HOME_NET=0/0
EXTERNAL_NET=0/0
SMTP=$HOME_NET
HTTP_SERVERS=$HOME_NET
SQL_SERVERS=$HOME_NET
DNS_SERVERS=$HOME_NET
RULE_PATH=../rules
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 0 -j LOG --log-prefix " SID524 "	# "BAD TRAFFIC tcp port 0 traffic" sid:524 classtype:misc-activity
iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --sport 0 -j LOG --log-prefix " SID524 "	# "BAD TRAFFIC tcp port 0 traffic" sid:524 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 0 -j LOG --log-prefix " SID525 "	# "BAD TRAFFIC udp port 0 traffic" sid:525 classtype:misc-activity
iptables -A SnortRules -p udp -d $EXTERNAL_NET -s $HOME_NET --sport 0 -j LOG --log-prefix " SID525 "	# "BAD TRAFFIC udp port 0 traffic" sid:525 classtype:misc-activity
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL SYN -j LOG --log-prefix " SID526 "	#Cannot convert: dsize:>6	 "BAD TRAFFIC data in TCP SYN packet" url,www.cert.org/incident_notes/IN-99-07.html sid:526 classtype:misc-activity
iptables -A SnortRules -d 127.0.0.0/8 -j LOG --log-prefix " SID528 "	# "BAD TRAFFIC loopback traffic" classtype:bad-unknown sid:528
iptables -A SnortRules -s 127.0.0.0/8 -j LOG --log-prefix " SID528 "	# "BAD TRAFFIC loopback traffic" classtype:bad-unknown sid:528
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -j LOG --log-prefix " SID523 "	#Cannot convert: fragbits:R	 "BAD TRAFFIC ip reserved bit set" sid:523 classtype:misc-activity
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m ttl --ttl-eq 0 -j LOG --log-prefix " SID1321 "	#Cannot convert: EN-US q138268	 "BAD TRAFFIC 0 ttl" url,www.isi.edu/in-notes/rfc1122.txt url,support.microsoft.com/default.aspx?scid=kb sid:1321 classtype:misc-activity
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -j LOG --log-prefix " SID1322 "	#Cannot convert: fragbits: MD	 "BAD TRAFFIC bad frag bits" sid:1322 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 22 --tcp-flags ACK ACK -m string --string "/bin/sh" -j LOG --log-prefix " SID1324 "	# "EXPLOIT ssh CRC32 overflow /bin/sh" bugtraq,2347 cve,CVE-2001-0144 classtype:shellcode-detect sid:1324
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 22 --tcp-flags ACK ACK -m string --string "" -j LOG --log-prefix " SID1326 "	# "EXPLOIT ssh CRC32 overflow NOOP" bugtraq,2347 cve,CVE-2001-0144 classtype:shellcode-detect sid:1326
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 22 --tcp-flags ACK ACK -m string --string "W" --string "ÿÿÿÿ" -j LOG --log-prefix " SID1327 "	# "EXPLOIT ssh CRC32 overflow" bugtraq,2347 cve,CVE-2001-0144 classtype:shellcode-detect sid:1327
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "3É±?éQ<úG3ÀP÷ÐP" --tcp-flags ACK ACK -j LOG --log-prefix " SID283 "	# "EXPLOIT netscape 4.7 client overflow" bugtraq,822 arachnids,215 classtype:attempted-user sid:283
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 109 --tcp-flags ACK ACK -m string --string "ë,[‰Ù€Á9Ù|€" -j LOG --log-prefix " SID284 "	# "EXPLOIT pop2 x86 linux overflow" classtype:attempted-admin sid:284
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 109 --tcp-flags ACK ACK -m string --string "ÿÿÿ/BIN/SH" -j LOG --log-prefix " SID285 "	# "EXPLOIT pop2 x86 linux overflow" classtype:attempted-admin sid:285
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 110 --tcp-flags ACK ACK -m string --string "^1À°;~‰ú‰ù" -j LOG --log-prefix " SID286 "	# "EXPLOIT pop3 x86 bsd overflow" classtype:attempted-admin sid:286
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 110 --tcp-flags ACK ACK -m string --string "h]^ÿÕÿÔÿõ‹õf1" -j LOG --log-prefix " SID287 "	# "EXPLOIT pop3 x86 bsd overflow" classtype:attempted-admin sid:287
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 110 --tcp-flags ACK ACK -m string --string "Ø@Í€èÙÿÿÿ/bin/sh" -j LOG --log-prefix " SID288 "	# "EXPLOIT pop3 x86 linux overflow" classtype:attempted-admin sid:288
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 110 --tcp-flags ACK ACK -m string --string "V1À°;~‰ù‰ù" -j LOG --log-prefix " SID289 "	# "EXPLOIT pop3 x86 sco overflow" classtype:attempted-admin sid:289
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 110 --tcp-flags ACK ACK -m string --string "èÙÿÿÿ/bin/sh" -j LOG --log-prefix " SID290 "	# "EXPLOIT qpopper overflow" bugtraq,830 cve,CAN-1999-0822 classtype:attempted-admin sid:290
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 119 --tcp-flags ACK ACK -m string --string "AUTHINFO USER" -j LOG --log-prefix " SID291 "	#Cannot convert: dsize: >512	 "EXPLOIT NNTP Cassandra Overflow" nocase-ignored cve,CAN-2000-0341 arachnids,274 classtype:attempted-user sid:291
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "ë/_ëJ^‰û‰>‰ò" -j LOG --log-prefix " SID292 "	# "EXPLOIT x86 linux samba overflow" bugtraq,1816 cve,CVE-1999-0811 cve,CVE-1999-0182 classtype:attempted-admin sid:292
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 143 --tcp-flags ACK ACK -m string --string "èÀÿÿÿ/bin/sh" -j LOG --log-prefix " SID293 "	# "EXPLOIT imap overflow" classtype:attempted-admin sid:293
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 143 --tcp-flags ACK ACK -m string --string "‰Ø@Í€èÈÿÿÿ/" -j LOG --log-prefix " SID295 "	# "EXPLOIT imap x86 linux overflow" bugtraq,130 cve,CVE-1999-0005 classtype:attempted-admin sid:295
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 143 --tcp-flags ACK ACK -m string --string "ë4^‰^1Ò‰V" -j LOG --log-prefix " SID296 "	# "EXPLOIT imap x86 linux overflow" bugtraq,130 cve,CVE-1999-0005 classtype:attempted-admin sid:296
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 143 --tcp-flags ACK ACK -m string --string "ë5^€F0€F0€F0" -j LOG --log-prefix " SID297 "	# "EXPLOIT imap x86 linux overflow" bugtraq,130 cve,CVE-1999-0005 classtype:attempted-admin sid:297
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 143 --tcp-flags ACK ACK -m string --string "ë8^‰ó‰Ø€F €F" -j LOG --log-prefix " SID298 "	# "EXPLOIT imap x86 linux overflow" bugtraq,130 cve,CVE-1999-0005 classtype:attempted-admin sid:298
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 143 --tcp-flags ACK ACK -m string --string "ëX^1ÛƒÃƒÃˆ^&" -j LOG --log-prefix " SID299 "	# "EXPLOIT imap x86 linux overflow" bugtraq,130 cve, CVE-1999-0005 classtype:attempted-admin sid:299
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 2766 --tcp-flags ACK ACK -m string --string "ë#^3ÀˆFú‰Fõ‰6" -j LOG --log-prefix " SID300 "	# "EXPLOIT nlps x86 solaris overflow" classtype:attempted-admin sid:300 bugtraq,2319
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 515 --tcp-flags ACK ACK -m string --string "C‰[K‰C°Í€1ÀþÀÍ€è”ÿÿÿ/bin/sh" -j LOG --log-prefix " SID301 "	# "EXPLOIT LPRng overflow" bugtraq,1712 classtype:attempted-admin sid:301
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 515 --tcp-flags ACK ACK -m string --string "XXXX%.172u%300\$n" -j LOG --log-prefix " SID302 "	# "EXPLOIT redhat 7.0 lprd overflow" classtype:attempted-admin sid:302
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 6373 --tcp-flags ACK ACK -m string --string "ë]UþM˜þM›" -j LOG --log-prefix " SID304 "	# "EXPLOIT sco calserver overflow" bugtraq,2353 classtype:attempted-admin sid:304
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 8080 -m string --string "whois://" --tcp-flags ACK ACK -j LOG --log-prefix " SID305 "	#Cannot convert: dsize: >1000	 "EXPLOIT delegate proxy overflow" nocase-ignored arachnids,267 classtype:attempted-admin sid:305 bugtraq,808 cve,CVE-2000-0165
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 9090 --tcp-flags ACK ACK -m string --string "GET / HTTP/1.1" -j LOG --log-prefix " SID306 "	# "EXPLOIT VQServer admin" nocase-ignored bugtraq,1610 cve,CAN-2000-0766 classtype:attempted-admin sid:306
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 6666:7000 --tcp-flags ACK ACK -m string --string "ëK[S2äƒÃKˆ#¸Pw" -j LOG --log-prefix " SID307 "	# "EXPLOIT IRC topic overflow" cve,CVE-1999-0672 bugtraq,573 classtype:attempted-user sid:307
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "´ ´‹Ìƒé‹3Éf¹" -j LOG --log-prefix " SID308 "	# "EXPLOIT NextFTP client overflow" bugtraq,572 cve,CVE-1999-0671 classtype:attempted-user sid:308
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "from:" -j LOG --log-prefix " SID309 "	#Cannot convert: dsize: >512	 "EXPLOIT sniffit overflow" nocase-ignored bugtraq,1158 cve,CAN-2000-0343 arachnids,273 classtype:attempted-admin sid:309
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "ëEë [ü3É±‚‹ó€+" -j LOG --log-prefix " SID310 "	# "EXPLOIT x86 windows MailMax overflow" bugtraq,2312 cve,CVE-1999-0404 classtype:attempted-admin sid:310
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 80 -m string --string "3É±?éQ<úG3ÀP÷ÐP" --tcp-flags ACK ACK -j LOG --log-prefix " SID311 "	# "EXPLOIT netscape 4.7 unsucessful overflow" arachnids,214 classtype:unsuccessful-user sid:311 bugtraq,822
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 123 -j LOG --log-prefix " SID312 "	#Cannot convert: dsize: >128	 "EXPLOIT ntpdx overflow attempt" arachnids,492 classtype:attempted-admin sid:312
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 518 -m string --string "è" -j LOG --log-prefix " SID313 "	# "EXPLOIT ntalkd x86 linux overflow" bugtraq,210 classtype:attempted-admin sid:313
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "«Í	€    a" -j LOG --log-prefix " SID303 "	# "EXPLOIT named tsig overflow attempt" cve,CVE-2001-0010 bugtraq,2302 arachnids,482 classtype:attempted-admin sid:303
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "€?/bin/sh" -j LOG --log-prefix " SID314 "	# "EXPLOIT named tsig overflow attempt" classtype:attempted-admin sid:314 cve,CVE-2001-0010 bugtraq,2302
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 635 -m string --string "^°‰þÈ‰F°‰F" -j LOG --log-prefix " SID315 "	# "EXPLOIT x86 linux mountd overflow" cve,CVE-1999-0002 classtype:attempted-admin sid:315
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 635 -m string --string "ëV^VVV1ÒˆVˆV" -j LOG --log-prefix " SID316 "	# "EXPLOIT x86 linux mountd overflow" cve,CVE-1999-0002 classtype:attempted-admin sid:316
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 635 -m string --string "ë@^1À@‰F‰Ã@‰" -j LOG --log-prefix " SID317 "	# "EXPLOIT x86 linux mountd overflow" cve,CVE-1999-0002 classtype:attempted-admin sid:317
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 67 -m string --string "echo netrjs stre" -j LOG --log-prefix " SID318 "	# "EXPLOIT bootp x86 bsd overflow" classtype:attempted-admin sid:318 bugtraq,324 cve,CVE-1999-0914
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 67 -m string --string "A90À¨/bin/sh" -j LOG --log-prefix " SID319 "	# "EXPLOIT bootp x86 linux overflow" cve,CVE-1999-0799 cve,CAN-1999-0798 cve,CAN-1999-0389 classtype:attempted-admin sid:319
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 2224 --tcp-flags ACK ACK -m string --string "1ÛÍ€è[ÿÿÿ" -j LOG --log-prefix " SID1240 "	# "EXPLOIT MDBMS overflow" bugtraq,1252 cve,CVE-2000-0446 classtype:attempted-admin sid:1240
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 4242 -m string --string "ÿûxÿûxÿûxÿûx" --string "@ŠÿÈ@‚ÿØ;6þ;vþ" --tcp-flags ACK ACK -j LOG --log-prefix " SID1261 "	#Cannot convert: dsize:>1000	 "EXPLOIT aix pdnsd overflow" bugtraq,3237 classtype:attempted-user sid:1261
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 4321 -m string --string "-soa %p" --tcp-flags ACK ACK -j LOG --log-prefix " SID1323 "	# "EXPLOIT rwhoisd format string attempt" bugtraq,3474 classtype:misc-attack sid:1323
#iptables -A SnortRules -p tcp --dport 6667 --tcp-flags ACK ACK -m string --string "PRIVMSG nickserv IDENTIFY" -j LOG --log-prefix " SID1382 "	#Cannot convert: dsize:>200	 "EXPLOIT Ettercap IRC parse overflow attempt" nocase-ignored url,www.bugtraq.org/dev/GOBBLES-12.txt classtype:misc-attack sid:1382
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 10101 -d $HOME_NET -m ttl --ttl-gt 220 --tcp-flags ALL SYN -j LOG --log-prefix " SID613 "	#Cannot convert: ack: 0	 "SCAN myscan" arachnids,439 classtype:attempted-recon sid:613
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 31790 -d $HOME_NET --dport 31789 -m string --string "A" --tcp-flags ACK ACK -j LOG --log-prefix " SID614 "	# "SCAN trojan hack-a-tack probe" arachnids,314 classtype:attempted-recon sid:614
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 1080 --tcp-flags ALL SYN -j LOG --log-prefix " SID615 "	# "SCAN Proxy attempt" url,help.undernet.org/proxyscan/ classtype:attempted-recon sid:615
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 113 --tcp-flags ACK ACK -m string --string "VERSION" -j LOG --log-prefix " SID616 "	# "SCAN ident version" arachnids,303 classtype:attempted-recon sid:616
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 3128 --tcp-flags ALL SYN -j LOG --log-prefix " SID618 "	# "INFO - Possible Squid Scan" classtype:attempted-recon sid:618
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ALL FIN,SYN -j LOG --log-prefix " SID619 "	#Cannot convert: Flag1 Flag2 dsize: 0	 "SCAN cybercop os probe" arachnids,146 classtype:attempted-recon sid:619
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 8080 --tcp-flags ALL SYN -j LOG --log-prefix " SID620 "	# "SCAN Proxy attempt" classtype:attempted-recon sid:620
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL FIN -j LOG --log-prefix " SID621 "	# "SCAN FIN" arachnids,27 classtype:attempted-recon sid:621
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL SYN -j LOG --log-prefix " SID622 "	#Cannot convert: seq: 1958810375	 "SCAN IP Eye SYN Scan" arachnids,236 classtype:attempted-recon sid:622
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL NONE -j LOG --log-prefix " SID623 "	#Cannot convert: seq:0 ack:0	 "SCAN NULL" arachnids,4 classtype:attempted-recon sid:623
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL FIN,SYN -j LOG --log-prefix " SID624 "	# "SCAN SYN FIN" arachnids,198 classtype:attempted-recon sid:624
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL ACK,FIN,PSH,SYN,RST,URG -j LOG --log-prefix " SID625 "	# "SCAN XMAS" arachnids,144 classtype:attempted-recon sid:625
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "AAAAAAAAAAAAAAAA" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID626 "	#Cannot convert: Flag1 Flag2	 "SCAN cybercop os probe" arachnids,149 classtype:attempted-recon sid:626
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "AAAAAAAAAAAAAAAA" --tcp-flags ALL FIN,SYN,URG -j LOG --log-prefix " SID627 "	#Cannot convert: Flag1 Flag2 ack: 0	 "SCAN cybercop os probe" arachnids,150 classtype:attempted-recon sid:627
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL ACK -j LOG --log-prefix " SID628 "	#Cannot convert: ack:0	 "SCAN nmap TCP" arachnids,28 classtype:attempted-recon sid:628
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL FIN,PSH,SYN,URG -j LOG --log-prefix " SID629 "	# "SCAN nmap fingerprint attempt" arachnids,05 classtype:attempted-recon sid:629
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL FIN,SYN -j LOG --log-prefix " SID630 "	#Cannot convert: id: 39426	 "SCAN synscan portscan" arachnids,441 classtype:attempted-recon sid:630
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "ehlo cybercopquit" -j LOG --log-prefix " SID631 "	# "SMTP cybercop scan ehlo" arachnids,372 classtype:attempted-recon sid:631
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "expn cybercop" -j LOG --log-prefix " SID632 "	# "SMTP cybercop scan expn" arachnids,371 classtype:attempted-recon sid:632
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 10080:10081 -m string --string "Amanda" -j LOG --log-prefix " SID634 "	# "SCAN Amanda client version" nocase-ignored classtype:attempted-recon sid:634
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 49 -m string --string "€" -j LOG --log-prefix " SID635 "	# "SCAN XTACACS logout" arachnids,408 classtype:bad-unknown sid:635
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 7 -m string --string "cybercop" -j LOG --log-prefix " SID636 "	# "SCAN cybercop udp bomb" arachnids,363 classtype:bad-unknown sid:636
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "helpquit" -j LOG --log-prefix " SID637 "	# "SCAN Webtrends Scanner UDP Probe" arachnids,308 classtype:attempted-recon sid:637
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL FIN,PSH,URG -j LOG --log-prefix " SID1228 "	# "SCAN NMAP XMAS" arachnids,30 classtype:attempted-recon sid:1228
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "cmd_rootsh" -j LOG --log-prefix " SID320 "	# "FINGER cmd_rootsh backdoor attempt" classtype:attempted-admin url,www.sans.org/y2k/TFN_toolkit.htm url,www.sans.org/y2k/fingerd.htm sid:320
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "a b c d e f" -j LOG --log-prefix " SID321 "	# "FINGER account enumeration attempt" nocase-ignored classtype:attempted-recon sid:321
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "search" -j LOG --log-prefix " SID322 "	# "FINGER search queary" arachnids,375 classtype:attempted-recon sid:322
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "root" -j LOG --log-prefix " SID323 "	# "FINGER root query" arachnids,376 classtype:attempted-recon sid:323
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "" -j LOG --log-prefix " SID324 "	# "FINGER null request" arachnids,377 classtype:attempted-recon sid:324
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string ";" -j LOG --log-prefix " SID326 "	#Cannot convert: execution attempt"	 "FINGER remote command cve,CVE-1999-0150 bugtraq,974 arachnids,379 classtype:attempted-user sid:326
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "|" -j LOG --log-prefix " SID327 "	# "FINGER remote command pipe execution attempt" cve,CVE-1999-0152 bugtraq,2220 arachnids,380 classtype:attempted-user sid:327
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "@@" -j LOG --log-prefix " SID328 "	# "FINGER bomb attempt" arachnids,381 cve,CAN-1999-0106 classtype:attempted-dos sid:328
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 -m string --string "@" --tcp-flags ACK ACK -j LOG --log-prefix " SID330 "	# "FINGER redirection attempt" arachnids,251 cve,CAN-1999-0105 classtype:attempted-recon sid:330
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 -m string --string " " --tcp-flags ACK ACK -j LOG --log-prefix " SID331 "	# "FINGER cybercop query" arachnids,132 cve,CVE-1999-0612 classtype:attempted-recon sid:331
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "0" -j LOG --log-prefix " SID332 "	# "FINGER 0 query" arachnids,378 arachnids,131 cve,CAN-1999-0197 classtype:attempted-recon sid:332
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "." -j LOG --log-prefix " SID333 "	# "FINGER . query" arachnids,130 cve,CAN-1999-0198 classtype:attempted-recon sid:333
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "stat " -j LOG --log-prefix " SID1379 "	#Cannot convert: dsize:>1000	 "FTP EXPLOIT stat overflow" nocase-ignored url,labs.defcom.com/adv/2001/def-2001-31.txt classtype:attempted-admin sid:1379
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string ".forward" --tcp-flags ACK ACK -j LOG --log-prefix " SID334 "	# "FTP .forward" arachnids,319 classtype:suspicious-filename-detect sid:334
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string ".rhosts" -j LOG --log-prefix " SID335 "	# "FTP .rhosts" arachnids,328 classtype:suspicious-filename-detect sid:335
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "cwd ~root" --tcp-flags ACK ACK -j LOG --log-prefix " SID336 "	# "FTP CWD ~root" nocase-ignored cve,CVE-1999-0082 arachnids,318 classtype:bad-unknown sid:336
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "CEL " -j LOG --log-prefix " SID337 "	#Cannot convert: dsize:>1300	 "FTP EXPLOIT aix overflow" bugtraq,679 cve,CVE-1999-0789 arachnids,257 classtype:attempted-admin sid:337
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "SITE EXEC %020d|%.f%.f|" -j LOG --log-prefix " SID338 "	# "FTP EXPLOIT format string" nocase-ignored cve,CVE-2000-0573 bugtraq,1387 arachnids,453 classtype:attempted-user sid:338
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string " 1À™RR°Í€hÌsh" -j LOG --log-prefix " SID339 "	# "FTP EXPLOIT OpenBSD x86 ftpd" cve,CVE-2001-0053 bugtraq,2124 arachnids,446 classtype:attempted-user sid:339
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "PWD/i" -j LOG --log-prefix " SID340 "	# "FTP EXPLOIT overflow" classtype:attempted-admin sid:340
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "XXXXX/" -j LOG --log-prefix " SID341 "	# "FTP EXPLOIT overflow" classtype:attempted-admin sid:341
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "À‚ ‘Ð " -j LOG --log-prefix " SID342 "	# "FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8" bugtraq,1387 cve,CAN-2000-0573 arachnids,451 classtype:attempted-user sid:342
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "1ÀPPP°~Í€1Û1À" --tcp-flags ACK ACK -j LOG --log-prefix " SID343 "	# "FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD" arachnids,228 bugtraq,1387 cve,CAN-2000-0573 classtype:attempted-admin sid:343
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "1À1Û1É°FÍ€1À1Û" --tcp-flags ACK ACK -j LOG --log-prefix " SID344 "	# "FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux" bugtraq,1387 cve,CAN-2000-0573 arachnids,287 classtype:attempted-admin sid:344
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "SITE EXEC %p" --tcp-flags ACK ACK -j LOG --log-prefix " SID345 "	# "FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic" nocase-ignored bugtraq,1387 cve,CAN-2000-0573 arachnids,285 classtype:attempted-admin sid:345
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "f%.f%.f%.f%.f%." --tcp-flags ACK ACK -j LOG --log-prefix " SID346 "	# "FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check" arachnids,286 bugtraq,1387 cve,CAN-2000-0573 classtype:attempted-recon sid:346
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "..11venglin@" -j LOG --log-prefix " SID348 "	# "FTP EXPLOIT wu-ftpd 2.6.0" arachnids,440 bugtraq,1387 classtype:attempted-user sid:348
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "MKD AAAAAA" -j LOG --log-prefix " SID349 "	# "FTP EXPLOIT MKD overflow" bugtraq,113 cve,CVE-1999-0368 classtype:attempted-admin sid:349
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "1À1Û°Í€1À°Í€" -j LOG --log-prefix " SID350 "	# "FTP EXPLOIT x86 linux overflow" bugtraq,113 cve,CVE-1999-0368 classtype:attempted-admin sid:350
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "1Û‰Ø°Í€ë," -j LOG --log-prefix " SID351 "	# "FTP EXPLOIT x86 linux overflow" bugtraq,113 cve,CVE-1999-0368 classtype:attempted-admin sid:351
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "ƒì^ƒÆpƒÆ(ÕàÀ" -j LOG --log-prefix " SID352 "	# "FTP EXPLOIT x86 linux overflow" bugtraq, 113 cve, CVE-1999-0368 classtype:attempted-admin sid:352
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "PASS ddd@" -j LOG --log-prefix " SID353 "	# "FTP adm scan" arachnids,332 classtype:suspicious-login sid:353
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "pass -iss@iss" -j LOG --log-prefix " SID354 "	# "FTP iss scan" arachnids,331 classtype:suspicious-login sid:354
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "pass wh00t" --tcp-flags ACK ACK -j LOG --log-prefix " SID355 "	# "FTP pass wh00t" nocase-ignored arachnids,324 classtype:suspicious-login sid:355
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "RETR" --string "passwd" --tcp-flags ACK ACK -j LOG --log-prefix " SID356 "	# "FTP passwd retreval attempt" nocase-ignored arachnids,213 classtype:suspicious-filename-detect sid:356
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "pass -cklaus" -j LOG --log-prefix " SID357 "	# "FTP piss scan" classtype:suspicious-login sid:357
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "pass -saint" -j LOG --log-prefix " SID358 "	# "FTP saint scan" arachnids,330 classtype:suspicious-login sid:358
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "pass -satan" -j LOG --log-prefix " SID359 "	# "FTP satan scan" arachnids,329 classtype:suspicious-login sid:359
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string ".%20." -j LOG --log-prefix " SID360 "	# "FTP serv-u directory transversal" nocase-ignored bugtraq,2025 cve,CVE-2001-0054 classtype:bad-unknown sid:360
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "site exec" --tcp-flags ACK ACK -j LOG --log-prefix " SID361 "	# "FTP site exec" nocase-ignored bugtraq,2241 arachnids,317 classtype:bad-unknown sid:361
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "RETR --use-compress-program" -j LOG --log-prefix " SID362 "	# "FTP tar parameters" nocase-ignored bugtraq,2240 arachnids,134 cve,CVE-1999-0202 classtype:bad-unknown sid:362
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "CWD ..." -j LOG --log-prefix " SID1229 "	# "FTP CWD ..." classtype:bad-unknown sid:1229
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "~" --string "[" -j LOG --log-prefix " SID1377 "	# "FTP wu-ftp file completion attempt [" bugtraq,3581 classtype:misc-attack sid:1377
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "~" --string "{" -j LOG --log-prefix " SID1378 "	# "FTP wu-ftp file completion attempt {" bugtraq,3581 classtype:misc-attack sid:1378
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "USER w0rm" -j LOG --log-prefix " SID144 "	# "FTP ADMw0rm ftp login attempt" arachnids,01 sid:144 classtype:suspicious-login
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "_RLD" --string "/bin/sh" -j LOG --log-prefix " SID711 "	# "TELNET SGI telnetd format bug" arachnids,304 classtype:attempted-admin sid:711
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "ld_library_path" -j LOG --log-prefix " SID712 "	# "TELNET ld_library_path" arachnids,367 classtype:attempted-admin sid:712
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "ÿóÿóÿóÿóÿó" -j LOG --log-prefix " SID713 "	# "TELNET livingston DOS" arachnids,370 classtype:attempted-dos sid:713
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "resolv_host_conf" -j LOG --log-prefix " SID714 "	# "TELNET resolv_host_conf" arachnids,369 classtype:attempted-admin sid:714
iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --sport 23 -m string --string "to su root" --tcp-flags ACK ACK -j LOG --log-prefix " SID715 "	# "TELNET Attempted SU from wrong group" nocase-ignored classtype:attempted-admin sid:715
iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --sport 23 --tcp-flags ACK ACK -m string --string "not on system console" -j LOG --log-prefix " SID717 "	# "TELNET not on console" nocase-ignored arachnids,365 classtype:bad-unknown sid:717
iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --sport 23 -m string --string "Login incorrect" --tcp-flags ACK ACK -j LOG --log-prefix " SID718 "	# "TELNET login incorrect" arachnids,127 classtype:bad-unknown sid:718
iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --sport 23 -m string --string "login: root" --tcp-flags ACK ACK -j LOG --log-prefix " SID719 "	# "TELNET root login" classtype:suspicious-login sid:719
iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --sport 23 --tcp-flags ACK ACK -m string --string "[Yes]ÿþÿý&" -j LOG --log-prefix " SID1252 "	# "TELNET bsd telnet exploit response" classtype: attempted-admin sid:1252 bugtraq,3064 cve,CAN-2001-0554
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "ÿöÿöÿûÿö" -j LOG --log-prefix " SID1253 "	#Cannot convert: dsize: >200	 "TELNET bsd exploit client finishing" classtype: successful-admin sid:1253 bugtraq,3064 cve,CAN-2001-0554
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "4Dgifts" -j LOG --log-prefix " SID709 "	# "TELNET 4Dgifts SGI account attempt" classtype:suspicious-login sid:709
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "OutOfBox" -j LOG --log-prefix " SID710 "	# "TELNET EZsetup account attempt" classtype:suspicious-login sid:710
iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --sport 23 --tcp-flags ACK ACK -m string --string "ÿýÿýÿý#ÿý'ÿý\$" -j LOG --log-prefix " SID716 "	# "TELNET access" arachnids,08 cve,CAN-1999-0619 classtype:not-suspicious sid:716
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "rcpt to:" -j LOG --log-prefix " SID654 "	#Cannot convert: dsize:>800	 "SMTP RCPT TO overflow" cve,CAN-2001-0260 bugtraq,2283 classtype:attempted-admin sid:654
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 113 -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "D/" -j LOG --log-prefix " SID655 "	# "SMTP sendmail 8.6.9 exploit" arachnids,140 cve,CVE-1999-0204 classtype:attempted-admin sid:655
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "ëSë [ü3É±‚‹ó€+" -j LOG --log-prefix " SID656 "	# "SMTP EXPLOIT x86 windows CSMMail overflow" bugtraq,895 cve,CVE-2000-0042 classtype:attempted-admin sid:656
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 -m string --string "HELP " --tcp-flags ACK ACK -j LOG --log-prefix " SID657 "	#Cannot convert: dsize: >500	 "SMTP chameleon overflow" nocase-ignored bugtraq,2387 arachnids,266 cve,CAN-1999-0261 classtype:attempted-admin sid:657
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "charset = \"\"" -j LOG --log-prefix " SID658 "	# "SMTP exchange mime DOS" classtype:attempted-dos sid:658
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "expn decode" -j LOG --log-prefix " SID659 "	# "SMTP expn decode" nocase-ignored arachnids,32 classtype:attempted-recon sid:659
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "expn root" -j LOG --log-prefix " SID660 "	# "SMTP expn root" nocase-ignored arachnids,31 classtype:attempted-recon sid:660
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "eply-to: a~.`/bin/" -j LOG --log-prefix " SID661 "	#Cannot convert: Mishandled quotes	 "SMTP majordomo ifs" cve,CVE-1999-0208 arachnids,143 classtype:attempted-admin sid:661
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "mail from: \"|" -j LOG --log-prefix " SID662 "	# "SMTP sendmail 5.5.5 exploit" nocase-ignored arachnids,119 classtype:attempted-admin sid:662
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "|sed -e '1,/^\$/'" -j LOG --log-prefix " SID663 "	# "SMTP sendmail 5.5.8 overflow" arachnids,172 cve,CVE-1999-0095 classtype:attempted-admin sid:663
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "rcpt to: decode" -j LOG --log-prefix " SID664 "	# "SMTP sendmail 5.6.4 exploit" nocase-ignored arachnids,121 classtype:attempted-admin sid:664
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "MAIL FROM: |/usr/ucb/tail" -j LOG --log-prefix " SID665 "	# "SMTP sendmail 5.6.5 exploit" nocase-ignored arachnids,122 classtype:attempted-user sid:665
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "rcpt to: | sed '1,/^$/d'|" -j LOG --log-prefix " SID666 "	# "SMTP sendmail 8.4.1 exploit" nocase-ignored arachnids,120 classtype:attempted-user sid:666
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "CrootMprog, P=/bin/" -j LOG --log-prefix " SID667 "	# "SMTP sendmail 8.6.10 exploit" arachnids,123 classtype:attempted-user sid:667
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "Croot							Mprog,P=/bin" -j LOG --log-prefix " SID668 "	# "SMTP sendmail 8.6.10 exploit" arachnids,124 classtype:attempted-user sid:668
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "CrootMprog" -j LOG --log-prefix " SID669 "	# "SMTP sendmail 8.6.9 exploit" arachnids,142 cve,CVE-1999-0204 classtype:attempted-user sid:669
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "C:daemonR" -j LOG --log-prefix " SID670 "	# "SMTP sendmail 8.6.9 exploit" cve,CVE-1999-0204 arachnids,139 classtype:attempted-user sid:670
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "CrootMprog" -j LOG --log-prefix " SID671 "	# "SMTP sendmail 8.6.9c exploit" arachnids,141 cve,CVE-1999-0204 classtype:attempted-user sid:671
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "vrfy decode" -j LOG --log-prefix " SID672 "	# "SMTP vrfy decode" nocase-ignored arachnids,373 classtype:attempted-recon sid:672
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ACK ACK -m string --string "œ" --string "‡™" -j LOG --log-prefix " SID569 "	# "RPC snmpXdmi overflow attempt" bugtraq,2417 cve,CAN-2001-0236 url,www.cert.org/advisories/CA-2001-05.html classtype:attempted-admin sid:569
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771:34000 -m string --string "À\"?ü¢ 	À,ÿâ\"?ô" --tcp-flags ACK ACK -j LOG --log-prefix " SID570 "	#Cannot convert: dsize: >999	 "RPC EXPLOIT ttdbserv solaris overflow" url,www.cert.org/advisories/CA-2001-27.html bugtraq,122 cve,CVE-1999-0003 arachnids,242 classtype:attempted-admin sid:570
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771:34000 --tcp-flags ACK ACK -m string --string "†ó" -j LOG --log-prefix " SID571 "	#Cannot convert: dsize: >999	 "RPC EXPLOIT ttdbserv Solaris overflow" url,www.cert.org/advisories/CA-2001-27.html bugtraq,122 cve,CVE-1999-0003 arachnids,242 classtype:attempted-admin sid:571
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771:34000 --tcp-flags ACK ACK -m string --string "†ó" -j LOG --log-prefix " SID572 "	# "RPC DOS ttdbserv solaris" bugtraq,122 arachnids,241 cve,CVE-1999-0003 classtype:attempted-dos sid:572
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 634:1400 --tcp-flags ACK ACK -m string --string "€,Lu[" -j LOG --log-prefix " SID573 "	# "RPC AMD Overflow" arachnids,217 classtype:attempted-admin sid:573
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771: --tcp-flags ACK ACK -m string --string "†¥" -j LOG --log-prefix " SID574 "	# "RPC NFS Showmount" arachnids,26 classtype:attempted-recon sid:574
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†÷" -j LOG --log-prefix " SID575 "	# "RPC portmap request admind" arachnids,18 classtype:rpc-portmap-decode sid:575
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†÷" --tcp-flags ACK ACK -j LOG --log-prefix " SID1262 "	# "RPC portmap request admind" arachnids,18 classtype:rpc-portmap-decode sid:1262
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡" -j LOG --log-prefix " SID576 "	# "RPC portmap request amountd" arachnids,19 classtype:rpc-portmap-decode sid:576
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡" --tcp-flags ACK ACK -j LOG --log-prefix " SID1263 "	# "RPC portmap request amountd" arachnids,19 classtype:rpc-portmap-decode sid:1263
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†º" -j LOG --log-prefix " SID577 "	# "RPC portmap request bootparam" arachnids,16 classtype:rpc-portmap-decode sid:577
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†º" --tcp-flags ACK ACK -j LOG --log-prefix " SID1264 "	# "RPC portmap request bootparam" arachnids,16 classtype:rpc-portmap-decode sid:1264
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†ä" -j LOG --log-prefix " SID578 "	# "RPC portmap request cmsd" arachnids,17 classtype:rpc-portmap-decode sid:578
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†ä" --tcp-flags ACK ACK -j LOG --log-prefix " SID1265 "	# "RPC portmap request cmsd" arachnids,17 classtype:rpc-portmap-decode sid:1265
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¥" -j LOG --log-prefix " SID579 "	# "RPC portmap request mountd" arachnids,13 classtype:rpc-portmap-decode sid:579
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¥" --tcp-flags ACK ACK -j LOG --log-prefix " SID1266 "	# "RPC portmap request mountd" arachnids,13 classtype:rpc-portmap-decode sid:1266
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡Ì" -j LOG --log-prefix " SID580 "	# "RPC portmap request nisd" arachnids,21 classtype:rpc-portmap-decode sid:580
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡Ì" --tcp-flags ACK ACK -j LOG --log-prefix " SID1267 "	# "RPC portmap request nisd" arachnids,21 classtype:rpc-portmap-decode sid:1267
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "Iñ" -j LOG --log-prefix " SID581 "	# "RPC portmap request pcnfsd" arachnids,22 classtype:rpc-portmap-decode sid:581
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "Iñ" --tcp-flags ACK ACK -j LOG --log-prefix " SID1268 "	# "RPC portmap request pcnfsd" arachnids,22 classtype:rpc-portmap-decode sid:1268
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†±" -j LOG --log-prefix " SID582 "	# "RPC portmap request rexd" arachnids,23 classtype:rpc-portmap-decode sid:582
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†±" --tcp-flags ACK ACK -j LOG --log-prefix " SID1269 "	# "RPC portmap request rexd" arachnids,23 classtype:rpc-portmap-decode sid:1269
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¡" -j LOG --log-prefix " SID583 "	# "RPC portmap request rstatd" arachnids,10 classtype:rpc-portmap-decode sid:583
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¡" --tcp-flags ACK ACK -j LOG --log-prefix " SID1270 "	# "RPC portmap request rstatd" arachnids,10 classtype:rpc-portmap-decode sid:1270
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¢" --tcp-flags ACK ACK -j LOG --log-prefix " SID1271 "	# "RPC portmap request rusers" arachnids,133 classtype:rpc-portmap-decode sid:1271
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¢" -j LOG --log-prefix " SID584 "	# "RPC portmap request rusers" arachnids,133 classtype:rpc-portmap-decode sid:584
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡ˆ" --tcp-flags ACK ACK -j LOG --log-prefix " SID1272 "	# "RPC portmap request sadmind" arachnids,20 classtype:rpc-portmap-decode sid:1272
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡ˆ" -j LOG --log-prefix " SID585 "	# "RPC portmap request sadmind" arachnids,20 classtype:rpc-portmap-decode sid:585
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¯" -j LOG --log-prefix " SID586 "	# "RPC portmap request selection_svc" arachnids,25 classtype:rpc-portmap-decode sid:586
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¯" --tcp-flags ACK ACK -j LOG --log-prefix " SID1273 "	# "RPC portmap request selection_svc" arachnids,25 classtype:rpc-portmap-decode sid:1273
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¸" -j LOG --log-prefix " SID587 "	# "RPC portmap request status" arachnids,15 classtype:rpc-portmap-decode sid:587
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†ó" -j LOG --log-prefix " SID588 "	# "RPC portmap request ttdbserv" cve,CAN-2001-0717 cve,CVE-1999-0003 cve,CVE-1999-0687 cve,CAN-1999-1075 cve,CAN-2001-0717 url,www.cert.org/advisories/CA-2001-05.html arachnids,24 classtype:rpc-portmap-decode sid:588
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†ó" --tcp-flags ACK ACK -j LOG --log-prefix " SID1274 "	# "RPC portmap request ttdbserv" cve,CAN-2001-0717 cve,CVE-1999-0003 cve,CVE-1999-0687 cve,CAN-1999-1075 cve,CAN-2001-0717 url,www.cert.org/advisories/CA-2001-05.html arachnids,24 classtype:rpc-portmap-decode sid:1274
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†©" -j LOG --log-prefix " SID589 "	# "RPC portmap request yppasswd" arachnids,14 classtype:rpc-portmap-decode sid:589
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†©" --tcp-flags ACK ACK -j LOG --log-prefix " SID1275 "	# "RPC portmap request yppasswd" arachnids,14 classtype:rpc-portmap-decode sid:1275
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¤" --tcp-flags ACK ACK -j LOG --log-prefix " SID1276 "	# "RPC portmap request ypserv" arachnids,12 classtype:rpc-portmap-decode sid:1276
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¤" -j LOG --log-prefix " SID590 "	# "RPC portmap request ypserv" arachnids,12 classtype:rpc-portmap-decode sid:590
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¼" -j LOG --log-prefix " SID1277 "	# "RPC portmap request ypupdated" arachnids,125 classtype:rpc-portmap-decode sid:1277
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -m string --string "†¼" -j LOG --log-prefix " SID591 "	# "RPC portmap request ypupdated" arachnids,125 classtype:rpc-portmap-decode sid:591
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 32770: -m string --string "†¡" -j LOG --log-prefix " SID592 "	# "RPC rstatd query" arachnids,9 classtype:attempted-recon sid:592
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32770: --tcp-flags ACK ACK -m string --string "†¡" -j LOG --log-prefix " SID1278 "	# "RPC rstatd query" arachnids,9 classtype:attempted-recon sid:1278
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -j LOG --log-prefix " SID1298 "	#Cannot convert: rpc:100083,*,*	 "RPC portmap request tooltalk" cve,CAN-2001-0717 cve,CVE-1999-0003 cve,CVE-1999-0687 cve,CAN-1999-1075 cve,CAN-2001-0717 url,www.cert.org/advisories/CA-2001-05.html classtype:rpc-portmap-decode sid:1298
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -j LOG --log-prefix " SID1299 "	#Cannot convert: rpc:100083,*,*	 "RPC portmap request tooltalk" cve,CAN-2001-0717 cve,CVE-1999-0003 cve,CVE-1999-0687 cve,CAN-1999-1075 cve,CAN-2001-0717 url,www.cert.org/advisories/CA-2001-05.html classtype:rpc-portmap-decode sid:1299
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -j LOG --log-prefix " SID593 "	#Cannot convert: rpc:100249,*,*	 "RPC portmap request snmpXdmi" cve,CAN-2001-0236 url,www.cert.org/advisories/CA-2001-05.html bugtraq,2417 classtype:rpc-portmap-decode sid:593
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -j LOG --log-prefix " SID1279 "	#Cannot convert: rpc:100249,*,*	 "RPC portmap request snmpXdmi" bugtraq,2417 classtype:rpc-portmap-decode sid:1279
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -j LOG --log-prefix " SID594 "	#Cannot convert: rpc:391029,*,*	 "RPC portmap request espd" cve,CAN-2001-0331 classtype:rpc-portmap-decode sid:594
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -j LOG --log-prefix " SID595 "	#Cannot convert: rpc:391029,*,*	 "RPC portmap request espd" cve,CAN-2001-0331 classtype:rpc-portmap-decode sid:595
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -j LOG --log-prefix " SID1296 "	#Cannot convert: rpc:100009,*,*	 "RPC portmap request yppasswdd" bugtraq,2763 classtype:rpc-portmap-decode sid:1296
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -j LOG --log-prefix " SID1297 "	#Cannot convert: rpc:100009,*,*	 "RPC portmap request yppasswdd" bugtraq,2763 classtype:rpc-portmap-decode sid:1297
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -j LOG --log-prefix " SID596 "	#Cannot convert: rpc: 100000,*,*	 "RPC portmap listing" arachnids,429 classtype:rpc-portmap-decode sid:596
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771 --tcp-flags ACK ACK -j LOG --log-prefix " SID597 "	#Cannot convert: rpc: 100000,*,*	 "RPC portmap listing" arachnids,429 classtype:rpc-portmap-decode sid:597
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " -j LOG --log-prefix " SID1280 "	# "RPC portmap listing" arachnids,429 classtype:rpc-portmap-decode sid:1280
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -m string --string "† " -j LOG --log-prefix " SID598 "	# "RPC portmap listing" arachnids,429 classtype:rpc-portmap-decode sid:598
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771 --tcp-flags ACK ACK -m string --string "† " -j LOG --log-prefix " SID599 "	# "RPC portmap listing" arachnids,429 classtype:rpc-portmap-decode sid:599
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 32771 -m string --string "† " -j LOG --log-prefix " SID1281 "	# "RPC portmap listing" arachnids,429 classtype:rpc-portmap-decode sid:1281
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ACK ACK -m string --string "/binÇF/sh" -j LOG --log-prefix " SID600 "	# "RPC EXPLOIT statdx" arachnids,442 classtype:attempted-admin sid:600
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "/binÇF/sh" -j LOG --log-prefix " SID1282 "	# "RPC EXPLOIT statdx" arachnids,442 classtype:attempted-admin sid:1282
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 32770: -m string --string "†¢" -j LOG --log-prefix " SID612 "	# "RPC rusers query" cve,CVE-1999-0626 arachnids,136 classtype:attempted-recon sid:612
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 --tcp-flags ACK ACK -m string --string "::::::::::::::::" -j LOG --log-prefix " SID601 "	# "RSERVICES rlogin LinuxNIS" classtype:bad-unknown sid:601
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 --tcp-flags ACK ACK -m string --string "binbin" -j LOG --log-prefix " SID602 "	# "RSERVICES rlogin bin" arachnids,384 classtype:attempted-user sid:602
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 --tcp-flags ACK ACK -m string --string "echo \" + + \"" -j LOG --log-prefix " SID603 "	# "RSERVICES rlogin echo++" arachnids,385 classtype:bad-unknown sid:603
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 --tcp-flags ACK ACK -m string --string "-froot" -j LOG --log-prefix " SID604 "	# "RSERVICES rsh froot" arachnids,386 classtype:attempted-admin sid:604
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 --tcp-flags ACK ACK -m string --string "login incorrect" -j LOG --log-prefix " SID605 "	# "RSERVICES rlogin login failure" arachnids,393 classtype:unsuccessful-user sid:605
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 --tcp-flags ACK ACK -m string --string "rootroot" -j LOG --log-prefix " SID606 "	# "RSERVICES rlogin root" arachnids,389 classtype:attempted-admin sid:606
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 514 --tcp-flags ACK ACK -m string --string "binbin" -j LOG --log-prefix " SID607 "	# "RSERVICES rsh bin" arachnids,390 classtype:attempted-user sid:607
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 514 --tcp-flags ACK ACK -m string --string "echo \"+ +\"" -j LOG --log-prefix " SID608 "	# "RSERVICES rsh echo + +" arachnids,388 classtype:attempted-user sid:608
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 514 --tcp-flags ACK ACK -m string --string "-froot" -j LOG --log-prefix " SID609 "	# "RSERVICES rsh froot" arachnids,387 classtype:attempted-admin sid:609
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 514 --tcp-flags ACK ACK -m string --string "rootroot" -j LOG --log-prefix " SID610 "	# "RSERVICES rsh root" arachnids,391 classtype:attempted-admin sid:610
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ACK ACK -m string --string "rlogind: Permission denied." -j LOG --log-prefix " SID611 "	# "RSERVICES rlogin login failure" arachnids,392 classtype:unsuccessful-user sid:611
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -j LOG --log-prefix " SID268 "	#Cannot convert: fragbits: M dsize:408	 "DOS Jolt attack" cve,CAN-1999-0345 classtype:attempted-dos sid:268
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL SYN -j LOG --log-prefix " SID269 "	#Cannot convert: id:3868 seq: 3868	 "DOS Land attack" classtype:attempted-dos sid:269
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -j LOG --log-prefix " SID270 "	#Cannot convert: id:242 fragbits:M	 "DOS Teardrop attack" cve,CAN-1999-0015 url,www.cert.org/advisories/CA-1997-28.html bugtraq,124 classtype:attempted-dos sid:270
iptables -A SnortRules -p udp --sport 19 -d $HOME_NET --dport 7 -j LOG --log-prefix " SID271 "	# "DOS UDP Bomb" classtype:attempted-dos sid:271
iptables -A SnortRules -p udp --dport 19 -s $HOME_NET --sport 7 -j LOG --log-prefix " SID271 "	# "DOS UDP Bomb" classtype:attempted-dos sid:271
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "" --proto ip_proto: 2 -j LOG --log-prefix " SID272 "	#Cannot convert: fragbits: M+	 "DOS IGMP dos attack" classtype:attempted-dos sid:272
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "" --proto ip_proto: 2 -j LOG --log-prefix " SID273 "	#Cannot convert: fragbits: M+	 "DOS IGMP dos attack" classtype:attempted-dos sid:273
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "+++ath" --icmp-type 8 -j LOG --log-prefix " SID274 "	# "DOS ath" nocase-ignored arachnids,264 classtype:attempted-dos sid:274
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL SYN -j LOG --log-prefix " SID275 "	#Cannot convert: seq: 6060842 id: 413	 "DOS NAPTHA" url,razor.bindview.com/publish/advisories/adv_NAPTHA.html classtype:attempted-dos sid:275
#iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --tcp-flags ALL SYN -j LOG --log-prefix " SID275 "	#Cannot convert: seq: 6060842 id: 413	 "DOS NAPTHA" url,razor.bindview.com/publish/advisories/adv_NAPTHA.html classtype:attempted-dos sid:275
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 7070 --tcp-flags ACK ACK -m string --string "ÿôÿý" -j LOG --log-prefix " SID276 "	# "DOS Real Audio Server" bugtraq,1288 cve,CVE-2000-0474 arachnids,411 classtype:attempted-dos sid:276
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 7070 --tcp-flags ACK ACK -m string --string "/viewsource/template.html?" -j LOG --log-prefix " SID277 "	# "DOS Real Server template.html" nocase-ignored cve,CVE-2000-0474 bugtraq,1288 classtype:attempted-dos sid:277
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 8080 --tcp-flags ACK ACK -m string --string "/viewsource/template.html?" -j LOG --log-prefix " SID278 "	# "DOS Real Server template.html" nocase-ignored cve,CVE-2000-0474 bugtraq,1288 classtype:attempted-dos sid:278
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 161 -j LOG --log-prefix " SID279 "	#Cannot convert: dsize:0	 "DOS Bay/Nortel Nautica Marlin" bugtraq,1009 cve,CVE-2000-0221 classtype:attempted-dos sid:279
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 9 -m string --string "NAMENAME" -j LOG --log-prefix " SID281 "	# "DOS Ascend Route" bugtraq,714 cve,CVE-1999-0060 arachnids,262 classtype:attempted-dos sid:281
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 617 --tcp-flags ACK ACK -j LOG --log-prefix " SID282 "	#Cannot convert: dsize: >1445	 "DOS arkiea backup" bugtraq,662 cve,CVE-1999-0788 arachnids,261 classtype:attempted-dos sid:282
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags URG URG -j LOG --log-prefix " SID1257 "	# "DOS Winnuke attack" bugtraq,2010 cve,CVE-1999-0153 classtype: attempted-dos sid:1257
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 8 -m string --string "1234" -j LOG --log-prefix " SID221 "	#Cannot convert: id: 678	 "DDOS TFN Probe" arachnids,443 classtype:attempted-recon sid:221
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 0 -m string --string "AAAAAAAAAA" -j LOG --log-prefix " SID222 "	#Cannot convert: icmp_id: 0	 "DDOS tfn2k icmp possible communication" arachnids,425 classtype:attempted-dos sid:222
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 31335 -m string --string "PONG" -j LOG --log-prefix " SID223 "	# "DDOS Trin00:DaemontoMaster(PONGdetected)" arachnids,187 classtype:attempted-recon sid:223
#iptables -A SnortRules -p icmp -s 3.3.3.3/32 -d $EXTERNAL_NET --icmp-type 0 -j LOG --log-prefix " SID224 "	#Cannot convert: icmp_id: 666	 "DDOS Stacheldraht server-spoof" arachnids,193 classtype:attempted-dos sid:224
#iptables -A SnortRules -p icmp -s $HOME_NET -d $EXTERNAL_NET -m string --string "sicken" --icmp-type 0 -j LOG --log-prefix " SID225 "	#Cannot convert: icmp_id: 669	 "DDOS Stacheldraht server-response-gag" arachnids,195 classtype:attempted-dos sid:225
#iptables -A SnortRules -p icmp -s $HOME_NET -d $EXTERNAL_NET -m string --string "ficken" --icmp-type 0 -j LOG --log-prefix " SID226 "	#Cannot convert: icmp_id: 667	 "DDOS Stacheldraht server-response" arachnids,191 classtype:attempted-dos sid:226
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "spoofworks" --icmp-type 0 -j LOG --log-prefix " SID227 "	#Cannot convert: icmp_id: 1000	 "DDOS Stacheldraht client-spoofworks" arachnids,192 classtype:attempted-dos sid:227
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 0 -j LOG --log-prefix " SID228 "	#Cannot convert: icmp_id: 456 icmp_seq: 0	 "DDOS TFN client command BE" arachnids,184 classtype:attempted-dos sid:228
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "skillz" --icmp-type 0 -j LOG --log-prefix " SID229 "	#Cannot convert: icmp_id: 666	 "DDOS Stacheldraht client-check" arachnids,190 classtype:attempted-dos sid:229
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 20432 --tcp-flags ACK ACK -j LOG --log-prefix " SID230 "	# "DDOS shaft client to handler" arachnids,254 classtype:attempted-dos sid:230
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 31335 -m string --string "l44" -j LOG --log-prefix " SID231 "	# "DDOS Trin00:DaemontoMaster(messagedetected)" arachnids,186 classtype:attempted-dos sid:231
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 31335 -m string --string "*HELLO*" -j LOG --log-prefix " SID232 "	# "DDOS Trin00:DaemontoMaster(*HELLO*detected)" arachnids,185 url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm classtype:attempted-dos sid:232
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 27665 --tcp-flags ACK ACK -m string --string "betaalmostdone" -j LOG --log-prefix " SID233 "	# "DDOS Trin00:Attacker to Master default startup password" arachnids,197 classtype:attempted-dos sid:233
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 27665 --tcp-flags ACK ACK -m string --string "gOrave" -j LOG --log-prefix " SID234 "	# "DDOS Trin00 Attacker to Master default password" classtype:attempted-dos sid:234
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 27665 --tcp-flags ACK ACK -m string --string "killme" -j LOG --log-prefix " SID235 "	# "DDOS Trin00 Attacker to Master default mdie password" classtype:bad-unknown sid:235
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "gesundheit" --icmp-type 0 -j LOG --log-prefix " SID236 "	#Cannot convert: icmp_id: 668	 "DDOS Stacheldraht client-check-gag" arachnids,194 classtype:attempted-dos sid:236
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 27444 -m string --string "l44adsl" -j LOG --log-prefix " SID237 "	# "DDOS Trin00:MastertoDaemon(defaultpassdetected!)" arachnids,197 classtype:attempted-dos sid:237
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "shell bound to port" --icmp-type 0 -j LOG --log-prefix " SID238 "	#Cannot convert: icmp_id: 123 icmp_seq: 0	 "DDOS TFN server response" arachnids,182 classtype:attempted-dos sid:238
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 18753 -m string --string "alive tijgu" -j LOG --log-prefix " SID239 "	# "DDOS shaft handler to agent" arachnids,255 classtype:attempted-dos sid:239
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 20433 -m string --string "alive" -j LOG --log-prefix " SID240 "	# "DDOS shaft agent to handler" arachnids,256 classtype:attempted-dos sid:240
#iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --tcp-flags ALL SYN -j LOG --log-prefix " SID241 "	#Cannot convert: seq: 674711609	 "DDOS shaft synflood" arachnids,253 classtype:attempted-dos sid:241
#iptables -A SnortRules -p tcp -d $HOME_NET -s $EXTERNAL_NET --tcp-flags ALL SYN -j LOG --log-prefix " SID241 "	#Cannot convert: seq: 674711609	 "DDOS shaft synflood" arachnids,253 classtype:attempted-dos sid:241
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 6838 -m string --string "newserver" -j LOG --log-prefix " SID243 "	# "DDOS mstream agent to handler" classtype:attempted-dos sid:243
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 10498 -m string --string "stream/" -j LOG --log-prefix " SID244 "	# "DDOS mstream handler to agent" cve,CAN-2000-0138 classtype:attempted-dos sid:244
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 10498 -m string --string "ping" -j LOG --log-prefix " SID245 "	# "DDOS mstream handler ping to agent" cve,CAN-2000-0138 classtype:attempted-dos sid:245
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 10498 -m string --string "pong" -j LOG --log-prefix " SID246 "	# "DDOS mstream agent pong to handler" classtype:attempted-dos sid:246
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 12754 -m string --string ">" --tcp-flags ACK ACK -j LOG --log-prefix " SID247 "	# "DDOS mstream client to handler" cve,CAN-2000-0138 classtype:attempted-dos sid:247
iptables -A SnortRules -p tcp -s $HOME_NET --sport 12754 -d $EXTERNAL_NET -m string --string ">" --tcp-flags ACK ACK -j LOG --log-prefix " SID248 "	# "DDOS mstream handler to client" cve,CAN-2000-0138 classtype:attempted-dos sid:248
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 15104 --tcp-flags ALL SYN -j LOG --log-prefix " SID249 "	# "DDOS mstream client to handler" arachnids,111 cve,CAN-2000-0138 classtype:attempted-dos sid:249
iptables -A SnortRules -p tcp -s $HOME_NET --sport 15104 -d $EXTERNAL_NET -m string --string ">" --tcp-flags ACK ACK -j LOG --log-prefix " SID250 "	# "DDOS mstream handler to client" cve,CAN-2000-0138 classtype:attempted-dos sid:250
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 0 -j LOG --log-prefix " SID251 "	#Cannot convert: icmp_id: 51201 icmp_seq: 0	 "DDOS - TFN client command LE" arachnids,183 classtype:attempted-dos sid:251
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "	€" -j LOG --log-prefix " SID252 "	# "DNS named iquery attempt" arachnids,277 cve,CVE-1999-0009 bugtraq,134 url,www.rfc-editor.org/rfc/rfc1035.txt classtype:attempted-recon sid:252
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 53 -d $HOME_NET -m string --string "…€" --string "À<" -j LOG --log-prefix " SID253 "	# "DNS SPOOF query response PTR with TTL: 1 min. and no authority" classtype:bad-unknown sid:253
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 53 -d $HOME_NET -m string --string "€" --string "À<" -j LOG --log-prefix " SID254 "	# "DNS SPOOF query response with ttl: 1 min. and no authority" classtype:bad-unknown sid:254
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "ü" --tcp-flags ACK ACK -j LOG --log-prefix " SID255 "	# "DNS zone transfer" arachnids,212 classtype:attempted-recon sid:255
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "authors" --string "bind" -j LOG --log-prefix " SID256 "	# "DNS named authors attempt" nocase-ignored arachnids,480 classtype:attempted-recon sid:256
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "version" --string "bind" -j LOG --log-prefix " SID257 "	# "DNS named version attempt" nocase-ignored arachnids,278 classtype:attempted-recon sid:257
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "../../../../../../../../../" -j LOG --log-prefix " SID258 "	# "DNS EXPLOIT named 8.2->8.2.1" cve,CVE-1999-0833 classtype:attempted-admin sid:258
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool" -j LOG --log-prefix " SID259 "	# "DNS EXPLOIT named overflow" cve,CVE-1999-0833 classtype:attempted-admin sid:259
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "ADMROCKS" -j LOG --log-prefix " SID260 "	# "DNS EXPLOIT named" cve,CVE-1999-0833 classtype:attempted-admin sid:260
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "Í€è×ÿÿÿ/bin/sh" -j LOG --log-prefix " SID261 "	# "DNS EXPLOIT named" classtype:attempted-admin sid:261
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "1À°?1Û³ÿ1ÉÍ€1À" -j LOG --log-prefix " SID262 "	# "DNS EXPLOIT x86 linux" classtype:attempted-admin sid:262
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "1À°Í€…ÀuLëL^°" -j LOG --log-prefix " SID264 "	# "DNS EXPLOIT x86 linux" classtype:attempted-admin sid:264
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "‰÷)Ç‰ó‰ù‰ò¬<þ" -j LOG --log-prefix " SID265 "	# "DNS EXPLOIT x86 linux ADMv2" classtype:attempted-admin sid:265
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "ën^Æš1É‰NÆF" -j LOG --log-prefix " SID266 "	# "DNS EXPLOIT x86 freebsd" classtype:attempted-admin sid:266
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "À ’ Ð#¿ø" -j LOG --log-prefix " SID267 "	# "DNS EXPLOIT sparc" classtype:attempted-admin sid:267
iptables -A SnortRules -p udp --dport 69 -m string --string "Admin.dlloctet" -j LOG --log-prefix " SID1289 "	# "TFTP GET Admin.dll" classtype:successful-admin url,www.cert.org/advisories/CA-2001-26.html sid:1289
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 69 -m string --string "" -j LOG --log-prefix " SID518 "	# "TFTP Write" cve,CVE-1999-0183 arachnids,148 classtype:bad-unknown sid:518
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 69 -m string --string ".." -j LOG --log-prefix " SID519 "	# "TFTP parent directory" arachnids,137 cve,CVE-1999-0183 classtype:bad-unknown sid:519
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 69 -m string --string "/" -j LOG --log-prefix " SID520 "	# "TFTP root directory" arachnids,138 cve,CVE-1999-0183 classtype:bad-unknown sid:520
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/hsx.cgi" --string "../../" --string "%00" --tcp-flags ACK ACK -j LOG --log-prefix " SID803 "	# "WEB-CGI HyperSeek directory traversal attempt" bugtraq,2314 cve,CAN-2001-0253 classtype:web-application-attack sid:803
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/s.cgi" --string "tmpl=" --tcp-flags ACK ACK -j LOG --log-prefix " SID804 "	#Cannot convert: dsize:>500	 "WEB-CGI SWSoft ASPSeek Overflow attempt" nocase-ignored bugtraq,2492 classtype:web-application-attack sid:804
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/wsisa.dll/WService=" --string "WSMadmin" -j LOG --log-prefix " SID805 "	# "WEB-CGI webspeed access" nocase-ignored nocase-ignored arachnids,467 classtype:attempted-user sid:805
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/YaBB.pl" --string "../" -j LOG --log-prefix " SID806 "	# "WEB-CGI yabb access" arachnids,462 classtype:attempted-recon sid:806
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/wwwboard/passwd.txt" -j LOG --log-prefix " SID807 "	# "WEB-CGI wwwboard passwd access" nocase-ignored arachnids,463 cve,CVE-1999-0953 bugtraq,649 classtype:attempted-recon sid:807
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webdriver" -j LOG --log-prefix " SID808 "	# "WEB-CGI webdriver access" nocase-ignored arachnids,473 classtype:attempted-recon sid:808
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/whois_raw.cgi?" --string "" -j LOG --log-prefix " SID809 "	# "WEB-CGI whoisraw attempt" arachnids,466 classtype:web-application-attack sid:809
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/whois_raw.cgi" -j LOG --log-prefix " SID810 "	# "WEB-CGI whoisraw access" arachnids,466 classtype:attempted-recon sid:810
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string " /HTTP/1." -j LOG --log-prefix " SID811 "	# "WEB-CGI websitepro path access" nocase-ignored arachnids,468 classtype:attempted-recon sid:811
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webplus?about " -j LOG --log-prefix " SID812 "	# "WEB-CGI webplus version access" nocase-ignored arachnids,470 classtype:attempted-recon sid:812
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webplus?script" --string "../" -j LOG --log-prefix " SID813 "	# "WEB-CGI webplus directory trasversal" nocase-ignored arachnids,471 classtype:web-application-attack sid:813
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/websendmail" -j LOG --log-prefix " SID815 "	# "WEB-CGI websendmail access" nocase-ignored cve,CVE-1999-0196 arachnids,469 bugtraq,2077 classtype:attempted-recon sid:815
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/dcboard.cgi" --string "command=register" --string "%7cadmin" -j LOG --log-prefix " SID817 "	# "WEB-CGI dcforum.cgi invalid user addition attempt" classtype:web-application-attack sid:817
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/dcforum.cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID818 "	# "WEB-CGI dcforum.cgi access" classtype:attempted-recon sid:818
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/mmstdod.cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID819 "	# "WEB-CGI mmstdod.cgi access" nocase-ignored classtype:attempted-recon sid:819
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/apexec.pl" --string "template=../" -j LOG --log-prefix " SID820 "	# "WEB-CGI anaconda directory transversal attempt" nocase-ignored cve,CVE-2000-0975 bugtraq,2388 classtype:web-application-attack sid:820
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ALL ACK -m string --string "/imagemap.exe?" -j LOG --log-prefix " SID821 "	#Cannot convert: dsize: >1000	 "WEB-CGI imagemap overflow attempt" nocase-ignored arachnids,412 classtype:web-application-attack sid:821
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cvsweb.cgi" -j LOG --log-prefix " SID823 "	# "WEB-CGI cvsweb.cgi access" nocase-ignored cve,CVE-2000-0670 bugtraq,1469 classtype:attempted-recon sid:823
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/php.cgi" -j LOG --log-prefix " SID824 "	# "WEB-CGI php access" nocase-ignored bugtraq,2250 arachnids,232 classtype:attempted-recon sid:824
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/glimpse" -j LOG --log-prefix " SID825 "	# "WEB-CGI glimpse access" nocase-ignored bugtraq,2026 classtype:attempted-recon sid:825
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/htmlscript" -j LOG --log-prefix " SID826 "	# "WEB-CGI htmlscript access" nocase-ignored bugtraq,2001 cve,CVE-1999-0264 classtype:attempted-recon sid:826
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/info2www" -j LOG --log-prefix " SID827 "	# "WEB-CGI info2www access" nocase-ignored bugtraq,1995 cve,CVE-1999-0266 classtype:attempted-recon sid:827
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/maillist.pl" -j LOG --log-prefix " SID828 "	# "WEB-CGI maillist.pl access" nocase-ignored classtype:attempted-recon sid:828
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/nph-test-cgi" -j LOG --log-prefix " SID829 "	# "WEB-CGI nph-test-cgi access" nocase-ignored arachnids,224 cve,CVE-1999-0045 bugtraq,686 classtype:attempted-recon sid:829
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/nph-publish" -j LOG --log-prefix " SID830 "	# "WEB-CGI NPH-publish access" nocase-ignored classtype:attempted-recon sid:830
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/perl.exe" -j LOG --log-prefix " SID832 "	# "WEB-CGI perl.exe access" nocase-ignored arachnids,219 classtype:attempted-recon sid:832
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/rguest.exe" -j LOG --log-prefix " SID833 "	# "WEB-CGI rguest.exe access" nocase-ignored cve,CAN-1999-0467 bugtraq,2024 classtype:attempted-recon sid:833
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/rwwwshell.pl" -j LOG --log-prefix " SID834 "	# "WEB-CGI rwwwshell.pl access" nocase-ignored classtype:attempted-recon sid:834
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/test-cgi" -j LOG --log-prefix " SID835 "	# "WEB-CGI test-cgi access" nocase-ignored cve,CVE-1999-0070 arachnids,218 classtype:attempted-recon sid:835
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/textcounter.pl" -j LOG --log-prefix " SID836 "	# "WEB-CGI testcounter.pl access" nocase-ignored classtype:attempted-recon sid:836
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/uploader.exe" -j LOG --log-prefix " SID837 "	# "WEB-CGI uploader.exe access" nocase-ignored cve,CVE-1999-0177 classtype:attempted-recon sid:837
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webgais" -j LOG --log-prefix " SID838 "	# "WEB-CGI webgais access" nocase-ignored arachnids,472 bugtraq,2058 cve,CVE-1999-0176 classtype:attempted-recon sid:838
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/finger" -j LOG --log-prefix " SID839 "	# "WEB-CGI finger access" nocase-ignored arachnids,221 cve,CVE-1999-0612 classtype:attempted-recon sid:839
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/perlshop.cgi" -j LOG --log-prefix " SID840 "	# "WEB-CGI perlshop.cgi access" nocase-ignored classtype:attempted-recon sid:840
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/pfdisplay.cgi" -j LOG --log-prefix " SID841 "	# "WEB-CGI pfdisplay.cgi access" nocase-ignored bugtraq,64 cve,CVE-1999-0270 classtype:attempted-recon sid:841
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/aglimpse" -j LOG --log-prefix " SID842 "	# "WEB-CGI aglimpse access" nocase-ignored cve,CVE-1999-0147 bugtraq,2026 classtype:attempted-recon sid:842
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/AnForm2" -j LOG --log-prefix " SID843 "	# "WEB-CGI anform2 access" nocase-ignored cve,CVE-1999-0066 arachnids,225 classtype:attempted-recon sid:843
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/args.bat" -j LOG --log-prefix " SID844 "	# "WEB-CGI args.bat access" nocase-ignored classtype:attempted-recon sid:844
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/AT-admin.cgi" -j LOG --log-prefix " SID845 "	# "WEB-CGI AT-admin.cgi access" nocase-ignored classtype:attempted-recon sid:845
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bnbform.cgi" -j LOG --log-prefix " SID846 "	# "WEB-CGI bnbform.cgi access" nocase-ignored cve,CVE-1999-0937 bugtraq,1469 classtype:attempted-recon sid:846
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/campas" -j LOG --log-prefix " SID847 "	# "WEB-CGI campas access" nocase-ignored cve,CVE-1999-0146 bugtraq,1975 classtype:attempted-recon sid:847
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/view-source" --string "../" -j LOG --log-prefix " SID848 "	# "WEB-CGI view-source directory traversal" nocase-ignored nocase-ignored cve,CVE-1999-0174 classtype:web-application-attack sid:848
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/view-source" -j LOG --log-prefix " SID849 "	# "WEB-CGI view-source access" nocase-ignored cve,CVE-1999-0174 classtype:attempted-recon sid:849
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/wais.pl" -j LOG --log-prefix " SID850 "	# "WEB-CGI wais.p access" nocase-ignored classtype:attempted-recon sid:850
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/files.pl" -j LOG --log-prefix " SID851 "	# "WEB-CGI files.pl access" nocase-ignored classtype:attempted-recon sid:851
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/wguest.exe" -j LOG --log-prefix " SID852 "	# "WEB-CGI wguest.exe access" nocase-ignored cve,CAN-1999-0467 bugtraq,2024 classtype:attempted-recon sid:852
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/wrap" -j LOG --log-prefix " SID853 "	# "WEB-CGI wrap access" bugtraq,373 arachnids,234 cve,CVE-1999-0149 classtype:attempted-recon sid:853
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/classifieds.cgi" -j LOG --log-prefix " SID854 "	# "WEB-CGI classifieds.cgi access" nocase-ignored bugtraq,2020 cve,CVE-1999-0934 classtype:attempted-recon sid:854
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/edit.pl" -j LOG --log-prefix " SID855 "	# "WEB-CGI edit.pl access" nocase-ignored classtype:attempted-recon sid:855
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/environ.cgi" -j LOG --log-prefix " SID856 "	# "WEB-CGI environ.cgi access" nocase-ignored classtype:attempted-recon sid:856
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/faxsurvey" -j LOG --log-prefix " SID857 "	# "WEB-CGI faxsurvey access" nocase-ignored cve,CVE-1999-0262 bugtraq,2056 classtype:attempted-recon sid:857
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/filemail.pl" -j LOG --log-prefix " SID858 "	# "WEB-CGI filemail access" nocase-ignored classtype:attempted-recon sid:858
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/man.sh" -j LOG --log-prefix " SID859 "	# "WEB-CGI man.sh access" nocase-ignored classtype:attempted-recon sid:859
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/snork.bat" -j LOG --log-prefix " SID860 "	# "WEB-CGI snork.bat access" nocase-ignored bugtraq,1053 cve,CVE-2000-0169 arachnids,220 classtype:attempted-recon sid:860
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/w3-msql/" -j LOG --log-prefix " SID861 "	# "WEB-CGI w3-msql access" nocase-ignored bugtraq,591 cve,CVE-1999-0276 arachnids,210 classtype:attempted-recon sid:861
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/csh" -j LOG --log-prefix " SID862 "	# "WEB-CGI csh access" nocase-ignored cve,CAN-1999-0509 classtype:attempted-recon sid:862
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/zsh" -j LOG --log-prefix " SID1309 "	# "WEB-CGI zsh access" nocase-ignored cve,CAN-1999-0509 classtype:attempted-recon sid:1309
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/day5datacopier.cgi" -j LOG --log-prefix " SID863 "	# "WEB-CGI day5datacopier.cgi access" nocase-ignored classtype:attempted-recon sid:863
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/day5datanotifier.cgi" -j LOG --log-prefix " SID864 "	# "WEB-CGI day5datanotifier.cgi access" nocase-ignored classtype:attempted-recon sid:864
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ksh" -j LOG --log-prefix " SID865 "	# "WEB-CGI ksh access" nocase-ignored cve,CAN-1999-0509 classtype:attempted-recon sid:865
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/post-query" -j LOG --log-prefix " SID866 "	# "WEB-CGI post-query access" nocase-ignored classtype:attempted-recon sid:866
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/visadmin.exe" -j LOG --log-prefix " SID867 "	# "WEB-CGI visadmin.exe access" nocase-ignored bugtraq,1808 cve,CAN-1999-1970 classtype:attempted-recon sid:867
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/rsh" -j LOG --log-prefix " SID868 "	# "WEB-CGI rsh access" nocase-ignored cve,CAN-1999-0509 classtype:attempted-recon sid:868
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/dumpenv.pl" -j LOG --log-prefix " SID869 "	# "WEB-CGI dumpenv.pl access" nocase-ignored classtype:attempted-recon sid:869
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/snorkerz.cmd" -j LOG --log-prefix " SID870 "	# "WEB-CGI snorkerz.cmd access" nocase-ignored classtype:attempted-recon sid:870
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/survey.cgi" -j LOG --log-prefix " SID871 "	# "WEB-CGI survey.cgi access" nocase-ignored bugtraq,1817 cve,CVE-1999-0936 classtype:attempted-recon sid:871
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/tcsh" -j LOG --log-prefix " SID872 "	# "WEB-CGI tcsh access" nocase-ignored cve,CAN-1999-0509 classtype:attempted-recon sid:872
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "///" -j LOG --log-prefix " SID873 "	# "WEB-CGI scriptalias access" cve,CVE-1999-0236 bugtraq,2300 arachnids,227 classtype:attempted-recon sid:873
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/shA-cA/usr/openwin" -j LOG --log-prefix " SID874 "	# "WEB-CGI w3-msql solaris x86 access" nocase-ignored cve,CVE-1999-0276 arachnids,211 classtype:attempted-recon sid:874
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/win-c-sample.exe" -j LOG --log-prefix " SID875 "	# "WEB-CGI win-c-sample.exe access" nocase-ignored bugtraq,2078 arachnids,231 cve,CVE-1999-0178 classtype:attempted-recon sid:875
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/rksh" -j LOG --log-prefix " SID877 "	# "WEB-CGI rksh access" nocase-ignored cve,CAN-1999-0509 classtype:attempted-recon sid:877
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/w3tvars.pm" -j LOG --log-prefix " SID878 "	# "WEB-CGI w2tvars.pm access" nocase-ignored classtype:attempted-recon sid:878
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admin.pl" -j LOG --log-prefix " SID879 "	# "WEB-CGI admin.pl access" nocase-ignored classtype:attempted-recon sid:879
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/LWGate" -j LOG --log-prefix " SID880 "	# "WEB-CGI LWGate access" nocase-ignored classtype:attempted-recon sid:880
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/archie" -j LOG --log-prefix " SID881 "	# "WEB-CGI archie access" nocase-ignored classtype:attempted-recon sid:881
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/calendar" -j LOG --log-prefix " SID882 "	# "WEB-CGI calendar access" nocase-ignored classtype:attempted-recon sid:882
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/flexform" -j LOG --log-prefix " SID883 "	# "WEB-CGI flexform access" nocase-ignored classtype:attempted-recon sid:883
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/formmail" -j LOG --log-prefix " SID884 "	# "WEB-CGI formmail access" nocase-ignored bugtraq,1187 cve,CVE-1999-0172 arachnids,226 classtype:attempted-recon sid:884
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bash" -j LOG --log-prefix " SID885 "	# "WEB-CGI bash access" nocase-ignored cve,CAN-1999-0509 classtype:attempted-recon sid:885
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/phf" -j LOG --log-prefix " SID886 "	# "WEB-CGI phf access" nocase-ignored bugtraq,629 arachnids,128 cve,CVE-1999-0067 classtype:attempted-recon sid:886
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/www-sql" -j LOG --log-prefix " SID887 "	# "WEB-CGI www-sql access" nocase-ignored classtype:attempted-recon sid:887
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/wwwadmin.pl" -j LOG --log-prefix " SID888 "	# "WEB-CGI wwwadmin.pl access" nocase-ignored classtype:attempted-recon sid:888
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ppdscgi.exe" -j LOG --log-prefix " SID889 "	# "WEB-CGI ppdscgi.exe access" nocase-ignored bugtraq,491 classtype:attempted-recon sid:889
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/sendform.cgi" -j LOG --log-prefix " SID890 "	# "WEB-CGI sendform.cgi access" nocase-ignored classtype:attempted-recon sid:890
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/upload.pl" -j LOG --log-prefix " SID891 "	# "WEB-CGI upload.pl access" nocase-ignored classtype:attempted-recon sid:891
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/AnyForm2" -j LOG --log-prefix " SID892 "	# "WEB-CGI AnyForm2 access" nocase-ignored bugtraq,719 cve,CVE-1999-0066 classtype:attempted-recon sid:892
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/MachineInfo" -j LOG --log-prefix " SID893 "	# "WEB-CGI MachineInfo access" nocase-ignored classtype:attempted-recon sid:893
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bb-hist.sh" -j LOG --log-prefix " SID894 "	# "WEB-CGI bb-hist.sh access" nocase-ignored bugtraq,142 classtype:attempted-recon sid:894
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/redirect" -j LOG --log-prefix " SID895 "	# "WEB-CGI redirect access" nocase-ignored bugtraq,1179 cve,CVE-2000-0382 classtype:attempted-recon sid:895
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/way-board/way-board.cgi" --string "db=" --string "../.." --tcp-flags ACK ACK -j LOG --log-prefix " SID1397 "	# "WEB-CGI wayboard attempt" nocase-ignored bugtraq,2370 cve,CAN-2001-0214 classtype:web-application-attack sid:1397
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/way-board" --tcp-flags ACK ACK -j LOG --log-prefix " SID896 "	# "WEB-CGI wayboard access" nocase-ignored bugtraq,2370 classtype:web-application-activity sid:896
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/pals-cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID897 "	# "WEB-CGI pals-cgi access" nocase-ignored cve,CAN-2001-0216 cve,CAN-2001-0217 bugtraq,2372 classtype:attempted-recon sid:897
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/commerce.cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID898 "	# "WEB-CGI commerce.cgi access" nocase-ignored classtype:attempted-recon sid:898
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/sendtemp.pl" --string "templ=" --tcp-flags ACK ACK -j LOG --log-prefix " SID899 "	# "WEB-CGI Amaya templates sendtemp.pl directory traversal attempt" nocase-ignored nocase-ignored bugtraq,2504 classtype:web-application-attack sid:899
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/webspirs.cgi" --string "../../" --tcp-flags ACK ACK -j LOG --log-prefix " SID900 "	# "WEB-CGI webspirs directory traversal attempt" nocase-ignored nocase-ignored bugtraq,2362 classtype:web-application-attack sid:900
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/webspirs.cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID901 "	# "WEB-CGI webspirs access" nocase-ignored bugtraq,2362 classtype:attempted-recon sid:901
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "tstisapi.dll" --tcp-flags ACK ACK -j LOG --log-prefix " SID902 "	# "WEB-CGI tstisapi.dll access" nocase-ignored classtype:attempted-recon sid:902
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/sendmessage.cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID1308 "	# "WEB-CGI sendmessage.cgi access" nocase-ignored classtype:attempted-recon sid:1308
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/lastlines.cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID1392 "	# "WEB-CGI lastlines.cgi access" nocase-ignored bugtraq,3755 bugtraq,3754 classtype:attempted-recon sid:1392
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/zml.cgi" --string "file=../" -j LOG --log-prefix " SID1395 "	# "WEB-CGI zml.cgi attempt" bugtraq,3759 classtype:web-application-activity sid:1395
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/zml.cgi" -j LOG --log-prefix " SID1396 "	# "WEB-CGI zml.cgi access" bugtraq,3759 classtype:web-application-activity sid:1396
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfcache.map" -j LOG --log-prefix " SID903 "	# "WEB-COLDFUSION cfcache.map access" nocase-ignored bugtraq,917 cve,CVE-2000-0057 classtype:attempted-recon sid:903
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/exampleapp/email/application.cfm" -j LOG --log-prefix " SID904 "	# "WEB-COLDFUSION exampleapp application.cfm" nocase-ignored bugtraq,1021 classtype:attempted-recon sid:904
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/exampleapp/publish/admin/application.cfm" -j LOG --log-prefix " SID905 "	# "WEB-COLDFUSION application.cfm access" nocase-ignored bugtraq,1021 classtype:attempted-recon sid:905
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/exampleapp/email/getfile.cfm" -j LOG --log-prefix " SID906 "	# "WEB-COLDFUSION getfile.cfm access" nocase-ignored bugtraq,229 classtype:attempted-recon sid:906
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/exampleapp/publish/admin/addcontent.cfm" -j LOG --log-prefix " SID907 "	# "WEB-COLDFUSION addcontent.cfm access" nocase-ignored classtype:attempted-recon sid:907
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/cfide/administrator/index.cfm" --tcp-flags ACK ACK -j LOG --log-prefix " SID908 "	# "WEB-COLDFUSION administrator access" nocase-ignored classtype:attempted-recon sid:908
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CF_SETDATASOURCEUSERNAME()" -j LOG --log-prefix " SID909 "	# "WEB-COLDFUSION datasource username attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:909
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/snippets/fileexists.cfm" -j LOG --log-prefix " SID910 "	# "WEB-COLDFUSION fileexists.cfm access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:910
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/expeval/exprcalc.cfm" -j LOG --log-prefix " SID911 "	# "WEB-COLDFUSION exprcalc access" nocase-ignored cve,CVE-1999-0455 bugtraq,550 classtype:attempted-recon sid:911
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/examples/parks/detail.cfm" -j LOG --log-prefix " SID912 "	# "WEB-COLDFUSION parks access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:912
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfappman/index.cfm" -j LOG --log-prefix " SID913 "	# "WEB-COLDFUSION cfappman access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:913
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/examples/cvbeans/beaninfo.cfm" -j LOG --log-prefix " SID914 "	# "WEB-COLDFUSION beaninfo access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:914
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/snippets/evaluate.cfm" -j LOG --log-prefix " SID915 "	# "WEB-COLDFUSION evaluate.cfm access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:915
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_GETODBCDSN()" -j LOG --log-prefix " SID916 "	# "WEB-COLDFUSION getodbcdsn access" nocase-ignored bugtraq,550 classtype:web-application-attack sid:916
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_DBCONNECTIONS_FLUSH()" -j LOG --log-prefix " SID917 "	# "WEB-COLDFUSION db connections flush attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:917
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/expeval/" -j LOG --log-prefix " SID918 "	# "WEB-COLDFUSION expeval access" nocase-ignored bugtraq,550 cve,CAN-1999-0477 classtype:attempted-user sid:918
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CF_SETDATASOURCEPASSWORD()" -j LOG --log-prefix " SID919 "	# "WEB-COLDFUSION datasource passwordattempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:919
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CF_ISCOLDFUSIONDATASOURCE()" -j LOG --log-prefix " SID920 "	# "WEB-COLDFUSION datasource attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:920
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_ENCRYPT()" -j LOG --log-prefix " SID921 "	# "WEB-COLDFUSION admin encrypt attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:921
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/expeval/displayopenedfile.cfm" -j LOG --log-prefix " SID922 "	# "WEB-COLDFUSION displayfile access" nocase-ignored bugtraq,550 classtype:web-application-attack sid:922
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_GETODBCINI()" -j LOG --log-prefix " SID923 "	# "WEB-COLDFUSION getodbcin attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:923
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_DECRYPT()" -j LOG --log-prefix " SID924 "	# "WEB-COLDFUSION admin decrypt attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:924
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/examples/mainframeset.cfm" -j LOG --log-prefix " SID925 "	# "WEB-COLDFUSION mainframeset access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:925
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_SETODBCINI()" -j LOG --log-prefix " SID926 "	# "WEB-COLDFUSION set odbc ini attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:926
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_SETTINGS_REFRESH()" -j LOG --log-prefix " SID927 "	# "WEB-COLDFUSION settings refresh attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:927
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/exampleapp/" -j LOG --log-prefix " SID928 "	# "WEB-COLDFUSION exampleapp access" nocase-ignored classtype:attempted-recon sid:928
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_VERIFYMAIL()" -j LOG --log-prefix " SID929 "	# "WEB-COLDFUSION CFUSION_VERIFYMAIL access" nocase-ignored bugtraq,550 classtype:attempted-user sid:929
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/snippets/" -j LOG --log-prefix " SID930 "	# "WEB-COLDFUSION snippets attempt" nocase-ignored bugtraq,550 classtype:attempted-recon sid:930
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/cfmlsyntaxcheck.cfm" -j LOG --log-prefix " SID931 "	# "WEB-COLDFUSION cfmlsyntaxcheck.cfm access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:931
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/application.cfm" -j LOG --log-prefix " SID932 "	# "WEB-COLDFUSION application.cfm access" nocase-ignored bugtraq,550 arachnids,268 cve,CAN-2000-0189 classtype:attempted-recon sid:932
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/onrequestend.cfm" -j LOG --log-prefix " SID933 "	# "WEB-COLDFUSION onrequestend.cfm access" nocase-ignored bugtraq,550 arachnids,269 cve,CAN-2000-0189 classtype:attempted-recon sid:933
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/cfide/administrator/startstop.html" --tcp-flags ACK ACK -j LOG --log-prefix " SID935 "	# "WEB-COLDFUSION startstop DOS access" nocase-ignored bugtraq,247 classtype:web-application-attack sid:935
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/snippets/gettempdirectory.cfm" -j LOG --log-prefix " SID936 "	# "WEB-COLDFUSION gettempdirectory.cfm access " nocase-ignored bugtraq,550 classtype:attempted-recon sid:936
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "LOCK " -j LOG --log-prefix " SID969 "	# "WEB-IIS webdav file lock attempt" bugtraq,2736 classtype:web-application-activity sid:969
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".printer" --tcp-flags ACK ACK -j LOG --log-prefix " SID971 "	# "WEB-IIS ISAPI .printer access" nocase-ignored cve,CAN-2001-0241 arachnids,533 classtype:web-application-activity sid:971
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".ida?" --tcp-flags ACK ACK -j LOG --log-prefix " SID1243 "	#Cannot convert: dsize:>239	 "WEB-IIS ISAPI .ida attempt" nocase-ignored arachnids,552 classtype:web-application-attack cve,CAN-2000-0071 sid:1243
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".ida" --tcp-flags ACK ACK -j LOG --log-prefix " SID1242 "	# "WEB-IIS ISAPI .ida access" nocase-ignored arachnids,552 classtype:web-application-activity cve,CAN-2000-0071 sid:1242
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".idq?" --tcp-flags ACK ACK -j LOG --log-prefix " SID1244 "	#Cannot convert: dsize:>239	 "WEB-IIS ISAPI .idq attempt" nocase-ignored arachnids,553 classtype:web-application-attack cve,CAN-2000-0071 sid:1244
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".idq" --tcp-flags ACK ACK -j LOG --log-prefix " SID1245 "	# "WEB-IIS ISAPI .idq access" nocase-ignored arachnids,553 classtype:web-application-activity cve,CAN-2000-0071 sid:1245
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%2e.asp" -j LOG --log-prefix " SID972 "	# "WEB-IIS %2E-asp access" nocase-ignored bugtraq,1814 cve,CAN-1999-0253 classtype:web-application-activity sid:972
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "*.idc" -j LOG --log-prefix " SID973 "	# "WEB-IIS *.idc attempt" nocase-ignored bugtraq,1448 cve,CVE-1999-0874 classtype:web-application-attack sid:973
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "..\\.." -j LOG --log-prefix " SID974 "	# "WEB-IIS .... access" bugtraq,2218 cve,CAN-1999-0229 classtype:web-application-attack sid:974
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".asp::$data" -j LOG --log-prefix " SID975 "	# "WEB-IIS .asp$data access" nocase-ignored bugtraq,140 cve,CVE-1999-0278 classtype:web-application-attack sid:975
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".bat?" -j LOG --log-prefix " SID976 "	# "WEB-IIS .bat? access" nocase-ignored bugtraq,2023 cve,CVE-1999-0233 url,support.microsoft.com/support/kb/articles/Q148/1/88.asp url,support.microsoft.com/support/kb/articles/Q155/0/56.asp classtype:web-application-activity sid:976
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".cnf" --tcp-flags ACK ACK -j LOG --log-prefix " SID977 "	# "WEB-IIS .cnf access" nocase-ignored classtype:web-application-activity sid:977
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%20" --string "&CiRestriction=none" --string "&CiHiliteType=Full" -j LOG --log-prefix " SID978 "	# "WEB-IIS ASP contents view" nocase-ignored nocase-ignored cve,CAN-2000-0302 bugtraq,1084 classtype:web-application-attack sid:978
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".htw?CiWebHitsFile" -j LOG --log-prefix " SID979 "	# "WEB-IIS ASP contents view" bugtraq,1864 classtype:web-application-attack sid:979
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/CGImail.exe" -j LOG --log-prefix " SID980 "	# "WEB-IIS CGImail.exe access" nocase-ignored cve,CAN-2000-0726 bugtraq,1623 classtype:web-application-activity sid:980
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/scripts/..%c0%af../" --tcp-flags ACK ACK -j LOG --log-prefix " SID981 "	# "WEB-IIS File permission canonicalization" nocase-ignored classtype:web-application-attack sid:981
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/scripts/..%c1%1c../" --tcp-flags ACK ACK -j LOG --log-prefix " SID982 "	# "WEB-IIS File permission canonicalization" nocase-ignored classtype:web-application-attack sid:982
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/scripts/..%c1%9c../" --tcp-flags ACK ACK -j LOG --log-prefix " SID983 "	# "WEB-IIS File permission canonicalization" nocase-ignored classtype:web-application-attack sid:983
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/proxy/w3proxy.dll" -j LOG --log-prefix " SID986 "	# "WEB-IIS MSProxy access" nocase-ignored classtype:web-application-activity sid:986
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".htr" -j LOG --log-prefix " SID987 "	# "WEB-IIS Overflow-htr access" nocase-ignored classtype:web-application-attack sid:987
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "sam._" -j LOG --log-prefix " SID988 "	# "WEB-IIS SAM Attempt" nocase-ignored classtype:web-application-attack sid:988
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/sensepost.exe" --tcp-flags ACK ACK -j LOG --log-prefix " SID989 "	# "WEB-IIS Unicode2.pl script (File permission canonicalization)" nocase-ignored classtype:web-application-activity sid:989
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "_vti_inf.html" -j LOG --log-prefix " SID990 "	# "WEB-IIS _vti_inf access" nocase-ignored classtype:web-application-activity sid:990
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/iisadmpwd/achg.htr" -j LOG --log-prefix " SID991 "	# "WEB-IIS achg.htr access" nocase-ignored cve,CVE-1999-0407 bugtraq,2110 classtype:web-application-activity sid:991
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/iisadmin" -j LOG --log-prefix " SID993 "	# "WEB-IIS admin access" nocase-ignored classtype:web-application-attack sid:993
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/iisadmin/default.htm" -j LOG --log-prefix " SID994 "	# "WEB-IIS /scripts/iisadmin/default.htm access" nocase-ignored classtype:web-application-attack sid:994
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/iisadmin/ism.dll?http/dir" -j LOG --log-prefix " SID995 "	# "WEB-IIS ism.dll access" nocase-ignored cve,CVE-2000-0630 bugtraq,189 classtype:web-application-attack sid:995
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/iisadmpwd/anot" -j LOG --log-prefix " SID996 "	# "WEB-IIS anot.htr access" nocase-ignored bugtraq,2110 cve,CAN-1999-0407 classtype:web-application-activity sid:996
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".asp." -j LOG --log-prefix " SID997 "	# "WEB-IIS asp-dot attempt" nocase-ignored classtype:web-application-attack sid:997
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "#filename=*.asp" -j LOG --log-prefix " SID998 "	# "WEB-IIS asp-srch attempt" nocase-ignored classtype:web-application-attack sid:998
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/iisadmin/bdir.htr" -j LOG --log-prefix " SID999 "	# "WEB-IIS bdir access" nocase-ignored classtype:web-application-activity sid:999
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/bdir.htr" --tcp-flags ACK ACK -j LOG --log-prefix " SID1000 "	# "WEB-IIS bdir.ht access" nocase-ignored classtype:web-application-activity sid:1000
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "cmd.exe" -j LOG --log-prefix " SID1002 "	# "WEB-IIS cmd.exe access" nocase-ignored classtype:web-application-attack sid:1002
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".cmd?&" -j LOG --log-prefix " SID1003 "	# "WEB-IIS cmd? access" nocase-ignored classtype:web-application-attack sid:1003
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/Form_JScript.asp" --tcp-flags ACK ACK -j LOG --log-prefix " SID1007 "	# "WEB-IIS cross-site scripting attempt" nocase-ignored classtype:web-application-attack sid:1007
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/Form_VBScript.asp" --tcp-flags ACK ACK -j LOG --log-prefix " SID1380 "	# "WEB-IIS cross-site scripting attempt" nocase-ignored classtype:web-application-attack sid:1380
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "&del+/s+c:\*.*" -j LOG --log-prefix " SID1008 "	# "WEB-IIS del attempt" nocase-ignored classtype:web-application-attack sid:1008
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/ServerVariables_Jscript.asp" --tcp-flags ACK ACK -j LOG --log-prefix " SID1009 "	# "WEB-IIS directory listing" nocase-ignored classtype:web-application-attack sid:1009
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%1u" -j LOG --log-prefix " SID1010 "	# "WEB-IIS encoding access" arachnids,200 classtype:web-application-activity sid:1010
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "#filename=*.exe" -j LOG --log-prefix " SID1011 "	# "WEB-IIS exec-src access" nocase-ignored classtype:web-application-activity sid:1011
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/fpcount.exe" --string "Digits=" -j LOG --log-prefix " SID1012 "	# "WEB-IIS fpcount attempt" nocase-ignored bugtraq,2252 classtype:web-application-attack sid:1012
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/fpcount.exe" -j LOG --log-prefix " SID1013 "	# "WEB-IIS fpcount access" nocase-ignored bugtraq,2252 classtype:web-application-activity sid:1013
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/tools/getdrvs.exe" -j LOG --log-prefix " SID1015 "	# "WEB-IIS getdrvs.exe access" nocase-ignored classtype:web-application-activity sid:1015
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "global.asa" -j LOG --log-prefix " SID1016 "	# "WEB-IIS global-asa access" nocase-ignored classtype:web-application-activity sid:1016
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "#filename=*.idc" -j LOG --log-prefix " SID1017 "	# "WEB-IIS idc-srch attempt" nocase-ignored cve,CVE-1999-0874 classtype:web-application-attack sid:1017
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/iisadmpwd/aexp" -j LOG --log-prefix " SID1018 "	# "WEB-IIS iisadmpwd attempt" nocase-ignored bugtraq,2110 cve,CVE-2000-0303 classtype:web-application-attack sid:1018
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?CiWebHitsFile=/" --string "&CiRestriction=none&CiHiliteType=Full" -j LOG --log-prefix " SID1019 "	# "WEB-IIS index server file sourcecode attempt" classtype:web-application-attack sid:1019
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".idc::$data" -j LOG --log-prefix " SID1020 "	# "WEB-IIS isc$data attempt" nocase-ignored bugtraq,307 cve,CVE-1999-0874 classtype:web-application-attack sid:1020
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%20%20%20%20%20.htr" -j LOG --log-prefix " SID1021 "	# "WEB-IIS ism.dll attempt" nocase-ignored cve,CAN-2000-0457 bugtraq,1193 classtype:web-application-attack sid:1021
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/advworks/equipment/catalog_type.asp" -j LOG --log-prefix " SID1022 "	# "WEB-IIS jet vba access" nocase-ignored bugtraq,286 cve,CVE-1999-0874 classtype:web-application-activity sid:1022
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/msadc/msadcs.dll" -j LOG --log-prefix " SID1023 "	# "WEB-IIS msadc/msadcs.dll access" nocase-ignored cve,CVE-1999-1011 bugtraq,529 classtype:web-application-activity sid:1023
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/tools/newdsn.exe" -j LOG --log-prefix " SID1024 "	# "WEB-IIS newdsn.exe access" nocase-ignored bugtraq,1818 cve,CVE-1999-0191 classtype:web-application-activity sid:1024
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/perl" -j LOG --log-prefix " SID1025 "	# "WEB-IIS perl access" nocase-ignored classtype:web-application-activity sid:1025
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%0a.pl" -j LOG --log-prefix " SID1026 "	# "WEB-IIS perl-browse0a attempt" nocase-ignored classtype:web-application-attack sid:1026
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%20.pl" -j LOG --log-prefix " SID1027 "	# "WEB-IIS perl-browse20 attempt" nocase-ignored classtype:web-application-attack sid:1027
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/ " -j LOG --log-prefix " SID1029 "	# "WEB-IIS scripts-browse access" nocase-ignored classtype:web-application-attack sid:1029
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/search97.vts" -j LOG --log-prefix " SID1030 "	# "WEB-IIS search97.vts access" bugtraq,162 classtype:web-application-activity sid:1030
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/adsamples/config/site.csc" -j LOG --log-prefix " SID1038 "	# "WEB-IIS site server config access" nocase-ignored bugtraq,256 classtype:web-application-activity sid:1038
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/samples/isapi/srch.htm" -j LOG --log-prefix " SID1039 "	# "WEB-IIS srch.htm access" nocase-ignored classtype:web-application-activity sid:1039
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/srchadm" -j LOG --log-prefix " SID1040 "	# "WEB-IIS srchadm access" nocase-ignored classtype:web-application-activity sid:1040
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/uploadn.asp" -j LOG --log-prefix " SID1041 "	# "WEB-IIS uploadn.asp access" nocase-ignored classtype:web-application-activity sid:1041
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "Translate: F" -j LOG --log-prefix " SID1042 "	# "WEB-IIS view source via translate header" nocase-ignored arachnids,305 bugtraq,1578 classtype:web-application-activity sid:1042
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".htw" --tcp-flags ACK ACK -j LOG --log-prefix " SID1044 "	#Cannot convert: dsize: >400	 "WEB-IIS webhits access" arachnids,237 classtype:web-application-activity sid:1044
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/site/iisamples" -j LOG --log-prefix " SID1046 "	# "WEB-IIS site/iisamples access" nocase-ignored classtype:web-application-activity sid:1046
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "scripts/root.exe?" -j LOG --log-prefix " SID1256 "	# "WEB-IIS CodeRed v2 root.exe access" nocase-ignored classtype:web-application-attack sid:1256
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/exchange/LogonFrm.asp?" --string "mailbox=" --string "%%%" -j LOG --log-prefix " SID1283 "	# "WEB-IIS outlook web dos" nocase-ignored nocase-ignored classtype:web-application-attack bugtraq,3223 sid:1283
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/scripts/samples/" --tcp-flags ACK ACK -j LOG --log-prefix " SID1400 "	# "WEB-IIS /scripts/samples/ access" nocase-ignored classtype:web-application-attack sid:1400
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/msadc/samples/" --tcp-flags ACK ACK -j LOG --log-prefix " SID1401 "	# "WEB-IIS /msadc/samples/ access" nocase-ignored classtype:web-application-attack sid:1401
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/iissamples/" --tcp-flags ACK ACK -j LOG --log-prefix " SID1402 "	# "WEB-IIS iissamples access" nocase-ignored classtype:web-application-attack sid:1402
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%5c" --string ".." -j LOG --log-prefix " SID970 "	# "WEB-IIS multiple decode attempt" cve,CAN-2001-0333 classtype:web-application-attack sid:970
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/msdac/" -j LOG --log-prefix " SID1285 "	# "WEB-IIS msdac access" nocase-ignored classtype:web-application-activity sid:1285
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_mem_bin/" -j LOG --log-prefix " SID1286 "	# "WEB-IIS _mem_bin access" nocase-ignored classtype:web-application-activity sid:1286
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/" -j LOG --log-prefix " SID1287 "	# "WEB-IIS scripts access" nocase-ignored classtype:web-application-activity sid:1287
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/fp30reg.dll" --tcp-flags ACK ACK -j LOG --log-prefix " SID1246 "	#Cannot convert: dsize: >258	 "WEB-FRONTPAGE rad overflow attempt" nocase-ignored classtype:web-application-attack arachnids,555 bugtraq,2906 cve,CAN-2001-0341 url,www.microsoft.com/technet/security/bulletin/MS01-035.asp sid:1246
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/fp4areg.dll" --tcp-flags ACK ACK -j LOG --log-prefix " SID1247 "	#Cannot convert: dsize: >259	 "WEB-FRONTPAGE rad overflow attempt" nocase-ignored cve,CAN-2001-0341 bugtraq,2906 classtype:web-application-attack sid:1247
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/fp30reg.dll" --tcp-flags ACK ACK -j LOG --log-prefix " SID1248 "	# "WEB-FRONTPAGE rad fp30reg.dll access" nocase-ignored classtype:web-application-activity arachnids,555 bugtraq,2906 cve,CAN-2001-0341 url,www.microsoft.com/technet/security/bulletin/MS01-035.asp sid:1248
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/fp4areg.dll" --tcp-flags ACK ACK -j LOG --log-prefix " SID1249 "	# "WEB-FRONTPAGE frontpage rad fp4areg.dll access" nocase-ignored cve,CAN-2001-0341 bugtraq,2906 classtype:web-application-activity sid:1249
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_rpc" -j LOG --log-prefix " SID937 "	# "WEB-FRONTPAGE _vti_rpc access" nocase-ignored bugtraq,2144 classtype:web-application-activity sid:937
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "POST" --string "/author.dll" -j LOG --log-prefix " SID939 "	# "WEB-FRONTPAGE posting" nocase-ignored classtype:web-application-activity sid:939
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/_vti_bin/shtml.dll" --tcp-flags ACK ACK -j LOG --log-prefix " SID940 "	# "WEB-FRONTPAGE shtml.dll access" nocase-ignored arachnids,292 classtype:web-application-activity sid:940
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admcgi/contents.htm" -j LOG --log-prefix " SID941 "	# "WEB-FRONTPAGE contents.htm access" nocase-ignored classtype:web-application-activity sid:941
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/orders.htm" -j LOG --log-prefix " SID942 "	# "WEB-FRONTPAGE orders.htm access" nocase-ignored classtype:web-application-activity sid:942
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/fpsrvadm.exe" -j LOG --log-prefix " SID943 "	# "WEB-FRONTPAGE fpsrvadm.exe access" nocase-ignored classtype:web-application-activity sid:943
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/fpremadm.exe" -j LOG --log-prefix " SID944 "	# "WEB-FRONTPAGE fpremadm.exe access" nocase-ignored classtype:web-application-activity sid:944
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admisapi/fpadmin.htm" -j LOG --log-prefix " SID945 "	# "WEB-FRONTPAGE fpadmin.htm access" nocase-ignored classtype:web-application-activity sid:945
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/Fpadmcgi.exe" -j LOG --log-prefix " SID946 "	# "WEB-FRONTPAGE fpadmcgi.exe access" nocase-ignored classtype:web-application-activity sid:946
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/orders.txt" -j LOG --log-prefix " SID947 "	# "WEB-FRONTPAGE orders.txt access" nocase-ignored classtype:web-application-activity sid:947
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/form_results.txt" -j LOG --log-prefix " SID948 "	# "WEB-FRONTPAGE form_results access" nocase-ignored classtype:web-application-activity sid:948
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/registrations.htm" -j LOG --log-prefix " SID949 "	# "WEB-FRONTPAGE registrations.htm access" nocase-ignored classtype:web-application-activity sid:949
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfgwiz.exe" -j LOG --log-prefix " SID950 "	# "WEB-FRONTPAGE cfgwiz.exe access" nocase-ignored classtype:web-application-activity sid:950
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/authors.pwd" -j LOG --log-prefix " SID951 "	# "WEB-FRONTPAGE authors.pwd access" nocase-ignored classtype:web-application-activity sid:951
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_bin/_vti_aut/author.exe" -j LOG --log-prefix " SID952 "	# "WEB-FRONTPAGE author.exe access" nocase-ignored classtype:web-application-activity sid:952
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/administrators.pwd" -j LOG --log-prefix " SID953 "	# "WEB-FRONTPAGE administrators.pwd" nocase-ignored bugtraq,1205 classtype:web-application-activity sid:953
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/form_results.htm" -j LOG --log-prefix " SID954 "	# "WEB-FRONTPAGE form_results.htm access" nocase-ignored classtype:web-application-activity sid:954
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_pvt/access.cnf" -j LOG --log-prefix " SID955 "	# "WEB-FRONTPAGE access.cnf access" nocase-ignored classtype:web-application-activity sid:955
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/register.txt" -j LOG --log-prefix " SID956 "	# "WEB-FRONTPAGE register.txt access" nocase-ignored classtype:web-application-activity sid:956
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/registrations.txt" -j LOG --log-prefix " SID957 "	# "WEB-FRONTPAGE registrations.txt access" nocase-ignored classtype:web-application-activity sid:957
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_pvt/service.cnf" -j LOG --log-prefix " SID958 "	# "WEB-FRONTPAGE service.cnf access" nocase-ignored classtype:web-application-activity sid:958
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dp