1027 " # "WEB-IIS perl-browse20 attempt" nocase-ignored classtype:web-application-attack sid:1027 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/issamples/query.asp" -j LOG --log-prefix " SID1028 " # "WEB-IIS query.asp access" nocase-ignored bugtraq,193 cve,CVE-1999-0449 classtype:web-application-activity sid:1028 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/ " -j LOG --log-prefix " SID1029 " # "WEB-IIS scripts-browse access" nocase-ignored classtype:web-application-attack sid:1029 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/search97.vts" -j LOG --log-prefix " SID1030 " # "WEB-IIS search97.vts access" bugtraq,162 classtype:web-application-activity sid:1030 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/SiteServer/Publishing/viewcode.asp" --tcp-flags ACK ACK -j LOG --log-prefix " SID1031 " # "WEB-IIS showcode access" nocase-ignored classtype:web-application-activity sid:1031 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/Sites/Knowledge/Membership/Inspired/ViewCode.asp" --tcp-flags ACK ACK -j LOG --log-prefix " SID1032 " # "WEB-IIS showcode access" nocase-ignored classtype:web-application-activity sid:1032 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp" --tcp-flags ACK ACK -j LOG --log-prefix " SID1033 " # "WEB-IIS showcode access" nocase-ignored classtype:web-application-activity sid:1033 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 
-m string --string "/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp" --tcp-flags ACK ACK -j LOG --log-prefix " SID1034 " # "WEB-IIS showcode access" nocase-ignored classtype:web-application-activity sid:1034 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/Sites/Samples/Knowledge/Push/ViewCode.asp" --tcp-flags ACK ACK -j LOG --log-prefix " SID1035 " # "WEB-IIS showcode access" nocase-ignored classtype:web-application-activity sid:1035 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/Sites/Samples/Knowledge/Search/ViewCode.asp" --tcp-flags ACK ACK -j LOG --log-prefix " SID1036 " # "WEB-IIS showcode access" nocase-ignored classtype:web-application-activity sid:1036 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/selector/showcode.asp" -j LOG --log-prefix " SID1037 " # "WEB-IIS showcode.asp access" nocase-ignored cve,CAN-1999-0736 classtype:web-application-activity sid:1037 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/adsamples/config/site.csc" -j LOG --log-prefix " SID1038 " # "WEB-IIS site server config access" nocase-ignored bugtraq,256 classtype:web-application-activity sid:1038 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/samples/isapi/srch.htm" -j LOG --log-prefix " SID1039 " # "WEB-IIS srch.htm access" nocase-ignored classtype:web-application-activity sid:1039 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/srchadm" -j LOG --log-prefix " SID1040 " # "WEB-IIS srchadm access" nocase-ignored classtype:web-application-activity sid:1040 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/uploadn.asp" -j LOG 
--log-prefix " SID1041 " # "WEB-IIS uploadn.asp access" nocase-ignored classtype:web-application-activity sid:1041 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "Translate: F" -j LOG --log-prefix " SID1042 " # "WEB-IIS view source via translate header" nocase-ignored arachnids,305 classtype:web-application-activity sid:1042 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/viewcode.asp" --tcp-flags ACK ACK -j LOG --log-prefix " SID1043 " # "WEB-IIS viewcode.asp access" nocase-ignored classtype:web-application-activity sid:1043 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".htw" --tcp-flags ACK ACK -m dsize --dsize 401: -j LOG --log-prefix " SID1044 " # "WEB-IIS webhits access" arachnids,237 classtype:web-application-activity sid:1044 iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 80 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "403" --string "Forbidden:" -j LOG --log-prefix " SID1045 " # "WEB-IIS Unauthorized IP Access Attempt" classtype:web-application-attack sid:1045 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/site/iisamples" -j LOG --log-prefix " SID1046 " # "WEB-IIS site/iisamples access" nocase-ignored classtype:web-application-activity sid:1046 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "scripts/root.exe?" -j LOG --log-prefix " SID1256 " # "WEB-IIS CodeRed v2 root.exe access" nocase-ignored classtype:web-application-attack sid: 1256 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/exchange/LogonFrm.asp?" 
--string "mailbox=" --string "%%%" -j LOG --log-prefix " SID1283 " # "WEB-IIS outlook web dos" nocase-ignored nocase-ignored classtype:web-application-attack bugtraq,3223 sid:1283 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%5c" --string ".." -j LOG --log-prefix " SID970 " # "WEB-IIS multiple decode attempt" cve,CAN-2001-0333 classtype:web-application-attack sid:970 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/msdac/" -j LOG --log-prefix " SID1285 " # "WEB-IIS msdac access" nocase-ignored classtype:web-application-activity sid:1285 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_mem_bin/" -j LOG --log-prefix " SID1286 " # "WEB-IIS _mem_bin access" nocase-ignored classtype:web-application-activity sid:1286 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/" -j LOG --log-prefix " SID1287 " # "WEB-IIS scripts access" nocase-ignored classtype:web-application-activity sid:1287 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/level/" --string "/exec/" --tcp-flags ACK ACK -j LOG --log-prefix " SID1250 " # "WEB-MISC Cisco IOS HTTP configuration attempt" classtype:web-application-attack bugtraq,2936 sid:1250 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "REVLOG / " --tcp-flags ACK ACK -j LOG --log-prefix " SID1047 " # "WEB-MISC Netscape Enterprise DOS" cve,CAN-2001-0251 bugtraq,2294 classtype:web-application-attack sid:1047 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "INDEX " --tcp-flags ACK ACK -j LOG --log-prefix " SID1048 " # "WEB-MISC Netscape Enterprise directory listing attempt" cve,CAN-2001-0250 bugtraq,2285 classtype:web-application-attack 
sid:1048 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "GET " --string "/../../../../../../../../../../../" --tcp-flags ACK ACK -j LOG --log-prefix " SID1049 " # "WEB-MISC iPlanet ../../ DOS attempt" classtype:web-application-attack sid:1049 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "GETPROPERTIES" -j LOG --log-prefix " SID1050 " # "WEB-MISC iPlanet GETPROPERTIES attempt" classtype:web-application-attack sid:1050 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/technote/main.cgi" --string "filename=" --string "../../" -j LOG --log-prefix " SID1051 " # "WEB-MISC technote main.cgi file directory traversal attempt" nocase-ignored nocase-ignored cve,CVE-2001-0075 bugtraq,2156 classtype:web-application-attack sid:1051 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/technote/print.cgi" --string "board=" --string "../../" --string "%00" -j LOG --log-prefix " SID1052 " # "WEB-MISC technote print.cgi directory traversal attempt" nocase-ignored nocase-ignored cve,CAN-2001-0075 bugtraq,2156 classtype:web-application-attack sid:1052 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ads.cgi" --string "file=" --string "../../" --string " -j LOG --log-prefix " SID1053 " #Cannot convert: misconvert on quoted pipe: sid:1053 "WEB-MISC ads.cgi command execution attempt" nocase-ignored nocase-ignored cve,CAN-2001-0025 bugtraq,2103 classtype:web-application-attack sid:1053 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".js%70" -j LOG --log-prefix " SID1054 " # "WEB-MISC weblogic view source attempt" bugtraq,2527 classtype:web-application-attack sid:1054 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS 
--dport 80 --tcp-flags ACK ACK -m string --string "%00.jsp" -j LOG --log-prefix " SID1055 " # "WEB-MISC tomcat directory traversal attempt" bugtraq,2518 classtype:web-application-attack sid:1055 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%252ejsp" -j LOG --log-prefix " SID1056 " # "WEB-MISC tomcat view source attempt" bugtraq,2527 classtype:web-application-attack sid:1056 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "ftp.exe" -j LOG --log-prefix " SID1057 " # "WEB-MISC ftp attempt" nocase-ignored classtype:web-application-activity sid:1057 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "xp_enumdsn" -j LOG --log-prefix " SID1058 " # "WEB-MISC enumdsn attempt" nocase-ignored classtype:web-application-attack sid:1058 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "xp_filelist" -j LOG --log-prefix " SID1059 " # "WEB-MISC filelist attempt" nocase-ignored classtype:web-application-attack sid:1059 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "xp_availablemedia" -j LOG --log-prefix " SID1060 " # "WEB-MISC availablemedia attempt" nocase-ignored classtype:web-application-attack sid:1060 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "xp_cmdshell" -j LOG --log-prefix " SID1061 " # "WEB-MISC cmdshell attempt" nocase-ignored classtype:web-application-attack sid:1061 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "nc.exe" -j LOG --log-prefix " SID1062 " # "WEB-MISC nc.exe attempt" nocase-ignored classtype:web-application-activity sid:1062 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 
80 --tcp-flags ACK ACK -m string --string "wsh.exe" -j LOG --log-prefix " SID1064 " # "WEB-MISC wsh attempt" nocase-ignored classtype:web-application-activity sid:1064 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "rcmd.exe" -j LOG --log-prefix " SID1065 " # "WEB-MISC rcmd attempt" nocase-ignored classtype:web-application-activity sid:1065 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "telnet.exe" -j LOG --log-prefix " SID1066 " # "WEB-MISC telnet attempt" nocase-ignored classtype:web-application-activity sid:1066 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "net.exe" -j LOG --log-prefix " SID1067 " # "WEB-MISC net attempt" nocase-ignored classtype:web-application-activity sid:1067 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "tftp.exe" -j LOG --log-prefix " SID1068 " # "WEB-MISC tftp attempt" nocase-ignored classtype:web-application-activity sid:1068 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "xp_regread" -j LOG --log-prefix " SID1069 " # "WEB-MISC regread attempt" nocase-ignored classtype:web-application-activity sid:1069 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "SEARCH " -j LOG --log-prefix " SID1070 " # "WEB-MISC webdav search access" nocase-ignored arachnids,474 classtype:web-application-activity sid:1070 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".htpasswd" -j LOG --log-prefix " SID1071 " # "WEB-MISC .htpasswd access" nocase-ignored classtype:web-application-attack sid:1071 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".nsf/" 
--string "../" --tcp-flags ACK ACK -j LOG --log-prefix " SID1072 " # "WEB-MISC Lotus Domino directory traversal" nocase-ignored classtype:web-application-attack sid:1072 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/samples/search/webhits.exe" -j LOG --log-prefix " SID1073 " # "WEB-MISC webhits.exe access" nocase-ignored classtype:web-application-activity sid:1073 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/postinfo.asp" -j LOG --log-prefix " SID1075 " # "WEB-MISC postinfo.asp access" nocase-ignored classtype:web-application-activity sid:1075 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/repost.asp" -j LOG --log-prefix " SID1076 " # "WEB-MISC repost.asp access" nocase-ignored classtype:web-application-activity sid:1076 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/samples/search/queryhit.htm" -j LOG --log-prefix " SID1077 " # "WEB-MISC queryhit.htm access" nocase-ignored classtype:web-application-activity sid:1077 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/counter.exe" -j LOG --log-prefix " SID1078 " # "WEB-MISC counter.exe access" nocase-ignored bugtraq,267 classtype:web-application-activity sid:1078 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "" --tcp-flags ACK ACK -j LOG --log-prefix " SID1079 " # "WEB-MISC webdav propfind access" nocase-ignored nocase-ignored cve,CVE-2000-0869 classtype:web-application-activity sid:1079 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "(com.unify.servletexec.UploadServlet" --tcp-flags ACK ACK -j LOG --log-prefix " SID1080 " # "WEB-MISC unify eWave 
ServletExec upload" nocase-ignored classtype:web-application-attack sid:1080 bugtraq,1868 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/dsgw/bin/search?context=" -j LOG --log-prefix " SID1081 " # "WEB-MISC netscape servers suite DOS" nocase-ignored classtype:web-application-attack sid:1081 bugtraq,1868 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "ref%3Cscript%20language%3D%22Javascript" -j LOG --log-prefix " SID1082 " # "WEB-MISC amazon 1-click cookie theft" nocase-ignored classtype:web-application-attack sid:1082 bugtraq,1194 cve,CVE-2000-0439 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/servlet/ServletExec" -j LOG --log-prefix " SID1083 " # "WEB-MISC unify eWave ServletExec DOS" classtype:web-application-activity sid:1083 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "servlet/......." 
-j LOG --log-prefix " SID1084 " # "WEB-MISC Allaire JRUN DOS attempt" nocase-ignored classtype:web-application-attack sid:1084 bugtraq,2337 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "Iҹ" -j LOG --log-prefix " SID1085 " # "WEB-MISC PHP strings overflow" bugtraq,802 arachnids,431 classtype:web-application-attack sid:1085 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?STRENGUR " -j LOG --log-prefix " SID1086 " # "WEB-MISC PHP strings overflow" arachnids,430 classtype:web-application-attack sid:1086 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/web_store.cgi" --string "page=../" -j LOG --log-prefix " SID1088 " # "WEB-MISC eXtropia webstore directory traversal" bugtraq,1774 classtype:web-application-attack sid:1088 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/shop.cgi" --string "page=../" -j LOG --log-prefix " SID1089 " # "WEB-MISC shopping cart directory traversal" bugtraq,1777 classtype:web-application-attack sid:1089 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/authenticate.cgi?PASSWORD" --string "config.ini" -j LOG --log-prefix " SID1090 " # "WEB-MISC Allaire Pro Web Shell attempt" classtype:web-application-attack sid:1090 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "??????????" 
-j LOG --log-prefix " SID1091 " # "WEB-MISC ICQ Webfront HTTP DOS" classtype:web-application-attack sid:1091 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/search.cgi?keys" --string "catigory=../" -j LOG --log-prefix " SID1092 " # "WEB-MISC Armada Style Master Index directory traversal" classtype:web-application-attack sid:1092 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cached_feed.cgi" --string "../" -j LOG --log-prefix " SID1093 " # "WEB-MISC moreover shopping cart directory traversal" bugtraq,1762 classtype:web-application-attack sid:1093 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/web_store.cgi?page=../.." --tcp-flags ACK ACK -j LOG --log-prefix " SID1094 " # "WEB-MISC webstore directory traversal" classtype:web-application-attack sid:1094 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webplus.exe?script=test.wml" -j LOG --log-prefix " SID1095 " # "WEB-MISC Talentsoft Web+ Source Code view access" bugtraq,1722 classtype:web-application-attack sid:1095 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webplus.exe?about" -j LOG --log-prefix " SID1096 " # "WEB-MISC Talentsoft Web+ internal IP Address access" bugtraq,1720 classtype:web-application-activity sid:1096 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webplus.cgi?Script=/webplus/webping/webping.wml" -j LOG --log-prefix " SID1097 " # "WEB-MISC Talentsoft Web+ exploit attempt" bugtraq,1725 classtype:web-application-attack sid:1097 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "_private/shopping_cart.mdb" -j LOG --log-prefix " SID1098 " # "WEB-MISC 
SmartWin CyberOffice Shopping Cart access" bugtraq,1734 classtype:web-application-attack sid:1098 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cybercop" -j LOG --log-prefix " SID1099 " # "WEB-MISC cybercop scan" nocase-ignored arachnids,374 classtype:web-application-activity sid:1099 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "User-Agent: Java1.2.1 " --tcp-flags ACK ACK -j LOG --log-prefix " SID1100 " # "WEB-MISC L3retriever HTTP Probe" arachnids,310 classtype:web-application-activity sid:1100 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "User-Agent: Webtrends Security Analyzer " --tcp-flags ACK ACK -j LOG --log-prefix " SID1101 " # "WEB-MISC Webtrends HTTP probe" arachnids,309 classtype:web-application-activity sid:1101 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/nessus_is_probing_you_" -j LOG --log-prefix " SID1102 " # "WEB-MISC Nessus 404 probe" arachnids,301 classtype:web-application-activity sid:1102 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admin-serv/config/admpw" -j LOG --log-prefix " SID1103 " # "WEB-MISC netscape admin passwd" nocase-ignored bugtraq,1579 classtype:web-application-attack sid:1103 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bb-hostsvc.sh?HOSTSVC" -j LOG --log-prefix " SID1105 " # "WEB-MISC BigBrother access" nocase-ignored classtype:attempted-recon sid:1105 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/pollit/Poll_It_SSI_v2.0.cgi" -j LOG --log-prefix " SID1106 " # "WEB-MISC Poll-it access" nocase-ignored cve,CAN-2000-0590 bugtraq,1431 classtype:attempted-recon sid:1106 iptables -A 
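# Snort signatures converted into iptables LOG rules on the SnortRules chain,
# restored to one rule per line (the wrapped form broke commands across lines
# and let the trailing "#" comment of one rule swallow the rules after it).
# The trailing comment of each rule carries the Snort msg and metadata
# (sid, classtype, bugtraq/cve/arachnids refs).  "nocase-ignored" marks rules
# whose Snort "nocase" option the converter dropped, so the -m string match is
# case-sensitive and narrower than the original signature.  "#Cannot convert:"
# lines are signatures the converter could not express; they stay disabled.
# $EXTERNAL_NET / $HTTP_SERVERS / $HOME_NET are set at the top of the file
# (0/0 by default) and are expanded unquoted, as generated.
# Operational caveats for anyone deploying this chain:
#  - every rule is "-j LOG" with no rate limit, so a burst of matching packets
#    produces one kernel-log line each; put "-m limit" in front of -j LOG if
#    log volume matters.
#  - -m string inspects one packet payload at a time (no stream reassembly),
#    so a pattern is only seen when it lies within a single segment; treat
#    these as low-fidelity detections, not blocks.
#  - "-m dsize" and several "--string" options on one "-m string" come from
#    the patch-o-matic era.  NOTE(review): current xt_string requires --algo
#    (and offers --icase), and xt_length replaces dsize — verify against the
#    target kernel/iptables before loading.
# NOTE(review): the next line is the tail of the SID1107 rule; its leading
# "iptables -A" sits on the previous (wrapped) line of this listing.
SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ftp.pl" -j LOG --log-prefix " SID1107 " # "WEB-MISC ftp.pl access" nocase-ignored bugtraq,1471 classtype:attempted-recon sid:1107
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/jsp/snp/anything.snp" -j LOG --log-prefix " SID1108 " # "WEB-MISC tomcat server snoop access" nocase-ignored cve,CAN-2000-0760 bugtraq,1532 classtype:attempted-recon sid:1108
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/%00/" -j LOG --log-prefix " SID1109 " # "WEB-MISC ROXEN directory list attempt" nocase-ignored bugtraq,1510 cve,CVE-2000-0671 classtype:attempted-recon sid:1109
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/site/eg/source.asp" -j LOG --log-prefix " SID1110 " # "WEB-MISC apache source.asp file access" nocase-ignored bugtraq,1457 cve, CVE-2000-0628 classtype:attempted-recon sid:1110
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/contextAdmin/contextAdmin.html" -j LOG --log-prefix " SID1111 " # "WEB-MISC tomcat server exploit access" nocase-ignored classtype:attempted-recon sid:1111
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "..\" -j LOG --log-prefix " SID1112 " #Cannot convert: Mishandled quotes "WEB-MISC http directory traversal" arachnids,298 classtype:attempted-recon sid:1112
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "get //" -j LOG --log-prefix " SID1114 " # "WEB-MISC prefix-get //" nocase-ignored classtype:attempted-recon sid:1114
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".html/......" -j LOG --log-prefix " SID1115 " # "WEB-MISC ICQ webserver DOS" nocase-ignored cve,CVE-1999-0474 classtype:attempted-dos sid:1115
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?DeleteDocument" -j LOG --log-prefix " SID1116 " # "WEB-MISC Lotus DelDoc attempt" nocase-ignored classtype:attempted-recon sid:1116
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?EditDocument" -j LOG --log-prefix " SID1117 " # "WEB-MISC Lotus EditDoc attempt" nocase-ignored classtype:attempted-recon sid:1117
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "ls%20-l" -j LOG --log-prefix " SID1118 " # "WEB-MISC ls%20-l" nocase-ignored classtype:attempted-recon sid:1118
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/mlog.phtml" -j LOG --log-prefix " SID1119 " # "WEB-MISC mlog.phtml access" nocase-ignored bugtraq,713 cve,CVE-1999-0346 classtype:attempted-recon sid:1119
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/mylog.phtml" -j LOG --log-prefix " SID1120 " # "WEB-MISC mylog.phtml access" nocase-ignored bugtraq,713 cve,CVE-1999-0346 classtype:attempted-recon sid:1120
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cgi-dos/args.bat" -j LOG --log-prefix " SID1121 " # "WEB-MISC O'Reilly args.bat access" nocase-ignored classtype:attempted-recon sid:1121
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/etc/passwd" -j LOG --log-prefix " SID1122 " # "WEB-MISC /etc/passwd" nocase-ignored classtype:attempted-recon sid:1122
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?PageServices" -j LOG --log-prefix " SID1123 " # "WEB-MISC PageService access" nocase-ignored bugtraq,1063 cve,CVE-1999-0269 classtype:attempted-recon sid:1123
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/config/check.txt" -j LOG --log-prefix " SID1124 " # "WEB-MISC Ecommerce check.txt access" nocase-ignored classtype:attempted-recon sid:1124
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webcart/" -j LOG --log-prefix " SID1125 " # "WEB-MISC webcart access" nocase-ignored classtype:attempted-recon sid:1125
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "_AuthChangeUrl?" -j LOG --log-prefix " SID1126 " # "WEB-MISC AuthChangeUr access" nocase-ignored classtype:attempted-recon sid:1126
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/convert.bas" -j LOG --log-prefix " SID1127 " # "WEB-MISC convert.bas access" nocase-ignored bugtraq,2025 cve,CVE-1999-0175 classtype:attempted-recon sid:1127
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/cpshost.dll" -j LOG --log-prefix " SID1128 " # "WEB-MISC cpshost.dll access" nocase-ignored classtype:attempted-recon sid:1128
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".htaccess" -j LOG --log-prefix " SID1129 " # "WEB-MISC .htaccess access" nocase-ignored classtype:attempted-recon sid:1129
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".wwwacl" -j LOG --log-prefix " SID1130 " # "WEB-MISC .wwwacl access" nocase-ignored classtype:attempted-recon sid:1130
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".www_acl" -j LOG --log-prefix " SID1131 " # "WEB-MISC .wwwacl access" nocase-ignored classtype:attempted-recon sid:1131
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 457 -m string --string "_^1F" --tcp-flags ACK ACK -j LOG --log-prefix " SID1132 " # "WEB-MISC netscape unixware overflow" arachnids,180 classtype:attempted-recon sid:1132
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 -m string --string "AAAAAAAAAAAAAAAA" --tcp-flags ALL FIN,PSH,SYN -j LOG --log-prefix " SID1133 " #Cannot convert: ack: 0 "SCAN cybercop os probe" arachnids,145 classtype:attempted-recon sid:1133
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admin.php3" -j LOG --log-prefix " SID1134 " # "WEB-MISC Phorum admin access" nocase-ignored bugtraq,2271 arachnids,205 classtype:attempted-recon sid:1134
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "cd.." -j LOG --log-prefix " SID1136 " # "WEB-MISC cd.." nocase-ignored classtype:attempted-recon sid:1136
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "PHP_AUTH_USER=boogieman" -j LOG --log-prefix " SID1137 " # "WEB-MISC Phorum auth access" nocase-ignored bugtraq,2274 arachnids,206 classtype:attempted-recon sid:1137
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string " /%%" -j LOG --log-prefix " SID1138 " # "WEB-MISC Cisco Web DOS attempt" arachnids,275 classtype:attempted-dos sid:1138
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/guestbook" -j LOG --log-prefix " SID1140 " # "WEB-MISC guestbook access" nocase-ignored bugtraq,776 cve,CVE-1999-0237 arachnids,228 classtype:attempted-recon sid:1140
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/handler" -j LOG --log-prefix " SID1141 " # "WEB-MISC handler access" nocase-ignored bugtraq,380 arachnids,235 cve,CVE-1999-0148 classtype:attempted-recon sid:1141
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/...." -j LOG --log-prefix " SID1142 " # "WEB-MISC /...." classtype:attempted-recon sid:1142
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "///cgi-bin" -j LOG --log-prefix " SID1143 " # "WEB-MISC ///cgi-bin" nocase-ignored classtype:attempted-recon sid:1143
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cgi-bin///" -j LOG --log-prefix " SID1144 " # "WEB-MISC /cgi-bin/// access" nocase-ignored classtype:attempted-recon sid:1144
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/~root/" -j LOG --log-prefix " SID1145 " # "WEB-MISC /~root" nocase-ignored classtype:attempted-recon sid:1145
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/config/import.txt" -j LOG --log-prefix " SID1146 " # "WEB-MISC Ecommerce import.txt access" nocase-ignored classtype:attempted-recon sid:1146
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "cat%20" -j LOG --log-prefix " SID1147 " # "WEB-MISC cat%20 access" nocase-ignored cve,CVE-1999-0039 bugtraq,374 classtype:attempted-recon sid:1147
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/orders/import.txt" -j LOG --log-prefix " SID1148 " # "WEB-MISC Ecommerce import.txt access" nocase-ignored classtype:attempted-recon sid:1148
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/count.cgi" -j LOG --log-prefix " SID1149 " # "WEB-MISC count.cgi access" nocase-ignored bugtraq,550 cve,CVE-1999-0021 classtype:attempted-recon sid:1149
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/catalog.nsf" -j LOG --log-prefix " SID1150 " # "WEB-MISC Domino catalog.ns access" nocase-ignored classtype:attempted-recon sid:1150
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/domcfg.nsf" -j LOG --log-prefix " SID1151 " # "WEB-MISC Domino domcfg.nsf access" nocase-ignored classtype:attempted-recon sid:1151
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/domlog.nsf" -j LOG --log-prefix " SID1152 " # "WEB-MISC Domino domlog.nsf access" nocase-ignored classtype:attempted-recon sid:1152
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/log.nsf" -j LOG --log-prefix " SID1153 " # "WEB-MISC Domino log.nsf access" nocase-ignored classtype:attempted-recon sid:1153
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/names.nsf" -j LOG --log-prefix " SID1154 " # "WEB-MISC Domino names.nsf access" nocase-ignored classtype:attempted-recon sid:1154
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/orders/checks.txt" -j LOG --log-prefix " SID1155 " # "WEB-MISC Ecommerce checks.txt access" nocase-ignored classtype:attempted-recon sid:1155
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "////////" -j LOG --log-prefix " SID1156 " # "WEB-MISC apache DOS attempt" classtype:attempted-dos sid:1156
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/PSUser/PSCOErrPage.htm?" -j LOG --log-prefix " SID1157 " # "WEB-MISC netscape PublishingXpert 2 Exploit" nocase-ignored cve,CAN-2000-1196 classtype:attempted-recon sid:1157
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/windmail.exe" --string "-n" --string "mail" -j LOG --log-prefix " SID1158 " # "WEB-MISC windmail access" nocase-ignored nocase-ignored cve,CAN-2000-0242 bugtraq,1073 arachnids,465 classtype:attempted-recon sid:1158
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "webplus?script" --tcp-flags ACK ACK -j LOG --log-prefix " SID1159 " # "WEB-MISC webplus access" nocase-ignored classtype:attempted-recon sid:1159
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-" -j LOG --log-prefix " SID1160 " # "WEB-MISC netscape dir index wp" nocase-ignored bugtraq,1063 cve,CVE-2000-0236 arachnids,270 classtype:attempted-recon sid:1160
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/passwd.php3" -j LOG --log-prefix " SID1161 " # "WEB-MISC piranha passwd.php3 access" bugtraq,1149 cve,CVE-2000-0322 arachnids,272 classtype:attempted-recon sid:1161
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/c32web.exe/ChangeAdminPassword" -j LOG --log-prefix " SID1162 " # "WEB-MISC cart 32 AdminPwd access" nocase-ignored bugtraq,1153 classtype:attempted-recon sid:1162
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/webdist.cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID1163 " # "WEB-MISC webdist.cgi access" nocase-ignored bugtraq,374 cve,CVE-1999-0039 classtype:attempted-recon sid:1163
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/quikstore.cfg" --tcp-flags ACK ACK -j LOG --log-prefix " SID1164 " # "WEB-MISC shopping cart access access" nocase-ignored classtype:attempted-recon sid:1164
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/GWWEB.EXE?HELP=" -j LOG --log-prefix " SID1165 " # "WEB-MISC novell groupwise gwweb.exe access" nocase-ignored bugtraq,879 cve,CAN-1999-1006 classtype:attempted-recon sid:1165
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/ws_ftp.ini" --tcp-flags ACK ACK -j LOG --log-prefix " SID1166 " # "WEB-MISC ws_ftp.ini access" nocase-ignored classtype:attempted-recon sid:1166
# NOTE(review): pattern "/rmp_query" disagrees with the msg "rpm_query"; one of the two is a typo — confirm against the Snort sid:1167 content before relying on this rule.
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/rmp_query" -j LOG --log-prefix " SID1167 " # "WEB-MISC rpm_query access" nocase-ignored cve,CVE-2000-0192 bugtraq,1036 classtype:attempted-recon sid:1167
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/mall_log_files/order.log" --tcp-flags ACK ACK -j LOG --log-prefix " SID1168 " # "WEB-MISC mall log order access" nocase-ignored classtype:attempted-recon sid:1168
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/bigconf.cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID1172 " # "WEB-MISC bigconf.cgi access" nocase-ignored classtype:attempted-recon sid:1172
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/ews/architext_query.pl" --tcp-flags ACK ACK -j LOG --log-prefix " SID1173 " # "WEB-MISC architext_query.pl access" nocase-ignored classtype:attempted-recon sid:1173
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/cgi-bin/jj" --tcp-flags ACK ACK -j LOG --log-prefix " SID1174 " # "WEB-MISC /cgi-bin/jj attempt" nocase-ignored bugtraq,2002 cve,CVE-1999-0260 classtype:attempted-recon sid:1174
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/wwwboard.pl" --tcp-flags ACK ACK -j LOG --log-prefix " SID1175 " # "WEB-MISC wwwboard.pl access" nocase-ignored bugtraq,1795 cve,CVE-1999-0953 classtype:attempted-recon sid:1175
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/admin_files/order.log" --tcp-flags ACK ACK -j LOG --log-prefix " SID1176 " # "WEB-MISC order.log access" nocase-ignored classtype:attempted-recon sid:1176
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-verify-link" -j LOG --log-prefix " SID1177 " # "WEB-MISC netscape enterprise server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1177
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/read.php3" -j LOG --log-prefix " SID1178 " # "WEB-MISC Phorum read access" nocase-ignored arachnids,208 classtype:attempted-recon sid:1178
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/violation.php3" -j LOG --log-prefix " SID1179 " # "WEB-MISC Phorum violation access" nocase-ignored bugtraq,2272 arachnids,209 classtype:attempted-recon sid:1179
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/get32.exe" -j LOG --log-prefix " SID1180 " # "WEB-MISC get32.exe access" nocase-ignored bugtraq,1485 arachnids,258 classtype:attempted-recon sid:1180
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m dsize --dsize 1447: -m string --string "/ping?query" -j LOG --log-prefix " SID1181 " # "WEB-MISC Annex Terminal DOS attempt" arachnids,260 classtype:attempted-dos sid:1181
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/cgitest.exe user" --tcp-flags ACK ACK -j LOG --log-prefix " SID1182 " # "WEB-MISC cgitest.exe attempt" nocase-ignored arachnids,265 classtype:attempted-recon sid:1182
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-cs-dump" -j LOG --log-prefix " SID1183 " # "WEB-MISC netscape enterprise server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1183
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-ver-info" -j LOG --log-prefix " SID1184 " # "WEB-MISC netscape enterprise server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1184
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bizdb1-search.cgi" --string "mail" -j LOG --log-prefix " SID1185 " # "WEB-MISC bizdbsearch access" nocase-ignored cve,CAN-2000-0287 bugtraq,1104 classtype:attempted-recon sid:1185
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-ver-diff" -j LOG --log-prefix " SID1186 " # "WEB-MISC netscape enterprise server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1186
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/slxweb.dll/admin?command=" -j LOG --log-prefix " SID1187 " # "WEB-MISC SalesLogix Eviewer web shutdown acess" nocase-ignored bugtraq,1089 cve,CAN-2000-0289 classtype:attempted-recon sid:1187
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-start-ver" -j LOG --log-prefix " SID1188 " # "WEB-MISC netscape enterprise server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1188
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-stop-ver" -j LOG --log-prefix " SID1189 " # "WEB-MISC netscape enterprise server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1189
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-uncheckout" -j LOG --log-prefix " SID1190 " # "WEB-MISC netscape enterprise server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1190
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-html-rend" -j LOG --log-prefix " SID1191 " # "WEB-MISC netscape enterprise server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1191
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/officescan/cgi/jdkRqNotify.exe?" -j LOG --log-prefix " SID1192 " # "WEB-MISC Trend Micro OfficeScan access" nocase-ignored bugtraq,1057 classtype:attempted-recon sid:1192
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ows-bin/&" -j LOG --log-prefix " SID1193 " # "WEB-MISC oracle web listener batch access" nocase-ignored cve,CVE-2000-0169 bugtraq,1053 classtype:attempted-recon sid:1193
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/sojourn.cgi?cat=" --string "%00" -j LOG --log-prefix " SID1194 " # "WEB-MISC Sojourn File attempt" nocase-ignored bugtraq,1052 cve,CAN-2000-0180 classtype:attempted-user sid:1194
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/sojourn.cgi" -j LOG --log-prefix " SID1195 " # "WEB-MISC Sojourn access" nocase-ignored bugtraq,1052 cve,CAN-2000-0180 classtype:attempted-recon sid:1195
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/infosrch.cgi?" --string "fname=" -j LOG --log-prefix " SID1196 " # "WEB-MISC SGI InfoSearch fname access" nocase-ignored bugtraq,1031 arachnids,290 cve,CVE-2000-0207 classtype:attempted-recon sid:1196
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/code.php3" -j LOG --log-prefix " SID1197 " # "WEB-MISC Phorum code access" nocase-ignored arachnids,207 classtype:attempted-recon sid:1197
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-usr-prop" -j LOG --log-prefix " SID1198 " # "WEB-MISC netscape enterprise server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1198
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 2301 -m string --string "../" -j LOG --log-prefix " SID1199 " # "WEB-MISC compaq nsight directory traversal" bugtraq,282 arachnids,244 cve,CVE-1999-0771 classtype:attempted-recon sid:1199
# The next two rules watch server responses (source port 80) rather than requests.
iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 80 -d $EXTERNAL_NET -m string --string "Invalid URL" --tcp-flags ACK ACK -j LOG --log-prefix " SID1200 " # "WEB-MISC Invalid URL" nocase-ignored classtype:attempted-recon sid:1200
iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 80 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "HTTP/1.1 403" -j LOG --log-prefix " SID1201 " # "WEB-MISC 403 Forbidden" classtype:attempted-recon sid:1201
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/search.vts" -j LOG --log-prefix " SID1202 " # "WEB-MISC search.vts access" classtype:attempted-recon sid:1202
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ax-admin.cgi" -j LOG --log-prefix " SID1204 " # "WEB-MISC ax-admin.cgi access" classtype:attempted-recon sid:1204
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/axs.cgi" -j LOG --log-prefix " SID1205 " # "WEB-MISC axs.cgi access" classtype:attempted-recon sid:1205
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cachemgr.cgi" -j LOG --log-prefix " SID1206 " # "WEB-MISC cachemgr.cgi access" classtype:attempted-recon sid:1206
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/htgrep" -j LOG --log-prefix " SID1207 " # "WEB-MISC htgrep access" classtype:attempted-recon sid:1207
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/responder.cgi" -j LOG --log-prefix " SID1208 " # "WEB-MISC responder.cgi access" classtype:attempted-recon sid:1208
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/.nsconfig" -j LOG --log-prefix " SID1209 " # "WEB-MISC .nsconfig access" classtype:attempted-recon sid:1209
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/web-map.cgi" -j LOG --log-prefix " SID1211 " # "WEB-MISC web-map.cgi access" classtype:attempted-recon sid:1211
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admin_files" -j LOG --log-prefix " SID1212 " # "WEB-MISC Admin_files access" nocase-ignored classtype:attempted-recon sid:1212
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/backup" -j LOG --log-prefix " SID1213 " # "WEB-MISC backup access" nocase-ignored classtype:attempted-recon sid:1213
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/intranet/" -j LOG --log-prefix " SID1214 " # "WEB-MISC intranet access" nocase-ignored classtype:attempted-recon sid:1214
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ministats/admin.cgi" -j LOG --log-prefix " SID1215 " # "WEB-MISC ministats admin access" nocase-ignored classtype:attempted-recon sid:1215
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/filemail" -j LOG --log-prefix " SID1216 " # "WEB-MISC filemail access" nocase-ignored classtype:attempted-recon sid:1216
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/plusmail" -j LOG --log-prefix " SID1217 " # "WEB-MISC plusmail access" nocase-ignored classtype:attempted-recon sid:1217
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/adminlogin" -j LOG --log-prefix " SID1218 " # "WEB-MISC adminlogin access" nocase-ignored classtype:attempted-recon sid:1218
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/dfire.cgi" -j LOG --log-prefix " SID1219 " # "WEB-MISC dfire.cgi access" nocase-ignored classtype:attempted-recon sid:1219
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ultraboard" -j LOG --log-prefix " SID1220 " # "WEB-MISC ultraboard access" nocase-ignored classtype:attempted-recon sid:1220
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/empower" -j LOG --log-prefix " SID1221 " # "WEB-MISC musicat access" nocase-ignored classtype:attempted-recon sid:1221
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/pals-cgi" --string "documentName=" -j LOG --log-prefix " SID1222 " # "WEB-MISC WebPALS attempt" nocase-ignored classtype:attempted-recon cve,CAN-2001-0217 bugtraq,2372 sid:1222
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ROADS/cgi-bin/search.pl" --string "form=" -j LOG --log-prefix " SID1224 " # "WEB-MISC ROADS attempt" nocase-ignored cve,CAN-2001-0215 bugtraq,2371 classtype:attempted-recon sid:1224
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/FtpSave.dll" -j LOG --log-prefix " SID1230 " # "WEB-MISC VirusWall FtpSave access" nocase-ignored classtype:attempted-recon sid:1230
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/catinfo" -j LOG --log-prefix " SID1231 " # "WEB-MISC VirusWall access" nocase-ignored bugtraq,2808 classtype:attempted-recon sid:1231
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 1812 --tcp-flags ACK ACK -m string --string "/catinfo" -j LOG --log-prefix " SID1232 " # "WEB-MISC VirusWall access" nocase-ignored bugtraq,2579 classtype:attempted-recon sid:1232
# NOTE(review): this rule is outbound ($HOME_NET -> $EXTERNAL_NET:80) and its pattern ".ewl" does not match the msg "EML"; possibly meant ".eml" — confirm against the Snort sid:1233 content.
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 80 -m string --string ".ewl" --tcp-flags ACK ACK -j LOG --log-prefix " SID1233 " # "WEB-MISC Outlook EML access" classtype:attempted-admin sid:1233
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/FtpSaveCSP.dll" -j LOG --log-prefix " SID1234 " # "WEB-MISC VirusWall FtpSaveCSP access" nocase-ignored classtype:attempted-recon sid:1234
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/FtpSaveCVP.dll" -j LOG --log-prefix " SID1235 " # "WEB-MISC VirusWall FtpSaveCVP access" nocase-ignored classtype:attempted-recon sid:1235
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".js%2570" -j LOG --log-prefix " SID1236 " # "WEB-MISC Tomcat sourcode view" nocase-ignored classtype:attempted-recon sid:1236
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".j%2573p" -j LOG --log-prefix " SID1237 " # "WEB-MISC Tomcat sourcode view" nocase-ignored classtype:attempted-recon sid:1237
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".%256Asp" -j LOG --log-prefix " SID1238 " # "WEB-MISC Tomcat sourcode view" nocase-ignored classtype:attempted-recon sid:1238
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/SWEditServlet" --string "template=../../../" --tcp-flags ACK ACK -j LOG --log-prefix " SID1241 " # "WEB-MISC SWEditServlet directory traversal attempt" classtype:attempted-user sid:1241
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/SWEditServlet" --tcp-flags ACK ACK -j LOG --log-prefix " SID1259 " # "WEB-MISC SWEditServlet access" classtype:attempted-recon sid:1259
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "HEAD" -m dsize --dsize 513: --tcp-flags ACK ACK -j LOG --log-prefix " SID1171 " # "WEB-MISC whisker head" nocase-ignored classtype:attempted-recon sid:1171
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "HEAD/./" -j LOG --log-prefix " SID1139 " # "WEB-MISC whisker head" classtype:attempted-recon sid:1139
# The two "splice" rules below key on tiny payloads (dsize 1 / up to 4 bytes) containing a space.
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string " " --tcp-flags ACK ACK -m dsize --dsize 1 -j LOG --log-prefix " SID1104 " # "WEB-MISC whisker splice attack" arachnids,296 classtype:attempted-recon sid:1104
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m dsize --dsize :4 --tcp-flags ACK ACK -m string --string " " -j LOG --log-prefix " SID1087 " # "WEB-MISC whisker splice attack" arachnids,415 classtype:attempted-recon sid:1087
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "PHPLIB[libdir]" -j LOG --log-prefix " SID1254 " # "WEB-MISC PHPLIB remote command attempt" bugtraq,3079 classtype:attempted-user sid:1254
iptables -A SnortRules -p tcp -s $HTTP_SERVERS -d $EXTERNAL_NET --dport 80 --tcp-flags ACK ACK -m string --string "/db_mysql.inc" -j LOG --log-prefix " SID1255 " # "WEB-MISC PHPLIB remote command attempt" bugtraq,3079 classtype:attempted-user sid:1255
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/OvCgi/OpenView5.exe?Context=Snmp&Action=Snmp&Host=&Oid=" -m dsize --dsize 203: -j LOG --log-prefix " SID1258 " # "WEB-MISC HP Openview Manager DOS" nocase-ignored bugtraq,2845 sid:1258 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "Authorization: Basic " -m dsize --dsize 1001: -j LOG --log-prefix " SID1260 " # "WEB-MISC long basic authorization string" nocase-ignored classtype:attempted-dos bugtraq,3230 sid:1260
# Quoting fixed: the generated form "window.open("readme.eml"" was parsed by the shell as
# window.open(readme.eml, dropping the inner quotes the signature needs; single quotes keep them.
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET --tcp-flags ACK ACK -m string --string 'window.open("readme.eml"' -j LOG --log-prefix " SID1290 " # "WEB-MISC readme.eml autoload attempt" nocase-ignored classtype:attempted-user sid:1290 url,www.cert.org/advisories/CA-2001-26.html
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET --tcp-flags ACK ACK -m string --string "readme.eml" -j LOG --log-prefix " SID1284 " # "WEB-MISC readme.eml attempt" nocase-ignored classtype:attempted-user sid:1284 url,www.cert.org/advisories/CA-2001-26.html
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/graphics/sml3com" -j LOG --log-prefix " SID1291 " # "WEB-MISC sml3com access" classtype:attempted-dos bugtraq,2721 sid:1291
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/carbo.dll" --string "icatcommand=" -j LOG --log-prefix " SID1001 " # "WEB-MISC carbo.dll access" nocase-ignored cve,CAN-1999-1069 bugtraq,2126 classtype:attempted-recon sid:1001
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admin.php" --string "file_name=" -j LOG --log-prefix " SID1300 " # "WEB-MISC admin.php file upload attempt" nocase-ignored bugtraq,3361 classtype:attempted-admin sid:1300
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admin.php" -j LOG --log-prefix " SID1301 " # "WEB-MISC admin.php access" nocase-ignored bugtraq,3361 classtype:attempted-recon sid:1301
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cgi-bin/console.exe" -j LOG --log-prefix " SID1302 " # "WEB-MISC console.exe access" nocase-ignored bugtraq,3375 classtype:attempted-recon sid:1302
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cgi-bin/cs.exe" -j LOG --log-prefix " SID1303 " # "WEB-MISC cs.exe access" nocase-ignored bugtraq,3375 classtype:attempted-recon sid:1303
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/txt2html.cgi" --string "/../../../../" -j LOG --log-prefix " SID1305 " # "WEB-MISC txt2html attempt" nocase-ignored classtype:attempted-admin sid:1305
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/txt2html.cgi" -j LOG --log-prefix " SID1304 " # "WEB-MISC txt2html access" nocase-ignored classtype:attempted-recon sid:1304
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/store.cgi" --string "product=" --string "../.." -j LOG --log-prefix " SID1306 " # "WEB-MISC store.cgi attempt" nocase-ignored classtype:attempted-admin sid:1306
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/store.cgi" -j LOG --log-prefix " SID1307 " # "WEB-MISC store.cgi access" nocase-ignored classtype:attempted-recon sid:1307
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "../" -j LOG --log-prefix " SID1113 " # "WEB-MISC http directory traversal" arachnids,297 classtype:attempted-recon sid:1113
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "GET x HTTP/1.0" -j LOG --log-prefix " SID1375 " # "WEB-MISC sadmind worm access" classtype:attempted-recon url,"www.cert.org/advisories/CA-2001-11.html" sid:1375
# WEB-ATTACKS: command names appearing in HTTP requests.  These are common
# false-positive sources on sites that legitimately serve such paths/strings.
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/ps" -j LOG --log-prefix " SID1328 " # "WEB-ATTACKS ps command attempt" nocase-ignored sid:1328 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "ps%20" -j LOG --log-prefix " SID1329 " # "WEB-ATTACKS /bin/ps command attempt" nocase-ignored sid:1329 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "wget%20" -j LOG --log-prefix " SID1330 " # "WEB-ATTACKS wget command attempt" nocase-ignored sid:1330 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "uname%20-a" -j LOG --log-prefix " SID1331 " # "WEB-ATTACKS uname -a command attempt" nocase-ignored sid:1331 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/bin/id" -j LOG --log-prefix " SID1332 " # "WEB-ATTACKS /usr/bin/id command attempt" nocase-ignored sid:1332 classtype:web-application-attack
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string " -j LOG --log-prefix " SID1333 " #Cannot convert: id" misconvert in content semicolon: sid:1333 "WEB-ATTACKS id command attempt" nocase-ignored sid:1333 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/echo" -j LOG --log-prefix " SID1334 " # "WEB-ATTACKS echo command attempt" nocase-ignored sid:1334 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/kill" -j LOG --log-prefix " SID1335 " # "WEB-ATTACKS kill command attempt" nocase-ignored sid:1335 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/chmod" -j LOG --log-prefix " SID1336 " # "WEB-ATTACKS chmod command attempt" nocase-ignored sid:1336 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/bin/chgrp" -j LOG --log-prefix " SID1337 " # "WEB-ATTACKS chgrp command attempt" nocase-ignored sid:1337 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/sbin/chown" -j LOG --log-prefix " SID1338 " # "WEB-ATTACKS chown command attempt" nocase-ignored sid:1338 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/bin/chsh" -j LOG --log-prefix " SID1339 " # "WEB-ATTACKS chsh command attempt" nocase-ignored sid:1339 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "tftp%20" -j LOG --log-prefix " SID1340 " # "WEB-ATTACKS tftp command attempt" nocase-ignored sid:1340 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/bin/gcc" -j LOG --log-prefix " SID1341 " # "WEB-ATTACKS /usr/bin/gcc command attempt" nocase-ignored sid:1341 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "gcc%20-o" -j LOG --log-prefix " SID1342 " # "WEB-ATTACKS gcc command attempt" nocase-ignored sid:1342 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/bin/cc" -j LOG --log-prefix " SID1343 " # "WEB-ATTACKS /usr/bin/cc command attempt" nocase-ignored sid:1343 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "cc%20" -j LOG --log-prefix " SID1344 " # "WEB-ATTACKS cc command attempt" nocase-ignored sid:1344 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/bin/cpp" -j LOG --log-prefix " SID1345 " # "WEB-ATTACKS /usr/bin/cpp command attempt" nocase-ignored sid:1345 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "cpp%20" -j LOG --log-prefix " SID1346 " # "WEB-ATTACKS cpp command attempt" nocase-ignored sid:1346 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/bin/g++" -j LOG --log-prefix " SID1347 " # "WEB-ATTACKS /usr/bin/g++ command attempt" nocase-ignored sid:1347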
classtype:web-application-attack iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "g++%20" -j LOG --log-prefix " SID1348 " # "WEB-ATTACKS g++ command attempt" nocase-ignored sid:1348 classtype:web-application-attack iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "bin/python" -j LOG --log-prefix " SID1349 " # "WEB-ATTACKS bin/python access attempt" nocase-ignored sid:1349 classtype:web-application-attack iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "python%20" -j LOG --log-prefix " SID1350 " # "WEB-ATTACKS python access attempt" nocase-ignored sid:1350 classtype:web-application-attack iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "bin/tclsh" -j LOG --log-prefix " SID1351 " # "WEB-ATTACKS bin/tclsh execution attempt" nocase-ignored sid:1351 classtype:web-application-attack iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "tclsh8%20" -j LOG --log-prefix " SID1352 " # "WEB-ATTACKS tclsh execution attempt" nocase-ignored sid:1352 classtype:web-application-attack iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "bin/nasm" -j LOG --log-prefix " SID1353 " # "WEB-ATTACKS bin/nasm command attempt" nocase-ignored sid:1353 classtype:web-application-attack iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "nasm%20" -j LOG --log-prefix " SID1354 " # "WEB-ATTACKS nasm command attempt" nocase-ignored sid:1354 classtype:web-application-attack iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/bin/perl" -j LOG --log-prefix " SID1355 " # "WEB-ATTACKS 
/usr/bin/perl execution attempt" nocase-ignored sid:1355 classtype:web-application-attack iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "perl%20" -j LOG --log-prefix " SID1356 " # "WEB-ATTACKS perl execution attempt" nocase-ignored sid:1356 classtype:web-application-attack iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "net localgroup administrators /add" -j LOG --log-prefix " SID1357 " # "WEB-ATTACKS nt admin addition attempt" nocase-ignored sid:1357 classtype:web-application-attack iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "traceroute%20" -j LOG --log-prefix " SID1358 " # "WEB-ATTACKS traceroute command attempt" nocase-ignored sid:1358 classtype:web-application-attack iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/ping" -j LOG --log-prefix " SID1359 " # "WEB-ATTACKS ping command attempt" nocase-ignored sid:1359 classtype:web-application-attack iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "nc%20" -j LOG --log-prefix " SID1360 " # "WEB-ATTACKS netcat command attempt" nocase-ignored sid:1360 classtype:web-application-attack iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "nmap%20" -j LOG --log-prefix " SID1361 " # "WEB-ATTACKS nmap command attempt" nocase-ignored sid:1361 classtype:web-application-attack iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/X11R6/bin/xterm" -j LOG --log-prefix " SID1362 " # "WEB-ATTACKS xterm command attempt" nocase-ignored sid:1362 classtype:web-application-attack iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m 
string --string "%20-display%20" -j LOG --log-prefix " SID1363 " # "WEB-ATTACKS X application to remote host attempt" nocase-ignored sid:1363 classtype:web-application-attack iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "lsof%20" -j LOG --log-prefix " SID1364 " # "WEB-ATTACKS lsof command attempt" nocase-ignored sid:1364 classtype:web-application-attack iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "rm%20" -j LOG --log-prefix " SID1365 " # "WEB-ATTACKS rm command attempt" nocase-ignored sid:1365 classtype:web-application-attack iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/mail" -j LOG --log-prefix " SID1366 " # "WEB-ATTACKS mail command attempt" nocase-ignored sid:1366 classtype:web-application-attack iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "mail%20" -j LOG --log-prefix " SID1367 " # "WEB-ATTACKS mail command attempt" nocase-ignored sid:1367 classtype:web-application-attack #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/ls -j LOG --log-prefix " SID1368 " #Cannot convert: misconvert in content pipe: sid:1368 "WEB-ATTACKS /bin/ls| command attempt" nocase-ignored sid:1368 classtype:web-application-attack iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/ls" -j LOG --log-prefix " SID1369 " # "WEB-ATTACKS /bin/ls command attempt" nocase-ignored sid:1369 classtype:web-application-attack iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/etc/inetd.conf" -j LOG --log-prefix " SID1370 " # "WEB-ATTACKS /etc/inetd.conf access" nocase-ignored sid:1370 classtype:web-application-activity 
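# ---------------------------------------------------------------------------
# Remaining converted Snort rules: WEB-ATTACKS file access, MS-SQL, X11, ICMP,
# NETBIOS, MISC, ATTACK RESPONSES and BACKDOOR.  One rule per line; every
# rule is appended to the SnortRules chain with the LOG target only (nothing
# here drops traffic).  The trailing "# ..." comment on each rule carries the
# original Snort message, references, classtype and sid; "nocase-ignored"
# means the Snort rule was case-insensitive but this conversion byte-matches.
# Lines of the form "#iptables ... #Cannot convert: ..." are rules the
# converter could not express; they are kept commented so the sid remains
# visible.
#
# Fix in this revision: five NETBIOS SMB patterns (sid 532, 533, 536, 537,
# 538) contained an unescaped "$" inside double quotes, so the shell expanded
# "$A" / "$IPC" as (empty) variables and the share name was silently reduced
# to e.g. "\ADMIN:".  The "$" is now escaped as "\$", the same way sid:105
# ("2Drives\$") already did it.
#
# NOTE(review): -m dsize and -m ipv4options do not look like mainline iptables
# matches (patch-o-matic era?) and "-m string" here has no --algo, which
# current xt_string requires (--algo bm|kmp, plus --icase for the
# nocase-ignored rules) -- confirm against the iptables build these are
# loaded on.  The --string "" entries (sid 474, 483, 517) are binary Snort
# contents that did not survive conversion and match nothing useful; verify
# or disable them before relying on those sids.
# Network variables are left unquoted to match the rest of this file.
# ---------------------------------------------------------------------------

# --- WEB-ATTACKS: sensitive file access ----------------------------------
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/etc/motd" -j LOG --log-prefix " SID1371 " # "WEB-ATTACKS /etc/motd access" nocase-ignored sid:1371 classtype:web-application-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/etc/shadow" -j LOG --log-prefix " SID1372 " # "WEB-ATTACKS /etc/shadow access" nocase-ignored sid:1372 classtype:web-application-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "conf/httpd.conf" -j LOG --log-prefix " SID1373 " # "WEB-ATTACKS conf/httpd.conf attempt" nocase-ignored sid:1373 classtype:web-application-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".htgroup" -j LOG --log-prefix " SID1374 " # "WEB-ATTACKS .htgroup access" nocase-ignored sid:1374 classtype:web-application-activity

# --- MS-SQL: TDS (1433) and named pipes over NetBIOS (139) ----------------
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "sp_start_jo" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID673 " # "MS-SQL sp_start_job - program execution" nocase-ignored classtype:attempted-user sid:673
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_displayparamstmt" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID674 " # "MS-SQL - xp_displayparamstmt possible buffer overflow" nocase-ignored classtype:attempted-user sid:674
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_setsqlsecurity" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID675 " # "MS-SQL - xp_setsqlsecurity possible buffer overflow" nocase-ignored classtype:attempted-user sid:675
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "sp_start_jo" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID676 " # "MS-SQL sp_start_job - program execution" nocase-ignored classtype:attempted-user sid:676
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "sp_password" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID677 " # "MS-SQL PIPES sp_password - password change" nocase-ignored classtype:attempted-user sid:677
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "sp_delete_ale" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID678 " # "MS-SQL PIPES sp_delete_alert - log file deletion" nocase-ignored classtype:attempted-user sid:678
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "sp_adduser" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID679 " # "MS-SQL PIPES sp_adduser - database user creation" nocase-ignored classtype:attempted-user sid:679
iptables -A SnortRules -p tcp -s $SQL_SERVERS --sport 139 -d $EXTERNAL_NET -m string --string "Login failed for user 'sa'" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID680 " # "MS-SQL sa logon failed" classtype:attempted-user sid:680
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_cmdshell" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID681 " # "MS-SQL PIPES xp_cmdshell - program execution" nocase-ignored classtype:attempted-user sid:681
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_enumresultset" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID682 " # "MS-SQL xp_enumresultset possible buffer overflow" nocase-ignored classtype:attempted-user sid:682
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "sp_password" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID683 " # "MS-SQL sp_password - password change" nocase-ignored classtype:attempted-user sid:683
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "sp_delete_ale" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID684 " # "MS-SQL sp_delete_alert - log file deletion" nocase-ignored classtype:attempted-user sid:684
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "sp_adduser" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID685 " # "MS-SQL sp_adduser - database user creation" nocase-ignored classtype:attempted-user sid:685
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_reg" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID686 " # "MS-SQL xp_reg* - registry access" nocase-ignored classtype:attempted-user sid:686
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_cmdshell" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID687 " # "MS-SQL xp_cmdshell - program execution" nocase-ignored classtype:attempted-user sid:687
#iptables -A SnortRules -p tcp -s $SQL_SERVERS --sport 1433 -d $EXTERNAL_NET -m string --string "Login failed for user 'sa'" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID688 " #Cannot convert: Mishandled quotes "MS-SQL sa logon failed" classtype:unsuccessful-user sid:688
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_reg" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID689 " # "MS-SQL PIPES xp_reg* - registry access" nocase-ignored classtype:attempted-user sid:689
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_printstatements" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID690 " # "MS-SQL - xp_printstatements possible buffer overflow" nocase-ignored classtype:attempted-user sid:690
# sid 691-694: shellcode byte patterns; the non-printable bytes were mangled
# by the conversion, so these strings are kept verbatim but are unlikely to
# match the original content -- treat them as low-confidence.
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "9 ВRU9 " --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID691 " # "MS-SQL Buffer overflow shellcode ACTIVE ATTACK" classtype:attempted-user sid:691
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "9 ВRU9 " --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID692 " # "MS-SQL Buffer overflow shellcode ACTIVE ATTACK" classtype:attempted-user sid:692
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "H%xw3Ph." --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID693 " # "MS-SQL Buffer overflow shellcode ACTIVE ATTACK" classtype:attempted-user sid:693
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "H%xw3Ph." --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID694 " # "MS-SQL Buffer overflow shellcode ACTIVE ATTACK" classtype:attempted-user sid:694
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_sprintf" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID695 " # "MS-SQL xp_sprintf possible buffer overflow" nocase-ignored classtype:attempted-user sid:695
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_showcolv" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID696 " # "MS-SQL xp_showcolv possible buffer overflow" nocase-ignored classtype:attempted-user sid:696
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_peekqueue" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID697 " # "MS-SQL xp_peekqueue possible buffer overflow" nocase-ignored classtype:attempted-user sid:697
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_proxiedmetadata" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID698 " # "MS-SQL xp_proxiedmetadata possible buffer overflow" nocase-ignored classtype:attempted-user sid:698
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_printstatements" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID699 " # "MS-SQL xp_printstatements possible buffer overflow" nocase-ignored classtype:attempted-user sid:699
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_updatecolvbm" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID700 " # "MS-SQL xp_updatecolvbm possible buffer overflow" nocase-ignored classtype:attempted-user sid:700
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_updatecolvbm" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID701 " # "MS-SQL xp_updatecolvbm possible buffer overflow" nocase-ignored classtype:attempted-user sid:701
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_displayparamstmt" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID702 " # "MS-SQL xp_displayparamstmt possible buffer overflow" nocase-ignored classtype:attempted-user sid:702
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_setsqlsecurity" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID703 " # "MS-SQL xp_setsqlsecurity possible buffer overflow" nocase-ignored classtype:attempted-user sid:703
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_sprintf" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID704 " # "MS-SQL xp_sprintf possible buffer overflow" nocase-ignored classtype:attempted-user sid:704
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_showcolv" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID705 " # "MS-SQL xp_showcolv possible buffer overflow" nocase-ignored classtype:attempted-user sid:705
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_peekqueue" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID706 " # "MS-SQL xp_peekqueue possible buffer overflow" nocase-ignored classtype:attempted-user sid:706
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_proxiedmetadata" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID707 " # "MS-SQL xp_proxiedmetadata possible buffer overflow" nocase-ignored classtype:attempted-user sid:707
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_enumresultset" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID708 " # "MS-SQL xp_enumresultset possible buffer overflow" nocase-ignored classtype:attempted-user sid:708

# --- X11 -------------------------------------------------------------------
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 6000 --tcp-flags ACK ACK -m string --string "MIT-MAGIC-COOKIE-1" -j LOG --log-prefix " SID1225 " # "X11 MITcookie" arachnids,396 classtype:bad-unknown sid:1225
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 6000 --tcp-flags ACK ACK -m string --string "l " -j LOG --log-prefix " SID1226 " # "X11 xopen" arachnids,395 classtype:unknown sid:1226
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 6000:6005 -d $HOME_NET --tcp-flags ALL ACK,SYN -j LOG --log-prefix " SID1227 " # "X11 outgoing" arachnids,126 classtype:unknown sid:1227

# --- ICMP ------------------------------------------------------------------
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "ISSPNGRQ" --icmp-type 8 -j LOG --log-prefix " SID465 " # "ICMP ISS Pinger" arachnids,158 classtype:attempted-recon sid:465
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI" --icmp-type 8/0 -j LOG --log-prefix " SID466 " # "ICMP L3retriever Ping" arachnids,311 classtype:attempted-recon sid:466
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m dsize --dsize 20 --icmp-type 8 -m string --string "" -j LOG --log-prefix " SID467 " #Cannot convert: icmp_id: 0 icmp_seq: 0 "ICMP Nemesis v1.1 Echo" arachnids,449 classtype:attempted-recon sid:467
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m dsize --dsize 0 --icmp-type 8 -j LOG --log-prefix " SID469 " # "ICMP PING NMAP" arachnids,162 classtype:attempted-recon sid:469
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m dsize --dsize 0 --icmp-type 8 -j LOG --log-prefix " SID471 " #Cannot convert: id: 666 icmp_id: 666 icmp_seq: 0 "ICMP icmpenum v1.1.1" arachnids,450 classtype:attempted-recon sid:471
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 5/1 -j LOG --log-prefix " SID472 " # "ICMP redirect host" arachnids,135 cve,CVE-1999-0265 classtype:bad-unknown sid:472
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 5/0 -j LOG --log-prefix " SID473 " # "ICMP redirect net" arachnids,199 cve,CVE-1999-0265 classtype:bad-unknown sid:473
# sid:474 -- --string "" is a lost binary content; see header note.
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "" --icmp-type 8 -m dsize --dsize 8 -j LOG --log-prefix " SID474 " # "ICMP superscan echo" classtype:attempted-recon sid:474
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m ipv4options --rr --icmp-type 0 -j LOG --log-prefix " SID475 " # "ICMP traceroute ipopts" arachnids,238 classtype:attempted-recon sid:475
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "EEEEEEEEEEEE" --icmp-type 8/0 -j LOG --log-prefix " SID476 " # "ICMP webtrends scanner" arachnids,307 classtype:attempted-recon sid:476
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 4/0 -j LOG --log-prefix " SID477 " # "ICMP Source Quench" classtype:bad-unknown sid:477
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 8 -m dsize --dsize 4 -j LOG --log-prefix " SID478 " #Cannot convert: icmp_id: 0 icmp_seq: 0 "ICMP Broadscan Smurf Scanner" classtype:attempted-recon sid:478
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "89:;<=>?" --icmp-type 8 -j LOG --log-prefix " SID480 " # "ICMP PING speedera" sid:480 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "TJPingPro by Jim" --icmp-type 8 -j LOG --log-prefix " SID481 " # "ICMP TJPingPro1.1Build 2 Windows" arachnids,167 sid:481 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "WhatsUp - A Netw" --icmp-type 8 -j LOG --log-prefix " SID482 " # "ICMP PING WhatsupGold Windows" arachnids,168 sid:482 classtype:misc-activity
# sid:483 -- --string "" is a lost binary content; see header note.
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "" --icmp-type 8 -j LOG --log-prefix " SID483 " # "ICMP PING CyberKit 2.2 Windows" arachnids,154 sid:483 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 8 -m string --string "Cinco Network, Inc." -j LOG --log-prefix " SID484 " # "ICMP PING Sniffer Pro/NetXRay network scan" sid:484 classtype:misc-activity
# sid 485-487 have no -s/-d and therefore log these unreachables in every
# direction on the chain.
iptables -A SnortRules -p icmp --icmp-type 3/13 -j LOG --log-prefix " SID485 " # "ICMP Destination Unreachable (Communication Administratively Prohibited)" sid:485 classtype:misc-activity
iptables -A SnortRules -p icmp --icmp-type 3/10 -j LOG --log-prefix " SID486 " # "ICMP Destination Unreachable (Communication with Destination Host is Administratively Prohibited)" sid:486 classtype:misc-activity
iptables -A SnortRules -p icmp --icmp-type 3/9 -j LOG --log-prefix " SID487 " # "ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited)" sid:487 classtype:misc-activity

# --- NETBIOS ---------------------------------------------------------------
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 -m string --string "EML" --tcp-flags ACK ACK -j LOG --log-prefix " SID1293 " # "NETBIOS nimda .eml" classtype:bad-unknown url,www.datafellows.com/v-descs/nimda.shtml sid:1293
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 -m string --string "NWS" --tcp-flags ACK ACK -j LOG --log-prefix " SID1294 " # "NETBIOS nimda .nws" classtype:bad-unknown url,www.datafellows.com/v-descs/nimda.shtml sid:1294
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 -m string --string "RICHED20" --tcp-flags ACK ACK -j LOG --log-prefix " SID1295 " # "NETBIOS nimda RICHED20.DLL" classtype:bad-unknown url,www.datafellows.com/v-descs/nimda.shtml sid:1295
# In double quotes "\\" is one backslash, so sid:529 matches two backslashes
# followed by *SMBSERVER.
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "\\\\*SMBSERVER" -j LOG --log-prefix " SID529 " # "NETBIOS DOS RFPoison" arachnids,454 classtype:attempted-dos sid:529
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "Windows NT 1381" -j LOG --log-prefix " SID530 " # "NETBIOS NT NULL session" bugtraq,1163 cve,CVE-2000-0347 arachnids,204 classtype:attempted-recon sid:530
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "BEAVIS" --string "yep yep" -j LOG --log-prefix " SID1239 " # "NETBIOS RFParalyze Attempt" classtype:attempted-recon sid:1239
# Administrative share names: "$" must be escaped or the shell expands "$A"
# / "$IPC" as variables and the pattern collapses to "\ADMIN:" etc.
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "\ADMIN\$A:" -j LOG --log-prefix " SID532 " # "NETBIOS SMB ADMIN$access" arachnids,340 classtype:attempted-admin sid:532
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "\\C\$A:" -j LOG --log-prefix " SID533 " # "NETBIOS SMB C$ access" arachnids,339 classtype:attempted-recon sid:533
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "\../" -j LOG --log-prefix " SID534 " # "NETBIOS SMB CD.." arachnids,338 classtype:attempted-recon sid:534
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "\..." -j LOG --log-prefix " SID535 " # "NETBIOS SMB CD..." arachnids,337 classtype:attempted-recon sid:535
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "\D\$A:" -j LOG --log-prefix " SID536 " # "NETBIOS SMB D$access" arachnids,336 classtype:attempted-recon sid:536
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "\IPC\$A:" -j LOG --log-prefix " SID537 " # "NETBIOS SMB IPC$access" arachnids,335 classtype:attempted-recon sid:537
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "\\IPC\$IPC" -j LOG --log-prefix " SID538 " # "NETBIOS SMB IPC$access" arachnids,334 classtype:attempted-recon sid:538
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "UnixSamba" -j LOG --log-prefix " SID539 " # "NETBIOS Samba clientaccess" arachnids,341 classtype:not-suspicious sid:539

# --- MISC ------------------------------------------------------------------
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m dsize --dsize 801: -j LOG --log-prefix " SID499 " # "MISC Large ICMP Packet" arachnids,246 classtype:bad-unknown sid:499
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m ipv4options --lsrr -j LOG --log-prefix " SID500 " # "MISC source route lssr" bugtraq,646 cve,CVE-1999-0909 arachnids,418 classtype:bad-unknown sid:500
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -j LOG --log-prefix " SID501 " #Cannot convert: ipopts:lsrre "MISC source route lssre" bugtraq,646 cve,CVE-1999-0909 arachnids,420 classtype:bad-unknown sid:501
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m ipv4options --ssrr -j LOG --log-prefix " SID502 " # "MISC source route ssrr" arachnids,422 classtype:bad-unknown sid:502
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 20 -d $HOME_NET --dport :1023 --tcp-flags ALL SYN -j LOG --log-prefix " SID503 " # "MISC Source Port 20 to <1024" arachnids,06 classtype:bad-unknown sid:503
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 53 -d $HOME_NET --dport :1023 --tcp-flags ALL SYN -j LOG --log-prefix " SID504 " # "MISC source port 53 to <1024" arachnids,07 classtype:bad-unknown sid:504
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 1417 -m string --string ">" --tcp-flags ACK ACK -j LOG --log-prefix " SID505 " # "MISC Insecure TIMBUKTU Password" arachnids,229 classtype:bad-unknown sid:505
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 27374 --tcp-flags ACK ACK -m string --string "GET " -j LOG --log-prefix " SID506 " # "MISC ramen worm incoming" nocase-ignored arachnids,460 classtype:bad-unknown sid:506
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 5631 --tcp-flags ACK ACK -m string --string "ADMINISTRATOR" -j LOG --log-prefix " SID507 " # "MISC PCAnywhere Attempted Administrator Login" classtype:attempted-admin sid:507
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 70 -m string --string "ftp:" --string "@/" --tcp-flags ACK ACK -j LOG --log-prefix " SID508 " # "MISC gopher proxy" nocase-ignored arachnids,409 classtype:bad-unknown sid:508
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "pccsmysqladm/incs/dbconnect.inc" -j LOG --log-prefix " SID509 " # "MISC PCCS mysql database admin tool" nocase-ignored arachnids,300 classtype:attempted-user sid:509
iptables -A SnortRules -p tcp -s $HOME_NET --sport 5631 -d $EXTERNAL_NET -m string --string "Invalid login" --tcp-flags ACK ACK -j LOG --log-prefix " SID511 " # "MISC Invalid PCAnywhere Login" classtype:unsuccessful-user sid:511
iptables -A SnortRules -p tcp -s $HOME_NET --sport 5632 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "Invalid login" -j LOG --log-prefix " SID512 " # "MISC PCAnywhere Failed Login" arachnids,240 classtype:unsuccessful-user sid:512
iptables -A SnortRules -p tcp -s $HOME_NET --sport 7161 -d $EXTERNAL_NET --tcp-flags ALL ACK,SYN -j LOG --log-prefix " SID513 " # "MISC Cisco Catalyst Remote Access" arachnids,129 cve,CVE-1999-0430 classtype:bad-unknown sid:513
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 27374 --tcp-flags ACK ACK -m string --string "GET " -j LOG --log-prefix " SID514 " # "MISC ramen worm outgoing" nocase-ignored arachnids,461 classtype:bad-unknown sid:514
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 161 -m string --string "+@" -j LOG --log-prefix " SID516 " # "MISC SNMP NT UserList" classtype:attempted-recon sid:516
# sid:517 -- --string "" is a lost binary content; see header note.
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 177 -m string --string "" -j LOG --log-prefix " SID517 " # "MISC xdmcp query" arachnids,476 classtype:attempted-recon sid:517
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m dsize --dsize 4001: -j LOG --log-prefix " SID521 " # "MISC Large UDP Packet" arachnids,247 classtype:bad-unknown sid:521
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m dsize --dsize :24 -j LOG --log-prefix " SID522 " #Cannot convert: fragbits:M "MISC Tiny Fragments" classtype:bad-unknown sid:522

# --- ATTACK RESPONSES (server -> client direction) -------------------------
iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 80 -d $EXTERNAL_NET -m string --string "Volume Serial Number" --tcp-flags ACK ACK -j LOG --log-prefix " SID1292 " # "ATTACK RESPONSES http dir listing" classtype:bad-unknown sid:1292
# sid:498 has no -s/-d/port restriction: any ACK segment on the chain that
# carries "uid=0(root)" is logged, in either direction.
iptables -A SnortRules -p tcp --tcp-flags ACK ACK -m string --string "uid=0(root)" -j LOG --log-prefix " SID498 " # "ATTACK RESPONSES id check returned root" classtype:bad-unknown sid:498
iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 80 -d $EXTERNAL_NET -m string --string "Command completed" --tcp-flags ACK ACK -j LOG --log-prefix " SID494 " # "ATTACK RESPONSES command completed" nocase-ignored classtype:bad-unknown sid:494
iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 80 -d $EXTERNAL_NET -m string --string "Bad command or filename" --tcp-flags ACK ACK -j LOG --log-prefix " SID495 " # "ATTACK RESPONSES command error" nocase-ignored classtype:bad-unknown sid:495
iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 80 -d $EXTERNAL_NET -m string --string "Directory Listing of" --tcp-flags ACK ACK -j LOG --log-prefix " SID496 " # "ATTACK RESPONSES directory listing" nocase-ignored classtype:unknown sid:496
iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 80 -d $EXTERNAL_NET -m string --string "1 file(s) copied" --tcp-flags ACK ACK -j LOG --log-prefix " SID497 " # "ATTACK RESPONSES file copied ok" nocase-ignored classtype:bad-unknown sid:497

# --- BACKDOOR --------------------------------------------------------------
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 27374 -d $HOME_NET --tcp-flags ACK ACK -m string --string " [RPL]002 " -j LOG --log-prefix " SID103 " # "BACKDOOR subseven 22" arachnids,485 sid:103 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 1024: -d $HOME_NET --dport 2589 --tcp-flags ACK ACK -m string --string " Connect" -j LOG --log-prefix " SID104 " # "BACKDOOR - Dagger_1.4.0_client_connect" arachnids,483 sid:104 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 2589 -d $EXTERNAL_NET --dport 1024: --tcp-flags ACK ACK -m string --string "2Drives\$" -j LOG --log-prefix " SID105 " # "BACKDOOR - Dagger_1.4.0" arachnids,484 sid:105 classtype:misc-activity
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET --dport 1054 --tcp-flags ALL ACK -j LOG --log-prefix " SID106 " #Cannot convert: seq: 101058054 ack: 101058054 "BACKDOOR ACKcmdC trojan scan" arachnids,445 sid:106 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 16959 -d $HOME_NET -m string --string "PWD" --string "acidphreak" --tcp-flags ACK ACK -j LOG --log-prefix " SID107 " # "BACKDOOR subseven DEFCON8 2.1 access" nocase-ignored sid:107 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 7597 --tcp-flags ACK ACK -m string --string "qazwsx.hsq" -j LOG --log-prefix " SID108 " # "BACKDOOR QAZ Worm Client Login access" MCAFEE,98775 sid:108 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 12345 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "NetBus" -j LOG --log-prefix " SID109 " # "BACKDOOR netbus active" arachnids,401 sid:109 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 12345 --tcp-flags ACK ACK -m string --string "GetInfo " -j LOG --log-prefix " SID110 " # "BACKDOOR netbus getinfo" arachnids,403 sid:110 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 12346 --tcp-flags ACK ACK -m string --string "GetInfo " -j LOG --log-prefix " SID111 " # "BACKDOOR netbus getinfo" arachnids,403 sid:111 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 80 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "server: BO/" -j LOG --log-prefix " SID112 " # "BACKDOOR BackOrifice access" arachnids,400 sid:112 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 4120 -d $HOME_NET -m string --string "--Ahhhhhhhhhh" -j LOG --log-prefix " SID113 " # "BACKDOOR DeepThroat access" arachnids,405 sid:113 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 12346 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "NetBus" -j LOG --log-prefix " SID114 " # "BACKDOOR netbus active" arachnids,401 sid:114 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 20034 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "NetBus" -j LOG --log-prefix " SID115 " # "BACKDOOR netbus active" arachnids,401 sid:115 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 31337 -m string --string "c9" -j LOG --log-prefix " SID116 " # "BACKDOOR BackOrifice access" arachnids,399 sid:116 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 146 -d $EXTERNAL_NET --dport 1024: -m string --string "WHATISIT" --tcp-flags ACK ACK -j LOG --log-prefix " SID117 " # "BACKDOOR 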
Infector.1.x" arachnids,315 sid:117 classtype:misc-activity iptables -A SnortRules -p tcp -s $HOME_NET --sport 666 -d $EXTERNAL_NET --dport 1024: -m string --string "Remote: You are connected to me." --tcp-flags ACK ACK -j LOG --log-prefix " SID118 " # "BACKDOOR SatansBackdoor.2.0.Beta" arachnids,316 sid:118 classtype:misc-activity iptables -A SnortRules -p tcp -s $HOME_NET --sport 6789 -d $EXTERNAL_NET -m string --string "Wtzup Use" --tcp-flags ACK ACK -j LOG --log-prefix " SID119 " # "BACKDOOR Doly 2.0 access" arachnids,312 sid:119 classtype:misc-activity iptables -A SnortRules -p tcp -s $HOME_NET --sport 146 -d $EXTERNAL_NET --dport 1000:1300 -m string --string "WHATISIT" --tcp-flags ACK ACK -j LOG --log-prefix " SID120 " # "BACKDOOR Infector 1.6 Server to Client" sid:120 classtype:misc-activity iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 1000:1300 -d $HOME_NET --dport 146 -m string --string "FC " --tcp-flags ACK ACK -j LOG --log-prefix " SID121 " # "BACKDOOR Infector 1.6 Client to Server Connection Request" sid:121 classtype:misc-activity iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "13" -j LOG --log-prefix " SID122 " # "BACKDOOR DeepThroat 3.1 System Info Client Request" arachnids,106 sid:122 classtype:misc-activity iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "09" -j LOG --log-prefix " SID124 " # "BACKDOOR DeepThroat 3.1 FTP Status Client Request" arachnids,106 sid:124 classtype:misc-activity iptables -A SnortRules -p udp -s $HOME_NET --sport 2140 -d $EXTERNAL_NET --dport 60000 -m string --string "Retreaving" -j LOG --log-prefix " SID125 " # "BACKDOOR DeepThroat 3.1 E-Mail Info From Server" arachnids,106 sid:125 classtype:misc-activity iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "12" -j LOG --log-prefix " SID126 " # "BACKDOOR DeepThroat 3.1 E-Mail Info Client Request" 
arachnids,106 sid:126 classtype:misc-activity iptables -A SnortRules -p udp -s $HOME_NET --sport 2140 -d $EXTERNAL_NET --dport 60000 -m string --string "Host" -j LOG --log-prefix " SID127 " # "BACKDOOR DeepThroat 3.1 Server Status From Server" arachnids,106 sid:127 classtype:misc-activity iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "10" -j LOG --log-prefix " SID128 " # "BACKDOOR DeepThroat 3.1 Server Status Client Request" arachnids,106 sid:128 classtype:misc-activity iptables -A SnortRules -p udp -s $HOME_NET --sport 2140 -d $EXTERNAL_NET --dport 60000 -m string --string "C - " -j LOG --log-prefix " SID129 " # "BACKDOOR DeepThroat 3.1 Drive Info From Server" arachnids,106 sid:129 classtype:misc-activity iptables -A SnortRules -p udp -s $HOME_NET --sport 2140 -d $EXTERNAL_NET --dport 60000 -m string --string "Comp Name" -j LOG --log-prefix " SID130 " # "BACKDOOR DeepThroat 3.1 System Info From Server" arachnids,106 sid:130 classtype:misc-activity iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "130" -j LOG --log-prefix " SID131 " # "BACKDOOR DeepThroat 3.1 Drive Info Client Request" arachnids,106 sid:131 classtype:misc-activity iptables -A SnortRules -p udp -s $HOME_NET --sport 2140 -d $EXTERNAL_NET --dport 60000 -m string --string "FTP Server changed to" -j LOG --log-prefix " SID132 " # "BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server" arachnids,106 sid:132 classtype:misc-activity iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "16" -j LOG --log-prefix " SID133 " # "BACKDOOR DeepThroat 3.1 Cached Passwords Client Request" arachnids,106 sid:133 classtype:misc-activity iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "17" -j LOG --log-prefix " SID134 " # "BACKDOOR DeepThroat 3.1 RAS Passwords Client Request" arachnids,106 
sid:134 classtype:misc-activity iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "91" -j LOG --log-prefix " SID135 " # "BACKDOOR DeepThroat 3.1 Server Password Change Client Request" arachnids,106 sid:135 classtype:misc-activity iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "92" -j LOG --log-prefix " SID136 " # "BACKDOOR DeepThroat 3.1 Server Password Remove Client Request" arachnids,106 sid:136 classtype:misc-activity iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "911" -j LOG --log-prefix " SID137 " # "BACKDOOR DeepThroat 3.1 Rehash Client Request" arachnids,106 sid:137 classtype:misc-activity iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 3150 -m string --string "shutd0wnM0therF***eR" -j LOG --log-prefix " SID138 " # "BACKDOOR DeepThroat 3.1 Server Rehash Client Request" arachnids,106 sid:138 classtype:misc-activity iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "88" -j LOG --log-prefix " SID140 " # "BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request" arachnids,106 sid:140 classtype:misc-activity iptables -A SnortRules -p tcp -s $HOME_NET --sport 31785 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "host" -j LOG --log-prefix " SID141 " # "BACKDOOR HackAttack 1.20 Connect" sid:141 classtype:misc-activity iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "40" -j LOG --log-prefix " SID142 " # "BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request" arachnids,106 sid:142 classtype:misc-activity iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "20" -j LOG --log-prefix " SID143 " # "BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request" arachnids,106 sid:143 classtype:misc-activity 
# -- BACKDOOR signatures (continued), ending with the telnet "rootkit keyword" set --
# Same conventions as the preceding block: every active line is a LOG-only rule on the
# SnortRules chain, the trailing comment is the Snort metadata, and " SIDnnn " is the
# log prefix.  "nocase-ignored" contents are matched case-sensitively here, and
# `-m string` without `--algo` / `-m dsize` assume the legacy ipt_string and dsize
# patches rather than the in-tree xt_string / length matches.
iptables -A SnortRules -p tcp -d $HOME_NET --dport 21 -s $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "USERw0rm " -j LOG --log-prefix " SID144 " # "BACKDOOR ADMw0rm ftp retrieval" arachnids,01 sid:144 classtype:misc-activity
# `--sport ! 80` is the old intrapositioned negation; newer iptables deprecate it in
# favour of `! --sport 80` and may refuse to load this form.
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport ! 80 -d $HOME_NET --dport 21554 --tcp-flags ACK ACK -m string --string "Girl" -j LOG --log-prefix " SID145 " # "BACKDOOR GirlFriendaccess" arachnids,98 sid:145 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 30100 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "NetSphere" -j LOG --log-prefix " SID146 " # "BACKDOOR NetSphere access" arachnids,76 sid:146 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 6969 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "GateCrasher" -j LOG --log-prefix " SID147 " # "BACKDOOR GateCrasher" arachnids,99 sid:147 classtype:misc-activity
iptables -A SnortRules -p udp -s $HOME_NET --sport 2140 -d $EXTERNAL_NET --dport 60000 -m string --string "KeyLogger Is Enabled On port" -j LOG --log-prefix " SID148 " # "BACKDOOR DeepThroat 3.1 Keylogger Active on Network" arachnids,106 sid:148 classtype:misc-activity
# A single "#" as the pattern will match a great deal of ordinary UDP payload on these ports.
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 3150 -m string --string "#" -j LOG --log-prefix " SID149 " # "BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network" arachnids,106 sid:149 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 3150 -d $HOME_NET --dport 60000 -m string --string "#" -j LOG --log-prefix " SID150 " # "BACKDOOR DeepThroat 3.1 Server Active on Network" arachnids,106 sid:150 classtype:misc-activity
# No payload match at all: every UDP datagram on this port pair is logged (same for SID164 below).
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -j LOG --log-prefix " SID151 " # "BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network" arachnids,106 sid:151 classtype:misc-activity
#iptables -A SnortRules -p tcp -s $HOME_NET --sport 5401:5402 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "c:\" -j LOG --log-prefix " SID152 " #Cannot convert: Mishandled quotes "BACKDOOR BackConstruction 2.1 Connection" sid:152 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 23476 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "pINg" -j LOG --log-prefix " SID153 " # "BACKDOOR DonaldDick 1.53 Traffic" sid:153 classtype:misc-activity
iptables -A SnortRules -p udp -s $HOME_NET --sport 3150 -d $EXTERNAL_NET --dport 60000 -m string --string "Wrong Password" -j LOG --log-prefix " SID154 " # "BACKDOOR DeepThroat 3.1 Wrong Password" arachnids,106 sid:154 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 30100:30102 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "NetSphere" -j LOG --log-prefix " SID155 " # "BACKDOOR NetSphere 1.31.337 access" arachnids,76 sid:155 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "37" -j LOG --log-prefix " SID156 " # "BACKDOOR DeepThroat 3.1 Visible Window List Client Request" arachnids,106 sid:156 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 666 --tcp-flags ACK ACK -m string --string "FTPON" -j LOG --log-prefix " SID157 " # "BACKDOOR BackConstruction 2.1 Client FTP Open Request" sid:157 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 666 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "FTP Port open" -j LOG --log-prefix " SID158 " # "BACKDOOR BackConstruction 2.1 Server FTP Open Reply" sid:158 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 5032 --tcp-flags ACK ACK -m string --string "--" -j LOG --log-prefix " SID159 " # "BACKDOOR NetMetro File List" arachnids,79 sid:159 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 3344 -d $HOME_NET --dport 3345 -m string --string "activate" -j LOG --log-prefix " SID161 " # "BACKDOOR Matrix 2.0 Client connect" arachnids,83 sid:161 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 3345 -d $HOME_NET --dport 3344 -m string --string "logged in" -j LOG --log-prefix " SID162 " # "BACKDOOR Matrix 2.0 Server access" arachnids,83 sid:162 classtype:misc-activity
# Pattern lost in rendering (empty --string): unusable until restored from the Snort rule.
iptables -A SnortRules -p tcp -s $HOME_NET --sport 5714 -d $EXTERNAL_NET --tcp-flags ALL ACK,SYN -m string --string "" -j LOG --log-prefix " SID163 " # "BACKDOOR WinCrash 1.0 Server Active" arachnids,36 sid:163 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 2140 -d $HOME_NET --dport 60000 -j LOG --log-prefix " SID164 " # "BACKDOOR DeepThroat 3.1 Server Active on Network" arachnids,106 sid:164 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "KeyLogger Is Enabled On port" -j LOG --log-prefix " SID165 " # "BACKDOOR DeepThroat 3.1 Keylogger on Server ON" arachnids,106 sid:165 classtype:misc-activity
# DeepThroat 3.1 opcode rules (UDP 60000 -> 2140): each pattern is a two- or three-digit
# string matched anywhere in the datagram, so they are noisy on that port pair.
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "22" -j LOG --log-prefix " SID166 " # "BACKDOOR DeepThroat 3.1 Show Picture Client Request" arachnids,106 sid:166 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "32" -j LOG --log-prefix " SID167 " # "BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request" arachnids,106 sid:167 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "33" -j LOG --log-prefix " SID168 " # "BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request" arachnids,106 sid:168 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "34" -j LOG --log-prefix " SID169 " # "BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request" arachnids,106 sid:169 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "110" -j LOG --log-prefix " SID170 " # "BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request" arachnids,106 sid:170 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "35" -j LOG --log-prefix " SID171 " # "BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request" arachnids,106 sid:171 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "70" -j LOG --log-prefix " SID172 " # "BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request" arachnids,106 sid:172 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "71" -j LOG --log-prefix " SID173 " # "BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request" arachnids,106 sid:173 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "31" -j LOG --log-prefix " SID174 " # "BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request" arachnids,106 sid:174 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "125" -j LOG --log-prefix " SID175 " # "BACKDOOR DeepThroat 3.1 Resolution Change Client Request" arachnids,106 sid:175 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "04" -j LOG --log-prefix " SID176 " # "BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request" arachnids,106 sid:176 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "KeyLogger Shut Down" -j LOG --log-prefix " SID177 " # "BACKDOOR DeepThroat 3.1 Keylogger on Server OFF" arachnids,106 sid:177 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "21" -j LOG --log-prefix " SID179 " # "BACKDOOR DeepThroat 3.1 FTP Server Port Client Request" arachnids,106 sid:179 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "64" -j LOG --log-prefix " SID180 " # "BACKDOOR DeepThroat 3.1 Process List Client request" arachnids,106 sid:180 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "121" -j LOG --log-prefix " SID181 " # "BACKDOOR DeepThroat 3.1 Close Port Scan Client Request" arachnids,106 sid:181 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "89" -j LOG --log-prefix " SID182 " # "BACKDOOR DeepThroat 3.1 Registry Add Client Request" arachnids,106 sid:182 classtype:misc-activity
# No payload pattern, only a fixed source range plus a minimum size: any ICMP echo-reply
# (type 0) with 2+ payload bytes from 255.255.255.0/24 is logged; SID184 does the same
# for TCP ACK segments from that range.
iptables -A SnortRules -p icmp -s 255.255.255.0/24 -d $HOME_NET --icmp-type 0 -m dsize --dsize 2: -j LOG --log-prefix " SID183 " # "BACKDOOR SIGNATURE - Q ICMP" arachnids,202 sid:183 classtype:misc-activity
iptables -A SnortRules -p tcp -s 255.255.255.0/24 -d $HOME_NET --tcp-flags ACK ACK -m dsize --dsize 2: -j LOG --log-prefix " SID184 " # "BACKDOOR Q access" arachnids,203 sid:184 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 -m string --string "ypi0ca" --tcp-flags ACK ACK -j LOG --log-prefix " SID185 " # "BACKDOOR CDK" nocase-ignored arachnids,263 sid:185 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "07" -j LOG --log-prefix " SID186 " # "BACKDOOR DeepThroat 3.1 Monitor on/off Client Request" arachnids,106 sid:186 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "41" -j LOG --log-prefix " SID187 " # "BACKDOOR DeepThroat 3.1 Delete File Client Request" arachnids,106 sid:187 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "38" -j LOG --log-prefix " SID188 " # "BACKDOOR DeepThroat 3.1 Kill Window Client Request" arachnids,106 sid:188 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "23" -j LOG --log-prefix " SID189 " # "BACKDOOR DeepThroat 3.1 Disable Window Client Request" arachnids,106 sid:189 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "24" -j LOG --log-prefix " SID190 " # "BACKDOOR DeepThroat 3.1 Enable Window Client Request" arachnids,106 sid:190 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "60" -j LOG --log-prefix " SID191 " # "BACKDOOR DeepThroat 3.1 Change Window Title Client Request" arachnids,106 sid:191 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "26" -j LOG --log-prefix " SID192 " # "BACKDOOR DeepThroat 3.1 Hide Window Client Request" arachnids,106 sid:192 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "25" -j LOG --log-prefix " SID193 " # "BACKDOOR DeepThroat 3.1 Show Window Client Request" arachnids,106 sid:193 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "63" -j LOG --log-prefix " SID194 " # "BACKDOOR DeepThroat 3.1 Send Text to Window Client Request" arachnids,106 sid:194 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "Ahhhh My Mouth Is Open" -j LOG --log-prefix " SID195 " # "BACKDOOR DeepThroat 3.1 Server Response" arachnids,106 sid:195 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "30" -j LOG --log-prefix " SID196 " # "BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request" arachnids,106 sid:196 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "39" -j LOG --log-prefix " SID197 " # "BACKDOOR DeepThroat 3.1 Create Directory Client Request" arachnids,106 sid:197 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "370" -j LOG --log-prefix " SID198 " # "BACKDOOR DeepThroat 3.1 All Window List Client Request" arachnids,106 sid:198 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "36" -j LOG --log-prefix " SID199 " # "BACKDOOR DeepThroat 3.1 Play Sound Client Request" arachnids,106 sid:199 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "14" -j LOG --log-prefix " SID200 " # "BACKDOOR DeepThroat 3.1 Run Program Normal Client Request" arachnids,106 sid:200 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "15" -j LOG --log-prefix " SID201 " # "BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request" arachnids,106 sid:201 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "100" -j LOG --log-prefix " SID202 " # "BACKDOOR DeepThroat 3.1 Get NET File Client Request" arachnids,106 sid:202 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "117" -j LOG --log-prefix " SID203 " # "BACKDOOR DeepThroat 3.1 Find File Client Request" arachnids,106 sid:203 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "118" -j LOG --log-prefix " SID204 " # "BACKDOOR DeepThroat 3.1 Find File Client Request" arachnids,106 sid:204 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "199" -j LOG --log-prefix " SID205 " # "BACKDOOR DeepThroat 3.1 HUP Modem Client Request" arachnids,106 sid:205 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "02" -j LOG --log-prefix " SID206 " # "BACKDOOR DeepThroat 3.1 CD ROM Open Client Request" arachnids,106 sid:206 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "03" -j LOG --log-prefix " SID207 " # "BACKDOOR DeepThroat 3.1 CD ROM Close Client Request" arachnids,106 sid:207 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 555 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "phAse" -j LOG --log-prefix " SID208 " # "BACKDOOR PhaseZero Server Active on Network" sid:208 classtype:misc-activity
# Telnet (dport 23) keyword rules: each matches a bare word anywhere in an inbound ACK
# segment, so ordinary session text containing "backdoor", "friday", "wank" etc. fires
# them as well.  Treat hits as low-confidence and correlate with other evidence.
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "w00w00" -j LOG --log-prefix " SID209 " # "BACKDOOR w00w00 attempt" classtype:attempted-admin sid:209
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "backdoor" -j LOG --log-prefix " SID210 " # "BACKDOOR attempt" nocase-ignored classtype:attempted-admin sid:210
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "r00t" -j LOG --log-prefix " SID211 " # "BACKDOOR MISC r00t attempt" classtype:attempted-admin sid:211
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "rewt" -j LOG --log-prefix " SID212 " # "BACKDOOR MISC rewt attempt" classtype:attempted-admin sid:212
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "wh00t!" -j LOG --log-prefix " SID213 " # "BACKDOOR MISC linux rootkit attempt" classtype:attempted-admin sid:213
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "lrkr0x" -j LOG --log-prefix " SID214 " # "BACKDOOR MISC linux rootkit attempt lrkr0x" classtype:attempted-admin sid:214
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "d13hh[" -j LOG --log-prefix " SID215 " # "BACKDOOR MISC linux rootkit attempt" nocase-ignored classtype:attempted-admin sid:215
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "satori" -j LOG --log-prefix " SID216 " # "BACKDOOR MISC linux rootkit attempt" classtype:attempted-admin sid:216
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "hax0r" -j LOG --log-prefix " SID217 " # "BACKDOOR MISC sm4ck attempt" classtype:attempted-admin sid:217
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "friday" -j LOG --log-prefix " SID218 " # "BACKDOOR MISC solaris 2.5 attempt" classtype:attempted-user sid:218
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "StoogR" -j LOG --log-prefix " SID219 " # "BACKDOOR HidePak backdoor attempt" sid:219 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "wank" -j LOG --log-prefix " SID220 " # "BACKDOOR HideSource backdoor attempt" sid:220 classtype:misc-activity
# -- SHELLCODE / INFO / FTP-warez / Napster signatures --
# The SHELLCODE rules carry no protocol or port: every packet from EXTERNAL_NET to
# HOME_NET is string-scanned, which is likely the most expensive part of this chain,
# and the 4-byte NOOP-sled patterns ("@@@@", "OOOO", "GGGG", "%%%%") can fire on
# ordinary data.  Several patterns are empty (`--string ""`) because non-printable
# bytes were lost when this file was rendered; those rules are unusable until the
# bytes are restored from the Snort source.  The INFO/FTP rules that follow are
# informational (classtype not-suspicious / bad-unknown) and, like every rule in this
# chain, only LOG.  As above, "nocase-ignored" contents are matched case-sensitively
# and `-m string` without `--algo` assumes the legacy ipt_string match.
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "  " -j LOG --log-prefix " SID647 " # "SHELLCODE sparc setuid 0" arachnids,282 classtype:system-call-detect sid:647
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "̀" -j LOG --log-prefix " SID649 " # "SHELLCODE x86 setgid 0" arachnids,284 classtype:system-call-detect sid:649
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "̀" -j LOG --log-prefix " SID650 " # "SHELLCODE x86 setuid 0" arachnids,436 classtype:system-call-detect sid:650
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "%%%%" -j LOG --log-prefix " SID638 " # "SHELLCODE SGI NOOP" arachnids,356 classtype:shellcode-detect sid:638
# "$" is escaped so the shell passes the literal pattern through; do not "simplify" the quoting.
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "\$4\$4\$4\$4" -j LOG --log-prefix " SID639 " # "SHELLCODE SGI NOOP" arachnids,357 classtype:shellcode-detect sid:639
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "OOOO" -j LOG --log-prefix " SID640 " # "SHELLCODE aix NOOP" classtype:shellcode-detect sid:640
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "GGGG" -j LOG --log-prefix " SID641 " # "SHELLCODE digital unix NOOP" arachnids,352 classtype:shellcode-detect sid:641
# Empty patterns below (SID642, 644, 646, 648, 651, 653): bytes lost in rendering, see block comment.
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "" -j LOG --log-prefix " SID642 " # "SHELLCODE hpux NOOP" arachnids,358 classtype:shellcode-detect sid:642
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string " 9 9 9 9" -j LOG --log-prefix " SID643 " # "SHELLCODE hpux NOOP" arachnids,359 classtype:shellcode-detect sid:643
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "" -j LOG --log-prefix " SID644 " # "SHELLCODE sparc NOOP" arachnids,345 classtype:shellcode-detect sid:644
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "@@@@" -j LOG --log-prefix " SID645 " # "SHELLCODE sparc NOOP" arachnids,353 classtype:shellcode-detect sid:645
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "" -j LOG --log-prefix " SID646 " # "SHELLCODE sparc NOOP" arachnids,355 classtype:shellcode-detect sid:646
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "" -j LOG --log-prefix " SID648 " # "SHELLCODE x86 NOOP" arachnids,181 classtype:shellcode-detect sid:648
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "" -j LOG --log-prefix " SID651 " # "SHELLCODE x86 stealth NOOP" arachnids,291 classtype:shellcode-detect sid:651
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "" -j LOG --log-prefix " SID653 " # "SHELLCODE x86 unicode NOOP" classtype:shellcode-detect sid:653
# "/bin/sh" anywhere in any inbound packet: also matches shell scripts, mail and web
# pages that mention the path, so expect benign hits.
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "/bin/sh" -j LOG --log-prefix " SID652 " # "SHELLCODE linux shellcode" arachnids,343 classtype:shellcode-detect sid:652
# INFO: instant-messaging / P2P / VNC presence indicators (outbound unless noted).
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 1863 --tcp-flags ACK ACK -m string --string "text/plain" -j LOG --log-prefix " SID540 " # "INFO msn chat access" classtype:not-suspicious sid:540
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "User-Agent:ICQ" -j LOG --log-prefix " SID541 " # "INFO icq access" classtype:not-suspicious sid:541
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 6666:7000 --tcp-flags ACK ACK -m string --string "NICK " -j LOG --log-prefix " SID542 " # "INFO Possible IRC Access" classtype:not-suspicious sid:542
# FTP "warez site" heuristics: command-channel strings on inbound port 21.  The
# original contents were case-insensitive; these are not ("nocase-ignored").
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "STOR 1MB" -j LOG --log-prefix " SID543 " # "FTP STOR 1MB possible warez site" nocase-ignored classtype:bad-unknown sid:543
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "RETR 1MB" -j LOG --log-prefix " SID544 " # "FTP RETR 1MB possible warez site" nocase-ignored classtype:bad-unknown sid:544
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "CWD / " -j LOG --log-prefix " SID545 " # "FTP CWD / - possible warez site" nocase-ignored classtype:bad-unknown sid:545
# "CWD " and "MKD " alone match every change-directory / make-directory command on port 21.
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "CWD " -j LOG --log-prefix " SID546 " # "FTP "CWD " possible warez site" nocase-ignored classtype:bad-unknown sid:546
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "MKD " -j LOG --log-prefix " SID547 " # "FTP "MKD " possible warez site" nocase-ignored classtype:bad-unknown sid:547
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "MKD ." -j LOG --log-prefix " SID548 " # "FTP "MKD . " possible warez site" nocase-ignored classtype:bad-unknown sid:548
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "MKD / " -j LOG --log-prefix " SID554 " # "FTP "MKD / " possible warez site" nocase-ignored classtype:bad-unknown sid:554
# Napster protocol rules (SID549-551): patterns were lost in rendering, see block comment.
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 8888 --tcp-flags ACK ACK -m string --string "" -j LOG --log-prefix " SID549 " # "INFO napster login" classtype:bad-unknown sid:549
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 8888 --tcp-flags ACK ACK -m string --string "" -j LOG --log-prefix " SID550 " # "INFO napster new user login" classtype:bad-unknown sid:550
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 8888 --tcp-flags ACK ACK -m string --string "" -j LOG --log-prefix " SID551 " # "INFO napster download attempt" classtype:bad-unknown sid:551
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 8888 -d $HOME_NET --tcp-flags ACK ACK -m string --string "_" -j LOG --log-prefix " SID552 " # "INFO napster upload request" classtype:bad-unknown sid:552
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "anonymous" --tcp-flags ACK ACK -j LOG --log-prefix " SID553 " # "INFO FTP anonymous FTP" nocase-ignored classtype:not-suspicious sid:553
iptables -A SnortRules -p tcp -s $HOME_NET --sport 23 -d $EXTERNAL_NET -m string --string "WinGate>" --tcp-flags ACK ACK -j LOG --log-prefix " SID555 " # "INFO wingate telnet active" arachnids,366 cve,CAN-1999-0657 classtype:bad-unknown sid:555
# Gnutella handshake strings in both directions; no port restriction, no --tcp-flags.
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET -m string --string "GNUTELLA CONNECT" -j LOG --log-prefix " SID556 " # "INFO Outbound GNUTella Connect request" nocase-ignored classtype:bad-unknown sid:556
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET -m string --string "GNUTELLA OK" -j LOG --log-prefix " SID557 " # "INFO Inbound GNUTella Connect accept" nocase-ignored classtype:bad-unknown sid:557
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "GNUTELLA OK" -j LOG --log-prefix " SID558 " # "INFO Outbound GNUTella Connect accept" nocase-ignored classtype:bad-unknown sid:558
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "GNUTELLA CONNECT" -j LOG --log-prefix " SID559 " # "INFO Inbound GNUTella Connect request" nocase-ignored classtype:bad-unknown sid:559
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ACK ACK -m string --string "RFB 003.003" -j LOG --log-prefix " SID560 " # "INFO VNC Active on Network" classtype:bad-unknown sid:560
# SID561-565 are each emitted once per direction (outbound by --dport, inbound by --sport);
# both rules of a pair share the same sid and log prefix.  ".mp3" is a weak indicator on its own.
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 6699 --tcp-flags ACK ACK -m string --string ".mp3" -j LOG --log-prefix " SID561 " # "INFO Napster Client Data" nocase-ignored classtype:bad-unknown sid:561
iptables -A SnortRules -p tcp -d $HOME_NET -s $EXTERNAL_NET --sport 6699 --tcp-flags ACK ACK -m string --string ".mp3" -j LOG --log-prefix " SID561 " # "INFO Napster Client Data" nocase-ignored classtype:bad-unknown sid:561
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 7777 --tcp-flags ACK ACK -m string --string ".mp3" -j LOG --log-prefix " SID562 " # "INFO Napster Client Data" nocase-ignored classtype:bad-unknown sid:562
iptables -A SnortRules -p tcp -d $HOME_NET -s $EXTERNAL_NET --sport 7777 --tcp-flags ACK ACK -m string --string ".mp3" -j LOG --log-prefix " SID562 " # "INFO Napster Client Data" nocase-ignored classtype:bad-unknown sid:562
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 6666 --tcp-flags ACK ACK -m string --string ".mp3" -j LOG --log-prefix " SID563 " # "INFO Napster Client Data" nocase-ignored classtype:bad-unknown sid:563
iptables -A SnortRules -p tcp -d $HOME_NET -s $EXTERNAL_NET --sport 6666 --tcp-flags ACK ACK -m string --string ".mp3" -j LOG --log-prefix " SID563 " # "INFO Napster Client Data" nocase-ignored classtype:bad-unknown sid:563
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 5555 --tcp-flags ACK ACK -m string --string ".mp3" -j LOG --log-prefix " SID564 " # "INFO Napster Client Data" nocase-ignored classtype:bad-unknown sid:564
iptables -A SnortRules -p tcp -d $HOME_NET -s $EXTERNAL_NET --sport 5555 --tcp-flags ACK ACK -m string --string ".mp3" -j LOG --log-prefix " SID564 " # "INFO Napster Client Data" nocase-ignored classtype:bad-unknown sid:564
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 8875 --tcp-flags ACK ACK -m string --string "anon@napster.com" -j LOG --log-prefix " SID565 " # "INFO Napster Server Login" classtype:bad-unknown sid:565
iptables -A SnortRules -p tcp -d $HOME_NET -s $EXTERNAL_NET --sport 8875 --tcp-flags ACK ACK -m string --string "anon@napster.com" -j LOG --log-prefix " SID565 " # "INFO Napster Server Login" classtype:bad-unknown sid:565
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 5632 -m string --string "ST" -j LOG --log-prefix " SID566 " # "MISC PCAnywhere Startup" arachnids,239 
classtype:bad-unknown sid:566 iptables -A SnortRules -p tcp -s $SMTP --sport 25 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "550 5.7.1" -j LOG --log-prefix " SID567 " # "SMTP relaying denied" arachnids,249 classtype:bad-unknown sid:567 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 9100 --tcp-flags ACK ACK -m string --string "@PJL RDYMSG DISPLAY =" -j LOG --log-prefix " SID568 " # "INFO hp jetdirect LCD modification attempt" classtype:bad-unknown bugtraq,2245 arachnids,302 sid:568 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 9001 --tcp-flags ACK ACK -m string --string "@PJL RDYMSG DISPLAY =" -j LOG --log-prefix " SID510 " # "INFO hp jetdirect LCD modification attempt" classtype:bad-unknown bugtraq,2245 arachnids,302 sid:510 iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "FREE XXX" --tcp-flags ACK ACK -j LOG --log-prefix " SID1310 " # "PORN free XXX" nocase-ignored classtype:kickass-porn sid:1310 iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "hardcore anal" --tcp-flags ACK ACK -j LOG --log-prefix " SID1311 " # "PORN hardcore anal" nocase-ignored classtype:kickass-porn sid:1311 iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "nude cheerleader" --tcp-flags ACK ACK -j LOG --log-prefix " SID1312 " # "PORN nude cheerleader" nocase-ignored classtype:kickass-porn sid:1312 iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "up skirt" --tcp-flags ACK ACK -j LOG --log-prefix " SID1313 " # "PORN up skirt" nocase-ignored classtype:kickass-porn sid:1313 iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "young teen" --tcp-flags ACK ACK -j LOG --log-prefix " SID1314 " # "PORN young teen" nocase-ignored classtype:kickass-porn sid:1314 iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string 
"hot young sex" --tcp-flags ACK ACK -j LOG --log-prefix " SID1315 " # "PORN hot young sex" nocase-ignored classtype:kickass-porn sid:1315 iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "fuck fuck fuck" --tcp-flags ACK ACK -j LOG --log-prefix " SID1316 " # "PORN fuck fuck fuck" nocase-ignored classtype:kickass-porn sid:1316 iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "anal sex" --tcp-flags ACK ACK -j LOG --log-prefix " SID1317 " # "PORN anal sex" nocase-ignored classtype:kickass-porn sid:1317 iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "hardcore rape" --tcp-flags ACK ACK -j LOG --log-prefix " SID1318 " # "PORN hardcore rape" nocase-ignored classtype:kickass-porn sid:1318 iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "real snuff" --tcp-flags ACK ACK -j LOG --log-prefix " SID1319 " # "PORN real snuff" nocase-ignored classtype:kickass-porn sid:1319 iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "fuck movies" --tcp-flags ACK ACK -j LOG --log-prefix " SID1320 " # "PORN fuck movies" nocase-ignored classtype:kickass-porn sid:1320 iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "Connection closed by foreign host" --tcp-flags ACK ACK -j LOG --log-prefix " SID488 " # "INFO Connection Closed MSG from Port 80" nocase-ignored classtype:unknown sid:488 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "pass " --tcp-flags ACK ACK -j LOG --log-prefix " SID489 " # "INFO FTP No Password" nocase-ignored arachnids,322 classtype:unknown sid:489 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 -m string --string "BattleMail" --tcp-flags ACK ACK -j LOG --log-prefix " SID490 " # "INFO battle-mail traffic" classtype:unknown sid:490 iptables -A SnortRules -p tcp -s $HOME_NET 
--sport 21 -d $EXTERNAL_NET -m string --string "530 Login " --tcp-flags ACK ACK -j LOG --log-prefix " SID491 " # "FTP Bad login" nocase-ignored classtype:bad-unknown sid:491 iptables -A SnortRules -p tcp -s $HOME_NET --sport 23 -d $EXTERNAL_NET -m string --string "Login failed" --tcp-flags ACK ACK -j LOG --log-prefix " SID492 " # "TELNET Bad Login" nocase-ignored classtype:bad-unknown sid:492 iptables -A SnortRules -p tcp -s $HOME_NET --sport 23 -d $EXTERNAL_NET -m string --string "Login incorrect" --tcp-flags ACK ACK -j LOG --log-prefix " SID1251 " # "TELNET Bad Login" nocase-ignored classtype:bad-unknown sid:1251 iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET -m string --string "Welcome!psyBNC@lam3rz.de" --tcp-flags ACK ACK -j LOG --log-prefix " SID493 " # "INFO psyBNC access" classtype:bad-unknown sid:493 iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 9 -j LOG --log-prefix " SID363 " # "ICMP IRDP router advertisement" bugtraq,578 cve,CVE-1999-0875 arachnids,173 sid:363 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 10 -j LOG --log-prefix " SID364 " # "ICMP IRDP router selection" bugtraq,578 cve,CVE-1999-0875 arachnids,174 sid:364 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "" --icmp-type 8 -j LOG --log-prefix " SID366 " # "ICMP PING *NIX" sid:366 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 8 -m string --string " " -j LOG --log-prefix " SID368 " # "ICMP PING BSDtype" arachnids,152 sid:368 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 8 -m string --string " " -j LOG --log-prefix " SID369 " # "ICMP PING BayRS Router" arachnids,438 arachnids,444 sid:369 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string " " --icmp-type 8 -j LOG --log-prefix " SID370 " # "ICMP PING 
BeOS4.x" arachnids,151 sid:370 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "ͫͫͫͫͫͫͫ" --icmp-type 8 -j LOG --log-prefix " SID371 " # "ICMP PING Cisco Type.x" arachnids,153 sid:371 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "Pinging from Del" --icmp-type 8 -j LOG --log-prefix " SID372 " # "ICMP PING Delphi-Piette Windows" arachnids,155 sid:372 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 8 -m string --string " " -j LOG --log-prefix " SID373 " # "ICMP PING Flowpoint2200 or Network Management Software" arachnids,156 sid:373 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string " Sustainable So" --icmp-type 8 -j LOG --log-prefix " SID374 " # "ICMP PING IP NetMonitor Macintosh" arachnids,157 sid:374 classtype:misc-activity #iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m dsize --dsize 8 --icmp-type 8 -j LOG --log-prefix " SID375 " #Cannot convert: id:13170 "ICMP PING LINUX/*BSD" arachnids,447 sid:375 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "0123456789abcdefghijklmnop" --icmp-type 8 -j LOG --log-prefix " SID376 " # "ICMP PING Microsoft Windows" arachnids,159 sid:376 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "================" --icmp-type 8 -j LOG --log-prefix " SID377 " # "ICMP PING Network Toolbox 3 Windows" arachnids,161 sid:377 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "OMeterObeseArmad" --icmp-type 8 -j LOG --log-prefix " SID378 " # "ICMP PING Ping-O-MeterWindows" arachnids,164 sid:378 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "Data" --icmp-type 8 -j LOG --log-prefix " SID379 " # "ICMP 
PING Pinger Windows" arachnids,163 sid:379 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string " " --icmp-type 8 -j LOG --log-prefix " SID380 " # "ICMP PING Seer Windows" arachnids,166 sid:380 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m dsize --dsize 8 --icmp-type 8 -j LOG --log-prefix " SID381 " # "ICMP PING Sun Solaris" arachnids,448 sid:381 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "abcdefghijklmnop" --icmp-type 8 -j LOG --log-prefix " SID382 " # "ICMP PING Windows" arachnids,169 sid:382 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 8/0 -j LOG --log-prefix " SID384 " # "ICMP PING" sid:384 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m ttl --ttl-eq 1 --icmp-type 8 -j LOG --log-prefix " SID385 " # "ICMP traceroute " arachnids,118 classtype:attempted-recon sid:385 iptables -A SnortRules -p icmp -s $HOME_NET -d $EXTERNAL_NET --icmp-type 18/0 -j LOG --log-prefix " SID386 " # "ICMP Address Mask Reply" sid:386 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 18 -j LOG --log-prefix " SID387 " # "ICMP Address Mask Reply (Undefined Code!)" sid:387 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 17/0 -j LOG --log-prefix " SID388 " # "ICMP Address Mask Request" sid:388 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 17 -j LOG --log-prefix " SID389 " # "ICMP Address Mask Request (Undefined Code!)" sid:389 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 6/0 -j LOG --log-prefix " SID390 " # "ICMP Alternate Host Address" sid:390 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 6 -j LOG 
--log-prefix " SID391 " # "ICMP Alternate Host Address (Undefined Code!)" sid:391 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 31/0 -j LOG --log-prefix " SID392 " # "ICMP Datagram Conversion Error" sid:392 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 31 -j LOG --log-prefix " SID393 " # "ICMP Datagram Conversion Error (Undefined Code!)" sid:393 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/7 -j LOG --log-prefix " SID394 " # "ICMP Destination Unreachable (Destination Host Unknown)" sid:394 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/6 -j LOG --log-prefix " SID395 " # "ICMP Destination Unreachable (Destination Network Unknown)" sid:395 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/4 -j LOG --log-prefix " SID396 " # "ICMP Destination Unreachable (Fragmentation Needed and DF bit was set)" sid:396 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/14 -j LOG --log-prefix " SID397 " # "ICMP Destination Unreachable (Host Precedence Violation)" sid:397 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/12 -j LOG --log-prefix " SID398 " # "ICMP Destination Unreachable (Host Unreachable for Type of Service)" sid:398 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/1 -j LOG --log-prefix " SID399 " # "ICMP Destination Unreachable (Host Unreachable)" sid:399 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/11 -j LOG --log-prefix " SID400 " # "ICMP Destination Unreachable (Network Unreachable for Type of Service)" sid:400 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/0 -j LOG 
--log-prefix " SID401 " # "ICMP Destination Unreachable (Network Unreachable)" sid:401 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/3 -j LOG --log-prefix " SID402 " # "ICMP Destination Unreachable (Port Unreachable)" sid:402 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/15 -j LOG --log-prefix " SID403 " # "ICMP Destination Unreachable (Precedence Cutoff in effect)" sid:403 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/2 -j LOG --log-prefix " SID404 " # "ICMP Destination Unreachable (Protocol Unreachable)" sid:404 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/8 -j LOG --log-prefix " SID405 " # "ICMP Destination Unreachable (Source Host Isolated)" sid:405 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/5 -j LOG --log-prefix " SID406 " # "ICMP Destination Unreachable (Source Route Failed)" sid:406 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3 -j LOG --log-prefix " SID407 " # "ICMP Destination Unreachable (Undefined Code!)" sid:407 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 0/0 -j LOG --log-prefix " SID408 " # "ICMP Echo Reply" sid:408 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 0 -j LOG --log-prefix " SID409 " # "ICMP Echo Reply (Undefined Code!)" sid:409 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 11/1 -j LOG --log-prefix " SID410 " # "ICMP Fragment Reassembly Time Exceeded" sid:410 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 34/0 -j LOG --log-prefix " SID411 " # "ICMP IPV6 I-Am-Here" sid:411 classtype:misc-activity iptables -A SnortRules -p icmp 
-s $EXTERNAL_NET -d $HOME_NET --icmp-type 34 -j LOG --log-prefix " SID412 " # "ICMP IPV6 I-Am-Here (Undefined Code!" sid:412 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 33/0 -j LOG --log-prefix " SID413 " # "ICMP IPV6 Where-Are-You" sid:413 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 33 -j LOG --log-prefix " SID414 " # "ICMP IPV6 Where-Are-You (Undefined Code!)" sid:414 classtype:misc-activity iptables -A SnortRules -p icmp -s $HOME_NET -d $EXTERNAL_NET --icmp-type 16/0 -j LOG --log-prefix " SID415 " # "ICMP Information Reply" sid:415 classtype:misc-activity iptables -A SnortRules -p icmp -s $HOME_NET -d $EXTERNAL_NET --icmp-type 16 -j LOG --log-prefix " SID416 " # "ICMP Information Reply (Undefined Code!)" sid:416 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 15/0 -j LOG --log-prefix " SID417 " # "ICMP Information Request" sid:417 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 15 -j LOG --log-prefix " SID418 " # "ICMP Information Request (Undefined Code!)" sid:418 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 32/0 -j LOG --log-prefix " SID419 " # "ICMP Mobile Host Redirect" sid:419 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 32 -j LOG --log-prefix " SID420 " # "ICMP Mobile Host Redirect (Undefined Code!)" sid:420 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 36/0 -j LOG --log-prefix " SID421 " # "ICMP Mobile Registration Reply" sid:421 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 36 -j LOG --log-prefix " SID422 " # "ICMP Mobile Registration Reply (Undefined Code!)" sid:422 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET 
--icmp-type 35/0 -j LOG --log-prefix " SID423 " # "ICMP Mobile Registration Request" sid:423 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 35 -j LOG --log-prefix " SID424 " # "ICMP Mobile Registration Request (Undefined Code!" sid:424 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 12/2 -j LOG --log-prefix " SID425 " # "ICMP Parameter Problem (Bad Length)" sid:425 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 12/1 -j LOG --log-prefix " SID426 " # "ICMP Parameter Problem (Missing a Requiered Option)" sid:426 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 12/0 -j LOG --log-prefix " SID427 " # "ICMP Parameter Problem (Unspecified Error)" sid:427 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 12 -j LOG --log-prefix " SID428 " # "ICMP Parameter Problem (Undefined Code!)" sid:428 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 40/0 -j LOG --log-prefix " SID429 " # "ICMP Photuris (Reserved)" sid:429 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 40/1 -j LOG --log-prefix " SID430 " # "ICMP Photuris (Unknown Security Parameters Index)" sid:430 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 40/2 -j LOG --log-prefix " SID431 " # "ICMP Photuris (Valid Security Parameters, But Authentication Failed)" sid:431 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 40/3 -j LOG --log-prefix " SID432 " # "ICMP Photuris (Valid Security Parameters, But Decryption Failed)" sid:432 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 40 -j LOG --log-prefix " SID433 " # "ICMP Photuris (Undefined Code!)" sid:433 
classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 5/3 -j LOG --log-prefix " SID436 " # "ICMP Redirect (for TOS and Host)" sid:436 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 5/2 -j LOG --log-prefix " SID437 " # "ICMP Redirect (for TOS and Network)" sid:437 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 5 -j LOG --log-prefix " SID438 " # "ICMP Redirect (Undefined Code!)" sid:438 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 19/0 -j LOG --log-prefix " SID439 " # "ICMP Reserved for Security (Type 19)" sid:439 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 19 -j LOG --log-prefix " SID440 " # "ICMP Reserved for Security (Type 19) (Undefined Code!)" sid:440 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 9/0 -j LOG --log-prefix " SID441 " # "ICMP Router Advertisment" arachnids,173 sid:441 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 10/0 -j LOG --log-prefix " SID443 " # "ICMP Router Selection" arachnids,174 sid:443 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 39/0 -j LOG --log-prefix " SID445 " # "ICMP SKIP" sid:445 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 39 -j LOG --log-prefix " SID446 " # "ICMP SKIP (Undefined Code!" 
sid:446 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 4 -j LOG --log-prefix " SID448 " # "ICMP Source Quench (Undefined Code!)" sid:448 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 11/0 -j LOG --log-prefix " SID449 " # "ICMP Time-To-Live Exceeded in Transit" sid:449 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 11 -j LOG --log-prefix " SID450 " # "ICMP Time-To-Live Exceeded in Transit (Undefined Code!)" sid:450 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 14/0 -j LOG --log-prefix " SID451 " # "ICMP Timestamp Reply" sid:451 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 14 -j LOG --log-prefix " SID452 " # "ICMP Timestamp Reply (Undefined Code!)" sid:452 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 13/0 -j LOG --log-prefix " SID453 " # "ICMP Timestamp Request" sid:453 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 13 -j LOG --log-prefix " SID454 " # "ICMP Timestamp Request (Undefined Code!)" sid:454 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m ipv4options --rr --icmp-type 0 -j LOG --log-prefix " SID455 " # "ICMP Traceroute ipopts" arachnids,238 sid:455 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 30/0 -j LOG --log-prefix " SID456 " # "ICMP Traceroute" sid:456 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 30 -j LOG --log-prefix " SID457 " # "ICMP Traceroute (Undefined Code!)" sid:457 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 1/0 -j LOG --log-prefix " SID458 " # "ICMP Unassigned! 
(Type 1)" sid:458 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 1 -j LOG --log-prefix " SID459 " # "ICMP Unassigned! (Type 1) (Undefined Code)" sid:459 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 2/0 -j LOG --log-prefix " SID460 " # "ICMP Unassigned! (Type 2)" sid:460 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 2 -j LOG --log-prefix " SID461 " # "ICMP Unassigned! (Type 2) (Undefined Code)" sid:461 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 7/0 -j LOG --log-prefix " SID462 " # "ICMP Unassigned! (Type 7)" sid:462 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 7 -j LOG --log-prefix " SID463 " # "ICMP Unassigned! (Type 7) (Undefined Code!)" sid:463 classtype:misc-activity iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 8 -j LOG --log-prefix " SID365 " # "ICMP PING (Undefined Code!)" sid:365 classtype:misc-activity iptables -A SnortRules -p tcp --sport 110 -m string --string "Suddlently" -j LOG --log-prefix " SID720 " # "Virus - SnowWhite Trojan Incoming" sid:720 classtype:misc-activity iptables -A SnortRules -p tcp --sport 110 -m string --string ".pif" -j LOG --log-prefix " SID721 " # "Virus - Possible pif Worm" nocase-ignored sid:721 classtype:misc-activity iptables -A SnortRules -p tcp --sport 110 -m string --string "NAVIDAD.EXE" -j LOG --log-prefix " SID722 " # "Virus - Possible NAVIDAD Worm" nocase-ignored sid:722 classtype:misc-activity iptables -A SnortRules -p tcp --sport 110 -m string --string "myromeo.exe" -j LOG --log-prefix " SID723 " # "Virus - Possible MyRomeo Worm" nocase-ignored sid:723 classtype:misc-activity iptables -A SnortRules -p tcp --sport 110 -m string --string "myjuliet.chm" -j LOG --log-prefix " SID724 " # "Virus - Possible MyRomeo Worm" nocase-ignored sid:724 
classtype:misc-activity iptables -A SnortRules -p tcp --sport 110 -m string --string "ble bla" -j LOG --log-prefix " SID725 " # "Virus - Possible MyRomeo Worm" nocase-ignored sid:725 classtype:misc-activity iptables -A SnortRules -p tcp --sport 110 -m string --string "I Love You" -j LOG --log-prefix " SID726 " # "Virus - Possible MyRomeo Worm" sid:726 classtype:misc-activity iptables -A SnortRules -p tcp --sport 110 -m string --string "Sorry... Hey you !" -j LOG --log-prefix " SID727 " # "Virus - Possible MyRomeo Worm" sid:727 classtype:misc-activity iptables -A SnortRules -p tcp --sport 110 -m string --string "my picture from shake-beer" -j LOG --log-prefix " SID728 " # "Virus - Possible MyRomeo Worm" sid:728 classtype:misc-activity iptables -A SnortRules -p tcp --sport 110 -m string --string ".scr" -j LOG --log-prefix " SID729 " # "Virus - Possible scr Worm" nocase-ignored sid:729 classtype:misc-activity iptables -A SnortRules -p tcp --sport 110 -m string --string ".shs" -j LOG --log-prefix " SID730 " # "Virus - Possible shs Worm" nocase-ignored sid:730 classtype:misc-activity iptables -A SnortRules -p tcp --sport 110 -m string --string "qazwsx.hsq" -j LOG --log-prefix " SID731 " # "Virus - Possible QAZ Worm" MCAFEE,98775 sid:731 classtype:misc-activity iptables -A SnortRules -p tcp --dport 139 --tcp-flags ALL ACK -m string --string "qazwsx.hsq" -j LOG --log-prefix " SID732 " # "Virus - Possible QAZ Worm Infection" MCAFEE,98775 sid:732 classtype:misc-activity iptables -A SnortRules -p tcp --dport 25 -m string --string "nongmin_cn" -j LOG --log-prefix " SID733 " # "Virus - Possible QAZ Worm Calling Home" MCAFEE,98775 sid:733 classtype:misc-activity iptables -A SnortRules -p tcp --sport 110 -m string --string "Software provide by [MATRiX]" -j LOG --log-prefix " SID734 " # "Virus - Possible Matrix worm" nocase-ignored sid:734 classtype:misc-activity iptables -A SnortRules -p tcp --sport 110 -m string --string "Matrix has you..." 
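-j LOG --log-prefix " SID735 " # "Virus - Possible MyRomeo Worm" sid:735 classtype:misc-activity
# Snort virus.rules (sid 736-802) rendered as iptables LOG rules on the
# user-defined "SnortRules" chain.  That chain is assumed to be created earlier
# in this script (not visible in this section).  Every rule below only logs
# (-j LOG with a " SID<n> " prefix); nothing is dropped, so this is detection,
# not blocking.  One rule per line: the trailing "# ..." comment is the original
# Snort msg/reference/sid and must stay after the command on the same line.
# Caveats carried over from the generator's own inline markers:
#  * "nocase-ignored": the Snort nocase modifier was dropped, so each -m string
#    match is case-sensitive exactly as written (e.g. a "FILENAME=" header
#    would not be matched).
#  * The generator emitted attachment-name patterns as "filename="NAME"".  In
#    shell the inner quotes close and reopen the string, so the pattern handed
#    to iptables was filename=NAME with no quotes.  They are written here as
#    "filename=\"NAME\"" so the literal quotes reach the string match, the same
#    form the generator used for its name =\"...\" rules.
#  * NOTE(review): some rules pass --string more than once inside a single
#    -m string; whether the match ANDs the patterns or keeps only the last one
#    depends on the string-match version (current xt_string rejects a repeated
#    --string) - confirm against the target iptables.
#  * NOTE(review): no --algo is given; current xt_string requires
#    --algo bm|kmp, so this output targets an older string match - confirm.
iptables -A SnortRules -p tcp --dport 25 --tcp-flags ALL ACK,PSH -m string --string "funguscrack@hotmail.com" -j LOG --log-prefix " SID736 " # "Virus - Successful eurocalculator execution" nocase-ignored sid:736 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=" --string "eurocalculator.exe" -j LOG --log-prefix " SID737 " # "Virus - Possible eurocalculator.exe file" nocase-ignored sid:737 classtype:misc-activity
iptables -A SnortRules -p tcp --dport 110 --tcp-flags ALL ACK,PSH -m string --string "Pikachu Pokemon" -j LOG --log-prefix " SID738 " # "Virus - Possible Pikachu Pokemon Virus" MCAFEE,98696 sid:738 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"666TEST.VBS\"" -j LOG --log-prefix " SID739 " # "Virus - Possible Triplesix Worm" nocase-ignored MCAFEE,10389 sid:739 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"tune.vbs\"" -j LOG --log-prefix " SID740 " # "Virus - Possible Tune.vbs" nocase-ignored MCAFEE,10497 sid:740 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "Market share tipoff" -j LOG --log-prefix " SID741 " # "Virus - Possible NAIL Worm" MCAFEE,10109 sid:741 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "name =\"WWIII" -j LOG --log-prefix " SID742 " # "Virus - Possible NAIL Worm" MCAFEE,10109 sid:742 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "New Developments" -j LOG --log-prefix " SID743 " # "Virus - Possible NAIL Worm" MCAFEE,10109 sid:743 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "Good Times" -j LOG --log-prefix " SID744 " # "Virus - Possible NAIL Worm" MCAFEE,10109 sid:744 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"XPASS.XLS\"" -j LOG --log-prefix " SID745 " # "Virus - Possible Papa Worm" nocase-ignored MCAFEE,10145 sid:745 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "LINKS.VBS" -j LOG --log-prefix " SID746 " # "Virus - Possible Freelink Worm" MCAFEE,10225 sid:746 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"SETUP.EXE\"" -j LOG --log-prefix " SID747 " # "Virus - Possible Simbiosis Worm" nocase-ignored sid:747 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "name =\"BADASS.EXE\"" -j LOG --log-prefix " SID748 " # "Virus - Possible BADASS Worm" MCAFEE,10388 sid:748 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "name =\"File_zippati.exe\"" -j LOG --log-prefix " SID749 " # "Virus - Possible ExploreZip.B Worm" MCAFEE,10471 sid:749 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"KAK.HTA\"" -j LOG --log-prefix " SID751 " # "Virus - Possible wscript.KakWorm" nocase-ignored MCAFEE,10509 sid:751 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"Suppl.doc\"" -j LOG --log-prefix " SID752 " # "Virus Possible Suppl Worm" nocase-ignored MCAFEE,10361 sid:752 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"THEOBBQ.EXE\"" -j LOG --log-prefix " SID753 " # "Virus - Possible NewApt.Worm - theobbq.exe" nocase-ignored MCAFEE,10540 sid:753 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"MONEY.DOC\"" -j LOG --log-prefix " SID754 " # "Virus - Possible Word Macro - VALE" nocase-ignored MCAFEE,10502 sid:754 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"irok.exe\"" -j LOG --log-prefix " SID755 " # "Virus - Possible IROK Worm" nocase-ignored MCAFEE,98552 sid:755 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"Fix2001.exe\"" -j LOG --log-prefix " SID756 " # "Virus - Possible Fix2001 Worm" nocase-ignored MCAFEE,10355 sid:756 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"Y2K.EXE\"" -j LOG --log-prefix " SID757 " # "Virus - Possible Y2K Zelu Trojan" nocase-ignored MCAFEE,10505 sid:757 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"THE_FLY.CHM\"" -j LOG --log-prefix " SID758 " # "Virus - Possible The_Fly Trojan" nocase-ignored MCAFEE,10478 sid:758 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"DINHEIRO.DOC\"" -j LOG --log-prefix " SID759 " # "Virus - Possible Word Macro - VALE" nocase-ignored MCAFEE,10502 sid:759 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"ICQ_GREETINGS.EXE\"" -j LOG --log-prefix " SID760 " # "Virus - Possible Passion Worm" nocase-ignored MCAFEE,10467 sid:760 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"COOLER3.EXE\"" -j LOG --log-prefix " SID761 " # "Virus - Possible NewApt.Worm - cooler3.exe" nocase-ignored MCAFEE,10540 sid:761 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"PARTY.EXE\"" -j LOG --log-prefix " SID762 " # "Virus - Possible NewApt.Worm - party.exe" nocase-ignored MCAFEE,10540 sid:762 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"HOG.EXE\"" -j LOG --log-prefix " SID763 " # "Virus - Possible NewApt.Worm - hog.exe" nocase-ignored MCAFEE,10540 sid:763 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"GOAL1.EXE\"" -j LOG --log-prefix " SID764 " # "Virus - Possible NewApt.Worm - goal1.exe" nocase-ignored MCAFEE,10540 sid:764 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"PIRATE.EXE\"" -j LOG --log-prefix " SID765 " # "Virus - Possible NewApt.Worm - pirate.exe" nocase-ignored MCAFEE,10540 sid:765 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"VIDEO.EXE\"" -j LOG --log-prefix " SID766 " # "Virus - Possible NewApt.Worm - video.exe" nocase-ignored MCAFEE,10540 sid:766 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"BABY.EXE\"" -j LOG --log-prefix " SID767 " # "Virus - Possible NewApt.Worm - baby.exe" nocase-ignored MCAFEE,10540 sid:767 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"COOLER1.EXE\"" -j LOG --log-prefix " SID768 " # "Virus - Possible NewApt.Worm - cooler1.exe" nocase-ignored MCAFEE,10540 sid:768 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"BOSS.EXE\"" -j LOG --log-prefix " SID769 " # "Virus - Possible NewApt.Worm - boss.exe" nocase-ignored MCAFEE,10540 sid:769 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"G-ZILLA.EXE\"" -j LOG --log-prefix " SID770 " # "Virus - Possible NewApt.Worm - g-zilla.exe" nocase-ignored MCAFEE,10540 sid:770 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"Toadie.exe\"" -j LOG --log-prefix " SID771 " # "Virus - Possible ToadieE-mail Trojan" nocase-ignored MCAFEE,10540 sid:771 classtype:misc-activity
#iptables -A SnortRules -p tcp --sport 110 -m string --string "\CoolProgs\" -j LOG --log-prefix " SID772 " #Cannot convert: Mishandled quotes "Virus - Possible PrettyPark Trojan" MCAFEE,10175 sid:772 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "X-Spanska:Yes" -j LOG --log-prefix " SID773 " # "Virus - Possible Happy99 Virus" MCAFEE,10144 sid:773 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "name =\"links.vbs\"" -j LOG --log-prefix " SID774 " # "Virus - Possible CheckThis Trojan" sid:774 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "BubbleBoy is back!" -j LOG --log-prefix " SID775 " # "Virus - Possible Bubbleboy Worm" MCAFEE,10418 sid:775 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"COPIER.EXE\"" -j LOG --log-prefix " SID776 " # "Virus - Possible NewApt.Worm - copier.exe" nocase-ignored MCAFEE,10540 sid:776 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "name =\"pics4you.exe\"" -j LOG --log-prefix " SID777 " # "Virus - Possible MyPics Worm" MCAFEE,10467 sid:777 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "name =\"X-MAS.EXE\"" -j LOG --log-prefix " SID778 " # "Virus - Possible Babylonia - X-MAS.exe" MCAFEE,10461 sid:778 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"GADGET.EXE\"" -j LOG --log-prefix " SID779 " # "Virus - Possible NewApt.Worm - gadget.exe" nocase-ignored MCAFEE,10540 sid:779 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"IRNGLANT.EXE\"" -j LOG --log-prefix " SID780 " # "Virus - Possible NewApt.Worm - irnglant.exe" nocase-ignored MCAFEE,10540 sid:780 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"CASPER.EXE\"" -j LOG --log-prefix " SID781 " # "Virus - Possible NewApt.Worm - casper.exe" nocase-ignored MCAFEE,10540 sid:781 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"FBORFW.EXE\"" -j LOG --log-prefix " SID782 " # "Virus - Possible NewApt.Worm - fborfw.exe" nocase-ignored MCAFEE,10540 sid:782 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"SADDAM.EXE\"" -j LOG --log-prefix " SID783 " # "Virus - Possible NewApt.Worm - saddam.exe" nocase-ignored MCAFEE,10540 sid:783 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"BBOY.EXE\"" -j LOG --log-prefix " SID784 " # "Virus - Possible NewApt.Worm - bboy.exe" nocase-ignored MCAFEE,10540 sid:784 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"MONICA.EXE\"" -j LOG --log-prefix " SID785 " # "Virus - Possible NewApt.Worm - monica.exe" nocase-ignored MCAFEE,10540 sid:785 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"GOAL.EXE\"" -j LOG --log-prefix " SID786 " # "Virus - Possible NewApt.Worm - goal.exe" nocase-ignored MCAFEE,10540 sid:786 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"PANTHER.EXE\"" -j LOG --log-prefix " SID787 " # "Virus - Possible NewApt.Worm - panther.exe" nocase-ignored MCAFEE,10540 sid:787 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"CHESTBURST.EXE\"" -j LOG --log-prefix " SID788 " # "Virus - Possible NewApt.Worm - chestburst.exe" nocase-ignored MCAFEE,10540 sid:788 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"FARTER.EXE\"" -j LOG --log-prefix " SID789 " # "Virus - Possible NewApt.Worm - farter.exe" nocase-ignored MCAFEE,1054 sid:789 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "name =\"THE_FLY.CHM\"" -j LOG --log-prefix " SID790 " # "Virus - Possible Common Sense Worm" sid:790 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"CUPID2.EXE\"" -j LOG --log-prefix " SID791 " # "Virus - Possible NewApt.Worm - cupid2.exe" nocase-ignored MCAFEE,10540 sid:791 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"RESUME1.DOC\"" -j LOG --log-prefix " SID792 " # "Virus - Possible Resume Worm" nocase-ignored MCAFEE,98661 sid:792 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "multipart" --string "name=" --string ".vbs" -j LOG --log-prefix " SID793 " # "Virus - Mail .VBS" nocase-ignored sid:793 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"Explorer.doc\"" -j LOG --log-prefix " SID794 " # "Virus - Possible Resume Worm" nocase-ignored MCAFEE,98661 sid:794 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=" --string ".txt.vbs" -j LOG --log-prefix " SID795 " # "Virus - Possible Worm - txt.vbs file" nocase-ignored sid:795 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=" --string ".xls.vbs" -j LOG --log-prefix " SID796 " # "Virus - Possible Worm - xls.vbs file" nocase-ignored sid:796 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=" --string ".jpg.vbs" -j LOG --log-prefix " SID797 " # "Virus - Possible Worm - jpg.vbs file" nocase-ignored sid:797 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=" --string ".gif.vbs" -j LOG --log-prefix " SID798 " # "Virus - Possible Worm - gif.vbs file" nocase-ignored sid:798 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"TIMOFONICA.TXT.vbs\"" -j LOG --log-prefix " SID799 " # "Virus - Possible Timofonica Worm" nocase-ignored MCAFEE,98674 sid:799 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=\"NORMAL.DOT\"" -j LOG --log-prefix " SID800 " # "Virus - Possible Resume Worm" nocase-ignored MCAFEE,98661 sid:800 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=" --string ".doc.vbs" -j LOG --log-prefix " SID801 " # "Virus - Possible Worm - doc.vbs file" nocase-ignored sid:801 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "name =\"Zipped_Files.EXE\"" -j LOG --log-prefix " SID802 " # "Virus - Possbile Zipped Files Trojan" MCAFEE,10450 sid:802 classtype:misc-activity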