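#         _ _ _  ___ ___ ___
#  __ _ _ __ _ ____| |_ | \| |_ _| \/ __|
# / _` | '_/ _` / _| ' \| .` || || |) \__ \
# \__,_|_| \__,_\__|_||_|_|\_|___|___/|___/
#=====[ arachNIDS event signatures export for SNORT ]====
#
# These signatures have been generated dynamically and exported
# from arachNIDS (Advanced Reference Archive of Current Heuristics
# for Network Intrusion Detection Systems). This file can be used
# as a configuration file with the SNORT IDS to detect attacks or
# suspicious activity on your network.
#
# Please see http://whitehats.com/ids/ for signature details/credit.
#
# vision@whitehats.com
#
######### Export date: Fri Oct 6 01:18:23 PDT 2000
#
# Maintainer notes on this copy of the export:
# - Syntax is Snort 1.x era (var / preprocessor minfrag / preprocessor portscan,
#   "flags: AP" with no flow: keyword). The msg strings and IDSnnn numbers are
#   kept verbatim because alert consumers key on them.
# - Corrections applied relative to the raw export:
#   * IDS358: the hex content had an odd number of hex digits ("08210 0280"),
#     which is not a valid byte sequence; it is now the 4x repeated "0821 0280"
#     pattern that the sibling IDS359 rule follows.
#   * IDS298 and the NETBIOS-SMB share-name rules (IDS335-IDS340): a bare "\"
#     inside a Snort content string is the escape character, so the intended
#     literal backslash is now written as the hex byte |5c| (the form IDS334
#     already uses). Matching intent is unchanged.
# - Known typos left in place inside msg strings: IDS417 "inorfmation",
#   IDS313 "Possbile".
# - One rule per line below; the export had them run together.

# Change these next lines to match your network!
# NOTE(review): a single /24 placeholder; EXTERNAL is simply "not INTERNAL".
var INTERNAL 10.0.0.0/24
var EXTERNAL !10.0.0.0/24
preprocessor http_decode: 80 443 8080
preprocessor minfrag: 128
preprocessor portscan: $INTERNAL 3 5 /var/log/snort/portscan

#---- ICMP, inbound ----
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS116/SourceRoute-ICMP-lssr"; ipopts: lsrr ;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS117/SourceRoute-ICMP-lssre"; ipopts: lsrre ;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS118/Traceroute-ICMP"; ttl: 1; itype: 8;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS135/icmp-redirect_host"; itype: 5; icode: 1;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS151/Ping BeOS 4.x"; itype: 8; content: "|00000000000000000000000008090a0b|"; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS152/Ping BSDtype"; itype: 8; content: "|08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17|"; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS153/Ping Cisco IOS 9.x"; itype: 8; content: "|abcdabcdabcdabcdabcdabcdabcdabcd|"; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS154/ping-CyberKit 2.2 Windows"; itype: 8; content: "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS155/Ping Delphi-Piette Windows"; itype: 8; content: "|50696e67696e672066726f6d2044656c|"; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS156/Ping Flowpoint 2200 DSL Router"; itype: 8; content: "|0102030405060708090a0b0c0d0e0f10|"; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS157/Ping IPNetMonitor Macintosh"; itype: 8; content: "|a9205375737461696e61626c6520536f|"; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS158/Ping ISS Pinger"; itype: 8; content: "ISSPNGRQ"; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS159/Ping Microsoft Windows"; itype: 8; content: "|6162636465666768696a6b6c6d6e6f70|"; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS161/Ping NetworkToolbox3 Windows"; itype: 8; content: "|3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d|"; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS162/Ping Nmap 2.36BETA"; dsize: 0; itype: 8;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS163/Ping OpenBSD-Linux"; itype: 8; content: "|101112131415161718191a1b1c1d1e1f|"; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS164/Ping Ping-O-Meter Windows"; itype: 8; content: "|4f4d657465724f6265736541726d6164|"; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS165/Ping Pinger Windows"; itype: 8; content: "|44617461000000000000000000000000|"; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS166/Ping Seer Windows"; itype: 8; content: "|88042020202020202020202020202020|"; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS167/Ping TJPingPro 1.1 Build 2 Windows"; itype: 8; content: "|544a50696e6750726f206279204a696d|"; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS168/Ping Whatsup Gold Windows"; itype: 8; content: "|57686174735570202d2041204e657477|"; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS169/ping Win2000"; itype: 8; content: "|61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70|"; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS171/ping zeros"; itype: 8; content: "|00000000000000000000000000000000|"; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS173/IRDP_router_advertisement"; itype: 9;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS174/IRDP_router_selection"; itype: 10;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS178/Ping CyberCop55"; itype: 8; icmp_seq: 18467; content: "|00 00 20 20 20 20 20 20 20 20 20|"; depth: 18; offset: 7;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS183/tfn-client-command-le"; itype: 0; icmp_id: 51201; icmp_seq: 0;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS184/tfn-client-command-be"; itype: 0; icmp_id: 456; icmp_seq: 0;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS190/stacheldraht client-check"; itype: 0; icmp_id: 666; content: "skillz";)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS192/stacheldraht client-spoofworks"; itype: 0; icmp_id: 1000; content: "spoofworks";)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS194/stacheldraht client-check-gag"; itype: 0; icmp_id: 39938; content: "gesundheit!";)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS199/icmp-redirect_net"; itype: 5; icode: 0;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS216/icmp-subnet_mask_request"; itype: 17;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS238/Traceroute IPOPTS"; ipopts: rr ; itype: 0;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS246/large-icmp"; dsize: >800;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS264/dos-ath0"; itype: 8; content: "+++ath0"; nocase;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS281/PING Sniffer Pro NAI Windows NT"; itype: 8; content: "|43696e636f30313233343536373839|"; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS307/ping-webtrends-scanner"; itype: 8; icode: 0; content: "|00 00 00 00 45 45 45 45 45 45 45 45 45 45 45 45|";)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS311/scanner-L3retriever-ping"; itype: 8; icode: 0; content: "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS416/icmp-timestamp_request"; itype: 13;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS417/icmp-inorfmation_request"; itype: 15;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS424/SourceRoute-ICMP-ssrr"; ipopts: ssrr ;)

#---- ICMP, outbound / any-direction (DDoS agent responses, broadcast-source backdoor) ----
alert ICMP $INTERNAL any -> $EXTERNAL any (msg: "IDS182/tfn-server-response"; itype: 0; icmp_id: 123; icmp_seq: 0; content: "shell bound to port";)
alert ICMP $INTERNAL any -> $EXTERNAL any (msg: "IDS191/stacheldraht server-response"; itype: 0; icmp_id: 667; content: "ficken";)
alert ICMP $INTERNAL any -> $EXTERNAL any (msg: "IDS195/stacheldraht server-response-gag"; itype: 0; icmp_id: 669; content: "sicken";)
alert ICMP 255.255.255.255/32 any -> $INTERNAL any (msg: "IDS202/backdoor-Q-icmp"; dsize: >1; itype: 0;)
alert ICMP any any -> any any (msg: "IDS193/stacheldraht server-spoof"; itype: 8; icmp_id: 666;)

#---- TCP, inbound, fixed source port ----
alert TCP $EXTERNAL 113 -> $INTERNAL 25 (msg: "IDS139/SMTP-exploit869a"; flags: AP; content: "|0a|C|3a|daemon|0a|R";)
alert TCP $EXTERNAL 113 -> $INTERNAL 25 (msg: "IDS140/SMTP-exploit869b"; flags: AP; content: "|0a|D/";)
alert TCP $EXTERNAL 113 -> $INTERNAL 25 (msg: "IDS141/SMTP-exploit869c"; flags: AP; content: "|0a|Croot|0d0a|Mprog";)
alert TCP $EXTERNAL 113 -> $INTERNAL 25 (msg: "IDS142/SMTP-exploit869d"; flags: AP; content: "|0a|Croot|0a|Mprog";)
alert TCP $EXTERNAL 20 -> $INTERNAL 0:1023 (msg: "IDS6/SourcePortTraffic-20-tcp"; flags: S;)
alert TCP $EXTERNAL 27374 -> $INTERNAL any (msg: "IDS279/trojan-active-subseven21"; flags: SA;)
alert TCP $EXTERNAL 53 -> $INTERNAL 0:1023 (msg: "IDS7/SourcePortTraffic-53-tcp"; flags: S;)
alert TCP $EXTERNAL 6000:6005 -> $INTERNAL any (msg: "IDS126/Outgoing_Xterm"; flags: SA;)
alert TCP $EXTERNAL 80 -> $INTERNAL any (msg: "IDS215/client-netscape47-overflow-retrieved"; flags: AP; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|";)
alert TCP $EXTERNAL 80 -> $INTERNAL any (msg: "IDS294/trojan-netscape-java-serversocket"; flags: AP; content: "java/net/ServerSocket|00|"; nocase;)
alert TCP $EXTERNAL :1024 -> $INTERNAL any (msg: "IDS252/ddos-shaft-synflood-incoming"; seq: 674711609; flags: S;)

#---- TCP, inbound, by destination port ----
alert TCP $EXTERNAL any -> $INTERNAL 1080 (msg: "IDS175/socks-probe"; ack: 0; flags: S;)
alert TCP $EXTERNAL any -> $INTERNAL 113 (msg: "IDS303/ident-version-probe"; flags: AP; content: "VERSION|0A|"; depth: 16; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 119 (msg: "IDS274/nntp-overflow-cassandra"; dsize: >512; flags: AP; content: "AUTHINFO USER"; depth: 16; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 12345 (msg: "IDS403/trojan-netbus-getinfo-12345"; flags: AP; content: "GetInfo|0d|";)
alert TCP $EXTERNAL any -> $INTERNAL 12346 (msg: "IDS404/Netbus-getinfo-12346"; flags: AP; content: "GetInfo|0d|";)
alert TCP $EXTERNAL any -> $INTERNAL 139 (msg: "IDS204/NT_NULL_session"; flags: AP; content: "|00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4E 00 54 00 20 00 31 00 33 00 38 00 31|";)
alert TCP $EXTERNAL any -> $INTERNAL 139 (msg: "IDS334/NETBIOS-SMB-IPC$access"; flags: AP; content: "|5c00|I|00|P|00|C|00|$|000000|IPC|00|";)
# Share-name rules: leading backslash written as |5c| (see header note).
alert TCP $EXTERNAL any -> $INTERNAL 139 (msg: "IDS335/NETBIOS-SMB-IPC$access-alternate"; flags: AP; content: "|5c|IPC$|00 41 3a 00|";)
alert TCP $EXTERNAL any -> $INTERNAL 139 (msg: "IDS336/NETBIOS-SMB-D$access"; flags: AP; content: "|5c|D$|00 41 3a 00|";)
alert TCP $EXTERNAL any -> $INTERNAL 139 (msg: "IDS337/NETBIOS-SMB-CD..."; flags: AP; content: "|5c|...|00 00 00|";)
alert TCP $EXTERNAL any -> $INTERNAL 139 (msg: "IDS338/NETBIOS-SMB-CD.."; flags: AP; content: "|5c|..|2f 00 00 00|";)
alert TCP $EXTERNAL any -> $INTERNAL 139 (msg: "IDS339/NETBIOS-SMB-C$access"; flags: AP; content: "|5c|C$|00 41 3a 00|";)
alert TCP $EXTERNAL any -> $INTERNAL 139 (msg: "IDS340/NETBIOS-SMB-ADMIN$access"; flags: AP; content: "|5c|ADMIN$|00 41 3a 00|";)
alert TCP $EXTERNAL any -> $INTERNAL 139 (msg: "IDS341/NETBIOS-Samba-clientaccess"; flags: AP; content: "|00|Unix|00|Samba";)
alert TCP $EXTERNAL any -> $INTERNAL 1417 (msg: "IDS229/insecure-timbuktu-password"; flags: AP; content: "|05 00 3E|"; depth: 16;)
alert TCP $EXTERNAL any -> $INTERNAL 143 (msg: "IDS147/imap-x86-linux-buffer-overflow"; dsize: >100; flags: AP; content: "|e8 c0ff ffff|/bin/sh";)
alert TCP $EXTERNAL any -> $INTERNAL 16660 (msg: "IDS179/stacheldraht client"; flags: S;)
alert TCP $EXTERNAL any -> $INTERNAL 20432 (msg: "IDS254/ddos-shaft-client-to-handler"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS1/ADMw0rm-ftp-retrieval"; flags: AP; content: "USER w0rm|0D0A|"; depth: 32;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS134/ftp-tar-parameters"; flags: AP; content: "RETR --use-compress-program"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS2/mworm-ftp-retrieval"; flags: AP; content: "USER mw|0D0A|"; nocase;)
# NOTE(review): bare "passwd" anywhere in an FTP command; expect false positives from ordinary transfers of files with that name.
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS213/ftp-passwd-retrieval"; flags: AP; content: "passwd";)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS257/dos-aix-ftpd"; dsize: >1300; flags: AP; content: "CEL"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS285/ftp-wuftp260-siteexec-probe"; flags: AP; content: "SITE EXEC %p"; depth: 16; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS286/ftp-wuftp260-siteexec"; flags: AP; content: "|66 25 2E 66 25 2E 66 25 2E 66 25 2E 66 25 2E|"; depth: 32;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS287/ftp-wuftp260-venglin-linux"; flags: AP; content: "|31c031db 31c9b046 cd80 31c031db|";)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS288/ftp-wuftp260-venglin-bsd"; flags: AP; content: "|31c0 50 50 50 b07e cd80 31db 31c0|"; depth: 32;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS317/ftp-site-exec"; flags: AP; content: "site exec"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS318/ftp-cwd~root"; flags: AP; content: "cwd ~root"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS319/ftp-forward"; flags: AP; content: ".forward";)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS320/ftp-linux-nullpass"; flags: AP; content: "pass null|0d|"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS321/ftp-linux-nulluser"; flags: AP; content: "user null|0d|"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS322/ftp-nopassword"; flags: AP; content: "pass |0d|"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS323/ftp-pass-h0tb0x"; flags: AP; content: "pass h0tb0x"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS324/ftp-pass-wh00t"; flags: AP; content: "pass wh00t"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS325/ftp-shosts"; flags: AP; content: ".shosts"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS326/ftp-user-root"; flags: AP; content: "user root"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS327/ftp-user-warez"; flags: AP; content: "user warez"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS328/ftp-rhosts"; flags: AP; content: ".rhosts"; nocase; content: "put"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS329/SCAN-SATAN-FTPcheck"; flags: AP; content: "pass -satan";)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS330/SCAN-SAINT-FTPcheck"; flags: AP; content: "pass -saint";)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS331/SCAN-ISS-FTPcheck"; flags: AP; content: "pass -iss@iss";)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS332/SCAN-ADM-FTPcheck"; flags: AP; content: "PASS ddd@|0a|";)
alert TCP $EXTERNAL any -> $INTERNAL 23 (msg: "IDS304/SGI telnetd format bug"; flags: AP; content: "_RLD"; content: "/bin/sh";)
alert TCP $EXTERNAL any -> $INTERNAL 23 (msg: "IDS367/telnet-ld_preload"; flags: AP; content: "ld_preload";)
alert TCP $EXTERNAL any -> $INTERNAL 23 (msg: "IDS368/TELNET - ld_library_path"; flags: AP; content: "ld_library_path"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 23 (msg: "IDS369/telnet-resolv_host_conf"; flags: AP; content: "resolv_host_conf";)
alert TCP $EXTERNAL any -> $INTERNAL 23 (msg: "IDS370/TELNET - Livingston-DoS"; flags: AP; content: "|fff3 fff3 fff3 fff3 fff3|";)
alert TCP $EXTERNAL any -> $INTERNAL 2301 (msg: "IDS244/web-compaq-insight-dot-dot"; content: "../";)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS119/SMTP-exploit555"; flags: AP; content: "mail from|3a20227c|";)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS120/SMTP-exploit41"; flags: AP; content: "rcpt to|3a 20 7c 20 73 65 64 20 27 31 2C 2F 5E 24 2F 64 27 7c|";)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS121/SMTP-exploit564"; flags: AP; content: "rcpt to|3a| decode";)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS122/SMTP-exploit565"; flags: AP; content: "MAIL FROM|3a207c|/usr/ucb/tail";)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS123/SMTP-exploit8610"; flags: AP; content: "Croot|0d0a|Mprog, P=/bin/";)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS124/SMTP-exploit8610ha"; flags: AP; content: "Croot|09090909090909|Mprog, P=/bin";)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS143/SMTP-MajordomoIFS"; flags: AP; content: "${IFS}";)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS172/SMTP-exploit558"; flags: AP; content: "|7c 73 65 64 20 2d 65 20 27 31 2c 2f 5e 24 2f 27|";)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS245/smtp-cmail-buffer-overflow"; dsize: >500; flags: AP; content: "VRFY AAAAAAAAAAA";)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS266/smtp-chameleon-overflow"; dsize: >500; flags: AP; content: "HELP "; depth: 5; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS273/sniffit-overflow-linux"; dsize: >512; flags: AP; content: "from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS31/SMTP-expn-root"; flags: AP; content: "expn root"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS32/SMTP-expn-decode"; flags: AP; content: "expn decode"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS371/SCAN-Cybercop-SMTPexpn"; flags: AP; content: "expn cybercop"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS372/SCAN-Cybercop-SMTPehlo"; flags: AP; content: "ehlo cybercop|0a|quit|0a|"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS373/SMTP-vrfy-decode"; flags: AP; content: "vrfy decode"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS374/SCAN-Cybercop-WEB"; flags: AP; content: "get /cybercop"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 261 (msg: "IDS410/fw1-authentication"; flags: AP; content: "220 FW-1 Session Authentication";)
alert TCP $EXTERNAL any -> $INTERNAL 27665 (msg: "IDS196/trin00-attacker-to-master"; flags: AP; content: "betaalmostdone";)
alert TCP $EXTERNAL any -> $INTERNAL 32771: (msg: "IDS26/nfs-showmount"; flags: AP; content: "|00 01 86 A5 00 00 00 01 00 00 00 05 00 00 00 01|"; depth: 32; offset: 16;)
alert TCP $EXTERNAL any -> $INTERNAL 32771:34000 (msg: "IDS241/rpc.ttdbserv-solaris-kill"; flags: AP; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; depth: 32; offset: 16;)
alert TCP $EXTERNAL any -> $INTERNAL 32771:34000 (msg: "IDS242/rpc.ttdbserv-solaris-overflow"; dsize: >999; flags: AP; content: "|C0 22 3F FC A2 02 20 09 C0 2C 7F FF E2 22 3F F4|";)
alert TCP $EXTERNAL any -> $INTERNAL 457 (msg: "IDS180/web-netscape-overflow-unixware"; flags: AP; content: "|eb 5f 9a ff ff ff ff 07 ff c3 5e 31 c0 89 46 9d|";)
alert TCP $EXTERNAL any -> $INTERNAL 513 (msg: "IDS384/RSH-bin"; flags: AP; content: "bin|00|bin|00|";)
alert TCP $EXTERNAL any -> $INTERNAL 513 (msg: "IDS385/RSH-echo++"; flags: AP; content: "echo |22|+ +|22|";)
alert TCP $EXTERNAL any -> $INTERNAL 513 (msg: "IDS386/RSH-froot"; flags: AP; content: "-froot|00|";)
alert TCP $EXTERNAL any -> $INTERNAL 513 (msg: "IDS389/RSH-root"; flags: AP; content: "root|00|root|00|";)
alert TCP $EXTERNAL any -> $INTERNAL 513 (msg: "IDS392/RSH-LoginFailure"; flags: AP; content: "|01|rlogind|3a| Permission denied.";)
alert TCP $EXTERNAL any -> $INTERNAL 513 (msg: "IDS393/RSH-LoginFailure2"; flags: AP; content: "login incorrect";)
alert TCP $EXTERNAL any -> $INTERNAL 514 (msg: "IDS387/rlogin-froot"; flags: AP; content: "-froot|00|";)
alert TCP $EXTERNAL any -> $INTERNAL 514 (msg: "IDS388/rlogin-echo++"; flags: AP; content: "echo |22|+ +|22|";)
alert TCP $EXTERNAL any -> $INTERNAL 514 (msg: "IDS390/rlogin-bin"; flags: AP; content: "bin|00|bin|00|";)
alert TCP $EXTERNAL any -> $INTERNAL 514 (msg: "IDS391/rlogin-root"; flags: AP; content: "root|00|root|00|";)
alert TCP $EXTERNAL any -> $INTERNAL 514 (msg: "IDS394/RLOGIN-LoginFailure"; flags: AP; content: "|01|rlogind|3a| Permission denied.";)
alert TCP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS212/dns-zone-transfer"; flags: AP; content: "|FC|"; offset: 13;)
alert TCP $EXTERNAL any -> $INTERNAL 6000 (msg: "IDS395/X-xopen"; flags: AP; content: "|6c00 0b00 0000 0000 0000 0000|";)
alert TCP $EXTERNAL any -> $INTERNAL 6000 (msg: "IDS396/X-MITcookie"; flags: AP; content: "MIT-MAGIC-COOKIE-1";)
alert TCP $EXTERNAL any -> $INTERNAL 617 (msg: "IDS261/dos-arkiea-backup"; dsize: >1445; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 634:1400 (msg: "IDS217/rpc-amd-overflow"; flags: AP; content: "|80 00 04 2C 4C 15 75 5B 00 00 00 00 00 00 00 02|"; depth: 32;)
alert TCP $EXTERNAL any -> $INTERNAL 70 (msg: "IDS409/gopher-proxy"; flags: AP; content: "ftp|72|"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 7070 (msg: "IDS411/Realaudio-DoS"; flags: AP; content: "|fff4 fffd 06|";)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS11/finger-cybercop-redirection"; dsize: 11; flags: AP; content: "|40 6C 6F 63 61 6C 68 6F 73 74 0A|"; depth: 11;)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS130/finger-.@host"; dsize: 6; flags: AP; content: "|2E 0A 20 20 20 20|"; depth: 6;)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS131/finger-0@host"; dsize: 6; flags: AP; content: "|30 0A 20 20 20 20|"; depth: 6;)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS132/finger-cybercop-query"; flags: AP; content: "|0A 20 20 20 20 20|"; depth: 10;)
# NOTE(review): IDS251/IDS376/IDS378/IDS380 match a single character or common word anywhere in the finger query; tune or pair with dsize before relying on them.
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS251/finger-redirection"; flags: AP; content: "@";)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS263/backdoor-cdk"; flags: AP; content: "ypi0ca"; depth: 15; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS375/finger-search"; flags: AP; content: "search"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS376/finger-root"; flags: AP; content: "root"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS377/finger-probe-null"; flags: AP; content: "|00|";)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS378/finger-probe-0"; flags: AP; content: "0";)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS379/finger-pipe-w"; flags: AP; content: "/W|3b|";)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS380/finger-pipe"; flags: AP; content: "|7c|";)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS381/FINGER-Bomb"; flags: AP; content: "@@";)

#---- TCP, inbound, HTTP / proxies / printer ----
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS128/web-cgi-phf"; flags: AP; content: "phf";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS145/cybercop-os-probe-sfp"; ack: 0; flags: SFP; content: "AAAAAAAAAAAAAAAA"; depth: 16;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS146/cybercop-os-probe-sf12"; dsize: 0; flags: SF12;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS200/web-IIS_encoding"; flags: AP; content: "|25 31 75|";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS205/web-phorum-admin"; flags: AP; content: "admin.php3";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS206/web-phorum-auth"; flags: AP; content: "PHP_AUTH_USER=boogieman";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS207/web-phorum-code"; flags: AP; content: "code.php3";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS208/web-phorum-read"; flags: AP; content: "read.php3";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS209/web-phorum-violation"; flags: AP; content: "violation.php3";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS210/web-cgi-w3-msql"; flags: AP; content: "w3-msql";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS211/web-cgi-w3-msql-solx86"; flags: AP; content: "/bin/shA-cA/usr/openwin";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS218/web-cgi-test-cgi"; flags: AP; content: "test-cgi";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS219/web-cgi-perl-exe"; flags: AP; content: "perl.exe"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS220/web-cgi-snork"; flags: AP; content: "snork.bat"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS221/web-cgi-finger"; flags: AP; content: "finger";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS224/web-cgi-nph-test-cgi"; flags: AP; content: "nph-test-cgi";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS225/web-cgi-anyform"; flags: AP; content: "anyform"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS226/web-cgi-formmail"; flags: AP; content: "formmail";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS227/web-cgi-scriptalias"; flags: AP; content: "///";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS228/web-cgi-guestbook"; flags: AP; content: "guestbook"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS230/web-cgi-space-wildcard"; flags: AP; content: "|2A 20|";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS231/web-cgi-win-c-sample"; flags: AP; content: "win-c-sample.exe"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS232/web-cgi-php-slash"; flags: AP; content: "php.cgi?/"; depth: 32; offset: 5;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS234/web-cgi-wrap"; flags: AP; content: "wrap?/";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS235/web-cgi-handler"; flags: AP; content: "handler";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS237/web-webhits"; dsize: >400; flags: AP; content: ".htw"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS243/web-cgi-pipe"; flags: AP; content: "|7C|";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS248/web-frontpage-pws-fourdots"; flags: AP; content: "..../";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS250/web-coldfusion-openfile"; flags: AP; content: "openfile.cfm";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS258/web-cgi-get32.exe"; flags: AP; content: "get32.exe"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS259/web-http-alibaba-overflow"; dsize: >1400; flags: AP; content: "POST";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS260/dos-annex-terminal"; dsize: >1400; flags: AP; content: "ping?query"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS265/web-cgi-cgitest"; flags: AP; content: "cgitest.exe|0d0a|user"; offset: 4; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS268/web-coldfusion-application.cfm"; flags: AP; content: "application.cfm";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS269/web-coldfusion-onrequestend.cfm"; flags: AP; content: "onrequestend.cfm";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS270/web-netscape-dir-index-wp"; flags: AP; content: "?wp-"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS271/web-iis-dvwssr"; flags: AP; content: "dvwssr.dll"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS272/web-piranha-passwd.php3"; flags: AP; content: "passwd.php3"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS275/http-cisco-crash"; flags: AP; content: "|20 2F 25 25|"; depth: 16;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS290/http-cgi-infosearch-fname"; flags: AP; content: "fname=|7c|";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS292/http-frontpage-shtml.dll"; flags: AP; content: "_vti_bin/shtml.dll"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS296/http-whisker-splicing-attack-space"; dsize: <5; flags: AP; content: "|20|";)
# NOTE(review): IDS297/IDS298 match "../" and "..\" anywhere in the payload (no depth/offset); noisy on any site that serves relative links.
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS297/http-directory-traversal1"; flags: AP; content: "../";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS298/http-directory-traversal2"; flags: AP; content: "..|5c|";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS300/PCCS-Mysql Database Admin Tool"; flags: AP; content: "pccsmysqladm/incs/dbconnect.inc"; depth: 36; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS301/nessus-404-check"; flags: AP; content: "GET /nessus_is_probing_you_"; depth: 32;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS305/web-IIS_Translate_F"; flags: AP; content: "Translate|3a| F"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS309/scanner-webtrends-HTTP Probe"; flags: AP; content: "User-Agent|3a| Webtrends Security Analyzer|0d0a|";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS310/scanner-L3retriever-HTTP Probe"; flags: AP; content: "User-Agent|3a| Java1.2.1|0d0a|";)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS412/web-cgi-imagemap-overflow"; dsize: >1000; flags: A; content: "imagemap.exe?"; depth: 32; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS413/web-cgi-imagemap-overflow-psh"; dsize: >1000; flags: AP; content: "imagemap.exe?"; depth: 32; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS415/http-whisker-splicing-attack-tab"; dsize: <5; flags: AP; content: "|09|";)
alert TCP $EXTERNAL any -> $INTERNAL 8080 (msg: "IDS267/delegate-proxy-overflow"; dsize: >1000; flags: A; content: "whois|3a|//"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 8080 (msg: "IDS414/delegate-proxy-overflow-psh"; dsize: >1000; flags: AP; content: "whois|3a|//"; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 9001 (msg: "IDS302/printer-hp-display-hack"; flags: AP; content: "@PJL RDYMSG DISPLAY = "; depth: 32;)

#---- TCP, inbound, any port (scans, shellcode/NOP sleds, source routing) ----
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS144/probe-full_xmas_scan"; ack: 0; flags: SFAPUR;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS149/cybercop-os-probe-pa12"; flags: AP12; content: "AAAAAAAAAAAAAAAA"; depth: 16;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS150/cybercop-os-probe-sfu12"; ack: 0; flags: SFU12; content: "AAAAAAAAAAAAAAAA"; depth: 16;)
# NOTE(review): byte-pattern rules on any port will also fire on binary downloads; expect false positives without a port restriction.
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS181/shellcode-x86-nops"; flags: AP; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|";)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS198/SYN FIN Scan"; flags: SF;)
alert TCP 255.255.255.255/32 any -> $INTERNAL any (msg: "IDS203/backdoor-Q-tcp"; dsize: >1; flags: A;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS236/ipeye-syn-scan"; seq: 1958810375; flags: S;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS27/probe-fin_scan"; flags: F;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS28/probe-nmap_tcp_ping"; ack: 0; flags: A;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS282/shellcode-sparc-setuid0"; flags: AP; content: "|82102017 91d02008|";)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS283/shellcode-x86-setuid0"; flags: AP; content: "|b017 cd80|";)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS284/shellcode-x86-setgid0"; flags: AP; content: "|b0b5 cd80|";)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS29/probe-Queso Fingerprint attempt"; flags: S12;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS291/shellcode-x86-stealth-nop"; content: "|eb 02 eb 02 eb 02|";)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS3/Traceroute TCP"; ttl: 1;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS30/probe-xmas-scan"; ack: 0; flags: FPU;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS342/OVERFLOW-LinuxCommonTCP"; flags: AP; content: "|90 90 90 e8 c0 ff ff ff|/bin/sh";)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS353/OVERFLOW-NOOP-Solaris-tcp"; flags: AP; content: "|801c 4011 801c 4011 801c 4011 801c 4011|";)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS354/OVERFLOW-NOOP-Sparc-tcp"; flags: AP; content: "|13c0 1ca6 13c0 1ca6 13c0 1ca6 13c0 1ca6|";)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS355/OVERFLOW-NOOP-Sparc-tcp2"; flags: AP; content: "|a61c c013 a61c c013 a61c c013 a61c c013|";)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS356/OVERFLOW-NOOP-SGI-tcp"; flags: AP; content: "|03e0 f825 03e0 f825 03e0 f825 03e0 f825|";)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS357/OVERFLOW-NOOP-SGI-tcp2"; flags: AP; content: "|240f 1234 240f 1234 240f 1234 240f 1234|";)
# Fixed: export had "08210 0280" (odd hex digit count) in the last repetition.
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS358/OVERFLOW-NOOP-HP-tcp"; flags: AP; content: "|0821 0280 0821 0280 0821 0280 0821 0280|";)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS359/OVERFLOW-NOOP-HP-tcp2"; flags: AP; content: "|0b39 0280 0b39 0280 0b39 0280 0b39 0280|";)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS360/OVERFLOW-NOOP-AIX-tcp"; flags: AP; content: "|4fff fb82 4fff fb82 4fff fb82 4fff fb82|";)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS361/OVERFLOW-NOOP-Digital-tcp"; flags: AP; content: "|47 ff 04 1f 47 ff 04 1f 47 ff 04 1f 47 ff 04 1f|";)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS4/probe-null_scan"; seq: 0; ack: 0; flags: 0;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS419/SourceRoute-TCP-lssr"; ipopts: lsrr ;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS421/SourceRoute-TCP-lssre"; ipopts: lsrre ;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS423/SourceRoute-TCP-ssrr"; ipopts: ssrr ;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS5/probe-nmap_fingerprint_attempt"; flags: SFPU;)

#---- TCP, outbound (SYN/ACK from known trojan/backdoor ports, service banners, login failures) ----
alert TCP $INTERNAL 1001 -> $EXTERNAL any (msg: "IDS58/trojan-active-silencer-webex-doly"; flags: SA;)
alert TCP $INTERNAL 1033 -> $EXTERNAL any (msg: "IDS75/trojan-active-netspy"; flags: SA;)
alert TCP $INTERNAL 1042 -> $EXTERNAL any (msg: "IDS109/trojan-active-blah11"; flags: SA;)
alert TCP $INTERNAL 10607 -> $EXTERNAL any (msg: "IDS107/trojan-active-coma"; flags: SA;)
alert TCP $INTERNAL 10666 -> $EXTERNAL any (msg: "IDS113/trojan-active-ambush"; flags: SA;)
alert TCP $INTERNAL 1080 -> $EXTERNAL any (msg: "IDS176/socks4-active"; flags: AP; content: "|04 5A|"; depth: 2;)
alert TCP $INTERNAL 11000 -> $EXTERNAL any (msg: "IDS61/trojan-active-sennaspy"; flags: SA;)
alert TCP $INTERNAL 11223 -> $EXTERNAL any (msg: "IDS68/trojan-active-progenic"; flags: SA;)
alert TCP $INTERNAL 1170 -> $EXTERNAL any (msg: "IDS52/trojan-active-streamingaudio"; flags: SA;)
alert TCP $INTERNAL 1207 -> $EXTERNAL any (msg: "IDS56/trojan-active-softwar"; flags: SA;)
alert TCP $INTERNAL 12076 -> $EXTERNAL any (msg: "IDS97/trojan-active-gjamer"; flags: SA;)
alert TCP $INTERNAL 12223 -> $EXTERNAL any (msg: "IDS96/trojan-active-hack99keylogger"; flags: SA;)
alert TCP $INTERNAL 12345 -> $EXTERNAL any (msg: "IDS401/Netbus-active-12345"; flags: AP; content: "NetBus";)
alert TCP $INTERNAL 12346 -> $EXTERNAL any (msg: "IDS402/Netbus-active-12346"; flags: AP; content: "NetBus";)
alert TCP $INTERNAL 12346 -> $EXTERNAL any (msg: "IDS81/trojan-active-netbus10"; flags: SA;)
alert TCP $INTERNAL 1243 -> $EXTERNAL any (msg: "IDS50/trojan-active-subseven"; flags: SA;)
alert TCP $INTERNAL 1245 -> $EXTERNAL any (msg: "IDS38/trojan-active-vodoo"; flags: SA;)
alert TCP $INTERNAL 1269 -> $EXTERNAL any (msg: "IDS223/backdoor-matrix_1.x-2.0"; flags: SA;)
alert TCP $INTERNAL 1269 -> $EXTERNAL any (msg: "IDS83/trojan-active-matrix"; flags: SA;)
alert TCP $INTERNAL 12701 -> $EXTERNAL any (msg: "IDS103/trojan-active-eclipse2000"; flags: SA;)
alert TCP $INTERNAL 146 -> $EXTERNAL 1024: (msg: "IDS315/Backdoor.Infector.1.x"; flags: AP; content: "WHATISIT";)
alert TCP $INTERNAL 1492 -> $EXTERNAL any (msg: "IDS100/trojan-active-ftp99cmp"; flags: SA;)
alert TCP $INTERNAL 1509 -> $EXTERNAL any (msg: "IDS66/trojan-active-psyberstream"; flags: SA;)
alert TCP $INTERNAL 1600 -> $EXTERNAL any (msg: "IDS60/trojan-active-shiveburka"; flags: SA;)
alert TCP $INTERNAL 16969 -> $EXTERNAL any (msg: "IDS69/trojan-active-priority"; flags: SA;)
alert TCP $INTERNAL 17300 -> $EXTERNAL any (msg: "IDS85/trojan-active-kuang2"; flags: SA;)
alert TCP $INTERNAL 1807 -> $EXTERNAL any (msg: "IDS54/trojan-active-spysender"; flags: SA;)
alert TCP $INTERNAL 1966 -> $EXTERNAL any (msg: "IDS222/Backdoor-FakeFTP"; flags: SA;)
alert TCP $INTERNAL 1981 -> $EXTERNAL any (msg: "IDS59/trojan-active-shockrave"; flags: SA;)
alert TCP $INTERNAL 1999 -> $EXTERNAL any (msg: "IDS41/trojan-active-transcout"; flags: SA;)
alert TCP $INTERNAL 20000 -> $EXTERNAL any (msg: "IDS82/trojan-active-millenium"; flags: SA;)
alert TCP $INTERNAL 2001 -> $EXTERNAL any (msg: "IDS40/trojan-active-trojancow"; flags: SA;)
alert TCP $INTERNAL 20034 -> $EXTERNAL any (msg: "IDS80/trojan-active-netbuspro"; flags: SA;)
alert TCP $INTERNAL 20203 -> $EXTERNAL any (msg: "IDS108/trojan-active-chupacabra"; flags: SA;)
alert TCP $INTERNAL 2023 -> $EXTERNAL any (msg: "IDS72/trojan-active-passripper"; flags: SA;)
alert TCP $INTERNAL 20331 -> $EXTERNAL any (msg: "IDS111/trojan-active-bla"; flags: SA;)
alert TCP $INTERNAL 21 -> $EXTERNAL any (msg: "IDS364/FTP-bad-login"; flags: AP; content: "530 Login incorrect";)
alert TCP $INTERNAL 21 -> $EXTERNAL any (msg: "IDS406/trojan-active-deepthroat_ftpd"; flags: AP; content: "220 Deep Throat FTP Server Ready";)
alert TCP $INTERNAL 2140 -> $EXTERNAL any (msg: "IDS87/trojan-active-invasor"; flags: SA;)
alert TCP $INTERNAL 21554 -> $EXTERNAL any (msg: "IDS98/trojan-active-girlfriend"; flags: SA;)
alert TCP $INTERNAL 22222 -> $EXTERNAL any (msg: "IDS67/trojan-active-prosiak"; flags: SA;)
alert TCP $INTERNAL 2283 -> $EXTERNAL any (msg: "IDS93/trojan-active-hvlrat5"; flags: SA;)
alert TCP $INTERNAL 23 -> $EXTERNAL any (msg: "IDS127/telnet-login-incorrect"; flags: AP; content: "Login incorrect"; depth: 16; nocase;)
alert TCP $INTERNAL 23 -> $EXTERNAL any (msg: "IDS313/Possbile Xperl RootShell"; flags: AP; content: "|7E 21 62 69 67 68 6F 6C 65|";)
alert TCP $INTERNAL 23 -> $EXTERNAL any (msg: "IDS365/telnet-NotOnConsole"; flags: AP; content: "not on system console"; nocase;)
alert TCP $INTERNAL 23 -> $EXTERNAL any (msg: "IDS366/TELNET - WinGate-Active"; flags: AP; content: "WinGate>";)
alert TCP $INTERNAL 23 -> $EXTERNAL any (msg: "IDS8/telnet-daemon-active"; flags: AP; content: "|ff|"; depth: 1;)
alert TCP $INTERNAL 23456 -> $EXTERNAL any (msg: "IDS37/trojan-active-whackjob"; flags: SA;)
alert TCP $INTERNAL 25 -> $EXTERNAL any (msg: "IDS249/smtp-relay-denied"; flags: AP; content: "5.7.1"; depth: 70;)
alert TCP $INTERNAL 2565 -> $EXTERNAL any (msg: "IDS51/trojan-active-striker"; flags: SA;)
alert TCP $INTERNAL 2583 -> $EXTERNAL any (msg: "IDS35/trojan-active-wincrash2"; flags: SA;)
alert TCP $INTERNAL 2716 -> $EXTERNAL any (msg: "IDS47/trojan-active-theprayer2"; flags: SA;)
alert TCP $INTERNAL 2801 -> $EXTERNAL any (msg: "IDS71/trojan-active-phineas"; flags: SA;)
alert TCP $INTERNAL 29891 -> $EXTERNAL any (msg: "IDS44/trojan-active-theunexplained"; flags: SA;)
alert TCP $INTERNAL 30100 -> $EXTERNAL any (msg: "IDS76/trojan-active-netsphere"; flags: SA;)
alert TCP $INTERNAL 30303 -> $EXTERNAL any (msg: "IDS57/trojan-active-socket23"; flags: SA;)
alert TCP $INTERNAL 30999 -> $EXTERNAL any (msg: "IDS86/trojan-active-kuang"; flags: SA;)
alert TCP $INTERNAL 31 -> $EXTERNAL any (msg: "IDS84/trojan-active-masterparadise"; flags: SA;)
alert TCP $INTERNAL 31339 -> $EXTERNAL any (msg: "IDS74/trojan-active-netspydk"; flags: SA;)
alert TCP $INTERNAL 31554 -> $EXTERNAL any (msg: "IDS62/trojan-active-schwindler"; flags: SA;)
alert TCP $INTERNAL 31787 -> $EXTERNAL any (msg: "IDS95/trojan-active-hackatak"; flags: SA;)
alert TCP $INTERNAL 33911 -> $EXTERNAL any (msg: "IDS55/trojan-active-spirit2001"; flags: SA;)
alert TCP $INTERNAL 34324 -> $EXTERNAL any (msg: "IDS43/trojan-active-tinytelnet"; flags: SA;)
alert TCP $INTERNAL 37651 -> $EXTERNAL any (msg: "IDS33/trojan-active-yetanother"; flags: SA;)
alert TCP $INTERNAL 3791 -> $EXTERNAL any (msg: "IDS42/trojan-active-totaleclipse"; flags: SA;)
alert TCP $INTERNAL 40412 -> $EXTERNAL any (msg: "IDS46/trojan-active-thespy"; flags: SA;)
# (the next rule continues past the end of this excerpt; left as exported)
alert TCP $INTERNAL 456 -> $EXTERNAL any (msg: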
"IDS94/trojan-active-hackersparadise"; flags: SA;) alert TCP $INTERNAL 4567 -> $EXTERNAL any (msg: "IDS102/trojan-active-filenail"; flags: SA;) alert TCP $INTERNAL 4950 -> $EXTERNAL any (msg: "IDS92/trojan-active-icq"; flags: SA;) alert TCP $INTERNAL 5011 -> $EXTERNAL any (msg: "IDS73/trojan-active-ootlt"; flags: SA;) alert TCP $INTERNAL 5031 -> $EXTERNAL any (msg: "IDS79/trojan-active-netmetro"; flags: SA;) alert TCP $INTERNAL 50766 -> $EXTERNAL any (msg: "IDS101/trojan-active-fore-schwindler"; flags: SA;) alert TCP $INTERNAL 51966 -> $EXTERNAL 1010:1100 (msg: "IDS293/backdoor.CAFEini0.9"; flags: AP; content: "CAFEiNi 0.9 (cafeini@vi";) alert TCP $INTERNAL 53001 -> $EXTERNAL any (msg: "IDS65/trojan-active-remoteshutdown"; flags: SA;) alert TCP $INTERNAL 5400 -> $EXTERNAL any (msg: "IDS110/trojan-active-bladerunner"; flags: SA;) alert TCP $INTERNAL 54321 -> $EXTERNAL any (msg: "IDS63/trojan-active-schoolbus"; flags: SA;) alert TCP $INTERNAL 5521 -> $EXTERNAL any (msg: "IDS91/trojan-active-illusionmailer"; flags: SA;) alert TCP $INTERNAL 555 -> $EXTERNAL any (msg: "IDS53/trojan-active-stealthspy-phase0-netadmin"; flags: SA;) alert TCP $INTERNAL 5550 -> $EXTERNAL any (msg: "IDS34/trojan-active-xtcp2"; flags: SA;) alert TCP $INTERNAL 5556 -> $EXTERNAL any (msg: "IDS299/trojan-h0rtiga"; flags: AP; content: "Win9x.h0rtiga";) alert TCP $INTERNAL 5569 -> $EXTERNAL any (msg: "IDS64/trojan-active-robohack"; flags: SA;) alert TCP $INTERNAL 5632 -> $EXTERNAL any (msg: "IDS240/pcanywhere-failed"; flags: AP; content: "Invalid login"; depth: 16;) alert TCP $INTERNAL 57341 -> $EXTERNAL any (msg: "IDS77/trojan-active-netraider"; flags: SA;) alert TCP $INTERNAL 5742 -> $EXTERNAL any (msg: "IDS36/trojan-active-wincrash"; flags: SA;) alert TCP $INTERNAL 61466 -> $EXTERNAL any (msg: "IDS49/trojan-active-telecommando"; flags: SA;) alert TCP $INTERNAL 6400 -> $EXTERNAL any (msg: "IDS45/trojan-active-thething"; flags: SA;) alert TCP $INTERNAL 65000 -> $EXTERNAL any (msg: 
"IDS104/trojan-active-devil103"; flags: SA;) alert TCP $INTERNAL 666 -> $EXTERNAL 1024: (msg: "IDS316/Backdoor.SatansBackdoor.2.0.Beta"; flags: AP; content: "Remote|3A| You are connected to me.";) alert TCP $INTERNAL 666 -> $EXTERNAL any (msg: "IDS112/trojan-active-attackftp"; flags: SA;) alert TCP $INTERNAL 6669 -> $EXTERNAL any (msg: "IDS39/trojan-active-vampire"; flags: SA;) alert TCP $INTERNAL 6670 -> $EXTERNAL any (msg: "IDS106/trojan-active-deepthroat"; flags: SA;) alert TCP $INTERNAL 6789 -> $EXTERNAL any (msg: "IDS312/trojan-active-Doly2.0"; flags: AP; content: "|57 74 7a 75 70 20 55 73 65|"; depth: 32;) alert TCP $INTERNAL 6883 -> $EXTERNAL any (msg: "IDS105/trojan-active-deltasource"; flags: SA;) alert TCP $INTERNAL 6939 -> $EXTERNAL any (msg: "IDS89/trojan-active-indoctrination"; flags: SA;) alert TCP $INTERNAL 6969 -> $EXTERNAL any (msg: "IDS99/trojan-active-gatecrasher"; flags: SA;) alert TCP $INTERNAL 7161 -> $EXTERNAL any (msg: "IDS129/cisco-catalyst-remote-access"; flags: SA;) alert TCP $INTERNAL 722 -> $EXTERNAL any (msg: "IDS280/ssh-freebsd40-port"; dsize: <40; flags: AP; content: "SSH-"; depth: 5;) alert TCP $INTERNAL 7306 -> $EXTERNAL any (msg: "IDS78/trojan-active-netmonitor"; flags: SA;) alert TCP $INTERNAL 777 -> $EXTERNAL any (msg: "IDS114/trojan-active-aimspy"; flags: SA;) alert TCP $INTERNAL 80 -> $EXTERNAL any (msg: "IDS233/web-cgi-php-version"; flags: AP; content: "PHP/FI Version 2.0b";) alert TCP $INTERNAL 80 -> $EXTERNAL any (msg: "IDS276/http-cgi-bugzilla-exploit"; flags: AP; content: "blaat@blaat.com"; nocase; content: "process_bug.cgi"; offset: 5; depth: 64; nocase;) alert TCP $INTERNAL 80 -> $EXTERNAL any (msg: "IDS400/BackOrifice1-web"; flags: AP; content: "server|3a| BO|2f|";) alert TCP $INTERNAL 9400 -> $EXTERNAL any (msg: "IDS90/trojan-active-incommand"; flags: SA;) alert TCP $INTERNAL 9872 -> $EXTERNAL any (msg: "IDS70/trojan-active-portalofdoom"; flags: SA;) alert TCP $INTERNAL 9889 -> $EXTERNAL any (msg: 
"IDS88/trojan-active-inikiller"; flags: SA;) alert TCP $INTERNAL 9999 -> $EXTERNAL any (msg: "IDS48/trojan-active-theprayer1"; flags: SA;) alert TCP $INTERNAL :1024 -> $EXTERNAL any (msg: "IDS253/ddos-shaft-synflood-outgoing"; seq: 674711609; flags: S;) alert TCP $INTERNAL any -> $EXTERNAL 80 (msg: "IDS214/client-netscape47-overflow-unsucessful"; flags: AP; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|";) alert TCP $INTERNAL any -> $EXTERNAL any (msg: "IDS295/trojan-netscape-java-brownorifice"; flags: AP; content: "/BrownOrifice/BOHTTPD.css";) alert UDP $EXTERNAL 31790 -> $INTERNAL 31789 (msg: "IDS314/trojan-probe-hack-a-tack"; content: "A"; depth: 1;) alert UDP $EXTERNAL 5881 -> $INTERNAL 5882 (msg: "IDS306/trojan-Y3K-Rat-1.3"; content: "Y3K"; depth: 3;) alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS10/portmap-request-rstatd"; content: "|01 86 A0 00 00|"; depth: 8; offset: 40;) alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS12/portmap-request-ypserv"; content: "|01 86 A4 00 00|"; depth: 8; offset: 40;) alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS125/portmap-request-ypupdated"; content: "|01 86 BC 00 00|"; depth: 8; offset: 40;) alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS13/portmap-request-mountd"; content: "|01 86 A5 00 00|"; depth: 8; offset: 40;) alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS133/portmap-request-rusers"; content: "|01 86 A2 00 00|"; depth: 8; offset: 40;) alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS14/portmap-request-yppasswd"; content: "|01 86 A9 00 00|"; depth: 8; offset: 40;) alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS15/portmap-request-status"; content: "|01 86 B8 00 00|"; depth: 8; offset: 40;) alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS16/portmap-request-bootparam"; content: "|01 86 BA 00 00|"; depth: 8; offset: 40;) alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS17/portmap-request-cmsd"; content: "|01 86 E4 00 00|"; depth: 8; offset: 40;) alert UDP $EXTERNAL any -> 
$INTERNAL 111 (msg: "IDS18/portmap-request-admind"; content: "|01 86 F7 00 00|"; depth: 8; offset: 40;) alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS19/portmap-request-amountd"; content: "|01 87 03 00 00|"; depth: 8; offset: 40;) alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS20/portmap-request-sadmind"; content: "|01 87 88 00 00|"; depth: 8; offset: 40;) alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS21/portmap-request-nisd"; content: "|01 87 cc 00 00|"; depth: 8; offset: 40;) alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS22/portmap-request-pcnfsd"; content: "|02 49 f1 00 00|"; depth: 8; offset: 40;) alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS23/portmap-request-rexd"; content: "|01 86 B1 00 00|"; depth: 8; offset: 40;) alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS24/portmap-request-ttdbserv"; content: "|01 86 F3 00 00|"; depth: 8; offset: 40;) alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS25/portmap-request-selection_svc"; content: "|01 86 AF 00 00|"; depth: 8; offset: 40;) alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS407/portmap-request-nlockmgr"; rpc: 100021,*,*;) alert UDP $EXTERNAL any -> $INTERNAL 137 (msg: "IDS177/netbios-name-query"; content: "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|00 00|";) alert UDP $EXTERNAL any -> $INTERNAL 161 (msg: "IDS333/SNMP-NT-UserList"; content: "|2b 06 10 40 14 d1 02 19|";) alert UDP $EXTERNAL any -> $INTERNAL 18753 (msg: "IDS255/ddos-shaft-handler-to-agent"; content: "alive tijgu";) alert UDP $EXTERNAL any -> $INTERNAL 27444 (msg: "IDS186/trin00-master-to-daemon-png"; content: "png l44";) alert UDP $EXTERNAL any -> $INTERNAL 27444 (msg: "IDS197/trin00-master-to-daemon"; content: "l44adsl";) alert UDP $EXTERNAL any -> $INTERNAL 31335 (msg: "IDS185/trin00-daemon-to-master"; content: "*HELLO*";) alert UDP $EXTERNAL any -> $INTERNAL 31337 (msg: "IDS188/probe-back-orifice";) alert UDP $EXTERNAL any -> $INTERNAL 31337 (msg: "IDS397/BackOrifice1-scan"; content: "|ce63 d1d2 16e7 13cf 38a5 a586|";) 
alert UDP $EXTERNAL any -> $INTERNAL 31337 (msg: "IDS398/BackOrifice1-dir"; content: "|ce63 d1d2 16e7 13cf 3ca5 a586|";) alert UDP $EXTERNAL any -> $INTERNAL 31337 (msg: "IDS399/BackOrifice1-info"; content: "|ce63 d1d2 16e7 13cf 39a5 a586|";) alert UDP $EXTERNAL any -> $INTERNAL 32770: (msg: "IDS136/rpc-rusers-query"; content: "|00 00 00 00 00 00 00 02 00 01 86 A2|";) alert UDP $EXTERNAL any -> $INTERNAL 32770: (msg: "IDS9/rpc-rstatd-query"; content: "|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset: 5;) alert UDP $EXTERNAL any -> $INTERNAL 49 (msg: "IDS408/XTACACS-logout"; content: "|8007 0000 0700 0004 0000 0000 00|";) alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS277/named-probe-iquery"; content: "|0980 0000 0001 0000 0000|"; depth: 16; offset: 2;) alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS278/named-probe-version"; content: "|07|version|04|bind"; depth: 32; offset: 12; nocase;) alert UDP $EXTERNAL any -> $INTERNAL 5632 (msg: "IDS239/pcanywhere-start"; content: "ST"; depth: 2;) alert UDP $EXTERNAL any -> $INTERNAL 69 (msg: "IDS137/TFTP-parent_directory"; content: "..";) alert UDP $EXTERNAL any -> $INTERNAL 69 (msg: "IDS138/TFTP-root_directory"; content: "|00 01|/";) alert UDP $EXTERNAL any -> $INTERNAL 69 (msg: "IDS148/TFTP write"; content: "|00 02|"; depth: 2;) alert UDP $EXTERNAL any -> $INTERNAL 69 (msg: "IDS382/TFTP-passwd"; content: "|0001|/etc/passwd";) alert UDP $EXTERNAL any -> $INTERNAL 69 (msg: "IDS383/TFTP-group"; content: "|0001|/etc/group";) alert UDP $EXTERNAL any -> $INTERNAL 7 (msg: "IDS363/SCAN-Cybercop-UDP-bomb"; content: "cybercop";) alert UDP $EXTERNAL any -> $INTERNAL 9 (msg: "IDS262/dos-ascend-reboot"; content: "|4e414d454e414d45|"; depth: 50; offset: 25;) alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS115/Traceroute UDP"; ttl: 1;) alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS247/large-udp"; dsize: >800;) alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS308/Webtrends Scanner UDP Probe"; content: "|0A 68 65 6C 70 0A 71 
75 69 74 0A|";) alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS343/OVERFLOW-LinuxCommonUDP"; content: "|90 90 90 e8 c0 ff ff ff|/bin/sh";) alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS344/OVERFLOW-NOOP-Solaris-udp"; content: "|801c 4011 801c 4011 801c 4011 801c 4011|";) alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS345/OVERFLOW-NOOP-Sparc-udp"; content: "|13c0 1ca6 13c0 1ca6 13c0 1ca6 13c0 1ca6|";) alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS346/OVERFLOW-NOOP-Sparc-udp2"; content: "|a61c c013 a61c c013 a61c c013 a61c c013|";) alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS347/OVERFLOW-NOOP-SGI-udp"; content: "|240f 1234 240f 1234 240f 1234 240f 1234|";) alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS348/OVERFLOW-NOOP-SGI-udp2"; content: "|03e0 f825 03e0 f825 03e0 f825 03e0 f825|";) alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS349/OVERFLOW-NOOP-HP-udp"; content: "|0821 0280 0821 0280 0821 0280 0821 0280|";) alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS350/OVERFLOW-NOOP-HP-udp2"; content: "|0b39 0280 0b39 0280 0b39 0280 0b39 0280|";) alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS351/OVERFLOW-NOOP-AIX-udp"; content: "|4fff fb82 4fff fb82 4fff fb82 4fff fb82|";) alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS352/OVERFLOW-NOOP-Digital-udp"; content: "|47 ff 04 1f 47 ff 04 1f 47 ff 04 1f 47 ff 04 1f|";) alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS362/shellcode-x86-nops-udp"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|";) alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS418/SourceRoute-UDP-lssr"; ipopts: lsrr ;) alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS420/SourceRoute-UDP-lssre"; ipopts: lsrre ;) alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS422/SourceRoute-UDP-ssrr"; ipopts: ssrr ;) alert UDP $INTERNAL 2140 -> $EXTERNAL any (msg: "IDS405/DeepThroat-ACTIVE"; content: "--Ahhhhhhhhhh";) alert UDP $INTERNAL 28431 -> $EXTERNAL 28432 (msg: 
"IDS289/trojan-active-hack-a-tack-2000"; content: "H"; depth: 1;) alert UDP $INTERNAL 31337 -> $EXTERNAL any (msg: "IDS189/trojan-active-back-orifice";) alert UDP $INTERNAL any -> $EXTERNAL 20433 (msg: "IDS256/ddos-shaft-agent-to-handler"; content: "alive";) alert UDP 255.255.255.255/32 any -> $INTERNAL any (msg: "IDS201/backdoor-Q-udp"; dsize: >1;) alert UDP any any -> any 31335 (msg: "IDS187/trin00-daemon-to-master-pong"; content: "PONG";) #end arachNIDS export