HOME_NET=0/0 EXTERNAL_NET=0/0 DNS_SERVERS=$HOME_NET SMTP_SERVERS=$HOME_NET HTTP_SERVERS=$HOME_NET SQL_SERVERS=$HOME_NET TELNET_SERVERS=$HOME_NET SNMP_SERVERS=$HOME_NET HTTP_PORTS=80 SHELLCODE_PORTS='! 80' ORACLE_PORTS=1521 AIM_SERVERS=[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24] iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 0 -j LOG --log-prefix " SID524 " # "BAD-TRAFFIC tcp port 0 traffic" classtype:misc-activity sid:524 iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --sport 0 -j LOG --log-prefix " SID524 " # "BAD-TRAFFIC tcp port 0 traffic" classtype:misc-activity sid:524 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 0 -j LOG --log-prefix " SID525 " # "BAD-TRAFFIC udp port 0 traffic" cve,CVE-1999-0675 nessus,10074 classtype:misc-activity sid:525 iptables -A SnortRules -p udp -d $EXTERNAL_NET -s $HOME_NET --sport 0 -j LOG --log-prefix " SID525 " # "BAD-TRAFFIC udp port 0 traffic" cve,CVE-1999-0675 nessus,10074 classtype:misc-activity sid:525 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL SYN -j LOG --log-prefix " SID526 " #Cannot convert: Flag1 Flag2 dsize:>6 "BAD-TRAFFIC data in TCP SYN packet" url,www.cert.org/incident_notes/IN-99-07.html sid:526 classtype:misc-activity iptables -A SnortRules -d 127.0.0.0/8 -j LOG --log-prefix " SID528 " # "BAD-TRAFFIC loopback traffic" classtype:bad-unknown url,rr.sans.org/firewall/egress.php sid:528 iptables -A SnortRules -s 127.0.0.0/8 -j LOG --log-prefix " SID528 " # "BAD-TRAFFIC loopback traffic" classtype:bad-unknown url,rr.sans.org/firewall/egress.php sid:528 #iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -j LOG --log-prefix " SID523 " #Cannot convert: fragbits:R "BAD-TRAFFIC ip reserved bit set" sid:523 classtype:misc-activity #iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m ttl --ttl-eq 0 -j LOG --log-prefix " SID1321 " #Cannot convert: EN-US q138268 "BAD-TRAFFIC 0 ttl" url,www.isi.edu/in-notes/rfc1122.txt url,support.microsoft.com/default.aspx?scid=kb sid:1321 classtype:misc-activity #iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -j LOG --log-prefix " SID1322 " #Cannot convert: fragbits:MD "BAD-TRAFFIC bad frag bits" sid:1322 classtype:misc-activity iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET --proto ip_proto:>134 -j LOG --log-prefix " SID1627 " # "BAD-TRAFFIC Unassigned/Reserved IP protocol" url,www.iana.org/assignments/protocol-numbers classtype:non-standard-protocol sid:1627 iptables -A SnortRules -p tcp -d 232.0.0.0/8 --tcp-flags SYN SYN -j LOG --log-prefix " SID1431 " # "BAD-TRAFFIC syn to multicast address" classtype:bad-unknown sid:1431 iptables -A SnortRules -p tcp -d 233.0.0.0/8 --tcp-flags SYN SYN -j LOG --log-prefix " SID1431 " # "BAD-TRAFFIC syn to multicast address" classtype:bad-unknown sid:1431 iptables -A SnortRules -p tcp -d 239.0.0.0/8 --tcp-flags SYN SYN -j LOG --log-prefix " SID1431 " # "BAD-TRAFFIC syn to multicast address" classtype:bad-unknown sid:1431 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 22 -m string --string "/bin/sh" -j LOG --log-prefix " SID1324 " # "EXPLOIT ssh CRC32 overflow /bin/sh" bugtraq,2347 cve,CVE-2001-0144 classtype:shellcode-detect sid:1324 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 22 -m string --string "" -j LOG --log-prefix " SID1326 " # "EXPLOIT ssh CRC32 overflow NOOP" bugtraq,2347 cve,CVE-2001-0144 classtype:shellcode-detect sid:1326 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 22 -m string --string "W" --string "ÿÿÿÿ" -j LOG --log-prefix " SID1327 " # "EXPLOIT ssh CRC32 overflow" bugtraq,2347 cve,CVE-2001-0144 classtype:shellcode-detect sid:1327 iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 80 -d $HOME_NET -m string --string "3ɱ?éQ<úG3ÀP÷ÐP" -j LOG --log-prefix " SID283 " # "EXPLOIT Netscape 4.7 client overflow" cve,CVE-2000-1187 bugtraq,822 arachnids,215 classtype:attempted-user sid:283 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 2766 -m string --string "ë#^3ÀˆFú‰Fõ‰6" -j LOG --log-prefix " SID300 " # "EXPLOIT nlps x86 Solaris overflow" classtype:attempted-admin sid:300 bugtraq,2319 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 515 -m string --string "C‰[K‰C ° Í€1ÀþÀÍ€è”ÿÿÿ/bin/sh" -j LOG --log-prefix " SID301 " # "EXPLOIT LPRng overflow" cve,CVE-2000-0917 bugtraq,1712 classtype:attempted-admin sid:301 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 515 -m string --string "XXXX%.172u%300\$n" -j LOG --log-prefix " SID302 " # "EXPLOIT Redhat 7.0 lprd overflow" classtype:attempted-admin sid:302 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 6373 -m string --string "ë]UþM˜þM›" -j LOG --log-prefix " SID304 " # "EXPLOIT SCO calserver overflow" cve,CVE-2000-0306 bugtraq,2353 classtype:attempted-admin sid:304 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 8080 -m string --string "whois://" -j LOG --log-prefix " SID305 " #Cannot convert: dsize: >1000 "EXPLOIT delegate proxy overflow" nocase-ignored arachnids,267 classtype:attempted-admin sid:305 bugtraq,808 cve,CVE-2000-0165 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 9090 -m string --string "GET / HTTP/1.1" -j LOG --log-prefix " SID306 " # "EXPLOIT VQServer admin" nocase-ignored bugtraq,1610 url,www.vqsoft.com/vq/server/docs/other/control.html cve,CAN-2000-0766 classtype:attempted-admin sid:306 iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 21 -d $HOME_NET -m string --string "´ ´‹Ìƒé‹3Éf¹" -j LOG --log-prefix " SID308 " # "EXPLOIT NextFTP client overflow" bugtraq,572 cve,CVE-1999-0671 classtype:attempted-user sid:308 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP_SERVERS --dport 25 --tcp-flags ACK ACK -m string --string "from:" -j LOG --log-prefix " SID309 " #Cannot convert: dsize: >512 "EXPLOIT sniffit overflow" nocase-ignored bugtraq,1158 cve,CAN-2000-0343 arachnids,273 classtype:attempted-admin sid:309 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $SMTP_SERVERS --dport 25 -m string --string "ëEë [ü3ɱ‚‹ó€+" -j LOG --log-prefix " SID310 " # "EXPLOIT x86 windows MailMax overflow" bugtraq,2312 cve,CVE-1999-0404 classtype:attempted-admin sid:310 iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --dport 80 -m string --string "3ɱ?éQ<úG3ÀP÷ÐP" -j LOG --log-prefix " SID311 " # "EXPLOIT Netscape 4.7 unsucessful overflow" cve,CVE-2000-1187 bugtraq,822 arachnids,214 classtype:unsuccessful-user sid:311 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 123 -j LOG --log-prefix " SID312 " #Cannot convert: dsize: >128 "EXPLOIT ntpdx overflow attempt" arachnids,492 bugtraq,2540 classtype:attempted-admin sid:312 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 518 -m string --string "è" -j LOG --log-prefix " SID313 " # "EXPLOIT ntalkd x86 Linux overflow" bugtraq,210 classtype:attempted-admin sid:313 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 635 -m string --string "^°‰þȉF°‰F" -j LOG --log-prefix " SID315 " # "EXPLOIT x86 Linux mountd overflow" cve,CVE-1999-0002 bugtraq,121 classtype:attempted-admin sid:315 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 635 -m string --string "ëV^VVV1ÒˆV ˆV" -j LOG --log-prefix " SID316 " # "EXPLOIT x86 Linux mountd overflow" cve,CVE-1999-0002 bugtraq,121 classtype:attempted-admin sid:316 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 635 -m string --string "ë@^1À@‰F‰Ã@‰" -j LOG --log-prefix " SID317 " # "EXPLOIT x86 Linux mountd overflow" cve,CVE-1999-0002 bugtraq,121 classtype:attempted-admin sid:317 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 2224 -m string --string "1ÛÍ€è[ÿÿÿ" -j LOG --log-prefix " SID1240 " # "EXPLOIT MDBMS overflow" bugtraq,1252 cve,CVE-2000-0446 classtype:attempted-admin sid:1240 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 4242 -m string --string "ÿûxÿûxÿûxÿûx" --string "@ŠÿÈ@‚ÿØ;6þ;vþ" -j LOG --log-prefix " SID1261 " #Cannot convert: dsize:>1000 "EXPLOIT AIX pdnsd overflow" cve,CVE-1999-0745 bugtraq,3237 classtype:attempted-user sid:1261 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 4321 -m string --string "-soa %p" -j LOG --log-prefix " SID1323 " # "EXPLOIT rwhoisd format string attempt" cve,CAN-2001-0838 bugtraq,3474 classtype:misc-attack sid:1323 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 6112 -m string --string "1" --string !"000" -j LOG --log-prefix " SID1398 " # "EXPLOIT CDE dtspcd exploit attempt" cve,CAN-2001-0803 url,www.cert.org/advisories/CA-2002-01.html classtype:misc-attack sid:1398 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32772:34000 -m string --string "‡†" -j LOG --log-prefix " SID1751 " #Cannot convert: dsize:>720 "EXPLOIT cachefsd buffer overflow attempt" classtype:misc-attack cve,CAN-2002-0084 bugtraq,4631 sid:1751 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 749 -m string --string "ÀÀÀÀ" -j LOG --log-prefix " SID1894 " # "EXPLOIT kadmind buffer overflow attempt" cve,CAN-2002-1235 url,www.kb.cert.org/vuls/id/875073 classtype:shellcode-detect sid:1894 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 751 -m string --string "ÀÀÀÀ" -j LOG --log-prefix " SID1895 " # "EXPLOIT kadmind buffer overflow attempt" cve,CAN-2002-1235 url,www.kb.cert.org/vuls/id/875073 classtype:shellcode-detect sid:1895 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 749 -m string --string "ÿÿKADM0.0Aû" -j LOG --log-prefix " SID1896 " # "EXPLOIT kadmind buffer overflow attempt" cve,CAN-2002-1235 url,www.kb.cert.org/vuls/id/875073 classtype:shellcode-detect sid:1896 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 751 -m string --string "ÿÿKADM0.0Aû" -j LOG --log-prefix " SID1897 " # "EXPLOIT kadmind buffer overflow attempt" cve,CAN-2002-1235 url,www.kb.cert.org/vuls/id/875073 classtype:shellcode-detect sid:1897 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 749 -m string --string "/shh//bi" -j LOG --log-prefix " SID1898 " # "EXPLOIT kadmind buffer overflow attempt" cve,CAN-2002-1235 url,www.kb.cert.org/vuls/id/875073 classtype:shellcode-detect sid:1898 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 751 -m string --string "/shh//bi" -j LOG --log-prefix " SID1899 " # "EXPLOIT kadmind buffer overflow attempt" cve,CAN-2002-1235 url,www.kb.cert.org/vuls/id/875073 classtype:shellcode-detect sid:1899 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 22 -m string --string "GOBBLES" -j LOG --log-prefix " SID1812 " # "EXPLOIT gobbles SSH exploit attempt" bugtraq,5093 classtype:misc-attack sid:1812 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 515 -m string --string "psfile=\"\`" -j LOG --log-prefix " SID1821 " # "EXPLOIT LPD dvips remote command execution attempt" cve,CVE-2001-1002 nessus,11023 classtype:system-call-detect sid:1821 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 22 -d $HOME_NET -m string --string "SSH-" -j LOG --log-prefix " SID1838 " #Cannot convert: isdataat:200,relative pcre:"/^SSH-s[^n]{200}/ism" "EXPLOIT SSH server banner overflow" nocase-ignored bugtraq,5287 classtype:misc-attack sid:1838 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 6666:7000 -m string --string "ëK[S2äƒÃ Kˆ#¸Pw" -j LOG --log-prefix " SID307 " # "EXPLOIT CHAT IRC topic overflow" cve,CVE-1999-0672 bugtraq,573 classtype:attempted-user sid:307 #iptables -A SnortRules -p tcp --dport 6666:7000 -m string --string "PRIVMSG" --string "nickserv" --string "IDENTIFY" -j LOG --log-prefix " SID1382 " #Cannot convert: isdataat:100,relative pcre:"/^PRIVMSGs+nickservs+IDENTIFYs[^n]{100}/smi" "EXPLOIT CHAT IRC Ettercap parse overflow attempt" nocase-ignored nocase-ignored nocase-ignored url,www.bugtraq.org/dev/GOBBLES-12.txt classtype:misc-attack sid:1382 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 139 -m string --string "ë/_ëJ^‰û‰>‰ò" -j LOG --log-prefix " SID292 " # "EXPLOIT x86 Linux samba overflow" bugtraq,1816 cve,CVE-1999-0811 cve,CVE-1999-0182 classtype:attempted-admin sid:292 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET --sport 10101 -d $HOME_NET -m ttl --ttl-gt 220 --tcp-flags ALL SYN -j LOG --log-prefix " SID613 " #Cannot convert: ack: 0 "SCAN myscan" arachnids,439 classtype:attempted-recon sid:613 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 113 -m string --string "VERSION" -j LOG --log-prefix " SID616 " # "SCAN ident version request" arachnids,303 classtype:attempted-recon sid:616 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 80 --tcp-flags ALL FIN,SYN -j LOG --log-prefix " SID619 " #Cannot convert: Flag1 Flag2 dsize: 0 "SCAN cybercop os probe" arachnids,146 classtype:attempted-recon sid:619 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 3128 --tcp-flags ALL SYN -j LOG --log-prefix " SID618 " #Cannot convert: Flag1 Flag2 "SCAN Squid Proxy attempt" classtype:attempted-recon sid:618 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 1080 --tcp-flags ALL SYN -j LOG --log-prefix " SID615 " #Cannot convert: Flag1 Flag2 "SCAN SOCKS Proxy attempt" url,help.undernet.org/proxyscan/ classtype:attempted-recon sid:615 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 8080 --tcp-flags ALL SYN -j LOG --log-prefix " SID620 " #Cannot convert: Flag1 Flag2 "SCAN Proxy Port 8080 attempt" classtype:attempted-recon sid:620 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL FIN -j LOG --log-prefix " SID621 " #Cannot convert: Flag1 Flag2 "SCAN FIN" arachnids,27 classtype:attempted-recon sid:621 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL SYN -j LOG --log-prefix " SID622 " #Cannot convert: seq:1958810375 "SCAN ipEye SYN scan" arachnids,236 classtype:attempted-recon sid:622 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL NONE -j LOG --log-prefix " SID623 " #Cannot convert: seq:0 ack:0 "SCAN NULL" arachnids,4 classtype:attempted-recon sid:623 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL FIN,SYN -j LOG --log-prefix " SID624 " #Cannot convert: Flag1 Flag2 "SCAN SYN FIN" arachnids,198 classtype:attempted-recon sid:624 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL ACK,FIN,PSH,SYN,RST,URG -j LOG --log-prefix " SID625 " #Cannot convert: Flag1 Flag2 "SCAN XMAS" arachnids,144 classtype:attempted-recon sid:625 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL FIN,PSH,URG -j LOG --log-prefix " SID1228 " #Cannot convert: Flag1 Flag2 "SCAN nmap XMAS" arachnids,30 classtype:attempted-recon sid:1228 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL ACK -j LOG --log-prefix " SID628 " #Cannot convert: Flag1 Flag2 ack:0 "SCAN nmap TCP" arachnids,28 classtype:attempted-recon sid:628 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL FIN,PSH,SYN,URG -j LOG --log-prefix " SID629 " # "SCAN nmap fingerprint attempt" arachnids,05 classtype:attempted-recon sid:629 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL FIN,SYN -j LOG --log-prefix " SID630 " #Cannot convert: id: 39426 "SCAN synscan portscan" arachnids,441 classtype:attempted-recon sid:630 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "AAAAAAAAAAAAAAAA" --tcp-flags ALL ACK,PSH -j LOG --log-prefix " SID626 " #Cannot convert: Flag1 Flag2 "SCAN cybercop os PA12 attempt" arachnids,149 classtype:attempted-recon sid:626 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "AAAAAAAAAAAAAAAA" --tcp-flags ALL FIN,SYN,URG -j LOG --log-prefix " SID627 " #Cannot convert: Flag1 Flag2 ack: 0 "SCAN cybercop os SFU12 probe" arachnids,150 classtype:attempted-recon sid:627 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 10080:10081 -m string --string "Amanda" -j LOG --log-prefix " SID634 " # "SCAN Amanda client version request" nocase-ignored classtype:attempted-recon sid:634 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 49 -m string --string "€" -j LOG --log-prefix " SID635 " # "SCAN XTACACS logout" arachnids,408 classtype:bad-unknown sid:635 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 7 -m string --string "cybercop" -j LOG --log-prefix " SID636 " # "SCAN cybercop udp bomb" arachnids,363 classtype:bad-unknown sid:636 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "helpquite" -j LOG --log-prefix " SID637 " # "SCAN Webtrends Scanner UDP Probe" arachnids,308 classtype:attempted-recon sid:637 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 22 -m string --string "Version_Mapper" -j LOG --log-prefix " SID1638 " # "SCAN SSH Version map attempt" nocase-ignored classtype:network-scan sid:1638 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 1900 -m string --string "M-SEARCH " --string "ssdp:discover" -j LOG --log-prefix " SID1917 " # "SCAN UPnP service discover attempt" classtype:network-scan sid:1917 iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "SolarWinds.Net" --icmp-type 8/0 -j LOG --log-prefix " SID1918 " # "SCAN SolarWinds IP scan attempt" classtype:network-scan sid:1918 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "AAAAAAAAAAAAAAAA" --tcp-flags ALL FIN,PSH,SYN -j LOG --log-prefix " SID1133 " #Cannot convert: ack: 0 "SCAN cybercop os probe" arachnids,145 classtype:attempted-recon sid:1133 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 -m string --string "cmd_rootsh" -j LOG --log-prefix " SID320 " # "FINGER cmd_rootsh backdoor attempt" classtype:attempted-admin nessus,10070 cve,CAN-1999-0660 url,www.sans.org/y2k/TFN_toolkit.htm url,www.sans.org/y2k/fingerd.htm sid:320 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 -m string --string "a b c d e f" -j LOG --log-prefix " SID321 " # "FINGER account enumeration attempt" nocase-ignored nessus,10788 classtype:attempted-recon sid:321 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 -m string --string "search" -j LOG --log-prefix " SID322 " # "FINGER search query" cve,CVE-1999-0259 arachnids,375 classtype:attempted-recon sid:322 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 -m string --string "root" -j LOG --log-prefix " SID323 " # "FINGER root query" arachnids,376 classtype:attempted-recon sid:323 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 -m string --string "" -j LOG --log-prefix " SID324 " # "FINGER null request" arachnids,377 classtype:attempted-recon sid:324 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 -m string --string ";" -j LOG --log-prefix " SID326 " #Cannot convert: Can't handle escaped semicolon correctly "FINGER remote command execution attempt" cve,CVE-1999-0150 bugtraq,974 arachnids,379 classtype:attempted-user sid:326 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 -m string --string "|" -j LOG --log-prefix " SID327 " # "FINGER remote command pipe execution attempt" cve,CVE-1999-0152 bugtraq,2220 arachnids,380 classtype:attempted-user sid:327 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 -m string --string "@@" -j LOG --log-prefix " SID328 " # "FINGER bomb attempt" arachnids,381 cve,CAN-1999-0106 classtype:attempted-dos sid:328 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 -m string --string "@" -j LOG --log-prefix " SID330 " # "FINGER redirection attempt" nessus,10073 arachnids,251 cve,CAN-1999-0105 classtype:attempted-recon sid:330 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 -m string --string " " -j LOG --log-prefix " SID331 " # "FINGER cybercop query" arachnids,132 cve,CVE-1999-0612 classtype:attempted-recon sid:331 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 -m string --string "0" -j LOG --log-prefix " SID332 " # "FINGER 0 query" nessus,10069 arachnids,378 arachnids,131 cve,CAN-1999-0197 classtype:attempted-recon sid:332 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 -m string --string "." -j LOG --log-prefix " SID333 " # "FINGER . query" nessus,10072 arachnids,130 cve,CAN-1999-0198 classtype:attempted-recon sid:333 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 79 -m string --string "version" -j LOG --log-prefix " SID1541 " # "FINGER version query" classtype:attempted-recon sid:1541 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "CEL" -j LOG --log-prefix " SID337 " #Cannot convert: isdataat:100,relative pcre:"/^CELs[^n]{100}/smi" "FTP CEL overflow attempt" nocase-ignored bugtraq,679 cve,CVE-1999-0789 arachnids,257 classtype:attempted-admin sid:337 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "CWD" -j LOG --log-prefix " SID1919 " #Cannot convert: isdataat:100,relative pcre:"/^CWDs[^n]{100}/smi" "FTP CWD overflow attempt" nocase-ignored cve,CAN-2000-1035 cve,CAN-2000-1194 cve,CAN-2002-0126 classtype:attempted-admin sid:1919 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "CMD" -j LOG --log-prefix " SID1621 " #Cannot convert: isdataat:100,relative pcre:"/^CMDs[^n]{100}/smi" "FTP CMD overflow attempt" nocase-ignored classtype:attempted-admin sid:1621 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "STAT" -j LOG --log-prefix " SID1379 " #Cannot convert: isdataat:100,relative pcre:"/^STATs[^n]{100}/smi" "FTP STAT overflow attempt" nocase-ignored url,labs.defcom.com/adv/2001/def-2001-31.txt classtype:attempted-admin sid:1379 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "SITE" --string "CHOWN" -j LOG --log-prefix " SID1562 " #Cannot convert: isdataat:100,relative pcre:"/^SITEs+CHOWNs[^n]{100}/smi" "FTP SITE CHOWN overflow attempt" nocase-ignored nocase-ignored cve,CAN-2001-0065 classtype:attempted-admin sid:1562 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "SITE" --string "NEWER" -j LOG --log-prefix " SID1920 " #Cannot convert: isdataat:100,relative pcre:"/^SITEs+NEWERs[^n]{100}/smi" "FTP SITE NEWER overflow attempt" nocase-ignored nocase-ignored cve,CVE-1999-0800 classtype:attempted-admin sid:1920 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "SITE" --string "CPWD" -j LOG --log-prefix " SID1888 " #Cannot convert: isdataat:100,relative pcre:"/^SITEs+CPWDs[^n]{100}/smi" "FTP SITE CPWD overflow attempt" nocase-ignored nocase-ignored bugtraq,5427 cve,CAN-2002-0826 classtype:misc-attack sid:1888 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "SITE" --string "EXEC" --string "%" --string "%" -j LOG --log-prefix " SID1971 " # "FTP SITE EXEC format string attempt" nocase-ignored nocase-ignored classtype:bad-unknown sid:1971 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "SITE" -j LOG --log-prefix " SID1529 " #Cannot convert: isdataat:100,relative pcre:"/^SITEs[^n]{100}/smi" "FTP SITE overflow attempt" nocase-ignored cve,CAN-2001-0755 cve,CAN-2001-0770 cve,CVE-1999-0838 classtype:attempted-admin sid:1529 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "USER" -j LOG --log-prefix " SID1734 " #Cannot convert: Unrecognized flow type to_server,established,no_stream isdataat:100,relative pcre:"/^USERs[^n]{100}/smi" "FTP USER overflow attempt" nocase-ignored bugtraq,4638 cve,CAN-2000-0479 cve,CAN-2000-0656 cve,CAN-2000-1035 cve,CAN-2000-1194 cve,CAN-2001-0794 cve,CAN-2001-0826 cve,CAN-2002-0126 cve,CVE-2000-0943 classtype:attempted-admin sid:1734 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "PASS" -j LOG --log-prefix " SID1972 " #Cannot convert: Unrecognized flow type to_server,established,no_stream isdataat:100,relative pcre:"/^PASSs[^n]{100}/smi" "FTP PASS overflow attempt" nocase-ignored cve,CAN-2000-1035 cve,CAN-2002-0126 classtype:attempted-admin sid:1972 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "RMDIR" -j LOG --log-prefix " SID1942 " #Cannot convert: isdataat:100,relative pcre:"/^RMDIRs[^n]{100}/smi" "FTP RMDIR overflow attempt" nocase-ignored classtype:attempted-admin sid:1942 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "MKD" -j LOG --log-prefix " SID1973 " #Cannot convert: isdataat:100,relative pcre:"/^MKDs[^n]{100}/smi" "FTP MKD overflow attempt" nocase-ignored cve,CAN-1999-0911 bugtraq,612 classtype:attempted-admin sid:1973 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "REST" -j LOG --log-prefix " SID1974 " #Cannot convert: isdataat:100,relative pcre:"/^RESTs[^n]{100}/smi" "FTP REST overflow attempt" nocase-ignored cve,CAN-2001-0826 classtype:attempted-admin sid:1974 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "DELE" -j LOG --log-prefix " SID1975 " #Cannot convert: isdataat:100,relative pcre:"/^DELEs[^n]{100}/smi" "FTP DELE overflow attempt" nocase-ignored cve,CAN-2001-0826 classtype:attempted-admin sid:1975 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "RMD" -j LOG --log-prefix " SID1976 " #Cannot convert: isdataat:100,relative pcre:"/^RMDs[^n]{100}/smi" "FTP RMD overflow attempt" nocase-ignored cve,CAN-2001-0826 classtype:attempted-admin sid:1976 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "MODE" -j LOG --log-prefix " SID1623 " #Cannot convert: pcre:"/^MODEs+[^ABSC]{1}/msi" "FTP invalid MODE" nocase-ignored classtype:protocol-command-decode sid:1623 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "PWD" -j LOG --log-prefix " SID1624 " #Cannot convert: dsize:10 "FTP large PWD command" nocase-ignored classtype:protocol-command-decode sid:1624 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "SYST" -j LOG --log-prefix " SID1625 " #Cannot convert: dsize:10 "FTP large SYST command" nocase-ignored classtype:protocol-command-decode sid:1625 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "CWD" --string "C:\" -j LOG --log-prefix " SID2125 " # "FTP CWD Root directory transversal attempt" nocase-ignored nessus,11677 bugtraq,7674 classtype:protocol-command-decode sid:2125 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "SITE" --string "ZIPCHK" -j LOG --log-prefix " SID1921 " #Cannot convert: isdataat:100,relative pcre:"/^SITEs+ZIPCHKs[^n]{100}/smi" "FTP SITE ZIPCHK overflow attempt" nocase-ignored nocase-ignored cve,CVE-2000-0040 classtype:attempted-admin sid:1921 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "SITE" --string "NEWER" -j LOG --log-prefix " SID1864 " #Cannot convert: pcre:"/^SITEs+NEWER/smi" "FTP SITE NEWER attempt" nocase-ignored nocase-ignored cve,CVE-1999-0880 nessus,10319 classtype:attempted-dos sid:1864 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "SITE" --string "EXEC" -j LOG --log-prefix " SID361 " #Cannot convert: pcre:"/^SITEs+EXEC/smi" "FTP SITE EXEC attempt" nocase-ignored nocase-ignored bugtraq,2241 arachnids,317 classtype:bad-unknown sid:361 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "STAT" --string "*" -j LOG --log-prefix " SID1777 " # "FTP EXPLOIT STAT Makefile.am attack-responses.rules backdoor.rules bad-traffic.rules cgi-bin.list chat.rules ddos.rules deleted.rules dns.rules dos.rules experimental.rules exploit.rules finger.rules ftp.rules icmp-info.rules icmp.rules imap.rules info.rules iptables.cvs.20031124.v0.2.1 local.rules misc.rules multimedia.rules mysql.rules netbios.rules nntp.rules oracle.rules other-ids.rules p2p.rules policy.rules pop2.rules pop3.rules porn.rules rpc.rules rservices.rules scan.rules shellcode.rules smtp.rules snmp.rules snort.conf snort.conf.pristine sql.rules telnet.rules tftp.rules virus.rules web-attacks.rules web-cgi.rules web-client.rules web-coldfusion.rules web-frontpage.rules web-iis.rules web-misc.rules web-php.rules x11.rules dos attempt" nocase-ignored bugtraq,4482 classtype:attempted-dos sid:1777 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "STAT" --string "?" -j LOG --log-prefix " SID1778 " # "FTP EXPLOIT STAT ? dos attempt" nocase-ignored bugtraq,4482 classtype:attempted-dos sid:1778 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string " --use-compress-program" -j LOG --log-prefix " SID362 " # "FTP tar parameters" nocase-ignored bugtraq,2240 arachnids,134 cve,CVE-1999-0202 classtype:bad-unknown sid:362 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "CWD" --string "~root" -j LOG --log-prefix " SID336 " #Cannot convert: pcre:"/^CWDs+~root/smi" "FTP CWD ~root attempt" nocase-ignored nocase-ignored cve,CVE-1999-0082 arachnids,318 classtype:bad-unknown sid:336 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "CWD" --string "..." -j LOG --log-prefix " SID1229 " # "FTP CWD ..." nocase-ignored classtype:bad-unknown sid:1229 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "CWD" -j LOG --log-prefix " SID1672 " #Cannot convert: pcre:"/^CWDs+~/smi" "FTP CWD ~ attempt" cve,CAN-2001-0421 bugtraq,2601 classtype:denial-of-service sid:1672 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string ".%20." -j LOG --log-prefix " SID360 " # "FTP serv-u directory transversal" nocase-ignored bugtraq,2052 cve,CVE-2001-0054 classtype:bad-unknown sid:360 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "~" --string "[" -j LOG --log-prefix " SID1377 " # "FTP wu-ftp bad file completion attempt [" cve,CVE-2001-0550 cve,CAN-2001-0886 bugtraq,3581 classtype:misc-attack sid:1377 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "~" --string "{" -j LOG --log-prefix " SID1378 " # "FTP wu-ftp bad file completion attempt {" cve,CVE-2001-0550 cve,CAN-2001-0886 bugtraq,3581 classtype:misc-attack sid:1378 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "%p" -j LOG --log-prefix " SID1530 " # "FTP format string attempt" nocase-ignored classtype:attempted-admin sid:1530 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "RNFR " --string " ././" -j LOG --log-prefix " SID1622 " # "FTP RNFR ././ attempt" nocase-ignored nocase-ignored classtype:misc-attack sid:1622 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -j LOG --log-prefix " SID1748 " #Cannot convert: Unrecognized flow type to_server,established,no_stream dsize:>100 "FTP command overflow attempt" bugtraq,4638 classtype:protocol-command-decode sid:1748 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "LIST" --string ".." --string ".." -j LOG --log-prefix " SID1992 " # "FTP LIST directory traversal attempt" cve,CVE-2001-0680 bugtraq,2618 nessus,11112 classtype:protocol-command-decode sid:1992 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string ".forward" -j LOG --log-prefix " SID334 " # "FTP .forward" arachnids,319 classtype:suspicious-filename-detect sid:334 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string ".rhosts" -j LOG --log-prefix " SID335 " # "FTP .rhosts" arachnids,328 classtype:suspicious-filename-detect sid:335 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "authorized_keys" -j LOG --log-prefix " SID1927 " # "FTP authorized_keys" classtype:suspicious-filename-detect sid:1927 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "RETR" --string "passwd" -j LOG --log-prefix " SID356 " # "FTP passwd retrieval attempt" nocase-ignored arachnids,213 classtype:suspicious-filename-detect sid:356 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "RETR" --string "shadow" -j LOG --log-prefix " SID1928 " # "FTP shadow retrieval attempt" nocase-ignored classtype:suspicious-filename-detect sid:1928 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "USER" --string "w0rm" -j LOG --log-prefix " SID144 " #Cannot convert: pcre:"/^USERs+w0rm/smi" "FTP ADMw0rm ftp login attempt" nocase-ignored nocase-ignored arachnids,01 sid:144 classtype:suspicious-login iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "PASS ddd@" -j LOG --log-prefix " SID353 " # "FTP adm scan" arachnids,332 classtype:suspicious-login sid:353 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "pass -iss@iss" -j LOG --log-prefix " SID354 " # "FTP iss scan" arachnids,331 classtype:suspicious-login sid:354 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "pass wh00t" -j LOG --log-prefix " SID355 " # "FTP pass wh00t" nocase-ignored arachnids,324 classtype:suspicious-login sid:355 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "pass -cklaus" -j LOG --log-prefix " SID357 " # "FTP piss scan" classtype:suspicious-login sid:357 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "pass -saint" -j LOG --log-prefix " SID358 " # "FTP saint scan" arachnids,330 classtype:suspicious-login sid:358 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "pass -satan" -j LOG --log-prefix " SID359 " # "FTP satan scan" arachnids,329 classtype:suspicious-login sid:359 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "USER" --string "%" --string "%" -j LOG --log-prefix " SID2178 " # "FTP USER format string attempt" nocase-ignored bugtraq,7474 classtype:misc-attack sid:2178 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 21 -m string --string "PASS" --string "%" --string "%" -j LOG --log-prefix " SID2179 " # "FTP PASS format string attempt" nocase-ignored bugtraq,7474 classtype:misc-attack sid:2179 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $TELNET_SERVERS --dport 23 -m string --string " # ®#€î#¿ì‚àÖ%à" -j LOG --log-prefix " SID1430 " # "TELNET Solaris memory mismanagement exploit attempt" classtype:shellcode-detect sid:1430 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $TELNET_SERVERS --dport 23 -m string --string "_RLD" --string "bin/sh" -j LOG --log-prefix " SID711 " # "TELNET SGI telnetd format bug" arachnids,304 classtype:attempted-admin sid:711 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $TELNET_SERVERS --dport 23 -m string --string "ld_library_path" -j LOG --log-prefix " SID712 " # "TELNET ld_library_path" cve,CVE-1999-0073 arachnids,367 classtype:attempted-admin sid:712 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $TELNET_SERVERS --dport 23 -m string --string "ÿóÿóÿóÿóÿó" -j LOG --log-prefix " SID713 " # "TELNET livingston DOS" arachnids,370 classtype:attempted-dos sid:713 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $TELNET_SERVERS --dport 23 -m string --string "resolv_host_conf" -j LOG --log-prefix " SID714 " # "TELNET resolv_host_conf" arachnids,369 classtype:attempted-admin sid:714 iptables -A SnortRules -p tcp -s $TELNET_SERVERS --sport 23 -d $EXTERNAL_NET -m string --string "to su root" -j LOG --log-prefix " SID715 " # "TELNET Attempted SU from wrong group" nocase-ignored classtype:attempted-admin sid:715 iptables -A SnortRules -p tcp -s $TELNET_SERVERS --sport 23 -d $EXTERNAL_NET -m string --string "not on system console" -j LOG --log-prefix " SID717 " # "TELNET not on console" nocase-ignored arachnids,365 classtype:bad-unknown sid:717 iptables -A SnortRules -p tcp -s $TELNET_SERVERS --sport 23 -d $EXTERNAL_NET -m string --string "Login incorrect" -j LOG --log-prefix " SID718 " # "TELNET login incorrect" arachnids,127 classtype:bad-unknown sid:718 iptables -A SnortRules -p tcp -s $TELNET_SERVERS --sport 23 -d $EXTERNAL_NET -m string --string "login: root" -j LOG --log-prefix " SID719 " # "TELNET root login" classtype:suspicious-login sid:719 iptables -A SnortRules -p tcp -s $TELNET_SERVERS --sport 23 -d $EXTERNAL_NET -m string --string " [Yes] ÿþÿý&" -j LOG --log-prefix " SID1252 " # "TELNET bsd telnet exploit response" classtype: attempted-admin bugtraq,3064 cve,CAN-2001-0554 sid:1252 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $TELNET_SERVERS --dport 23 -m string --string "ÿöÿöÿûÿö" -j LOG --log-prefix " SID1253 " #Cannot convert: dsize:>200 "TELNET bsd exploit client finishing" classtype:successful-admin sid:1253 bugtraq,3064 cve,CAN-2001-0554 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $TELNET_SERVERS --dport 23 -m string --string "4Dgifts" -j LOG --log-prefix " SID709 " # "TELNET 4Dgifts SGI account attempt" cve,CAN-1999-0501 classtype:suspicious-login sid:709 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $TELNET_SERVERS --dport 23 -m string --string "OutOfBox" -j LOG --log-prefix " SID710 " # "TELNET EZsetup account attempt" cve,CAN-1999-0501 classtype:suspicious-login sid:710 iptables -A SnortRules -p tcp -s $TELNET_SERVERS --sport 23 -d $EXTERNAL_NET -m string --string "ÿýÿýÿý#ÿý'ÿý\$" -j LOG --log-prefix " SID716 " # "TELNET access" arachnids,08 cve,CAN-1999-0619 classtype:not-suspicious sid:716 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "" -j LOG --log-prefix " SID2093 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,2048,12,relative "RPC portmap proxy integer overflow attempt TCP" cve,CAN-2003-0028 bugtraq,7123 classtype:rpc-portmap-decode sid:2093 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "" -j LOG --log-prefix " SID2092 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,2048,12,relative "RPC portmap proxy integer overflow attempt UDP" classtype:rpc-portmap-decode cve,CAN-2003-0028 bugtraq,7123 sid:2092 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "" -j LOG --log-prefix " SID1922 " # "RPC portmap proxy attempt TCP" classtype:rpc-portmap-decode sid:1922 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "" -j LOG --log-prefix " SID1923 " # "RPC portmap proxy attempt UDP" classtype:rpc-portmap-decode sid:1923 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "" -j LOG --log-prefix " SID1280 " # "RPC portmap listing UDP 111" arachnids,428 classtype:rpc-portmap-decode sid:1280 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "" -j LOG --log-prefix " SID598 " # "RPC portmap listing TCP 111" arachnids,428 classtype:rpc-portmap-decode sid:598 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "" -j LOG --log-prefix " SID1949 " # "RPC portmap SET attempt TCP 111" classtype:rpc-portmap-decode sid:1949 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "" -j LOG --log-prefix " SID1950 " # "RPC portmap SET attempt UDP 111" classtype:rpc-portmap-decode sid:1950 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "" -j LOG --log-prefix " SID2014 " # "RPC portmap UNSET attempt TCP 111" bugtraq,1892 classtype:rpc-portmap-decode sid:2014 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "" -j LOG --log-prefix " SID2015 " # "RPC portmap UNSET attempt UDP 111" bugtraq,1892 classtype:rpc-portmap-decode sid:2015 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771 -m string --string "† " --string "" --string "" -j LOG --log-prefix " SID599 " # "RPC portmap listing TCP 32771" arachnids,429 classtype:rpc-portmap-decode sid:599 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 32771 -m string --string "† " --string "" --string "" -j LOG --log-prefix " SID1281 " # "RPC portmap listing UDP 32771" arachnids,429 classtype:rpc-portmap-decode sid:1281 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "‡‹" --string "" -j LOG --log-prefix " SID1746 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap cachefsd request UDP" cve,CAN-2002-0084 bugtraq,4674 classtype:rpc-portmap-decode sid:1746 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "‡‹" --string "" -j LOG --log-prefix " SID1747 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap cachefsd request TCP" cve,CAN-2002-0084 bugtraq,4674 classtype:rpc-portmap-decode sid:1747 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†¨" --string "" -j LOG --log-prefix " SID1732 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap rwalld request UDP" classtype:rpc-portmap-decode sid:1732 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†¨" --string "" -j LOG --log-prefix " SID1733 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap rwalld request TCP" classtype:rpc-portmap-decode sid:1733 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†÷" --string "" -j LOG --log-prefix " SID575 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap admind request UDP" arachnids,18 classtype:rpc-portmap-decode sid:575 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†÷" --string "" -j LOG --log-prefix " SID1262 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap admind request TCP" arachnids,18 classtype:rpc-portmap-decode sid:1262 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "‡" --string "" -j LOG --log-prefix " SID576 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap amountd request UDP" arachnids,19 classtype:rpc-portmap-decode sid:576 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "‡" --string "" -j LOG --log-prefix " SID1263 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap amountd request TCP" arachnids,19 classtype:rpc-portmap-decode sid:1263 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†º" --string "" -j LOG --log-prefix " SID577 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap bootparam request UDP" cve,CAN-1999-0647 arachnids,16 classtype:rpc-portmap-decode sid:577 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†º" --string "" -j LOG --log-prefix " SID1264 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap bootparam request TCP" cve,CAN-1999-0647 arachnids,16 classtype:rpc-portmap-decode sid:1264 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "‡Ì" --string "" -j LOG --log-prefix " SID580 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap nisd request UDP" arachnids,21 classtype:rpc-portmap-decode sid:580 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "‡Ì" --string "" -j LOG --log-prefix " SID1267 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap nisd request TCP" arachnids,21 classtype:rpc-portmap-decode sid:1267 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "Iñ" --string "" -j LOG --log-prefix " SID581 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap pcnfsd request UDP" arachnids,22 classtype:rpc-portmap-decode sid:581 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "Iñ" --string "" -j LOG --log-prefix " SID1268 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap pcnfsd request TCP" arachnids,22 classtype:rpc-portmap-decode sid:1268 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†±" --string "" -j LOG --log-prefix " SID582 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap rexd request UDP" arachnids,23 classtype:rpc-portmap-decode sid:582 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†±" --string "" -j LOG --log-prefix " SID1269 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap rexd request TCP" arachnids,23 classtype:rpc-portmap-decode sid:1269 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†¢" --string "" -j LOG --log-prefix " SID584 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap rusers request UDP" cve,CVE-1999-0626 arachnids,133 classtype:rpc-portmap-decode sid:584 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†¢" --string "" -j LOG --log-prefix " SID1271 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap rusers request TCP" cve,CVE-1999-0626 arachnids,133 classtype:rpc-portmap-decode sid:1271 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†¢" --string "" --string "" -j LOG --log-prefix " SID612 " # "RPC rusers query UDP" cve,CVE-1999-0626 classtype:attempted-recon sid:612 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†¯" --string "" -j LOG --log-prefix " SID586 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap selection_svc request UDP" arachnids,25 classtype:rpc-portmap-decode sid:586 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†¯" --string "" -j LOG --log-prefix " SID1273 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap selection_svc request TCP" arachnids,25 classtype:rpc-portmap-decode sid:1273 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†¸" --string "" -j LOG --log-prefix " SID587 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap status request UDP" arachnids,15 classtype:rpc-portmap-decode sid:587 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†¸" --string "" -j LOG --log-prefix " SID2016 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap status request TCP" arachnids,15 classtype:rpc-portmap-decode sid:2016 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "‡™" --string "" -j LOG --log-prefix " SID593 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap snmpXdmi request TCP" cve,CAN-2001-0236 url,www.cert.org/advisories/CA-2001-05.html bugtraq,2417 classtype:rpc-portmap-decode sid:593 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "‡™" --string "" -j LOG --log-prefix " SID1279 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap snmpXdmi request UDP" cve,CAN-2001-0236 url,www.cert.org/advisories/CA-2001-05.html bugtraq,2417 classtype:rpc-portmap-decode sid:1279 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "‡™" --string "" --string "" -j LOG --log-prefix " SID569 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,1024,20,relative "RPC snmpXdmi overflow attempt TCP" bugtraq,2417 cve,CAN-2001-0236 url,www.cert.org/advisories/CA-2001-05.html classtype:attempted-admin sid:569 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "‡™" --string "" --string "" -j LOG --log-prefix " SID2045 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,1024,20,relative "RPC snmpXdmi overflow attempt UDP" bugtraq,2417 cve,CAN-2001-0236 url,www.cert.org/advisories/CA-2001-05.html classtype:attempted-admin sid:2045 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "÷u" --string "" -j LOG --log-prefix " SID2017 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap espd request UDP" cve,CAN-2001-0331 classtype:rpc-portmap-decode sid:2017 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "÷u" --string "" -j LOG --log-prefix " SID595 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap espd request TCP" cve,CAN-2001-0331 classtype:rpc-portmap-decode sid:595 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 1024: -m string --string "†¸" --string "" --string "%x %x" --string "" -j LOG --log-prefix " SID1890 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC status GHBN format string attack" bugtraq,1480 cve,CVE-2000-0666 classtype:misc-attack sid:1890 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 1024: -m string --string "†¸" --string "" --string "%x %x" --string "" -j LOG --log-prefix " SID1891 " #Cannot convert: Unrecognized flow type to_server, established byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC status GHBN format string attack" bugtraq,1480 cve,CVE-2000-0666 classtype: misc-attack sid:1891 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†¥" --string "" -j LOG --log-prefix " SID579 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap mountd request UDP" arachnids,13 classtype:rpc-portmap-decode sid:579 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†¥" --string "" -j LOG --log-prefix " SID1266 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap mountd request TCP" arachnids,13 classtype:rpc-portmap-decode sid:1266 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†¥" --string "" --string "" -j LOG --log-prefix " SID574 " # "RPC mountd TCP export request" arachnids,26 classtype:attempted-recon sid:574 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†¥" --string "" --string "" -j LOG --log-prefix " SID1924 " # "RPC mountd UDP export request" arachnids,26 classtype:attempted-recon sid:1924 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†¥" --string "" --string "" -j LOG --log-prefix " SID1925 " # "RPC mountd TCP exportall request" arachnids,26 classtype:attempted-recon sid:1925 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†¥" --string "" --string "" -j LOG --log-prefix " SID1926 " # "RPC mountd UDP exportall request" arachnids,26 classtype:attempted-recon sid:1926 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†¥" --string "" --string "" -j LOG --log-prefix " SID2184 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,1023,0,relative "RPC mountd TCP mount path overflow attempt" sid:2184 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†¥" --string "" --string "" -j LOG --log-prefix " SID2185 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,1023,0,relative "RPC mountd UDP mount path overflow attempt" classtype:misc-attack sid:2185 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†¥" --string "" --string "" -j LOG --log-prefix " SID1951 " # "RPC mountd TCP mount request" classtype:attempted-recon sid:1951 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†¥" --string "" --string "" -j LOG --log-prefix " SID1952 " # "RPC mountd UDP mount request" classtype:attempted-recon sid:1952 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†¥" --string "" --string "" -j LOG --log-prefix " SID2018 " # "RPC mountd TCP dump request" classtype:attempted-recon sid:2018 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†¥" --string "" --string "" -j LOG --log-prefix " SID2019 " # "RPC mountd UDP dump request" classtype:attempted-recon sid:2019 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†¥" --string "" --string "" -j LOG --log-prefix " SID2020 " # "RPC mountd TCP unmount request" classtype:attempted-recon sid:2020 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†¥" --string "" --string "" -j LOG --log-prefix " SID2021 " # "RPC mountd UDP unmount request" classtype:attempted-recon sid:2021 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†¥" --string "" --string "" -j LOG --log-prefix " SID2022 " # "RPC mountd TCP unmountall request" classtype:attempted-recon sid:2022 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†¥" --string "" --string "" -j LOG --log-prefix " SID2023 " # "RPC mountd UDP unmountall request" classtype:attempted-recon sid:2023 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 500: -m string --string "“ó" --string "" --string "" -j LOG --log-prefix " SID1905 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,512,0,relative "RPC AMD UDP amqproc_mount plog overflow attempt" cve,CVE-1999-0704 bugtraq,614 classtype:misc-attack sid:1905 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 500: -m string --string "“ó" --string "" --string "" -j LOG --log-prefix " SID1906 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,512,0,relative "RPC AMD TCP amqproc_mount plog overflow attempt" cve,CVE-1999-0704 bugtraq,614 classtype:misc-attack sid:1906 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 500: -m string --string "“ó" --string " " --string "" -j LOG --log-prefix " SID1953 " # "RPC AMD TCP pid request" classtype:rpc-portmap-decode sid:1953 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 500: -m string --string "“ó" --string " " --string "" -j LOG --log-prefix " SID1954 " # "RPC AMD UDP pid request" classtype:rpc-portmap-decode sid:1954 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 500: -m string --string "“ó" --string "" --string "" -j LOG --log-prefix " SID1955 " # "RPC AMD TCP version request" classtype:rpc-portmap-decode sid:1955 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 500: -m string --string "“ó" --string "" --string "" -j LOG --log-prefix " SID1956 " # "RPC AMD UDP version request" classtype:rpc-portmap-decode sid:1956 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†ä" --string "" -j LOG --log-prefix " SID578 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap cmsd request UDP" arachnids,17 classtype:rpc-portmap-decode sid:578 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†ä" --string "" -j LOG --log-prefix " SID1265 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap cmsd request TCP" arachnids,17 classtype:rpc-portmap-decode sid:1265 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†ä" --string "" --string "" -j LOG --log-prefix " SID1907 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,1024,0,relative "RPC CMSD UDP CMSD_CREATE buffer overflow attempt" cve,CVE-1999-0696 bugtraq,524 classtype:attempted-admin sid:1907 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†ä" --string "" --string "" -j LOG --log-prefix " SID1908 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,1024,0,relative "RPC CMSD TCP CMSD_CREATE buffer overflow attempt" cve,CVE-1999-0696 bugtraq,524 classtype:attempted-admin sid:1908 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†ä" --string "" --string "" -j LOG --log-prefix " SID2094 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,1024,20,relative "RPC CMSD UDP CMSD_CREATE array buffer overflow attempt" cve,CAN-2002-0391 bugtraq,5356 classtype:attempted-admin sid:2094 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†ä" --string "" --string "" -j LOG --log-prefix " SID2095 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,1024,20,relative "RPC CMSD TCP CMSD_CREATE array buffer overflow attempt" cve,CAN-2002-0391 bugtraq,5356 classtype:attempted-admin sid:2095 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†ä" --string "" --string "" -j LOG --log-prefix " SID1909 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_jump:4,0,relative,align byte_test:4,>,1000,28,relative "RPC CMSD TCP CMSD_INSERT buffer overflow attempt" cve,CVE-1999-0696 url,www.cert.org/advisories/CA-99-08-cmsd.html classtype:misc-attack sid:1909 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†ä" --string "" --string "" -j LOG --log-prefix " SID1910 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_jump:4,0,relative,align byte_test:4,>,1000,28,relative "RPC CMSD udp CMSD_INSERT buffer overflow attempt" cve,CVE-1999-0696 url,www.cert.org/advisories/CA-99-08-cmsd.html classtype:misc-attack sid:1910 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "‡ˆ" --string "" -j LOG --log-prefix " SID1272 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap sadmind request TCP" arachnids,20 classtype:rpc-portmap-decode sid:1272 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "‡ˆ" --string "" -j LOG --log-prefix " SID585 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap sadmind request UDP" arachnids,20 classtype:rpc-portmap-decode sid:585 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "‡ˆ" --string "" --string "" -j LOG --log-prefix " SID1911 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_jump:4,124,relative,align byte_jump:4,20,relative,align byte_test:4,>,512,4,relative "RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt" cve,CVE-1999-0977 bugtraq,866 classtype:attempted-admin sid:1911 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "‡ˆ" --string "" --string "" -j LOG --log-prefix " SID1912 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_jump:4,124,relative,align byte_jump:4,20,relative,align byte_test:4,>,512,4,relative "RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt" cve,CVE-1999-0977 bugtraq,866 classtype:attempted-admin sid:1912 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "‡ˆ" --string "" --string "" -j LOG --log-prefix " SID1957 " # "RPC sadmind UDP PING" bugtraq,866 classtype:attempted-admin sid:1957 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "‡ˆ" --string "" --string "" -j LOG --log-prefix " SID1958 " # "RPC sadmind TCP PING" bugtraq,866 classtype:attempted-admin sid:1958 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†¡" --string "" -j LOG --log-prefix " SID583 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap rstatd request UDP" arachnids,10 classtype:rpc-portmap-decode sid:583 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†¡" --string "" -j LOG --log-prefix " SID1270 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap rstatd request TCP" arachnids,10 classtype:rpc-portmap-decode sid:1270 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†¸" --string "" --string "" -j LOG --log-prefix " SID1913 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,100,0,relative "RPC STATD UDP stat mon_name format string exploit attempt" cve,CVE-2000-0666 bugtraq,1480 classtype:attempted-admin sid:1913 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†¸" --string "" --string "" -j LOG --log-prefix " SID1914 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,100,0,relative "RPC STATD TCP stat mon_name format string exploit attempt" cve,CVE-2000-0666 bugtraq,1480 classtype:attempted-admin sid:1914 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†¸" --string "" --string "" -j LOG --log-prefix " SID1915 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,100,0,relative "RPC STATD UDP monitor mon_name format string exploit attempt" cve,CVE-2000-0666 bugtraq,1480 classtype:attempted-admin sid:1915 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†¸" --string "" --string "" -j LOG --log-prefix " SID1916 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,100,0,relative "RPC STATD TCP monitor mon_name format string exploit attempt" cve,CVE-2000-0666 bugtraq,1480 classtype:attempted-admin sid:1916 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†¼" --string "" -j LOG --log-prefix " SID1277 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap ypupdated request UDP" arachnids,125 classtype:rpc-portmap-decode sid:1277 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†¼" --string "" -j LOG --log-prefix " SID591 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap ypupdated request TCP" arachnids,125 classtype:rpc-portmap-decode sid:591 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†¼" --string "" --string " --string "" -j LOG --log-prefix " SID2088 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC ypupdated arbitrary command attempt UDP" classtype:misc-attack sid:2088 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†¼" --string "" --string " --string "" -j LOG --log-prefix " SID2089 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC ypupdated arbitrary command attempt TCP" classtype:misc-attack sid:2089 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†£" --string "" -j LOG --log-prefix " SID1959 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap NFS request UDP" classtype:rpc-portmap-decode sid:1959 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†£" --string "" -j LOG --log-prefix " SID1960 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap NFS request TCP" classtype:rpc-portmap-decode sid:1960 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†«" --string "" -j LOG --log-prefix " SID1961 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap RQUOTA request UDP" classtype:rpc-portmap-decode sid:1961 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†«" --string "" -j LOG --log-prefix " SID1962 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap RQUOTA request TCP" classtype:rpc-portmap-decode sid:1962 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†«" --string "" --string "" -j LOG --log-prefix " SID1963 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,128,0,relative "RPC RQUOTA getquota overflow attempt UDP" cve,CVE-1999-0974 bugtraq,864 classtype:misc-attack sid:1963 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†«" --string "" --string "" -j LOG --log-prefix " SID2024 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,128,0,relative "RPC RQUOTA getquota overflow attempt TCP" cve,CVE-1999-0974 bugtraq,864 classtype:misc-attack sid:2024 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†ó" --string "" -j LOG --log-prefix " SID588 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap ttdbserv request UDP" bugtraq,122 arachnids,24 cve,CAN-2001-0717 cve,CVE-1999-0003 cve,CVE-1999-0687 cve,CAN-1999-1075 url,www.cert.org/advisories/CA-2001-05.html classtype:rpc-portmap-decode sid:588 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†ó" --string "" -j LOG --log-prefix " SID1274 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap ttdbserv request TCP" bugtraq,122 arachnids,24 cve,CAN-2001-0717 cve,CVE-1999-0003 cve,CVE-1999-0687 cve,CAN-1999-1075 url,www.cert.org/advisories/CA-2001-05.html classtype:rpc-portmap-decode sid:1274 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†ó" --string "" --string "" -j LOG --log-prefix " SID1964 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,128,0,relative "RPC tooltalk UDP overflow attempt" cve,CVE-1999-0003 bugtraq,122 classtype:misc-attack sid:1964 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†ó" --string "" --string "" -j LOG --log-prefix " SID1965 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,128,0,relative "RPC tooltalk TCP overflow attempt" cve,CVE-1999-0003 bugtraq,122 classtype:misc-attack sid:1965 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†©" --string "" -j LOG --log-prefix " SID589 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap yppasswd request UDP" arachnids,14 classtype:rpc-portmap-decode sid:589 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†©" --string "" -j LOG --log-prefix " SID1275 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap yppasswd request TCP" arachnids,14 classtype:rpc-portmap-decode sid:1275 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†©" --string "" --string "" -j LOG --log-prefix " SID2027 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,64,0,relative "RPC yppasswd old password overflow attempt UDP" classtype:rpc-portmap-decode sid:2027 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†©" --string "" --string "" -j LOG --log-prefix " SID2028 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,64,0,relative "RPC yppasswd old password overflow attempt TCP" classtype:rpc-portmap-decode sid:2028 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†©" --string "" --string "" -j LOG --log-prefix " SID2025 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_jump:4,0,relative,align byte_test:4,>,64,0,relative "RPC yppasswd username overflow attempt UDP" classtype:rpc-portmap-decode cve,CVE-2001-0779 bugtraq,2763 sid:2025 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†©" --string "" --string "" -j LOG --log-prefix " SID2026 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_jump:4,0,relative,align byte_test:4,>,64,0,relative "RPC yppasswd username overflow attempt TCP" classtype:rpc-portmap-decode cve,CVE-2001-0779 bugtraq,2763 sid:2026 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†©" --string "" --string "" -j LOG --log-prefix " SID2029 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_jump:4,0,relative,align byte_jump:4,0,relative,align byte_test:4,>,64,0,relative "RPC yppasswd new password overflow attempt UDP" classtype:rpc-portmap-decode sid:2029 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†©" --string "" --string "" -j LOG --log-prefix " SID2030 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_jump:4,0,relative,align byte_jump:4,0,relative,align byte_test:4,>,64,0,relative "RPC yppasswd new password overflow attempt TCP" classtype:rpc-portmap-decode sid:2030 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†©" --string "" --string "" -j LOG --log-prefix " SID2031 " # "RPC yppasswd user update UDP" classtype:rpc-portmap-decode sid:2031 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†©" --string "" --string "" -j LOG --log-prefix " SID2032 " # "RPC yppasswd user update TCP" classtype:rpc-portmap-decode sid:2032 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†¤" --string "" -j LOG --log-prefix " SID590 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap ypserv request UDP" bugtraq,6016 bugtraq,5914 cve,CAN-2002-1232 cve,CVE-2000-1042 cve,CVE-2000-1043 arachnids,12 classtype:rpc-portmap-decode sid:590 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†¤" --string "" -j LOG --log-prefix " SID1276 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap ypserv request TCP" bugtraq,6016 bugtraq,5914 cve,CAN-2002-1232 cve,CVE-2000-1042 cve,CVE-2000-1043 arachnids,12 classtype:rpc-portmap-decode sid:1276 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†¤" --string " " --string "" -j LOG --log-prefix " SID2033 " # "RPC ypserv maplist request UDP" bugtraq,6016 bugtraq,5914 cve,CAN-2002-1232 classtype:rpc-portmap-decode sid:2033 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "†¤" --string " " --string "" -j LOG --log-prefix " SID2034 " # "RPC ypserv maplist request TCP" bugtraq,6016 bugtraq,5914 Cve,CAN-2002-1232 classtype:rpc-portmap-decode sid:2034 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string " p" --string "" -j LOG --log-prefix " SID2035 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap network-status-monitor request UDP" classtype:rpc-portmap-decode sid:2035 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string " p" --string "" -j LOG --log-prefix " SID2036 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap network-status-monitor request TCP" classtype:rpc-portmap-decode sid:2036 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string " p" --string "" --string "" -j LOG --log-prefix " SID2037 " # "RPC network-status-monitor mon-callback request UDP" classtype:rpc-portmap-decode sid:2037 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string " p" --string "" --string "" -j LOG --log-prefix " SID2038 " # "RPC network-status-monitor mon-callback request TCP" classtype:rpc-portmap-decode sid:2038 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†µ" --string "" -j LOG --log-prefix " SID2079 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap nlockmgr request UDP" cve,CVE-2000-0508 bugtraq,1372 classtype:rpc-portmap-decode sid:2079 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "†µ" --string "" -j LOG --log-prefix " SID2080 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap nlockmgr request TCP" cve,CVE-2000-0508 bugtraq,1372 classtype:rpc-portmap-decode sid:2080 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "÷h" --string "" -j LOG --log-prefix " SID2081 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap rpc.xfsmd request UDP" cve,CAN-2002-0359 bugtraq,5075 classtype:rpc-portmap-decode sid:2081 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "÷h" --string "" -j LOG --log-prefix " SID2082 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap rpc.xfsmd request TCP" cve,CAN-2002-0359 bugtraq,5075 classtype:rpc-portmap-decode sid:2082 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "÷h" --string " " --string "" -j LOG --log-prefix " SID2083 " # "RPC rpc.xfsmd xfs_export attempt UDP" cve,CAN-2002-0359 bugtraq,5075 classtype:rpc-portmap-decode sid:2083 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "÷h" --string " " --string "" -j LOG --log-prefix " SID2084 " # "RPC rpc.xfsmd xfs_export attempt TCP" cve,CAN-2002-0359 bugtraq,5075 classtype:rpc-portmap-decode sid:2084 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "‡}" --string "" -j LOG --log-prefix " SID2005 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap kcms_server request UDP" cve,CAN-2003-0027 url,www.kb.cert.org/vuls/id/850785 classtype:rpc-portmap-decode sid:2005 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 111 -m string --string "† " --string "" --string "‡}" --string "" -j LOG --log-prefix " SID2006 " #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap kcms_server request TCP" cve,CAN-2003-0027 url,www.kb.cert.org/vuls/id/850785 classtype:rpc-portmap-decode sid:2006 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 32771:34000 -m string --string "‡}" --string "/../" --string "" -j LOG --log-prefix " SID2007 " #Cannot convert: byte_jump:4,20,relative,align byte_jump:4,4,relative,align "RPC kcms_server directory traversal attempt" cve,CAN-2003-0027 url,www.kb.cert.org/vuls/id/850785 classtype:misc-attack sid:2007 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET -m string --string "‡ˆ" --string "" --string "" -j LOG --log-prefix " SID2255 " #Cannot convert: byte_jump:4,8,relative,align "RPC sadmind query with root credentials attempt TCP" classtype:misc-attack sid:2255 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -m string --string "‡ˆ" --string "" --string "" -j LOG --log-prefix " SID2256 " #Cannot convert: byte_jump:4,8,relative,align "RPC sadmind query with root credentials attempt UDP" classtype:misc-attack sid:2256 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 -m string --string "::::::::::::::::" -j LOG --log-prefix " SID601 " # "RSERVICES rlogin LinuxNIS" classtype:bad-unknown sid:601 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 -m string --string "binbin" -j LOG --log-prefix " SID602 " # "RSERVICES rlogin bin" arachnids,384 classtype:attempted-user sid:602 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 -m string --string "echo \" + + \"" -j LOG --log-prefix " SID603 " # "RSERVICES rlogin echo++" arachnids,385 classtype:bad-unknown sid:603 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 -m string --string "-froot" -j LOG --log-prefix " SID604 " # "RSERVICES rsh froot" arachnids,387 classtype:attempted-admin sid:604 iptables -A SnortRules -p tcp -s $HOME_NET --sport 513 -d $EXTERNAL_NET -m string --string "rlogind: Permission denied." -j LOG --log-prefix " SID611 " # "RSERVICES rlogin login failure" arachnids,392 classtype:unsuccessful-user sid:611 iptables -A SnortRules -p tcp -s $HOME_NET --sport 513 -d $EXTERNAL_NET -m string --string "login incorrect" -j LOG --log-prefix " SID605 " # "RSERVICES rlogin login failure" arachnids,393 classtype:unsuccessful-user sid:605 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 513 -m string --string "rootroot" -j LOG --log-prefix " SID606 " # "RSERVICES rlogin root" arachnids,389 classtype:attempted-admin sid:606 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 514 -m string --string "binbin" -j LOG --log-prefix " SID607 " # "RSERVICES rsh bin" arachnids,390 classtype:attempted-user sid:607 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 514 -m string --string "echo \"+ +\"" -j LOG --log-prefix " SID608 " # "RSERVICES rsh echo + +" arachnids,388 classtype:attempted-user sid:608 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 514 -m string --string "-froot" -j LOG --log-prefix " SID609 " # "RSERVICES rsh froot" arachnids,387 classtype:attempted-admin sid:609 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 514 -m string --string "rootroot" -j LOG --log-prefix " SID610 " # "RSERVICES rsh root" arachnids,391 classtype:attempted-admin sid:610 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 512 -m string --string "" --string "" --string "" -j LOG --log-prefix " SID2113 " # "RSERVICES rexec username overflow attempt" classtype:attempted-admin sid:2113 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 512 -m string --string "" --string "" --string "" -j LOG --log-prefix " SID2114 " # "RSERVICES rexec password overflow attempt" classtype:attempted-admin sid:2114 #iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -j LOG --log-prefix " SID268 " #Cannot convert: fragbits: M dsize:408 "DOS Jolt attack" cve,CAN-1999-0345 classtype:attempted-dos sid:268 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET -j LOG --log-prefix " SID270 " #Cannot convert: id:242 fragbits:M "DOS Teardrop attack" cve,CAN-1999-0015 url,www.cert.org/advisories/CA-1997-28.html bugtraq,124 classtype:attempted-dos sid:270 iptables -A SnortRules -p udp --sport 19 --dport 7 -j LOG --log-prefix " SID271 " # "DOS UDP echo+chargen bomb" cve,CAN-1999-0635 cve,CVE-1999-0103 classtype:attempted-dos sid:271 iptables -A SnortRules -p udp --dport 19 --sport 7 -j LOG --log-prefix " SID271 " # "DOS UDP echo+chargen bomb" cve,CAN-1999-0635 cve,CVE-1999-0103 classtype:attempted-dos sid:271 #iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "" --proto ip_proto: 2 -j LOG --log-prefix " SID272 " #Cannot convert: fragbits: M+ "DOS IGMP dos attack" cve,CVE-1999-0918 classtype:attempted-dos sid:272 #iptables -A SnortRules -s $EXTERNAL_NET -d $HOME_NET -m string --string "" --proto ip_proto:2 -j LOG --log-prefix " SID273 " #Cannot convert: fragbits:M+ "DOS IGMP dos attack" cve,CVE-1999-0918 classtype:attempted-dos sid:273 iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "+++ath" --icmp-type 8 -j LOG --log-prefix " SID274 " # "DOS ath" nocase-ignored cve,CAN-1999-1228 arachnids,264 classtype:attempted-dos sid:274 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --tcp-flags ALL SYN -j LOG --log-prefix " SID275 " #Cannot convert: seq: 6060842 id: 413 "DOS NAPTHA" cve,CAN-2000-1039 url,www.microsoft.com/technet/security/bulletin/MS00-091.asp url,www.cert.org/advisories/CA-2000-21.html url,razor.bindview.com/publish/advisories/adv_NAPTHA.html bugtraq,2022 classtype:attempted-dos sid:275 #iptables -A SnortRules -p tcp -d $EXTERNAL_NET -s $HOME_NET --tcp-flags ALL SYN -j LOG --log-prefix " SID275 " #Cannot convert: seq: 6060842 id: 413 "DOS NAPTHA" cve,CAN-2000-1039 url,www.microsoft.com/technet/security/bulletin/MS00-091.asp url,www.cert.org/advisories/CA-2000-21.html url,razor.bindview.com/publish/advisories/adv_NAPTHA.html bugtraq,2022 classtype:attempted-dos sid:275 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 7070 -m string --string "ÿôÿý" -j LOG --log-prefix " SID276 " # "DOS Real Audio Server" bugtraq,1288 cve,CVE-2000-0474 arachnids,411 classtype:attempted-dos sid:276 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 7070 -m string --string "/viewsource/template.html?" -j LOG --log-prefix " SID277 " # "DOS Real Server template.html" nocase-ignored cve,CVE-2000-0474 bugtraq,1288 classtype:attempted-dos sid:277 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 8080 -m string --string "/viewsource/template.html?" -j LOG --log-prefix " SID278 " # "DOS Real Server template.html" nocase-ignored cve,CVE-2000-0474 bugtraq,1288 classtype:attempted-dos sid:278 #iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 161 -j LOG --log-prefix " SID279 " #Cannot convert: dsize:0 "DOS Bay/Nortel Nautica Marlin" bugtraq,1009 cve,CVE-2000-0221 classtype:attempted-dos sid:279 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 9 -m string --string "NAMENAME" -j LOG --log-prefix " SID281 " # "DOS Ascend Route" bugtraq,714 cve,CVE-1999-0060 arachnids,262 classtype:attempted-dos sid:281 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 617 -j LOG --log-prefix " SID282 " #Cannot convert: dsize:>1445 "DOS arkiea backup" bugtraq,662 cve,CVE-1999-0788 arachnids,261 classtype:attempted-dos sid:282 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 135:139 --tcp-flags URG URG -j LOG --log-prefix " SID1257 " # "DOS Winnuke attack" bugtraq,2010 cve,CVE-1999-0153 classtype: attempted-dos sid:1257 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 3372 -j LOG --log-prefix " SID1408 " #Cannot convert: dsize:>1023 "DOS MSDTC attempt" bugtraq,4006 classtype:attempted-dos sid:1408 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 6004 -m string --string "ÿÿÿÿÿÿ" -j LOG --log-prefix " SID1605 " # "DOS iParty DOS attempt" classtype:misc-attack cve,CAN-1999-1566 sid:1605 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 6789:6790 -j LOG --log-prefix " SID1641 " #Cannot convert: dsize:1 "DOS DB2 dos attempt" classtype:denial-of-service sid:1641 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport 80 -m string --string "" -j LOG --log-prefix " SID1545 " #Cannot convert: dsize:1 "DOS Cisco attempt" classtype:web-application-attack sid:1545 #iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 8 -m string --string "1234" -j LOG --log-prefix " SID221 " #Cannot convert: id: 678 "DDOS TFN Probe" arachnids,443 classtype:attempted-recon sid:221 #iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 0 -m string --string "AAAAAAAAAA" -j LOG --log-prefix " SID222 " #Cannot convert: icmp_id: 0 "DDOS tfn2k icmp possible communication" arachnids,425 classtype:attempted-dos sid:222 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 31335 -m string --string "PONG" -j LOG --log-prefix " SID223 " # "DDOS Trin00 Daemon to Master PONG message detected" arachnids,187 classtype:attempted-recon sid:223 #iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 0 -j LOG --log-prefix " SID228 " #Cannot convert: icmp_id: 456 icmp_seq: 0 "DDOS TFN client command BE" arachnids,184 classtype:attempted-dos sid:228 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 20432 -m state --state ESTABLISHED -j LOG --log-prefix " SID230 " # "DDOS shaft client to handler" arachnids,254 classtype:attempted-dos sid:230 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 31335 -m string --string "l44" -j LOG --log-prefix " SID231 " # "DDOS Trin00 Daemon to Master message detected" arachnids,186 classtype:attempted-dos sid:231 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 31335 -m string --string "*HELLO*" -j LOG --log-prefix " SID232 " # "DDOS Trin00 Daemon to Master *HELLO* message detected" arachnids,185 url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm classtype:attempted-dos sid:232 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 27665 -m string --string "betaalmostdone" -j LOG --log-prefix " SID233 " # "DDOS Trin00 Attacker to Master default startup password" arachnids,197 classtype:attempted-dos sid:233 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 27665 -m string --string "gOrave" -j LOG --log-prefix " SID234 " # "DDOS Trin00 Attacker to Master default password" classtype:attempted-dos sid:234 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 27665 -m string --string "killme" -j LOG --log-prefix " SID235 " # "DDOS Trin00 Attacker to Master default mdie password" classtype:bad-unknown sid:235 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 27444 -m string --string "l44adsl" -j LOG --log-prefix " SID237 " # "DDOS Trin00 Master to Daemon default password attempt" arachnids,197 classtype:attempted-dos sid:237 #iptables -A SnortRules -p icmp -s $HOME_NET -d $EXTERNAL_NET --icmp-type 0 -m string --string "shell bound to port" -j LOG --log-prefix " SID238 " #Cannot convert: icmp_id:123 icmp_seq:0 "DDOS TFN server response" arachnids,182 classtype:attempted-dos sid:238 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 18753 -m string --string "alive tijgu" -j LOG --log-prefix " SID239 " # "DDOS shaft handler to agent" arachnids,255 classtype:attempted-dos sid:239 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 20433 -m string --string "alive" -j LOG --log-prefix " SID240 " # "DDOS shaft agent to handler" arachnids,256 classtype:attempted-dos sid:240 #iptables -A SnortRules -p tcp -s $HOME_NET -d $EXTERNAL_NET --tcp-flags ALL SYN -j LOG --log-prefix " SID241 " #Cannot convert: Flag1 Flag2 seq: 674711609 "DDOS shaft synflood" arachnids,253 classtype:attempted-dos sid:241 #iptables -A SnortRules -p tcp -d $HOME_NET -s $EXTERNAL_NET --tcp-flags ALL SYN -j LOG --log-prefix " SID241 " #Cannot convert: Flag1 Flag2 seq: 674711609 "DDOS shaft synflood" arachnids,253 classtype:attempted-dos sid:241 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 6838 -m string --string "newserver" -j LOG --log-prefix " SID243 " # "DDOS mstream agent to handler" classtype:attempted-dos sid:243 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 10498 -m string --string "stream/" -j LOG --log-prefix " SID244 " # "DDOS mstream handler to agent" cve,CAN-2000-0138 classtype:attempted-dos sid:244 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 10498 -m string --string "ping" -j LOG --log-prefix " SID245 " # "DDOS mstream handler ping to agent" cve,CAN-2000-0138 classtype:attempted-dos sid:245 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 10498 -m string --string "pong" -j LOG --log-prefix " SID246 " # "DDOS mstream agent pong to handler" classtype:attempted-dos sid:246 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 12754 -m string --string ">" -j LOG --log-prefix " SID247 " # "DDOS mstream client to handler" cve,CAN-2000-0138 classtype:attempted-dos sid:247 iptables -A SnortRules -p tcp -s $HOME_NET --sport 12754 -d $EXTERNAL_NET -m string --string ">" -j LOG --log-prefix " SID248 " # "DDOS mstream handler to client" cve,CAN-2000-0138 classtype:attempted-dos sid:248 #iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 15104 --tcp-flags ALL SYN -j LOG --log-prefix " SID249 " #Cannot convert: Flag1 Flag2 "DDOS mstream client to handler" arachnids,111 cve,CAN-2000-0138 classtype:attempted-dos sid:249 iptables -A SnortRules -p tcp -s $HOME_NET --sport 15104 -d $EXTERNAL_NET -m string --string ">" -j LOG --log-prefix " SID250 " # "DDOS mstream handler to client" cve,CAN-2000-0138 classtype:attempted-dos sid:250 #iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET --icmp-type 0 -j LOG --log-prefix " SID251 " #Cannot convert: icmp_id: 51201 icmp_seq: 0 "DDOS - TFN client command LE" arachnids,183 classtype:attempted-dos sid:251 #iptables -A SnortRules -p icmp -s 3.3.3.3/32 -d $EXTERNAL_NET --icmp-type 0 -j LOG --log-prefix " SID224 " #Cannot convert: icmp_id: 666 "DDOS Stacheldraht server spoof" arachnids,193 classtype:attempted-dos sid:224 #iptables -A SnortRules -p icmp -s $HOME_NET -d $EXTERNAL_NET -m string --string "sicken" --icmp-type 0 -j LOG --log-prefix " SID225 " #Cannot convert: icmp_id: 669 "DDOS Stacheldraht gag server response" arachnids,195 classtype:attempted-dos sid:225 #iptables -A SnortRules -p icmp -s $HOME_NET -d $EXTERNAL_NET -m string --string "ficken" --icmp-type 0 -j LOG --log-prefix " SID226 " #Cannot convert: icmp_id: 667 "DDOS Stacheldraht server response" arachnids,191 classtype:attempted-dos sid:226 #iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "spoofworks" --icmp-type 0 -j LOG --log-prefix " SID227 " #Cannot convert: icmp_id: 1000 "DDOS Stacheldraht client spoofworks" arachnids,192 classtype:attempted-dos sid:227 #iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "gesundheit!" --icmp-type 0 -j LOG --log-prefix " SID236 " #Cannot convert: icmp_id: 668 "DDOS Stacheldraht client check gag" arachnids,194 classtype:attempted-dos sid:236 #iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "skillz" --icmp-type 0 -j LOG --log-prefix " SID229 " #Cannot convert: icmp_id: 666 "DDOS Stacheldraht client check skillz" arachnids,190 classtype:attempted-dos sid:229 #iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "niggahbitch" --icmp-type 0 -j LOG --log-prefix " SID1854 " #Cannot convert: icmp_id:9015 "DDOS Stacheldraht handler->agent (niggahbitch)" url,staff.washington.edu/dittrich/misc/stacheldraht.analysis classtype:attempted-dos sid:1854 #iptables -A SnortRules -p icmp -d $EXTERNAL_NET -s $HOME_NET -m string --string "niggahbitch" --icmp-type 0 -j LOG --log-prefix " SID1854 " #Cannot convert: icmp_id:9015 "DDOS Stacheldraht handler->agent (niggahbitch)" url,staff.washington.edu/dittrich/misc/stacheldraht.analysis classtype:attempted-dos sid:1854 #iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "skillz" --icmp-type 0 -j LOG --log-prefix " SID1855 " #Cannot convert: icmp_id:6666 "DDOS Stacheldraht agent->handler (skillz)" url,staff.washington.edu/dittrich/misc/stacheldraht.analysis classtype:attempted-dos sid:1855 #iptables -A SnortRules -p icmp -d $EXTERNAL_NET -s $HOME_NET -m string --string "skillz" --icmp-type 0 -j LOG --log-prefix " SID1855 " #Cannot convert: icmp_id:6666 "DDOS Stacheldraht agent->handler (skillz)" url,staff.washington.edu/dittrich/misc/stacheldraht.analysis classtype:attempted-dos sid:1855 #iptables -A SnortRules -p icmp -s $EXTERNAL_NET -d $HOME_NET -m string --string "ficken" --icmp-type 0 -j LOG --log-prefix " SID1856 " #Cannot convert: icmp_id:6667 "DDOS Stacheldraht handler->agent (ficken)" url,staff.washington.edu/dittrich/misc/stacheldraht.analysis classtype:attempted-dos sid:1856 #iptables -A SnortRules -p icmp -d $EXTERNAL_NET -s $HOME_NET -m string --string "ficken" --icmp-type 0 -j LOG --log-prefix " SID1856 " #Cannot convert: icmp_id:6667 "DDOS Stacheldraht handler->agent (ficken)" url,staff.washington.edu/dittrich/misc/stacheldraht.analysis classtype:attempted-dos sid:1856 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "ü" -j LOG --log-prefix " SID255 " # "DNS zone transfer TCP" cve,CAN-1999-0532 arachnids,212 classtype:attempted-recon sid:255 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "ü" -j LOG --log-prefix " SID1948 " # "DNS zone transfer UDP" cve,CAN-1999-0532 arachnids,212 classtype:attempted-recon sid:1948 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "authors" --string "bind" -j LOG --log-prefix " SID1435 " # "DNS named authors attempt" nocase-ignored nocase-ignored nessus,10728 arachnids,480 classtype:attempted-recon sid:1435 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "authors" --string "bind" -j LOG --log-prefix " SID256 " # "DNS named authors attempt" nocase-ignored nocase-ignored nessus,10728 arachnids,480 classtype:attempted-recon sid:256 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "version" --string "bind" -j LOG --log-prefix " SID257 " # "DNS named version attempt" nocase-ignored nocase-ignored nocase-ignored nessus,10028 arachnids,278 classtype:attempted-recon sid:257 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "version" --string "bind" -j LOG --log-prefix " SID1616 " # "DNS named version attempt" nocase-ignored nocase-ignored nessus,10028 arachnids,278 classtype:attempted-recon sid:1616 iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 53 -d $HOME_NET -m string --string "…€" --string "À <" -j LOG --log-prefix " SID253 " # "DNS SPOOF query response PTR with TTL of 1 min. and no authority" classtype:bad-unknown sid:253 iptables -A SnortRules -p udp -s $EXTERNAL_NET --sport 53 -d $HOME_NET -m string --string "€" --string "À <" -j LOG --log-prefix " SID254 " # "DNS SPOOF query response with TTL of 1 min. and no authority" classtype:bad-unknown sid:254 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "../../../" -j LOG --log-prefix " SID258 " # "DNS EXPLOIT named 8.2->8.2.1" cve,CVE-1999-0833 bugtraq,788 classtype:attempted-admin sid:258 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "«Í € a" -j LOG --log-prefix " SID303 " # "DNS EXPLOIT named tsig overflow attempt" cve,CVE-2001-0010 bugtraq,2302 arachnids,482 classtype:attempted-admin sid:303 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "€?" -j LOG --log-prefix " SID314 " # "DNS EXPLOIT named tsig overflow attempt" classtype:attempted-admin sid:314 cve,CVE-2001-0010 bugtraq,2303 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool" -j LOG --log-prefix " SID259 " # "DNS EXPLOIT named overflow (ADM)" cve,CVE-1999-0833 bugtraq,788 classtype:attempted-admin sid:259 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "ADMROCKS" -j LOG --log-prefix " SID260 " # "DNS EXPLOIT named overflow (ADMROCKS)" cve,CVE-1999-0833 url,www.cert.org/advisories/CA-1999-14.html bugtraq,788 classtype:attempted-admin sid:260 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "Í€è×ÿÿÿ/bin/sh" -j LOG --log-prefix " SID261 " # "DNS EXPLOIT named overflow attempt" url,www.cert.org/advisories/CA-1998-05.html classtype:attempted-admin sid:261 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "1À°?1Û³ÿ1ÉÍ€1À" -j LOG --log-prefix " SID262 " # "DNS EXPLOIT x86 Linux overflow attempt" classtype:attempted-admin sid:262 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "1À°Í€…ÀuLëL^°" -j LOG --log-prefix " SID264 " # "DNS EXPLOIT x86 Linux overflow attempt" classtype:attempted-admin sid:264 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "‰÷)ljó‰ù‰ò¬<þ" -j LOG --log-prefix " SID265 " # "DNS EXPLOIT x86 Linux overflow attempt (ADMv2)" classtype:attempted-admin sid:265 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "ën^Æš1ɉNÆF" -j LOG --log-prefix " SID266 " # "DNS EXPLOIT x86 FreeBSD overflow attempt" classtype:attempted-admin sid:266 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HOME_NET --dport 53 -m string --string "À ’ Ð#¿ø" -j LOG --log-prefix " SID267 " # "DNS EXPLOIT sparc overflow attempt" classtype:attempted-admin sid:267 iptables -A SnortRules -p udp --dport 69 -m string --string "" --string !"" -j LOG --log-prefix " SID1941 " # "TFTP filename overflow attempt" cve,CAN-2002-0813 bugtraq,5328 classtype:bad-unknown sid:1941 iptables -A SnortRules -p udp --dport 69 -m string --string "" --string "admin.dll" -j LOG --log-prefix " SID1289 " # "TFTP GET Admin.dll" nocase-ignored classtype:successful-admin url,www.cert.org/advisories/CA-2001-26.html sid:1289 iptables -A SnortRules -p udp --dport 69 -m string --string "" --string "nc.exe" -j LOG --log-prefix " SID1441 " # "TFTP GET nc.exe" nocase-ignored classtype:successful-admin sid:1441 iptables -A SnortRules -p udp --dport 69 -m string --string "" --string "shadow" -j LOG --log-prefix " SID1442 " # "TFTP GET shadow" nocase-ignored classtype:successful-admin sid:1442 iptables -A SnortRules -p udp --dport 69 -m string --string "" --string "passwd" -j LOG --log-prefix " SID1443 " # "TFTP GET passwd" nocase-ignored classtype:successful-admin sid:1443 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 69 -m string --string ".." -j LOG --log-prefix " SID519 " # "TFTP parent directory" cve,CAN-2002-1209 arachnids,137 cve,CVE-1999-0183 classtype:bad-unknown sid:519 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 69 -m string --string "/" -j LOG --log-prefix " SID520 " # "TFTP root directory" arachnids,138 cve,CVE-1999-0183 classtype:bad-unknown sid:520 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 69 -m string --string "" -j LOG --log-prefix " SID518 " # "TFTP Put" cve,CVE-1999-0183 arachnids,148 classtype:bad-unknown sid:518 iptables -A SnortRules -p udp -s $EXTERNAL_NET -d $HOME_NET --dport 69 -m string --string "" -j LOG --log-prefix " SID1444 " # "TFTP Get" classtype:bad-unknown sid:1444 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/hsx.cgi" --string "../../" --string "%00" -j LOG --log-prefix " SID803 " # "WEB-CGI HyperSeek hsx.cgi directory traversal attempt" bugtraq,2314 cve,CAN-2001-0253 classtype:web-application-attack sid:803 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/hsx.cgi" -j LOG --log-prefix " SID1607 " # "WEB-CGI HyperSeek hsx.cgi access" bugtraq,2314 cve,CAN-2001-0253 classtype:web-application-activity sid:1607 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/s.cgi" --string "tmpl=" -j LOG --log-prefix " SID804 " # "WEB-CGI SWSoft ASPSeek Overflow attempt" nocase-ignored cve,CAN-2001-0476 bugtraq,2492 classtype:web-application-attack sid:804 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/wsisa.dll/WService=" --string "WSMadmin" -j LOG --log-prefix " SID805 " # "WEB-CGI webspeed access" nocase-ignored nocase-ignored arachnids,467 cve,CVE-2000-0127 nessus,10304 classtype:attempted-user sid:805 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/YaBB" --string "../" -j LOG --log-prefix " SID806 " # "WEB-CGI yabb directory traversal attempt" nocase-ignored cve,CVE-2000-0853 arachnids,462 bugtraq,1668 classtype:attempted-recon sid:806 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/YaBB" -j LOG --log-prefix " SID1637 " # "WEB-CGI yabb access" nocase-ignored cve,CVE-2000-0853 arachnids,462 bugtraq,1668 classtype:attempted-recon sid:1637 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/wwwboard/passwd.txt" -j LOG --log-prefix " SID807 " # "WEB-CGI /wwwboard/passwd.txt access" nocase-ignored arachnids,463 cve,CVE-1999-0953 nessus,10321 bugtraq,649 classtype:attempted-recon sid:807 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/webdriver" -j LOG --log-prefix " SID808 " # "WEB-CGI webdriver access" nocase-ignored arachnids,473 bugtraq,2166 nessus,10592 classtype:attempted-recon sid:808 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/whois_raw.cgi?" --string "" -j LOG --log-prefix " SID809 " # "WEB-CGI whois_raw.cgi arbitrary command execution attempt" cve,CAN-1999-1063 arachnids,466 nessus,10306 classtype:web-application-attack sid:809 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/whois_raw.cgi" -j LOG --log-prefix " SID810 " # "WEB-CGI whois_raw.cgi access" cve,CAN-1999-1063 arachnids,466 nessus,10306 classtype:attempted-recon sid:810 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string " /HTTP/1." -j LOG --log-prefix " SID811 " # "WEB-CGI websitepro path access" nocase-ignored cve,CAN-2000-0066 arachnids,468 classtype:attempted-recon sid:811 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/webplus?about" -j LOG --log-prefix " SID812 " # "WEB-CGI webplus version access" nocase-ignored cve,CVE-2000-0282 arachnids,470 classtype:attempted-recon sid:812 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/webplus?script" --string "../" -j LOG --log-prefix " SID813 " # "WEB-CGI webplus directory traversal" nocase-ignored cve,CVE-2000-0282 arachnids,471 classtype:web-application-attack sid:813 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/websendmail" -j LOG --log-prefix " SID815 " # "WEB-CGI websendmail access" nocase-ignored cve,CVE-1999-0196 arachnids,469 bugtraq,2077 nessus,10301 classtype:attempted-recon sid:815 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/dcforum.cgi" --string "forum=../.." -j LOG --log-prefix " SID1571 " # "WEB-CGI dcforum.cgi directory traversal attempt" cve,CAN-2001-0436 classtype:web-application-attack sid:1571 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/dcforum.cgi" -j LOG --log-prefix " SID818 " # "WEB-CGI dcforum.cgi access" bugtraq,2728 classtype:attempted-recon sid:818 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/dcboard.cgi" --string "command=register" --string "%7cadmin" -j LOG --log-prefix " SID817 " # "WEB-CGI dcboard.cgi invalid user addition attempt" bugtraq,2728 classtype:web-application-attack sid:817 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/dcboard.cgi" -j LOG --log-prefix " SID1410 " # "WEB-CGI dcboard.cgi access" bugtraq,2728 classtype:attempted-recon sid:1410 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/mmstdod.cgi" -j LOG --log-prefix " SID819 " # "WEB-CGI mmstdod.cgi access" nocase-ignored cve,CVE-2001-0021 classtype:attempted-recon sid:819 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/apexec.pl" --string "template=../" -j LOG --log-prefix " SID820 " # "WEB-CGI anaconda directory transversal attempt" nocase-ignored cve,CVE-2000-0975 bugtraq,2388 classtype:web-application-attack sid:820 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/imagemap.exe?" -j LOG --log-prefix " SID821 " # "WEB-CGI imagemap.exe overflow attempt" nocase-ignored arachnids,412 cve,CVE-1999-0951 classtype:web-application-attack sid:821 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/imagemap.exe" -j LOG --log-prefix " SID1700 " # "WEB-CGI imagemap.exe access" nocase-ignored cve,CVE-1999-0951 arachnids,412 classtype:web-application-activity sid:1700 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/cvsweb.cgi" -j LOG --log-prefix " SID823 " # "WEB-CGI cvsweb.cgi access" nocase-ignored cve,CVE-2000-0670 bugtraq,1469 classtype:attempted-recon sid:823 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/php.cgi" -j LOG --log-prefix " SID824 " # "WEB-CGI php.cgi access" nocase-ignored cve,CAN-1999-0238 bugtraq,2250 arachnids,232 classtype:attempted-recon sid:824 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/glimpse" -j LOG --log-prefix " SID825 " # "WEB-CGI glimpse access" nocase-ignored bugtraq,2026 classtype:attempted-recon sid:825 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/htmlscript?../.." -j LOG --log-prefix " SID1608 " # "WEB-CGI htmlscript attempt" nocase-ignored bugtraq,2001 cve,CVE-1999-0264 classtype:web-application-attack sid:1608 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/htmlscript" -j LOG --log-prefix " SID826 " # "WEB-CGI htmlscript access" nocase-ignored bugtraq,2001 cve,CVE-1999-0264 classtype:attempted-recon sid:826 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/info2www" -j LOG --log-prefix " SID827 " # "WEB-CGI info2www access" nocase-ignored bugtraq,1995 cve,CVE-1999-0266 classtype:attempted-recon sid:827 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/maillist.pl" -j LOG --log-prefix " SID828 " # "WEB-CGI maillist.pl access" nocase-ignored classtype:attempted-recon sid:828 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/nph-test-cgi" -j LOG --log-prefix " SID829 " # "WEB-CGI nph-test-cgi access" nocase-ignored nessus,10165 arachnids,224 cve,CVE-1999-0045 bugtraq,686 classtype:attempted-recon sid:829 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/nph-maillist.pl" -j LOG --log-prefix " SID1451 " # "WEB-CGI NPH-publish access" nocase-ignored cve,CAN-2001-0400 classtype:attempted-recon sid:1451 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/nph-publish" -j LOG --log-prefix " SID830 " # "WEB-CGI NPH-publish access" nocase-ignored cve,CAN-1999-1177 classtype:attempted-recon sid:830 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/rguest.exe" -j LOG --log-prefix " SID833 " # "WEB-CGI rguest.exe access" nocase-ignored cve,CAN-1999-0467 bugtraq,2024 classtype:attempted-recon sid:833 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/rwwwshell.pl" -j LOG --log-prefix " SID834 " # "WEB-CGI rwwwshell.pl access" nocase-ignored url,www.itsecurity.com/papers/p37.htm classtype:attempted-recon sid:834 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/test-cgi/*?*" -j LOG --log-prefix " SID1644 " # "WEB-CGI test-cgi attempt" nocase-ignored nessus,10282 cve,CVE-1999-0070 arachnids,218 classtype:web-application-attack sid:1644 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/test-cgi" -j LOG --log-prefix " SID835 " # "WEB-CGI test-cgi access" nocase-ignored nessus,10282 cve,CVE-1999-0070 arachnids,218 classtype:attempted-recon sid:835 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/testcgi" -j LOG --log-prefix " SID1645 " # "WEB-CGI testcgi access" nocase-ignored nessus,11610 bugtraq,7214 classtype:web-application-activity sid:1645 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/test.cgi" -j LOG --log-prefix " SID1646 " # "WEB-CGI test.cgi access" nocase-ignored classtype:web-application-activity sid:1646 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/textcounter.pl" -j LOG --log-prefix " SID836 " # "WEB-CGI textcounter.pl access" nocase-ignored cve,CAN-1999-1479 classtype:attempted-recon sid:836 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/uploader.exe" -j LOG --log-prefix " SID837 " # "WEB-CGI uploader.exe access" nocase-ignored cve,CVE-1999-0177 nessus,10291 classtype:attempted-recon sid:837 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/webgais" -j LOG --log-prefix " SID838 " # "WEB-CGI webgais access" nocase-ignored arachnids,472 bugtraq,2058 cve,CVE-1999-0176 nessus,10300 classtype:attempted-recon sid:838 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/finger" -j LOG --log-prefix " SID839 " # "WEB-CGI finger access" nocase-ignored arachnids,221 cve,CVE-1999-0612 nessus,10071 classtype:attempted-recon sid:839 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/perlshop.cgi" -j LOG --log-prefix " SID840 " # "WEB-CGI perlshop.cgi access" nocase-ignored cve,CAN-1999-1374 classtype:attempted-recon sid:840 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/pfdisplay.cgi" -j LOG --log-prefix " SID841 " # "WEB-CGI pfdisplay.cgi access" nocase-ignored bugtraq,64 cve,CVE-1999-0270 classtype:attempted-recon sid:841 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/aglimpse" -j LOG --log-prefix " SID842 " # "WEB-CGI aglimpse access" nocase-ignored nessus,10095 cve,CVE-1999-0147 bugtraq,2026 classtype:attempted-recon sid:842 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/AnForm2" -j LOG --log-prefix " SID843 " # "WEB-CGI anform2 access" nocase-ignored cve,CVE-1999-0066 arachnids,225 classtype:attempted-recon sid:843 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/args.bat" -j LOG --log-prefix " SID844 " # "WEB-CGI args.bat access" nocase-ignored cve,CAN-1999-1374 classtype:attempted-recon sid:844 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/args.cmd" -j LOG --log-prefix " SID1452 " # "WEB-CGI args.cmd access" nocase-ignored cve,CAN-1999-1374 classtype:attempted-recon sid:1452 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/AT-admin.cgi" -j LOG --log-prefix " SID845 " # "WEB-CGI AT-admin.cgi access" nocase-ignored cve,CAN-1999-1072 classtype:attempted-recon sid:845 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/AT-generated.cgi" -j LOG --log-prefix " SID1453 " # "WEB-CGI AT-generated.cgi access" nocase-ignored cve,CAN-1999-1072 classtype:attempted-recon sid:1453 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/bnbform.cgi" -j LOG --log-prefix " SID846 " # "WEB-CGI bnbform.cgi access" nocase-ignored cve,CVE-1999-0937 bugtraq,1469 classtype:attempted-recon sid:846 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/campas" -j LOG --log-prefix " SID847 " # "WEB-CGI campas access" nocase-ignored cve,CVE-1999-0146 bugtraq,1975 classtype:attempted-recon sid:847 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/view-source" --string "../" -j LOG --log-prefix " SID848 " # "WEB-CGI view-source directory traversal" nocase-ignored nocase-ignored cve,CVE-1999-0174 classtype:web-application-attack sid:848 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/view-source" -j LOG --log-prefix " SID849 " # "WEB-CGI view-source access" nocase-ignored cve,CVE-1999-0174 classtype:attempted-recon sid:849 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/wais.pl" -j LOG --log-prefix " SID850 " # "WEB-CGI wais.pl access" nocase-ignored classtype:attempted-recon sid:850 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/wwwwais" -j LOG --log-prefix " SID1454 " # "WEB-CGI wwwwais access" nocase-ignored nessus,10597 cve,CAN-2001-0223 classtype:attempted-recon sid:1454 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/files.pl" -j LOG --log-prefix " SID851 " # "WEB-CGI files.pl access" nocase-ignored cve,CAN-1999-1081 classtype:attempted-recon sid:851 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/wguest.exe" -j LOG --log-prefix " SID852 " # "WEB-CGI wguest.exe access" nocase-ignored cve,CAN-1999-0467 bugtraq,2024 classtype:attempted-recon sid:852 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/wrap" -j LOG --log-prefix " SID853 " # "WEB-CGI wrap access" nessus,10317 bugtraq,373 arachnids,234 cve,CVE-1999-0149 classtype:attempted-recon sid:853 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/classifieds.cgi" -j LOG --log-prefix " SID854 " # "WEB-CGI classifieds.cgi access" nocase-ignored bugtraq,2020 cve,CVE-1999-0934 classtype:attempted-recon sid:854 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/environ.cgi" -j LOG --log-prefix " SID856 " # "WEB-CGI environ.cgi access" nocase-ignored classtype:attempted-recon sid:856 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/faxsurvey?/" -j LOG --log-prefix " SID1647 " # "WEB-CGI faxsurvey attempt (full path)" nocase-ignored cve,CVE-1999-0262 bugtraq,2056 nessus,10067 classtype:web-application-attack sid:1647 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/faxsurvey?cat%20" -j LOG --log-prefix " SID1609 " # "WEB-CGI faxsurvey arbitrary file read attempt" nocase-ignored nessus,10067 cve,CVE-1999-0262 bugtraq,2056 classtype:web-application-attack sid:1609 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/faxsurvey" -j LOG --log-prefix " SID857 " # "WEB-CGI faxsurvey access" nocase-ignored cve,CVE-1999-0262 bugtraq,2056 nessus,10067 classtype:web-application-activity sid:857 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/filemail.pl" -j LOG --log-prefix " SID858 " # "WEB-CGI filemail access" nocase-ignored cve,CAN-1999-1154 classtype:attempted-recon sid:858 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/man.sh" -j LOG --log-prefix " SID859 " # "WEB-CGI man.sh access" nocase-ignored cve,CAN-1999-1179 classtype:attempted-recon sid:859 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/snork.bat" -j LOG --log-prefix " SID860 " # "WEB-CGI snork.bat access" nocase-ignored bugtraq,1053 cve,CVE-2000-0169 arachnids,220 classtype:attempted-recon sid:860 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/w3-msql/" -j LOG --log-prefix " SID861 " # "WEB-CGI w3-msql access" nocase-ignored bugtraq,591 cve,CVE-1999-0276 arachnids,210 nessus,10296 cve,CVE-2000-0012 classtype:attempted-recon sid:861 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/day5datacopier.cgi" -j LOG --log-prefix " SID863 " # "WEB-CGI day5datacopier.cgi access" nocase-ignored cve,CAN-1999-1232 classtype:attempted-recon sid:863 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/day5datanotifier.cgi" -j LOG --log-prefix " SID864 " # "WEB-CGI day5datanotifier.cgi access" nocase-ignored cve,CAN-1999-1232 classtype:attempted-recon sid:864 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/post-query" -j LOG --log-prefix " SID866 " # "WEB-CGI post-query access" nocase-ignored cve,CAN-2001-0291 classtype:attempted-recon sid:866 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/visadmin.exe" -j LOG --log-prefix " SID867 " # "WEB-CGI visadmin.exe access" nocase-ignored bugtraq,1808 cve,CAN-1999-1970 nessus,10295 classtype:attempted-recon sid:867 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/dumpenv.pl" -j LOG --log-prefix " SID869 " # "WEB-CGI dumpenv.pl access" nocase-ignored cve,CAN-1999-1178 classtype:attempted-recon sid:869 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/calendar_admin.pl?config=|" -j LOG --log-prefix " SID1536 " # "WEB-CGI calendar_admin.pl arbitrary command execution attempt" classtype:web-application-attack cve,CVE-2000-0432 sid:1536 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/calendar_admin.pl" -j LOG --log-prefix " SID1537 " # "WEB-CGI calendar_admin.pl access" classtype:web-application-activity cve,CVE-2000-0432 sid:1537 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/calendar-admin.pl" -j LOG --log-prefix " SID1701 " # "WEB-CGI calendar-admin.pl access" nocase-ignored bugtraq,1215 classtype:web-application-activity sid:1701 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/calender.pl" -j LOG --log-prefix " SID1455 " # "WEB-CGI calender.pl access" nocase-ignored cve,CVE-2000-0432 classtype:attempted-recon sid:1455 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/calendar" -j LOG --log-prefix " SID882 " # "WEB-CGI calendar access" nocase-ignored classtype:attempted-recon sid:882 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/user_update_admin.pl" -j LOG --log-prefix " SID1457 " # "WEB-CGI user_update_admin.pl access" nocase-ignored cve,CVE-2000-0627 classtype:attempted-recon sid:1457 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/user_update_passwd.pl" -j LOG --log-prefix " SID1458 " # "WEB-CGI user_update_passwd.pl access" nocase-ignored cve,CVE-2000-0627 classtype:attempted-recon sid:1458 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/snorkerz.cmd" -j LOG --log-prefix " SID870 " # "WEB-CGI snorkerz.cmd access" nocase-ignored classtype:attempted-recon sid:870 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/survey.cgi" -j LOG --log-prefix " SID871 " # "WEB-CGI survey.cgi access" nocase-ignored bugtraq,1817 cve,CVE-1999-0936 classtype:attempted-recon sid:871 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "///" -j LOG --log-prefix " SID873 " # "WEB-CGI scriptalias access" cve,CVE-1999-0236 bugtraq,2300 arachnids,227 classtype:attempted-recon sid:873 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/win-c-sample.exe" -j LOG --log-prefix " SID875 " # "WEB-CGI win-c-sample.exe access" nocase-ignored bugtraq,2078 arachnids,231 cve,CVE-1999-0178 nessus,10008 classtype:attempted-recon sid:875 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/w3tvars.pm" -j LOG --log-prefix " SID878 " # "WEB-CGI w3tvars.pm access" nocase-ignored classtype:attempted-recon sid:878 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/admin.pl" -j LOG --log-prefix " SID879 " # "WEB-CGI admin.pl access" nocase-ignored url,online.securityfocus.com/archive/1/249355 bugtraq,3839 classtype:attempted-recon sid:879 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/LWGate" -j LOG --log-prefix " SID880 " # "WEB-CGI LWGate access" nocase-ignored url,www.netspace.org/~dwb/lwgate/lwgate-history.html url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm classtype:attempted-recon sid:880 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/archie" -j LOG --log-prefix " SID881 " # "WEB-CGI archie access" nocase-ignored classtype:attempted-recon sid:881 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/flexform" -j LOG --log-prefix " SID883 " # "WEB-CGI flexform access" nocase-ignored url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm classtype:attempted-recon sid:883 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/formmail" --string "%0a" -j LOG --log-prefix " SID1610 " # "WEB-CGI formmail arbitrary command execution attempt" nocase-ignored nocase-ignored nessus,10782 nessus,10076 bugtraq,1187 cve,CVE-1999-0172 arachnids,226 classtype:web-application-attack sid:1610 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/formmail" -j LOG --log-prefix " SID884 " # "WEB-CGI formmail access" nocase-ignored nessus,10782 nessus,10076 bugtraq,1187 cve,CVE-1999-0172 arachnids,226 classtype:web-application-activity sid:884 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/phf" --string "QALIAS" --string "%0a/" -j LOG --log-prefix " SID1762 " # "WEB-CGI phf arbitrary command execution attempt" nocase-ignored nocase-ignored bugtraq,629 arachnids,128 cve,CVE-1999-0067 classtype:web-application-attack sid:1762 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/phf" -j LOG --log-prefix " SID886 " # "WEB-CGI phf access" nocase-ignored bugtraq,629 arachnids,128 cve,CVE-1999-0067 classtype:web-application-activity sid:886 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/www-sql" -j LOG --log-prefix " SID887 " # "WEB-CGI www-sql access" nocase-ignored url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2 classtype:attempted-recon sid:887 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/wwwadmin.pl" -j LOG --log-prefix " SID888 " # "WEB-CGI wwwadmin.pl access" nocase-ignored classtype:attempted-recon sid:888 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/ppdscgi.exe" -j LOG --log-prefix " SID889 " # "WEB-CGI ppdscgi.exe access" nocase-ignored bugtraq,491 url,online.securityfocus.com/archive/1/16878 classtype:attempted-recon sid:889 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/sendform.cgi" -j LOG --log-prefix " SID890 " # "WEB-CGI sendform.cgi access" nocase-ignored cve,CAN-2002-0710 bugtraq,5286 url,www.scn.org/help/sendform.txt classtype:attempted-recon sid:890 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/upload.pl" -j LOG --log-prefix " SID891 " # "WEB-CGI upload.pl access" nocase-ignored classtype:attempted-recon sid:891 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/AnyForm2" -j LOG --log-prefix " SID892 " # "WEB-CGI AnyForm2 access" nocase-ignored bugtraq,719 cve,CVE-1999-0066 classtype:attempted-recon sid:892 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/MachineInfo" -j LOG --log-prefix " SID893 " # "WEB-CGI MachineInfo access" nocase-ignored cve,CAN-1999-1067 classtype:attempted-recon sid:893 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/bb-hist.sh?HISTFILE=../.." -j LOG --log-prefix " SID1531 " # "WEB-CGI bb-hist.sh attempt" nocase-ignored nessus,10025 cve,CAN-1999-1462 bugtraq,142 classtype:web-application-attack sid:1531 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/bb-hist.sh" -j LOG --log-prefix " SID894 " # "WEB-CGI bb-hist.sh access" nocase-ignored nessus,10025 cve,CAN-1999-1462 bugtraq,142 classtype:attempted-recon sid:894 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/bb-histlog.sh" -j LOG --log-prefix " SID1459 " # "WEB-CGI bb-histlog.sh access" nocase-ignored bugtraq,142 cve,CAN-1999-1462 classtype:attempted-recon sid:1459 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/bb-histsvc.sh" -j LOG --log-prefix " SID1460 " # "WEB-CGI bb-histsvc.sh access" nocase-ignored bugtraq,142 cve,CAN-1999-1462 classtype:attempted-recon sid:1460 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/bb-hostsvc.sh?HOSTSVC?../.." -j LOG --log-prefix " SID1532 " # "WEB-CGI bb-hostscv.sh attempt" nocase-ignored nessus,10460 cve,CVE-2000-0638 classtype:web-application-attack sid:1532 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/bb-hostsvc.sh" -j LOG --log-prefix " SID1533 " # "WEB-CGI bb-hostscv.sh access" nocase-ignored nessus,10460 cve,CVE-2000-0638 classtype:web-application-activity sid:1533 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/bb-rep.sh" -j LOG --log-prefix " SID1461 " # "WEB-CGI bb-rep.sh access" nocase-ignored bugtraq,142 cve,CAN-1999-1462 classtype:attempted-recon sid:1461 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/bb-replog.sh" -j LOG --log-prefix " SID1462 " # "WEB-CGI bb-replog.sh access" nocase-ignored bugtraq,142 cve,CAN-1999-1462 classtype:attempted-recon sid:1462 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/redirect" -j LOG --log-prefix " SID895 " # "WEB-CGI redirect access" nocase-ignored bugtraq,1179 cve,CVE-2000-0382 classtype:attempted-recon sid:895 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/way-board/way-board.cgi" --string "db=" --string "../.." -j LOG --log-prefix " SID1397 " # "WEB-CGI wayboard attempt" nocase-ignored bugtraq,2370 cve,CAN-2001-0214 classtype:web-application-attack sid:1397 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/way-board" -j LOG --log-prefix " SID896 " # "WEB-CGI way-board access" nocase-ignored bugtraq,2370 cve,CAN-2001-0214 nessus,10610 classtype:web-application-activity sid:896 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/pals-cgi" --string "documentName=" -j LOG --log-prefix " SID1222 " # "WEB-CGI pals-cgi arbitrary file access attempt" nocase-ignored classtype:web-application-attack cve,CAN-2001-0217 bugtraq,2372 nessus,10611 sid:1222 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/pals-cgi" -j LOG --log-prefix " SID897 " # "WEB-CGI pals-cgi access" nocase-ignored cve,CAN-2001-0216 cve,CAN-2001-0217 bugtraq,2372 nessus,10611 classtype:attempted-recon sid:897 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/commerce.cgi" --string "page=" --string "/../" -j LOG --log-prefix " SID1572 " # "WEB-CGI commerce.cgi arbitrary file access attempt" nocase-ignored nessus,10612 bugtraq,2361 cve,CAN-2001-0210 classtype:attempted-recon sid:1572 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/commerce.cgi" -j LOG --log-prefix " SID898 " # "WEB-CGI commerce.cgi access" nocase-ignored nessus,10612 bugtraq,2361 cve,CAN-2001-0210 classtype:attempted-recon sid:898 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/sendtemp.pl" --string "templ=" -j LOG --log-prefix " SID899 " # "WEB-CGI Amaya templates sendtemp.pl directory traversal attempt" nocase-ignored nocase-ignored bugtraq,2504 cve,CAN-2001-0272 classtype:web-application-attack sid:899 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/sendtemp.pl" -j LOG --log-prefix " SID1702 " # "WEB-CGI Amaya templates sendtemp.pl access" nocase-ignored bugtraq,2504 cve,CAN-2001-0272 classtype:web-application-activity sid:1702 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/webspirs.cgi" --string "../../" -j LOG --log-prefix " SID900 " # "WEB-CGI webspirs.cgi directory traversal attempt" nocase-ignored nocase-ignored cve,CAN-2001-0211 bugtraq,2362 nessus,10616 classtype:web-application-attack sid:900 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/webspirs.cgi" -j LOG --log-prefix " SID901 " # "WEB-CGI webspirs.cgi access" nocase-ignored cve,CAN-2001-0211 bugtraq,2362 nessus,10616 classtype:attempted-recon sid:901 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "tstisapi.dll" -j LOG --log-prefix " SID902 " # "WEB-CGI tstisapi.dll access" nocase-ignored cve,CAN-2001-0302 classtype:attempted-recon sid:902 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/sendmessage.cgi" -j LOG --log-prefix " SID1308 " # "WEB-CGI sendmessage.cgi access" nocase-ignored classtype:attempted-recon sid:1308 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/lastlines.cgi" -j LOG --log-prefix " SID1392 " # "WEB-CGI lastlines.cgi access" nocase-ignored bugtraq,3755 bugtraq,3754 classtype:attempted-recon sid:1392 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/zml.cgi" --string "file=../" -j LOG --log-prefix " SID1395 " # "WEB-CGI zml.cgi attempt" cve,CAN-2001-1209 bugtraq,3759 classtype:web-application-activity sid:1395 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/zml.cgi" -j LOG --log-prefix " SID1396 " # "WEB-CGI zml.cgi access" cve,CAN-2001-1209 bugtraq,3759 classtype:web-application-activity sid:1396 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/publisher/search.cgi" --string "template=" -j LOG --log-prefix " SID1405 " # "WEB-CGI AHG search.cgi access" nocase-ignored nocase-ignored bugtraq,3985 classtype:web-application-activity sid:1405 iptables -A SnortRules -p tcp -s $EXTERNAL_NET -d $HTTP_SERVERS --dport $HTTP_PORTS -m string --string "/store/agora.cgi?cart_id=