HOME_NET=0/0
EXTERNAL_NET=0/0
SMTP=$HOME_NET
HTTP_SERVERS=$HOME_NET
SQL_SERVERS=$HOME_NET
DNS_SERVERS=$HOME_NET
SHELLCODE_PORTS='\! 80'
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 0 -j LOG --log-prefix " SID524 "	# "BAD TRAFFIC tcp port 0 traffic" sid:524 classtype:misc-activity
iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --sport 0 -j LOG --log-prefix " SID524 "	# "BAD TRAFFIC tcp port 0 traffic" sid:524 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 0 -j LOG --log-prefix " SID525 "	# "BAD TRAFFIC udp port 0 traffic" sid:525 classtype:misc-activity
iptables -A SnortRules -p udp -d $EXTERNAL_NET -s $HOME_NET --sport 0 -j LOG --log-prefix " SID525 "	# "BAD TRAFFIC udp port 0 traffic" sid:525 classtype:misc-activity
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL SYN -j LOG --log-prefix " SID526 "	#Cannot convert: dsize:>6	 "BAD TRAFFIC data in TCP SYN packet" url,www.cert.org/incident_notes/IN-99-07.html sid:526 classtype:misc-activity
iptables -A SnortRules -d 127.0.0.0/8 -j LOG --log-prefix " SID528 "	# "BAD TRAFFIC loopback traffic" classtype:bad-unknown url,rr.sans.org/firewall/egress.php sid:528
iptables -A SnortRules -s 127.0.0.0/8 -j LOG --log-prefix " SID528 "	# "BAD TRAFFIC loopback traffic" classtype:bad-unknown url,rr.sans.org/firewall/egress.php sid:528
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -j LOG --log-prefix " SID523 "	#Cannot convert: fragbits:R	 "BAD TRAFFIC ip reserved bit set" sid:523 classtype:misc-activity
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m ttl --ttl-eq 0 -j LOG --log-prefix " SID1321 "	#Cannot convert: EN-US q138268	 "BAD TRAFFIC 0 ttl" url,www.isi.edu/in-notes/rfc1122.txt url,support.microsoft.com/default.aspx?scid=kb sid:1321 classtype:misc-activity
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -j LOG --log-prefix " SID1322 "	#Cannot convert: fragbits:MD	 "BAD TRAFFIC bad frag bits" sid:1322 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 22 --tcp-flags ACK ACK -m string --string "/bin/sh" -j LOG --log-prefix " SID1324 "	# "EXPLOIT ssh CRC32 overflow /bin/sh" bugtraq,2347 cve,CVE-2001-0144 classtype:shellcode-detect sid:1324
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 22 --tcp-flags ACK ACK -m string --string "" -j LOG --log-prefix " SID1326 "	# "EXPLOIT ssh CRC32 overflow NOOP" bugtraq,2347 cve,CVE-2001-0144 classtype:shellcode-detect sid:1326
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 22 --tcp-flags ACK ACK -m string --string "W" --string "ÿÿÿÿ" -j LOG --log-prefix " SID1327 "	# "EXPLOIT ssh CRC32 overflow" bugtraq,2347 cve,CVE-2001-0144 classtype:shellcode-detect sid:1327
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "3É±?éQ<úG3ÀP÷ÐP" --tcp-flags ACK ACK -j LOG --log-prefix " SID283 "	# "EXPLOIT netscape 4.7 client overflow" cve,CVE-2000-1187 bugtraq,822 arachnids,215 classtype:attempted-user sid:283
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 109 --tcp-flags ACK ACK -m string --string "ë,[‰Ù€Á9Ù|€" -j LOG --log-prefix " SID284 "	# "EXPLOIT pop2 x86 linux overflow" classtype:attempted-admin sid:284
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 109 --tcp-flags ACK ACK -m string --string "ÿÿÿ/BIN/SH" -j LOG --log-prefix " SID285 "	# "EXPLOIT pop2 x86 linux overflow" classtype:attempted-admin sid:285
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 110 --tcp-flags ACK ACK -m string --string "^1À°;~‰ú‰ù" -j LOG --log-prefix " SID286 "	# "EXPLOIT pop3 x86 bsd overflow" classtype:attempted-admin sid:286
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 110 --tcp-flags ACK ACK -m string --string "h]^ÿÕÿÔÿõ‹õf1" -j LOG --log-prefix " SID287 "	# "EXPLOIT pop3 x86 bsd overflow" classtype:attempted-admin sid:287
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 110 --tcp-flags ACK ACK -m string --string "Ø@Í€èÙÿÿÿ/bin/sh" -j LOG --log-prefix " SID288 "	# "EXPLOIT pop3 x86 linux overflow" classtype:attempted-admin sid:288
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 110 --tcp-flags ACK ACK -m string --string "V1À°;~‰ù‰ù" -j LOG --log-prefix " SID289 "	# "EXPLOIT pop3 x86 sco overflow" classtype:attempted-admin sid:289
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 110 --tcp-flags ACK ACK -m string --string "èÙÿÿÿ/bin/sh" -j LOG --log-prefix " SID290 "	# "EXPLOIT qpopper overflow" bugtraq,830 cve,CAN-1999-0822 classtype:attempted-admin sid:290
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 119 --tcp-flags ACK ACK -m string --string "AUTHINFO USER" -j LOG --log-prefix " SID291 "	#Cannot convert: dsize: >512	 "EXPLOIT NNTP Cassandra Overflow" nocase-ignored cve,CAN-2000-0341 arachnids,274 classtype:attempted-user sid:291
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "ë/_ëJ^‰û‰>‰ò" -j LOG --log-prefix " SID292 "	# "EXPLOIT x86 linux samba overflow" bugtraq,1816 cve,CVE-1999-0811 cve,CVE-1999-0182 classtype:attempted-admin sid:292
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 143 --tcp-flags ACK ACK -m string --string "èÀÿÿÿ/bin/sh" -j LOG --log-prefix " SID293 "	# "EXPLOIT imap overflow" classtype:attempted-admin sid:293
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 143 --tcp-flags ACK ACK -m string --string "‰Ø@Í€èÈÿÿÿ/" -j LOG --log-prefix " SID295 "	# "EXPLOIT imap x86 linux overflow" bugtraq,130 cve,CVE-1999-0005 classtype:attempted-admin sid:295
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 143 --tcp-flags ACK ACK -m string --string "ë4^‰^1Ò‰V" -j LOG --log-prefix " SID296 "	# "EXPLOIT imap x86 linux overflow" bugtraq,130 cve,CVE-1999-0005 classtype:attempted-admin sid:296
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 143 --tcp-flags ACK ACK -m string --string "ë5^€F0€F0€F0" -j LOG --log-prefix " SID297 "	# "EXPLOIT imap x86 linux overflow" bugtraq,130 cve,CVE-1999-0005 classtype:attempted-admin sid:297
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 143 --tcp-flags ACK ACK -m string --string "ë8^‰ó‰Ø€F €F" -j LOG --log-prefix " SID298 "	# "EXPLOIT imap x86 linux overflow" bugtraq,130 cve,CVE-1999-0005 classtype:attempted-admin sid:298
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 143 --tcp-flags ACK ACK -m string --string "ëX^1ÛƒÃƒÃˆ^&" -j LOG --log-prefix " SID299 "	# "EXPLOIT imap x86 linux overflow" bugtraq,130 cve, CVE-1999-0005 classtype:attempted-admin sid:299
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 2766 --tcp-flags ACK ACK -m string --string "ë#^3ÀˆFú‰Fõ‰6" -j LOG --log-prefix " SID300 "	# "EXPLOIT nlps x86 solaris overflow" classtype:attempted-admin sid:300 bugtraq,2319
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 515 --tcp-flags ACK ACK -m string --string "C‰[K‰C°Í€1ÀþÀÍ€è”ÿÿÿ/bin/sh" -j LOG --log-prefix " SID301 "	# "EXPLOIT LPRng overflow" cve,CVE-2000-0917 bugtraq,1712 classtype:attempted-admin sid:301
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 515 --tcp-flags ACK ACK -m string --string "XXXX%.172u%300\$n" -j LOG --log-prefix " SID302 "	# "EXPLOIT redhat 7.0 lprd overflow" classtype:attempted-admin sid:302
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 6373 --tcp-flags ACK ACK -m string --string "ë]UþM˜þM›" -j LOG --log-prefix " SID304 "	# "EXPLOIT sco calserver overflow" cve,CVE-2000-0306 bugtraq,2353 classtype:attempted-admin sid:304
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 8080 --tcp-flags ACK ACK -m string --string "whois://" -j LOG --log-prefix " SID305 "	#Cannot convert: dsize: >1000	 "EXPLOIT delegate proxy overflow" nocase-ignored arachnids,267 classtype:attempted-admin sid:305 bugtraq,808 cve,CVE-2000-0165
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 9090 --tcp-flags ACK ACK -m string --string "GET / HTTP/1.1" -j LOG --log-prefix " SID306 "	# "EXPLOIT VQServer admin" nocase-ignored bugtraq,1610 cve,CAN-2000-0766 classtype:attempted-admin sid:306
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 6666:7000 --tcp-flags ACK ACK -m string --string "ëK[S2äƒÃKˆ#¸Pw" -j LOG --log-prefix " SID307 "	# "EXPLOIT IRC topic overflow" cve,CVE-1999-0672 bugtraq,573 classtype:attempted-user sid:307
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "´ ´‹Ìƒé‹3Éf¹" -j LOG --log-prefix " SID308 "	# "EXPLOIT NextFTP client overflow" bugtraq,572 cve,CVE-1999-0671 classtype:attempted-user sid:308
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "from:" -j LOG --log-prefix " SID309 "	#Cannot convert: dsize: >512	 "EXPLOIT sniffit overflow" nocase-ignored bugtraq,1158 cve,CAN-2000-0343 arachnids,273 classtype:attempted-admin sid:309
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "ëEë [ü3É±‚‹ó€+" -j LOG --log-prefix " SID310 "	# "EXPLOIT x86 windows MailMax overflow" bugtraq,2312 cve,CVE-1999-0404 classtype:attempted-admin sid:310
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 80 -m string --string "3É±?éQ<úG3ÀP÷ÐP" --tcp-flags ACK ACK -j LOG --log-prefix " SID311 "	# "EXPLOIT netscape 4.7 unsucessful overflow" cve,CVE-2000-1187 bugtraq,822 arachnids,214 classtype:unsuccessful-user sid:311
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 123 -j LOG --log-prefix " SID312 "	#Cannot convert: dsize: >128	 "EXPLOIT ntpdx overflow attempt" arachnids,492 classtype:attempted-admin sid:312
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 518 -m string --string "è" -j LOG --log-prefix " SID313 "	# "EXPLOIT ntalkd x86 linux overflow" bugtraq,210 classtype:attempted-admin sid:313
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "«Í	€    a" -j LOG --log-prefix " SID303 "	# "EXPLOIT named tsig overflow attempt" cve,CVE-2001-0010 bugtraq,2302 arachnids,482 classtype:attempted-admin sid:303
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "€?/bin/sh" -j LOG --log-prefix " SID314 "	# "EXPLOIT named tsig overflow attempt" classtype:attempted-admin sid:314 cve,CVE-2001-0010 bugtraq,2302
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 635 -m string --string "^°‰þÈ‰F°‰F" -j LOG --log-prefix " SID315 "	# "EXPLOIT x86 linux mountd overflow" cve,CVE-1999-0002 classtype:attempted-admin sid:315
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 635 -m string --string "ëV^VVV1ÒˆVˆV" -j LOG --log-prefix " SID316 "	# "EXPLOIT x86 linux mountd overflow" cve,CVE-1999-0002 classtype:attempted-admin sid:316
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 635 -m string --string "ë@^1À@‰F‰Ã@‰" -j LOG --log-prefix " SID317 "	# "EXPLOIT x86 linux mountd overflow" cve,CVE-1999-0002 classtype:attempted-admin sid:317
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 67 -m string --string "echo netrjs stre" -j LOG --log-prefix " SID318 "	# "EXPLOIT bootp x86 bsd overflow" classtype:attempted-admin sid:318 bugtraq,324 cve,CVE-1999-0914
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 67 -m string --string "A90À¨/bin/sh" -j LOG --log-prefix " SID319 "	# "EXPLOIT bootp x86 linux overflow" cve,CVE-1999-0799 cve,CAN-1999-0798 cve,CAN-1999-0389 classtype:attempted-admin sid:319
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 2224 --tcp-flags ACK ACK -m string --string "1ÛÍ€è[ÿÿÿ" -j LOG --log-prefix " SID1240 "	# "EXPLOIT MDBMS overflow" bugtraq,1252 cve,CVE-2000-0446 classtype:attempted-admin sid:1240
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 4242 --tcp-flags ACK ACK -m string --string "ÿûxÿûxÿûxÿûx" --string "@ŠÿÈ@‚ÿØ;6þ;vþ" -j LOG --log-prefix " SID1261 "	#Cannot convert: dsize:>1000	 "EXPLOIT aix pdnsd overflow" cve,CVE-1999-0745 bugtraq,3237 classtype:attempted-user sid:1261
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 4321 --tcp-flags ACK ACK -m string --string "-soa %p" -j LOG --log-prefix " SID1323 "	# "EXPLOIT rwhoisd format string attempt" cve,CAN-2001-0838 bugtraq,3474 classtype:misc-attack sid:1323
#iptables -A SnortRules -p tcp --dport 6667 --tcp-flags ACK ACK -m string --string "PRIVMSG nickserv IDENTIFY" -j LOG --log-prefix " SID1382 "	#Cannot convert: dsize:>200	 "EXPLOIT Ettercap IRC parse overflow attempt" nocase-ignored url,www.bugtraq.org/dev/GOBBLES-12.txt classtype:misc-attack sid:1382
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 6112 --tcp-flags ACK ACK -m string --string "1" --string !"000" -j LOG --log-prefix " SID1398 "	# "EXPLOIT CDE dtspcd exploit attempt" cve,CAN-2001-0803 url,www.cert.org/advisories/CA-2002-01.html classtype:misc-attack sid:1398
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 10101 -d $HOME_NET -m ttl --ttl-gt 220 --tcp-flags ALL SYN -j LOG --log-prefix " SID613 "	#Cannot convert: ack: 0	 "SCAN myscan" arachnids,439 classtype:attempted-recon sid:613
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 31790 -d $HOME_NET --dport 31789 -m string --string "A" --tcp-flags ACK ACK -j LOG --log-prefix " SID614 "	# "SCAN trojan hack-a-tack probe" arachnids,314 classtype:attempted-recon sid:614
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 1080 --tcp-flags ALL SYN -j LOG --log-prefix " SID615 "	# "SCAN Proxy attempt" url,help.undernet.org/proxyscan/ classtype:attempted-recon sid:615
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 113 --tcp-flags ACK ACK -m string --string "VERSION" -j LOG --log-prefix " SID616 "	# "SCAN ident version" arachnids,303 classtype:attempted-recon sid:616
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 3128 --tcp-flags ALL SYN -j LOG --log-prefix " SID618 "	# "INFO - Possible Squid Scan" classtype:attempted-recon sid:618
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ALL FIN,SYN -j LOG --log-prefix " SID619 "	#Cannot convert: Flag1 Flag2 dsize: 0	 "SCAN cybercop os probe" arachnids,146 classtype:attempted-recon sid:619
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 8080 --tcp-flags ALL SYN -j LOG --log-prefix " SID620 "	# "SCAN Proxy attempt" classtype:attempted-recon sid:620
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL FIN -j LOG --log-prefix " SID621 "	# "SCAN FIN" arachnids,27 classtype:attempted-recon sid:621
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL SYN -j LOG --log-prefix " SID622 "	#Cannot convert: seq: 1958810375	 "SCAN IP Eye SYN Scan" arachnids,236 classtype:attempted-recon sid:622
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL NONE -j LOG --log-prefix " SID623 "	#Cannot convert: seq:0 ack:0	 "SCAN NULL" arachnids,4 classtype:attempted-recon sid:623
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL FIN,SYN -j LOG --log-prefix " SID624 "	# "SCAN SYN FIN" arachnids,198 classtype:attempted-recon sid:624
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL ACK,FIN,PSH,SYN,RST,URG -j LOG --log-prefix " SID625 "	# "SCAN XMAS" arachnids,144 classtype:attempted-recon sid:625
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "AAAAAAAAAAAAAAAA" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID626 "	#Cannot convert: Flag1 Flag2	 "SCAN cybercop os probe" arachnids,149 classtype:attempted-recon sid:626
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "AAAAAAAAAAAAAAAA" --tcp-flags ALL FIN,SYN,URG -j LOG --log-prefix " SID627 "	#Cannot convert: Flag1 Flag2 ack: 0	 "SCAN cybercop os probe" arachnids,150 classtype:attempted-recon sid:627
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL ACK -j LOG --log-prefix " SID628 "	#Cannot convert: ack:0	 "SCAN nmap TCP" arachnids,28 classtype:attempted-recon sid:628
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL FIN,PSH,SYN,URG -j LOG --log-prefix " SID629 "	# "SCAN nmap fingerprint attempt" arachnids,05 classtype:attempted-recon sid:629
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL FIN,SYN -j LOG --log-prefix " SID630 "	#Cannot convert: id: 39426	 "SCAN synscan portscan" arachnids,441 classtype:attempted-recon sid:630
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "ehlo cybercopquit" -j LOG --log-prefix " SID631 "	# "SMTP cybercop scan ehlo" arachnids,372 classtype:attempted-recon sid:631
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "expn cybercop" -j LOG --log-prefix " SID632 "	# "SMTP cybercop scan expn" arachnids,371 classtype:attempted-recon sid:632
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 10080:10081 -m string --string "Amanda" -j LOG --log-prefix " SID634 "	# "SCAN Amanda client version" nocase-ignored classtype:attempted-recon sid:634
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 49 -m string --string "€" -j LOG --log-prefix " SID635 "	# "SCAN XTACACS logout" arachnids,408 classtype:bad-unknown sid:635
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 7 -m string --string "cybercop" -j LOG --log-prefix " SID636 "	# "SCAN cybercop udp bomb" arachnids,363 classtype:bad-unknown sid:636
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "helpquit" -j LOG --log-prefix " SID637 "	# "SCAN Webtrends Scanner UDP Probe" arachnids,308 classtype:attempted-recon sid:637
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL FIN,PSH,URG -j LOG --log-prefix " SID1228 "	# "SCAN NMAP XMAS" arachnids,30 classtype:attempted-recon sid:1228
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "cmd_rootsh" -j LOG --log-prefix " SID320 "	# "FINGER cmd_rootsh backdoor attempt" classtype:attempted-admin url,www.sans.org/y2k/TFN_toolkit.htm url,www.sans.org/y2k/fingerd.htm sid:320
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "a b c d e f" -j LOG --log-prefix " SID321 "	# "FINGER account enumeration attempt" nocase-ignored classtype:attempted-recon sid:321
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "search" -j LOG --log-prefix " SID322 "	# "FINGER search query" cve,CVE-1999-0259 arachnids,375 classtype:attempted-recon sid:322
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "root" -j LOG --log-prefix " SID323 "	# "FINGER root query" arachnids,376 classtype:attempted-recon sid:323
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "" -j LOG --log-prefix " SID324 "	# "FINGER null request" arachnids,377 classtype:attempted-recon sid:324
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string ";" -j LOG --log-prefix " SID326 "	#Cannot convert: execution attempt"	 "FINGER remote command cve,CVE-1999-0150 bugtraq,974 arachnids,379 classtype:attempted-user sid:326
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "|" -j LOG --log-prefix " SID327 "	# "FINGER remote command pipe execution attempt" cve,CVE-1999-0152 bugtraq,2220 arachnids,380 classtype:attempted-user sid:327
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "@@" -j LOG --log-prefix " SID328 "	# "FINGER bomb attempt" arachnids,381 cve,CAN-1999-0106 classtype:attempted-dos sid:328
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 -m string --string "@" --tcp-flags ACK ACK -j LOG --log-prefix " SID330 "	# "FINGER redirection attempt" arachnids,251 cve,CAN-1999-0105 classtype:attempted-recon sid:330
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 -m string --string " " --tcp-flags ACK ACK -j LOG --log-prefix " SID331 "	# "FINGER cybercop query" arachnids,132 cve,CVE-1999-0612 classtype:attempted-recon sid:331
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "0" -j LOG --log-prefix " SID332 "	# "FINGER 0 query" arachnids,378 arachnids,131 cve,CAN-1999-0197 classtype:attempted-recon sid:332
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "." -j LOG --log-prefix " SID333 "	# "FINGER . query" arachnids,130 cve,CAN-1999-0198 classtype:attempted-recon sid:333
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "stat " -j LOG --log-prefix " SID1379 "	#Cannot convert: dsize:>1000	 "FTP EXPLOIT stat overflow" nocase-ignored url,labs.defcom.com/adv/2001/def-2001-31.txt classtype:attempted-admin sid:1379
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string ".forward" --tcp-flags ACK ACK -j LOG --log-prefix " SID334 "	# "FTP .forward" arachnids,319 classtype:suspicious-filename-detect sid:334
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string ".rhosts" -j LOG --log-prefix " SID335 "	# "FTP .rhosts" arachnids,328 classtype:suspicious-filename-detect sid:335
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "cwd ~root" --tcp-flags ACK ACK -j LOG --log-prefix " SID336 "	# "FTP CWD ~root" nocase-ignored cve,CVE-1999-0082 arachnids,318 classtype:bad-unknown sid:336
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "CEL " -j LOG --log-prefix " SID337 "	#Cannot convert: dsize:>1300	 "FTP EXPLOIT aix overflow" bugtraq,679 cve,CVE-1999-0789 arachnids,257 classtype:attempted-admin sid:337
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "SITE EXEC %020d|%.f%.f|" -j LOG --log-prefix " SID338 "	# "FTP EXPLOIT format string" nocase-ignored cve,CVE-2000-0573 bugtraq,1387 arachnids,453 classtype:attempted-user sid:338
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string " 1À™RR°Í€hÌsh" -j LOG --log-prefix " SID339 "	# "FTP EXPLOIT OpenBSD x86 ftpd" cve,CVE-2001-0053 bugtraq,2124 arachnids,446 classtype:attempted-user sid:339
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "PWD/i" -j LOG --log-prefix " SID340 "	# "FTP EXPLOIT overflow" classtype:attempted-admin sid:340
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "XXXXX/" -j LOG --log-prefix " SID341 "	# "FTP EXPLOIT overflow" classtype:attempted-admin sid:341
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "À‚ ‘Ð " -j LOG --log-prefix " SID342 "	# "FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8" bugtraq,1387 cve,CAN-2000-0573 arachnids,451 classtype:attempted-user sid:342
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "1ÀPPP°~Í€1Û1À" -j LOG --log-prefix " SID343 "	# "FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD" arachnids,228 bugtraq,1387 cve,CAN-2000-0573 classtype:attempted-admin sid:343
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "1À1Û1É°FÍ€1À1Û" -j LOG --log-prefix " SID344 "	# "FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux" bugtraq,1387 cve,CAN-2000-0573 arachnids,287 classtype:attempted-admin sid:344
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "SITE EXEC %p" -j LOG --log-prefix " SID345 "	# "FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic" nocase-ignored bugtraq,1387 cve,CAN-2000-0573 arachnids,285 classtype:attempted-admin sid:345
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "f%.f%.f%.f%.f%." -j LOG --log-prefix " SID346 "	# "FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check" arachnids,286 bugtraq,1387 cve,CAN-2000-0573 classtype:attempted-recon sid:346
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "..11venglin@" -j LOG --log-prefix " SID348 "	# "FTP EXPLOIT wu-ftpd 2.6.0" arachnids,440 bugtraq,1387 classtype:attempted-user sid:348
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "MKD AAAAAA" -j LOG --log-prefix " SID349 "	# "FTP EXPLOIT MKD overflow" bugtraq,113 cve,CVE-1999-0368 classtype:attempted-admin sid:349
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "1À1Û°Í€1À°Í€" -j LOG --log-prefix " SID350 "	# "FTP EXPLOIT x86 linux overflow" bugtraq,113 cve,CVE-1999-0368 classtype:attempted-admin sid:350
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "1Û‰Ø°Í€ë," -j LOG --log-prefix " SID351 "	# "FTP EXPLOIT x86 linux overflow" bugtraq,113 cve,CVE-1999-0368 classtype:attempted-admin sid:351
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "ƒì^ƒÆpƒÆ(ÕàÀ" -j LOG --log-prefix " SID352 "	# "FTP EXPLOIT x86 linux overflow" bugtraq, 113 cve, CVE-1999-0368 classtype:attempted-admin sid:352
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "PASS ddd@" -j LOG --log-prefix " SID353 "	# "FTP adm scan" arachnids,332 classtype:suspicious-login sid:353
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "pass -iss@iss" -j LOG --log-prefix " SID354 "	# "FTP iss scan" arachnids,331 classtype:suspicious-login sid:354
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "pass wh00t" -j LOG --log-prefix " SID355 "	# "FTP pass wh00t" nocase-ignored arachnids,324 classtype:suspicious-login sid:355
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "RETR" --string "passwd" -j LOG --log-prefix " SID356 "	# "FTP passwd retreval attempt" nocase-ignored arachnids,213 classtype:suspicious-filename-detect sid:356
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "pass -cklaus" -j LOG --log-prefix " SID357 "	# "FTP piss scan" classtype:suspicious-login sid:357
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "pass -saint" -j LOG --log-prefix " SID358 "	# "FTP saint scan" arachnids,330 classtype:suspicious-login sid:358
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "pass -satan" -j LOG --log-prefix " SID359 "	# "FTP satan scan" arachnids,329 classtype:suspicious-login sid:359
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string ".%20." -j LOG --log-prefix " SID360 "	# "FTP serv-u directory transversal" nocase-ignored bugtraq,2025 cve,CVE-2001-0054 classtype:bad-unknown sid:360
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "site " --string " exec " -j LOG --log-prefix " SID361 "	# "FTP site exec" nocase-ignored nocase-ignored bugtraq,2241 arachnids,317 classtype:bad-unknown sid:361
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "RETR " --string " --use-compress-program" -j LOG --log-prefix " SID362 "	# "FTP tar parameters" nocase-ignored nocase-ignored bugtraq,2240 arachnids,134 cve,CVE-1999-0202 classtype:bad-unknown sid:362
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "CWD " --string " ..." -j LOG --log-prefix " SID1229 "	# "FTP CWD ..." classtype:bad-unknown sid:1229
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "~" --string "[" -j LOG --log-prefix " SID1377 "	# "FTP wu-ftp file completion attempt [" cve,CAN-2001-0886 bugtraq,3581 classtype:misc-attack sid:1377
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "~" --string "{" -j LOG --log-prefix " SID1378 "	# "FTP wu-ftp file completion attempt {" cve,CAN-2001-0886 bugtraq,3581 classtype:misc-attack sid:1378
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "USER w0rm" -j LOG --log-prefix " SID144 "	# "FTP ADMw0rm ftp login attempt" arachnids,01 sid:144 classtype:suspicious-login
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 21 --tcp-flags ACK ACK -m string --string "RETR " --string "file_id.diz" -j LOG --log-prefix " SID1445 "	# "FTP file_id.diz access" nocase-ignored nocase-ignored classtype:misc-activity sid:1445
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "STOR 1MB" -j LOG --log-prefix " SID543 "	# "FTP "STOR 1MB" possible warez site" nocase-ignored classtype:misc-activity sid:543
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "RETR 1MB" -j LOG --log-prefix " SID544 "	# "FTP "RETR 1MB" possible warez site" nocase-ignored classtype:misc-activity sid:544
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "CWD / " -j LOG --log-prefix " SID545 "	# "FTP "CWD /" possible warez site" nocase-ignored classtype:misc-activity sid:545
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "CWD " -j LOG --log-prefix " SID546 "	# "FTP "CWD " possible warez site" nocase-ignored classtype:misc-activity sid:546
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "MKD " -j LOG --log-prefix " SID547 "	# "FTP "MKD " possible warez site" nocase-ignored classtype:misc-activity sid:547
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "MKD ." -j LOG --log-prefix " SID548 "	# "FTP "MKD . " possible warez site" nocase-ignored classtype:misc-activity sid:548
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "MKD / " -j LOG --log-prefix " SID554 "	# "FTP "MKD / " possible warez site" nocase-ignored classtype:misc-activity sid:554
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "_RLD" --string "bin/sh" -j LOG --log-prefix " SID711 "	# "TELNET SGI telnetd format bug" arachnids,304 classtype:attempted-admin sid:711
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "ld_library_path" -j LOG --log-prefix " SID712 "	# "TELNET ld_library_path" cve,CVE-1999-0073 arachnids,367 classtype:attempted-admin sid:712
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "ÿóÿóÿóÿóÿó" -j LOG --log-prefix " SID713 "	# "TELNET livingston DOS" arachnids,370 classtype:attempted-dos sid:713
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "resolv_host_conf" -j LOG --log-prefix " SID714 "	# "TELNET resolv_host_conf" arachnids,369 classtype:attempted-admin sid:714
iptables -A SnortRules -p tcp -s $HOME_NET --sport 23 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "to su root" -j LOG --log-prefix " SID715 "	# "TELNET Attempted SU from wrong group" nocase-ignored classtype:attempted-admin sid:715
iptables -A SnortRules -p tcp -s $HOME_NET --sport 23 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "not on system console" -j LOG --log-prefix " SID717 "	# "TELNET not on console" nocase-ignored arachnids,365 classtype:bad-unknown sid:717
iptables -A SnortRules -p tcp -s $HOME_NET --sport 23 -d $EXTERNAL_NET -m string --string "Login incorrect" --tcp-flags ACK ACK -j LOG --log-prefix " SID718 "	# "TELNET login incorrect" arachnids,127 classtype:bad-unknown sid:718
iptables -A SnortRules -p tcp -s $HOME_NET --sport 23 -d $EXTERNAL_NET -m string --string "login: root" --tcp-flags ACK ACK -j LOG --log-prefix " SID719 "	# "TELNET root login" classtype:suspicious-login sid:719
iptables -A SnortRules -p tcp -s $HOME_NET --sport 23 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "[Yes]ÿþÿý&" -j LOG --log-prefix " SID1252 "	# "TELNET bsd telnet exploit response" classtype: attempted-admin sid:1252 bugtraq,3064 cve,CAN-2001-0554
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "ÿöÿöÿûÿö" -j LOG --log-prefix " SID1253 "	#Cannot convert: dsize: >200	 "TELNET bsd exploit client finishing" classtype: successful-admin sid:1253 bugtraq,3064 cve,CAN-2001-0554
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "4Dgifts" -j LOG --log-prefix " SID709 "	# "TELNET 4Dgifts SGI account attempt" cve,CAN-1999-0501 classtype:suspicious-login sid:709
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "OutOfBox" -j LOG --log-prefix " SID710 "	# "TELNET EZsetup account attempt" cve,CAN-1999-0501 classtype:suspicious-login sid:710
iptables -A SnortRules -p tcp -s $HOME_NET --sport 23 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "ÿýÿýÿý#ÿý'ÿý\$" -j LOG --log-prefix " SID716 "	# "TELNET access" arachnids,08 cve,CAN-1999-0619 classtype:not-suspicious sid:716
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "rcpt to:" -j LOG --log-prefix " SID654 "	#Cannot convert: dsize:>800	 "SMTP RCPT TO overflow" cve,CAN-2001-0260 bugtraq,2283 classtype:attempted-admin sid:654
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 113 -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "D/" -j LOG --log-prefix " SID655 "	# "SMTP sendmail 8.6.9 exploit" arachnids,140 cve,CVE-1999-0204 classtype:attempted-admin sid:655
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "ëSë [ü3É±‚‹ó€+" -j LOG --log-prefix " SID656 "	# "SMTP EXPLOIT x86 windows CSMMail overflow" bugtraq,895 cve,CVE-2000-0042 classtype:attempted-admin sid:656
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "charset = \"\"" -j LOG --log-prefix " SID658 "	# "SMTP exchange mime DOS" classtype:attempted-dos sid:658
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "expn decode" -j LOG --log-prefix " SID659 "	# "SMTP expn decode" nocase-ignored arachnids,32 classtype:attempted-recon sid:659
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "expn root" -j LOG --log-prefix " SID660 "	# "SMTP expn root" nocase-ignored arachnids,31 classtype:attempted-recon sid:660
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "expn *@" -j LOG --log-prefix " SID1450 "	# "SMTP expn *@" nocase-ignored cve,CAN-1999-1200 classtype:misc-attack sid:1450
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "eply-to: a~.`/bin/" -j LOG --log-prefix " SID661 "	#Cannot convert: Mishandled quotes	 "SMTP majordomo ifs" cve,CVE-1999-0208 arachnids,143 classtype:attempted-admin sid:661
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "mail from: \"|" -j LOG --log-prefix " SID662 "	# "SMTP sendmail 5.5.5 exploit" nocase-ignored arachnids,119 classtype:attempted-admin sid:662
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "|sed -e '1,/^\$/'" -j LOG --log-prefix " SID663 "	# "SMTP sendmail 5.5.8 overflow" arachnids,172 cve,CVE-1999-0095 classtype:attempted-admin sid:663
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "rcpt to: decode" -j LOG --log-prefix " SID664 "	# "SMTP sendmail 5.6.4 exploit" nocase-ignored arachnids,121 classtype:attempted-admin sid:664
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "MAIL FROM: |/usr/ucb/tail" -j LOG --log-prefix " SID665 "	# "SMTP sendmail 5.6.5 exploit" nocase-ignored arachnids,122 classtype:attempted-user sid:665
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "rcpt to: | sed '1,/^$/d'|" -j LOG --log-prefix " SID666 "	# "SMTP sendmail 8.4.1 exploit" nocase-ignored arachnids,120 classtype:attempted-user sid:666
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "CrootMprog, P=/bin/" -j LOG --log-prefix " SID667 "	# "SMTP sendmail 8.6.10 exploit" arachnids,123 classtype:attempted-user sid:667
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "Croot							Mprog,P=/bin" -j LOG --log-prefix " SID668 "	# "SMTP sendmail 8.6.10 exploit" arachnids,124 classtype:attempted-user sid:668
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "CrootMprog" -j LOG --log-prefix " SID669 "	# "SMTP sendmail 8.6.9 exploit" arachnids,142 cve,CVE-1999-0204 classtype:attempted-user sid:669
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "C:daemonR" -j LOG --log-prefix " SID670 "	# "SMTP sendmail 8.6.9 exploit" cve,CVE-1999-0204 arachnids,139 classtype:attempted-user sid:670
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "CrootMprog" -j LOG --log-prefix " SID671 "	# "SMTP sendmail 8.6.9c exploit" arachnids,141 cve,CVE-1999-0204 classtype:attempted-user sid:671
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "vrfy decode" -j LOG --log-prefix " SID672 "	# "SMTP vrfy decode" nocase-ignored arachnids,373 classtype:attempted-recon sid:672
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 --tcp-flags ACK ACK -m string --string "vrfy root" -j LOG --log-prefix " SID1446 "	# "SMTP vrfy root" nocase-ignored classtype:attempted-recon sid:1446
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ACK ACK -m string --string "œ" --string "‡™" -j LOG --log-prefix " SID569 "	# "RPC snmpXdmi overflow attempt" bugtraq,2417 cve,CAN-2001-0236 url,www.cert.org/advisories/CA-2001-05.html classtype:attempted-admin sid:569
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771:34000 -m string --string "À\"?ü¢ 	À,ÿâ\"?ô" --tcp-flags ACK ACK -j LOG --log-prefix " SID570 "	#Cannot convert: dsize: >999	 "RPC EXPLOIT ttdbserv solaris overflow" url,www.cert.org/advisories/CA-2001-27.html bugtraq,122 cve,CVE-1999-0003 arachnids,242 classtype:attempted-admin sid:570
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771:34000 --tcp-flags ACK ACK -m string --string "†ó" -j LOG --log-prefix " SID571 "	#Cannot convert: dsize: >999	 "RPC EXPLOIT ttdbserv Solaris overflow" url,www.cert.org/advisories/CA-2001-27.html bugtraq,122 cve,CVE-1999-0003 arachnids,242 classtype:attempted-admin sid:571
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771:34000 --tcp-flags ACK ACK -m string --string "†ó" -j LOG --log-prefix " SID572 "	# "RPC DOS ttdbserv solaris" bugtraq,122 arachnids,241 cve,CVE-1999-0003 classtype:attempted-dos sid:572
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 634:1400 --tcp-flags ACK ACK -m string --string "€,Lu[" -j LOG --log-prefix " SID573 "	# "RPC AMD Overflow" arachnids,217 classtype:attempted-admin sid:573
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771: --tcp-flags ACK ACK -m string --string "†¥" -j LOG --log-prefix " SID574 "	# "RPC NFS Showmount" arachnids,26 classtype:attempted-recon sid:574
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†÷" -j LOG --log-prefix " SID575 "	# "RPC portmap request admind" arachnids,18 classtype:rpc-portmap-decode sid:575
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -m string --string "†÷" -j LOG --log-prefix " SID1262 "	# "RPC portmap request admind" arachnids,18 classtype:rpc-portmap-decode sid:1262
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡" -j LOG --log-prefix " SID576 "	# "RPC portmap request amountd" arachnids,19 classtype:rpc-portmap-decode sid:576
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡" --tcp-flags ACK ACK -j LOG --log-prefix " SID1263 "	# "RPC portmap request amountd" arachnids,19 classtype:rpc-portmap-decode sid:1263
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†º" -j LOG --log-prefix " SID577 "	# "RPC portmap request bootparam" cve,CAN-1999-0647 arachnids,16 classtype:rpc-portmap-decode sid:577
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†º" --tcp-flags ACK ACK -j LOG --log-prefix " SID1264 "	# "RPC portmap request bootparam" cve,CAN-1999-0647 arachnids,16 classtype:rpc-portmap-decode sid:1264
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†ä" -j LOG --log-prefix " SID578 "	# "RPC portmap request cmsd" arachnids,17 classtype:rpc-portmap-decode sid:578
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†ä" --tcp-flags ACK ACK -j LOG --log-prefix " SID1265 "	# "RPC portmap request cmsd" arachnids,17 classtype:rpc-portmap-decode sid:1265
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¥" -j LOG --log-prefix " SID579 "	# "RPC portmap request mountd" arachnids,13 classtype:rpc-portmap-decode sid:579
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¥" --tcp-flags ACK ACK -j LOG --log-prefix " SID1266 "	# "RPC portmap request mountd" arachnids,13 classtype:rpc-portmap-decode sid:1266
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡Ì" -j LOG --log-prefix " SID580 "	# "RPC portmap request nisd" arachnids,21 classtype:rpc-portmap-decode sid:580
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡Ì" --tcp-flags ACK ACK -j LOG --log-prefix " SID1267 "	# "RPC portmap request nisd" arachnids,21 classtype:rpc-portmap-decode sid:1267
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "Iñ" -j LOG --log-prefix " SID581 "	# "RPC portmap request pcnfsd" arachnids,22 classtype:rpc-portmap-decode sid:581
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "Iñ" --tcp-flags ACK ACK -j LOG --log-prefix " SID1268 "	# "RPC portmap request pcnfsd" arachnids,22 classtype:rpc-portmap-decode sid:1268
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†±" -j LOG --log-prefix " SID582 "	# "RPC portmap request rexd" arachnids,23 classtype:rpc-portmap-decode sid:582
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†±" --tcp-flags ACK ACK -j LOG --log-prefix " SID1269 "	# "RPC portmap request rexd" arachnids,23 classtype:rpc-portmap-decode sid:1269
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¡" -j LOG --log-prefix " SID583 "	# "RPC portmap request rstatd" arachnids,10 classtype:rpc-portmap-decode sid:583
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¡" --tcp-flags ACK ACK -j LOG --log-prefix " SID1270 "	# "RPC portmap request rstatd" arachnids,10 classtype:rpc-portmap-decode sid:1270
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¢" --tcp-flags ACK ACK -j LOG --log-prefix " SID1271 "	# "RPC portmap request rusers" arachnids,133 cve,CVE-1999-0626 classtype:rpc-portmap-decode sid:1271
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¢" -j LOG --log-prefix " SID584 "	# "RPC portmap request rusers" cve,CVE-1999-0626 arachnids,133 classtype:rpc-portmap-decode sid:584
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡ˆ" --tcp-flags ACK ACK -j LOG --log-prefix " SID1272 "	# "RPC portmap request sadmind" arachnids,20 classtype:rpc-portmap-decode sid:1272
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡ˆ" -j LOG --log-prefix " SID585 "	# "RPC portmap request sadmind" arachnids,20 classtype:rpc-portmap-decode sid:585
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¯" -j LOG --log-prefix " SID586 "	# "RPC portmap request selection_svc" arachnids,25 classtype:rpc-portmap-decode sid:586
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¯" --tcp-flags ACK ACK -j LOG --log-prefix " SID1273 "	# "RPC portmap request selection_svc" arachnids,25 classtype:rpc-portmap-decode sid:1273
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¸" -j LOG --log-prefix " SID587 "	# "RPC portmap request status" arachnids,15 classtype:rpc-portmap-decode sid:587
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†ó" -j LOG --log-prefix " SID588 "	# "RPC portmap request ttdbserv" cve,CVE-1999-0003 cve,CVE-1999-0687 cve,CAN-1999-1075 cve,CAN-2001-0717 url,www.cert.org/advisories/CA-2001-05.html arachnids,24 classtype:rpc-portmap-decode sid:588
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†ó" --tcp-flags ACK ACK -j LOG --log-prefix " SID1274 "	# "RPC portmap request ttdbserv" cve,CAN-2001-0717 cve,CVE-1999-0003 cve,CVE-1999-0687 cve,CAN-1999-1075 url,www.cert.org/advisories/CA-2001-05.html arachnids,24 classtype:rpc-portmap-decode sid:1274
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†©" -j LOG --log-prefix " SID589 "	# "RPC portmap request yppasswd" arachnids,14 classtype:rpc-portmap-decode sid:589
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†©" --tcp-flags ACK ACK -j LOG --log-prefix " SID1275 "	# "RPC portmap request yppasswd" arachnids,14 classtype:rpc-portmap-decode sid:1275
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¤" --tcp-flags ACK ACK -j LOG --log-prefix " SID1276 "	# "RPC portmap request ypserv" arachnids,12 classtype:rpc-portmap-decode sid:1276
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¤" -j LOG --log-prefix " SID590 "	# "RPC portmap request ypserv" arachnids,12 classtype:rpc-portmap-decode sid:590
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "†¼" -j LOG --log-prefix " SID1277 "	# "RPC portmap request ypupdated" arachnids,125 classtype:rpc-portmap-decode sid:1277
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -m string --string "†¼" -j LOG --log-prefix " SID591 "	# "RPC portmap request ypupdated" arachnids,125 classtype:rpc-portmap-decode sid:591
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 32770: -m string --string "†¡" -j LOG --log-prefix " SID592 "	# "RPC rstatd query" arachnids,9 classtype:attempted-recon sid:592
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32770: --tcp-flags ACK ACK -m string --string "†¡" -j LOG --log-prefix " SID1278 "	# "RPC rstatd query" arachnids,9 classtype:attempted-recon sid:1278
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -j LOG --log-prefix " SID1298 "	#Cannot convert: rpc:100083,*,*	 "RPC portmap request tooltalk" cve,CAN-2001-0717 cve,CVE-1999-0003 cve,CVE-1999-0687 cve,CAN-1999-1075 url,www.cert.org/advisories/CA-2001-05.html classtype:rpc-portmap-decode sid:1298
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -j LOG --log-prefix " SID1299 "	#Cannot convert: rpc:100083,*,*	 "RPC portmap request tooltalk" cve,CAN-2001-0717 cve,CVE-1999-0003 cve,CVE-1999-0687 cve,CAN-1999-1075 url,www.cert.org/advisories/CA-2001-05.html classtype:rpc-portmap-decode sid:1299
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡™" --tcp-flags ACK ACK -j LOG --log-prefix " SID593 "	# "RPC tcp portmap request snmpXdmi" cve,CAN-2001-0236 url,www.cert.org/advisories/CA-2001-05.html bugtraq,2417 classtype:rpc-portmap-decode sid:593
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "‡™" -j LOG --log-prefix " SID1279 "	# "RPC udp portmap request snmpXdmi" cve,CAN-2001-0236 url,www.cert.org/advisories/CA-2001-05.html bugtraq,2417 classtype:rpc-portmap-decode sid:1279
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -j LOG --log-prefix " SID595 "	#Cannot convert: rpc:391029,*,*	 "RPC portmap request espd" cve,CAN-2001-0331 classtype:rpc-portmap-decode sid:595
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -j LOG --log-prefix " SID1296 "	#Cannot convert: rpc:100009,*,*	 "RPC portmap request yppasswdd" bugtraq,2763 classtype:rpc-portmap-decode sid:1296
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -j LOG --log-prefix " SID1297 "	#Cannot convert: rpc:100009,*,*	 "RPC portmap request yppasswdd" bugtraq,2763 classtype:rpc-portmap-decode sid:1297
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -j LOG --log-prefix " SID596 "	#Cannot convert: rpc: 100000,*,*	 "RPC portmap listing" arachnids,429 classtype:rpc-portmap-decode sid:596
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771 --tcp-flags ACK ACK -j LOG --log-prefix " SID597 "	#Cannot convert: rpc: 100000,*,*	 "RPC portmap listing" arachnids,429 classtype:rpc-portmap-decode sid:597
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " -j LOG --log-prefix " SID1280 "	# "RPC portmap listing" arachnids,429 classtype:rpc-portmap-decode sid:1280
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 --tcp-flags ACK ACK -m string --string "† " -j LOG --log-prefix " SID598 "	# "RPC portmap listing" arachnids,429 classtype:rpc-portmap-decode sid:598
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771 --tcp-flags ACK ACK -m string --string "† " -j LOG --log-prefix " SID599 "	# "RPC portmap listing" arachnids,429 classtype:rpc-portmap-decode sid:599
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 32771 -m string --string "† " -j LOG --log-prefix " SID1281 "	# "RPC portmap listing" arachnids,429 classtype:rpc-portmap-decode sid:1281
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ACK ACK -m string --string "/binÇF/sh" -j LOG --log-prefix " SID600 "	# "RPC EXPLOIT statdx" arachnids,442 classtype:attempted-admin sid:600
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "/binÇF/sh" -j LOG --log-prefix " SID1282 "	# "RPC EXPLOIT statdx" arachnids,442 classtype:attempted-admin sid:1282
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 32770: -m string --string "†¢" -j LOG --log-prefix " SID612 "	# "RPC rusers query" cve,CVE-1999-0626 arachnids,136 classtype:attempted-recon sid:612
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 --tcp-flags ACK ACK -m string --string "::::::::::::::::" -j LOG --log-prefix " SID601 "	# "RSERVICES rlogin LinuxNIS" classtype:bad-unknown sid:601
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 --tcp-flags ACK ACK -m string --string "binbin" -j LOG --log-prefix " SID602 "	# "RSERVICES rlogin bin" arachnids,384 classtype:attempted-user sid:602
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 --tcp-flags ACK ACK -m string --string "echo \" + + \"" -j LOG --log-prefix " SID603 "	# "RSERVICES rlogin echo++" arachnids,385 classtype:bad-unknown sid:603
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 --tcp-flags ACK ACK -m string --string "-froot" -j LOG --log-prefix " SID604 "	# "RSERVICES rsh froot" arachnids,386 classtype:attempted-admin sid:604
iptables -A SnortRules -p tcp -s $HOME_NET --sport 513 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "rlogind: Permission denied." -j LOG --log-prefix " SID611 "	# "RSERVICES rlogin login failure" arachnids,392 classtype:unsuccessful-user sid:611
iptables -A SnortRules -p tcp -s $HOME_NET --sport 513 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "login incorrect" -j LOG --log-prefix " SID605 "	# "RSERVICES rlogin login failure" arachnids,393 classtype:unsuccessful-user sid:605
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 --tcp-flags ACK ACK -m string --string "rootroot" -j LOG --log-prefix " SID606 "	# "RSERVICES rlogin root" arachnids,389 classtype:attempted-admin sid:606
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 514 --tcp-flags ACK ACK -m string --string "binbin" -j LOG --log-prefix " SID607 "	# "RSERVICES rsh bin" arachnids,390 classtype:attempted-user sid:607
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 514 --tcp-flags ACK ACK -m string --string "echo \"+ +\"" -j LOG --log-prefix " SID608 "	# "RSERVICES rsh echo + +" arachnids,388 classtype:attempted-user sid:608
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 514 --tcp-flags ACK ACK -m string --string "-froot" -j LOG --log-prefix " SID609 "	# "RSERVICES rsh froot" arachnids,387 classtype:attempted-admin sid:609
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 514 --tcp-flags ACK ACK -m string --string "rootroot" -j LOG --log-prefix " SID610 "	# "RSERVICES rsh root" arachnids,391 classtype:attempted-admin sid:610
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -j LOG --log-prefix " SID268 "	#Cannot convert: fragbits: M dsize:408	 "DOS Jolt attack" cve,CAN-1999-0345 classtype:attempted-dos sid:268
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL SYN -j LOG --log-prefix " SID269 "	#Cannot convert: id:3868 seq: 3868	 "DOS Land attack" cve,CVE-1999-0016 classtype:attempted-dos sid:269
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -j LOG --log-prefix " SID270 "	#Cannot convert: id:242 fragbits:M	 "DOS Teardrop attack" cve,CAN-1999-0015 url,www.cert.org/advisories/CA-1997-28.html bugtraq,124 classtype:attempted-dos sid:270
iptables -A SnortRules -p udp --sport 19 --dport 7 -j LOG --log-prefix " SID271 "	# "DOS UDP echo+chargen bomb" cve,CAN-1999-0635 cve,CVE-1999-0103 classtype:attempted-dos sid:271
iptables -A SnortRules -p udp --dport 19 --sport 7 -j LOG --log-prefix " SID271 "	# "DOS UDP echo+chargen bomb" cve,CAN-1999-0635 cve,CVE-1999-0103 classtype:attempted-dos sid:271
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "" --proto ip_proto: 2 -j LOG --log-prefix " SID272 "	#Cannot convert: fragbits: M+	 "DOS IGMP dos attack" cve,CVE-1999-0918 classtype:attempted-dos sid:272
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "" --proto ip_proto:2 -j LOG --log-prefix " SID273 "	#Cannot convert: fragbits:M+	 "DOS IGMP dos attack" cve,CVE-1999-0918 classtype:attempted-dos sid:273
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "+++ath" --icmp-type 8 -j LOG --log-prefix " SID274 "	# "DOS ath" nocase-ignored cve,CAN-1999-1228 arachnids,264 classtype:attempted-dos sid:274
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL SYN -j LOG --log-prefix " SID275 "	#Cannot convert: seq: 6060842 id: 413	 "DOS NAPTHA" cve,CAN-2000-1039 url,www.microsoft.com/technet/security/bulletin/MS00-091.asp url,www.cert.org/advisories/CA-2000-21.html url,razor.bindview.com/publish/advisories/adv_NAPTHA.html classtype:attempted-dos sid:275
#iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --tcp-flags ALL SYN -j LOG --log-prefix " SID275 "	#Cannot convert: seq: 6060842 id: 413	 "DOS NAPTHA" cve,CAN-2000-1039 url,www.microsoft.com/technet/security/bulletin/MS00-091.asp url,www.cert.org/advisories/CA-2000-21.html url,razor.bindview.com/publish/advisories/adv_NAPTHA.html classtype:attempted-dos sid:275
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 7070 --tcp-flags ACK ACK -m string --string "ÿôÿý" -j LOG --log-prefix " SID276 "	# "DOS Real Audio Server" bugtraq,1288 cve,CVE-2000-0474 arachnids,411 classtype:attempted-dos sid:276
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 7070 --tcp-flags ACK ACK -m string --string "/viewsource/template.html?" -j LOG --log-prefix " SID277 "	# "DOS Real Server template.html" nocase-ignored cve,CVE-2000-0474 bugtraq,1288 classtype:attempted-dos sid:277
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 8080 --tcp-flags ACK ACK -m string --string "/viewsource/template.html?" -j LOG --log-prefix " SID278 "	# "DOS Real Server template.html" nocase-ignored cve,CVE-2000-0474 bugtraq,1288 classtype:attempted-dos sid:278
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 161 -j LOG --log-prefix " SID279 "	#Cannot convert: dsize:0	 "DOS Bay/Nortel Nautica Marlin" bugtraq,1009 cve,CVE-2000-0221 classtype:attempted-dos sid:279
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 9 -m string --string "NAMENAME" -j LOG --log-prefix " SID281 "	# "DOS Ascend Route" bugtraq,714 cve,CVE-1999-0060 arachnids,262 classtype:attempted-dos sid:281
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 617 --tcp-flags ACK ACK -j LOG --log-prefix " SID282 "	#Cannot convert: dsize: >1445	 "DOS arkiea backup" bugtraq,662 cve,CVE-1999-0788 arachnids,261 classtype:attempted-dos sid:282
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags URG URG -j LOG --log-prefix " SID1257 "	# "DOS Winnuke attack" bugtraq,2010 cve,CVE-1999-0153 classtype: attempted-dos sid:1257
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 3372 --tcp-flags ACK ACK -j LOG --log-prefix " SID1408 "	#Cannot convert: dsize:>1023	 "DOS MSDTC attempt" bugtraq,4006 classtype:attempted-dos sid:1408
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 8 -m string --string "1234" -j LOG --log-prefix " SID221 "	#Cannot convert: id: 678	 "DDOS TFN Probe" arachnids,443 classtype:attempted-recon sid:221
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 0 -m string --string "AAAAAAAAAA" -j LOG --log-prefix " SID222 "	#Cannot convert: icmp_id: 0	 "DDOS tfn2k icmp possible communication" arachnids,425 classtype:attempted-dos sid:222
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 31335 -m string --string "PONG" -j LOG --log-prefix " SID223 "	# "DDOS Trin00:DaemontoMaster(PONGdetected)" arachnids,187 classtype:attempted-recon sid:223
#iptables -A SnortRules -p icmp -s 3.3.3.3/32 -d $EXTERNAL_NET --icmp-type 0 -j LOG --log-prefix " SID224 "	#Cannot convert: icmp_id: 666	 "DDOS Stacheldraht server-spoof" arachnids,193 classtype:attempted-dos sid:224
#iptables -A SnortRules -p icmp -s $HOME_NET -d $EXTERNAL_NET -m string --string "sicken" --icmp-type 0 -j LOG --log-prefix " SID225 "	#Cannot convert: icmp_id: 669	 "DDOS Stacheldraht server-response-gag" arachnids,195 classtype:attempted-dos sid:225
#iptables -A SnortRules -p icmp -s $HOME_NET -d $EXTERNAL_NET -m string --string "ficken" --icmp-type 0 -j LOG --log-prefix " SID226 "	#Cannot convert: icmp_id: 667	 "DDOS Stacheldraht server-response" arachnids,191 classtype:attempted-dos sid:226
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "spoofworks" --icmp-type 0 -j LOG --log-prefix " SID227 "	#Cannot convert: icmp_id: 1000	 "DDOS Stacheldraht client-spoofworks" arachnids,192 classtype:attempted-dos sid:227
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 0 -j LOG --log-prefix " SID228 "	#Cannot convert: icmp_id: 456 icmp_seq: 0	 "DDOS TFN client command BE" arachnids,184 classtype:attempted-dos sid:228
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "skillz" --icmp-type 0 -j LOG --log-prefix " SID229 "	#Cannot convert: icmp_id: 666	 "DDOS Stacheldraht client-check" arachnids,190 classtype:attempted-dos sid:229
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 20432 --tcp-flags ACK ACK -j LOG --log-prefix " SID230 "	# "DDOS shaft client to handler" arachnids,254 classtype:attempted-dos sid:230
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 31335 -m string --string "l44" -j LOG --log-prefix " SID231 "	# "DDOS Trin00:DaemontoMaster(messagedetected)" arachnids,186 classtype:attempted-dos sid:231
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 31335 -m string --string "*HELLO*" -j LOG --log-prefix " SID232 "	# "DDOS Trin00:DaemontoMaster(*HELLO*detected)" arachnids,185 url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm classtype:attempted-dos sid:232
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 27665 --tcp-flags ACK ACK -m string --string "betaalmostdone" -j LOG --log-prefix " SID233 "	# "DDOS Trin00:Attacker to Master default startup password" arachnids,197 classtype:attempted-dos sid:233
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 27665 --tcp-flags ACK ACK -m string --string "gOrave" -j LOG --log-prefix " SID234 "	# "DDOS Trin00 Attacker to Master default password" classtype:attempted-dos sid:234
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 27665 --tcp-flags ACK ACK -m string --string "killme" -j LOG --log-prefix " SID235 "	# "DDOS Trin00 Attacker to Master default mdie password" classtype:bad-unknown sid:235
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "gesundheit" --icmp-type 0 -j LOG --log-prefix " SID236 "	#Cannot convert: icmp_id: 668	 "DDOS Stacheldraht client-check-gag" arachnids,194 classtype:attempted-dos sid:236
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 27444 -m string --string "l44adsl" -j LOG --log-prefix " SID237 "	# "DDOS Trin00:MastertoDaemon(defaultpassdetected!)" arachnids,197 classtype:attempted-dos sid:237
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "shell bound to port" --icmp-type 0 -j LOG --log-prefix " SID238 "	#Cannot convert: icmp_id: 123 icmp_seq: 0	 "DDOS TFN server response" arachnids,182 classtype:attempted-dos sid:238
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 18753 -m string --string "alive tijgu" -j LOG --log-prefix " SID239 "	# "DDOS shaft handler to agent" arachnids,255 classtype:attempted-dos sid:239
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 20433 -m string --string "alive" -j LOG --log-prefix " SID240 "	# "DDOS shaft agent to handler" arachnids,256 classtype:attempted-dos sid:240
#iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --tcp-flags ALL SYN -j LOG --log-prefix " SID241 "	#Cannot convert: seq: 674711609	 "DDOS shaft synflood" arachnids,253 classtype:attempted-dos sid:241
#iptables -A SnortRules -p tcp -d $HOME_NET -s $EXTERNAL_NET --tcp-flags ALL SYN -j LOG --log-prefix " SID241 "	#Cannot convert: seq: 674711609	 "DDOS shaft synflood" arachnids,253 classtype:attempted-dos sid:241
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 6838 -m string --string "newserver" -j LOG --log-prefix " SID243 "	# "DDOS mstream agent to handler" classtype:attempted-dos sid:243
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 10498 -m string --string "stream/" -j LOG --log-prefix " SID244 "	# "DDOS mstream handler to agent" cve,CAN-2000-0138 classtype:attempted-dos sid:244
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 10498 -m string --string "ping" -j LOG --log-prefix " SID245 "	# "DDOS mstream handler ping to agent" cve,CAN-2000-0138 classtype:attempted-dos sid:245
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 10498 -m string --string "pong" -j LOG --log-prefix " SID246 "	# "DDOS mstream agent pong to handler" classtype:attempted-dos sid:246
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 12754 -m string --string ">" --tcp-flags ACK ACK -j LOG --log-prefix " SID247 "	# "DDOS mstream client to handler" cve,CAN-2000-0138 classtype:attempted-dos sid:247
iptables -A SnortRules -p tcp -s $HOME_NET --sport 12754 -d $EXTERNAL_NET -m string --string ">" --tcp-flags ACK ACK -j LOG --log-prefix " SID248 "	# "DDOS mstream handler to client" cve,CAN-2000-0138 classtype:attempted-dos sid:248
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 15104 --tcp-flags ALL SYN -j LOG --log-prefix " SID249 "	# "DDOS mstream client to handler" arachnids,111 cve,CAN-2000-0138 classtype:attempted-dos sid:249
iptables -A SnortRules -p tcp -s $HOME_NET --sport 15104 -d $EXTERNAL_NET -m string --string ">" --tcp-flags ACK ACK -j LOG --log-prefix " SID250 "	# "DDOS mstream handler to client" cve,CAN-2000-0138 classtype:attempted-dos sid:250
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 0 -j LOG --log-prefix " SID251 "	#Cannot convert: icmp_id: 51201 icmp_seq: 0	 "DDOS - TFN client command LE" arachnids,183 classtype:attempted-dos sid:251
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "	€" -j LOG --log-prefix " SID252 "	# "DNS named iquery attempt" arachnids,277 cve,CVE-1999-0009 bugtraq,134 url,www.rfc-editor.org/rfc/rfc1035.txt classtype:attempted-recon sid:252
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 53 -d $HOME_NET -m string --string "…€" --string "À<" -j LOG --log-prefix " SID253 "	# "DNS SPOOF query response PTR with TTL: 1 min. and no authority" classtype:bad-unknown sid:253
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 53 -d $HOME_NET -m string --string "€" --string "À<" -j LOG --log-prefix " SID254 "	# "DNS SPOOF query response with ttl: 1 min. and no authority" classtype:bad-unknown sid:254
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "ü" -j LOG --log-prefix " SID255 "	# "DNS zone transfer" cve,CAN-1999-0532 arachnids,212 classtype:attempted-recon sid:255
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "authors" --string "bind" -j LOG --log-prefix " SID1435 "	# "DNS named authors attempt" nocase-ignored arachnids,480 classtype:attempted-recon sid:1435
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "authors" --string "bind" -j LOG --log-prefix " SID256 "	# "DNS named authors attempt" nocase-ignored arachnids,480 classtype:attempted-recon sid:256
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "version" --string "bind" -j LOG --log-prefix " SID257 "	# "DNS named version attempt" nocase-ignored arachnids,278 classtype:attempted-recon sid:257
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "version" --string "bind" -j LOG --log-prefix " SID1616 "	# "DNS named version attempt" nocase-ignored arachnids,278 classtype:attempted-recon sid:1616
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "../../../" -j LOG --log-prefix " SID258 "	# "DNS EXPLOIT named 8.2->8.2.1" cve,CVE-1999-0833 classtype:attempted-admin sid:258
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool" -j LOG --log-prefix " SID259 "	# "DNS EXPLOIT named overflow (ADM)" cve,CVE-1999-0833 classtype:attempted-admin sid:259
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "ADMROCKS" -j LOG --log-prefix " SID260 "	# "DNS EXPLOIT named overflow (ADMROCKS)" cve,CVE-1999-0833 url,www.cert.org/advisories/CA-1999-14.html classtype:attempted-admin sid:260
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "Í€è×ÿÿÿ/bin/sh" -j LOG --log-prefix " SID261 "	# "DNS EXPLOIT named overflow attempt" url,www.cert.org/advisories/CA-1998-05.html classtype:attempted-admin sid:261
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "1À°?1Û³ÿ1ÉÍ€1À" -j LOG --log-prefix " SID262 "	# "DNS EXPLOIT x86 linux overflow attempt" classtype:attempted-admin sid:262
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "1À°Í€…ÀuLëL^°" -j LOG --log-prefix " SID264 "	# "DNS EXPLOIT x86 linux overflow attempt" classtype:attempted-admin sid:264
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "‰÷)Ç‰ó‰ù‰ò¬<þ" -j LOG --log-prefix " SID265 "	# "DNS EXPLOIT x86 linux overflow attempt (ADMv2)" classtype:attempted-admin sid:265
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "ën^Æš1É‰NÆF" -j LOG --log-prefix " SID266 "	# "DNS EXPLOIT x86 freebsd overflow attempt" classtype:attempted-admin sid:266
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 --tcp-flags ACK ACK -m string --string "À ’ Ð#¿ø" -j LOG --log-prefix " SID267 "	# "DNS EXPLOIT sparc overflow attempt" classtype:attempted-admin sid:267
iptables -A SnortRules -p udp --dport 69 -m string --string "" --string "admin.dll" -j LOG --log-prefix " SID1289 "	# "TFTP GET Admin.dll" nocase-ignored classtype:successful-admin url,www.cert.org/advisories/CA-2001-26.html sid:1289
iptables -A SnortRules -p udp --dport 69 -m string --string "" --string "nc.exe" -j LOG --log-prefix " SID1441 "	# "TFTP GET nc.exe" nocase-ignored classtype:successful-admin sid:1441
iptables -A SnortRules -p udp --dport 69 -m string --string "" --string "shadow" -j LOG --log-prefix " SID1442 "	# "TFTP GET shadow" nocase-ignored classtype:successful-admin sid:1442
iptables -A SnortRules -p udp --dport 69 -m string --string "" --string "passwd" -j LOG --log-prefix " SID1443 "	# "TFTP GET passwd" nocase-ignored classtype:successful-admin sid:1443
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 69 -m string --string ".." -j LOG --log-prefix " SID519 "	# "TFTP parent directory" arachnids,137 cve,CVE-1999-0183 classtype:bad-unknown sid:519
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 69 -m string --string "/" -j LOG --log-prefix " SID520 "	# "TFTP root directory" arachnids,138 cve,CVE-1999-0183 classtype:bad-unknown sid:520
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 69 -m string --string "" -j LOG --log-prefix " SID518 "	# "TFTP Put" cve,CVE-1999-0183 arachnids,148 classtype:bad-unknown sid:518
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 69 -m string --string "" -j LOG --log-prefix " SID1444 "	# "TFTP Get" classtype:bad-unknown sid:1444
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/hsx.cgi" --string "../../" --string "%00" --tcp-flags ACK ACK -j LOG --log-prefix " SID803 "	# "WEB-CGI HyperSeek hsx.cgi directory traversal attempt" bugtraq,2314 cve,CAN-2001-0253 classtype:web-application-attack sid:803
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/hsx.cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID1607 "	# "WEB-CGI HyperSeek hsx.cgi access" bugtraq,2314 cve,CAN-2001-0253 classtype:web-application-activity sid:1607
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/s.cgi" --string "tmpl=" --tcp-flags ACK ACK -j LOG --log-prefix " SID804 "	#Cannot convert: dsize:>500	 "WEB-CGI SWSoft ASPSeek Overflow attempt" nocase-ignored cve,CAN-2001-0476 bugtraq,2492 classtype:web-application-attack sid:804
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/wsisa.dll/WService=" --string "WSMadmin" -j LOG --log-prefix " SID805 "	# "WEB-CGI webspeed access" nocase-ignored nocase-ignored arachnids,467 cve,CVE-2000-0127 classtype:attempted-user sid:805
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/YaBB.pl" --string "../" -j LOG --log-prefix " SID806 "	# "WEB-CGI yabb directory traversal attempt" cve,CVE-2000-0853 arachnids,462 classtype:attempted-recon sid:806
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/wwwboard/passwd.txt" -j LOG --log-prefix " SID807 "	# "WEB-CGI wwwboard passwd access" nocase-ignored arachnids,463 cve,CVE-1999-0953 bugtraq,649 classtype:attempted-recon sid:807
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webdriver" -j LOG --log-prefix " SID808 "	# "WEB-CGI webdriver access" nocase-ignored arachnids,473 bugtraq,2166 classtype:attempted-recon sid:808
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/whois_raw.cgi?" --string "" -j LOG --log-prefix " SID809 "	# "WEB-CGI whois_raw attempt" cve,CAN-1999-1063 arachnids,466 classtype:web-application-attack sid:809
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/whois_raw.cgi" -j LOG --log-prefix " SID810 "	# "WEB-CGI whois_raw access" cve,CAN-1999-1063 arachnids,466 classtype:attempted-recon sid:810
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string " /HTTP/1." -j LOG --log-prefix " SID811 "	# "WEB-CGI websitepro path access" nocase-ignored cve,CAN-2000-0066 arachnids,468 classtype:attempted-recon sid:811
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webplus?about" -j LOG --log-prefix " SID812 "	# "WEB-CGI webplus version access" nocase-ignored cve,CVE-2000-0282 arachnids,470 classtype:attempted-recon sid:812
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webplus?script" --string "../" -j LOG --log-prefix " SID813 "	# "WEB-CGI webplus directory traversal" nocase-ignored cve,CVE-2000-0282 arachnids,471 classtype:web-application-attack sid:813
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/websendmail" -j LOG --log-prefix " SID815 "	# "WEB-CGI websendmail access" nocase-ignored cve,CVE-1999-0196 arachnids,469 bugtraq,2077 classtype:attempted-recon sid:815
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/dcforum.cgi" --string "forum=../.." -j LOG --log-prefix " SID1571 "	# "WEB-CGI dcforum.cgi directory traversal attempt" cve,CAN-2001-0436 classtype:web-application-attack sid:1571
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/dcforum.cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID818 "	# "WEB-CGI dcforum.cgi access" bugtraq,2728 classtype:attempted-recon sid:818
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/dcboard.cgi" --string "command=register" --string "%7cadmin" -j LOG --log-prefix " SID817 "	# "WEB-CGI dcboard.cgi invalid user addition attempt" bugtraq,2728 classtype:web-application-attack sid:817
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/dcboard.cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID1410 "	# "WEB-CGI dcboard.cgi access" bugtraq,2728 classtype:attempted-recon sid:1410
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/mmstdod.cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID819 "	# "WEB-CGI mmstdod.cgi access" nocase-ignored classtype:attempted-recon sid:819
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/apexec.pl" --string "template=../" -j LOG --log-prefix " SID820 "	# "WEB-CGI anaconda directory transversal attempt" nocase-ignored cve,CVE-2000-0975 bugtraq,2388 classtype:web-application-attack sid:820
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/imagemap.exe?" -j LOG --log-prefix " SID821 "	#Cannot convert: dsize: >1000	 "WEB-CGI imagemap overflow attempt" nocase-ignored arachnids,412 classtype:web-application-attack sid:821
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cvsweb.cgi" -j LOG --log-prefix " SID823 "	# "WEB-CGI cvsweb.cgi access" nocase-ignored cve,CVE-2000-0670 bugtraq,1469 classtype:attempted-recon sid:823
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/php.cgi" -j LOG --log-prefix " SID824 "	# "WEB-CGI php.cgi access" nocase-ignored cve,CAN-1999-0238 bugtraq,2250 arachnids,232 classtype:attempted-recon sid:824
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/glimpse" -j LOG --log-prefix " SID825 "	# "WEB-CGI glimpse access" nocase-ignored bugtraq,2026 classtype:attempted-recon sid:825
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/htmlscript?../.." -j LOG --log-prefix " SID1608 "	# "WEB-CGI htmlscript attempt" nocase-ignored bugtraq,2001 cve,CVE-1999-0264 classtype:web-application-attack sid:1608
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/htmlscript" -j LOG --log-prefix " SID826 "	# "WEB-CGI htmlscript access" nocase-ignored bugtraq,2001 cve,CVE-1999-0264 classtype:attempted-recon sid:826
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/info2www" -j LOG --log-prefix " SID827 "	# "WEB-CGI info2www access" nocase-ignored bugtraq,1995 cve,CVE-1999-0266 classtype:attempted-recon sid:827
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/maillist.pl" -j LOG --log-prefix " SID828 "	# "WEB-CGI maillist.pl access" nocase-ignored classtype:attempted-recon sid:828
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/nph-test-cgi" -j LOG --log-prefix " SID829 "	# "WEB-CGI nph-test-cgi access" nocase-ignored arachnids,224 cve,CVE-1999-0045 bugtraq,686 classtype:attempted-recon sid:829
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/nph-maillist.pl" -j LOG --log-prefix " SID1451 "	# "WEB-CGI NPH-publish access" nocase-ignored cve,CAN-2001-0400 classtype:attempted-recon sid:1451
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/nph-publish" -j LOG --log-prefix " SID830 "	# "WEB-CGI NPH-publish access" nocase-ignored cve,CAN-1999-1177 classtype:attempted-recon sid:830
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/rguest.exe" -j LOG --log-prefix " SID833 "	# "WEB-CGI rguest.exe access" nocase-ignored cve,CAN-1999-0467 bugtraq,2024 classtype:attempted-recon sid:833
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/rwwwshell.pl" -j LOG --log-prefix " SID834 "	# "WEB-CGI rwwwshell.pl access" nocase-ignored classtype:attempted-recon sid:834
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/test-cgi" -j LOG --log-prefix " SID835 "	# "WEB-CGI test-cgi access" nocase-ignored cve,CVE-1999-0070 arachnids,218 classtype:attempted-recon sid:835
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/textcounter.pl" -j LOG --log-prefix " SID836 "	# "WEB-CGI testcounter.pl access" nocase-ignored classtype:attempted-recon sid:836
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/uploader.exe" -j LOG --log-prefix " SID837 "	# "WEB-CGI uploader.exe access" nocase-ignored cve,CVE-1999-0177 classtype:attempted-recon sid:837
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webgais" -j LOG --log-prefix " SID838 "	# "WEB-CGI webgais access" nocase-ignored arachnids,472 bugtraq,2058 cve,CVE-1999-0176 classtype:attempted-recon sid:838
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/finger" -j LOG --log-prefix " SID839 "	# "WEB-CGI finger access" nocase-ignored arachnids,221 cve,CVE-1999-0612 classtype:attempted-recon sid:839
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/perlshop.cgi" -j LOG --log-prefix " SID840 "	# "WEB-CGI perlshop.cgi access" nocase-ignored cve,CAN-1999-1374 classtype:attempted-recon sid:840
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/pfdisplay.cgi" -j LOG --log-prefix " SID841 "	# "WEB-CGI pfdisplay.cgi access" nocase-ignored bugtraq,64 cve,CVE-1999-0270 classtype:attempted-recon sid:841
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/aglimpse" -j LOG --log-prefix " SID842 "	# "WEB-CGI aglimpse access" nocase-ignored cve,CVE-1999-0147 bugtraq,2026 classtype:attempted-recon sid:842
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/AnForm2" -j LOG --log-prefix " SID843 "	# "WEB-CGI anform2 access" nocase-ignored cve,CVE-1999-0066 arachnids,225 classtype:attempted-recon sid:843
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/args.bat" -j LOG --log-prefix " SID844 "	# "WEB-CGI args.bat access" nocase-ignored cve,CAN-1999-1374 classtype:attempted-recon sid:844
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/args.cmd" -j LOG --log-prefix " SID1452 "	# "WEB-CGI args.cmd access" nocase-ignored cve,CAN-1999-1374 classtype:attempted-recon sid:1452
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/AT-admin.cgi" -j LOG --log-prefix " SID845 "	# "WEB-CGI AT-admin.cgi access" nocase-ignored cve,CAN-1999-1072 classtype:attempted-recon sid:845
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/AT-generated.cgi" -j LOG --log-prefix " SID1453 "	# "WEB-CGI AT-generated.cgi access" nocase-ignored cve,CAN-1999-1072 classtype:attempted-recon sid:1453
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bnbform.cgi" -j LOG --log-prefix " SID846 "	# "WEB-CGI bnbform.cgi access" nocase-ignored cve,CVE-1999-0937 bugtraq,1469 classtype:attempted-recon sid:846
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/campas" -j LOG --log-prefix " SID847 "	# "WEB-CGI campas access" nocase-ignored cve,CVE-1999-0146 bugtraq,1975 classtype:attempted-recon sid:847
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/view-source" --string "../" -j LOG --log-prefix " SID848 "	# "WEB-CGI view-source directory traversal" nocase-ignored nocase-ignored cve,CVE-1999-0174 classtype:web-application-attack sid:848
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/view-source" -j LOG --log-prefix " SID849 "	# "WEB-CGI view-source access" nocase-ignored cve,CVE-1999-0174 classtype:attempted-recon sid:849
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/wais.pl" -j LOG --log-prefix " SID850 "	# "WEB-CGI wais.pl access" nocase-ignored classtype:attempted-recon sid:850
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/wwwwais" -j LOG --log-prefix " SID1454 "	# "WEB-CGI wwwwais access" nocase-ignored cve,CAN-2001-0223 classtype:attempted-recon sid:1454
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/files.pl" -j LOG --log-prefix " SID851 "	# "WEB-CGI files.pl access" nocase-ignored cve,CAN-1999-1081 classtype:attempted-recon sid:851
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/wguest.exe" -j LOG --log-prefix " SID852 "	# "WEB-CGI wguest.exe access" nocase-ignored cve,CAN-1999-0467 bugtraq,2024 classtype:attempted-recon sid:852
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/wrap" -j LOG --log-prefix " SID853 "	# "WEB-CGI wrap access" bugtraq,373 arachnids,234 cve,CVE-1999-0149 classtype:attempted-recon sid:853
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/classifieds.cgi" -j LOG --log-prefix " SID854 "	# "WEB-CGI classifieds.cgi access" nocase-ignored bugtraq,2020 cve,CVE-1999-0934 classtype:attempted-recon sid:854
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/edit.pl" -j LOG --log-prefix " SID855 "	# "WEB-CGI edit.pl access" nocase-ignored classtype:attempted-recon sid:855
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/environ.cgi" -j LOG --log-prefix " SID856 "	# "WEB-CGI environ.cgi access" nocase-ignored classtype:attempted-recon sid:856
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/faxsurvey?cat%20" -j LOG --log-prefix " SID1609 "	# "WEB-CGI faxsurvey attempt" nocase-ignored cve,CVE-1999-0262 bugtraq,2056 classtype:web-application-attack sid:1609
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/faxsurvey" -j LOG --log-prefix " SID857 "	# "WEB-CGI faxsurvey access" nocase-ignored cve,CVE-1999-0262 bugtraq,2056 classtype:web-application-activity sid:857
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/filemail.pl" -j LOG --log-prefix " SID858 "	# "WEB-CGI filemail access" nocase-ignored classtype:attempted-recon sid:858
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/man.sh" -j LOG --log-prefix " SID859 "	# "WEB-CGI man.sh access" nocase-ignored cve,CAN-1999-1179 classtype:attempted-recon sid:859
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/snork.bat" -j LOG --log-prefix " SID860 "	# "WEB-CGI snork.bat access" nocase-ignored bugtraq,1053 cve,CVE-2000-0169 arachnids,220 classtype:attempted-recon sid:860
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/w3-msql/" -j LOG --log-prefix " SID861 "	# "WEB-CGI w3-msql access" nocase-ignored bugtraq,591 cve,CVE-1999-0276 arachnids,210 classtype:attempted-recon sid:861
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/day5datacopier.cgi" -j LOG --log-prefix " SID863 "	# "WEB-CGI day5datacopier.cgi access" nocase-ignored cve,CAN-1999-1232 classtype:attempted-recon sid:863
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/day5datanotifier.cgi" -j LOG --log-prefix " SID864 "	# "WEB-CGI day5datanotifier.cgi access" nocase-ignored cve,CAN-1999-1232 classtype:attempted-recon sid:864
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/post-query" -j LOG --log-prefix " SID866 "	# "WEB-CGI post-query access" nocase-ignored cve,CAN-2001-0291 classtype:attempted-recon sid:866
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/visadmin.exe" -j LOG --log-prefix " SID867 "	# "WEB-CGI visadmin.exe access" nocase-ignored bugtraq,1808 cve,CAN-1999-1970 classtype:attempted-recon sid:867
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/dumpenv.pl" -j LOG --log-prefix " SID869 "	# "WEB-CGI dumpenv.pl access" nocase-ignored cve,CAN-1999-1178 classtype:attempted-recon sid:869
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/calender.pl" -j LOG --log-prefix " SID1455 "	# "WEB-CGI calender.pl access" nocase-ignored cve,CVE-2000-0432 classtype:attempted-recon sid:1455
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/calender_admin.pl" -j LOG --log-prefix " SID1456 "	# "WEB-CGI calender_admin.pl access" nocase-ignored cve,CVE-2000-0432 classtype:attempted-recon sid:1456
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/user_update_admin.pl" -j LOG --log-prefix " SID1457 "	# "WEB-CGI user_update_admin.pl access" nocase-ignored cve,CVE-2000-0627 classtype:attempted-recon sid:1457
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/user_update_passwd.pl" -j LOG --log-prefix " SID1458 "	# "WEB-CGI user_update_passwd.pl access" nocase-ignored cve,CVE-2000-0627 classtype:attempted-recon sid:1458
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/snorkerz.cmd" -j LOG --log-prefix " SID870 "	# "WEB-CGI snorkerz.cmd access" nocase-ignored classtype:attempted-recon sid:870
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/survey.cgi" -j LOG --log-prefix " SID871 "	# "WEB-CGI survey.cgi access" nocase-ignored bugtraq,1817 cve,CVE-1999-0936 classtype:attempted-recon sid:871
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "///" -j LOG --log-prefix " SID873 "	# "WEB-CGI scriptalias access" cve,CVE-1999-0236 bugtraq,2300 arachnids,227 classtype:attempted-recon sid:873
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/shA-cA/usr/openwin" -j LOG --log-prefix " SID874 "	# "WEB-CGI w3-msql solaris x86 access" nocase-ignored cve,CVE-1999-0276 arachnids,211 classtype:attempted-recon sid:874
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/win-c-sample.exe" -j LOG --log-prefix " SID875 "	# "WEB-CGI win-c-sample.exe access" nocase-ignored bugtraq,2078 arachnids,231 cve,CVE-1999-0178 classtype:attempted-recon sid:875
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/w3tvars.pm" -j LOG --log-prefix " SID878 "	# "WEB-CGI w2tvars.pm access" nocase-ignored classtype:attempted-recon sid:878
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admin.pl" -j LOG --log-prefix " SID879 "	# "WEB-CGI admin.pl access" nocase-ignored classtype:attempted-recon sid:879
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/LWGate" -j LOG --log-prefix " SID880 "	# "WEB-CGI LWGate access" nocase-ignored classtype:attempted-recon sid:880
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/archie" -j LOG --log-prefix " SID881 "	# "WEB-CGI archie access" nocase-ignored classtype:attempted-recon sid:881
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/calendar" -j LOG --log-prefix " SID882 "	# "WEB-CGI calendar access" nocase-ignored classtype:attempted-recon sid:882
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/flexform" -j LOG --log-prefix " SID883 "	# "WEB-CGI flexform access" nocase-ignored classtype:attempted-recon sid:883
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/formmail" --string "%0a" -j LOG --log-prefix " SID1610 "	# "WEB-CGI formmail attempt" nocase-ignored nocase-ignored bugtraq,1187 cve,CVE-1999-0172 arachnids,226 classtype:web-application-attack sid:1610
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/formmail" -j LOG --log-prefix " SID884 "	# "WEB-CGI formmail access" nocase-ignored bugtraq,1187 cve,CVE-1999-0172 arachnids,226 classtype:web-application-activity sid:884
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/phf" -j LOG --log-prefix " SID886 "	# "WEB-CGI phf access" nocase-ignored bugtraq,629 arachnids,128 cve,CVE-1999-0067 classtype:attempted-recon sid:886
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/www-sql" -j LOG --log-prefix " SID887 "	# "WEB-CGI www-sql access" nocase-ignored classtype:attempted-recon sid:887
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/wwwadmin.pl" -j LOG --log-prefix " SID888 "	# "WEB-CGI wwwadmin.pl access" nocase-ignored classtype:attempted-recon sid:888
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ppdscgi.exe" -j LOG --log-prefix " SID889 "	# "WEB-CGI ppdscgi.exe access" nocase-ignored bugtraq,491 classtype:attempted-recon sid:889
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/sendform.cgi" -j LOG --log-prefix " SID890 "	# "WEB-CGI sendform.cgi access" nocase-ignored classtype:attempted-recon sid:890
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/upload.pl" -j LOG --log-prefix " SID891 "	# "WEB-CGI upload.pl access" nocase-ignored classtype:attempted-recon sid:891
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/AnyForm2" -j LOG --log-prefix " SID892 "	# "WEB-CGI AnyForm2 access" nocase-ignored bugtraq,719 cve,CVE-1999-0066 classtype:attempted-recon sid:892
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/MachineInfo" -j LOG --log-prefix " SID893 "	# "WEB-CGI MachineInfo access" nocase-ignored cve,CAN-1999-1067 classtype:attempted-recon sid:893
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bb-hist.sh?HISTFILE=../.." -j LOG --log-prefix " SID1531 "	# "WEB-CGI bb-hist.sh attempt" nocase-ignored cve,CAN-1999-1462 bugtraq,142 classtype:web-application-attack sid:1531
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bb-hist.sh" -j LOG --log-prefix " SID894 "	# "WEB-CGI bb-hist.sh access" nocase-ignored cve,CAN-1999-1462 bugtraq,142 classtype:attempted-recon sid:894
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bb-histlog.sh" -j LOG --log-prefix " SID1459 "	# "WEB-CGI bb-histlog.sh access" nocase-ignored bugtraq,142 cve,CAN-1999-1462 classtype:attempted-recon sid:1459
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bb-histsvc.sh" -j LOG --log-prefix " SID1460 "	# "WEB-CGI bb-histsvc.sh access" nocase-ignored bugtraq,142 cve,CAN-1999-1462 classtype:attempted-recon sid:1460
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bb-hostsvc.sh?HOSTSVC?../.." -j LOG --log-prefix " SID1532 "	# "WEB-CGI bb-hostscv.sh attempt" nocase-ignored cve,CVE-2000-0638 classtype:web-application-attack sid:1532
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bb-hostsvc.sh" -j LOG --log-prefix " SID1533 "	# "WEB-CGI bb-hostscv.sh access" nocase-ignored cve,CVE-2000-0638 classtype:web-application-activity sid:1533
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bb-rep.sh" -j LOG --log-prefix " SID1461 "	# "WEB-CGI bb-rep.sh access" nocase-ignored bugtraq,142 cve,CAN-1999-1462 classtype:attempted-recon sid:1461
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bb-replog.sh" -j LOG --log-prefix " SID1462 "	# "WEB-CGI bb-replog.sh access" nocase-ignored bugtraq,142 cve,CAN-1999-1462 classtype:attempted-recon sid:1462
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/redirect" -j LOG --log-prefix " SID895 "	# "WEB-CGI redirect access" nocase-ignored bugtraq,1179 cve,CVE-2000-0382 classtype:attempted-recon sid:895
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/way-board/way-board.cgi" --string "db=" --string "../.." --tcp-flags ACK ACK -j LOG --log-prefix " SID1397 "	# "WEB-CGI wayboard attempt" nocase-ignored bugtraq,2370 cve,CAN-2001-0214 classtype:web-application-attack sid:1397
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/way-board" --tcp-flags ACK ACK -j LOG --log-prefix " SID896 "	# "WEB-CGI wayboard access" nocase-ignored bugtraq,2370 cve,CAN-2001-0214 classtype:web-application-activity sid:896
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/pals-cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID897 "	# "WEB-CGI pals-cgi access" nocase-ignored cve,CAN-2001-0216 cve,CAN-2001-0217 bugtraq,2372 classtype:attempted-recon sid:897
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/commerce.cgi?page=../.." --tcp-flags ACK ACK -j LOG --log-prefix " SID1572 "	# "WEB-CGI commerce.cgi attempt" nocase-ignored bugtraq,2361 cve,CAN-2001-0210 classtype:attempted-recon sid:1572
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/commerce.cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID898 "	# "WEB-CGI commerce.cgi access" nocase-ignored bugtraq,2361 cve,CAN-2001-0210 classtype:attempted-recon sid:898
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/sendtemp.pl" --string "templ=" --tcp-flags ACK ACK -j LOG --log-prefix " SID899 "	# "WEB-CGI Amaya templates sendtemp.pl directory traversal attempt" nocase-ignored nocase-ignored bugtraq,2504 cve,CAN-2001-0272 classtype:web-application-attack sid:899
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/webspirs.cgi" --string "../../" --tcp-flags ACK ACK -j LOG --log-prefix " SID900 "	# "WEB-CGI webspirs directory traversal attempt" nocase-ignored nocase-ignored cve,CAN-2001-0211 bugtraq,2362 classtype:web-application-attack sid:900
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/webspirs.cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID901 "	# "WEB-CGI webspirs access" nocase-ignored cve,CAN-2001-0211 bugtraq,2362 classtype:attempted-recon sid:901
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "tstisapi.dll" --tcp-flags ACK ACK -j LOG --log-prefix " SID902 "	# "WEB-CGI tstisapi.dll access" nocase-ignored cve,CAN-2001-0302 classtype:attempted-recon sid:902
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/sendmessage.cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID1308 "	# "WEB-CGI sendmessage.cgi access" nocase-ignored classtype:attempted-recon sid:1308
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/lastlines.cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID1392 "	# "WEB-CGI lastlines.cgi access" nocase-ignored bugtraq,3755 bugtraq,3754 classtype:attempted-recon sid:1392
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/zml.cgi" --string "file=../" -j LOG --log-prefix " SID1395 "	# "WEB-CGI zml.cgi attempt" bugtraq,3759 classtype:web-application-activity sid:1395
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/zml.cgi" -j LOG --log-prefix " SID1396 "	# "WEB-CGI zml.cgi access" bugtraq,3759 classtype:web-application-activity sid:1396
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/publisher/search.cgi" --string "template=" --tcp-flags ACK ACK -j LOG --log-prefix " SID1405 "	# "WEB-CGI AHG search.cgi access" nocase-ignored nocase-ignored bugtraq,3985 classtype:web-application-activity sid:1405
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/store/agora.cgi?cart_id=<SCRIPT>" -j LOG --log-prefix " SID1534 "	# "WEB-CGI agora.cgi attempt" nocase-ignored cve,CAN-2001-1199 bugtraq,3976 classtype:web-application-attack sid:1534
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/store/agora.cgi" -j LOG --log-prefix " SID1406 "	# "WEB-CGI agora.cgi access" nocase-ignored cve,CAN-2001-1199 bugtraq,3976 classtype:web-application-activity sid:1406
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/rksh" -j LOG --log-prefix " SID877 "	# "WEB-CGI rksh access" nocase-ignored url,www.cert.org/advisories/CA-1996-11.html cve,CAN-1999-0509 classtype:attempted-recon sid:877
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bash" -j LOG --log-prefix " SID885 "	# "WEB-CGI bash access" nocase-ignored cve,CAN-1999-0509 url,www.cert.org/advisories/CA-1996-11.html classtype:web-application-activity classtype:web-application-activity sid:885
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/perl.exe" -j LOG --log-prefix " SID832 "	# "WEB-CGI perl.exe access" nocase-ignored url,www.cert.org/advisories/CA-1996-11.html arachnids,219 classtype:attempted-recon sid:832
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/zsh" -j LOG --log-prefix " SID1309 "	# "WEB-CGI zsh access" nocase-ignored url,www.cert.org/advisories/CA-1996-11.html cve,CAN-1999-0509 classtype:attempted-recon sid:1309
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/csh" -j LOG --log-prefix " SID862 "	# "WEB-CGI csh access" nocase-ignored url,www.cert.org/advisories/CA-1996-11.html cve,CAN-1999-0509 classtype:attempted-recon sid:862
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/tcsh" -j LOG --log-prefix " SID872 "	# "WEB-CGI tcsh access" nocase-ignored url,www.cert.org/advisories/CA-1996-11.html cve,CAN-1999-0509 classtype:attempted-recon sid:872
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/rsh" -j LOG --log-prefix " SID868 "	# "WEB-CGI rsh access" nocase-ignored cve,CAN-1999-0509 url,www.cert.org/advisories/CA-1996-11.html classtype:attempted-recon sid:868
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ksh" -j LOG --log-prefix " SID865 "	# "WEB-CGI ksh access" nocase-ignored url,www.cert.org/advisories/CA-1996-11.html cve,CAN-1999-0509 classtype:attempted-recon sid:865
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/auktion.cgi" -j LOG --log-prefix " SID1465 "	# "WEB-CGI auktion.cgi access" nocase-ignored bugtraq,2367 cve,CAN-2001-0212 classtype:attempted-recon sid:1465
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cgiforum.pl?thesection=../.." -j LOG --log-prefix " SID1573 "	# "WEB-CGI cgiforum.pl attempt" nocase-ignored bugtraq,1963 cve,CVE-2000-1171 classtype:web-application-attack sid:1573
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cgiforum.pl" -j LOG	# "WEB-CGI cgiforum.pl access" nocase-ignored bugtraq,1963 cve,CVE-2000-1171 classtype:web-application-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/directorypro.cgi" --string "show=../.." -j LOG --log-prefix " SID1574 "	# "WEB-CGI directorypro.cgi attempt" nocase-ignored cve,CAN-2001-0780 classtype:web-application-attack sid:1574
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/directorypro.cgi" -j LOG --log-prefix " SID1467 "	# "WEB-CGI directorypro.cgi access" nocase-ignored cve,CAN-2001-0780 classtype:web-application-activity sid:1467
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/shopper.cgi" --string "newpage=../" -j LOG --log-prefix " SID1468 "	# "WEB-CGI Web Shopper shopper.cgi attempt" nocase-ignored nocase-ignored cve,CVE-2000-0922 bugtraq,1776 classtype:web-application-attack sid:1468
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/shopper.cgi" -j LOG --log-prefix " SID1469 "	# "WEB-CGI Web Shopper shopper.cgi access" nocase-ignored cve,CVE-2000-0922 bugtraq,1776 classtype:attempted-recon sid:1469
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/listrec.pl" -j LOG --log-prefix " SID1470 "	# "WEB-CGI listrec.pl access" nocase-ignored cve,CAN-2001-0997 classtype:attempted-recon sid:1470
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/mailnews.cgi" -j LOG --log-prefix " SID1471 "	# "WEB-CGI mailnews.cgi access" nocase-ignored cve,CAN-2001-0271 classtype:attempted-recon sid:1471
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/book.cgi" -j LOG --log-prefix " SID1472 "	# "WEB-CGI book.cgi access" nocase-ignored cve,CVE-2001-1114 bugtraq,3178 classtype:attempted-recon sid:1472
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/newsdesk.cgi" -j LOG --log-prefix " SID1473 "	# "WEB-CGI newsdesk.cgi access" nocase-ignored cve,CAN-2001-0232 classtype:attempted-recon sid:1473
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cal_make.pl" -j LOG --log-prefix " SID1474 "	# "WEB-CGI cal_make.pl access" nocase-ignored cve,CVE-2001-0463 bugtraq,2663 classtype:attempted-recon sid:1474
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/mailit.pl" -j LOG --log-prefix " SID1475 "	# "WEB-CGI mailit.pl access" nocase-ignored classtype:attempted-recon sid:1475
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/sdbsearch.cgi" -j LOG --log-prefix " SID1476 "	# "WEB-CGI sdbsearch.cgi access" nocase-ignored cve,CAN-2001-1130 classtype:attempted-recon sid:1476
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/swc" -j LOG --log-prefix " SID1477 "	#Cannot convert: dsize:>1000	 "WEB-CGI swc attempt" nocase-ignored classtype:attempted-recon sid:1477
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/swc" -j LOG --log-prefix " SID1478 "	# "WEB-CGI swc access" nocase-ignored classtype:attempted-recon sid:1478
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ttawebtop.cgi" --string "pg=../" -j LOG --log-prefix " SID1479 "	# "WEB-CGI ttawebtop.cgi attempt" nocase-ignored nocase-ignored cve,CVE-2001-0805 bugtraq,2890 classtype:web-application-attack sid:1479
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ttawebtop.cgi" -j LOG --log-prefix " SID1480 "	# "WEB-CGI ttawebtop.cgi access" nocase-ignored cve,CVE-2001-0805 bugtraq,2890 classtype:attempted-recon sid:1480
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/upload.cgi" -j LOG --log-prefix " SID1481 "	# "WEB-CGI upload.cgi access" nocase-ignored classtype:attempted-recon sid:1481
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/view_source" -j LOG --log-prefix " SID1482 "	# "WEB-CGI view_source access" nocase-ignored classtype:attempted-recon sid:1482
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ustorekeeper.pl" -j LOG --log-prefix " SID1483 "	# "WEB-CGI ustorekeeper.pl access" nocase-ignored classtype:attempted-recon sid:1483
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfcache.map" -j LOG --log-prefix " SID903 "	# "WEB-COLDFUSION cfcache.map access" nocase-ignored bugtraq,917 cve,CVE-2000-0057 classtype:attempted-recon sid:903
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/exampleapp/email/application.cfm" -j LOG --log-prefix " SID904 "	# "WEB-COLDFUSION exampleapp application.cfm" nocase-ignored bugtraq,1021 classtype:attempted-recon sid:904
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/exampleapp/publish/admin/application.cfm" -j LOG --log-prefix " SID905 "	# "WEB-COLDFUSION application.cfm access" nocase-ignored bugtraq,1021 classtype:attempted-recon sid:905
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/exampleapp/email/getfile.cfm" -j LOG --log-prefix " SID906 "	# "WEB-COLDFUSION getfile.cfm access" nocase-ignored bugtraq,229 classtype:attempted-recon sid:906
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/exampleapp/publish/admin/addcontent.cfm" -j LOG --log-prefix " SID907 "	# "WEB-COLDFUSION addcontent.cfm access" nocase-ignored classtype:attempted-recon sid:907
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/cfide/administrator/index.cfm" --tcp-flags ACK ACK -j LOG --log-prefix " SID908 "	# "WEB-COLDFUSION administrator access" nocase-ignored cve,CVE-2000-0538 classtype:attempted-recon sid:908
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CF_SETDATASOURCEUSERNAME()" -j LOG --log-prefix " SID909 "	# "WEB-COLDFUSION datasource username attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:909
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/snippets/fileexists.cfm" -j LOG --log-prefix " SID910 "	# "WEB-COLDFUSION fileexists.cfm access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:910
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/expeval/exprcalc.cfm" -j LOG --log-prefix " SID911 "	# "WEB-COLDFUSION exprcalc access" nocase-ignored cve,CVE-1999-0455 bugtraq,550 classtype:attempted-recon sid:911
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/examples/parks/detail.cfm" -j LOG --log-prefix " SID912 "	# "WEB-COLDFUSION parks access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:912
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfappman/index.cfm" -j LOG --log-prefix " SID913 "	# "WEB-COLDFUSION cfappman access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:913
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/examples/cvbeans/beaninfo.cfm" -j LOG --log-prefix " SID914 "	# "WEB-COLDFUSION beaninfo access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:914
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/snippets/evaluate.cfm" -j LOG --log-prefix " SID915 "	# "WEB-COLDFUSION evaluate.cfm access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:915
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_GETODBCDSN()" -j LOG --log-prefix " SID916 "	# "WEB-COLDFUSION getodbcdsn access" nocase-ignored bugtraq,550 classtype:web-application-attack sid:916
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_DBCONNECTIONS_FLUSH()" -j LOG --log-prefix " SID917 "	# "WEB-COLDFUSION db connections flush attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:917
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/expeval/" -j LOG --log-prefix " SID918 "	# "WEB-COLDFUSION expeval access" nocase-ignored bugtraq,550 cve,CAN-1999-0477 classtype:attempted-user sid:918
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CF_SETDATASOURCEPASSWORD()" -j LOG --log-prefix " SID919 "	# "WEB-COLDFUSION datasource passwordattempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:919
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CF_ISCOLDFUSIONDATASOURCE()" -j LOG --log-prefix " SID920 "	# "WEB-COLDFUSION datasource attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:920
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_ENCRYPT()" -j LOG --log-prefix " SID921 "	# "WEB-COLDFUSION admin encrypt attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:921
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/expeval/displayopenedfile.cfm" -j LOG --log-prefix " SID922 "	# "WEB-COLDFUSION displayfile access" nocase-ignored bugtraq,550 classtype:web-application-attack sid:922
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_GETODBCINI()" -j LOG --log-prefix " SID923 "	# "WEB-COLDFUSION getodbcin attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:923
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_DECRYPT()" -j LOG --log-prefix " SID924 "	# "WEB-COLDFUSION admin decrypt attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:924
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/examples/mainframeset.cfm" -j LOG --log-prefix " SID925 "	# "WEB-COLDFUSION mainframeset access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:925
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_SETODBCINI()" -j LOG --log-prefix " SID926 "	# "WEB-COLDFUSION set odbc ini attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:926
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_SETTINGS_REFRESH()" -j LOG --log-prefix " SID927 "	# "WEB-COLDFUSION settings refresh attempt" nocase-ignored bugtraq,550 classtype:web-application-attack sid:927
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/exampleapp/" -j LOG --log-prefix " SID928 "	# "WEB-COLDFUSION exampleapp access" nocase-ignored classtype:attempted-recon sid:928
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "CFUSION_VERIFYMAIL()" -j LOG --log-prefix " SID929 "	# "WEB-COLDFUSION CFUSION_VERIFYMAIL access" nocase-ignored bugtraq,550 classtype:attempted-user sid:929
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/snippets/" -j LOG --log-prefix " SID930 "	# "WEB-COLDFUSION snippets attempt" nocase-ignored bugtraq,550 classtype:attempted-recon sid:930
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/cfmlsyntaxcheck.cfm" -j LOG --log-prefix " SID931 "	# "WEB-COLDFUSION cfmlsyntaxcheck.cfm access" nocase-ignored bugtraq,550 classtype:attempted-recon sid:931
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/application.cfm" -j LOG --log-prefix " SID932 "	# "WEB-COLDFUSION application.cfm access" nocase-ignored bugtraq,550 arachnids,268 cve,CAN-2000-0189 classtype:attempted-recon sid:932
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/onrequestend.cfm" -j LOG --log-prefix " SID933 "	# "WEB-COLDFUSION onrequestend.cfm access" nocase-ignored bugtraq,550 arachnids,269 cve,CAN-2000-0189 classtype:attempted-recon sid:933
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/cfide/administrator/startstop.html" --tcp-flags ACK ACK -j LOG --log-prefix " SID935 "	# "WEB-COLDFUSION startstop DOS access" nocase-ignored bugtraq,247 classtype:web-application-attack sid:935
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfdocs/snippets/gettempdirectory.cfm" -j LOG --log-prefix " SID936 "	# "WEB-COLDFUSION gettempdirectory.cfm access " nocase-ignored bugtraq,550 classtype:attempted-recon sid:936
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/isapi/tstisapi.dll" -j LOG --log-prefix " SID1484 "	# "WEB-IIS /isapi/tstisapi.dll access" nocase-ignored cve,CAN-2001-0302 bugtraq,2381 classtype:web-application-activity sid:1484
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/mkilog.exe" -j LOG --log-prefix " SID1485 "	# "WEB-IIS mkilog.exe access" nocase-ignored classtype:web-application-activity sid:1485
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ctss.idc" -j LOG --log-prefix " SID1486 "	# "WEB-IIS ctss.idc access" nocase-ignored classtype:web-application-activity sid:1486
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/iisadmpwd/aexp2.htr" -j LOG --log-prefix " SID1487 "	# "WEB-IIS /iisadmpwd/aexp2.htr access" classtype:web-application-activity sid:1487
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "LOCK " -j LOG --log-prefix " SID969 "	# "WEB-IIS webdav file lock attempt" bugtraq,2736 classtype:web-application-activity sid:969
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".printer" --tcp-flags ACK ACK -j LOG --log-prefix " SID971 "	# "WEB-IIS ISAPI .printer access" nocase-ignored cve,CAN-2001-0241 arachnids,533 classtype:web-application-activity sid:971
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".ida?" --tcp-flags ACK ACK -j LOG --log-prefix " SID1243 "	#Cannot convert: dsize:>239	 "WEB-IIS ISAPI .ida attempt" nocase-ignored arachnids,552 classtype:web-application-attack cve,CAN-2000-0071 sid:1243
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".ida" --tcp-flags ACK ACK -j LOG --log-prefix " SID1242 "	# "WEB-IIS ISAPI .ida access" nocase-ignored arachnids,552 classtype:web-application-activity cve,CAN-2000-0071 sid:1242
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".idq?" --tcp-flags ACK ACK -j LOG --log-prefix " SID1244 "	#Cannot convert: dsize:>239	 "WEB-IIS ISAPI .idq attempt" nocase-ignored arachnids,553 classtype:web-application-attack cve,CAN-2000-0071 sid:1244
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".idq" --tcp-flags ACK ACK -j LOG --log-prefix " SID1245 "	# "WEB-IIS ISAPI .idq access" nocase-ignored arachnids,553 classtype:web-application-activity cve,CAN-2000-0071 sid:1245
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%2e.asp" -j LOG --log-prefix " SID972 "	# "WEB-IIS %2E-asp access" nocase-ignored bugtraq,1814 cve,CAN-1999-0253 classtype:web-application-activity sid:972
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "*.idc" -j LOG --log-prefix " SID973 "	# "WEB-IIS *.idc attempt" nocase-ignored bugtraq,1448 cve,CVE-1999-0874 classtype:web-application-attack sid:973
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "..\\.." -j LOG --log-prefix " SID974 "	# "WEB-IIS .... access" bugtraq,2218 cve,CAN-1999-0229 classtype:web-application-attack sid:974
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".asp::$DATA" -j LOG --log-prefix " SID975 "	#Cannot convert: EN-US q188806	 "WEB-IIS .asp::$DATA access" nocase-ignored bugtraq,149 url,support.microsoft.com/default.aspx?scid=kb cve,CVE-1999-0278 classtype:web-application-attack sid:975
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".bat?" -j LOG --log-prefix " SID976 "	# "WEB-IIS .bat? access" nocase-ignored bugtraq,2023 cve,CVE-1999-0233 url,support.microsoft.com/support/kb/articles/Q148/1/88.asp url,support.microsoft.com/support/kb/articles/Q155/0/56.asp classtype:web-application-activity sid:976
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".cnf" --tcp-flags ACK ACK -j LOG --log-prefix " SID977 "	# "WEB-IIS .cnf access" nocase-ignored classtype:web-application-activity sid:977
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%20" --string "&CiRestriction=none" --string "&CiHiliteType=Full" -j LOG --log-prefix " SID978 "	# "WEB-IIS ASP contents view" nocase-ignored nocase-ignored cve,CAN-2000-0302 bugtraq,1084 classtype:web-application-attack sid:978
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".htw?CiWebHitsFile" -j LOG --log-prefix " SID979 "	# "WEB-IIS ASP contents view" bugtraq,1864 classtype:web-application-attack sid:979
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/CGImail.exe" -j LOG --log-prefix " SID980 "	# "WEB-IIS CGImail.exe access" nocase-ignored cve,CAN-2000-0726 bugtraq,1623 classtype:web-application-activity sid:980
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/scripts/..%c0%af../" --tcp-flags ACK ACK -j LOG --log-prefix " SID981 "	# "WEB-IIS File permission canonicalization" nocase-ignored classtype:web-application-attack sid:981
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/scripts/..%c1%1c../" --tcp-flags ACK ACK -j LOG --log-prefix " SID982 "	# "WEB-IIS File permission canonicalization" nocase-ignored classtype:web-application-attack sid:982
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/scripts/..%c1%9c../" --tcp-flags ACK ACK -j LOG --log-prefix " SID983 "	# "WEB-IIS File permission canonicalization" nocase-ignored classtype:web-application-attack sid:983
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/proxy/w3proxy.dll" -j LOG --log-prefix " SID986 "	# "WEB-IIS MSProxy access" nocase-ignored classtype:web-application-activity sid:986
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".htr" -j LOG --log-prefix " SID987 "	# "WEB-IIS Overflow-htr access" nocase-ignored classtype:web-application-attack sid:987
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "sam._" -j LOG --log-prefix " SID988 "	# "WEB-IIS SAM Attempt" nocase-ignored classtype:web-application-attack sid:988
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/sensepost.exe" --tcp-flags ACK ACK -j LOG --log-prefix " SID989 "	# "WEB-IIS Unicode2.pl script (File permission canonicalization)" nocase-ignored classtype:web-application-activity sid:989
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "_vti_inf.html" -j LOG --log-prefix " SID990 "	# "WEB-IIS _vti_inf access" nocase-ignored classtype:web-application-activity sid:990
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/iisadmpwd/achg.htr" -j LOG --log-prefix " SID991 "	# "WEB-IIS achg.htr access" nocase-ignored cve,CVE-1999-0407 bugtraq,2110 classtype:web-application-activity sid:991
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/iisadmin" -j LOG --log-prefix " SID993 "	# "WEB-IIS admin access" nocase-ignored classtype:web-application-attack sid:993
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/iisadmin/default.htm" -j LOG --log-prefix " SID994 "	# "WEB-IIS /scripts/iisadmin/default.htm access" nocase-ignored classtype:web-application-attack sid:994
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/iisadmin/ism.dll?http/dir" -j LOG --log-prefix " SID995 "	# "WEB-IIS ism.dll access" nocase-ignored cve,CVE-2000-0630 bugtraq,189 classtype:web-application-attack sid:995
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/iisadmpwd/anot" -j LOG --log-prefix " SID996 "	# "WEB-IIS anot.htr access" nocase-ignored bugtraq,2110 cve,CAN-1999-0407 classtype:web-application-activity sid:996
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".asp." -j LOG --log-prefix " SID997 "	# "WEB-IIS asp-dot attempt" nocase-ignored classtype:web-application-attack sid:997
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "#filename=*.asp" -j LOG --log-prefix " SID998 "	# "WEB-IIS asp-srch attempt" nocase-ignored classtype:web-application-attack sid:998
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/iisadmin/bdir.htr" -j LOG --log-prefix " SID999 "	# "WEB-IIS bdir access" nocase-ignored classtype:web-application-activity sid:999
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/bdir.htr" --tcp-flags ACK ACK -j LOG --log-prefix " SID1000 "	# "WEB-IIS bdir.ht access" nocase-ignored classtype:web-application-activity sid:1000
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "cmd.exe" -j LOG --log-prefix " SID1002 "	# "WEB-IIS cmd.exe access" nocase-ignored classtype:web-application-attack sid:1002
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".cmd?&" -j LOG --log-prefix " SID1003 "	# "WEB-IIS cmd? access" nocase-ignored classtype:web-application-attack sid:1003
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/Form_JScript.asp" --tcp-flags ACK ACK -j LOG --log-prefix " SID1007 "	# "WEB-IIS cross-site scripting attempt" nocase-ignored classtype:web-application-attack sid:1007
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/Form_VBScript.asp" --tcp-flags ACK ACK -j LOG --log-prefix " SID1380 "	# "WEB-IIS cross-site scripting attempt" nocase-ignored classtype:web-application-attack sid:1380
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "&del+/s+c:\*.*" -j LOG --log-prefix " SID1008 "	# "WEB-IIS del attempt" nocase-ignored classtype:web-application-attack sid:1008
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/ServerVariables_Jscript.asp" --tcp-flags ACK ACK -j LOG --log-prefix " SID1009 "	# "WEB-IIS directory listing" nocase-ignored classtype:web-application-attack sid:1009
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%1u" -j LOG --log-prefix " SID1010 "	# "WEB-IIS encoding access" arachnids,200 classtype:web-application-activity sid:1010
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "#filename=*.exe" -j LOG --log-prefix " SID1011 "	# "WEB-IIS exec-src access" nocase-ignored classtype:web-application-activity sid:1011
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/fpcount.exe" --string "Digits=" -j LOG --log-prefix " SID1012 "	# "WEB-IIS fpcount attempt" nocase-ignored bugtraq,2252 classtype:web-application-attack sid:1012
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/fpcount.exe" -j LOG --log-prefix " SID1013 "	# "WEB-IIS fpcount access" nocase-ignored bugtraq,2252 classtype:web-application-activity sid:1013
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/tools/getdrvs.exe" -j LOG --log-prefix " SID1015 "	# "WEB-IIS getdrvs.exe access" nocase-ignored classtype:web-application-activity sid:1015
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "global.asa" -j LOG --log-prefix " SID1016 "	# "WEB-IIS global-asa access" nocase-ignored classtype:web-application-activity sid:1016
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "#filename=*.idc" -j LOG --log-prefix " SID1017 "	# "WEB-IIS idc-srch attempt" nocase-ignored cve,CVE-1999-0874 classtype:web-application-attack sid:1017
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/iisadmpwd/aexp" -j LOG --log-prefix " SID1018 "	# "WEB-IIS iisadmpwd attempt" nocase-ignored bugtraq,2110 cve,CVE-2000-0303 classtype:web-application-attack sid:1018
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?CiWebHitsFile=/" --string "&CiRestriction=none&CiHiliteType=Full" -j LOG --log-prefix " SID1019 "	# "WEB-IIS index server file sourcecode attempt" classtype:web-application-attack sid:1019
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".idc::$data" -j LOG --log-prefix " SID1020 "	# "WEB-IIS isc$data attempt" nocase-ignored bugtraq,307 cve,CVE-1999-0874 classtype:web-application-attack sid:1020
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%20%20%20%20%20.htr" -j LOG --log-prefix " SID1021 "	# "WEB-IIS ism.dll attempt" nocase-ignored cve,CAN-2000-0457 bugtraq,1193 classtype:web-application-attack sid:1021
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/advworks/equipment/catalog_type.asp" -j LOG --log-prefix " SID1022 "	# "WEB-IIS jet vba access" nocase-ignored bugtraq,286 cve,CVE-1999-0874 classtype:web-application-activity sid:1022
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/msadc/msadcs.dll" -j LOG --log-prefix " SID1023 "	# "WEB-IIS msadc/msadcs.dll access" nocase-ignored cve,CVE-1999-1011 bugtraq,529 classtype:web-application-activity sid:1023
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/tools/newdsn.exe" -j LOG --log-prefix " SID1024 "	# "WEB-IIS newdsn.exe access" nocase-ignored bugtraq,1818 cve,CVE-1999-0191 classtype:web-application-activity sid:1024
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/perl" -j LOG --log-prefix " SID1025 "	# "WEB-IIS perl access" nocase-ignored classtype:web-application-activity sid:1025
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%0a.pl" -j LOG --log-prefix " SID1026 "	# "WEB-IIS perl-browse0a attempt" nocase-ignored classtype:web-application-attack sid:1026
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%20.pl" -j LOG --log-prefix " SID1027 "	# "WEB-IIS perl-browse20 attempt" nocase-ignored classtype:web-application-attack sid:1027
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/ " -j LOG --log-prefix " SID1029 "	# "WEB-IIS scripts-browse access" nocase-ignored classtype:web-application-attack sid:1029
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/search97.vts" -j LOG --log-prefix " SID1030 "	# "WEB-IIS search97.vts access" bugtraq,162 classtype:web-application-activity sid:1030
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/adsamples/config/site.csc" -j LOG --log-prefix " SID1038 "	# "WEB-IIS site server config access" nocase-ignored bugtraq,256 classtype:web-application-activity sid:1038
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/samples/isapi/srch.htm" -j LOG --log-prefix " SID1039 "	# "WEB-IIS srch.htm access" nocase-ignored classtype:web-application-activity sid:1039
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/srchadm" -j LOG --log-prefix " SID1040 "	# "WEB-IIS srchadm access" nocase-ignored classtype:web-application-activity sid:1040
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/uploadn.asp" -j LOG --log-prefix " SID1041 "	# "WEB-IIS uploadn.asp access" nocase-ignored classtype:web-application-activity sid:1041
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "Translate: F" -j LOG --log-prefix " SID1042 "	# "WEB-IIS view source via translate header" nocase-ignored arachnids,305 bugtraq,1578 classtype:web-application-activity sid:1042
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".htw" --tcp-flags ACK ACK -j LOG --log-prefix " SID1044 "	#Cannot convert: dsize: >400	 "WEB-IIS webhits access" arachnids,237 classtype:web-application-activity sid:1044
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/site/iisamples" -j LOG --log-prefix " SID1046 "	# "WEB-IIS site/iisamples access" nocase-ignored classtype:web-application-activity sid:1046
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "scripts/root.exe?" -j LOG --log-prefix " SID1256 "	# "WEB-IIS CodeRed v2 root.exe access" nocase-ignored classtype:web-application-attack url,www.cert.org/advisories/CA-2001-19.html sid:1256
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/exchange/LogonFrm.asp?" --string "mailbox=" --string "%%%" -j LOG --log-prefix " SID1283 "	# "WEB-IIS outlook web dos" nocase-ignored nocase-ignored classtype:web-application-attack bugtraq,3223 sid:1283
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/scripts/samples/" --tcp-flags ACK ACK -j LOG --log-prefix " SID1400 "	# "WEB-IIS /scripts/samples/ access" nocase-ignored classtype:web-application-attack sid:1400
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/msadc/samples/" --tcp-flags ACK ACK -j LOG --log-prefix " SID1401 "	# "WEB-IIS /msadc/samples/ access" nocase-ignored classtype:web-application-attack sid:1401
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/iissamples/" --tcp-flags ACK ACK -j LOG --log-prefix " SID1402 "	# "WEB-IIS iissamples access" nocase-ignored classtype:web-application-attack sid:1402
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%5c" --string ".." -j LOG --log-prefix " SID970 "	# "WEB-IIS multiple decode attempt" cve,CAN-2001-0333 classtype:web-application-attack sid:970
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/msdac/" -j LOG --log-prefix " SID1285 "	# "WEB-IIS msdac access" nocase-ignored classtype:web-application-activity sid:1285
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_mem_bin/" -j LOG --log-prefix " SID1286 "	# "WEB-IIS _mem_bin access" nocase-ignored classtype:web-application-activity sid:1286
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/" -j LOG --log-prefix " SID1287 "	# "WEB-IIS scripts access" nocase-ignored classtype:web-application-activity sid:1287
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/fp30reg.dll" --tcp-flags ACK ACK -j LOG --log-prefix " SID1246 "	#Cannot convert: dsize: >258	 "WEB-FRONTPAGE rad overflow attempt" nocase-ignored classtype:web-application-attack arachnids,555 bugtraq,2906 cve,CAN-2001-0341 url,www.microsoft.com/technet/security/bulletin/MS01-035.asp sid:1246
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/fp4areg.dll" --tcp-flags ACK ACK -j LOG --log-prefix " SID1247 "	#Cannot convert: dsize: >259	 "WEB-FRONTPAGE rad overflow attempt" nocase-ignored cve,CAN-2001-0341 bugtraq,2906 classtype:web-application-attack sid:1247
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/fp30reg.dll" --tcp-flags ACK ACK -j LOG --log-prefix " SID1248 "	# "WEB-FRONTPAGE rad fp30reg.dll access" nocase-ignored classtype:web-application-activity arachnids,555 bugtraq,2906 cve,CAN-2001-0341 url,www.microsoft.com/technet/security/bulletin/MS01-035.asp sid:1248
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/fp4areg.dll" --tcp-flags ACK ACK -j LOG --log-prefix " SID1249 "	# "WEB-FRONTPAGE frontpage rad fp4areg.dll access" nocase-ignored cve,CAN-2001-0341 bugtraq,2906 classtype:web-application-activity sid:1249
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_rpc" -j LOG --log-prefix " SID937 "	# "WEB-FRONTPAGE _vti_rpc access" nocase-ignored bugtraq,2144 classtype:web-application-activity sid:937
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "POST" --string "/author.dll" -j LOG --log-prefix " SID939 "	# "WEB-FRONTPAGE posting" nocase-ignored classtype:web-application-activity sid:939
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/_vti_bin/shtml.dll" --tcp-flags ACK ACK -j LOG --log-prefix " SID940 "	# "WEB-FRONTPAGE shtml.dll access" nocase-ignored arachnids,292 classtype:web-application-activity sid:940
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admcgi/contents.htm" -j LOG --log-prefix " SID941 "	# "WEB-FRONTPAGE contents.htm access" nocase-ignored classtype:web-application-activity sid:941
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/orders.htm" -j LOG --log-prefix " SID942 "	# "WEB-FRONTPAGE orders.htm access" nocase-ignored classtype:web-application-activity sid:942
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/fpsrvadm.exe" -j LOG --log-prefix " SID943 "	# "WEB-FRONTPAGE fpsrvadm.exe access" nocase-ignored classtype:web-application-activity sid:943
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/fpremadm.exe" -j LOG --log-prefix " SID944 "	# "WEB-FRONTPAGE fpremadm.exe access" nocase-ignored classtype:web-application-activity sid:944
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admisapi/fpadmin.htm" -j LOG --log-prefix " SID945 "	# "WEB-FRONTPAGE fpadmin.htm access" nocase-ignored classtype:web-application-activity sid:945
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/Fpadmcgi.exe" -j LOG --log-prefix " SID946 "	# "WEB-FRONTPAGE fpadmcgi.exe access" nocase-ignored classtype:web-application-activity sid:946
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/orders.txt" -j LOG --log-prefix " SID947 "	# "WEB-FRONTPAGE orders.txt access" nocase-ignored classtype:web-application-activity sid:947
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/form_results.txt" -j LOG --log-prefix " SID948 "	# "WEB-FRONTPAGE form_results access" nocase-ignored classtype:web-application-activity sid:948
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/registrations.htm" -j LOG --log-prefix " SID949 "	# "WEB-FRONTPAGE registrations.htm access" nocase-ignored classtype:web-application-activity sid:949
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cfgwiz.exe" -j LOG --log-prefix " SID950 "	# "WEB-FRONTPAGE cfgwiz.exe access" nocase-ignored classtype:web-application-activity sid:950
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/authors.pwd" -j LOG --log-prefix " SID951 "	# "WEB-FRONTPAGE authors.pwd access" nocase-ignored classtype:web-application-activity sid:951
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_bin/_vti_aut/author.exe" -j LOG --log-prefix " SID952 "	# "WEB-FRONTPAGE author.exe access" nocase-ignored classtype:web-application-activity sid:952
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/administrators.pwd" -j LOG --log-prefix " SID953 "	# "WEB-FRONTPAGE administrators.pwd" nocase-ignored bugtraq,1205 classtype:web-application-activity sid:953
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/form_results.htm" -j LOG --log-prefix " SID954 "	# "WEB-FRONTPAGE form_results.htm access" nocase-ignored classtype:web-application-activity sid:954
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_pvt/access.cnf" -j LOG --log-prefix " SID955 "	# "WEB-FRONTPAGE access.cnf access" nocase-ignored classtype:web-application-activity sid:955
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/register.txt" -j LOG --log-prefix " SID956 "	# "WEB-FRONTPAGE register.txt access" nocase-ignored classtype:web-application-activity sid:956
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/registrations.txt" -j LOG --log-prefix " SID957 "	# "WEB-FRONTPAGE registrations.txt access" nocase-ignored classtype:web-application-activity sid:957
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_pvt/service.cnf" -j LOG --log-prefix " SID958 "	# "WEB-FRONTPAGE service.cnf access" nocase-ignored classtype:web-application-activity sid:958
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/service.pwd" -j LOG --log-prefix " SID959 "	# "WEB-FRONTPAGE service.pwd" nocase-ignored bugtraq,1205 classtype:web-application-activity sid:959
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_pvt/service.stp" -j LOG --log-prefix " SID960 "	# "WEB-FRONTPAGE service.stp access" nocase-ignored classtype:web-application-activity sid:960
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_pvt/services.cnf" -j LOG --log-prefix " SID961 "	# "WEB-FRONTPAGE services.cnf access" nocase-ignored classtype:web-application-activity sid:961
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_bin/shtml.exe" -j LOG --log-prefix " SID962 "	# "WEB-FRONTPAGE shtml.exe access" nocase-ignored cve,CAN-2000-0413 cve,CAN-2000-0709 bugtraq,1608 bugtraq,1174 classtype:web-application-activity sid:962
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_pvt/svcacl.cnf" -j LOG --log-prefix " SID963 "	# "WEB-FRONTPAGE svcacl.cnf access" nocase-ignored classtype:web-application-activity sid:963
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/users.pwd" -j LOG --log-prefix " SID964 "	# "WEB-FRONTPAGE users.pwd access" nocase-ignored classtype:web-application-activity sid:964
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_pvt/writeto.cnf" -j LOG --log-prefix " SID965 "	# "WEB-FRONTPAGE writeto.cnf access" nocase-ignored classtype:web-application-activity sid:965
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "..../" -j LOG --log-prefix " SID966 "	# "WEB-FRONTPAGE fourdots request" nocase-ignored bugtraq,989 cve,CAN-2000-0153 arachnids,248 classtype:web-application-attack sid:966
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/dvwssr.dll" -j LOG --log-prefix " SID967 "	# "WEB-FRONTPAGE dvwssr.dll access" nocase-ignored bugtraq,1108 cve,CVE-2000-0260 arachnids,271 url,www.microsoft.com/technet/security/bulletin/ms00-025.asp classtype:web-application-activity sid:967
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_private/register.htm" -j LOG --log-prefix " SID968 "	# "WEB-FRONTPAGE register.htm access" nocase-ignored classtype:web-application-activity sid:968
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_bin/" -j LOG --log-prefix " SID1288 "	# "WEB-FRONTPAGE /_vti_bin/ access" nocase-ignored classtype:web-application-activity sid:1288
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/level/*/exec/" --tcp-flags ACK ACK -j LOG --log-prefix " SID1250 "	#Cannot convert: regex	 "WEB-MISC Cisco IOS HTTP configuration attempt" classtype:web-application-attack bugtraq,2936 sid:1250
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "REVLOG / " --tcp-flags ACK ACK -j LOG --log-prefix " SID1047 "	# "WEB-MISC Netscape Enterprise DOS" cve,CAN-2001-0251 bugtraq,2294 classtype:web-application-attack sid:1047
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "INDEX " --tcp-flags ACK ACK -j LOG --log-prefix " SID1048 "	# "WEB-MISC Netscape Enterprise directory listing attempt" cve,CAN-2001-0250 bugtraq,2285 classtype:web-application-attack sid:1048
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "GETPROPERTIES" -j LOG --log-prefix " SID1050 "	# "WEB-MISC iPlanet GETPROPERTIES attempt" classtype:web-application-attack sid:1050
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/technote/main.cgi" --string "filename=" --string "../../" -j LOG --log-prefix " SID1051 "	# "WEB-MISC technote main.cgi file directory traversal attempt" nocase-ignored nocase-ignored cve,CVE-2001-0075 bugtraq,2156 classtype:web-application-attack sid:1051
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/technote/print.cgi" --string "board=" --string "../../" --string "%00" -j LOG --log-prefix " SID1052 "	# "WEB-MISC technote print.cgi directory traversal attempt" nocase-ignored nocase-ignored cve,CAN-2001-0075 bugtraq,2156 classtype:web-application-attack sid:1052
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ads.cgi" --string "file=" --string "../../" --string " -j LOG --log-prefix " SID1053 "	#Cannot convert: misconvert on quoted pipe: sid:1053	 "WEB-MISC ads.cgi command execution attempt" nocase-ignored nocase-ignored cve,CAN-2001-0025 bugtraq,2103 classtype:web-application-attack sid:1053
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".js%70" -j LOG --log-prefix " SID1054 "	# "WEB-MISC weblogic view source attempt" bugtraq,2527 classtype:web-application-attack sid:1054
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%00.jsp" -j LOG --log-prefix " SID1055 "	# "WEB-MISC tomcat directory traversal attempt" bugtraq,2518 classtype:web-application-attack sid:1055
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%252ejsp" -j LOG --log-prefix " SID1056 "	# "WEB-MISC tomcat view source attempt" bugtraq,2527 classtype:web-application-attack sid:1056
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "ftp.exe" -j LOG --log-prefix " SID1057 "	# "WEB-MISC ftp attempt" nocase-ignored classtype:web-application-activity sid:1057
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "xp_enumdsn" -j LOG --log-prefix " SID1058 "	# "WEB-MISC enumdsn attempt" nocase-ignored classtype:web-application-attack sid:1058
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "xp_filelist" -j LOG --log-prefix " SID1059 "	# "WEB-MISC filelist attempt" nocase-ignored classtype:web-application-attack sid:1059
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "xp_availablemedia" -j LOG --log-prefix " SID1060 "	# "WEB-MISC availablemedia attempt" nocase-ignored classtype:web-application-attack sid:1060
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "xp_cmdshell" -j LOG --log-prefix " SID1061 "	# "WEB-MISC cmdshell attempt" nocase-ignored classtype:web-application-attack sid:1061
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "nc.exe" -j LOG --log-prefix " SID1062 "	# "WEB-MISC nc.exe attempt" nocase-ignored classtype:web-application-activity sid:1062
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "wsh.exe" -j LOG --log-prefix " SID1064 "	# "WEB-MISC wsh attempt" nocase-ignored classtype:web-application-activity sid:1064
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "rcmd.exe" -j LOG --log-prefix " SID1065 "	# "WEB-MISC rcmd attempt" nocase-ignored classtype:web-application-activity sid:1065
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "telnet.exe" -j LOG --log-prefix " SID1066 "	# "WEB-MISC telnet attempt" nocase-ignored classtype:web-application-activity sid:1066
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "net.exe" -j LOG --log-prefix " SID1067 "	# "WEB-MISC net attempt" nocase-ignored classtype:web-application-activity sid:1067
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "tftp.exe" -j LOG --log-prefix " SID1068 "	# "WEB-MISC tftp attempt" nocase-ignored classtype:web-application-activity sid:1068
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "xp_regread" -j LOG --log-prefix " SID1069 "	# "WEB-MISC regread attempt" nocase-ignored classtype:web-application-activity sid:1069
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "SEARCH " -j LOG --log-prefix " SID1070 "	# "WEB-MISC webdav search access" nocase-ignored arachnids,474 classtype:web-application-activity sid:1070
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".htpasswd" -j LOG --log-prefix " SID1071 "	# "WEB-MISC .htpasswd access" nocase-ignored classtype:web-application-attack sid:1071
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string ".nsf/" --string "../" --tcp-flags ACK ACK -j LOG --log-prefix " SID1072 "	# "WEB-MISC Lotus Domino directory traversal" nocase-ignored cve,CVE-2001-0009 bugtraq,2173 classtype:web-application-attack sid:1072
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/samples/search/webhits.exe" -j LOG --log-prefix " SID1073 "	# "WEB-MISC webhits.exe access" nocase-ignored classtype:web-application-activity sid:1073
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/postinfo.asp" -j LOG --log-prefix " SID1075 "	# "WEB-MISC postinfo.asp access" nocase-ignored classtype:web-application-activity sid:1075
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/repost.asp" -j LOG --log-prefix " SID1076 "	# "WEB-MISC repost.asp access" nocase-ignored classtype:web-application-activity sid:1076
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/samples/search/queryhit.htm" -j LOG --log-prefix " SID1077 "	# "WEB-MISC queryhit.htm access" nocase-ignored classtype:web-application-activity sid:1077
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/counter.exe" -j LOG --log-prefix " SID1078 "	# "WEB-MISC counter.exe access" nocase-ignored bugtraq,267 classtype:web-application-activity sid:1078
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "<a:propfind" --string "xmlns:a="DAV">" --tcp-flags ACK ACK -j LOG --log-prefix " SID1079 "	# "WEB-MISC webdav propfind access" nocase-ignored nocase-ignored cve,CVE-2000-0869 classtype:web-application-activity sid:1079
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/servlet/com.unify.servletexec.UploadServlet" --tcp-flags ACK ACK -j LOG --log-prefix " SID1080 "	# "WEB-MISC unify eWave ServletExec upload" nocase-ignored classtype:web-application-attack sid:1080 bugtraq,1868 cve,CVE-2000-1024
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/dsgw/bin/search?context=" -j LOG --log-prefix " SID1081 "	# "WEB-MISC netscape servers suite DOS" nocase-ignored classtype:web-application-attack sid:1081 bugtraq,1868
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "ref%3Cscript%20language%3D%22Javascript" -j LOG --log-prefix " SID1082 "	# "WEB-MISC amazon 1-click cookie theft" nocase-ignored classtype:web-application-attack sid:1082 bugtraq,1194 cve,CVE-2000-0439
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/servlet/ServletExec" -j LOG --log-prefix " SID1083 "	# "WEB-MISC unify eWave ServletExec DOS" classtype:web-application-activity sid:1083
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "servlet/......." -j LOG --log-prefix " SID1084 "	# "WEB-MISC Allaire JRUN DOS attempt" nocase-ignored classtype:web-application-attack sid:1084 bugtraq,2337
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "ºIþÿÿ÷Ò¹¿ÿÿÿ÷Ñ" -j LOG --log-prefix " SID1085 "	# "WEB-MISC PHP strings overflow" bugtraq,802 arachnids,431 classtype:web-application-attack sid:1085
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?STRENGUR " -j LOG --log-prefix " SID1086 "	# "WEB-MISC PHP strings overflow" arachnids,430 classtype:web-application-attack sid:1086
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/web_store.cgi" --string "page=../" -j LOG --log-prefix " SID1088 "	# "WEB-MISC eXtropia webstore directory traversal" bugtraq,1774 cve,CVE-2000-1005 classtype:web-application-attack sid:1088
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/web_store.cgi" -j LOG --log-prefix " SID1611 "	# "WEB-MISC eXtropia webstore access" bugtraq,1774 cve,CVE-2000-1005 classtype:web-application-activity sid:1611
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/shop.cgi" --string "page=../" -j LOG --log-prefix " SID1089 "	# "WEB-MISC shopping cart directory traversal" bugtraq,1777 classtype:web-application-attack sid:1089
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/authenticate.cgi?PASSWORD" --string "config.ini" -j LOG --log-prefix " SID1090 "	# "WEB-MISC Allaire Pro Web Shell attempt" classtype:web-application-attack sid:1090
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "??????????" -j LOG --log-prefix " SID1091 "	# "WEB-MISC ICQ Webfront HTTP DOS" classtype:web-application-attack sid:1091
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/search.cgi?keys" --string "catigory=../" -j LOG --log-prefix " SID1092 "	# "WEB-MISC Armada Style Master Index directory traversal" classtype:web-application-attack sid:1092
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cached_feed.cgi" --string "../" -j LOG --log-prefix " SID1093 "	# "WEB-MISC moreover shopping cart directory traversal" bugtraq,1762 classtype:web-application-attack sid:1093
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webplus.exe?script=test.wml" -j LOG --log-prefix " SID1095 "	# "WEB-MISC Talentsoft Web+ Source Code view access" bugtraq,1722 classtype:web-application-attack sid:1095
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webplus.exe?about" -j LOG --log-prefix " SID1096 "	# "WEB-MISC Talentsoft Web+ internal IP Address access" bugtraq,1720 classtype:web-application-activity sid:1096
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webplus.cgi?Script=/webplus/webping/webping.wml" -j LOG --log-prefix " SID1097 "	# "WEB-MISC Talentsoft Web+ exploit attempt" bugtraq,1725 classtype:web-application-attack sid:1097
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "_private/shopping_cart.mdb" -j LOG --log-prefix " SID1098 "	# "WEB-MISC SmartWin CyberOffice Shopping Cart access" bugtraq,1734 classtype:web-application-attack sid:1098
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cybercop" -j LOG --log-prefix " SID1099 "	# "WEB-MISC cybercop scan" nocase-ignored arachnids,374 classtype:web-application-activity sid:1099
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "User-Agent: Java1.2.1" --tcp-flags ACK ACK -j LOG --log-prefix " SID1100 "	# "WEB-MISC L3retriever HTTP Probe" arachnids,310 classtype:web-application-activity sid:1100
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "User-Agent: Webtrends Security Analyzer" --tcp-flags ACK ACK -j LOG --log-prefix " SID1101 "	# "WEB-MISC Webtrends HTTP probe" arachnids,309 classtype:web-application-activity sid:1101
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/nessus_is_probing_you_" -j LOG --log-prefix " SID1102 "	# "WEB-MISC Nessus 404 probe" arachnids,301 classtype:web-application-activity sid:1102
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admin-serv/config/admpw" -j LOG --log-prefix " SID1103 "	# "WEB-MISC netscape admin passwd" nocase-ignored bugtraq,1579 classtype:web-application-attack sid:1103
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bb-hostsvc.sh?HOSTSVC" -j LOG --log-prefix " SID1105 "	# "WEB-MISC BigBrother access" nocase-ignored classtype:attempted-recon sid:1105
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/pollit/Poll_It_SSI_v2.0.cgi" -j LOG --log-prefix " SID1106 "	# "WEB-MISC Poll-it access" nocase-ignored cve,CAN-2000-0590 bugtraq,1431 classtype:attempted-recon sid:1106
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ftp.pl?dir=../.." -j LOG --log-prefix " SID1612 "	# "WEB-MISC ftp.pl attempt" nocase-ignored cve,CAN-2000-0674 bugtraq,1471 classtype:web-application-attack sid:1612
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ftp.pl" -j LOG --log-prefix " SID1107 "	# "WEB-MISC ftp.pl access" nocase-ignored cve,CAN-2000-0674 bugtraq,1471 classtype:web-application-activity sid:1107
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/jsp/snp/*.snp" -j LOG --log-prefix " SID1108 "	#Cannot convert: regex	 "WEB-MISC tomcat server snoop access" cve,CAN-2000-0760 bugtraq,1532 classtype:attempted-recon sid:1108
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/%00" -j LOG --log-prefix " SID1109 "	# "WEB-MISC ROXEN directory list attempt" bugtraq,1510 cve,CVE-2000-0671 classtype:attempted-recon sid:1109
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/site/eg/source.asp" -j LOG --log-prefix " SID1110 "	# "WEB-MISC apache source.asp file access" nocase-ignored bugtraq,1457 cve,CVE-2000-0628 classtype:attempted-recon sid:1110
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/contextAdmin/contextAdmin.html" -j LOG --log-prefix " SID1111 "	# "WEB-MISC tomcat server exploit access" nocase-ignored classtype:attempted-recon sid:1111
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "..\" -j LOG --log-prefix " SID1112 "	#Cannot convert: Mishandled quotes	 "WEB-MISC http directory traversal" arachnids,298 classtype:attempted-recon sid:1112
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "get //" -j LOG --log-prefix " SID1114 "	# "WEB-MISC prefix-get //" nocase-ignored classtype:attempted-recon sid:1114
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".html/......" -j LOG --log-prefix " SID1115 "	# "WEB-MISC ICQ webserver DOS" nocase-ignored cve,CVE-1999-0474 classtype:attempted-dos sid:1115
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?DeleteDocument" -j LOG --log-prefix " SID1116 "	# "WEB-MISC Lotus DelDoc attempt" nocase-ignored classtype:attempted-recon sid:1116
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?EditDocument" -j LOG --log-prefix " SID1117 "	# "WEB-MISC Lotus EditDoc attempt" nocase-ignored classtype:attempted-recon url,www.securiteam.com/exploits/5NP080A1RE.html sid:1117
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "ls%20-l" -j LOG --log-prefix " SID1118 "	# "WEB-MISC ls%20-l" nocase-ignored classtype:attempted-recon sid:1118
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/mlog.phtml" -j LOG --log-prefix " SID1119 "	# "WEB-MISC mlog.phtml access" nocase-ignored bugtraq,713 cve,CVE-1999-0346 classtype:attempted-recon sid:1119
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/mylog.phtml" -j LOG --log-prefix " SID1120 "	# "WEB-MISC mylog.phtml access" nocase-ignored bugtraq,713 cve,CVE-1999-0346 classtype:attempted-recon sid:1120
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cgi-dos/args.bat" -j LOG --log-prefix " SID1121 "	# "WEB-MISC O'Reilly args.bat access" nocase-ignored classtype:attempted-recon sid:1121
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/etc/passwd" -j LOG --log-prefix " SID1122 "	# "WEB-MISC /etc/passwd" nocase-ignored classtype:attempted-recon sid:1122
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?PageServices" -j LOG --log-prefix " SID1123 "	# "WEB-MISC PageService access" nocase-ignored bugtraq,1063 cve,CVE-1999-0269 classtype:attempted-recon sid:1123
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/config/check.txt" -j LOG --log-prefix " SID1124 "	# "WEB-MISC Ecommerce check.txt access" nocase-ignored classtype:attempted-recon sid:1124
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webcart/" -j LOG --log-prefix " SID1125 "	# "WEB-MISC webcart access" nocase-ignored classtype:attempted-recon sid:1125
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "_AuthChangeUrl?" -j LOG --log-prefix " SID1126 "	# "WEB-MISC AuthChangeUrl access" nocase-ignored classtype:attempted-recon sid:1126
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/convert.bas" -j LOG --log-prefix " SID1127 "	# "WEB-MISC convert.bas access" nocase-ignored bugtraq,2025 cve,CVE-1999-0175 classtype:attempted-recon sid:1127
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/scripts/cpshost.dll" -j LOG --log-prefix " SID1128 "	# "WEB-MISC cpshost.dll access" nocase-ignored classtype:attempted-recon sid:1128
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".htaccess" -j LOG --log-prefix " SID1129 "	# "WEB-MISC .htaccess access" nocase-ignored classtype:attempted-recon sid:1129
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".wwwacl" -j LOG --log-prefix " SID1130 "	# "WEB-MISC .wwwacl access" nocase-ignored classtype:attempted-recon sid:1130
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".www_acl" -j LOG --log-prefix " SID1131 "	# "WEB-MISC .wwwacl access" nocase-ignored classtype:attempted-recon sid:1131
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 457 -m string --string "ë_šÿÿÿÿÿÃ^1À‰F" --tcp-flags ACK ACK -j LOG --log-prefix " SID1132 "	# "WEB-MISC netscape unixware overflow" arachnids,180 classtype:attempted-recon sid:1132
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 -m string --string "AAAAAAAAAAAAAAAA" --tcp-flags ALL FIN,PSH,SYN -j LOG --log-prefix " SID1133 "	#Cannot convert: ack: 0	 "SCAN cybercop os probe" arachnids,145 classtype:attempted-recon sid:1133
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admin.php3" -j LOG --log-prefix " SID1134 "	# "WEB-MISC Phorum admin access" nocase-ignored bugtraq,2271 arachnids,205 classtype:attempted-recon sid:1134
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "cd.." -j LOG --log-prefix " SID1136 "	# "WEB-MISC cd.." nocase-ignored classtype:attempted-recon sid:1136
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "PHP_AUTH_USER=boogieman" -j LOG --log-prefix " SID1137 "	# "WEB-MISC Phorum auth access" nocase-ignored bugtraq,2274 arachnids,206 classtype:attempted-recon sid:1137
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string " /%%" -j LOG --log-prefix " SID1138 "	# "WEB-MISC Cisco Web DOS attempt" arachnids,275 classtype:attempted-dos sid:1138
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/guestbook.pl" -j LOG --log-prefix " SID1140 "	# "WEB-MISC guestbook.pl access" nocase-ignored bugtraq,776 cve,CVE-1999-0237 arachnids,228 classtype:attempted-recon sid:1140
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/handler" --string " -j LOG --log-prefix " SID1613 "	# "WEB-MISC handler attempt" nocase-ignored bugtraq,380 arachnids,235 cve,CVE-1999-0148 classtype:web-application-attack sid:1613
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/handler" -j LOG --log-prefix " SID1141 "	# "WEB-MISC handler access" nocase-ignored bugtraq,380 arachnids,235 cve,CVE-1999-0148 classtype:web-application-activity sid:1141
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/...." -j LOG --log-prefix " SID1142 "	# "WEB-MISC /...." classtype:attempted-recon sid:1142
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "///cgi-bin" -j LOG --log-prefix " SID1143 "	# "WEB-MISC ///cgi-bin" nocase-ignored classtype:attempted-recon sid:1143
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cgi-bin///" -j LOG --log-prefix " SID1144 "	# "WEB-MISC /cgi-bin/// access" nocase-ignored classtype:attempted-recon sid:1144
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/~root" -j LOG --log-prefix " SID1145 "	# "WEB-MISC /~root" nocase-ignored classtype:attempted-recon sid:1145
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/config/import.txt" -j LOG --log-prefix " SID1146 "	# "WEB-MISC Ecommerce import.txt access" nocase-ignored classtype:attempted-recon sid:1146
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "cat%20" -j LOG --log-prefix " SID1147 "	# "WEB-MISC cat%20 access" nocase-ignored cve,CVE-1999-0039 bugtraq,374 classtype:attempted-recon sid:1147
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/orders/import.txt" -j LOG --log-prefix " SID1148 "	# "WEB-MISC Ecommerce import.txt access" nocase-ignored classtype:attempted-recon sid:1148
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/count.cgi" -j LOG --log-prefix " SID1149 "	# "WEB-MISC count.cgi access" nocase-ignored bugtraq,128 cve,CVE-1999-0021 classtype:attempted-recon sid:1149
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/catalog.nsf" -j LOG --log-prefix " SID1150 "	# "WEB-MISC Domino catalog.ns access" nocase-ignored classtype:attempted-recon sid:1150
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/domcfg.nsf" -j LOG --log-prefix " SID1151 "	# "WEB-MISC Domino domcfg.nsf access" nocase-ignored classtype:attempted-recon sid:1151
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/domlog.nsf" -j LOG --log-prefix " SID1152 "	# "WEB-MISC Domino domlog.nsf access" nocase-ignored classtype:attempted-recon sid:1152
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/log.nsf" -j LOG --log-prefix " SID1153 "	# "WEB-MISC Domino log.nsf access" nocase-ignored classtype:attempted-recon sid:1153
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/names.nsf" -j LOG --log-prefix " SID1154 "	# "WEB-MISC Domino names.nsf access" nocase-ignored classtype:attempted-recon sid:1154
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/mab.nsf" -j LOG --log-prefix " SID1575 "	# "WEB-MISC Domino mab.nsf access" nocase-ignored classtype:attempted-recon sid:1575
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cersvr.nsf" -j LOG --log-prefix " SID1576 "	# "WEB-MISC Domino cersvr.nsf access" nocase-ignored classtype:attempted-recon sid:1576
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/setup.nsf" -j LOG --log-prefix " SID1577 "	# "WEB-MISC Domino setup.nsf access" nocase-ignored classtype:attempted-recon sid:1577
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/statrep.nsf" -j LOG --log-prefix " SID1578 "	# "WEB-MISC Domino statrep.nsf access" nocase-ignored classtype:attempted-recon sid:1578
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/webadmin.nsf" -j LOG --log-prefix " SID1579 "	# "WEB-MISC Domino webadmin.nsf access" nocase-ignored classtype:attempted-recon sid:1579
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/events4.nsf" -j LOG --log-prefix " SID1580 "	# "WEB-MISC Domino events4.nsf access" nocase-ignored classtype:attempted-recon sid:1580
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ntsync4.nsf" -j LOG --log-prefix " SID1581 "	# "WEB-MISC Domino ntsync4.nsf access" nocase-ignored classtype:attempted-recon sid:1581
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/collect4.nsf" -j LOG --log-prefix " SID1582 "	# "WEB-MISC Domino collect4.nsf access" nocase-ignored classtype:attempted-recon sid:1582
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/mailw46.nsf" -j LOG --log-prefix " SID1583 "	# "WEB-MISC Domino mailw46.nsf access" nocase-ignored classtype:attempted-recon sid:1583
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bookmark.nsf" -j LOG --log-prefix " SID1584 "	# "WEB-MISC Domino bookmark.nsf access" nocase-ignored classtype:attempted-recon sid:1584
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/agentrunner.nsf" -j LOG --log-prefix " SID1585 "	# "WEB-MISC Domino agentrunner.nsf access" nocase-ignored classtype:attempted-recon sid:1585
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/mail.box" -j LOG --log-prefix " SID1586 "	# "WEB-MISC Domino mail.box access" nocase-ignored classtype:attempted-recon sid:1586
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/orders/checks.txt" -j LOG --log-prefix " SID1155 "	# "WEB-MISC Ecommerce checks.txt access" nocase-ignored classtype:attempted-recon sid:1155
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "////////" -j LOG --log-prefix " SID1156 "	# "WEB-MISC apache DOS attempt" classtype:attempted-dos sid:1156
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/PSUser/PSCOErrPage.htm?" -j LOG --log-prefix " SID1157 "	# "WEB-MISC netscape PublishingXpert 2 Exploit" nocase-ignored cve,CAN-2000-1196 classtype:attempted-recon sid:1157
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/windmail.exe" --string "-n" --string "mail" -j LOG --log-prefix " SID1158 "	# "WEB-MISC windmail access" nocase-ignored nocase-ignored cve,CAN-2000-0242 bugtraq,1073 arachnids,465 classtype:attempted-recon sid:1158
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "webplus?script" --tcp-flags ACK ACK -j LOG --log-prefix " SID1159 "	# "WEB-MISC webplus access" nocase-ignored cve,CVE-2000-1005 bugtraq,1174 bugtraq,1720 bugtraq,1722 bugtraq,1725 classtype:attempted-recon sid:1159
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-" -j LOG --log-prefix " SID1160 "	# "WEB-MISC netscape dir index wp" nocase-ignored bugtraq,1063 cve,CVE-2000-0236 arachnids,270 classtype:attempted-recon sid:1160
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/passwd.php3" -j LOG --log-prefix " SID1161 "	# "WEB-MISC piranha passwd.php3 access" bugtraq,1149 cve,CVE-2000-0322 arachnids,272 classtype:attempted-recon sid:1161
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/c32web.exe/ChangeAdminPassword" -j LOG --log-prefix " SID1162 "	# "WEB-MISC cart 32 AdminPwd access" nocase-ignored cve,CAN-2000-0429 bugtraq,1153 classtype:attempted-recon sid:1162
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/webdist.cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID1163 "	# "WEB-MISC webdist.cgi access" nocase-ignored bugtraq,374 cve,CVE-1999-0039 classtype:attempted-recon sid:1163
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/quikstore.cfg" --tcp-flags ACK ACK -j LOG --log-prefix " SID1164 "	# "WEB-MISC shopping cart access access" nocase-ignored classtype:attempted-recon sid:1164
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/GWWEB.EXE?HELP=" -j LOG --log-prefix " SID1614 "	# "WEB-MISC novell groupwise gwweb.exe attempt" nocase-ignored bugtraq,879 cve,CAN-1999-1006 classtype:attempted-recon sid:1614
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/GWWEB.EXE" -j LOG --log-prefix " SID1165 "	# "WEB-MISC novell groupwise gwweb.exe access" nocase-ignored bugtraq,879 cve,CAN-1999-1006 classtype:attempted-recon sid:1165
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/ws_ftp.ini" --tcp-flags ACK ACK -j LOG --log-prefix " SID1166 "	# "WEB-MISC ws_ftp.ini access" nocase-ignored cve,CAN-1999-1078 bugtraq,547 classtype:attempted-recon sid:1166
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/rmp_query" -j LOG --log-prefix " SID1167 "	# "WEB-MISC rpm_query access" nocase-ignored cve,CVE-2000-0192 bugtraq,1036 classtype:attempted-recon sid:1167
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/mall_log_files/order.log" --tcp-flags ACK ACK -j LOG --log-prefix " SID1168 "	# "WEB-MISC mall log order access" nocase-ignored classtype:attempted-recon sid:1168
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/bigconf.cgi" --tcp-flags ACK ACK -j LOG --log-prefix " SID1172 "	# "WEB-MISC bigconf.cgi access" nocase-ignored bugtraq,778 cve,CVE-1999-1550 classtype:attempted-recon sid:1172
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/ews/architext_query.pl" --tcp-flags ACK ACK -j LOG --log-prefix " SID1173 "	# "WEB-MISC architext_query.pl access" nocase-ignored classtype:attempted-recon sid:1173
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/cgi-bin/jj" --tcp-flags ACK ACK -j LOG --log-prefix " SID1174 "	# "WEB-MISC /cgi-bin/jj attempt" nocase-ignored bugtraq,2002 cve,CVE-1999-0260 classtype:attempted-recon sid:1174
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/wwwboard.pl" --tcp-flags ACK ACK -j LOG --log-prefix " SID1175 "	# "WEB-MISC wwwboard.pl access" nocase-ignored bugtraq,649 bugtraq,1795 cve,CAN-1999-0930 classtype:attempted-recon sid:1175
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/admin_files/order.log" --tcp-flags ACK ACK -j LOG --log-prefix " SID1176 "	# "WEB-MISC order.log access" nocase-ignored classtype:attempted-recon sid:1176
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-verify-link" -j LOG --log-prefix " SID1177 "	# "WEB-MISC Netscape Enterprise Server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1177
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/read.php3" -j LOG --log-prefix " SID1178 "	# "WEB-MISC Phorum read access" nocase-ignored arachnids,208 classtype:attempted-recon sid:1178
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/violation.php3" -j LOG --log-prefix " SID1179 "	# "WEB-MISC Phorum violation access" nocase-ignored bugtraq,2272 arachnids,209 classtype:attempted-recon sid:1179
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/get32.exe" -j LOG --log-prefix " SID1180 "	# "WEB-MISC get32.exe access" nocase-ignored bugtraq,1485 arachnids,258 classtype:attempted-recon sid:1180
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ping?query=" -j LOG --log-prefix " SID1181 "	#Cannot convert: dsize:>1446	 "WEB-MISC Annex Terminal DOS attempt" cve,CAN-1999-1070 arachnids,260 classtype:attempted-dos sid:1181
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/cgitest.exeuser" --tcp-flags ACK ACK -j LOG --log-prefix " SID1182 "	# "WEB-MISC cgitest.exe attempt" nocase-ignored cve,CVE-2000-1171 bugtraq,3885 arachnids,265 classtype:web-application-attack sid:1182
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cgitest.exe" -j LOG --log-prefix " SID1587 "	# "WEB-MISC cgitest.exe access" nocase-ignored cve,CVE-2000-1171 bugtraq,3885 arachnids,265 classtype:web-application-activity sid:1587
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-cs-dump" -j LOG --log-prefix " SID1183 "	# "WEB-MISC Netscape Enterprise Server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1183
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-ver-info" -j LOG --log-prefix " SID1184 "	# "WEB-MISC Netscape Enterprise Server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1184
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bizdb1-search.cgi" --string "mail" -j LOG --log-prefix " SID1185 "	# "WEB-MISC bizdbsearch attempt" nocase-ignored nocase-ignored cve,CAN-2000-0287 bugtraq,1104 classtype:web-application-attack sid:1185
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bizdb1-search.cgi" -j LOG --log-prefix " SID1535 "	# "WEB-MISC bizdbsearch access" nocase-ignored cve,CAN-2000-0287 bugtraq,1104 classtype:web-application-activity sid:1535
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-ver-diff" -j LOG --log-prefix " SID1186 "	# "WEB-MISC Netscape Enterprise Server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1186
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/slxweb.dll/admin?command=" -j LOG --log-prefix " SID1187 "	# "WEB-MISC SalesLogix Eviewer web command attempt" nocase-ignored bugtraq,1089 cve,CAN-2000-0289 classtype:web-application-attack sid:1187
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/slxweb.dll" -j LOG --log-prefix " SID1588 "	# "WEB-MISC SalesLogix Eviewer access" nocase-ignored bugtraq,1089 cve,CAN-2000-0289 classtype:web-application-activity sid:1588
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-start-ver" -j LOG --log-prefix " SID1188 "	# "WEB-MISC Netscape Enterprise Server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1188
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-stop-ver" -j LOG --log-prefix " SID1189 "	# "WEB-MISC Netscape Enterprise Server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1189
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-uncheckout" -j LOG --log-prefix " SID1190 "	# "WEB-MISC Netscape Enterprise Server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1190
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-html-rend" -j LOG --log-prefix " SID1191 "	# "WEB-MISC Netscape Enterprise Server directory view" nocase-ignored bugtraq,1063 classtype:attempted-recon sid:1191
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/officescan/cgi/jdkRqNotify.exe?" --string "domain=" --string "event=" -j LOG --log-prefix " SID1381 "	# "WEB-MISC Trend Micro OfficeScan attempt" nocase-ignored nocase-ignored nocase-ignored bugtraq,1057 classtype:attempted-recon sid:1381
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/officescan/cgi/jdkRqNotify.exe" -j LOG --log-prefix " SID1192 "	# "WEB-MISC Trend Micro OfficeScan access" nocase-ignored bugtraq,1057 classtype:attempted-recon sid:1192
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ows-bin/&" -j LOG --log-prefix " SID1193 "	# "WEB-MISC oracle web listener batch access" nocase-ignored cve,CVE-2000-0169 bugtraq,1053 classtype:attempted-recon sid:1193
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/sojourn.cgi?cat=" --string "%00" -j LOG --log-prefix " SID1194 "	# "WEB-MISC Sojourn File attempt" nocase-ignored bugtraq,1052 cve,CAN-2000-0180 classtype:attempted-user sid:1194
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/sojourn.cgi" -j LOG --log-prefix " SID1195 "	# "WEB-MISC Sojourn access" nocase-ignored bugtraq,1052 cve,CAN-2000-0180 classtype:attempted-recon sid:1195
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/infosrch.cgi?" --string "fname=" -j LOG --log-prefix " SID1196 "	# "WEB-MISC SGI InfoSearch fname access" nocase-ignored bugtraq,1031 arachnids,290 cve,CVE-2000-0207 classtype:attempted-recon sid:1196
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/code.php3" -j LOG --log-prefix " SID1197 "	# "WEB-MISC Phorum code access" nocase-ignored arachnids,207 classtype:attempted-recon sid:1197
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "?wp-usr-prop" -j LOG --log-prefix " SID1198 "	# "WEB-MISC Netscape Enterprise Server directory view" nocase-ignored bugtraq,1063 classtype:web-application-attack sid:1198
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 2301 --tcp-flags ACK ACK -m string --string "../" -j LOG --log-prefix " SID1199 "	# "WEB-MISC Compaq Insight directory traversal" bugtraq,282 arachnids,244 cve,CVE-1999-0771 classtype:web-application-attack sid:1199
iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 80 -d $EXTERNAL_NET -m string --string "Invalid URL" --tcp-flags ACK ACK -j LOG --log-prefix " SID1200 "	# "WEB-MISC Invalid URL" nocase-ignored classtype:attempted-recon sid:1200
iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 80 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "HTTP/1.1 403" -j LOG --log-prefix " SID1201 "	# "WEB-MISC 403 Forbidden" classtype:attempted-recon sid:1201
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/search.vts" -j LOG --log-prefix " SID1202 "	# "WEB-MISC search.vts access" classtype:attempted-recon sid:1202
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ax-admin.cgi" -j LOG --log-prefix " SID1204 "	# "WEB-MISC ax-admin.cgi access" classtype:attempted-recon sid:1204
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/axs.cgi" -j LOG --log-prefix " SID1205 "	# "WEB-MISC axs.cgi access" classtype:attempted-recon sid:1205
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cachemgr.cgi" -j LOG --log-prefix " SID1206 "	# "WEB-MISC cachemgr.cgi access" cve,CVE-1999-0710 classtype:attempted-recon sid:1206
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/htgrep" --string "hdr=/" -j LOG --log-prefix " SID1615 "	# "WEB-MISC htgrep attempt" classtype:web-application-attack cve,CAN-2000-0832 sid:1615
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/htgrep" -j LOG --log-prefix " SID1207 "	# "WEB-MISC htgrep access" classtype:web-application-activity cve,CAN-2000-0832 sid:1207
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/responder.cgi" -j LOG --log-prefix " SID1208 "	# "WEB-MISC responder.cgi access" classtype:attempted-recon sid:1208
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/.nsconfig" -j LOG --log-prefix " SID1209 "	# "WEB-MISC .nsconfig access" classtype:attempted-recon sid:1209
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/web-map.cgi" -j LOG --log-prefix " SID1211 "	# "WEB-MISC web-map.cgi access" classtype:attempted-recon sid:1211
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admin_files" -j LOG --log-prefix " SID1212 "	# "WEB-MISC Admin_files access" nocase-ignored classtype:attempted-recon sid:1212
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/backup" -j LOG --log-prefix " SID1213 "	# "WEB-MISC backup access" nocase-ignored classtype:attempted-recon sid:1213
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/intranet/" -j LOG --log-prefix " SID1214 "	# "WEB-MISC intranet access" nocase-ignored classtype:attempted-recon sid:1214
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ministats/admin.cgi" -j LOG --log-prefix " SID1215 "	# "WEB-MISC ministats admin access" nocase-ignored classtype:attempted-recon sid:1215
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/filemail" -j LOG --log-prefix " SID1216 "	# "WEB-MISC filemail access" nocase-ignored classtype:attempted-recon sid:1216
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/plusmail" -j LOG --log-prefix " SID1217 "	# "WEB-MISC plusmail access" nocase-ignored classtype:attempted-recon sid:1217
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/adminlogin" -j LOG --log-prefix " SID1218 "	# "WEB-MISC adminlogin access" nocase-ignored classtype:attempted-recon sid:1218
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/dfire.cgi" -j LOG --log-prefix " SID1219 "	# "WEB-MISC dfire.cgi access" nocase-ignored cve,CAN-1999-0913 classtype:attempted-recon sid:1219
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ultraboard" -j LOG --log-prefix " SID1220 "	# "WEB-MISC ultraboard access" nocase-ignored classtype:attempted-recon sid:1220
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/empower?DB=" -j LOG --log-prefix " SID1589 "	# "WEB-MISC musicat empower attempt" nocase-ignored classtype:web-application-attack sid:1589
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/empower" -j LOG --log-prefix " SID1221 "	# "WEB-MISC musicat empower access" nocase-ignored classtype:web-application-activity sid:1221
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/pals-cgi" --string "documentName=" -j LOG --log-prefix " SID1222 "	# "WEB-MISC WebPALS attempt" nocase-ignored classtype:attempted-recon cve,CAN-2001-0217 bugtraq,2372 sid:1222
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/ROADS/cgi-bin/search.pl" --string "form=" -j LOG --log-prefix " SID1224 "	# "WEB-MISC ROADS search.pl attempt" nocase-ignored cve,CAN-2001-0215 bugtraq,2371 classtype:attempted-recon sid:1224
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/FtpSave.dll" -j LOG --log-prefix " SID1230 "	# "WEB-MISC VirusWall FtpSave access" nocase-ignored bugtraq,2808 classtype:attempted-recon sid:1230
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/catinfo" -j LOG --log-prefix " SID1231 "	# "WEB-MISC VirusWall access" nocase-ignored bugtraq,2808 classtype:attempted-recon sid:1231
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 1812 --tcp-flags ACK ACK -m string --string "/catinfo" -j LOG --log-prefix " SID1232 "	# "WEB-MISC VirusWall access" nocase-ignored bugtraq,2579 classtype:attempted-recon sid:1232
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 80 -m string --string ".ewl" --tcp-flags ACK ACK -j LOG --log-prefix " SID1233 "	# "WEB-MISC Outlook EML access" classtype:attempted-admin sid:1233
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/FtpSaveCSP.dll" -j LOG --log-prefix " SID1234 "	# "WEB-MISC VirusWall FtpSaveCSP access" nocase-ignored classtype:attempted-recon sid:1234
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/FtpSaveCVP.dll" -j LOG --log-prefix " SID1235 "	# "WEB-MISC VirusWall FtpSaveCVP access" nocase-ignored classtype:attempted-recon sid:1235
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".js%2570" -j LOG --log-prefix " SID1236 "	# "WEB-MISC Tomcat sourcode view" nocase-ignored classtype:attempted-recon sid:1236
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".j%2573p" -j LOG --log-prefix " SID1237 "	# "WEB-MISC Tomcat sourcode view" nocase-ignored classtype:attempted-recon sid:1237
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".%256Asp" -j LOG --log-prefix " SID1238 "	# "WEB-MISC Tomcat sourcode view" nocase-ignored classtype:attempted-recon sid:1238
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/SWEditServlet" --string "template=../../../" --tcp-flags ACK ACK -j LOG --log-prefix " SID1241 "	# "WEB-MISC SWEditServlet directory traversal attempt" classtype:attempted-user sid:1241
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "/SWEditServlet" --tcp-flags ACK ACK -j LOG --log-prefix " SID1259 "	# "WEB-MISC SWEditServlet access" classtype:attempted-recon sid:1259
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "HEAD" --tcp-flags ACK ACK -j LOG --log-prefix " SID1171 "	#Cannot convert: dsize:>512	 "WEB-MISC whisker HEAD with large datagram" nocase-ignored classtype:attempted-recon url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html sid:1171
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "HEAD/./" -j LOG --log-prefix " SID1139 "	# "WEB-MISC whisker HEAD/./" classtype:attempted-recon url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html sid:1139
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string " " --tcp-flags ACK ACK -j LOG --log-prefix " SID1104 "	#Cannot convert: dsize:1	 "WEB-MISC whisker space splice attack" arachnids,296 classtype:attempted-recon url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html sid:1104
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "	" -j LOG --log-prefix " SID1087 "	#Cannot convert: dsize: <5	 "WEB-MISC whisker tab splice attack" arachnids,415 classtype:attempted-recon url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html sid:1087
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "_PHPLIB[libdir]" -j LOG --log-prefix " SID1254 "	# "WEB-MISC PHPLIB remote command attempt" bugtraq,3079 classtype:attempted-user sid:1254
iptables -A SnortRules -p tcp -s $HTTP_SERVERS -d $EXTERNAL_NET --dport 80 --tcp-flags ACK ACK -m string --string "/db_mysql.inc" -j LOG --log-prefix " SID1255 "	# "WEB-MISC PHPLIB remote command attempt" bugtraq,3079 classtype:attempted-user sid:1255
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/OvCgi/OpenView5.exe?Context=Snmp&Action=Snmp&Host=&Oid=" -j LOG --log-prefix " SID1258 "	#Cannot convert: dsize:>202	 "WEB-MISC HP Openview Manager DOS" nocase-ignored bugtraq,2845 sid:1258 classtype:misc-activity
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "Authorization: Basic " -j LOG --log-prefix " SID1260 "	#Cannot convert: dsize:>1000	 "WEB-MISC long basic authorization string" nocase-ignored classtype:attempted-dos bugtraq,3230 sid:1260
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET --tcp-flags ACK ACK -m string --string "window.open("readme.eml"" -j LOG --log-prefix " SID1290 "	# "WEB-MISC readme.eml autoload attempt" nocase-ignored classtype:attempted-user sid:1290 url,www.cert.org/advisories/CA-2001-26.html
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET --tcp-flags ACK ACK -m string --string "readme.eml" -j LOG --log-prefix " SID1284 "	# "WEB-MISC readme.eml attempt" nocase-ignored classtype:attempted-user sid:1284 url,www.cert.org/advisories/CA-2001-26.html
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/graphics/sml3com" -j LOG --log-prefix " SID1291 "	# "WEB-MISC sml3com access" classtype:attempted-dos bugtraq,2721 sid:1291
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/carbo.dll" --string "icatcommand=" -j LOG --log-prefix " SID1001 "	# "WEB-MISC carbo.dll access" nocase-ignored cve,CAN-1999-1069 bugtraq,2126 classtype:attempted-recon sid:1001
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admin.php" --string "file_name=" -j LOG --log-prefix " SID1300 "	# "WEB-MISC admin.php file upload attempt" nocase-ignored bugtraq,3361 classtype:attempted-admin sid:1300
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admin.php" -j LOG --log-prefix " SID1301 "	# "WEB-MISC admin.php access" nocase-ignored bugtraq,3361 classtype:attempted-recon sid:1301
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cgi-bin/console.exe" -j LOG --log-prefix " SID1302 "	# "WEB-MISC console.exe access" nocase-ignored bugtraq,3375 classtype:attempted-recon sid:1302
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/cgi-bin/cs.exe" -j LOG --log-prefix " SID1303 "	# "WEB-MISC cs.exe access" nocase-ignored bugtraq,3375 classtype:attempted-recon sid:1303
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/txt2html.cgi" --string "/../../../../" -j LOG --log-prefix " SID1305 "	# "WEB-MISC txt2html attempt" nocase-ignored classtype:attempted-admin sid:1305
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/txt2html.cgi" -j LOG --log-prefix " SID1304 "	# "WEB-MISC txt2html access" nocase-ignored classtype:attempted-recon sid:1304
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/store.cgi" --string "product=" --string "../.." -j LOG --log-prefix " SID1306 "	# "WEB-MISC store.cgi attempt" nocase-ignored bugtraq,2385 cve,CAN-2001-0305 classtype:attempted-admin sid:1306
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/store.cgi" --string "StartID=" --string "../" -j LOG --log-prefix " SID1488 "	# "WEB-MISC store.cgi attempt" nocase-ignored bugtraq,2385 cve,CAN-2001-0305 classtype:attempted-admin sid:1488
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/store.cgi" -j LOG --log-prefix " SID1307 "	# "WEB-MISC store.cgi access" nocase-ignored bugtraq,2385 cve,CAN-2001-0305 classtype:attempted-recon sid:1307
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "../" -j LOG --log-prefix " SID1113 "	# "WEB-MISC http directory traversal" arachnids,297 classtype:attempted-recon sid:1113
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "GET x HTTP/1.0" -j LOG --log-prefix " SID1375 "	# "WEB-MISC sadmind worm access" classtype:attempted-recon url,www.cert.org/advisories/CA-2001-11.html sid:1375
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/%3f.jsp" -j LOG --log-prefix " SID1376 "	# "WEB-MISC jrun directory browse attempt" classtype:web-application-attack sid:1376
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/admin_/" -j LOG --log-prefix " SID1385 "	# "WEB-MISC mod-plsql administration access" bugtraq,3726 bugtraq,3727 classtype:web-application-activity sid:1385
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "includedir=" -j LOG --log-prefix " SID1391 "	# "WEB-MISC Phorecast remote code execution attempt" bugtraq,3388 classtype:web-application-attack sid:1391
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/viewcode" -j LOG --log-prefix " SID1403 "	# "WEB-MISC viewcode access" classtype:web-application-attack sid:1403
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/showcode" -j LOG --log-prefix " SID1404 "	# "WEB-MISC showcode access" classtype:web-application-attack sid:1404
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/smssend.php" -j LOG --log-prefix " SID1407 "	# "WEB-MISC smssend.php access" classtype:web-application-activity bugtraq,3982 sid:1407
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "index.php" --string "file=http://" -j LOG --log-prefix " SID1399 "	# "WEB-MISC PHP-Nuke remote file include attempt" nocase-ignored nocase-ignored bugtraq,3889 classtype:web-application-attack sid:1399
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string ".history" -j LOG --log-prefix " SID1433 "	# "WEB-MISC .history access" classtype:web-application-attack sid:1433
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string ".bash_history" -j LOG --log-prefix " SID1434 "	# "WEB-MISC .bash_history access" classtype:web-application-attack sid:1434
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/~nobody" -j LOG --log-prefix " SID1489 "	# "WEB-MISC /~nobody access" classtype:web-application-attack sid:1489
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/support/common.php" --string "ForumLang=../" -j LOG --log-prefix " SID1490 "	# "WEB-MISC phorum /support/common.php attempt" classtype:web-application-attack sid:1490
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/support/common.php" -j LOG --log-prefix " SID1491 "	# "WEB-MISC phorum /support/common.php access" classtype:web-application-attack sid:1491
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/newuser?Image=../.." -j LOG --log-prefix " SID1492 "	# "WEB-MISC RBS ISP /newuser attempt" classtype:web-application-attack sid:1492
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/newuser" -j LOG --log-prefix " SID1493 "	# "WEB-MISC RBS ISP /newuser access" classtype:web-application-activity sid:1493
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/generate.cgi" --string "content=../" -j LOG --log-prefix " SID1494 "	# "WEB-MISC SIX webboard generate.cgi attempt" cve,CAN-2001-1115 bugtraq,3175 classtype:web-application-attack sid:1494
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/generate.cgi" -j LOG --log-prefix " SID1495 "	# "WEB-MISC SIX webboard generate.cgi access" cve,CAN-2001-1115 bugtraq,3175 classtype:web-application-activity sid:1495
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/spin_client.cgi" -j LOG --log-prefix " SID1496 "	# "WEB-MISC spin_client.cgi access" classtype:web-application-activity sid:1496
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/ps" -j LOG --log-prefix " SID1328 "	# "WEB-ATTACKS ps command attempt" nocase-ignored sid:1328 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "ps%20" -j LOG --log-prefix " SID1329 "	# "WEB-ATTACKS /bin/ps command attempt" nocase-ignored sid:1329 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "wget%20" -j LOG --log-prefix " SID1330 "	# "WEB-ATTACKS wget command attempt" nocase-ignored sid:1330 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "uname%20-a" -j LOG --log-prefix " SID1331 "	# "WEB-ATTACKS uname -a command attempt" nocase-ignored sid:1331 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/bin/id" -j LOG --log-prefix " SID1332 "	# "WEB-ATTACKS /usr/bin/id command attempt" nocase-ignored sid:1332 classtype:web-application-attack
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string " -j LOG --log-prefix " SID1333 "	#Cannot convert: id" misconvert in content semicolon: sid:1333	 "WEB-ATTACKS id command attempt" nocase-ignored sid:1333 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/echo" -j LOG --log-prefix " SID1334 "	# "WEB-ATTACKS echo command attempt" nocase-ignored sid:1334 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/kill" -j LOG --log-prefix " SID1335 "	# "WEB-ATTACKS kill command attempt" nocase-ignored sid:1335 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/chmod" -j LOG --log-prefix " SID1336 "	# "WEB-ATTACKS chmod command attempt" nocase-ignored sid:1336 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/bin/chgrp" -j LOG --log-prefix " SID1337 "	# "WEB-ATTACKS chgrp command attempt" nocase-ignored sid:1337 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/sbin/chown" -j LOG --log-prefix " SID1338 "	# "WEB-ATTACKS chown command attempt" nocase-ignored sid:1338 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/bin/chsh" -j LOG --log-prefix " SID1339 "	# "WEB-ATTACKS chsh command attempt" nocase-ignored sid:1339 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "tftp%20" -j LOG --log-prefix " SID1340 "	# "WEB-ATTACKS tftp command attempt" nocase-ignored sid:1340 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/bin/gcc" -j LOG --log-prefix " SID1341 "	# "WEB-ATTACKS /usr/bin/gcc command attempt" nocase-ignored sid:1341 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "gcc%20-o" -j LOG --log-prefix " SID1342 "	# "WEB-ATTACKS gcc command attempt" nocase-ignored sid:1342 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/bin/cc" -j LOG --log-prefix " SID1343 "	# "WEB-ATTACKS /usr/bin/cc command attempt" nocase-ignored sid:1343 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "cc%20" -j LOG --log-prefix " SID1344 "	# "WEB-ATTACKS cc command attempt" nocase-ignored sid:1344 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/bin/cpp" -j LOG --log-prefix " SID1345 "	# "WEB-ATTACKS /usr/bin/cpp command attempt" nocase-ignored sid:1345 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "cpp%20" -j LOG --log-prefix " SID1346 "	# "WEB-ATTACKS cpp command attempt" nocase-ignored sid:1346 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/bin/g++" -j LOG --log-prefix " SID1347 "	# "WEB-ATTACKS /usr/bin/g++ command attempt" nocase-ignored sid:1347 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "g++%20" -j LOG --log-prefix " SID1348 "	# "WEB-ATTACKS g++ command attempt" nocase-ignored sid:1348 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "bin/python" -j LOG --log-prefix " SID1349 "	# "WEB-ATTACKS bin/python access attempt" nocase-ignored sid:1349 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "python%20" -j LOG --log-prefix " SID1350 "	# "WEB-ATTACKS python access attempt" nocase-ignored sid:1350 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "bin/tclsh" -j LOG --log-prefix " SID1351 "	# "WEB-ATTACKS bin/tclsh execution attempt" nocase-ignored sid:1351 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "tclsh8%20" -j LOG --log-prefix " SID1352 "	# "WEB-ATTACKS tclsh execution attempt" nocase-ignored sid:1352 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "bin/nasm" -j LOG --log-prefix " SID1353 "	# "WEB-ATTACKS bin/nasm command attempt" nocase-ignored sid:1353 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "nasm%20" -j LOG --log-prefix " SID1354 "	# "WEB-ATTACKS nasm command attempt" nocase-ignored sid:1354 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/bin/perl" -j LOG --log-prefix " SID1355 "	# "WEB-ATTACKS /usr/bin/perl execution attempt" nocase-ignored sid:1355 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "perl%20" -j LOG --log-prefix " SID1356 "	# "WEB-ATTACKS perl execution attempt" nocase-ignored sid:1356 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "net localgroup administrators /add" -j LOG --log-prefix " SID1357 "	# "WEB-ATTACKS nt admin addition attempt" nocase-ignored sid:1357 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "traceroute%20" -j LOG --log-prefix " SID1358 "	# "WEB-ATTACKS traceroute command attempt" nocase-ignored sid:1358 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/ping" -j LOG --log-prefix " SID1359 "	# "WEB-ATTACKS ping command attempt" nocase-ignored sid:1359 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "nc%20" -j LOG --log-prefix " SID1360 "	# "WEB-ATTACKS netcat command attempt" nocase-ignored sid:1360 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "nmap%20" -j LOG --log-prefix " SID1361 "	# "WEB-ATTACKS nmap command attempt" nocase-ignored sid:1361 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/usr/X11R6/bin/xterm" -j LOG --log-prefix " SID1362 "	# "WEB-ATTACKS xterm command attempt" nocase-ignored sid:1362 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "%20-display%20" -j LOG --log-prefix " SID1363 "	# "WEB-ATTACKS X application to remote host attempt" nocase-ignored sid:1363 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "lsof%20" -j LOG --log-prefix " SID1364 "	# "WEB-ATTACKS lsof command attempt" nocase-ignored sid:1364 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "rm%20" -j LOG --log-prefix " SID1365 "	# "WEB-ATTACKS rm command attempt" nocase-ignored sid:1365 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/mail" -j LOG --log-prefix " SID1366 "	# "WEB-ATTACKS mail command attempt" nocase-ignored sid:1366 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "mail%20" -j LOG --log-prefix " SID1367 "	# "WEB-ATTACKS mail command attempt" nocase-ignored sid:1367 classtype:web-application-attack
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/ls -j LOG --log-prefix " SID1368 "	#Cannot convert: misconvert in content pipe: sid:1368	 "WEB-ATTACKS /bin/ls| command attempt" nocase-ignored sid:1368 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/bin/ls" -j LOG --log-prefix " SID1369 "	# "WEB-ATTACKS /bin/ls command attempt" nocase-ignored sid:1369 classtype:web-application-attack
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/etc/inetd.conf" -j LOG --log-prefix " SID1370 "	# "WEB-ATTACKS /etc/inetd.conf access" nocase-ignored sid:1370 classtype:web-application-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/etc/motd" -j LOG --log-prefix " SID1371 "	# "WEB-ATTACKS /etc/motd access" nocase-ignored sid:1371 classtype:web-application-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "/etc/shadow" -j LOG --log-prefix " SID1372 "	# "WEB-ATTACKS /etc/shadow access" nocase-ignored sid:1372 classtype:web-application-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string "conf/httpd.conf" -j LOG --log-prefix " SID1373 "	# "WEB-ATTACKS conf/httpd.conf attempt" nocase-ignored classtype:web-application-activity sid:1373
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 --tcp-flags ACK ACK -m string --string ".htgroup" -j LOG --log-prefix " SID1374 "	# "WEB-ATTACKS .htgroup access" nocase-ignored sid:1374 classtype:web-application-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "sp_start_job" --tcp-flags ACK ACK -j LOG --log-prefix " SID676 "	# "MS-SQL/SMB sp_start_job - program execution" nocase-ignored classtype:attempted-user sid:676
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "sp_start_job" --tcp-flags ACK ACK -j LOG --log-prefix " SID673 "	# "MS-SQL sp_start_job - program execution" nocase-ignored classtype:attempted-user sid:673
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_displayparamstmt" --tcp-flags ACK ACK -j LOG --log-prefix " SID674 "	# "MS-SQL xp_displayparamstmt possible buffer overflow" nocase-ignored bugtraq,2030 cve,CAN-2000-1081 classtype:attempted-user sid:674
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_setsqlsecurity" --tcp-flags ACK ACK -j LOG --log-prefix " SID675 "	# "MS-SQL xp_setsqlsecurity possible buffer overflow" nocase-ignored bugtraq,2043 classtype:attempted-user sid:675
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "sp_password" --tcp-flags ACK ACK -j LOG --log-prefix " SID677 "	# "MS-SQL/SMB sp_password password change" nocase-ignored classtype:attempted-user sid:677
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "sp_delete_ale" --tcp-flags ACK ACK -j LOG --log-prefix " SID678 "	# "MS-SQL/SMB sp_delete_alert log file deletion" nocase-ignored classtype:attempted-user sid:678
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "sp_adduser" --tcp-flags ACK ACK -j LOG --log-prefix " SID679 "	# "MS-SQL/SMB sp_adduser database user creation" nocase-ignored classtype:attempted-user sid:679
iptables -A SnortRules -p tcp -s $SQL_SERVERS --sport 139 -d $EXTERNAL_NET -m string --string "Login failed for user 'sa'" --tcp-flags ACK ACK -j LOG --log-prefix " SID680 "	# "MS-SQL/SMB sa login failed" classtype:attempted-user sid:680
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_cmdshell" --tcp-flags ACK ACK -j LOG --log-prefix " SID681 "	# "MS-SQL/SMB xp_cmdshell program execution" nocase-ignored classtype:attempted-user sid:681
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_enumresultset" --tcp-flags ACK ACK -j LOG --log-prefix " SID682 "	# "MS-SQL xp_enumresultset possible buffer overflow" nocase-ignored classtype:attempted-user sid:682
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "sp_password" --tcp-flags ACK ACK -j LOG --log-prefix " SID683 "	# "MS-SQL sp_password - password change" nocase-ignored classtype:attempted-user sid:683
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "sp_delete_alert" --tcp-flags ACK ACK -j LOG --log-prefix " SID684 "	# "MS-SQL sp_delete_alert log file deletion" nocase-ignored classtype:attempted-user sid:684
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "sp_adduser" --tcp-flags ACK ACK -j LOG --log-prefix " SID685 "	# "MS-SQL sp_adduser - database user creation" nocase-ignored classtype:attempted-user sid:685
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_reg" --tcp-flags ACK ACK -j LOG --log-prefix " SID686 "	# "MS-SQL xp_reg* - registry access" nocase-ignored classtype:attempted-user sid:686
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_cmdshell" --tcp-flags ACK ACK -j LOG --log-prefix " SID687 "	# "MS-SQL xp_cmdshell - program execution" nocase-ignored classtype:attempted-user sid:687
#iptables -A SnortRules -p tcp -s $SQL_SERVERS --sport 1433 -d $EXTERNAL_NET -m string --string "Login failed for user 'sa'" --tcp-flags ACK ACK -j LOG --log-prefix " SID688 "	#Cannot convert: Mishandled quotes	 "MS-SQL sa login failed" classtype:unsuccessful-user sid:688
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_reg" --tcp-flags ACK ACK -j LOG --log-prefix " SID689 "	# "MS-SQL/SMB xp_reg* registry access" nocase-ignored classtype:attempted-user sid:689
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_printstatements" --tcp-flags ACK ACK -j LOG --log-prefix " SID690 "	# "MS-SQL/SMB xp_printstatements possible buffer overflow" nocase-ignored bugtraq,2041 cve,CAN-2000-1086 classtype:attempted-user sid:690
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "9 Ð’ÂRU9 ì" --tcp-flags ACK ACK -j LOG --log-prefix " SID691 "	# "MS-SQL shellcode attempt" classtype:shellcode-detect sid:691
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "9 Ð’ÂRU9 ì" --tcp-flags ACK ACK -j LOG --log-prefix " SID692 "	# "MS-SQL/SMB shellcode attempt" classtype:shellcode-detect sid:692
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "H%xw3ÀPh." --tcp-flags ACK ACK -j LOG --log-prefix " SID693 "	# "MS-SQL shellcode attempt" classtype:shellcode-detect sid:693
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "H%xw3ÀPh." --tcp-flags ACK ACK -j LOG --log-prefix " SID694 "	# "MS-SQL/SMB shellcode attempt" classtype:attempted-user sid:694
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_sprintf" --tcp-flags ACK ACK -j LOG --log-prefix " SID695 "	# "MS-SQL/SMB xp_sprintf possible buffer overflow" nocase-ignored bugtraq,1204 classtype:attempted-user sid:695
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_showcolv" --tcp-flags ACK ACK -j LOG --log-prefix " SID696 "	# "MS-SQL/SMB xp_showcolv possible buffer overflow" nocase-ignored bugtraq,2038 classtype:attempted-user sid:696
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_peekqueue" --tcp-flags ACK ACK -j LOG --log-prefix " SID697 "	# "MS-SQL/SMB xp_peekqueue possible buffer overflow" nocase-ignored bugtraq,2040 cve,CAN-2000-1085 classtype:attempted-user sid:697
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_proxiedmetadata" --tcp-flags ACK ACK -j LOG --log-prefix " SID698 "	# "MS-SQL/SMB xp_proxiedmetadata possible buffer overflow" nocase-ignored bugtraq,2042 cve,CAN-2000-1087 classtype:attempted-user sid:698
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_printstatements" --tcp-flags ACK ACK -j LOG --log-prefix " SID699 "	# "MS-SQL xp_printstatements possible buffer overflow" nocase-ignored bugtraq,2041 cve,CAN-2000-1086 classtype:attempted-user sid:699
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_updatecolvbm" --tcp-flags ACK ACK -j LOG --log-prefix " SID700 "	# "MS-SQL/SMB xp_updatecolvbm possible buffer overflow" nocase-ignored bugtraq,2039 cve,CAN-2000-1084 classtype:attempted-user sid:700
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_updatecolvbm" --tcp-flags ACK ACK -j LOG --log-prefix " SID701 "	# "MS-SQL xp_updatecolvbm possible buffer overflow" nocase-ignored bugtraq,2039 cve,CAN-2000-1084 classtype:attempted-user sid:701
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_displayparamstmt" --tcp-flags ACK ACK -j LOG --log-prefix " SID702 "	# "MS-SQL/SMB xp_displayparamstmt possible buffer overflow" nocase-ignored bugtraq,2030 cve,CAN-2000-1081 classtype:attempted-user sid:702
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_setsqlsecurity" --tcp-flags ACK ACK -j LOG --log-prefix " SID703 "	# "MS-SQL/SMB xp_setsqlsecurity possible buffer overflow" nocase-ignored classtype:attempted-user bugtraq,2043 sid:703
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_sprintf" --tcp-flags ACK ACK -j LOG --log-prefix " SID704 "	# "MS-SQL xp_sprintf possible buffer overflow" nocase-ignored bugtraq,1204 classtype:attempted-user sid:704
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_showcolv" --tcp-flags ACK ACK -j LOG --log-prefix " SID705 "	# "MS-SQL xp_showcolv possible buffer overflow" nocase-ignored bugtraq,2038 cve,CAN-2000-1083 classtype:attempted-user sid:705
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_peekqueue" --tcp-flags ACK ACK -j LOG --log-prefix " SID706 "	# "MS-SQL xp_peekqueue possible buffer overflow" nocase-ignored bugtraq,2040 cve,CAN-2000-1085 classtype:attempted-user sid:706
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "xp_proxiedmetadata" --tcp-flags ACK ACK -j LOG --log-prefix " SID707 "	# "MS-SQL xp_proxiedmetadata possible buffer overflow" nocase-ignored bugtraq,2024 cve,CAN-2000-1087 classtype:attempted-user sid:707
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "xp_enumresultset" --tcp-flags ACK ACK -j LOG --log-prefix " SID708 "	# "MS-SQL/SMB xp_enumresultset possible buffer overflow" nocase-ignored bugtraq,2031 cve,CAN-2000-1082 classtype:attempted-user sid:708
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 139 -m string --string "raiserror" --tcp-flags ACK ACK -j LOG --log-prefix " SID1386 "	# "MS-SQL/SMB raiserror possible buffer overflow" nocase-ignored bugtraq,3733 classtype:attempted-user sid:1386
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SQL_SERVERS --dport 1433 -m string --string "raiserror" --tcp-flags ACK ACK -j LOG --log-prefix " SID1387 "	# "MS-SQL raiserror possible buffer overflow" nocase-ignored bugtraq,3733 classtype:attempted-user sid:1387
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 6000 --tcp-flags ACK ACK -m string --string "MIT-MAGIC-COOKIE-1" -j LOG --log-prefix " SID1225 "	# "X11 MITcookie" arachnids,396 classtype:bad-unknown sid:1225
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 6000 --tcp-flags ACK ACK -m string --string "l" -j LOG --log-prefix " SID1226 "	# "X11 xopen" arachnids,395 classtype:unknown sid:1226
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 6000:6005 -d $HOME_NET --tcp-flags ALL ACK,SYN -j LOG --log-prefix " SID1227 "	# "X11 outgoing" arachnids,126 classtype:unknown sid:1227
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "ISSPNGRQ" --icmp-type 8 -j LOG --log-prefix " SID465 "	# "ICMP ISS Pinger" arachnids,158 classtype:attempted-recon sid:465
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI" --icmp-type 8/0 -j LOG --log-prefix " SID466 "	# "ICMP L3retriever Ping" arachnids,311 classtype:attempted-recon sid:466
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 8 -m string --string "" -j LOG --log-prefix " SID467 "	#Cannot convert: dsize: 20 icmp_id: 0 icmp_seq: 0	 "ICMP Nemesis v1.1 Echo" arachnids,449 classtype:attempted-recon sid:467
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 8 -j LOG --log-prefix " SID469 "	#Cannot convert: dsize: 0	 "ICMP PING NMAP" arachnids,162 classtype:attempted-recon sid:469
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 8 -j LOG --log-prefix " SID471 "	#Cannot convert: id: 666 dsize: 0 icmp_id: 666  icmp_seq: 0	 "ICMP icmpenum v1.1.1" arachnids,450 classtype:attempted-recon sid:471
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 5/1 -j LOG --log-prefix " SID472 "	# "ICMP redirect host" arachnids,135 cve,CVE-1999-0265 classtype:bad-unknown sid:472
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 5/0 -j LOG --log-prefix " SID473 "	# "ICMP redirect net" arachnids,199 cve,CVE-1999-0265 classtype:bad-unknown sid:473
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "" --icmp-type 8 -j LOG --log-prefix " SID474 "	#Cannot convert: dsize:8	 "ICMP superscan echo" classtype:attempted-recon sid:474
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m ipv4options --rr --icmp-type 0 -j LOG --log-prefix " SID475 "	# "ICMP traceroute ipopts" arachnids,238 classtype:attempted-recon sid:475
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "EEEEEEEEEEEE" --icmp-type 8/0 -j LOG --log-prefix " SID476 "	# "ICMP webtrends scanner" arachnids,307 classtype:attempted-recon sid:476
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 4/0 -j LOG --log-prefix " SID477 "	# "ICMP Source Quench" classtype:bad-unknown sid:477
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 8 -j LOG --log-prefix " SID478 "	#Cannot convert: icmp_id: 0 icmp_seq: 0 dsize:4	 "ICMP Broadscan Smurf Scanner" classtype:attempted-recon sid:478
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "89:;<=>?" --icmp-type 8 -j LOG --log-prefix " SID480 "	# "ICMP PING speedera" sid:480 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "TJPingPro by Jim" --icmp-type 8 -j LOG --log-prefix " SID481 "	# "ICMP TJPingPro1.1Build 2 Windows" arachnids,167 sid:481 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "WhatsUp - A Netw" --icmp-type 8 -j LOG --log-prefix " SID482 "	# "ICMP PING WhatsupGold Windows" arachnids,168 sid:482 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "ªªªªªªªªªªªªªªªª" --icmp-type 8 -j LOG --log-prefix " SID483 "	# "ICMP PING CyberKit 2.2 Windows" arachnids,154 sid:483 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 8 -m string --string "Cinco Network, Inc." -j LOG --log-prefix " SID484 "	# "ICMP PING Sniffer Pro/NetXRay network scan" sid:484 classtype:misc-activity
iptables -A SnortRules -p icmp --icmp-type 3/13 -j LOG --log-prefix " SID485 "	# "ICMP Destination Unreachable (Communication Administratively Prohibited)" sid:485 classtype:misc-activity
iptables -A SnortRules -p icmp --icmp-type 3/10 -j LOG --log-prefix " SID486 "	# "ICMP Destination Unreachable (Communication with Destination Host is Administratively Prohibited)" sid:486 classtype:misc-activity
iptables -A SnortRules -p icmp --icmp-type 3/9 -j LOG --log-prefix " SID487 "	# "ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited)" sid:487 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 -m string --string "EML" --tcp-flags ACK ACK -j LOG --log-prefix " SID1293 "	# "NETBIOS nimda .eml" classtype:bad-unknown url,www.datafellows.com/v-descs/nimda.shtml sid:1293
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 -m string --string "NWS" --tcp-flags ACK ACK -j LOG --log-prefix " SID1294 "	# "NETBIOS nimda .nws" classtype:bad-unknown url,www.datafellows.com/v-descs/nimda.shtml sid:1294
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 -m string --string "RICHED20" --tcp-flags ACK ACK -j LOG --log-prefix " SID1295 "	# "NETBIOS nimda RICHED20.DLL" classtype:bad-unknown url,www.datafellows.com/v-descs/nimda.shtml sid:1295
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "\\\\*SMBSERVERÿÿÿÿ" -j LOG --log-prefix " SID529 "	# "NETBIOS DOS RFPoison" arachnids,454 classtype:attempted-dos sid:529
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "Windows NT 1381" -j LOG --log-prefix " SID530 "	# "NETBIOS NT NULL session" bugtraq,1163 cve,CVE-2000-0347 arachnids,204 classtype:attempted-recon sid:530
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "BEAVIS" --string "yep yep" -j LOG --log-prefix " SID1239 "	# "NETBIOS RFParalyze Attempt" classtype:attempted-recon sid:1239
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "\ADMIN$A:" -j LOG --log-prefix " SID532 "	# "NETBIOS SMB ADMIN$access" arachnids,340 classtype:attempted-admin sid:532
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "\\C$A:" -j LOG --log-prefix " SID533 "	# "NETBIOS SMB C$ access" arachnids,339 classtype:attempted-recon sid:533
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "\../" -j LOG --log-prefix " SID534 "	# "NETBIOS SMB CD.." arachnids,338 classtype:attempted-recon sid:534
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "\..." -j LOG --log-prefix " SID535 "	# "NETBIOS SMB CD..." arachnids,337 classtype:attempted-recon sid:535
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "\D$A:" -j LOG --log-prefix " SID536 "	# "NETBIOS SMB D$access" arachnids,336 classtype:attempted-recon sid:536
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "\IPC$A:" -j LOG --log-prefix " SID537 "	# "NETBIOS SMB IPC$access" arachnids,335 classtype:attempted-recon sid:537
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "\\IPC$IPC" -j LOG --log-prefix " SID538 "	# "NETBIOS SMB IPC$access" arachnids,334 classtype:attempted-recon sid:538
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 --tcp-flags ACK ACK -m string --string "UnixSamba" -j LOG --log-prefix " SID539 "	# "NETBIOS Samba clientaccess" arachnids,341 classtype:not-suspicious sid:539
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -j LOG --log-prefix " SID499 "	#Cannot convert: dsize: >800	 "MISC Large ICMP Packet" arachnids,246 classtype:bad-unknown sid:499
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m ipv4options --lsrr -j LOG --log-prefix " SID500 "	# "MISC source route lssr" bugtraq,646 cve,CVE-1999-0909 arachnids,418 classtype:bad-unknown sid:500
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -j LOG --log-prefix " SID501 "	#Cannot convert: ipopts:lsrre	 "MISC source route lssre" bugtraq,646 cve,CVE-1999-0909 arachnids,420 classtype:bad-unknown sid:501
iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m ipv4options --ssrr -j LOG --log-prefix " SID502 "	# "MISC source route ssrr" arachnids,422 classtype:bad-unknown sid:502
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 20 -d $HOME_NET --dport :1023 --tcp-flags ALL SYN -j LOG --log-prefix " SID503 "	# "MISC Source Port 20 to <1024" arachnids,06 classtype:bad-unknown sid:503
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 53 -d $HOME_NET --dport :1023 --tcp-flags ALL SYN -j LOG --log-prefix " SID504 "	# "MISC source port 53 to <1024" arachnids,07 classtype:bad-unknown sid:504
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 1417 -m string --string ">" --tcp-flags ACK ACK -j LOG --log-prefix " SID505 "	# "MISC Insecure TIMBUKTU Password" arachnids,229 classtype:bad-unknown sid:505
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 5631 --tcp-flags ACK ACK -m string --string "ADMINISTRATOR" -j LOG --log-prefix " SID507 "	# "MISC PCAnywhere Attempted Administrator Login" classtype:attempted-admin sid:507
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 70 --tcp-flags ACK ACK -m string --string "ftp:" --string "@/" -j LOG --log-prefix " SID508 "	# "MISC gopher proxy" nocase-ignored arachnids,409 classtype:bad-unknown sid:508
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "pccsmysqladm/incs/dbconnect.inc" -j LOG --log-prefix " SID509 "	# "MISC PCCS mysql database admin tool" nocase-ignored arachnids,300 classtype:attempted-user sid:509
iptables -A SnortRules -p tcp -s $HOME_NET --sport 5631:5632 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "Invalid login" -j LOG --log-prefix " SID512 "	# "MISC PCAnywhere Failed Login" arachnids,240 classtype:unsuccessful-user sid:512
iptables -A SnortRules -p tcp -s $HOME_NET --sport 7161 -d $EXTERNAL_NET --tcp-flags ALL ACK,SYN -j LOG --log-prefix " SID513 "	# "MISC Cisco Catalyst Remote Access" arachnids,129 cve,CVE-1999-0430 classtype:bad-unknown sid:513
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 27374 --tcp-flags ACK ACK -m string --string "GET " -j LOG --log-prefix " SID514 "	# "MISC ramen worm" nocase-ignored arachnids,461 classtype:bad-unknown sid:514
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 161 -m string --string "+@Ñ" -j LOG --log-prefix " SID516 "	# "MISC SNMP NT UserList" classtype:attempted-recon sid:516
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 177 -m string --string "" -j LOG --log-prefix " SID517 "	# "MISC xdmcp query" arachnids,476 classtype:attempted-recon sid:517
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -j LOG --log-prefix " SID521 "	#Cannot convert: dsize: >4000	 "MISC Large UDP Packet" arachnids,247 classtype:bad-unknown sid:521
#iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -j LOG --log-prefix " SID522 "	#Cannot convert: fragbits:M dsize: < 25	 "MISC Tiny Fragments" classtype:bad-unknown sid:522
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 1900 -m string --string "NOTIFY attack-responses.rules backdoor.rules bad-traffic.rules chat.rules classification.config ddos.rules dns.rules dos.rules experimental.rules exploit.rules finger.rules ftp.rules icmp-info.rules icmp.rules info.rules iptables.cvs.20020427.v0.1.6 local.rules misc.rules multimedia.rules netbios.rules p2p.rules policy.rules porn.rules rpc.rules rservices.rules scan.rules shellcode.rules sid-msg.map smtp.rules snort.conf snort.conf.pristine sql.rules telnet.rules tftp.rules virus.rules web-attacks.rules web-cgi.rules web-coldfusion.rules web-frontpage.rules web-iis.rules web-misc.rules x11.rules " -j LOG --log-prefix " SID1384 "	# "MISC UPNP malformed advertisement" nocase-ignored classtype:misc-attack cve,CAN-2001-0876 cve,CAN-2001-0877 sid:1384
#iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 1900 -m string --string "Location:" -j LOG --log-prefix " SID1388 "	#Cannot convert: dsize:>500	 "MISC UPNP Location overflow" nocase-ignored classtype:misc-attack cve,CAN-2001-0876 cve,CAN-2001-0877 sid:1388
iptables -A SnortRules -p tcp -s [64.12.163.0/24,205.188.9.0/24] -d $HOME_NET --tcp-flags ACK ACK -m string --string "aim:AddGame?" -j LOG --log-prefix " SID1393 "	# "MISC AIM AddGame attempt" nocase-ignored url,www.w00w00.org/files/w00aimexp/ bugtraq,3769 cve,CAN-2002-0005 classtype:misc-attack sid:1393
iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 80 -d $EXTERNAL_NET -m string --string "Volume Serial Number" --tcp-flags ACK ACK -j LOG --log-prefix " SID1292 "	# "ATTACK RESPONSES http dir listing" classtype:bad-unknown sid:1292
iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 80 -d $EXTERNAL_NET -m string --string "Command completed" --tcp-flags ACK ACK -j LOG --log-prefix " SID494 "	# "ATTACK RESPONSES command completed" nocase-ignored classtype:bad-unknown sid:494
iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 80 -d $EXTERNAL_NET -m string --string "Bad command or filename" --tcp-flags ACK ACK -j LOG --log-prefix " SID495 "	# "ATTACK RESPONSES command error" nocase-ignored classtype:bad-unknown sid:495
iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 80 -d $EXTERNAL_NET -m string --string "1 file(s) copied" --tcp-flags ACK ACK -j LOG --log-prefix " SID497 "	# "ATTACK RESPONSES file copied ok" nocase-ignored classtype:bad-unknown sid:497
iptables -A SnortRules -p tcp -s $HTTP_SERVERS --sport 8002 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "Oracle Applications One-Hour Install" -j LOG --log-prefix " SID1464 "	# "ATTACK RESPONSES oracle one hour install" classtype:bad-unknown sid:1464
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 27374 -d $HOME_NET --tcp-flags ACK ACK -m string --string "[RPL]002" -j LOG --log-prefix " SID103 "	# "BACKDOOR subseven 22" arachnids,485 url,www.hackfix.org/subseven/ sid:103 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 1024: -d $HOME_NET --dport 2589 --tcp-flags ACK ACK -m string --string "Connect" -j LOG --log-prefix " SID104 "	# "BACKDOOR - Dagger_1.4.0_client_connect" url,www.tlsecurity.net/backdoor/Dagger.1.4.html arachnids,483 sid:104 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 2589 -d $EXTERNAL_NET --dport 1024: --tcp-flags ACK ACK -m string --string "2Drives\$" -j LOG --log-prefix " SID105 "	# "BACKDOOR - Dagger_1.4.0" arachnids,484 url,www.tlsecurity.net/backdoor/Dagger.1.4.html sid:105 classtype:misc-activity
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET --dport 1054 --tcp-flags ALL ACK -j LOG --log-prefix " SID106 "	#Cannot convert: seq: 101058054 ack: 101058054	 "BACKDOOR ACKcmdC trojan scan" arachnids,445 sid:106 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 16959 -d $HOME_NET -m string --string "PWD" --string "acidphreak" --tcp-flags ACK ACK -j LOG --log-prefix " SID107 "	# "BACKDOOR subseven DEFCON8 2.1 access" nocase-ignored sid:107 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 7597 --tcp-flags ACK ACK -m string --string "qazwsx.hsq" -j LOG --log-prefix " SID108 "	# "BACKDOOR QAZ Worm Client Login access" MCAFEE,98775 sid:108 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 12345 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "NetBus" -j LOG --log-prefix " SID109 "	# "BACKDOOR netbus active" arachnids,401 sid:109 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 12345 --tcp-flags ACK ACK -m string --string "GetInfo" -j LOG --log-prefix " SID110 "	# "BACKDOOR netbus getinfo" arachnids,403 sid:110 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 12346 --tcp-flags ACK ACK -m string --string "GetInfo" -j LOG --log-prefix " SID111 "	# "BACKDOOR netbus getinfo" arachnids,403 sid:111 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 80 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "server: BO/" -j LOG --log-prefix " SID112 "	# "BACKDOOR BackOrifice access" arachnids,400 sid:112 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 4120 -d $HOME_NET -m string --string "--Ahhhhhhhhhh" -j LOG --log-prefix " SID113 "	# "BACKDOOR DeepThroat access" arachnids,405 sid:113 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 12346 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "NetBus" -j LOG --log-prefix " SID114 "	# "BACKDOOR netbus active" arachnids,401 sid:114 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 20034 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "NetBus" -j LOG --log-prefix " SID115 "	# "BACKDOOR netbus active" arachnids,401 sid:115 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 31337 -m string --string "ÎcÑÒçÏ9¥¥†" -j LOG --log-prefix " SID116 "	# "BACKDOOR BackOrifice access" arachnids,399 sid:116 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 146 -d $EXTERNAL_NET --dport 1024: -m string --string "WHATISIT" --tcp-flags ACK ACK -j LOG --log-prefix " SID117 "	# "BACKDOOR Infector.1.x" arachnids,315 sid:117 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 666 -d $EXTERNAL_NET --dport 1024: -m string --string "Remote: You are connected to me." --tcp-flags ACK ACK -j LOG --log-prefix " SID118 "	# "BACKDOOR SatansBackdoor.2.0.Beta" arachnids,316 sid:118 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 6789 -d $EXTERNAL_NET -m string --string "Wtzup Use" --tcp-flags ACK ACK -j LOG --log-prefix " SID119 "	# "BACKDOOR Doly 2.0 access" arachnids,312 sid:119 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 146 -d $EXTERNAL_NET --dport 1000:1300 -m string --string "WHATISIT" --tcp-flags ACK ACK -j LOG --log-prefix " SID120 "	# "BACKDOOR Infector 1.6 Server to Client" sid:120 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 1000:1300 -d $HOME_NET --dport 146 -m string --string "FC " --tcp-flags ACK ACK -j LOG --log-prefix " SID121 "	# "BACKDOOR Infector 1.6 Client to Server Connection Request" sid:121 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "13" -j LOG --log-prefix " SID122 "	# "BACKDOOR DeepThroat 3.1 System Info Client Request" arachnids,106 sid:122 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "09" -j LOG --log-prefix " SID124 "	# "BACKDOOR DeepThroat 3.1 FTP Status Client Request" arachnids,106 sid:124 classtype:misc-activity
iptables -A SnortRules -p udp -s $HOME_NET --sport 2140 -d $EXTERNAL_NET --dport 60000 -m string --string "Retreaving" -j LOG --log-prefix " SID125 "	# "BACKDOOR DeepThroat 3.1 E-Mail Info From Server" arachnids,106 sid:125 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "12" -j LOG --log-prefix " SID126 "	# "BACKDOOR DeepThroat 3.1 E-Mail Info Client Request" arachnids,106 sid:126 classtype:misc-activity
iptables -A SnortRules -p udp -s $HOME_NET --sport 2140 -d $EXTERNAL_NET --dport 60000 -m string --string "Host" -j LOG --log-prefix " SID127 "	# "BACKDOOR DeepThroat 3.1 Server Status From Server" arachnids,106 sid:127 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "10" -j LOG --log-prefix " SID128 "	# "BACKDOOR DeepThroat 3.1 Server Status Client Request" arachnids,106 sid:128 classtype:misc-activity
iptables -A SnortRules -p udp -s $HOME_NET --sport 2140 -d $EXTERNAL_NET --dport 60000 -m string --string "C - " -j LOG --log-prefix " SID129 "	# "BACKDOOR DeepThroat 3.1 Drive Info From Server" arachnids,106 sid:129 classtype:misc-activity
iptables -A SnortRules -p udp -s $HOME_NET --sport 2140 -d $EXTERNAL_NET --dport 60000 -m string --string "Comp Name" -j LOG --log-prefix " SID130 "	# "BACKDOOR DeepThroat 3.1 System Info From Server" arachnids,106 sid:130 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "130" -j LOG --log-prefix " SID131 "	# "BACKDOOR DeepThroat 3.1 Drive Info Client Request" arachnids,106 sid:131 classtype:misc-activity
iptables -A SnortRules -p udp -s $HOME_NET --sport 2140 -d $EXTERNAL_NET --dport 60000 -m string --string "FTP Server changed to" -j LOG --log-prefix " SID132 "	# "BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server" arachnids,106 sid:132 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "16" -j LOG --log-prefix " SID133 "	# "BACKDOOR DeepThroat 3.1 Cached Passwords Client Request" arachnids,106 sid:133 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "17" -j LOG --log-prefix " SID134 "	# "BACKDOOR DeepThroat 3.1 RAS Passwords Client Request" arachnids,106 sid:134 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "91" -j LOG --log-prefix " SID135 "	# "BACKDOOR DeepThroat 3.1 Server Password Change Client Request" arachnids,106 sid:135 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "92" -j LOG --log-prefix " SID136 "	# "BACKDOOR DeepThroat 3.1 Server Password Remove Client Request" arachnids,106 sid:136 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "911" -j LOG --log-prefix " SID137 "	# "BACKDOOR DeepThroat 3.1 Rehash Client Request" arachnids,106 sid:137 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 3150 -m string --string "shutd0wnM0therF***eR" -j LOG --log-prefix " SID138 "	# "BACKDOOR DeepThroat 3.1 Server Rehash Client Request" arachnids,106 sid:138 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "88" -j LOG --log-prefix " SID140 "	# "BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request" arachnids,106 sid:140 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 31785 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "host" -j LOG --log-prefix " SID141 "	# "BACKDOOR HackAttack 1.20 Connect" sid:141 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "40" -j LOG --log-prefix " SID142 "	# "BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request" arachnids,106 sid:142 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "20" -j LOG --log-prefix " SID143 "	# "BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request" arachnids,106 sid:143 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport ! 80 -d $HOME_NET --dport 21554 --tcp-flags ACK ACK -m string --string "Girl" -j LOG --log-prefix " SID145 "	# "BACKDOOR GirlFriendaccess" arachnids,98 sid:145 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 30100 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "NetSphere" -j LOG --log-prefix " SID146 "	# "BACKDOOR NetSphere access" arachnids,76 sid:146 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 6969 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "GateCrasher" -j LOG --log-prefix " SID147 "	# "BACKDOOR GateCrasher" arachnids,99 sid:147 classtype:misc-activity
iptables -A SnortRules -p udp -s $HOME_NET --sport 2140 -d $EXTERNAL_NET --dport 60000 -m string --string "KeyLogger Is Enabled On port" -j LOG --log-prefix " SID148 "	# "BACKDOOR DeepThroat 3.1 Keylogger Active on Network" arachnids,106 sid:148 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 3150 -m string --string "#" -j LOG --log-prefix " SID149 "	# "BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network" arachnids,106 sid:149 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 3150 -d $HOME_NET --dport 60000 -m string --string "#" -j LOG --log-prefix " SID150 "	# "BACKDOOR DeepThroat 3.1 Server Active on Network" arachnids,106 sid:150 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -j LOG --log-prefix " SID151 "	# "BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network" arachnids,106 sid:151 classtype:misc-activity
#iptables -A SnortRules -p tcp -s $HOME_NET --sport 5401:5402 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "c:\" -j LOG --log-prefix " SID152 "	#Cannot convert: Mishandled quotes	 "BACKDOOR BackConstruction 2.1 Connection" sid:152 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 23476 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "pINg" -j LOG --log-prefix " SID153 "	# "BACKDOOR DonaldDick 1.53 Traffic" sid:153 classtype:misc-activity
iptables -A SnortRules -p udp -s $HOME_NET --sport 3150 -d $EXTERNAL_NET --dport 60000 -m string --string "Wrong Password" -j LOG --log-prefix " SID154 "	# "BACKDOOR DeepThroat 3.1 Wrong Password" arachnids,106 sid:154 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 30100:30102 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "NetSphere" -j LOG --log-prefix " SID155 "	# "BACKDOOR NetSphere 1.31.337 access" arachnids,76 sid:155 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "37" -j LOG --log-prefix " SID156 "	# "BACKDOOR DeepThroat 3.1 Visible Window List Client Request" arachnids,106 sid:156 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 666 --tcp-flags ACK ACK -m string --string "FTPON" -j LOG --log-prefix " SID157 "	# "BACKDOOR BackConstruction 2.1 Client FTP Open Request" sid:157 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 666 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "FTP Port open" -j LOG --log-prefix " SID158 "	# "BACKDOOR BackConstruction 2.1 Server FTP Open Reply" sid:158 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 5032 --tcp-flags ACK ACK -m string --string "--" -j LOG --log-prefix " SID159 "	# "BACKDOOR NetMetro File List" arachnids,79 sid:159 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 3344 -d $HOME_NET --dport 3345 -m string --string "activate" -j LOG --log-prefix " SID161 "	# "BACKDOOR Matrix 2.0 Client connect" arachnids,83 sid:161 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 3345 -d $HOME_NET --dport 3344 -m string --string "logged in" -j LOG --log-prefix " SID162 "	# "BACKDOOR Matrix 2.0 Server access" arachnids,83 sid:162 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 5714 -d $EXTERNAL_NET --tcp-flags ALL ACK,SYN -m string --string "´´" -j LOG --log-prefix " SID163 "	# "BACKDOOR WinCrash 1.0 Server Active" arachnids,36 sid:163 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 2140 -d $HOME_NET --dport 60000 -j LOG --log-prefix " SID164 "	# "BACKDOOR DeepThroat 3.1 Server Active on Network" arachnids,106 sid:164 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "KeyLogger Is Enabled On port" -j LOG --log-prefix " SID165 "	# "BACKDOOR DeepThroat 3.1 Keylogger on Server ON" arachnids,106 sid:165 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "22" -j LOG --log-prefix " SID166 "	# "BACKDOOR DeepThroat 3.1 Show Picture Client Request" arachnids,106 sid:166 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "32" -j LOG --log-prefix " SID167 "	# "BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request" arachnids,106 sid:167 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "33" -j LOG --log-prefix " SID168 "	# "BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request" arachnids,106 sid:168 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "34" -j LOG --log-prefix " SID169 "	# "BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request" arachnids,106 sid:169 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "110" -j LOG --log-prefix " SID170 "	# "BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request" arachnids,106 sid:170 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "35" -j LOG --log-prefix " SID171 "	# "BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request" arachnids,106 sid:171 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "70" -j LOG --log-prefix " SID172 "	# "BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request" arachnids,106 sid:172 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "71" -j LOG --log-prefix " SID173 "	# "BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request" arachnids,106 sid:173 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "31" -j LOG --log-prefix " SID174 "	# "BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request" arachnids,106 sid:174 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "125" -j LOG --log-prefix " SID175 "	# "BACKDOOR DeepThroat 3.1 Resolution Change Client Request" arachnids,106 sid:175 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "04" -j LOG --log-prefix " SID176 "	# "BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request" arachnids,106 sid:176 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "KeyLogger Shut Down" -j LOG --log-prefix " SID177 "	# "BACKDOOR DeepThroat 3.1 Keylogger on Server OFF" arachnids,106 sid:177 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "21" -j LOG --log-prefix " SID179 "	# "BACKDOOR DeepThroat 3.1 FTP Server Port Client Request" arachnids,106 sid:179 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "64" -j LOG --log-prefix " SID180 "	# "BACKDOOR DeepThroat 3.1 Process List Client request" arachnids,106 sid:180 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "121" -j LOG --log-prefix " SID181 "	# "BACKDOOR DeepThroat 3.1 Close Port Scan Client Request" arachnids,106 sid:181 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "89" -j LOG --log-prefix " SID182 "	# "BACKDOOR DeepThroat 3.1 Registry Add Client Request" arachnids,106 sid:182 classtype:misc-activity
#iptables -A SnortRules -p icmp -s 255.255.255.0/24 -d $HOME_NET --icmp-type 0 -j LOG --log-prefix " SID183 "	#Cannot convert: dsize: >1	 "BACKDOOR SIGNATURE - Q ICMP" arachnids,202 sid:183 classtype:misc-activity
#iptables -A SnortRules -p tcp -s 255.255.255.0/24 -d $HOME_NET --tcp-flags ACK ACK -j LOG --log-prefix " SID184 "	#Cannot convert: dsize: >1	 "BACKDOOR Q access" arachnids,203 sid:184 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 -m string --string "ypi0ca" --tcp-flags ACK ACK -j LOG --log-prefix " SID185 "	# "BACKDOOR CDK" nocase-ignored arachnids,263 sid:185 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "07" -j LOG --log-prefix " SID186 "	# "BACKDOOR DeepThroat 3.1 Monitor on/off Client Request" arachnids,106 sid:186 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "41" -j LOG --log-prefix " SID187 "	# "BACKDOOR DeepThroat 3.1 Delete File Client Request" arachnids,106 sid:187 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "38" -j LOG --log-prefix " SID188 "	# "BACKDOOR DeepThroat 3.1 Kill Window Client Request" arachnids,106 sid:188 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "23" -j LOG --log-prefix " SID189 "	# "BACKDOOR DeepThroat 3.1 Disable Window Client Request" arachnids,106 sid:189 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "24" -j LOG --log-prefix " SID190 "	# "BACKDOOR DeepThroat 3.1 Enable Window Client Request" arachnids,106 sid:190 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "60" -j LOG --log-prefix " SID191 "	# "BACKDOOR DeepThroat 3.1 Change Window Title Client Request" arachnids,106 sid:191 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "26" -j LOG --log-prefix " SID192 "	# "BACKDOOR DeepThroat 3.1 Hide Window Client Request" arachnids,106 sid:192 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "25" -j LOG --log-prefix " SID193 "	# "BACKDOOR DeepThroat 3.1 Show Window Client Request" arachnids,106 sid:193 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "63" -j LOG --log-prefix " SID194 "	# "BACKDOOR DeepThroat 3.1 Send Text to Window Client Request" arachnids,106 sid:194 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "Ahhhh My Mouth Is Open" -j LOG --log-prefix " SID195 "	# "BACKDOOR DeepThroat 3.1 Server Response" arachnids,106 sid:195 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "30" -j LOG --log-prefix " SID196 "	# "BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request" arachnids,106 sid:196 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "39" -j LOG --log-prefix " SID197 "	# "BACKDOOR DeepThroat 3.1 Create Directory Client Request" arachnids,106 sid:197 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "370" -j LOG --log-prefix " SID198 "	# "BACKDOOR DeepThroat 3.1 All Window List Client Request" arachnids,106 sid:198 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "36" -j LOG --log-prefix " SID199 "	# "BACKDOOR DeepThroat 3.1 Play Sound Client Request" arachnids,106 sid:199 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "14" -j LOG --log-prefix " SID200 "	# "BACKDOOR DeepThroat 3.1 Run Program Normal Client Request" arachnids,106 sid:200 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "15" -j LOG --log-prefix " SID201 "	# "BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request" arachnids,106 sid:201 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "100" -j LOG --log-prefix " SID202 "	# "BACKDOOR DeepThroat 3.1 Get NET File Client Request" arachnids,106 sid:202 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "117" -j LOG --log-prefix " SID203 "	# "BACKDOOR DeepThroat 3.1 Find File Client Request" arachnids,106 sid:203 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "118" -j LOG --log-prefix " SID204 "	# "BACKDOOR DeepThroat 3.1 Find File Client Request" arachnids,106 sid:204 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "199" -j LOG --log-prefix " SID205 "	# "BACKDOOR DeepThroat 3.1 HUP Modem Client Request" arachnids,106 sid:205 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "02" -j LOG --log-prefix " SID206 "	# "BACKDOOR DeepThroat 3.1 CD ROM Open Client Request" arachnids,106 sid:206 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 60000 -d $HOME_NET --dport 2140 -m string --string "03" -j LOG --log-prefix " SID207 "	# "BACKDOOR DeepThroat 3.1 CD ROM Close Client Request" arachnids,106 sid:207 classtype:misc-activity
iptables -A SnortRules -p tcp -s $HOME_NET --sport 555 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "phAse" -j LOG --log-prefix " SID208 "	# "BACKDOOR PhaseZero Server Active on Network" sid:208 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "w00w00" -j LOG --log-prefix " SID209 "	# "BACKDOOR w00w00 attempt" arachnids,510 classtype:attempted-admin sid:209
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "backdoor" -j LOG --log-prefix " SID210 "	# "BACKDOOR attempt" nocase-ignored classtype:attempted-admin sid:210
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "r00t" -j LOG --log-prefix " SID211 "	# "BACKDOOR MISC r00t attempt" classtype:attempted-admin sid:211
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "rewt" -j LOG --log-prefix " SID212 "	# "BACKDOOR MISC rewt attempt" classtype:attempted-admin sid:212
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "wh00t!" -j LOG --log-prefix " SID213 "	# "BACKDOOR MISC linux rootkit attempt" classtype:attempted-admin sid:213
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "lrkr0x" -j LOG --log-prefix " SID214 "	# "BACKDOOR MISC linux rootkit attempt lrkr0x" classtype:attempted-admin sid:214
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "d13hh[" -j LOG --log-prefix " SID215 "	# "BACKDOOR MISC linux rootkit attempt" nocase-ignored classtype:attempted-admin sid:215
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "satori" -j LOG --log-prefix " SID216 "	# "BACKDOOR MISC linux rootkit satori attempt" arachnids,516 classtype:attempted-admin sid:216
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "hax0r" -j LOG --log-prefix " SID217 "	# "BACKDOOR MISC sm4ck attempt" classtype:attempted-admin sid:217
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "friday" -j LOG --log-prefix " SID218 "	# "BACKDOOR MISC solaris 2.5 attempt" classtype:attempted-user sid:218
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "StoogR" -j LOG --log-prefix " SID219 "	# "BACKDOOR HidePak backdoor attempt" sid:219 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string "wank" -j LOG --log-prefix " SID220 "	# "BACKDOOR HideSource backdoor attempt" sid:220 classtype:misc-activity
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "‚ ‘Ð " -j LOG --log-prefix " SID647 "	# "SHELLCODE sparc setuid 0" arachnids,282 classtype:system-call-detect sid:647
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "‚ ‘Ð " -j LOG --log-prefix " SID647 "	# "SHELLCODE sparc setuid 0" arachnids,282 classtype:system-call-detect sid:647
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "°µÍ€" -j LOG --log-prefix " SID649 "	# "SHELLCODE x86 setgid 0" arachnids,284 classtype:system-call-detect sid:649
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "°µÍ€" -j LOG --log-prefix " SID649 "	# "SHELLCODE x86 setgid 0" arachnids,284 classtype:system-call-detect sid:649
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "°Í€" -j LOG --log-prefix " SID650 "	# "SHELLCODE x86 setuid 0" arachnids,436 classtype:system-call-detect sid:650
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "°Í€" -j LOG --log-prefix " SID650 "	# "SHELLCODE x86 setuid 0" arachnids,436 classtype:system-call-detect sid:650
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "àø%àø%àø%àø%" -j LOG --log-prefix " SID638 "	# "SHELLCODE SGI NOOP" arachnids,356 classtype:shellcode-detect sid:638
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "àø%àø%àø%àø%" -j LOG --log-prefix " SID638 "	# "SHELLCODE SGI NOOP" arachnids,356 classtype:shellcode-detect sid:638
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "\$4\$4\$4\$4" -j LOG --log-prefix " SID639 "	# "SHELLCODE SGI NOOP" arachnids,357 classtype:shellcode-detect sid:639
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "\$4\$4\$4\$4" -j LOG --log-prefix " SID639 "	# "SHELLCODE SGI NOOP" arachnids,357 classtype:shellcode-detect sid:639
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "Oÿû‚Oÿû‚Oÿû‚Oÿû‚" -j LOG --log-prefix " SID640 "	# "SHELLCODE aix NOOP" classtype:shellcode-detect sid:640
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "Oÿû‚Oÿû‚Oÿû‚Oÿû‚" -j LOG --log-prefix " SID640 "	# "SHELLCODE aix NOOP" classtype:shellcode-detect sid:640
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "GÿGÿGÿGÿ" -j LOG --log-prefix " SID641 "	# "SHELLCODE digital unix NOOP" arachnids,352 classtype:shellcode-detect sid:641
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "GÿGÿGÿGÿ" -j LOG --log-prefix " SID641 "	# "SHELLCODE digital unix NOOP" arachnids,352 classtype:shellcode-detect sid:641
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "€€€€" -j LOG --log-prefix " SID642 "	# "SHELLCODE hpux NOOP" arachnids,358 classtype:shellcode-detect sid:642
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "€€€€" -j LOG --log-prefix " SID642 "	# "SHELLCODE hpux NOOP" arachnids,358 classtype:shellcode-detect sid:642
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "9€9€9€9€" -j LOG --log-prefix " SID643 "	# "SHELLCODE hpux NOOP" arachnids,359 classtype:shellcode-detect sid:643
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "9€9€9€9€" -j LOG --log-prefix " SID643 "	# "SHELLCODE hpux NOOP" arachnids,359 classtype:shellcode-detect sid:643
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "À¦À¦À¦À¦" -j LOG --log-prefix " SID644 "	# "SHELLCODE sparc NOOP" arachnids,345 classtype:shellcode-detect sid:644
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "À¦À¦À¦À¦" -j LOG --log-prefix " SID644 "	# "SHELLCODE sparc NOOP" arachnids,345 classtype:shellcode-detect sid:644
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "€@€@€@€@" -j LOG --log-prefix " SID645 "	# "SHELLCODE sparc NOOP" arachnids,353 classtype:shellcode-detect sid:645
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "€@€@€@€@" -j LOG --log-prefix " SID645 "	# "SHELLCODE sparc NOOP" arachnids,353 classtype:shellcode-detect sid:645
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "¦À¦À¦À¦À" -j LOG --log-prefix " SID646 "	# "SHELLCODE sparc NOOP" arachnids,355 classtype:shellcode-detect sid:646
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "¦À¦À¦À¦À" -j LOG --log-prefix " SID646 "	# "SHELLCODE sparc NOOP" arachnids,355 classtype:shellcode-detect sid:646
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "" -j LOG --log-prefix " SID648 "	# "SHELLCODE x86 NOOP" arachnids,181 classtype:shellcode-detect sid:648
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "" -j LOG --log-prefix " SID648 "	# "SHELLCODE x86 NOOP" arachnids,181 classtype:shellcode-detect sid:648
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "ëëë" -j LOG --log-prefix " SID651 "	# "SHELLCODE x86 stealth NOOP" arachnids,291 classtype:shellcode-detect sid:651
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "ëëë" -j LOG --log-prefix " SID651 "	# "SHELLCODE x86 stealth NOOP" arachnids,291 classtype:shellcode-detect sid:651
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "" -j LOG --log-prefix " SID653 "	# "SHELLCODE x86 unicode NOOP" classtype:shellcode-detect sid:653
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "" -j LOG --log-prefix " SID653 "	# "SHELLCODE x86 unicode NOOP" classtype:shellcode-detect sid:653
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "èÀÿÿÿ/bin/sh" -j LOG --log-prefix " SID652 "	# "SHELLCODE linux shellcode" arachnids,343 classtype:shellcode-detect sid:652
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "èÀÿÿÿ/bin/sh" -j LOG --log-prefix " SID652 "	# "SHELLCODE linux shellcode" arachnids,343 classtype:shellcode-detect sid:652
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "CCCCCCCCCCCCCCCCCCCCCCCC" -j LOG --log-prefix " SID1390 "	# "SHELLCODE x86 inc ebx NOOP" classtype:shellcode-detect sid:1390
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "CCCCCCCCCCCCCCCCCCCCCCCC" -j LOG --log-prefix " SID1390 "	# "SHELLCODE x86 inc ebx NOOP" classtype:shellcode-detect sid:1390
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "aaaaaaaaaaaaaaaaaaaaa" -j LOG --log-prefix " SID1394 "	# "SHELLCODE x86 NOOP" classtype:shellcode-detect sid:1394
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "aaaaaaaaaaaaaaaaaaaaa" -j LOG --log-prefix " SID1394 "	# "SHELLCODE x86 NOOP" classtype:shellcode-detect sid:1394
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "ëëëëëëëë" -j LOG --log-prefix " SID1424 "	# "SHELLCODE x86 EB OC NOOP" classtype:shellcode-detect sid:1424
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport $SHELLCODE_PORTS -m string --string "ëëëëëëëë" -j LOG --log-prefix " SID1424 "	# "SHELLCODE x86 EB OC NOOP" classtype:shellcode-detect sid:1424
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "USER" --string " anonymous" --tcp-flags ACK ACK -j LOG --log-prefix " SID553 "	# "INFO FTP anonymous login attempt" nocase-ignored nocase-ignored classtype:misc-activity sid:553
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "USER" --string " ftp" --tcp-flags ACK ACK -j LOG --log-prefix " SID1449 "	# "INFO FTP anonymous (ftp) login attempt" nocase-ignored nocase-ignored classtype:misc-activity sid:1449
iptables -A SnortRules -p tcp -s $HOME_NET --sport 23 -d $EXTERNAL_NET -m string --string "WinGate>" --tcp-flags ACK ACK -j LOG --log-prefix " SID555 "	# "INFO WinGate telnet server response" arachnids,366 cve,CAN-1999-0657 classtype:misc-activity sid:555
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ACK ACK -m string --string "RFB 003.003" -j LOG --log-prefix " SID560 "	# "INFO VNC server response" classtype:misc-activity sid:560
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 5632 -m string --string "ST" -j LOG --log-prefix " SID566 "	# "INFO PCAnywhere server response" arachnids,239 classtype:misc-activity sid:566
iptables -A SnortRules -p tcp -s $SMTP --sport 25 -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "550 5.7.1" -j LOG --log-prefix " SID567 "	# "INFO SMTP relaying denied" url,mail-abuse.org/tsi/ar-fix.html arachnids,249 classtype:misc-activity sid:567
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 9100 --tcp-flags ACK ACK -m string --string "@PJL RDYMSG DISPLAY =" -j LOG --log-prefix " SID568 "	# "INFO HP JetDirect LCD modification attempt" classtype:misc-activity bugtraq,2245 arachnids,302 sid:568
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 9000:9002 --tcp-flags ACK ACK -m string --string "@PJL RDYMSG DISPLAY =" -j LOG --log-prefix " SID510 "	# "INFO HP JetDirect LCD modification attempt" classtype:misc-activity bugtraq,2245 arachnids,302 sid:510
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "FREE XXX" --tcp-flags ACK ACK -j LOG --log-prefix " SID1310 "	# "PORN free XXX" nocase-ignored classtype:kickass-porn sid:1310
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "hardcore anal" --tcp-flags ACK ACK -j LOG --log-prefix " SID1311 "	# "PORN hardcore anal" nocase-ignored classtype:kickass-porn sid:1311
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "nude cheerleader" --tcp-flags ACK ACK -j LOG --log-prefix " SID1312 "	# "PORN nude cheerleader" nocase-ignored classtype:kickass-porn sid:1312
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "up skirt" --tcp-flags ACK ACK -j LOG --log-prefix " SID1313 "	# "PORN up skirt" nocase-ignored classtype:kickass-porn sid:1313
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "young teen" --tcp-flags ACK ACK -j LOG --log-prefix " SID1314 "	# "PORN young teen" nocase-ignored classtype:kickass-porn sid:1314
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "hot young sex" --tcp-flags ACK ACK -j LOG --log-prefix " SID1315 "	# "PORN hot young sex" nocase-ignored classtype:kickass-porn sid:1315
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "fuck fuck fuck" --tcp-flags ACK ACK -j LOG --log-prefix " SID1316 "	# "PORN fuck fuck fuck" nocase-ignored classtype:kickass-porn sid:1316
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "anal sex" --tcp-flags ACK ACK -j LOG --log-prefix " SID1317 "	# "PORN anal sex" nocase-ignored classtype:kickass-porn sid:1317
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "hardcore rape" --tcp-flags ACK ACK -j LOG --log-prefix " SID1318 "	# "PORN hardcore rape" nocase-ignored classtype:kickass-porn sid:1318
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "real snuff" --tcp-flags ACK ACK -j LOG --log-prefix " SID1319 "	# "PORN real snuff" nocase-ignored classtype:kickass-porn sid:1319
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "fuck movies" --tcp-flags ACK ACK -j LOG --log-prefix " SID1320 "	# "PORN fuck movies" nocase-ignored classtype:kickass-porn sid:1320
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "Connection closed by foreign host" --tcp-flags ACK ACK -j LOG --log-prefix " SID488 "	# "INFO Connection Closed MSG from Port 80" nocase-ignored classtype:unknown sid:488
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "pass " --tcp-flags ACK ACK -j LOG --log-prefix " SID489 "	# "INFO FTP No Password" nocase-ignored arachnids,322 classtype:unknown sid:489
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP --dport 25 -m string --string "BattleMail" --tcp-flags ACK ACK -j LOG --log-prefix " SID490 "	# "INFO battle-mail traffic" classtype:unknown sid:490
iptables -A SnortRules -p tcp -s $HOME_NET --sport 21 -d $EXTERNAL_NET -m string --string "530 Login " --tcp-flags ACK ACK -j LOG --log-prefix " SID491 "	# "FTP Bad login" nocase-ignored classtype:bad-unknown sid:491
iptables -A SnortRules -p tcp -s $HOME_NET --sport 23 -d $EXTERNAL_NET -m string --string "Login failed" --tcp-flags ACK ACK -j LOG --log-prefix " SID492 "	# "TELNET Bad Login" nocase-ignored classtype:bad-unknown sid:492
iptables -A SnortRules -p tcp -s $HOME_NET --sport 23 -d $EXTERNAL_NET -m string --string "Login incorrect" --tcp-flags ACK ACK -j LOG --log-prefix " SID1251 "	# "TELNET Bad Login" nocase-ignored classtype:bad-unknown sid:1251
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET -m string --string "Welcome!psyBNC@lam3rz.de" --tcp-flags ACK ACK -j LOG --log-prefix " SID493 "	# "INFO psyBNC access" classtype:bad-unknown sid:493
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 9 -j LOG --log-prefix " SID363 "	# "ICMP IRDP router advertisement" bugtraq,578 cve,CVE-1999-0875 arachnids,173 sid:363 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 10 -j LOG --log-prefix " SID364 "	# "ICMP IRDP router selection" bugtraq,578 cve,CVE-1999-0875 arachnids,174 sid:364 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "" --icmp-type 8 -j LOG --log-prefix " SID366 "	# "ICMP PING *NIX" sid:366 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 8 -m string --string "	" -j LOG --log-prefix " SID368 "	# "ICMP PING BSDtype" arachnids,152 sid:368 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 8 -m string --string "	" -j LOG --log-prefix " SID369 "	# "ICMP PING BayRS Router" arachnids,438 arachnids,444 sid:369 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "	" --icmp-type 8 -j LOG --log-prefix " SID370 "	# "ICMP PING BeOS4.x" arachnids,151 sid:370 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "«Í«Í«Í«Í«Í«Í«Í«Í" --icmp-type 8 -j LOG --log-prefix " SID371 "	# "ICMP PING Cisco Type.x" arachnids,153 sid:371 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "Pinging from Del" --icmp-type 8 -j LOG --log-prefix " SID372 "	# "ICMP PING Delphi-Piette Windows" arachnids,155 sid:372 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 8 -m string --string "	" -j LOG --log-prefix " SID373 "	# "ICMP PING Flowpoint2200 or Network Management Software" arachnids,156 sid:373 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "© Sustainable So" --icmp-type 8 -j LOG --log-prefix " SID374 "	# "ICMP PING IP NetMonitor Macintosh" arachnids,157 sid:374 classtype:misc-activity
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 8 -j LOG --log-prefix " SID375 "	#Cannot convert: dsize:8 id:13170	 "ICMP PING LINUX/*BSD" arachnids,447 sid:375 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "0123456789abcdefghijklmnop" --icmp-type 8 -j LOG --log-prefix " SID376 "	# "ICMP PING Microsoft Windows" arachnids,159 sid:376 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "================" --icmp-type 8 -j LOG --log-prefix " SID377 "	# "ICMP PING Network Toolbox 3 Windows" arachnids,161 sid:377 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "OMeterObeseArmad" --icmp-type 8 -j LOG --log-prefix " SID378 "	# "ICMP PING Ping-O-MeterWindows" arachnids,164 sid:378 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "Data" --icmp-type 8 -j LOG --log-prefix " SID379 "	# "ICMP PING Pinger Windows" arachnids,163 sid:379 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "ˆ              " --icmp-type 8 -j LOG --log-prefix " SID380 "	# "ICMP PING Seer Windows" arachnids,166 sid:380 classtype:misc-activity
#iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 8 -j LOG --log-prefix " SID381 "	#Cannot convert: dsize:8	 "ICMP PING Sun Solaris" arachnids,448 sid:381 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "abcdefghijklmnop" --icmp-type 8 -j LOG --log-prefix " SID382 "	# "ICMP PING Windows" arachnids,169 sid:382 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 8/0 -j LOG --log-prefix " SID384 "	# "ICMP PING" sid:384 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m ttl --ttl-eq 1 --icmp-type 8 -j LOG --log-prefix " SID385 "	# "ICMP traceroute " arachnids,118 classtype:attempted-recon sid:385
iptables -A SnortRules -p icmp -s $HOME_NET -d $EXTERNAL_NET --icmp-type 18/0 -j LOG --log-prefix " SID386 "	# "ICMP Address Mask Reply" sid:386 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 18 -j LOG --log-prefix " SID387 "	# "ICMP Address Mask Reply (Undefined Code!)" sid:387 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 17/0 -j LOG --log-prefix " SID388 "	# "ICMP Address Mask Request" sid:388 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 17 -j LOG --log-prefix " SID389 "	# "ICMP Address Mask Request (Undefined Code!)" sid:389 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 6/0 -j LOG --log-prefix " SID390 "	# "ICMP Alternate Host Address" sid:390 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 6 -j LOG --log-prefix " SID391 "	# "ICMP Alternate Host Address (Undefined Code!)" sid:391 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 31/0 -j LOG --log-prefix " SID392 "	# "ICMP Datagram Conversion Error" sid:392 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 31 -j LOG --log-prefix " SID393 "	# "ICMP Datagram Conversion Error (Undefined Code!)" sid:393 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/7 -j LOG --log-prefix " SID394 "	# "ICMP Destination Unreachable (Destination Host Unknown)" sid:394 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/6 -j LOG --log-prefix " SID395 "	# "ICMP Destination Unreachable (Destination Network Unknown)" sid:395 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/4 -j LOG --log-prefix " SID396 "	# "ICMP Destination Unreachable (Fragmentation Needed and DF bit was set)" sid:396 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/14 -j LOG --log-prefix " SID397 "	# "ICMP Destination Unreachable (Host Precedence Violation)" sid:397 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/12 -j LOG --log-prefix " SID398 "	# "ICMP Destination Unreachable (Host Unreachable for Type of Service)" sid:398 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/1 -j LOG --log-prefix " SID399 "	# "ICMP Destination Unreachable (Host Unreachable)" sid:399 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/11 -j LOG --log-prefix " SID400 "	# "ICMP Destination Unreachable (Network Unreachable for Type of Service)" sid:400 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/0 -j LOG --log-prefix " SID401 "	# "ICMP Destination Unreachable (Network Unreachable)" sid:401 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/3 -j LOG --log-prefix " SID402 "	# "ICMP Destination Unreachable (Port Unreachable)" sid:402 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/15 -j LOG --log-prefix " SID403 "	# "ICMP Destination Unreachable (Precedence Cutoff in effect)" sid:403 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/2 -j LOG --log-prefix " SID404 "	# "ICMP Destination Unreachable (Protocol Unreachable)" sid:404 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/8 -j LOG --log-prefix " SID405 "	# "ICMP Destination Unreachable (Source Host Isolated)" sid:405 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3/5 -j LOG --log-prefix " SID406 "	# "ICMP Destination Unreachable (Source Route Failed)" sid:406 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 3 -j LOG --log-prefix " SID407 "	# "ICMP Destination Unreachable (Undefined Code!)" sid:407 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 0/0 -j LOG --log-prefix " SID408 "	# "ICMP Echo Reply" sid:408 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 0 -j LOG --log-prefix " SID409 "	# "ICMP Echo Reply (Undefined Code!)" sid:409 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 11/1 -j LOG --log-prefix " SID410 "	# "ICMP Fragment Reassembly Time Exceeded" sid:410 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 34/0 -j LOG --log-prefix " SID411 "	# "ICMP IPV6 I-Am-Here" sid:411 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 34 -j LOG --log-prefix " SID412 "	# "ICMP IPV6 I-Am-Here (Undefined Code!" sid:412 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 33/0 -j LOG --log-prefix " SID413 "	# "ICMP IPV6 Where-Are-You" sid:413 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 33 -j LOG --log-prefix " SID414 "	# "ICMP IPV6 Where-Are-You (Undefined Code!)" sid:414 classtype:misc-activity
iptables -A SnortRules -p icmp -s $HOME_NET -d $EXTERNAL_NET --icmp-type 16/0 -j LOG --log-prefix " SID415 "	# "ICMP Information Reply" sid:415 classtype:misc-activity
iptables -A SnortRules -p icmp -s $HOME_NET -d $EXTERNAL_NET --icmp-type 16 -j LOG --log-prefix " SID416 "	# "ICMP Information Reply (Undefined Code!)" sid:416 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 15/0 -j LOG --log-prefix " SID417 "	# "ICMP Information Request" sid:417 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 15 -j LOG --log-prefix " SID418 "	# "ICMP Information Request (Undefined Code!)" sid:418 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 32/0 -j LOG --log-prefix " SID419 "	# "ICMP Mobile Host Redirect" sid:419 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 32 -j LOG --log-prefix " SID420 "	# "ICMP Mobile Host Redirect (Undefined Code!)" sid:420 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 36/0 -j LOG --log-prefix " SID421 "	# "ICMP Mobile Registration Reply" sid:421 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 36 -j LOG --log-prefix " SID422 "	# "ICMP Mobile Registration Reply (Undefined Code!)" sid:422 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 35/0 -j LOG --log-prefix " SID423 "	# "ICMP Mobile Registration Request" sid:423 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 35 -j LOG --log-prefix " SID424 "	# "ICMP Mobile Registration Request (Undefined Code!" sid:424 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 12/2 -j LOG --log-prefix " SID425 "	# "ICMP Parameter Problem (Bad Length)" sid:425 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 12/1 -j LOG --log-prefix " SID426 "	# "ICMP Parameter Problem (Missing a Requiered Option)" sid:426 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 12/0 -j LOG --log-prefix " SID427 "	# "ICMP Parameter Problem (Unspecified Error)" sid:427 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 12 -j LOG --log-prefix " SID428 "	# "ICMP Parameter Problem (Undefined Code!)" sid:428 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 40/0 -j LOG --log-prefix " SID429 "	# "ICMP Photuris (Reserved)" sid:429 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 40/1 -j LOG --log-prefix " SID430 "	# "ICMP Photuris (Unknown Security Parameters Index)" sid:430 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 40/2 -j LOG --log-prefix " SID431 "	# "ICMP Photuris (Valid Security Parameters, But Authentication Failed)" sid:431 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 40/3 -j LOG --log-prefix " SID432 "	# "ICMP Photuris (Valid Security Parameters, But Decryption Failed)" sid:432 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 40 -j LOG --log-prefix " SID433 "	# "ICMP Photuris (Undefined Code!)" sid:433 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 5/3 -j LOG --log-prefix " SID436 "	# "ICMP Redirect (for TOS and Host)" sid:436 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 5/2 -j LOG --log-prefix " SID437 "	# "ICMP Redirect (for TOS and Network)" sid:437 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 5 -j LOG --log-prefix " SID438 "	# "ICMP Redirect (Undefined Code!)" sid:438 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 19/0 -j LOG --log-prefix " SID439 "	# "ICMP Reserved for Security (Type 19)" sid:439 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 19 -j LOG --log-prefix " SID440 "	# "ICMP Reserved for Security (Type 19) (Undefined Code!)" sid:440 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 9/0 -j LOG --log-prefix " SID441 "	# "ICMP Router Advertisment" arachnids,173 sid:441 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 10/0 -j LOG --log-prefix " SID443 "	# "ICMP Router Selection" arachnids,174 sid:443 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 39/0 -j LOG --log-prefix " SID445 "	# "ICMP SKIP" sid:445 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 39 -j LOG --log-prefix " SID446 "	# "ICMP SKIP (Undefined Code!" sid:446 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 4 -j LOG --log-prefix " SID448 "	# "ICMP Source Quench (Undefined Code!)" sid:448 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 11/0 -j LOG --log-prefix " SID449 "	# "ICMP Time-To-Live Exceeded in Transit" sid:449 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 11 -j LOG --log-prefix " SID450 "	# "ICMP Time-To-Live Exceeded in Transit (Undefined Code!)" sid:450 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 14/0 -j LOG --log-prefix " SID451 "	# "ICMP Timestamp Reply" sid:451 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 14 -j LOG --log-prefix " SID452 "	# "ICMP Timestamp Reply (Undefined Code!)" sid:452 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 13/0 -j LOG --log-prefix " SID453 "	# "ICMP Timestamp Request" sid:453 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 13 -j LOG --log-prefix " SID454 "	# "ICMP Timestamp Request (Undefined Code!)" sid:454 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m ipv4options --rr --icmp-type 0 -j LOG --log-prefix " SID455 "	# "ICMP Traceroute ipopts" arachnids,238 sid:455 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 30/0 -j LOG --log-prefix " SID456 "	# "ICMP Traceroute" sid:456 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 30 -j LOG --log-prefix " SID457 "	# "ICMP Traceroute (Undefined Code!)" sid:457 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 1/0 -j LOG --log-prefix " SID458 "	# "ICMP Unassigned! (Type 1)" sid:458 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 1 -j LOG --log-prefix " SID459 "	# "ICMP Unassigned! (Type 1) (Undefined Code)" sid:459 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 2/0 -j LOG --log-prefix " SID460 "	# "ICMP Unassigned! (Type 2)" sid:460 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 2 -j LOG --log-prefix " SID461 "	# "ICMP Unassigned! (Type 2) (Undefined Code)" sid:461 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 7/0 -j LOG --log-prefix " SID462 "	# "ICMP Unassigned! (Type 7)" sid:462 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 7 -j LOG --log-prefix " SID463 "	# "ICMP Unassigned! (Type 7) (Undefined Code!)" sid:463 classtype:misc-activity
iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 8 -j LOG --log-prefix " SID365 "	# "ICMP PING (Undefined Code!)" sid:365 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "Suddlently" -j LOG --log-prefix " SID720 "	# "Virus - SnowWhite Trojan Incoming" sid:720 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string ".pif" -j LOG --log-prefix " SID721 "	# "Virus - Possible pif Worm" nocase-ignored sid:721 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "NAVIDAD.EXE" -j LOG --log-prefix " SID722 "	# "Virus - Possible NAVIDAD Worm" nocase-ignored sid:722 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "myromeo.exe" -j LOG --log-prefix " SID723 "	# "Virus - Possible MyRomeo Worm" nocase-ignored sid:723 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "myjuliet.chm" -j LOG --log-prefix " SID724 "	# "Virus - Possible MyRomeo Worm" nocase-ignored sid:724 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "ble bla" -j LOG --log-prefix " SID725 "	# "Virus - Possible MyRomeo Worm" nocase-ignored sid:725 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "I Love You" -j LOG --log-prefix " SID726 "	# "Virus - Possible MyRomeo Worm" sid:726 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "Sorry... Hey you !" -j LOG --log-prefix " SID727 "	# "Virus - Possible MyRomeo Worm" sid:727 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "my picture from shake-beer" -j LOG --log-prefix " SID728 "	# "Virus - Possible MyRomeo Worm" sid:728 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string ".scr" -j LOG --log-prefix " SID729 "	# "Virus - Possible scr Worm" nocase-ignored sid:729 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string ".shs" -j LOG --log-prefix " SID730 "	# "Virus - Possible shs Worm" nocase-ignored sid:730 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "qazwsx.hsq" -j LOG --log-prefix " SID731 "	# "Virus - Possible QAZ Worm" MCAFEE,98775 sid:731 classtype:misc-activity
iptables -A SnortRules -p tcp --dport 139 --tcp-flags ALL ACK -m string --string "qazwsx.hsq" -j LOG --log-prefix " SID732 "	# "Virus - Possible QAZ Worm Infection" MCAFEE,98775 sid:732 classtype:misc-activity
iptables -A SnortRules -p tcp --dport 25 -m string --string "nongmin_cn" -j LOG --log-prefix " SID733 "	# "Virus - Possible QAZ Worm Calling Home" MCAFEE,98775 sid:733 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "Software provide by [MATRiX]" -j LOG --log-prefix " SID734 "	# "Virus - Possible Matrix worm" nocase-ignored sid:734 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "Matrix has you..." -j LOG --log-prefix " SID735 "	# "Virus - Possible MyRomeo Worm" sid:735 classtype:misc-activity
iptables -A SnortRules -p tcp --dport 25 --tcp-flags ALL ACK,PSH -m string --string "funguscrack@hotmail.com" -j LOG --log-prefix " SID736 "	# "Virus - Successful eurocalculator execution" nocase-ignored sid:736 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=" --string "eurocalculator.exe" -j LOG --log-prefix " SID737 "	# "Virus - Possible eurocalculator.exe file" nocase-ignored sid:737 classtype:misc-activity
iptables -A SnortRules -p tcp --dport 110 --tcp-flags ALL ACK,PSH -m string --string "Pikachu Pokemon" -j LOG --log-prefix " SID738 "	# "Virus - Possible Pikachu Pokemon Virus" MCAFEE,98696 sid:738 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="666TEST.VBS"" -j LOG --log-prefix " SID739 "	# "Virus - Possible Triplesix Worm" nocase-ignored MCAFEE,10389 sid:739 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="tune.vbs"" -j LOG --log-prefix " SID740 "	# "Virus - Possible Tune.vbs" nocase-ignored MCAFEE,10497 sid:740 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "Market share tipoff" -j LOG --log-prefix " SID741 "	# "Virus - Possible NAIL Worm" MCAFEE,10109 sid:741 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "name =\"WWIII" -j LOG --log-prefix " SID742 "	# "Virus - Possible NAIL Worm" MCAFEE,10109 sid:742 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "New Developments" -j LOG --log-prefix " SID743 "	# "Virus - Possible NAIL Worm" MCAFEE,10109 sid:743 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "Good Times" -j LOG --log-prefix " SID744 "	# "Virus - Possible NAIL Worm" MCAFEE,10109 sid:744 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="XPASS.XLS"" -j LOG --log-prefix " SID745 "	# "Virus - Possible Papa Worm" nocase-ignored MCAFEE,10145 sid:745 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "LINKS.VBS" -j LOG --log-prefix " SID746 "	# "Virus - Possible Freelink Worm" MCAFEE,10225 sid:746 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="SETUP.EXE"" -j LOG --log-prefix " SID747 "	# "Virus - Possible Simbiosis Worm" nocase-ignored sid:747 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "name =\"BADASS.EXE\"" -j LOG --log-prefix " SID748 "	# "Virus - Possible BADASS Worm" MCAFEE,10388 sid:748 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "name =\"File_zippati.exe\"" -j LOG --log-prefix " SID749 "	# "Virus - Possible ExploreZip.B Worm" MCAFEE,10471 sid:749 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="KAK.HTA"" -j LOG --log-prefix " SID751 "	# "Virus - Possible wscript.KakWorm" nocase-ignored MCAFEE,10509 sid:751 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="Suppl.doc"" -j LOG --log-prefix " SID752 "	# "Virus Possible Suppl Worm" nocase-ignored MCAFEE,10361 sid:752 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="THEOBBQ.EXE"" -j LOG --log-prefix " SID753 "	# "Virus - Possible NewApt.Worm - theobbq.exe" nocase-ignored MCAFEE,10540 sid:753 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="MONEY.DOC"" -j LOG --log-prefix " SID754 "	# "Virus - Possible Word Macro - VALE" nocase-ignored MCAFEE,10502 sid:754 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="irok.exe"" -j LOG --log-prefix " SID755 "	# "Virus - Possible IROK Worm" nocase-ignored MCAFEE,98552 sid:755 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="Fix2001.exe"" -j LOG --log-prefix " SID756 "	# "Virus - Possible Fix2001 Worm" nocase-ignored MCAFEE,10355 sid:756 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="Y2K.EXE"" -j LOG --log-prefix " SID757 "	# "Virus - Possible Y2K Zelu Trojan" nocase-ignored MCAFEE,10505 sid:757 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="THE_FLY.CHM"" -j LOG --log-prefix " SID758 "	# "Virus - Possible The_Fly Trojan" nocase-ignored MCAFEE,10478 sid:758 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="DINHEIRO.DOC"" -j LOG --log-prefix " SID759 "	# "Virus - Possible Word Macro - VALE" nocase-ignored MCAFEE,10502 sid:759 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="ICQ_GREETINGS.EXE"" -j LOG --log-prefix " SID760 "	# "Virus - Possible Passion Worm" nocase-ignored MCAFEE,10467 sid:760 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="COOLER3.EXE"" -j LOG --log-prefix " SID761 "	# "Virus - Possible NewApt.Worm - cooler3.exe" nocase-ignored MCAFEE,10540 sid:761 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="PARTY.EXE"" -j LOG --log-prefix " SID762 "	# "Virus - Possible NewApt.Worm - party.exe" nocase-ignored MCAFEE,10540 sid:762 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="HOG.EXE"" -j LOG --log-prefix " SID763 "	# "Virus - Possible NewApt.Worm - hog.exe" nocase-ignored MCAFEE,10540 sid:763 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="GOAL1.EXE"" -j LOG --log-prefix " SID764 "	# "Virus - Possible NewApt.Worm - goal1.exe" nocase-ignored MCAFEE,10540 sid:764 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="PIRATE.EXE"" -j LOG --log-prefix " SID765 "	# "Virus - Possible NewApt.Worm - pirate.exe" nocase-ignored MCAFEE,10540 sid:765 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="VIDEO.EXE"" -j LOG --log-prefix " SID766 "	# "Virus - Possible NewApt.Worm - video.exe" nocase-ignored MCAFEE,10540 sid:766 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="BABY.EXE"" -j LOG --log-prefix " SID767 "	# "Virus - Possible NewApt.Worm - baby.exe" nocase-ignored MCAFEE,10540 sid:767 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="COOLER1.EXE"" -j LOG --log-prefix " SID768 "	# "Virus - Possible NewApt.Worm - cooler1.exe" nocase-ignored MCAFEE,10540 sid:768 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="BOSS.EXE"" -j LOG --log-prefix " SID769 "	# "Virus - Possible NewApt.Worm - boss.exe" nocase-ignored MCAFEE,10540 sid:769 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="G-ZILLA.EXE"" -j LOG --log-prefix " SID770 "	# "Virus - Possible NewApt.Worm - g-zilla.exe" nocase-ignored MCAFEE,10540 sid:770 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="Toadie.exe"" -j LOG --log-prefix " SID771 "	# "Virus - Possible ToadieE-mail Trojan" nocase-ignored MCAFEE,10540 sid:771 classtype:misc-activity
#iptables -A SnortRules -p tcp --sport 110 -m string --string "\CoolProgs\" -j LOG --log-prefix " SID772 "	#Cannot convert: Mishandled quotes	 "Virus - Possible PrettyPark Trojan" MCAFEE,10175 sid:772 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "X-Spanska:Yes" -j LOG --log-prefix " SID773 "	# "Virus - Possible Happy99 Virus" MCAFEE,10144 sid:773 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "name =\"links.vbs\"" -j LOG --log-prefix " SID774 "	# "Virus - Possible CheckThis Trojan" sid:774 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "BubbleBoy is back!" -j LOG --log-prefix " SID775 "	# "Virus - Possible Bubbleboy Worm" MCAFEE,10418 sid:775 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="COPIER.EXE"" -j LOG --log-prefix " SID776 "	# "Virus - Possible NewApt.Worm - copier.exe" nocase-ignored MCAFEE,10540 sid:776 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "name =\"pics4you.exe\"" -j LOG --log-prefix " SID777 "	# "Virus - Possible MyPics Worm" MCAFEE,10467 sid:777 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "name =\"X-MAS.EXE\"" -j LOG --log-prefix " SID778 "	# "Virus - Possible Babylonia - X-MAS.exe" MCAFEE,10461 sid:778 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="GADGET.EXE"" -j LOG --log-prefix " SID779 "	# "Virus - Possible NewApt.Worm - gadget.exe" nocase-ignored MCAFEE,10540 sid:779 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="IRNGLANT.EXE"" -j LOG --log-prefix " SID780 "	# "Virus - Possible NewApt.Worm - irnglant.exe" nocase-ignored MCAFEE,10540 sid:780 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="CASPER.EXE"" -j LOG --log-prefix " SID781 "	# "Virus - Possible NewApt.Worm - casper.exe" nocase-ignored MCAFEE,10540 sid:781 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="FBORFW.EXE"" -j LOG --log-prefix " SID782 "	# "Virus - Possible NewApt.Worm - fborfw.exe" nocase-ignored MCAFEE,10540 sid:782 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="SADDAM.EXE"" -j LOG --log-prefix " SID783 "	# "Virus - Possible NewApt.Worm - saddam.exe" nocase-ignored MCAFEE,10540 sid:783 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="BBOY.EXE"" -j LOG --log-prefix " SID784 "	# "Virus - Possible NewApt.Worm - bboy.exe" nocase-ignored MCAFEE,10540 sid:784 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="MONICA.EXE"" -j LOG --log-prefix " SID785 "	# "Virus - Possible NewApt.Worm - monica.exe" nocase-ignored MCAFEE,10540 sid:785 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="GOAL.EXE"" -j LOG --log-prefix " SID786 "	# "Virus - Possible NewApt.Worm - goal.exe" nocase-ignored MCAFEE,10540 sid:786 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="PANTHER.EXE"" -j LOG --log-prefix " SID787 "	# "Virus - Possible NewApt.Worm - panther.exe" nocase-ignored MCAFEE,10540 sid:787 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="CHESTBURST.EXE"" -j LOG --log-prefix " SID788 "	# "Virus - Possible NewApt.Worm - chestburst.exe" nocase-ignored MCAFEE,10540 sid:788 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="FARTER.EXE"" -j LOG --log-prefix " SID789 "	# "Virus - Possible NewApt.Worm - farter.exe" nocase-ignored MCAFEE,1054 sid:789 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "name =\"THE_FLY.CHM\"" -j LOG --log-prefix " SID790 "	# "Virus - Possible Common Sense Worm" sid:790 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="CUPID2.EXE"" -j LOG --log-prefix " SID791 "	# "Virus - Possible NewApt.Worm - cupid2.exe" nocase-ignored MCAFEE,10540 sid:791 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="RESUME1.DOC"" -j LOG --log-prefix " SID792 "	# "Virus - Possible Resume Worm" nocase-ignored MCAFEE,98661 sid:792 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "multipart" --string "name=" --string ".vbs" -j LOG --log-prefix " SID793 "	# "Virus - Mail .VBS" nocase-ignored sid:793 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="Explorer.doc"" -j LOG --log-prefix " SID794 "	# "Virus - Possible Resume Worm" nocase-ignored MCAFEE,98661 sid:794 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=" --string ".txt.vbs" -j LOG --log-prefix " SID795 "	# "Virus - Possible Worm - txt.vbs file" nocase-ignored sid:795 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=" --string ".xls.vbs" -j LOG --log-prefix " SID796 "	# "Virus - Possible Worm - xls.vbs file" nocase-ignored sid:796 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=" --string ".jpg.vbs" -j LOG --log-prefix " SID797 "	# "Virus - Possible Worm - jpg.vbs file" nocase-ignored sid:797 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=" --string ".gif.vbs" -j LOG --log-prefix " SID798 "	# "Virus - Possible Worm - gif.vbs file" nocase-ignored sid:798 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="TIMOFONICA.TXT.vbs"" -j LOG --log-prefix " SID799 "	# "Virus - Possible Timofonica Worm" nocase-ignored MCAFEE,98674 sid:799 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename="NORMAL.DOT"" -j LOG --log-prefix " SID800 "	# "Virus - Possible Resume Worm" nocase-ignored MCAFEE,98661 sid:800 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "filename=" --string ".doc.vbs" -j LOG --log-prefix " SID801 "	# "Virus - Possible Worm - doc.vbs file" nocase-ignored sid:801 classtype:misc-activity
iptables -A SnortRules -p tcp --sport 110 -m string --string "name =\"Zipped_Files.EXE\"" -j LOG --log-prefix " SID802 "	# "Virus - Possbile Zipped Files Trojan" MCAFEE,10450 sid:802 classtype:misc-activity
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 161:162 -m string --string "‚" -j LOG --log-prefix " SID1409 "	# "EXPERIMENTAL SNMP community string buffer overflow attempt" url,www.cert.org/advisories/CA-2002-03.html cve,CAN-2002-0012 cve,CAN-2002-0013 classtype:misc-attack sid:1409
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 161:162 -m string --string " ‚" -j LOG --log-prefix " SID1422 "	# "EXPERIMENTAL SNMP community string buffer overflow attempt (with evasion)" url,www.cert.org/advisories/CA-2002-03.html cve,CAN-2002-0012 cve,CAN-2002-0013 classtype:misc-attack sid:1422
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 161 -m string --string "public" -j LOG --log-prefix " SID1411 "	# "SNMP public access udp" cve,CAN-2002-0012 cve,CAN-2002-0013 sid:1411 classtype:attempted-recon
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 161 --tcp-flags ACK ACK -m string --string "public" -j LOG --log-prefix " SID1412 "	# "SNMP public access tcp" cve,CAN-2002-0012 cve,CAN-2002-0013 sid:1412 classtype:attempted-recon
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 161 -m string --string "private" -j LOG --log-prefix " SID1413 "	# "SNMP private access udp" cve,CAN-2002-0012 cve,CAN-2002-0013 sid:1413 classtype:attempted-recon
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 161 --tcp-flags ACK ACK -m string --string "private" -j LOG --log-prefix " SID1414 "	# "SNMP private access tcp" cve,CAN-2002-0012 cve,CAN-2002-0013 sid:1414 classtype:attempted-recon
iptables -A SnortRules -p udp -d 255.255.255.255 --dport 161 -j LOG --log-prefix " SID1415 "	# "SNMP Broadcast request" cve,CAN-2002-0012 cve,CAN-2002-0013 sid:1415 classtype:attempted-recon
iptables -A SnortRules -p udp -d 255.255.255.255 --dport 162 -j LOG --log-prefix " SID1416 "	# "SNMP broadcast trap" cve,CAN-2002-0012 cve,CAN-2002-0013 sid:1416 classtype:attempted-recon
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 161 -j LOG --log-prefix " SID1417 "	# "SNMP request udp" cve,CAN-2002-0012 cve,CAN-2002-0013 sid:1417 classtype:attempted-recon
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 161 -j LOG --log-prefix " SID1418 "	# "SNMP request tcp" cve,CAN-2002-0012 cve,CAN-2002-0013 sid:1418 classtype:attempted-recon
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 162 -j LOG --log-prefix " SID1419 "	# "SNMP trap udp" cve,CAN-2002-0012 cve,CAN-2002-0013 sid:1419 classtype:attempted-recon
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 162 -j LOG --log-prefix " SID1420 "	# "SNMP trap tcp" cve,CAN-2002-0012 cve,CAN-2002-0013 sid:1420 classtype:attempted-recon
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 705 -j LOG --log-prefix " SID1421 "	# "SNMP AgentX/tcp request" cve,CAN-2002-0012 cve,CAN-2002-0013 sid:1421 classtype:attempted-recon
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "Content-Disposition:" --string "name="ÌÌÌÌÌ" -j LOG --log-prefix " SID1423 "	# "EXPERIMENTAL php content-disposition memchr overlfow" bugtraq,4183 classtype:web-application-attack sid:1423
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "Content-Disposition:" --string "form-data -j LOG --log-prefix " SID1425 "	#Cannot convert: "	 "EXPERIMENTAL php content-disposition" classtype:web-application-attack bugtraq,4183 sid:1425
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 161 -m string --string "0&public 00+" -j LOG --log-prefix " SID1426 "	# "EXPERIMENTAL PROTOS test-suite-req-app attempt" classtype:misc-attack sid:1426
iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 162 -m string --string "08public¤+" -j LOG --log-prefix " SID1427 "	# "EXPERIMENTAL PROTOS test-suite-trap-app attempt" classtype:misc-attack sid:1427
iptables -A SnortRules -p tcp -s $HOME_NET -d 64.245.58.0/23 -m string --string "E_" --tcp-flags ACK ACK -j LOG --log-prefix " SID1428 "	# "EXPERIMENTAL audio galaxy keepalive" classtype:misc-activity sid:1428
iptables -A SnortRules -s 63.251.224.177 -d $HOME_NET -j LOG --log-prefix " SID1429 "	# "EXPERIMENTAL poll.gotomypc.com access" url,www.gotomypc.com/help2.tmpl classtype:misc-activity sid:1429
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 23 --tcp-flags ACK ACK -m string --string " # ®#€î#¿ì‚àÖ%à" -j LOG --log-prefix " SID1430 "	# "EXPERIMENTAL TELNET solaris memory mismanagement exploit attempt" classtype:shellcode-detect sid:1430
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 3389 -m string --string "à" --tcp-flags ACK ACK -j LOG --log-prefix " SID1447 "	# "EXPERIMENTAL MS Terminal server request (RDP)" cve,CAN-2001-0540 classtype:protocol-command-decode sid:1447
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 3389 -m string --string "" --string "à" --tcp-flags ACK ACK -j LOG --log-prefix " SID1448 "	# "EXPERIMENTAL MS Terminal server request" cve,CAN-2001-0540 classtype:protocol-command-decode sid:1448
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "<SCRIPT>" -j LOG --log-prefix " SID1497 "	# "EXPERIMENTAL cross site scripting attempt" nocase-ignored classtype:web-application-attack sid:1497
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 8181 --tcp-flags ACK ACK -m string --string "/../../" -j LOG --log-prefix " SID1498 "	# "EXPERIMENTAL WEB-MISC PIX firewall manager directory traversal attempt" classtype:web-application-attack sid:1498
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 8888 --tcp-flags ACK ACK -m string --string "/SiteScope/cgi/go.exe/SiteScope" -j LOG --log-prefix " SID1499 "	# "EXPERIMENTAL WEB-MISC SiteScope Service access" classtype:web-application-activity sid:1499
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/exair/search/" -j LOG --log-prefix " SID1500 "	# "EXPERIMENTAL WEB-MISC ExAir access" cve,CVE-1999-0449 classtype:web-application-activity sid:1500
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 7001 --tcp-flags ACK ACK -m string --string "çe" -j LOG --log-prefix " SID1504 "	# "EXPERIMENTAL MISC AFS access" classtype:misc-activity sid:1504
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 8000 --tcp-flags ACK ACK -m string --string "/nstelemetry.adp" -j LOG --log-prefix " SID1518 "	# "EXPERIMENTAL WEB-MISC nstelemetry.adp access" classtype:web-application-activity sid:1518
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/?M=A" -j LOG --log-prefix " SID1519 "	# "EXPERIMENTAL WEB-MISC apache ?M=A directory list attempt" classtype:web-application-activity cve,CAN-2001-0731 sid:1519
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/server-info" -j LOG --log-prefix " SID1520 "	# "EXPERIMENTAL WEB-MISC server-info access" classtype:web-application-activity sid:1520
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/server-status" -j LOG --log-prefix " SID1521 "	# "EXPERIMENTAL WEB-MISC server-status access" classtype:web-application-activity sid:1521
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/ans.pl?p=../../" -j LOG --log-prefix " SID1522 "	# "EXPERIMENTAL WEB-MISC ans.pl attempt" classtype:web-application-attack bugtraq,4147 bugtraq,4149 sid:1522
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/ans.pl" -j LOG --log-prefix " SID1523 "	# "EXPERIMENTAL WEB-MISC ans.pl access" classtype:web-application-activity bugtraq,4147 bugtraq,4149 sid:1523
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/cd/../config/html/cnf_gi.htm" -j LOG --log-prefix " SID1524 "	# "EXPERIMENTAL WEB-MISC Axis Storpoint CD attempt" classtype:web-application-attack cve,CAN-2000-0191 sid:1524
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/config/html/cnf_gi.htm" -j LOG --log-prefix " SID1525 "	# "EXPERIMENTAL WEB-MISC Axis Storpoint CD access" classtype:web-application-activity cve,CAN-2000-0191 sid:1525
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/inc/sendmail.inc" -j LOG --log-prefix " SID1526 "	# "EXPERIMENTAL WEB-MISC basilix sendmail.inc access" classtype:web-application-activity sid:1526
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/class/mysql.class" -j LOG --log-prefix " SID1527 "	# "EXPERIMENTAL WEB-MISC basilix mysql.class access" classtype:web-application-activity sid:1527
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/servlet/sunexamples.BBoardServlet" -j LOG --log-prefix " SID1528 "	# "EXPERIMENTAL WEB-MISC BBoard access" classtype:web-application-activity cve,CAN-2000-0629 sid:1528
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "CMD " -j LOG --log-prefix " SID1621 "	#Cannot convert: dsize:>150	 "EXPERIMENTAL FTP EXPLOIT CMD overflow" nocase-ignored classtype:attempted-admin sid:1621
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "SITE CHOWN " -j LOG --log-prefix " SID1529 "	#Cannot convert: dsize:>500	 "EXPERIMENTAL FTP EXPLOIT SITE CHOWN overflow" nocase-ignored cve,CAN-2001-0065 classtype:attempted-admin sid:1529
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "RNFR " --string " ././" -j LOG --log-prefix " SID1622 "	# "EXPERIMENTAL FTP RNFR ././ attempt" nocase-ignored nocase-ignored classtype:misc-attack sid:1622
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "MODE " --string !"A" --string !"S" --string !"C" -j LOG --log-prefix " SID1623 "	# "EXPERIMENTAL FTP invalid MODE" nocase-ignored nocase-ignored nocase-ignored nocase-ignored classtype:protocol-command-decode sid:1623
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "PWD" -j LOG --log-prefix " SID1624 "	#Cannot convert: dsize:10	 "EXPERIMENTAL FTP large PWD command" nocase-ignored classtype:protocol-command-decode sid:1624
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "SYST" -j LOG --log-prefix " SID1625 "	#Cannot convert: dsize:10	 "EXPERIMENTAL FTP large SYST command" nocase-ignored classtype:protocol-command-decode sid:1625
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "%p" -j LOG --log-prefix " SID1530 "	# "EXPERIMENTAL FTP format string attempt" nocase-ignored classtype:attempted-admin sid:1530
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 119 --tcp-flags ACK ACK -m string --string "AUTHINFO USER " -j LOG --log-prefix " SID1538 "	#Cannot convert: dsize:>500	 "EXPERIMENTAL NNTP AUTHINFO USER overflow attempt" nocase-ignored cve,CAN-2000-0341 classtype:attempted-admin sid:1538
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "?Mode=debug" -j LOG --log-prefix " SID1540 "	# "EXPERIMENTAL WEB-COLDFUSION ?Mode=debug attempt" nocase-ignored classtype:web-application-activity sid:1540
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 --tcp-flags ACK ACK -m string --string "version" -j LOG --log-prefix " SID1541 "	# "EXPERIMENTAL FINGER version query" classtype:attempted-recon sid:1541
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/exec/show/config/cr" -j LOG --log-prefix " SID1544 "	# "EXPERIMENTAL WEB-MISC Cisco Catalyst command execution attempt" nocase-ignored cve,CAN-2000-0945 classtype:web-application-activity sid:1544
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "" -j LOG --log-prefix " SID1545 "	#Cannot convert: dsize:1	 "EXPERIMENTAL DOS cisco attempt" classtype:misc-attack sid:1545
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/%%" -j LOG --log-prefix " SID1546 "	# "EXPERIMENTAL WEB-MISC cisco /%% DOS attempt" classtype:web-application-attack sid:1546
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "HELO " -j LOG --log-prefix " SID1549 "	#Cannot convert: dsize:>500	 "EXPERIMENTAL SMTP HELO overflow attempt" cve,CVE-2000-0042 classtype:attempted-admin sid:1549
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "ETRN " -j LOG --log-prefix " SID1550 "	#Cannot convert: dsize:>500	 "EXPERIMENTAL SMTP ETRN overflow attempt" cve,CAN-2000-0490 classtype:attempted-admin sid:1550
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/CVS/Entries" -j LOG --log-prefix " SID1551 "	# "EXPERIMENTAL WEB-MISC /CVS/Entries access" classtype:web-application-activity sid:1551
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/cvsweb/version" -j LOG --log-prefix " SID1552 "	# "EXPERIMENTAL WEB-MISC cvsweb version access" cve,CAN-2000-0670 classtype:web-application-activity sid:1552
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 8080 --tcp-flags ACK ACK -m string --string "whois://" -j LOG --log-prefix " SID1558 "	# "EXPERIMENTAL WEB-MISC Delegate whois overflow attempt" nocase-ignored cve,CVE-2000-0165 classtype:web-application-activity sid:1558
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/doc/packages" -j LOG --log-prefix " SID1559 "	# "EXPERIMENTAL WEB-MISC /doc/packages access" nocase-ignored classtype:web-application-activity sid:1559
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/doc/" -j LOG --log-prefix " SID1560 "	# "EXPERIMENTAL WEB-MISC /doc/ access" nocase-ignored cve,CVE-1999-0678 bugtraq,318 classtype:web-application-activity sid:1560
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "?open" -j LOG --log-prefix " SID1561 "	# "EXPERIMENTAL WEB-MISC ?open access" nocase-ignored classtype:web-application-activity sid:1561
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "USER " -j LOG --log-prefix " SID1562 "	#Cannot convert: dsize:>500	 "EXPERIMENTAL FTP SITE CHOWN overflow attempt" nocase-ignored cve,CAN-2000-0479 classtype:attempted-admin sid:1562
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/login.htm?password=" -j LOG --log-prefix " SID1563 "	# "EXPERIMENTAL WEB-MISC login.htm attempt" nocase-ignored cve,CAN-1999-1533 classtype:web-application-activity sid:1563
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/login.htm" -j LOG --log-prefix " SID1564 "	# "EXPERIMENTAL WEB-MISC login.htm access" nocase-ignored cve,CAN-1999-1533 classtype:web-application-activity sid:1564
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/exchange/root.asp?acs=anon" -j LOG --log-prefix " SID1567 "	# "EXPERIMENTAL WEB-MISC /exchange/root.asp attempt" nocase-ignored classtype:web-application-attack sid:1567
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/exchange/root.asp" -j LOG --log-prefix " SID1568 "	# "EXPERIMENTAL WEB-MISC /exchange/root.asp access" nocase-ignored classtype:web-application-activity sid:1568
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "CWD " --string "~root" -j LOG --log-prefix " SID1596 "	# "EXPERIMENTAL FTP CWD ~root attempt" nocase-ignored classtype:attempted-recon sid:1596
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "DELETE " -j LOG --log-prefix " SID1603 "	# "EXPERIMENTAL WEB-MISC DELETE attempt" nocase-ignored classtype:web-application-activity sid:1603
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 4080 --tcp-flags ACK ACK -m string --string "/../../" -j LOG --log-prefix " SID1604 "	# "EXPERIMENTAL WEB-MISC iChat directory traversal attempt" classtype:web-application-activity cve,CAN-1999-0897 sid:1604
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 6004 --tcp-flags ACK ACK -m string --string "ÿÿÿÿÿÿ" -j LOG --log-prefix " SID1605 "	# "EXPERIMENTAL MISC iParty DOS attempt" classtype:misc-attack cve,CAN-1999-1566 sid:1605
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string ".asp" --string "Transfer-Encoding: " --string " chunked" -j LOG --log-prefix " SID1618 "	# "EXPERIMENTAL WEB-IIS Transfer-Encoding: chunked" nocase-ignored nocase-ignored nocase-ignored classtype:web-application-attack bugtraq,4474 cve,CAN-2002-0079 sid:1618
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ACK ACK -m string --string "/StoreCSVS/InstantOrder.asmx" -j LOG --log-prefix " SID1626 "	# "EXPERIMENTAL WEB-IIS /StoreCSVS/InstantOrder.asmx request" nocase-ignored classtype:web-application-activity sid:1626
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "g" -m state --state ESTABLISHED --tcp-flags ACK ACK -j LOG --log-prefix " SID1629 "	# "EXPERIMENTAL MISC SecureNetPro traffic" classtype:bad-unknown sid:1629
iptables -A SnortRules -p tcp -s $HOME_NET -d [64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24] --tcp-flags ACK ACK -m string --string "*" -j LOG --log-prefix " SID1631 "	# "MISC AIM login" classtype:policy-violation sid:1631
iptables -A SnortRules -p tcp -s $HOME_NET -d [64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24] --tcp-flags ACK ACK -m string --string "*" --string "" -j LOG --log-prefix " SID1632 "	# "MISC AIM send message" classtype:policy-violation sid:1632
iptables -A SnortRules -p tcp -s [64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24] -d $HOME_NET -m string --string "*" --string "" -j LOG --log-prefix " SID1633 "	# "MISC AIM recieve message" classtype:policy-violation sid:1633
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 110 --tcp-flags ACK ACK -m string --string "PASS " -j LOG --log-prefix " SID1634 "	#Cannot convert: dsize:>500	 "EXPERIMENTAL POP3 PASS overflow attempt" nocase-ignored cve,CAN-1999-1511 classtype:attempted-admin sid:1634
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 110 --tcp-flags ACK ACK -m string --string "APOP " -j LOG --log-prefix " SID1635 "	#Cannot convert: dsize:>500	 "EXPERIMENTAL POP3 APOP overflow attempt" nocase-ignored cve,CAN-2000-0841 classtype:attempted-admin sid:1635
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32000 --tcp-flags ACK ACK -m string --string "Username: " -j LOG --log-prefix " SID1636 "	#Cannot convert: dsize:>500	 "MISC Xtramail Username overflow attempt" nocase-ignored cve,CAN-1999-1511 bugtraq,791 classtype:attempted-admin sid:1636
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 --tcp-flags ACK ACK -m string --string "CWD " -j LOG --log-prefix " SID1630 "	#Cannot convert: dsize:>200	 "EXPERIMENTAL FTP EXPLOIT CWD overflow" nocase-ignored classtype:attempted-admin sid:1630
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 1863 --tcp-flags ACK ACK -m string --string "text/plain" -j LOG --log-prefix " SID540 "	# "INFO MSN chat access" classtype:misc-activity sid:540
#iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "User-Agent:ICQ" -j LOG --log-prefix " SID541 "	#Cannot convert: Sid 541 has unspecified ports and a flow:to_server	 "INFO ICQ access" classtype:misc-activity sid:541
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 6666:7000 --tcp-flags ACK ACK -m string --string "NICK " -j LOG --log-prefix " SID542 "	# "INFO Possible IRC Access" classtype:misc-activity sid:542
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 6666:7000 --tcp-flags ACK ACK -m string --string "PRIVMSG " -j LOG --log-prefix " SID1463 "	# "INFO IRC message" nocase-ignored classtype:misc-activity sid:1463
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 80 --tcp-flags ACK ACK -m string --string "User-Agent: Quicktime" -j LOG --log-prefix " SID1436 "	# "MULTIMEDIA Quicktime User Agent access" classtype:policy-violation sid:1436
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET --tcp-flags ACK ACK -m string --string "Content-type: audio/x-ms-wmarn" -j LOG --log-prefix " SID1437 "	# "MULTIMEDIA Windows Media audio download" classtype:policy-violation sid:1437
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET --tcp-flags ACK ACK -m string --string "Content-type: video/x-ms-asfrn" -j LOG --log-prefix " SID1438 "	# "MULTIMEDIA Windows Media Video download" classtype:policy-violation sid:1438
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET --tcp-flags ACK ACK -m string --string "Content-type: audio/x-scplsrn" -j LOG --log-prefix " SID1439 "	# "MULTIMEDIA Shoutcast playlist redirection" classtype:policy-violation sid:1439
iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET --tcp-flags ACK ACK -m string --string "Content-type: audio/x-mpegurlrn" -j LOG --log-prefix " SID1440 "	# "MULTIMEDIA Icecast playlist redirection" classtype:policy-violation sid:1440
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 8888 --tcp-flags ACK ACK -m string --string "" -j LOG --log-prefix " SID549 "	# "P2P napster login" classtype:misc-activity sid:549
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 8888 --tcp-flags ACK ACK -m string --string "" -j LOG --log-prefix " SID550 "	# "P2P napster new user login" classtype:misc-activity sid:550
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 8888 --tcp-flags ACK ACK -m string --string "Ë" -j LOG --log-prefix " SID551 "	# "P2P napster download attempt" classtype:misc-activity sid:551
#iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 8888 -d $HOME_NET --tcp-flags ACK ACK -m string --string "_" -j LOG --log-prefix " SID552 "	#Cannot convert: Sid 552 is too vague for a flow:from_server	 "P2P napster upload request" classtype:misc-activity sid:552
#iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport ! 80 --tcp-flags ACK ACK -m string --string "GET " -j LOG --log-prefix " SID1432 "	#Cannot convert: Sid 1432 has unspecified ports and a flow:to_server	 "P2P GNUTella GET" classtype:misc-activity sid:1432
#iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "GNUTELLA CONNECT" -j LOG --log-prefix " SID556 "	#Cannot convert: Sid 556 has unspecified ports and a flow:to_server	 "P2P Outbound GNUTella client request" classtype:misc-activity sid:556
#iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --tcp-flags ACK ACK -m string --string "GNUTELLA OK" -j LOG --log-prefix " SID557 "	#Cannot convert: Sid 557 has unspecified ports and a flow:to_server	 "P2P GNUTella client request" classtype:misc-activity sid:557
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 6699 --tcp-flags ACK ACK -m state --state ESTABLISHED -m string --string ".mp3" -j LOG --log-prefix " SID561 "	# "P2P Napster Client Data" nocase-ignored classtype:misc-activity sid:561
iptables -A SnortRules -p tcp -d $HOME_NET -s $EXTERNAL_NET --sport 6699 --tcp-flags ACK ACK -m state --state ESTABLISHED -m string --string ".mp3" -j LOG --log-prefix " SID561 "	# "P2P Napster Client Data" nocase-ignored classtype:misc-activity sid:561
#iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 7777 --tcp-flags ACK ACK -m string --string ".mp3" -j LOG --log-prefix " SID562 "	#Cannot convert: Sid 562 has unspecified ports and a flow:to_server	 "P2P Napster Client Data" nocase-ignored classtype:misc-activity sid:562
#iptables -A SnortRules -p tcp -d $HOME_NET -s $EXTERNAL_NET --sport 7777 --tcp-flags ACK ACK -m string --string ".mp3" -j LOG --log-prefix " SID562 "	#Cannot convert: Sid 562 has unspecified ports and a flow:to_server	 "P2P Napster Client Data" nocase-ignored classtype:misc-activity sid:562
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 6666 --tcp-flags ACK ACK -m state --state ESTABLISHED -m string --string ".mp3" -j LOG --log-prefix " SID563 "	# "P2P Napster Client Data" nocase-ignored classtype:misc-activity sid:563
iptables -A SnortRules -p tcp -d $HOME_NET -s $EXTERNAL_NET --sport 6666 --tcp-flags ACK ACK -m state --state ESTABLISHED -m string --string ".mp3" -j LOG --log-prefix " SID563 "	# "P2P Napster Client Data" nocase-ignored classtype:misc-activity sid:563
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 5555 --tcp-flags ACK ACK -m state --state ESTABLISHED -m string --string ".mp3" -j LOG --log-prefix " SID564 "	# "P2P Napster Client Data" nocase-ignored classtype:misc-activity sid:564
iptables -A SnortRules -p tcp -d $HOME_NET -s $EXTERNAL_NET --sport 5555 --tcp-flags ACK ACK -m state --state ESTABLISHED -m string --string ".mp3" -j LOG --log-prefix " SID564 "	# "P2P Napster Client Data" nocase-ignored classtype:misc-activity sid:564
iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 8875 --tcp-flags ACK ACK -m state --state ESTABLISHED -m string --string "anon@napster.com" -j LOG --log-prefix " SID565 "	# "P2P Napster Server Login" classtype:misc-activity sid:565
iptables -A SnortRules -p tcp -d $HOME_NET -s $EXTERNAL_NET --sport 8875 --tcp-flags ACK ACK -m state --state ESTABLISHED -m string --string "anon@napster.com" -j LOG --log-prefix " SID565 "	# "P2P Napster Server Login" classtype:misc-activity sid:565
iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 1214 --tcp-flags ACK ACK -m string --string "GET " -j LOG --log-prefix " SID1383 "	# "P2P Fastrack (kazaa/morpheus) GET request" url,www.musiccity.com/technology.htm url,www.kazaa.com classtype:protocol-command-decode sid:1383