# _ _ _ ___ ___ ___
# __ _ _ __ _ ____| |_ | \| |_ _| \/ __|
# / _` | '_/ _` / _| ' \| .` || || |) \__ \
# \__,_|_| \__,_\__|_||_|_|\_|___|___/|___/
#=====[ arachNIDS event signatures export for SNORT ]====
#
# These signatures have been generated dynamically and exported
# from arachNIDS (Advanced Reference Archive of Current Heuristics
# for Network Intrusion Detection Systems). This file can be used
# as a configuration file with the SNORT IDS to detect attacks or
# suspicious activity on your network.
#
# TERMS: These signatures are provided as dynamically constructed
#        exported data from the arachNIDS database. You may use
#        these signatures in your own IDS systems (private or
#        commercial) but they may not be used in a commercial
#        product, nor offered for sale as a part of another product
#        without express permission (contact us). You may repost
#        these signatures ONLY if you credit arachNIDS or the
#        signature author as the source so that users who have
#        questions know where to look for more information.
#
# Please see http://whitehats.com/ids/ for signature details/credit.
#
# Contact: vision@whitehats.com
#
######### Export date: 20010628.1006
# This file contains a sample configuration that you should customize
# before using on your network. Set $INTERNAL to the IP address range(s)
# that an intruder could reach from the Internet.
# You may use multiple
# network ranges, such as the following examples:
# (single host) var INTERNAL 23.23.23.23/32
# (class c network) var INTERNAL 23.23.23.0/24
# (two networks) var INTERNAL [23.23.1.0/24,23.23.2.0/24]
var INTERNAL any
var EXTERNAL !$INTERNAL
# add preprocessors here
preprocessor defrag
preprocessor stream2: timeout 23, ports 21 23 25 80 110 143, maxbytes 16384
preprocessor telnet_decode
preprocessor http_decode: 80 2301
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor portscan: $INTERNAL 5 5 portscan
# classification for use with a management interface
# low risk
config classification: not-suspicious,policy traffic that is not suspicious,0
config classification: suspicious,suspicious miscellaneous traffic,1
config classification: info-failed,failed information gathering attempt,2
config classification: relay-failed,failed relay attempt,3
config classification: data-failed,failed data integrity attempt,4
config classification: system-failed,failed system integrity attempt,5
config classification: client-failed,failed client integrity attempt,6
# med risk
config classification: denialofservice,denial of service,7
config classification: info-attempt,information gathering attempt,8
config classification: relay-attempt,relay attempt,9
config classification: data-attempt,data integrity attempt,10
config classification: system-attempt,system integrity attempt,11
config classification: client-attempt,client integrity attempt,12
config classification: data-or-info-attempt,data integrity or information gathering attempt,13
config classification: system-or-info-attempt,system integrity or information gathering attempt,14
config classification: relay-or-info-attempt,relay or information gathering attempt,15
# high risk
config classification: info-success,successful information gathering attempt,16
config classification: relay-success,successful relay attempt,17
config classification: data-success,successful data integrity attempt,18
config
classification: system-success,successful system integrity attempt,19 config classification: client-success,successful client integrity attempt,20 # uncomment output options if you need them, or use snort command line # output alert_syslog: LOG_AUTH LOG_ALERT # output log_tcpdump: snort.log # output database: log, mysql, user=root password=test dbname=snort18 host=localhost # output database: log, postgresql, user=snort dbname=snort # output database: log, unixodbc, user=snort dbname=snort # output xml: log, file=/var/log/snortxml ### EXPLOIT-SPECIFIC WITH CONTENT CHECK # These signatures are very specific to a particular exploit or # tool. It is unlikely that they will detect other exploits or # tools that act against the same vulnerability. They are # considered first because they also match for packet contents. ########### (total: 175) alert TCP $EXTERNAL any -> $INTERNAL 27665 (msg: "IDS525/ddos_ddos-trin00-attacker-to-master-gOrave"; flags: A+; content: "gOrave"; classtype: system-success; reference: arachnids,525;) alert TCP $INTERNAL 80 -> $EXTERNAL any (msg: "IDS400/trojan_trojan-active-BackOrifice1-web"; flags: A+; content: "server|3a| BO|2f|"; classtype: system-success; reference: arachnids,400;) alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS296/web-misc_http-whisker-splicing-attack-space"; dsize: <5; flags: A+; content: "|20|"; classtype: suspicious; reference: arachnids,296;) alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS451/ftp_ftp-solaris28-formatstring"; flags: A+; content: "|901BC00F 82102017 91D02008|"; classtype: system-attempt; reference: arachnids,451;) alert TCP $EXTERNAL any -> $INTERNAL 515 (msg: "IDS456/lpr_LPRng-redhat7-overflow-rdC"; flags: A+; content: "|43 07 89 5B 08 8D 4B 08 89 43 0C B0 0B CD 80 31 C0 FE C0 CD 80 E8 94 FF FF FF 2F 62 69 6E 2F 73 68 0A|"; classtype: system-attempt; reference: arachnids,456;) alert ICMP $INTERNAL any -> $EXTERNAL any (msg: "IDS195/ddos_ddos-stacheldraht server-response-gag"; itype: 0; icmp_id: 
669; content: "sicken"; classtype: system-success; reference: arachnids,195;) alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS430/web-cgi_http-php_strings_exploit-portal-tf8"; flags: A+; content: "?STRENGUR "; classtype: system-attempt; reference: arachnids,430;) alert ICMP any any -> any any (msg: "IDS425/ddos_ddos-tfn2k-icmp_possible_communication"; itype: 0; icmp_id: 0; content: "AAAAAAAAAA"; classtype: system-success; reference: arachnids,425;) alert TCP $INTERNAL 666 -> $EXTERNAL any (msg: "IDS508/trojan_trojan-active-BackConstruction 2.1 ftp open reply"; flags: A+; content: "FTP Port open"; classtype: system-success; reference: arachnids,508;) alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS132/finger_finger-cybercop-query"; flags: A+; content: "|0A 20 20 20 20 20|"; depth: 10; classtype: info-attempt; reference: arachnids,132;) alert TCP $EXTERNAL 1024: -> $INTERNAL 2589 (msg: "IDS483/trojan_trojan-dagger_1.4.0_client_connect"; flags: A+; content: "|0b 00 00 00 07 00 00 00|Connect"; depth: 16; classtype: system-attempt; reference: arachnids,483;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS164/icmp_Ping Ping-O-Meter Windows"; itype: 8; content: "|4f4d657465724f6265736541726d6164|"; depth: 32; classtype: info-attempt; reference: arachnids,164;) alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS446/ftp_ftp-openbsd-teso"; flags: A+; content: " |90 31 C0 99 52 52 B017 CD80 68 CC 73 68|"; classtype: system-attempt; reference: arachnids,446;) alert TCP $INTERNAL 12346 -> $EXTERNAL any (msg: "IDS402/trojan_trojan-active-netbus-12346"; flags: A+; content: "NetBus"; classtype: system-success; reference: arachnids,402;) alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS372/scan_scanner-cybercop-smtp-ehlo"; flags: A+; content: "ehlo cybercop|0a|quit|0a|"; nocase; classtype: info-attempt; reference: arachnids,372;) alert UDP $EXTERNAL any -> $INTERNAL 27444 (msg: "IDS197/ddos_ddos-trin00-master-to-daemon"; content: "l44adsl"; classtype: system-success; 
reference: arachnids,197;) alert TCP $INTERNAL 1024: -> $EXTERNAL 25 (msg: "IDS499/trojan_worm-QAZ calling home"; flags: A+; content: "nongmin_cn"; classtype: system-success; reference: arachnids,499;) alert TCP $EXTERNAL 113 -> $INTERNAL 25 (msg: "IDS140/smtp_smtp-exploit869b"; flags: A+; content: "|0a|D/"; classtype: system-attempt; reference: arachnids,140;) alert UDP $EXTERNAL any -> $INTERNAL 31337 (msg: "IDS397/trojan_trojan-BackOrifice1-scan"; content: "|ce63 d1d2 16e7 13cf 38a5 a586|"; classtype: system-or-info-attempt; reference: arachnids,397;) alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS285/ftp_ftp-wuftp260-siteexec-probe"; flags: A+; content: "SITE EXEC %p"; depth: 16; nocase; classtype: info-attempt; reference: arachnids,285;) alert TCP $INTERNAL 80 -> $EXTERNAL any (msg: "IDS233/web-cgi_http-cgi-php-version"; flags: A+; content: "PHP|2f|FI Version 2.0b"; classtype: not-suspicious; reference: arachnids,233;) alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS288/ftp_ftp-wuftp260-venglin-bsd"; flags: A+; content: "|31c0 50 50 50 b07e cd80 31db 31c0|"; depth: 32; classtype: system-attempt; reference: arachnids,288;) alert UDP any any -> any 31335 (msg: "IDS187/ddos_ddos-trin00-daemon-to-master-pong"; content: "PONG"; classtype: system-success; reference: arachnids,187;) alert UDP $EXTERNAL any -> $INTERNAL 7 (msg: "IDS363/scan_scanner-cybercop-udpbomb"; content: "cybercop"; classtype: info-attempt; reference: arachnids,363;) alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS489/dns_named-exploit-tsig-lsd"; content: "|3F 909090 EB3B 31DB 5F 83EF7C 8D7710 897704 8D4F20|"; classtype: system-attempt; reference: arachnids,489;) alert TCP $INTERNAL any -> $EXTERNAL 80 (msg: "IDS214/client_client-netscape47-overflow-unsuccessful"; flags: A+; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|"; classtype: client-failed; reference: arachnids,214;) alert UDP any any -> any 6838 (msg: "IDS532/ddos_ddos-mstream-agent_pong_to_handler"; content: 
"pong"; classtype: system-success; reference: arachnids,532;) alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS1/ftp_worm-ADMw0rm_ftp_retrieval"; flags: A+; content: "USER w0rm|0D0A|"; depth: 32; classtype: system-success; reference: arachnids,1;) alert TCP $EXTERNAL any -> $INTERNAL 23 (msg: "IDS526/telnet_telnet-backdoor-solaris-StoogR"; flags: A+; content: "StoogR"; classtype: system-attempt; reference: arachnids,526;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS171/icmp_ping zeros"; itype: 8; content: "|00000000000000000000000000000000|"; depth: 32; classtype: info-attempt; reference: arachnids,171;) alert UDP $INTERNAL 28431 -> $EXTERNAL 28432 (msg: "IDS289/trojan_trojan-active-hack-a-tack-2000"; content: "H"; depth: 1; classtype: system-success; reference: arachnids,289;) alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS490/dns_named-exploit-tsig-lucysoft"; content: "|5e 29c0 894610 40 89c3 89460c 40 894608 8d4e08 b066 cd80|"; classtype: system-attempt; reference: arachnids,490;) alert TCP $INTERNAL 5556 -> $EXTERNAL any (msg: "IDS299/trojan_trojan-h0rtiga"; flags: A+; content: "Win9x.h0rtiga"; classtype: system-success; reference: arachnids,299;) alert UDP $INTERNAL any -> $EXTERNAL 20433 (msg: "IDS256/ddos_ddos-shaft-agent-to-handler"; content: "alive"; classtype: system-success; reference: arachnids,256;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS168/icmp_Ping Whatsup Gold Windows"; itype: 8; content: "|57686174735570202d2041204e657477|"; depth: 32; classtype: info-attempt; reference: arachnids,168;) alert TCP $EXTERNAL 113 -> $INTERNAL 25 (msg: "IDS139/smtp_smtp-exploit869a"; flags: A+; content: "|0a|C|3a|daemon|0a|R"; classtype: system-attempt; reference: arachnids,139;) alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS329/scan_scan-satan-ftpcheck"; flags: A+; content: "pass -satan"; classtype: info-attempt; reference: arachnids,329;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS281/icmp_ping from Sniffer Pro NAI WinNT"; 
itype: 8; content: "|43696e636f30313233343536373839|"; depth: 32; classtype: info-attempt; reference: arachnids,281;) alert TCP $INTERNAL 12345 -> $EXTERNAL any (msg: "IDS401/trojan_trojan-active-netbus-12345"; flags: A+; content: "NetBus"; classtype: system-success; reference: arachnids,401;) alert TCP $INTERNAL 16484 -> $EXTERNAL any (msg: "IDS478/trojan_trojan-active-mosucker11"; flags: A+; content: "KEY|3d|"; depth: 5; classtype: system-success; reference: arachnids,478;) alert TCP $EXTERNAL any -> $INTERNAL 23 (msg: "IDS518/telnet_telnet-backdoor-linux-ohara"; flags: A+; content: "gkfkqo79"; classtype: system-attempt; reference: arachnids,518;) alert TCP $INTERNAL 146 -> $EXTERNAL 1024: (msg: "IDS315/trojan_trojan-active-Infector.1.x"; flags: A+; content: "WHATISIT"; classtype: system-success; reference: arachnids,315;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS157/icmp_Ping IPNetMonitor Macintosh"; itype: 8; content: "|a9205375737461696e61626c6520536f|"; depth: 32; classtype: info-attempt; reference: arachnids,157;) alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS309/scan_scanner-webtrends-HTTP Probe"; flags: A+; content: "User-Agent|3a| Webtrends Security Analyzer|0d0a|"; classtype: info-attempt; reference: arachnids,309;) alert TCP $EXTERNAL any -> $INTERNAL 7597 (msg: "IDS501/trojan_worm-QAZ client login"; flags: A+; content: "qazwsx.hsq"; classtype: system-attempt; reference: arachnids,501;) alert UDP $INTERNAL 2140 -> $EXTERNAL any (msg: "IDS405/trojan_trojan-active-DeepThroat"; content: "--Ahhhhhhhhhh"; classtype: system-success; reference: arachnids,405;) alert TCP $EXTERNAL any -> $INTERNAL 457 (msg: "IDS180/web-misc_http-netscape-overflow-unixware"; flags: A+; content: "|eb 5f 9a ff ff ff ff 07 ff c3 5e 31 c0 89 46 9d|"; classtype: system-attempt; reference: arachnids,180;) alert TCP $EXTERNAL any -> $INTERNAL 666 (msg: "IDS507/trojan_trojan-active-BackConstruction 2.1 ftp open request"; flags: A+; content: "FTPON"; classtype: 
system-attempt; reference: arachnids,507;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS178/scan_Ping CyberCop55"; itype: 8; icmp_seq: 18467; content: "|00 00 20 20 20 20 20 20 20 20 20|"; depth: 18; offset: 7; classtype: info-attempt; reference: arachnids,178;) alert TCP $EXTERNAL any -> $INTERNAL 143 (msg: "IDS147/imap_imap-x86-linux-buffer-overflow"; dsize: >100; flags: A+; content: "|e8 c0ff ffff|/bin/sh"; classtype: system-attempt; reference: arachnids,147;) alert TCP $EXTERNAL any -> $INTERNAL 23 (msg: "IDS510/telnet_telnet-backdoor-w00w00"; flags: A+; content: "w00w00"; classtype: system-attempt; reference: arachnids,510;) alert TCP $EXTERNAL 16959 -> $INTERNAL any (msg: "IDS500/trojan_trojan-subseven defcon8 2.1 access"; flags: A+; content: "PWD"; content: "acidphreak"; nocase; classtype: system-success; reference: arachnids,500;) alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS263/trojan_trojan-active-cdk"; flags: A+; content: "ypi0ca"; depth: 15; nocase; classtype: system-success; reference: arachnids,263;) alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS491/dns_named-exploit-tsig-tsig0wn"; content: "|eb3b 5e 31c0 31db b0a0 893406 8d4e07 8819 41 b0a4 890c06|"; classtype: system-attempt; reference: arachnids,491;) alert TCP $EXTERNAL any -> $INTERNAL 23 (msg: "IDS527/telnet_telnet-backdoor-freebsd-h0tb0x"; flags: A+; content: "h0tb0x"; classtype: system-attempt; reference: arachnids,527;) alert TCP $EXTERNAL 113 -> $INTERNAL 25 (msg: "IDS142/smtp_smtp-exploit869d"; flags: A+; content: "|0a|Croot|0a|Mprog"; classtype: system-attempt; reference: arachnids,142;) alert TCP $EXTERNAL any -> $INTERNAL 27665 (msg: "IDS528/ddos_ddos-trin00-attacker-to-master-killme"; flags: A+; content: "killme"; classtype: system-success; reference: arachnids,528;) alert TCP $INTERNAL 31785 -> $EXTERNAL any (msg: "IDS504/trojan_trojan-active-HackAttack 1.20"; flags: A+; content: "host"; classtype: system-success; reference: arachnids,504;) alert ICMP $EXTERNAL any -> 
$INTERNAL any (msg: "IDS166/icmp_Ping Seer Windows"; itype: 8; content: "|88042020202020202020202020202020|"; depth: 32; classtype: info-attempt; reference: arachnids,166;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS192/ddos_ddos-stacheldraht client-spoofworks"; itype: 0; icmp_id: 1000; content: "spoofworks"; classtype: system-success; reference: arachnids,192;) alert TCP $EXTERNAL any -> $INTERNAL 7070 (msg: "IDS411/dos_dos-realaudio"; flags: A+; content: "|fff4 fffd 06|"; classtype: denialofservice; reference: arachnids,411;) alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS211/web-cgi_http-cgi-w3-msql-solx86"; flags: A+; content: "/bin/shA-cA/usr/openwin"; classtype: system-attempt; reference: arachnids,211;) alert TCP $INTERNAL 16484 -> $EXTERNAL any (msg: "IDS477/trojan_trojan-active-mosucker11-badlogin"; flags: A+; content: "Wrong Password"; depth: 16; classtype: system-success; reference: arachnids,477;) alert TCP $EXTERNAL 113 -> $INTERNAL :1024 (msg: "IDS123/smtp_smtp-exploit8610"; flags: A+; content: "Croot|0d0a|Mprog, P=/bin/"; classtype: system-attempt; reference: arachnids,123;) alert TCP $EXTERNAL any -> $INTERNAL 23 (msg: "IDS517/telnet_telnet-backdoor-solaris-fasune"; flags: A+; content: "fasune"; classtype: system-attempt; reference: arachnids,517;) alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS172/smtp_smtp-exploit558"; flags: A+; content: "|7c 73 65 64 20 2d 65 20 27 31 2c 2f 5e 24 2f 27|"; classtype: system-attempt; reference: arachnids,172;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS151/icmp_Ping BeOS 4.x"; itype: 8; content: "|00000000000000000000000008090a0b|"; depth: 32; classtype: info-attempt; reference: arachnids,151;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS190/ddos_ddos-stacheldraht client-check"; itype: 0; icmp_id: 666; content: "skillz"; classtype: info-attempt; reference: arachnids,190;) alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS431/web-cgi_http-php_strings_exploit-atstake"; flags: A+; 
content: "|ba49feffff f7d2 b9bfffffff f7d1|"; classtype: system-attempt; reference: arachnids,431;) alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS145/scan_cybercop-os-probe-sfp"; ack: 0; flags: SFP; content: "AAAAAAAAAAAAAAAA"; depth: 16; classtype: info-attempt; reference: arachnids,145;) alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS371/scan_scanner-cybercop-smtp-expn"; flags: A+; content: "expn cybercop"; nocase; classtype: info-attempt; reference: arachnids,371;) alert UDP $EXTERNAL 31790 -> $INTERNAL 31789 (msg: "IDS314/trojan_trojan-probe-hack-a-tack"; content: "A"; depth: 1; classtype: info-attempt; reference: arachnids,314;) alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS310/scan_scanner-L3retriever-HTTP Probe"; flags: A+; content: "User-Agent|3a| Java1.2.1|0d0a|"; classtype: info-attempt; reference: arachnids,310;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS449/icmp_ping-Nemesis v1.1 Echo"; dsize: 20; itype: 8; icmp_id: 0; icmp_seq: 0; content: "|0000000000000000000000000000000000000000|"; classtype: info-attempt; reference: arachnids,449;) alert TCP $INTERNAL 6789 -> $EXTERNAL any (msg: "IDS312/trojan_trojan-active-Doly2.0"; flags: A+; content: "|57 74 7a 75 70 20 55 73 65|"; depth: 32; classtype: system-success; reference: arachnids,312;) alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS122/smtp_smtp-exploit565"; flags: A+; content: "MAIL FROM|3a207c|/usr/ucb/tail"; classtype: system-attempt; reference: arachnids,122;) alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS149/scan_cybercop-os-probe-pa12"; flags: AP12; content: "AAAAAAAAAAAAAAAA"; depth: 16; classtype: info-attempt; reference: arachnids,149;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS156/icmp_Ping from Flowpoint2200 or Network Management Software"; itype: 8; content: "|0102030405060708090a0b0c0d0e0f10|"; depth: 32; classtype: info-attempt; reference: arachnids,156;) alert TCP $EXTERNAL any -> $INTERNAL 515 (msg: "IDS457/lpr_LPRng-redhat7-overflow-security.is"; 
flags: A+; content: "|31DB 31C9 31C0 B046 CD80 89E5 31D2 B266 89D0 31C9 89CB|"; nocase; classtype: system-attempt; reference: arachnids,457;) alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS257/ftp_dos-aix-ftpd"; dsize: >1300; flags: A+; content: "CEL"; nocase; classtype: denialofservice; reference: arachnids,257;) alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS458/ftp_ftp-wuftp260-tf8"; flags: A+; content: "|31C0 31DB 31C9 B046 CD80 31C0 31DB 43 89D941 B03F CD80|"; classtype: system-attempt; reference: arachnids,458;) alert TCP $EXTERNAL any -> $INTERNAL 9001 (msg: "IDS302/misc_printer-hp-display-hack"; flags: A+; content: "@PJL RDYMSG DISPLAY = "; depth: 32; classtype: data-attempt; reference: arachnids,302;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS163/icmp_Ping OpenBSD-Linux"; itype: 8; content: "|101112131415161718191a1b1c1d1e1f|"; depth: 32; classtype: info-attempt; reference: arachnids,163;) alert UDP $EXTERNAL any -> $INTERNAL 100:2000 (msg: "IDS543/rpc_rpc.yppasswdd-solaris-mray"; rpc: 100009,*,*; content: "|801c4011 20bfffff 20bfffff 7fffffff 9003e050|"; classtype: system-attempt; reference: arachnids,543;) alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS245/smtp_smtp-cmail-buffer-overflow"; dsize: >500; flags: A+; content: "VRFY AAAAAAAAAAA"; classtype: system-attempt; reference: arachnids,245;) alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS121/smtp_smtp-exploit564"; flags: A+; content: "rcpt to|3a| decode"; classtype: system-attempt; reference: arachnids,121;) alert UDP any any -> any 10498 (msg: "IDS530/ddos_ddos-mstream-handler_to_agent"; content: "stream/"; classtype: system-success; reference: arachnids,530;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS152/icmp_Ping BSDtype"; itype: 8; content: "|08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17|"; depth: 32; classtype: info-attempt; reference: arachnids,152;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS161/icmp_Ping NetworkToolbox3 Windows"; itype: 8; content: 
"|3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d|"; depth: 32; classtype: info-attempt; reference: arachnids,161;) alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS331/scan_scanner-ISS-FTPcheck"; flags: A+; content: "pass -iss@iss"; classtype: info-attempt; reference: arachnids,331;) alert ICMP $INTERNAL any -> $EXTERNAL any (msg: "IDS191/ddos_ddos-stacheldraht server-response"; itype: 0; icmp_id: 667; content: "ficken"; classtype: system-success; reference: arachnids,191;) alert UDP $EXTERNAL any -> $INTERNAL 177 (msg: "IDS476/x11_xdmcp-query"; content: "|00 01 00 03 00 01 00|"; classtype: info-attempt; reference: arachnids,476;) alert UDP $EXTERNAL any -> $INTERNAL 9 (msg: "IDS262/dos_dos-ascend-reboot"; content: "|4e414d454e414d45|"; depth: 50; offset: 25; classtype: denialofservice; reference: arachnids,262;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS307/scan_ping-webtrends-scanner"; itype: 8; icode: 0; content: "|00 00 00 00 45 45 45 45 45 45 45 45 45 45 45 45|"; classtype: info-attempt; reference: arachnids,307;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS194/ddos_ddos-stacheldraht client-check-gag"; itype: 0; icmp_id: 39938; content: "gesundheit!"; classtype: info-attempt; reference: arachnids,194;) alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS119/smtp_smtp-exploit555"; flags: A+; content: "mail from|3a20227c|"; classtype: system-attempt; reference: arachnids,119;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS444/icmp_ping-router"; itype: 8; icode: 0; content: "|0102030405060708090a0b0c0d0e0f|"; depth: 32; classtype: info-attempt; reference: arachnids,444;) alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS453/ftp_ftp-6350wu-formatstring-check"; flags: A+; content: "SITE EXEC |25 30 32 30 64 7C 25 2E 66 25 2E 66 7C 0A|"; depth: 32; nocase; classtype: system-attempt; reference: arachnids,453;) alert TCP $EXTERNAL 555 -> $INTERNAL any (msg: "IDS509/trojan_trojan-active-PhaseZero server"; flags: A+; content: "phAse"; classtype: system-success; 
reference: arachnids,509;) alert TCP $EXTERNAL 80 -> $INTERNAL any (msg: "IDS215/client_client-netscape47-overflow-retrieved"; flags: A+; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|"; classtype: client-attempt; reference: arachnids,215;) alert TCP $EXTERNAL any -> $INTERNAL 1080 (msg: "IDS481/misc_socks-overflow-x86linux"; flags: A+; content: "|eb29 5e 897630 89f0 83c008 894634|"; classtype: system-attempt; reference: arachnids,481;) alert TCP $EXTERNAL any -> $INTERNAL 32771:34000 (msg: "IDS241/rpc_rpc.ttdbserv-solaris-kill"; flags: A+; rpc: 100083,*,*; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; depth: 32; offset: 16; classtype: system-attempt; reference: arachnids,241;) alert TCP $EXTERNAL any -> $INTERNAL 23 (msg: "IDS511/telnet_telnet-backdoor-r00t"; flags: A+; content: "r00t"; classtype: system-attempt; reference: arachnids,511;) alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS286/ftp_ftp-wuftp260-siteexec"; flags: A+; content: "|66 25 2E 66 25 2E 66 25 2E 66 25 2E 66 25 2E|"; depth: 32; classtype: system-attempt; reference: arachnids,286;) alert UDP $EXTERNAL any -> $INTERNAL 32771:34000 (msg: "IDS546/rpc_rpc.sadmind-overflow"; dsize: >999; rpc: 100232,*,*; content: "|9003e05c 92222010 941bc00f ec023ff0|"; classtype: system-attempt; reference: arachnids,546;) alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS273/client_client-sniffit-overflow-linux"; dsize: >512; flags: A+; content: "from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; classtype: client-attempt; reference: arachnids,273;) alert TCP $EXTERNAL any -> $INTERNAL 27665 (msg: "IDS196/ddos_ddos-trin00-attacker-to-master"; flags: A+; content: "betaalmostdone"; classtype: system-success; reference: arachnids,196;) alert TCP $INTERNAL 146 -> $EXTERNAL 1000:1300 (msg: "IDS502/trojan_trojan-active-Infector 1.6 server to client"; flags: A+; content: "WHATISIT"; classtype: system-success; reference: arachnids,502;) alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: 
"IDS11/finger_finger-cybercop-redirection"; dsize: 11; flags: A+; content: "|40 6C 6F 63 61 6C 68 6F 73 74 0A|"; depth: 11; classtype: relay-attempt; reference: arachnids,11;) alert TCP $INTERNAL 80 -> $EXTERNAL any (msg: "IDS276/web-cgi_http-cgi-bugzilla-exploit"; flags: A+; uricontent: "process_bug.cgi"; nocase; content: "blaat@blaat.com"; nocase; classtype: system-attempt; reference: arachnids,276;) alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS415/web-misc_http-whisker-splicing-attack-tab"; dsize: <5; flags: A+; content: "|09|"; classtype: suspicious; reference: arachnids,415;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS154/icmp_ping-CyberKit 2.2 Windows"; itype: 8; content: "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; depth: 32; classtype: info-attempt; reference: arachnids,154;) alert TCP $EXTERNAL any -> $INTERNAL 23 (msg: "IDS370/telnet_telnet-Livingston-DoS"; flags: A+; content: "|fff3 fff3 fff3 fff3 fff3|"; classtype: denialofservice; reference: arachnids,370;) alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS277/dns_named-probe-iquery"; content: "|0980 0000 0001 0000 0000|"; depth: 16; offset: 2; classtype: info-attempt; reference: arachnids,277;) alert TCP $INTERNAL 21 -> $EXTERNAL any (msg: "IDS406/trojan_trojan-active-deepthroat_ftpd"; flags: A+; content: "220 Deep Throat FTP Server Ready"; classtype: system-success; reference: arachnids,406;) alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS535/web-iis_http-iis5-printer-beavuh"; flags: A+; content: "|33 C0 B0 90 03 D8 8B 03 8B 40 60 33 DB B3 24 03 C3|"; classtype: system-attempt; reference: arachnids,535;) alert UDP $EXTERNAL any -> $INTERNAL 31335 (msg: "IDS185/ddos_ddos-trin00-daemon-to-master"; content: "*HELLO*"; classtype: system-success; reference: arachnids,185;) alert TCP $INTERNAL 51966 -> $EXTERNAL 1010:1100 (msg: "IDS293/trojan_trojan-active-CAFEini0.9"; flags: A+; content: "CAFEiNi 0.9 (cafeini@vi"; classtype: system-success; reference: arachnids,293;) alert TCP $EXTERNAL any -> 
$INTERNAL 12346 (msg: "IDS404/trojan_trojan-netbus-getinfo-12346"; flags: A+; content: "GetInfo|0d|"; classtype: system-success; reference: arachnids,404;) alert UDP any any -> any 6838 (msg: "IDS529/ddos_ddos-mstream-handler_to_agent_newserver"; content: "newserver"; classtype: system-success; reference: arachnids,529;) alert TCP $EXTERNAL 1000:1300 -> $INTERNAL 146 (msg: "IDS503/trojan_trojan-active-Infector 1.6 client to server"; flags: A+; content: "FC "; classtype: system-attempt; reference: arachnids,503;) alert TCP $EXTERNAL any -> $INTERNAL 23 (msg: "IDS513/telnet_telnet-backdoor-linux-wh00t!"; flags: A+; content: "wh00t!"; classtype: system-attempt; reference: arachnids,513;) alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS482/dns_named-exploit-infoleak-lsd"; content: "|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01 20 20 20 20 02 61|"; classtype: system-attempt; reference: arachnids,482;) alert TCP $EXTERNAL any -> $INTERNAL 23 (msg: "IDS514/telnet_telnet-backdoor-linux-lrkr0x"; flags: A+; content: "lrkr0x"; classtype: system-attempt; reference: arachnids,514;) alert TCP $INTERNAL any -> $EXTERNAL 27374 (msg: "IDS461/misc_worm-ramen-asp-retrieval-outgoing"; flags: A+; content: "GET "; depth: 8; nocase; classtype: system-success; reference: arachnids,461;) alert TCP $INTERNAL 23476 -> $EXTERNAL any (msg: "IDS506/trojan_trojan-active-DonaldDick 1.53"; flags: A+; content: "pINg"; classtype: system-success; reference: arachnids,506;) alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS308/scan_scanner-webtrends-udp-probe"; content: "|0A 68 65 6C 70 0A 71 75 69 74 0A|"; classtype: info-attempt; reference: arachnids,308;) alert TCP $EXTERNAL any -> $INTERNAL 139 (msg: "IDS498/trojan_worm-QAZ infection"; flags: A+; content: "qazwsx.hsq"; classtype: system-success; reference: arachnids,498;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS167/icmp_Ping TJPingPro 1.1 Build 2 Windows"; itype: 8; content: "|544a50696e6750726f206279204a696d|"; depth: 32; 
classtype: info-attempt; reference: arachnids,167;) alert TCP $EXTERNAL any -> $INTERNAL 23 (msg: "IDS515/telnet_telnet-backdoor-solaris-d13hh"; flags: A+; content: "d13hh["; classtype: system-attempt; reference: arachnids,515;) alert TCP $EXTERNAL 27374 -> $INTERNAL any (msg: "IDS485/trojan_trojan-active-subseven22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; classtype: system-success; reference: arachnids,485;) alert TCP $INTERNAL any -> $EXTERNAL any (msg: "IDS295/client_client-netscape-java-brownorifice"; flags: A+; content: "|2f|BrownOrifice|2f|BOHTTPD.css"; classtype: client-success; reference: arachnids,295;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS155/icmp_Ping Delphi-Piette Windows"; itype: 8; content: "|50696e67696e672066726f6d2044656c|"; depth: 32; classtype: info-attempt; reference: arachnids,155;) alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS323/ftp_ftp-pass-h0tb0x"; flags: A+; content: "pass h0tb0x"; nocase; classtype: system-attempt; reference: arachnids,323;) alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS440/ftp_ftp-wuftp260-linux-venglin-parbobek"; flags: A+; content: "|2e2e3131|venglin@"; classtype: system-attempt; reference: arachnids,440;) alert TCP $INTERNAL any -> $EXTERNAL 1024:65535 (msg: "IDS479/trojan_trojan-active-mosucker21"; flags: A+; content: "MoSucker 2.1 server on"; classtype: system-success; reference: arachnids,479;) alert TCP $INTERNAL 5401:5402 -> $EXTERNAL any (msg: "IDS505/trojan_trojan-active-BackConstruction 2.1"; flags: A+; content: "c|3A|\\"; classtype: system-success; reference: arachnids,505;) alert TCP $EXTERNAL any -> $INTERNAL 27374 (msg: "IDS460/misc_worm-ramen-asp-retrieval-incoming"; flags: A+; content: "GET "; depth: 8; nocase; classtype: system-success; reference: arachnids,460;) alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS124/smtp_smtp-exploit8610ha"; flags: A+; content: "Croot|09090909090909|Mprog, P=/bin"; classtype: system-attempt; reference: arachnids,124;) alert ICMP 
$EXTERNAL any -> $INTERNAL any (msg: "IDS311/scan_ping-scanner-L3retriever"; itype: 8; icode: 0; content: "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth: 32; classtype: info-attempt; reference: arachnids,311;) alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS442/rpc_rpc-statdx-exploit"; flags: A+; rpc: 100024,*,*; content: "/bin|c74604|/sh"; classtype: system-attempt; reference: arachnids,442;) alert TCP $EXTERNAL any -> $INTERNAL 2301 (msg: "IDS497/web-misc_http-compaq-webadmin-overflow"; flags: A+; uricontent: "/Proxy/LoginResponse"; nocase; content: "|c1ec08 c1ed08 31c9 81c141414152 c1e918 e2f9 8d4502 50|"; classtype: system-attempt; reference: arachnids,497;) alert TCP $EXTERNAL any -> $INTERNAL 23 (msg: "IDS520/telnet_telnet-backdoor-sm4ck-hax0r"; flags: A+; content: "hax0r"; classtype: system-attempt; reference: arachnids,520;) alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS324/ftp_ftp-pass-wh00t"; flags: A+; content: "pass wh00t"; nocase; classtype: system-attempt; reference: arachnids,324;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS165/icmp_Ping Pinger Windows"; itype: 8; content: "|44617461000000000000000000000000|"; depth: 32; classtype: info-attempt; reference: arachnids,165;) alert TCP $INTERNAL 666 -> $EXTERNAL 1024: (msg: "IDS316/trojan_trojan-active-SatansBackdoor.2.0.Beta"; flags: A+; content: "Remote|3A| You are connected to me."; classtype: system-success; reference: arachnids,316;) alert UDP $EXTERNAL any -> $INTERNAL 18753 (msg: "IDS255/ddos_ddos-shaft-handler-to-agent"; content: "alive tijgu"; classtype: system-success; reference: arachnids,255;) alert UDP $EXTERNAL any -> $INTERNAL 31337 (msg: "IDS398/trojan_trojan-active-BackOrifice1-dir"; content: "|ce63 d1d2 16e7 13cf 3ca5 a586|"; classtype: system-success; reference: arachnids,398;) alert TCP $INTERNAL 2589 -> $EXTERNAL 1024: (msg: "IDS484/trojan_trojan-active-dagger_1.4.0"; flags: A+; content: "|3200000006000000|Drives|2400|"; depth: 16; classtype: system-success; reference: 
arachnids,484;) alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS330/scan_scanner-saint-ftpcheck"; flags: A+; content: "pass -saint"; classtype: info-attempt; reference: arachnids,330;) alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS374/scan_scanner-cybercop-web"; flags: A+; content: "get /cybercop"; nocase; classtype: info-attempt; reference: arachnids,374;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS158/scan_Ping ISS Pinger"; itype: 8; content: "ISSPNGRQ"; depth: 32; classtype: info-attempt; reference: arachnids,158;) alert UDP $EXTERNAL 5881 -> $INTERNAL 5882 (msg: "IDS306/trojan_trojan-Y3K-Rat-1.3"; content: "Y3K"; depth: 3; classtype: system-success; reference: arachnids,306;) alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS150/scan_cybercop-os-probe-sfu12"; ack: 0; flags: SFU12; content: "AAAAAAAAAAAAAAAA"; depth: 16; classtype: info-attempt; reference: arachnids,150;) alert TCP $EXTERNAL any -> $INTERNAL 634:1400 (msg: "IDS217/rpc_rpc-amd-overflow"; flags: A+; content: "|80 00 04 2C 4C 15 75 5B 00 00 00 00 00 00 00 02|"; depth: 32; classtype: system-attempt; reference: arachnids,217;) alert TCP $EXTERNAL any -> $INTERNAL 12345 (msg: "IDS403/trojan_trojan-netbus-getinfo-12345"; flags: A+; content: "GetInfo|0d|"; classtype: system-success; reference: arachnids,403;) alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS534/web-iis_http-iis5-printer-eeye"; flags: A+; content: "|8B C4 83 C0 11 33 C9 66 B9 20 01 80 30 03|"; classtype: system-attempt; reference: arachnids,534;) alert UDP $EXTERNAL any -> $INTERNAL 31337 (msg: "IDS399/trojan_trojan-active-BackOrifice1-info"; content: "|ce63 d1d2 16e7 13cf 39a5 a586|"; classtype: system-success; reference: arachnids,399;) alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS332/scan_scanner-adm-ftpcheck"; flags: A+; content: "PASS ddd@|0a|"; classtype: info-attempt; reference: arachnids,332;) alert ICMP $INTERNAL any -> $EXTERNAL any (msg: "IDS182/ddos_ddos-tfn-server-response"; itype: 0; icmp_id: 123; 
icmp_seq: 0; content: "shell bound to port"; classtype: system-success; reference: arachnids,182;) alert TCP $EXTERNAL any -> $INTERNAL 32771:34000 (msg: "IDS242/rpc_rpc.ttdbserv-solaris-overflow"; dsize: >999; flags: A+; content: "|C0 22 3F FC A2 02 20 09 C0 2C 7F FF E2 22 3F F4|"; classtype: system-attempt; reference: arachnids,242;) alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS301/web-misc_http-nessus-404-check"; flags: A+; uricontent: "/nessus_is_probing_you_"; depth: 32; classtype: info-attempt; reference: arachnids,301;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS169/icmp_ping-windows9x2000"; dsize: 32; itype: 8; content: "abcdefghijklmnopqrstuvwabcdefghi"; depth: 32; classtype: info-attempt; reference: arachnids,169;) alert TCP $EXTERNAL 113 -> $INTERNAL 25 (msg: "IDS141/smtp_smtp-exploit869c"; flags: A+; content: "|0a|Croot|0d0a|Mprog"; classtype: system-attempt; reference: arachnids,141;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS153/icmp_Ping Cisco IOS 9.x"; itype: 8; content: "|abcdabcdabcdabcdabcdabcdabcdabcd|"; depth: 32; classtype: info-attempt; reference: arachnids,153;) alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS120/smtp_smtp-exploit41"; flags: A+; content: "rcpt to|3a 20 7c 20 73 65 64 20 27 31 2C 2F 5E 24 2F 64 27 7c|"; classtype: system-attempt; reference: arachnids,120;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS159/icmp_ping-microsoft_windows"; dsize: 50; itype: 8; content: "0123456789abcdefghijklmnopqrstuvwxyz|21402324255E262A28295F3D3031|"; depth: 50; classtype: info-attempt; reference: arachnids,159;) alert TCP $EXTERNAL any -> $INTERNAL 23 (msg: "IDS519/telnet_telnet-backdoor-freebsd-3x4x"; flags: A+; content: "LoUSUCKS"; classtype: system-attempt; reference: arachnids,519;) alert TCP $EXTERNAL any -> $INTERNAL 23 (msg: "IDS516/telnet_telnet-backdoor-linux-satori"; flags: A+; content: "satori"; classtype: system-attempt; reference: arachnids,516;) alert TCP $EXTERNAL any -> $INTERNAL 139 (msg: 
"IDS454/dos_dos-RFPoison"; flags: A+; content: "|5C 00 5C 00 2A 00 53 00 4D 00 42 00 53 00 45 00 52 00 56 00 45 00 52 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00|"; classtype: denialofservice; reference: arachnids,454;) alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS287/ftp_ftp-wuftp260-venglin-linux"; flags: A+; content: "|31c031db 31c9b046 cd80 31c031db|"; classtype: system-attempt; reference: arachnids,287;) alert UDP any any -> any 10498 (msg: "IDS531/ddos_ddos-mstream-handler_to_agent_ping"; content: "ping"; classtype: info-attempt; reference: arachnids,531;) alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS2/ftp_mworm-ftp-retrieval"; flags: A+; content: "USER mw|0D0A|"; nocase; classtype: system-success; reference: arachnids,2;) alert UDP $EXTERNAL any -> $INTERNAL 27444 (msg: "IDS186/ddos_ddos-trin00-master-to-daemon-png"; content: "png l44"; classtype: system-success; reference: arachnids,186;) alert TCP $EXTERNAL any -> $INTERNAL 23 (msg: "IDS512/telnet_telnet-backdoor-rewt"; flags: A+; content: "rewt"; classtype: system-attempt; reference: arachnids,512;) ### EXPLOIT-SPECIFIC WITHOUT CONTENT CHECK # These signatures are very specific to a particular exploit or # tool. It is unlikely that they will detect other exploits or # tools that act against the same vulnerability. They are # considered second because they do not check packet contents. 
########### (total: 114) alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS521/scan_probe-Synscan-Portscan-ID-19104"; id: 19104; flags: S; classtype: info-attempt; reference: arachnids,521;) alert TCP $INTERNAL 6883 -> $EXTERNAL 1024: (msg: "IDS105/trojan_trojan-active-deltasource"; flags: SA; classtype: system-success; reference: arachnids,105;) alert TCP $INTERNAL 57341 -> $EXTERNAL 1024: (msg: "IDS77/trojan_trojan-active-netraider"; flags: SA; classtype: system-success; reference: arachnids,77;) alert TCP $INTERNAL 12346 -> $EXTERNAL 1024: (msg: "IDS81/trojan_trojan-active-netbus10"; flags: SA; classtype: system-success; reference: arachnids,81;) alert TCP $INTERNAL 20000 -> $EXTERNAL 1024: (msg: "IDS82/trojan_trojan-active-millenium"; flags: SA; classtype: system-success; reference: arachnids,82;) alert TCP $INTERNAL 4950 -> $EXTERNAL 1024: (msg: "IDS92/trojan_trojan-active-icq"; flags: SA; classtype: system-success; reference: arachnids,92;) alert TCP $INTERNAL 34324 -> $EXTERNAL 1024: (msg: "IDS43/trojan_trojan-active-tinytelnet"; flags: SA; classtype: system-success; reference: arachnids,43;) alert TCP $INTERNAL 20203 -> $EXTERNAL 1024: (msg: "IDS108/trojan_trojan-active-chupacabra"; flags: SA; classtype: system-success; reference: arachnids,108;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS184/ddos_ddos-tfn-client-command-be"; itype: 0; icmp_id: 456; icmp_seq: 0; classtype: system-success; reference: arachnids,184;) alert TCP $INTERNAL 1269 -> $EXTERNAL 1024: (msg: "IDS83/trojan_trojan-active-matrix"; flags: SA; classtype: system-success; reference: arachnids,83;) alert TCP $INTERNAL 2801 -> $EXTERNAL 1024: (msg: "IDS71/trojan_trojan-active-phineas"; flags: SA; classtype: system-success; reference: arachnids,71;) alert TCP $INTERNAL 4567 -> $EXTERNAL 1024: (msg: "IDS102/trojan_trojan-active-filenail"; flags: SA; classtype: system-success; reference: arachnids,102;) alert TCP $INTERNAL 6939 -> $EXTERNAL 1024: (msg: 
"IDS89/trojan_trojan-active-indoctrination"; flags: SA; classtype: system-success; reference: arachnids,89;) alert UDP 255.255.255.255/32 any -> $INTERNAL any (msg: "IDS201/trojan_trojan-active-Q-udp"; dsize: >1; classtype: system-success; reference: arachnids,201;) alert TCP $INTERNAL 17300 -> $EXTERNAL 1024: (msg: "IDS85/trojan_trojan-active-kuang2"; flags: SA; classtype: system-success; reference: arachnids,85;) alert TCP $INTERNAL 20331 -> $EXTERNAL 1024: (msg: "IDS111/trojan_trojan-active-bla"; flags: SA; classtype: system-success; reference: arachnids,111;) alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS28/scan_probe-nmap_tcp_ping"; ack: 0; flags: A; classtype: info-attempt; reference: arachnids,28;) alert TCP $INTERNAL 31337 -> $EXTERNAL 80 (msg: "IDS459/scan_probe-Synscan-microsoft"; id: 39426; flags: SF; classtype: info-attempt; reference: arachnids,459;) alert TCP $EXTERNAL any -> $INTERNAL 20432 (msg: "IDS254/ddos_ddos-shaft-client-to-handler"; flags: A+; classtype: system-success; reference: arachnids,254;) alert TCP $INTERNAL 777 -> $EXTERNAL 1024: (msg: "IDS114/trojan_trojan-active-aimspy"; flags: SA; classtype: system-success; reference: arachnids,114;) alert TCP $INTERNAL 1245 -> $EXTERNAL 1024: (msg: "IDS38/trojan_trojan-active-vodoo"; flags: SA; classtype: system-success; reference: arachnids,38;) alert TCP $INTERNAL 1999 -> $EXTERNAL 1024: (msg: "IDS41/trojan_trojan-active-transcout"; flags: SA; classtype: system-success; reference: arachnids,41;) alert TCP $INTERNAL 5521 -> $EXTERNAL 1024: (msg: "IDS91/trojan_trojan-active-illusionmailer"; flags: SA; classtype: system-success; reference: arachnids,91;) alert TCP $INTERNAL 6400 -> $EXTERNAL 1024: (msg: "IDS45/trojan_trojan-active-thething"; flags: SA; classtype: system-success; reference: arachnids,45;) alert TCP $INTERNAL 3791 -> $EXTERNAL 1024: (msg: "IDS42/trojan_trojan-active-totaleclipse"; flags: SA; classtype: system-success; reference: arachnids,42;) alert TCP $INTERNAL 1243 -> 
$EXTERNAL 1024: (msg: "IDS50/trojan_trojan-active-subseven"; flags: SA; classtype: system-success; reference: arachnids,50;) alert TCP $INTERNAL 2565 -> $EXTERNAL 1024: (msg: "IDS51/trojan_trojan-active-striker"; flags: SA; classtype: system-success; reference: arachnids,51;) alert TCP $INTERNAL 50766 -> $EXTERNAL 1024: (msg: "IDS101/trojan_trojan-active-fore-schwindler"; flags: SA; classtype: system-success; reference: arachnids,101;) alert TCP $INTERNAL 1001 -> $EXTERNAL 1024: (msg: "IDS58/trojan_trojan-active-silencer-webex-doly"; flags: SA; classtype: system-success; reference: arachnids,58;) alert TCP $INTERNAL 30100 -> $EXTERNAL 1024: (msg: "IDS76/trojan_trojan-active-netsphere"; flags: SA; classtype: system-success; reference: arachnids,76;) alert TCP $INTERNAL 1269 -> $EXTERNAL 1024: (msg: "IDS223/trojan_trojan-active-matrix_1.x-2.0"; flags: SA; classtype: system-success; reference: arachnids,223;) alert TCP $INTERNAL 456 -> $EXTERNAL 1024: (msg: "IDS94/trojan_trojan-active-hackersparadise"; flags: SA; classtype: system-success; reference: arachnids,94;) alert TCP $INTERNAL 11223 -> $EXTERNAL 1024: (msg: "IDS68/trojan_trojan-active-progenic"; flags: SA; classtype: system-success; reference: arachnids,68;) alert TCP $INTERNAL 10607 -> $EXTERNAL 1024: (msg: "IDS107/trojan_trojan-active-coma"; flags: SA; classtype: system-success; reference: arachnids,107;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS486/icmp_ping-Sentinel Etherping"; itype: 8; icode: 0; icmp_id: 31337; classtype: info-attempt; reference: arachnids,486;) alert TCP $EXTERNAL 10101 -> $INTERNAL any (msg: "IDS439/scan_probe-myscan"; ttl: >220; ack: 0; flags: S; classtype: info-attempt; reference: arachnids,439;) alert TCP $INTERNAL 53001 -> $EXTERNAL 1024: (msg: "IDS65/trojan_trojan-active-remoteshutdown"; flags: SA; classtype: system-success; reference: arachnids,65;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS448/icmp_ping-SING Echo from Sun Solaris"; dsize: 8; itype: 8; 
classtype: info-attempt; reference: arachnids,448;) alert TCP $INTERNAL 30999 -> $EXTERNAL 1024: (msg: "IDS86/trojan_trojan-active-kuang"; flags: SA; classtype: system-success; reference: arachnids,86;) alert TCP $INTERNAL 5550 -> $EXTERNAL 1024: (msg: "IDS34/trojan_trojan-active-xtcp2"; flags: SA; classtype: system-success; reference: arachnids,34;) alert TCP $INTERNAL 30303 -> $EXTERNAL 1024: (msg: "IDS57/trojan_trojan-active-socket23"; flags: SA; classtype: system-success; reference: arachnids,57;) alert ICMP 255.255.255.255/32 any -> $INTERNAL any (msg: "IDS202/trojan_trojan-active-Q-icmp"; dsize: >1; itype: 0; classtype: system-success; reference: arachnids,202;) alert TCP $INTERNAL 5031 -> $EXTERNAL 1024: (msg: "IDS79/trojan_trojan-active-netmetro"; flags: SA; classtype: system-success; reference: arachnids,79;) alert TCP $INTERNAL 11000 -> $EXTERNAL 1024: (msg: "IDS61/trojan_trojan-active-sennaspy"; flags: SA; classtype: system-success; reference: arachnids,61;) alert TCP $INTERNAL 2583 -> $EXTERNAL 1024: (msg: "IDS35/trojan_trojan-active-wincrash2"; flags: SA; classtype: system-success; reference: arachnids,35;) alert TCP $INTERNAL 61466 -> $EXTERNAL 1024: (msg: "IDS49/trojan_trojan-active-telecommando"; flags: SA; classtype: system-success; reference: arachnids,49;) alert TCP $INTERNAL 1033 -> $EXTERNAL 1024: (msg: "IDS75/trojan_trojan-active-netspy"; flags: SA; classtype: system-success; reference: arachnids,75;) alert TCP $INTERNAL 31339 -> $EXTERNAL 1024: (msg: "IDS74/trojan_trojan-active-netspydk"; flags: SA; classtype: system-success; reference: arachnids,74;) alert TCP $INTERNAL 1024: -> $EXTERNAL any (msg: "IDS253/ddos_ddos-shaft-synflood-outgoing"; seq: 674711609; flags: S; classtype: system-success; reference: arachnids,253;) alert TCP $INTERNAL 20034 -> $EXTERNAL 1024: (msg: "IDS80/trojan_trojan-active-netbuspro"; flags: SA; classtype: system-success; reference: arachnids,80;) alert TCP $INTERNAL 9872 -> $EXTERNAL 1024: (msg: 
"IDS70/trojan_trojan-active-portalofdoom"; flags: SA; classtype: system-success; reference: arachnids,70;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS447/icmp_ping-SING Echo from LINUX/*BSD"; id: 13170; dsize: 8; itype: 8; classtype: info-attempt; reference: arachnids,447;) alert TCP $EXTERNAL 27374 -> $INTERNAL any (msg: "IDS279/trojan_trojan-active-subseven21"; flags: SA; classtype: system-success; reference: arachnids,279;) alert TCP $INTERNAL 6670 -> $EXTERNAL 1024: (msg: "IDS106/trojan_trojan-active-deepthroat"; flags: SA; classtype: system-success; reference: arachnids,106;) alert TCP $INTERNAL 1042 -> $EXTERNAL 1024: (msg: "IDS109/trojan_trojan-active-blah11"; flags: SA; classtype: system-success; reference: arachnids,109;) alert TCP $INTERNAL 37651 -> $EXTERNAL 1024: (msg: "IDS33/trojan_trojan-active-yetanother"; flags: SA; classtype: system-success; reference: arachnids,33;) alert TCP $INTERNAL 1966 -> $EXTERNAL 1024: (msg: "IDS222/trojan_trojan-active-fakeftp"; flags: SA; classtype: system-success; reference: arachnids,222;) alert TCP $INTERNAL 1207 -> $EXTERNAL 1024: (msg: "IDS56/trojan_trojan-active-softwar"; flags: SA; classtype: system-success; reference: arachnids,56;) alert TCP $INTERNAL 5011 -> $EXTERNAL 1024: (msg: "IDS73/trojan_trojan-active-ootlt"; flags: SA; classtype: system-success; reference: arachnids,73;) alert TCP $INTERNAL 1807 -> $EXTERNAL 1024: (msg: "IDS54/trojan_trojan-active-spysender"; flags: SA; classtype: system-success; reference: arachnids,54;) alert TCP $INTERNAL 65000 -> $EXTERNAL 1024: (msg: "IDS104/trojan_trojan-active-devil103"; flags: SA; classtype: system-success; reference: arachnids,104;) alert TCP $INTERNAL 1600 -> $EXTERNAL 1024: (msg: "IDS60/trojan_trojan-active-shiveburka"; flags: SA; classtype: system-success; reference: arachnids,60;) alert TCP $INTERNAL 9400 -> $EXTERNAL 1024: (msg: "IDS90/trojan_trojan-active-incommand"; flags: SA; classtype: system-success; reference: arachnids,90;) alert TCP 
$INTERNAL 1170 -> $EXTERNAL 1024: (msg: "IDS52/trojan_trojan-active-streamingaudio"; flags: SA; classtype: system-success; reference: arachnids,52;) alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS236/scan_ipeye-syn-scan"; seq: 1958810375; flags: S; classtype: info-attempt; reference: arachnids,236;) alert TCP $INTERNAL 12076 -> $EXTERNAL 1024: (msg: "IDS97/trojan_trojan-active-gjamer"; flags: SA; classtype: system-success; reference: arachnids,97;) alert TCP $INTERNAL 40412 -> $EXTERNAL 1024: (msg: "IDS46/trojan_trojan-active-thespy"; flags: SA; classtype: system-success; reference: arachnids,46;) alert TCP $INTERNAL 54321 -> $EXTERNAL 1024: (msg: "IDS63/trojan_trojan-active-schoolbus"; flags: SA; classtype: system-success; reference: arachnids,63;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS443/ddos_ddos-tfn-probe"; itype: 8; icmp_id: 678; content: "1234"; classtype: info-attempt; reference: arachnids,443;) alert TCP $EXTERNAL 1024: -> $INTERNAL any (msg: "IDS252/ddos_ddos-shaft-synflood-incoming"; seq: 674711609; flags: S; classtype: denialofservice; reference: arachnids,252;) alert TCP $INTERNAL 12701 -> $EXTERNAL 1024: (msg: "IDS103/trojan_trojan-active-eclipse2000"; flags: SA; classtype: system-success; reference: arachnids,103;) alert UDP $INTERNAL 31337 -> $EXTERNAL 1024: (msg: "IDS189/trojan_trojan-active-back-orifice"; classtype: system-success; reference: arachnids,189;) alert TCP $INTERNAL 6969 -> $EXTERNAL 1024: (msg: "IDS99/trojan_trojan-active-gatecrasher"; flags: SA; classtype: system-success; reference: arachnids,99;) alert TCP $INTERNAL 21554 -> $EXTERNAL 1024: (msg: "IDS98/trojan_trojan-active-girlfriend"; flags: SA; classtype: system-success; reference: arachnids,98;) alert TCP $INTERNAL 2023 -> $EXTERNAL 1024: (msg: "IDS72/trojan_trojan-active-passripper"; flags: SA; classtype: system-success; reference: arachnids,72;) alert UDP $EXTERNAL any -> $INTERNAL 31337 (msg: "IDS188/trojan_trojan-probe-back-orifice"; classtype: 
info-attempt; reference: arachnids,188;) alert TCP $INTERNAL 1509 -> $EXTERNAL 1024: (msg: "IDS66/trojan_trojan-active-psyberstream"; flags: SA; classtype: system-success; reference: arachnids,66;) alert ICMP 3.3.3.3/32 any -> any any (msg: "IDS193/ddos_ddos-stacheldraht server-spoof"; dsize: >32; itype: 8; icmp_id: 666; classtype: system-success; reference: arachnids,193;) alert TCP $INTERNAL 5400 -> $EXTERNAL 1024: (msg: "IDS110/trojan_trojan-active-bladerunner"; flags: SA; classtype: system-success; reference: arachnids,110;) alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS548/dos_dos-bubonic"; ttl: >225; tos: 201; window: 65535; classtype: denialofservice; reference: arachnids,548;) alert TCP $INTERNAL 10666 -> $EXTERNAL 1024: (msg: "IDS113/trojan_trojan-active-ambush"; flags: SA; classtype: system-success; reference: arachnids,113;) alert TCP 255.255.255.255/32 any -> $INTERNAL any (msg: "IDS203/trojan_trojan-active-Q-tcp"; dsize: >1; flags: A; classtype: system-success; reference: arachnids,203;) alert TCP $INTERNAL 12223 -> $EXTERNAL 1024: (msg: "IDS96/trojan_trojan-active-hack99keylogger"; flags: SA; classtype: system-success; reference: arachnids,96;) alert TCP $INTERNAL 2140 -> $EXTERNAL 1024: (msg: "IDS87/trojan_trojan-active-invasor"; flags: SA; classtype: system-success; reference: arachnids,87;) alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS5/scan_probe-nmap_fingerprint_attempt"; flags: SFUP; classtype: info-attempt; reference: arachnids,5;) alert TCP $INTERNAL 9999 -> $EXTERNAL 1024: (msg: "IDS48/trojan_trojan-active-theprayer1"; flags: SA; classtype: system-success; reference: arachnids,48;) alert TCP $INTERNAL 2283 -> $EXTERNAL 1024: (msg: "IDS93/trojan_trojan-active-hvlrat5"; flags: SA; classtype: system-success; reference: arachnids,93;) alert TCP $INTERNAL 555 -> $EXTERNAL 1024: (msg: "IDS53/trojan_trojan-active-stealthspy-phase0-netadmin"; flags: SA; classtype: system-success; reference: arachnids,53;) alert ICMP $EXTERNAL any -> 
$INTERNAL any (msg: "IDS162/scan_ping-nmap-icmp"; dsize: 0; itype: 8; classtype: info-attempt; reference: arachnids,162;) alert TCP $INTERNAL 23456 -> $EXTERNAL 1024: (msg: "IDS37/trojan_trojan-active-whackjob"; flags: SA; classtype: system-success; reference: arachnids,37;) alert TCP $EXTERNAL any -> $INTERNAL 16660 (msg: "IDS179/ddos_ddos-stacheldraht client"; flags: S; classtype: system-or-info-attempt; reference: arachnids,179;) alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS441/scan_probe-Synscan-Portscan"; id: 39426; flags: SF; classtype: info-attempt; reference: arachnids,441;) alert TCP $INTERNAL 2716 -> $EXTERNAL 1024: (msg: "IDS47/trojan_trojan-active-theprayer2"; flags: SA; classtype: system-success; reference: arachnids,47;) alert TCP $INTERNAL 31787 -> $EXTERNAL 1024: (msg: "IDS95/trojan_trojan-active-hackatak"; flags: SA; classtype: system-success; reference: arachnids,95;) alert TCP $INTERNAL 1492 -> $EXTERNAL 1024: (msg: "IDS100/trojan_trojan-active-ftp99cmp"; flags: SA; classtype: system-success; reference: arachnids,100;) alert TCP $INTERNAL 29891 -> $EXTERNAL 1024: (msg: "IDS44/trojan_trojan-active-theunexplained"; flags: SA; classtype: system-success; reference: arachnids,44;) alert TCP $INTERNAL 5742 -> $EXTERNAL 1024: (msg: "IDS36/trojan_trojan-active-wincrash"; flags: SA; classtype: system-success; reference: arachnids,36;) alert TCP $INTERNAL 31554 -> $EXTERNAL 1024: (msg: "IDS62/trojan_trojan-active-schwindler"; flags: SA; classtype: system-success; reference: arachnids,62;) alert TCP $INTERNAL 5569 -> $EXTERNAL 1024: (msg: "IDS64/trojan_trojan-active-robohack"; flags: SA; classtype: system-success; reference: arachnids,64;) alert TCP $INTERNAL 31 -> $EXTERNAL 1024: (msg: "IDS84/trojan_trojan-active-masterparadise"; flags: SA; classtype: system-success; reference: arachnids,84;) alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS146/scan_cybercop-os-probe-sf12"; dsize: 0; flags: SF12; classtype: info-attempt; reference: arachnids,146;) 
alert TCP $INTERNAL 6669 -> $EXTERNAL 1024: (msg: "IDS39/trojan_trojan-active-vampire"; flags: SA; classtype: system-success; reference: arachnids,39;) alert TCP $INTERNAL 1981 -> $EXTERNAL 1024: (msg: "IDS59/trojan_trojan-active-shockrave"; flags: SA; classtype: system-success; reference: arachnids,59;) alert TCP $INTERNAL 9889 -> $EXTERNAL 1024: (msg: "IDS88/trojan_trojan-active-inikiller"; flags: SA; classtype: system-success; reference: arachnids,88;) alert TCP $EXTERNAL 80 -> $INTERNAL 1054 (msg: "IDS445/trojan_trojan-ACKcmdC-probe"; seq: 101058054; ack: 101058054; flags: A; classtype: system-attempt; reference: arachnids,445;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS450/icmp_ping-icmpenum v1.1.1"; id: 666; dsize: 0; itype: 8; icmp_id: 666; icmp_seq: 0; classtype: info-attempt; reference: arachnids,450;) alert TCP $INTERNAL 33911 -> $EXTERNAL 1024: (msg: "IDS55/trojan_trojan-active-spirit2001"; flags: SA; classtype: system-success; reference: arachnids,55;) alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS183/ddos_ddos-tfn-client-command-le"; itype: 0; icmp_id: 51201; icmp_seq: 0; classtype: system-success; reference: arachnids,183;) alert TCP $INTERNAL 16969 -> $EXTERNAL 1024: (msg: "IDS69/trojan_trojan-active-priority"; flags: SA; classtype: system-success; reference: arachnids,69;) alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS29/scan_probe-Queso Fingerprint attempt"; ttl: >225; flags: S12; classtype: info-attempt; reference: arachnids,29;) alert TCP $INTERNAL 22222 -> $EXTERNAL 1024: (msg: "IDS67/trojan_trojan-active-prosiak"; flags: SA; classtype: system-success; reference: arachnids,67;) alert TCP $INTERNAL 666 -> $EXTERNAL 1024: (msg: "IDS112/trojan_trojan-active-attackftp"; flags: SA; classtype: system-success; reference: arachnids,112;) alert TCP $INTERNAL 7306 -> $EXTERNAL 1024: (msg: "IDS78/trojan_trojan-active-netmonitor"; flags: SA; classtype: system-success; reference: arachnids,78;) alert TCP $INTERNAL 2001 -> $EXTERNAL 1024: 
(msg: "IDS40/trojan_trojan-active-trojancow"; flags: SA; classtype: system-success; reference: arachnids,40;) ### VULNERABILITY WITH CONTENT CHECK # These signatures are particular to a certain vulnerability, # but may be triggered by more than one exploit or tool. Although # these signatures are not specific to only one exploit, they # do check packet contents. ########### (total: 197) alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS319/ftp_ftp-forward"; flags: A+; content: ".forward"; classtype: system-attempt; reference: arachnids,319;) alert TCP $EXTERNAL any -> $INTERNAL 2301 (msg: "IDS244/web-misc_http-compaq-insight-dot-dot"; content: "../"; classtype: info-attempt; reference: arachnids,244;) alert UDP $EXTERNAL any -> $INTERNAL 69 (msg: "IDS382/tftp_TFTP-passwd"; content: "|0001|/etc/passwd"; classtype: info-attempt; reference: arachnids,382;) alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS269/web-coldfusion_http-coldfusion-onrequestend.cfm"; flags: A+; uricontent: "onrequestend.cfm"; classtype: info-attempt; reference: arachnids,269;) alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS342/shellcode_shellcode-LinuxCommonTCP"; flags: A+; content: "|90 90 90 e8 c0 ff ff ff|/bin/sh"; classtype: system-attempt; reference: arachnids,342;) alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS537/dos_http-iis-propfind-colons"; flags: A+; content: "|3c|a|3a|propfind"; nocase; content: "|3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a|"; classtype: denialofservice; reference: arachnids,537;) alert UDP $EXTERNAL any -> $INTERNAL 69 (msg: "IDS383/tftp_TFTP-group"; content: "|0001|/etc/group"; classtype: info-attempt; reference: arachnids,383;) alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS343/shellcode_shellcode-LinuxCommonUDP"; content: "|90 90 90 e8 c0 ff ff ff|/bin/sh"; classtype: system-attempt; reference: arachnids,343;) alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS474/web-iis_web-webdav-search"; flags: A+; content: "SEARCH "; depth: 8; nocase; 
classtype: info-attempt; reference: arachnids,474;) alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS465/web-cgi_web-cgi-windmail"; flags: A+; uricontent: "windmail.exe?"; nocase; uricontent: "-n"; nocase; classtype: system-or-info-attempt; reference: arachnids,465;) alert TCP $EXTERNAL any -> $INTERNAL 32771: (msg: "IDS26/rpc_nfs-showmount"; flags: A+; rpc: 100005,*,*; content: "|00 01 86 A5 00 00 00 01 00 00 00 05 00 00 00 01|"; depth: 32; offset: 16; classtype: info-attempt; reference: arachnids,26;) alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS549/dos_dos-3com_sml3com"; flags: A+; uricontent: "sml3com|25 73 25 73 25 73 25 73 25 73 25 73 25 73 25 73|"; classtype: denialofservice; reference: arachnids,549;) alert TCP $EXTERNAL any -> $INTERNAL 32771: (msg: "IDS545/rpc_rpc_tcp_traffic_contains_bin_sh"; flags: A+; content: "/bin/sh"; classtype: system-attempt; reference: arachnids,545;) alert TCP $EXTERNAL any -> $INTERNAL 513 (msg: "IDS393/rservice_RSH-LoginFailure2"; flags: A+; content: "login incorrect"; classtype: system-failed; reference: arachnids,393;) alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS475/web-iis_web-webdav-propfind"; flags: A+; content: "PROPFIND "; nocase; classtype: info-attempt; reference: arachnids,475;) alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS143/smtp_smtp-majordomo-ifs"; flags: A+; content: "${IFS}"; classtype: system-attempt; reference: arachnids,143;) alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS352/shellcode_shellcode-NOOP-Digital-udp"; content: "|47 ff 04 1f 47 ff 04 1f 47 ff 04 1f 47 ff 04 1f|"; classtype: system-attempt; reference: arachnids,352;) alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS358/shellcode_shellcode-NOOP-HP-tcp"; flags: A+; content: "|0821 0280 0821 0280 0821 0280 0821 0280|"; classtype: system-attempt; reference: arachnids,358;) alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS207/web-cgi_http-phorum-code"; flags: A+; uricontent: "code.php3"; classtype: system-or-info-attempt; 
reference: arachnids,207;) alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS552/web-iis_IIS ISAPI Overflow ida"; dsize: >239; flags: A+; uricontent: ".ida?"; classtype: system-or-info-attempt; reference: arachnids,552;) alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS134/ftp_ftp-tar-parameters"; flags: A+; content: "RETR --use-compress-program"; nocase; classtype: system-attempt; reference: arachnids,134;) alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS354/shellcode_shellcode-NOOP-Sparc-tcp"; flags: A+; content: "|13c0 1ca6 13c0 1ca6 13c0 1ca6 13c0 1ca6|"; classtype: system-attempt; reference: arachnids,354;) alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS554/web-misc_squid cachemgr.cgi connection"; flags: A+; uricontent: "cachemgr.cgi"; classtype: relay-or-info-attempt; reference: arachnids,554;) alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS353/shellcode_shellcode-NOOP-Solaris-tcp"; flags: A+; content: "|801c 4011 801c 4011 801c 4011 801c 4011|"; classtype: system-attempt; reference: arachnids,353;) alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS326/ftp_ftp-user-root"; flags: A+; content: "user root"; nocase; classtype: system-attempt; reference: arachnids,326;) alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS213/ftp_ftp-passwd-retrieval-retr"; flags: A+; content: "RETR"; nocase; content: " passwd"; classtype: info-attempt; reference: arachnids,213;) alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS251/finger_finger-redirection"; flags: A+; content: "@"; classtype: relay-attempt; reference: arachnids,251;) alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS437/shellcode_shellcode-x86-setgid0-udp"; content: "|b0b5 cd80|"; classtype: system-attempt; reference: arachnids,437;) alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS373/smtp_smtp-vrfy-decode"; flags: A+; content: "vrfy decode"; nocase; classtype: info-attempt; reference: arachnids,373;) alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS555/web-iis_FrontPage_Visual_Studio_RAD_Overflow"; 
dsize: >258; flags: A; uricontent: "fp30reg.dll"; nocase; classtype: system-attempt; reference: arachnids,555;)

# ---------------------------------------------------------------------
# Rule format used throughout this export (Snort 1.x syntax):
#   alert PROTO SRC SPORT -> DST DPORT (option; option; ...)
#   $INTERNAL / $EXTERNAL  - address variables defined at the top of the file.
#   PORT: / :PORT / A:B    - port ranges ("32770:" = 32770 and above,
#                            ":1024" = 1024 and below, "0:1023" = inclusive range).
#   flags: A+              - ACK set, any other flag may also be set; "P+"
#                            likewise for PSH; a bare letter list ("SF", "FUP",
#                            "0") is an exact match on the flag byte.
#   content: / uricontent: - payload match; "|..|" encloses hex bytes; the
#                            nocase / depth / offset that follow a content
#                            apply to that content only.
#   rpc: PROG,*,*          - RPC program number, any version, any procedure.
#   classtype:             - category label used for prioritisation.
#   reference: arachnids,N - arachNIDS database id; N also appears in msg.
#
# Reading guide:
#   * Most rules are request-side ($EXTERNAL -> $INTERNAL) and report an
#     attempt. Rules written $INTERNAL <port> -> $EXTERNAL any match the
#     inside server's reply ("Login incorrect", "530 Login ", "Permission
#     denied.") and so report an outcome (failed/success), not an attempt.
#   * Rules written $EXTERNAL 80 -> $INTERNAL match content served by an
#     outside web server to inside clients (client-side detections).
#   * Very short, unanchored patterns (IDS297 "../", IDS243 "|7C|",
#     IDS227 "///", IDS377 "|00|", IDS378 "0", IDS137 "..", IDS221
#     "finger", IDS235 "handler") and the long NOP-sled rules on port
#     "any" are likely to match legitimate traffic and binary transfers
#     as well; expect to threshold or tune them before relying on them.
#   * NOTE(review): IDS551 is the only rule in this export whose
#     destination is $EXTERNAL rather than $INTERNAL; this looks like a
#     transcription error - confirm against the arachNIDS entry before use.
#   * NOTE(review): IDS452 matches the raw-byte form ("..|c0af|") while
#     IDS432/433/434 match the still percent-encoded form
#     ("..|25|c0|25|af"). Whether uricontent sees the URI before or after
#     percent-decoding depends on the http_decode preprocessor
#     configuration, so one of the two styles may never match in a given
#     deployment; verify with test traffic.
# ---------------------------------------------------------------------

alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS452/web-iis_http-iis-unicode-binary"; flags: A+; uricontent: "..|c0af|"; nocase; classtype: system-attempt; reference: arachnids,452;)
alert TCP $EXTERNAL any -> $INTERNAL 23 (msg: "IDS367/telnet_telnet-ld_preload"; flags: A+; content: "ld_preload"; classtype: system-attempt; reference: arachnids,367;)
alert TCP $EXTERNAL any -> $INTERNAL 139 (msg: "IDS336/netbios_NETBIOS-SMB-D$access"; flags: A+; content: "|5c|D$|00 41 3a 00|"; classtype: system-attempt; reference: arachnids,336;)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS376/finger_finger-root"; flags: A+; content: "root"; nocase; classtype: info-attempt; reference: arachnids,376;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS224/web-cgi_http-cgi-nph-test-cgi"; flags: A+; uricontent: "nph-test-cgi"; classtype: info-attempt; reference: arachnids,224;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS230/web-misc_http-cgi-space-wildcard"; flags: A+; content: "|2A 20|"; classtype: info-attempt; reference: arachnids,230;)
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS351/shellcode_shellcode-NOOP-AIX-udp"; content: "|4fff fb82 4fff fb82 4fff fb82 4fff fb82|"; classtype: system-attempt; reference: arachnids,351;)
alert TCP $EXTERNAL any -> $INTERNAL 513 (msg: "IDS392/rservice_RSH-LoginFailure"; flags: A+; content: "|01|rlogind|3a| Permission denied."; classtype: system-failed; reference: arachnids,392;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS300/web-cgi_http-PCCS-Mysql Database Admin Tool"; flags: A+; uricontent: "pccsmysqladm/incs/dbconnect.inc"; depth: 36; nocase; classtype: info-attempt; reference: arachnids,300;)
alert UDP $EXTERNAL any -> $INTERNAL 161 (msg: "IDS547/snmp_snmp-cisco-ilmi"; content: "|04|ILMI"; classtype: data-or-info-attempt; reference: arachnids,547;)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS380/finger_finger-pipe"; flags: A+; content: "|7c|"; classtype: system-attempt; reference: arachnids,380;)
alert UDP $EXTERNAL any -> $INTERNAL 5632 (msg: "IDS239/misc_pcanywhere-start"; content: "ST"; depth: 2; classtype: system-attempt; reference: arachnids,239;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS248/web-frontpage_http-frontpage-pws-fourdots"; flags: A+; content: "..../"; classtype: info-attempt; reference: arachnids,248;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS472/web-cgi_web-cgi-webgais"; flags: A+; uricontent: "/webgais"; nocase; classtype: system-or-info-attempt; reference: arachnids,472;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS283/shellcode_shellcode-x86-setuid0"; flags: A+; content: "|b017 cd80|"; classtype: system-attempt; reference: arachnids,283;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS321/ftp_ftp-linux-nulluser"; flags: A+; content: "user null|0d|"; nocase; classtype: system-attempt; reference: arachnids,321;)
alert TCP $EXTERNAL any -> $INTERNAL 113 (msg: "IDS303/misc_ident-version-probe"; flags: A+; content: "VERSION|0A|"; depth: 16; nocase; classtype: info-attempt; reference: arachnids,303;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS219/web-cgi_http-cgi-perl-exe"; flags: A+; uricontent: "perl.exe"; nocase; classtype: system-or-info-attempt; reference: arachnids,219;)
# Client-side: content returned by an outside web server to an inside host.
alert TCP $EXTERNAL 80 -> $INTERNAL any (msg: "IDS294/client_client-netscape-java-serversocket"; flags: A+; content: "java/net/ServerSocket|00|"; nocase; classtype: client-success; reference: arachnids,294;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS471/web-cgi_web-cgi-webplus"; flags: A+; uricontent: "/webplus?script"; nocase; classtype: info-attempt; reference: arachnids,471;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS206/web-cgi_http-phorum-auth"; flags: A+; content: "PHP_AUTH_USER=boogieman"; classtype: system-attempt; reference: arachnids,206;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS250/web-coldfusion_http-coldfusion-openfile.cfm"; flags: A+; uricontent: "openfile.cfm"; classtype: system-or-info-attempt; reference: arachnids,250;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS495/web-misc_http-oracle-shared-lib-overflow"; dsize: >2000; flags: P+; uricontent: "/jsp/"; nocase; classtype: system-attempt; reference: arachnids,495;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS181/shellcode_shellcode-x86-nops"; flags: A+; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; classtype: system-attempt; reference: arachnids,181;)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS379/finger_finger-pipe-w"; flags: A+; content: "/W|3b|"; classtype: system-attempt; reference: arachnids,379;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS227/web-cgi_http-cgi-scriptalias"; flags: A+; content: "///"; classtype: info-attempt; reference: arachnids,227;)
alert TCP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS212/dns_dns-zone-transfer"; flags: A+; content: "|FC|"; offset: 13; classtype: info-attempt; reference: arachnids,212;)
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS344/shellcode_shellcode-NOOP-Solaris-udp"; content: "|801c 4011 801c 4011 801c 4011 801c 4011|"; classtype: system-attempt; reference: arachnids,344;)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS375/finger_finger-search"; flags: A+; content: "search"; nocase; classtype: info-attempt; reference: arachnids,375;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS533/web-iis_http-iis5-printer-isapi"; flags: A+; uricontent: ".printer"; nocase; classtype: system-attempt; reference: arachnids,533;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS522/ftp_ftp-passwd-stor"; flags: A+; content: "STOR"; nocase; content: " passwd"; classtype: system-attempt; reference: arachnids,522;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS266/smtp_smtp-chameleon-overflow"; dsize: >500; flags: A+; content: "HELP "; depth: 5; nocase; classtype: system-attempt; reference: arachnids,266;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS231/web-cgi_http-cgi-win-c-sample"; flags: A+; uricontent: "win-c-sample.exe"; nocase; classtype: system-or-info-attempt; reference: arachnids,231;)
# Response-side: matches the inside telnet server's reply, reports a failure.
alert TCP $INTERNAL 23 -> $EXTERNAL any (msg: "IDS365/telnet_telnet-NotOnConsole"; flags: A+; content: "not on system console"; nocase; classtype: system-failed; reference: arachnids,365;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS412/web-cgi_http-cgi-imagemap-overflow"; dsize: >1000; flags: A+; uricontent: "imagemap.exe?"; depth: 32; nocase; classtype: system-or-info-attempt; reference: arachnids,412;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS325/ftp_ftp-shosts"; flags: A+; content: ".shosts"; nocase; classtype: system-attempt; reference: arachnids,325;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS259/web-misc_http-alibaba-overflow"; dsize: >1400; flags: A+; content: "POST"; classtype: system-attempt; reference: arachnids,259;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS327/ftp_ftp-user-warez"; flags: A+; content: "user warez"; nocase; classtype: system-attempt; reference: arachnids,327;)
alert UDP $EXTERNAL any -> $INTERNAL 32770: (msg: "IDS9/rpc_rpc-rstatd-query"; rpc: 100001,*,*; classtype: info-attempt; reference: arachnids,9;)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS130/finger_finger-.@host"; dsize: 6; flags: A+; content: "|2E 0A 20 20 20 20|"; depth: 6; classtype: info-attempt; reference: arachnids,130;)
alert UDP $EXTERNAL any -> $INTERNAL 32771: (msg: "IDS544/rpc_rpc_udp_traffic_contains_bin_sh"; content: "/bin/sh"; classtype: system-attempt; reference: arachnids,544;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS268/web-coldfusion_http-coldfusion-application.cfm"; flags: A+; uricontent: "application.cfm"; classtype: info-attempt; reference: arachnids,268;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS328/ftp_ftp-rhosts"; flags: A+; content: "STOR .rhosts"; nocase; classtype: system-attempt; reference: arachnids,328;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS270/web-misc_http-netscape-dir-index-wp"; flags: A+; uricontent: "?wp-"; nocase; classtype: info-attempt; reference: arachnids,270;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS538/ftp_ftp-passwd-retrieval-retr-path"; flags: A+; content: "RETR"; nocase; content: "/passwd"; classtype: info-attempt; reference: arachnids,538;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS210/web-cgi_http-cgi-w3-msql"; flags: A+; uricontent: "w3-msql"; classtype: system-or-info-attempt; reference: arachnids,210;)
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS348/shellcode_shellcode-NOOP-SGI-udp2"; content: "|03e0 f825 03e0 f825 03e0 f825 03e0 f825|"; classtype: system-attempt; reference: arachnids,348;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS524/ftp_ftp-passwd-rnto"; flags: A+; content: "RNTO"; nocase; content: " passwd"; classtype: system-attempt; reference: arachnids,524;)
alert TCP $INTERNAL 5632 -> $EXTERNAL any (msg: "IDS240/misc_pcanywhere-failed"; flags: A+; content: "Invalid login"; depth: 16; offset: 5; classtype: system-failed; reference: arachnids,240;)
alert TCP $EXTERNAL any -> $INTERNAL 1417 (msg: "IDS229/misc_insecure-timbuktu-password"; flags: A+; content: "|05 00 3E|"; depth: 16; classtype: not-suspicious; reference: arachnids,229;)
alert TCP $EXTERNAL any -> $INTERNAL 514 (msg: "IDS387/rservice_rlogin-froot"; flags: A+; content: "-froot|00|"; classtype: system-attempt; reference: arachnids,387;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS462/web-cgi_web-cgi-yabb"; flags: A+; uricontent: "YaBB.pl"; classtype: system-or-info-attempt; reference: arachnids,462;)
alert UDP $EXTERNAL any -> $INTERNAL 161 (msg: "IDS333/snmp_snmp-nt_userlist"; content: "|2b 06 10 40 14 d1 02 19|"; classtype: info-attempt; reference: arachnids,333;)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS131/finger_finger-0@host"; dsize: 6; flags: A+; content: "|30 0A 20 20 20 20|"; depth: 6; classtype: info-attempt; reference: arachnids,131;)
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS435/shellcode_shellcode-x86-stealth-nop-udp"; content: "|eb 02 eb 02 eb 02|"; classtype: system-attempt; reference: arachnids,435;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS432/web-iis_http-iis-unicode-traversal"; flags: A+; uricontent: "..|25|c1|25|1c"; nocase; classtype: system-attempt; reference: arachnids,432;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS467/web-cgi_web-cgi-webspeed"; flags: A+; uricontent: "wsisa.dll/WService="; nocase; classtype: system-or-info-attempt; reference: arachnids,467;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS282/shellcode_shellcode-sparc-setuid0"; flags: A+; content: "|82102017 91d02008|"; classtype: system-attempt; reference: arachnids,282;)
# Client-side: three contents must all be present in data from an outside web server.
alert TCP $EXTERNAL 80 -> $INTERNAL :1024 (msg: "IDS496/client_client-netscape-gif-comment"; flags: P+; content: "GIF89a|0a|"; content: "parent.frames"; nocase; content: "form"; nocase; classtype: client-attempt; reference: arachnids,496;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS243/web-cgi_http-cgi-pipe"; flags: A+; content: "|7C|"; classtype: system-attempt; reference: arachnids,243;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS487/ftp_dos-ftpd-globbing"; flags: A+; content: "|2f2a|"; classtype: denialofservice; reference: arachnids,487;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS523/ftp_ftp-passwd-appe"; flags: A+; content: "APPE"; nocase; content: " passwd"; classtype: system-attempt; reference: arachnids,523;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS258/web-cgi_http-cgi-get32.exe"; flags: A+; uricontent: "get32.exe"; nocase; classtype: system-or-info-attempt; reference: arachnids,258;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS553/web-iis_IIS ISAPI Overflow idq"; dsize: >239; flags: A+; uricontent: ".idq?"; classtype: system-or-info-attempt; reference: arachnids,553;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS205/web-cgi_http-phorum-admin"; flags: A+; uricontent: "admin.php3"; classtype: system-or-info-attempt; reference: arachnids,205;)
alert TCP $EXTERNAL any -> $INTERNAL 70 (msg: "IDS409/misc_gopher-proxy"; flags: A+; content: "ftp|3a|"; depth: 4; nocase; content: "@/"; classtype: relay-attempt; reference: arachnids,409;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS469/web-cgi_web-cgi-websendmail"; flags: A+; uricontent: "/websendmail"; nocase; classtype: system-or-info-attempt; reference: arachnids,469;)
alert TCP $EXTERNAL any -> $INTERNAL 6000 (msg: "IDS395/x11_X-xopen"; flags: A+; content: "|6c00 0b00 0000 0000 0000 0000|"; classtype: system-attempt; reference: arachnids,395;)
alert UDP $EXTERNAL any -> $INTERNAL 49 (msg: "IDS408/misc_XTACACS-logout"; content: "|8007 0000 0700 0004 0000 0000 00|"; classtype: suspicious; reference: arachnids,408;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS271/web-frontpage_http-iis-dvwssr"; flags: A+; uricontent: "dvwssr.dll"; nocase; classtype: system-attempt; reference: arachnids,271;)
# NOTE(review): destination is $EXTERNAL here, unlike every other rule in this
# export (all use -> $INTERNAL). Likely a transcription error; confirm before use.
alert TCP $EXTERNAL any -> $EXTERNAL 80 (msg: "IDS551/web-cgi_CVSWeb.cgi_access"; flags: A+; uricontent: "/cvsweb.cgi"; nocase; classtype: system-or-info-attempt; reference: arachnids,551;)
alert TCP $EXTERNAL any -> $INTERNAL 139 (msg: "IDS335/netbios_NETBIOS-SMB-IPC$access-alternate"; flags: A+; content: "|5c|IPC$|00 41 3a 00|"; classtype: info-attempt; reference: arachnids,335;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS265/web-cgi_http-cgi-cgitest"; flags: A+; uricontent: "cgitest.exe"; nocase; content: "user|3a|"; classtype: system-or-info-attempt; reference: arachnids,265;)
alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS480/dns_named-probe-authors"; content: "|07|authors"; offset: 12; nocase; content: "|04|bind"; offset: 12; nocase; classtype: info-attempt; reference: arachnids,480;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS434/web-iis_http-iis-unicode-traversal-backslash"; flags: A+; uricontent: "..|25|c1|25|9c"; nocase; classtype: system-attempt; reference: arachnids,434;)
alert TCP $EXTERNAL any -> $INTERNAL 139 (msg: "IDS341/netbios_NETBIOS-Samba-clientaccess"; flags: A+; content: "|00|Unix|00|Samba"; classtype: suspicious; reference: arachnids,341;)
alert UDP $EXTERNAL any -> $INTERNAL 69 (msg: "IDS137/tftp_TFTP-parent_directory"; content: ".."; classtype: system-attempt; reference: arachnids,137;)
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS350/shellcode_shellcode-NOOP-HP-udp2"; content: "|0b39 0280 0b39 0280 0b39 0280 0b39 0280|"; classtype: system-attempt; reference: arachnids,350;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS237/web-iis_http-webhits"; dsize: >400; flags: A+; uricontent: ".htw"; nocase; classtype: info-attempt; reference: arachnids,237;)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS378/finger_finger-probe-0"; flags: A+; content: "0"; classtype: info-attempt; reference: arachnids,378;)
alert TCP $INTERNAL 23 -> $EXTERNAL any (msg: "IDS366/telnet_telnet-wingate-active"; flags: A+; content: "WinGate>"; classtype: relay-success; reference: arachnids,366;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS455/web-misc_web-domino_.nsf_dir_traversal"; flags: A+; uricontent: "/.nsf/"; nocase; classtype: info-attempt; reference: arachnids,455;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS31/smtp_smtp-expn-root"; flags: A+; content: "expn root"; nocase; classtype: info-attempt; reference: arachnids,31;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS433/web-iis_http-iis-unicode-traversal-optyx"; flags: A+; uricontent: "..|25|c0|25|af"; nocase; classtype: system-attempt; reference: arachnids,433;)
alert TCP $EXTERNAL any -> $INTERNAL 23 (msg: "IDS304/telnet_SGI telnetd format bug"; flags: A+; content: "_RLD"; classtype: system-attempt; reference: arachnids,304;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS360/shellcode_shellcode-NOOP-AIX-tcp"; flags: A+; content: "|4fff fb82 4fff fb82 4fff fb82 4fff fb82|"; classtype: system-attempt; reference: arachnids,360;)
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS345/shellcode_shellcode-NOOP-Sparc-udp"; content: "|13c0 1ca6 13c0 1ca6 13c0 1ca6 13c0 1ca6|"; classtype: system-attempt; reference: arachnids,345;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS297/web-misc_http-directory-traversal1"; flags: A+; content: "../"; classtype: system-attempt; reference: arachnids,297;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS298/web-misc_http-directory-traversal2"; flags: P+; content: "..|5c|"; classtype: system-attempt; reference: arachnids,298;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS260/dos_dos-annex-terminal"; dsize: >1400; flags: A+; content: "ping?query"; nocase; classtype: denialofservice; reference: arachnids,260;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS234/web-cgi_http-cgi-wrap"; flags: A+; uricontent: "wrap?/"; classtype: info-attempt; reference: arachnids,234;)
alert TCP $EXTERNAL any -> $INTERNAL 513 (msg: "IDS389/rservice_rsh-root_login"; flags: A+; content: "root|00|root|00|"; classtype: system-attempt; reference: arachnids,389;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS208/web-cgi_http-phorum-read"; flags: A+; uricontent: "read.php3"; classtype: system-or-info-attempt; reference: arachnids,208;)
# Response-side: FTP server reply code 530, reports a failed login.
alert TCP $INTERNAL 21 -> $EXTERNAL any (msg: "IDS364/ftp_ftp-bad-login"; flags: A+; content: "530 Login "; classtype: system-failed; reference: arachnids,364;)
alert TCP $EXTERNAL any -> $INTERNAL 139 (msg: "IDS338/netbios_NETBIOS-SMB-CD.."; flags: A+; content: "|5c|..|2f 00 00 00|"; classtype: system-attempt; reference: arachnids,338;)
alert TCP $EXTERNAL any -> $INTERNAL 514 (msg: "IDS388/rservice_rlogin-echo++"; flags: A+; content: "echo |22|+ +|22|"; classtype: system-attempt; reference: arachnids,388;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS550/web-cgi_ASPSeek_s.cgi_access"; dsize: >500; flags: A+; uricontent: "/s.cgi"; nocase; content: "tmpl="; classtype: system-or-info-attempt; reference: arachnids,550;)
alert UDP $EXTERNAL any -> $INTERNAL 137 (msg: "IDS177/netbios_netbios-name-query"; content: "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|00 00|"; classtype: info-attempt; reference: arachnids,177;)
alert TCP $EXTERNAL any -> $INTERNAL 139 (msg: "IDS337/netbios_NETBIOS-SMB-CD..."; flags: A+; content: "|5c|...|00 00 00|"; classtype: system-attempt; reference: arachnids,337;)
alert TCP $EXTERNAL any -> $INTERNAL 6000 (msg: "IDS396/x11_X-MITcookie"; flags: A+; content: "MIT-MAGIC-COOKIE-1"; classtype: system-attempt; reference: arachnids,396;)
alert UDP $EXTERNAL any -> $INTERNAL 69 (msg: "IDS138/tftp_TFTP-root_directory"; content: "|00 01|/"; classtype: system-attempt; reference: arachnids,138;)
alert TCP $EXTERNAL any -> $INTERNAL 139 (msg: "IDS340/netbios_NETBIOS-SMB-ADMIN$access"; flags: A+; content: "|5c|ADMIN$|00 41 3a 00|"; classtype: system-attempt; reference: arachnids,340;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS220/web-cgi_http-cgi-snork"; flags: A+; uricontent: "snork.bat"; nocase; classtype: system-or-info-attempt; reference: arachnids,220;)
alert TCP $EXTERNAL any -> $INTERNAL 261 (msg: "IDS410/misc_fw1-authentication"; flags: A+; content: "220 FW-1 Session Authentication"; classtype: system-attempt; reference: arachnids,410;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS317/ftp_ftp-site-exec"; flags: A+; content: "site exec"; nocase; classtype: system-attempt; reference: arachnids,317;)
alert TCP $EXTERNAL any -> $INTERNAL 139 (msg: "IDS204/netbios_netbios-nt-null-session"; flags: A+; content: "|00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4E 00 54 00 20 00 31 00 33 00 38 00 31|"; classtype: info-attempt; reference: arachnids,204;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS463/web-cgi_web-cgi-wwwboard-passwd"; flags: A+; uricontent: "/wwwboard/passwd.txt"; classtype: info-attempt; reference: arachnids,463;)
alert TCP $EXTERNAL any -> $INTERNAL 8080 (msg: "IDS267/misc_delegate-proxy-overflow"; dsize: >1000; flags: A+; content: "whois|3a|//"; nocase; classtype: system-attempt; reference: arachnids,267;)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS377/finger_finger-probe-null"; flags: A+; content: "|00|"; classtype: info-attempt; reference: arachnids,377;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS128/web-cgi_http-cgi-phf"; flags: A+; uricontent: "phf"; classtype: system-or-info-attempt; reference: arachnids,128;)
alert TCP $EXTERNAL any -> $INTERNAL 513 (msg: "IDS384/rservice_RSH-bin"; flags: A+; content: "bin|00|bin|00|"; classtype: system-attempt; reference: arachnids,384;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS470/web-cgi_web-cgi-webplus-version"; flags: A+; uricontent: "/webplus?about"; nocase; classtype: system-or-info-attempt; reference: arachnids,470;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS264/misc_dos-ath0-modem-disconnect"; itype: 8; content: "+++ath0"; nocase; classtype: denialofservice; reference: arachnids,264;)
alert TCP $EXTERNAL any -> $INTERNAL 139 (msg: "IDS334/netbios_NETBIOS-SMB-IPC$access"; flags: A+; content: "|5c00|I|00|P|00|C|00|$|000000|IPC|00|"; classtype: info-attempt; reference: arachnids,334;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS355/shellcode_shellcode-NOOP-Sparc-tcp2"; flags: A+; content: "|a61c c013 a61c c013 a61c c013 a61c c013|"; classtype: system-attempt; reference: arachnids,355;)
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS346/shellcode_shellcode-NOOP-Sparc-udp2"; content: "|a61c c013 a61c c013 a61c c013 a61c c013|"; classtype: system-attempt; reference: arachnids,346;)
alert TCP $EXTERNAL any -> $INTERNAL 23 (msg: "IDS369/telnet_telnet-resolv_host_conf"; flags: A+; content: "resolv_host_conf"; classtype: system-attempt; reference: arachnids,369;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS468/web-cgi_web-cgi-websitepro-path"; flags: A+; uricontent: " /HTTP1."; nocase; classtype: info-attempt; reference: arachnids,468;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS290/web-misc_http-cgi-infosearch-fname"; flags: A+; uricontent: "infosrch.cgi?"; uricontent: "fname=|7c|"; classtype: system-or-info-attempt; reference: arachnids,290;)
# Informational: matches the telnet IAC byte (0xff) as the first payload byte of
# any reply from an inside telnet server, i.e. it fires whenever a telnet
# service is reachable from outside. classtype not-suspicious.
alert TCP $INTERNAL 23 -> $EXTERNAL any (msg: "IDS8/telnet_telnet-daemon-active"; flags: A+; content: "|ff|"; depth: 1; classtype: not-suspicious; reference: arachnids,8;)
alert TCP $EXTERNAL any -> $INTERNAL 139 (msg: "IDS339/netbios_NETBIOS-SMB-C$access"; flags: A+; content: "|5c|C$|00 41 3a 00|"; classtype: system-attempt; reference: arachnids,339;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS225/web-cgi_http-cgi-anyform"; flags: A+; uricontent: "anyform"; nocase; classtype: system-or-info-attempt; reference: arachnids,225;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS200/web-iis_http-iis_encoding"; flags: A+; uricontent: "|25 31 75|"; classtype: suspicious; reference: arachnids,200;)
alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS278/dns_named-probe-version"; content: "|07|version"; offset: 12; nocase; content: "|04|bind"; offset: 12; nocase; classtype: info-attempt; reference: arachnids,278;)
alert TCP $EXTERNAL any -> $INTERNAL 514 (msg: "IDS391/rservice_rlogin-root"; flags: A+; content: "root|00|root|00|"; classtype: system-attempt; reference: arachnids,391;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS232/web-cgi_http-cgi-php-slash"; flags: A+; uricontent: "php.cgi?/"; depth: 32; offset: 5; classtype: info-attempt; reference: arachnids,232;)
alert TCP $INTERNAL 722 -> $EXTERNAL any (msg: "IDS280/ssh_ssh-freebsd40-port"; dsize: <40; flags: A+; content: "SSH-"; depth: 5; classtype: suspicious; reference: arachnids,280;)
alert TCP $EXTERNAL any -> $INTERNAL 513 (msg: "IDS385/rservice_RSH-echo++"; flags: A+; content: "echo |22|+ +|22|"; classtype: system-attempt; reference: arachnids,385;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS466/web-cgi_web-cgi-whoisraw"; flags: A+; uricontent: "whois_raw.cgi?"; classtype: system-or-info-attempt; reference: arachnids,466;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS357/shellcode_shellcode-NOOP-SGI-tcp2"; flags: A+; content: "|240f 1234 240f 1234 240f 1234 240f 1234|"; classtype: system-attempt; reference: arachnids,357;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS275/dos_dos-http-cisco-crash"; flags: A+; content: "|20 2F 25 25|"; depth: 16; classtype: denialofservice; reference: arachnids,275;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS209/web-cgi_http-phorum-violation"; flags: A+; uricontent: "violation.php3"; classtype: relay-or-info-attempt; reference: arachnids,209;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS473/web-misc_web-cgi-webdriver"; flags: A+; uricontent: "/webdriver"; nocase; classtype: system-or-info-attempt; reference: arachnids,473;)
# Response-side: reply from an inside SOCKS4 server, reports a successful relay.
alert TCP $INTERNAL 1080 -> $EXTERNAL any (msg: "IDS176/misc_socks4-active"; flags: A+; content: "|04 5A|"; depth: 2; classtype: relay-success; reference: arachnids,176;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS291/shellcode_shellcode-x86-stealth-nop"; content: "|eb 02 eb 02 eb 02|"; classtype: system-attempt; reference: arachnids,291;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS218/web-cgi_http-cgi-test-cgi"; flags: A+; uricontent: "test-cgi"; classtype: info-attempt; reference: arachnids,218;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS540/ftp_ftp-passwd-rnto-path"; flags: A+; content: "RNTO"; nocase; content: "/passwd"; classtype: system-attempt; reference: arachnids,540;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS228/web-cgi_http-cgi-guestbook"; flags: A+; uricontent: "guestbook"; nocase; classtype: system-or-info-attempt; reference: arachnids,228;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS226/web-cgi_http-cgi-formmail"; flags: A+; uricontent: "formmail"; classtype: system-or-info-attempt; reference: arachnids,226;)
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS362/shellcode_shellcode-x86-nops-udp"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; classtype: system-attempt; reference: arachnids,362;)
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS349/shellcode_shellcode-NOOP-HP-udp"; content: "|0821 0280 0821 0280 0821 0280 0821 0280|"; classtype: system-attempt; reference: arachnids,349;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS318/ftp_ftp-cwd~root"; flags: A+; content: "cwd ~root"; nocase; classtype: system-attempt; reference: arachnids,318;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS320/ftp_ftp-linux-nullpass"; flags: A+; content: "pass null|0d|"; nocase; classtype: system-attempt; reference: arachnids,320;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS359/shellcode_shellcode-NOOP-HP-tcp2"; flags: A+; content: "|0b39 0280 0b39 0280 0b39 0280 0b39 0280|"; classtype: system-attempt; reference: arachnids,359;)
alert TCP $EXTERNAL any -> $INTERNAL 514 (msg: "IDS394/rservice_rlogin-LoginFailure"; flags: A+; content: "|01|rlogind|3a| Permission denied."; classtype: system-failed; reference: arachnids,394;)
alert UDP $EXTERNAL any -> $INTERNAL 69 (msg: "IDS148/tftp_TFTP write"; content: "|00 02|"; depth: 2; classtype: data-attempt; reference: arachnids,148;)
alert TCP $EXTERNAL any -> $INTERNAL 119 (msg: "IDS274/misc_nntp-overflow-cassandra"; dsize: >512; flags: A+; content: "AUTHINFO USER"; depth: 16; nocase; classtype: system-attempt; reference: arachnids,274;)
alert TCP $EXTERNAL any -> $INTERNAL 23 (msg: "IDS368/telnet_telnet-ld_library_path"; flags: A+; content: "ld_library_path"; nocase; classtype: system-attempt; reference: arachnids,368;)
alert UDP $EXTERNAL any -> $INTERNAL 32770: (msg: "IDS136/rpc_rpc-rusers-query"; rpc: 100002,*,*; content: "|00 00 00 00 00 00 00 02 00 01 86 A2|"; classtype: info-attempt; reference: arachnids,136;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS541/ftp_ftp-passwd-appe-path"; flags: A+; content: "APPE"; nocase; content: "/passwd"; classtype: system-attempt; reference: arachnids,541;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS272/web-cgi_http-piranha-passwd.php3"; flags: A+; uricontent: "passwd.php3"; nocase; classtype: system-or-info-attempt; reference: arachnids,272;)
# Response-side: SMTP enhanced status code 5.7.1 from an inside mail server.
alert TCP $INTERNAL 25 -> $EXTERNAL any (msg: "IDS249/smtp_smtp-relay-denied"; flags: A+; content: "5.7.1"; depth: 70; classtype: relay-failed; reference: arachnids,249;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS292/web-frontpage_http-frontpage-shtml.dll"; flags: A+; uricontent: "_vti_bin/shtml.dll"; nocase; classtype: info-attempt; reference: arachnids,292;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS235/web-cgi_http-cgi-handler"; flags: A+; uricontent: "handler"; classtype: system-or-info-attempt; reference: arachnids,235;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS32/smtp_smtp-expn-decode"; flags: A+; content: "expn decode"; nocase; classtype: info-attempt; reference: arachnids,32;)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS381/finger_finger-bomb"; flags: A+; content: "@@"; classtype: denialofservice; reference: arachnids,381;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS322/ftp_ftp-nopassword"; flags: A+; content: "pass |0d|"; nocase; classtype: system-attempt; reference: arachnids,322;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS305/web-iis_http-iis_translate_f"; flags: A+; content: "Translate|3a| F"; nocase; classtype: info-attempt; reference: arachnids,305;)
alert TCP $INTERNAL 23 -> $EXTERNAL any (msg: "IDS127/telnet_telnet-login-incorrect"; flags: A+; content: "Login incorrect"; depth: 16; nocase; classtype: system-failed; reference: arachnids,127;)
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS347/shellcode_shellcode-NOOP-SGI-udp"; content: "|240f 1234 240f 1234 240f 1234 240f 1234|"; classtype: system-attempt; reference: arachnids,347;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS284/shellcode_shellcode-x86-setgid0"; flags: A+; content: "|b0b5 cd80|"; classtype: system-attempt; reference: arachnids,284;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS539/ftp_ftp-passwd-stor-path"; flags: A+; content: "STOR"; nocase; content: "/passwd"; classtype: system-attempt; reference: arachnids,539;)
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS436/shellcode_shellcode-x86-setuid0-udp"; content: "|b017 cd80|"; classtype: system-attempt; reference: arachnids,436;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS361/shellcode_shellcode-NOOP-Digital-tcp"; flags: A+; content: "|47 ff 04 1f 47 ff 04 1f 47 ff 04 1f 47 ff 04 1f|"; classtype: system-attempt; reference: arachnids,361;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS221/web-cgi_http-cgi-finger"; flags: A+; uricontent: "finger"; classtype: info-attempt; reference: arachnids,221;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS356/shellcode_shellcode-NOOP-SGI-tcp"; flags: A+; content: "|03e0 f825 03e0 f825 03e0 f825 03e0 f825|"; classtype: system-attempt; reference: arachnids,356;)
alert TCP $EXTERNAL any -> $INTERNAL 514 (msg: "IDS390/rservice_rlogin-bin"; flags: A+; content: "bin|00|bin|00|"; classtype: system-attempt; reference: arachnids,390;)

### VULNERABILITY WITHOUT CONTENT CHECK
# These signatures are particular to a certain vulnerability,
# but may be triggered by more than one exploit or tool. These
# signatures are not specific to only one exploit, and do not
# check packet contents.
#
# NOTE(review): "do not check packet contents" is not literally true for
# this section: the portmap-request rules carry a content: match holding
# the RPC program number as hex bytes (e.g. 100001 = |0186a1|), which
# duplicates their rpc: option. It does hold for the ipopts/ttl/itype/
# flags/dsize-only rules. Several of those (ttl: 1 traceroute, ICMP
# type-only matches, the single-flag scan rules) will also fire on
# routine network activity and are best treated as low-confidence.
########### (total: 59)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS20/rpc_portmap-request-sadmind"; rpc: 100232,*,*; content: "|018788|"; classtype: info-attempt; reference: arachnids,20;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS118/scan_Traceroute ICMP"; ttl: 1; itype: 8; classtype: info-attempt; reference: arachnids,118;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS419/misc_source_route_tcp_lsrr"; ipopts: lsrr; classtype: suspicious; reference: arachnids,419;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS24/rpc_portmap-request-ttdbserv"; rpc: 100083,*,*; content: "|0186f3|"; classtype: info-attempt; reference: arachnids,24;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS174/icmp_IRDP_router_selection"; itype: 10; classtype: suspicious; reference: arachnids,174;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS416/icmp_icmp-timestamp_request"; itype: 13; classtype: info-attempt; reference: arachnids,416;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS423/misc_source_route_tcp_ssrr"; ipopts: ssrr; classtype: suspicious; reference: arachnids,423;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS173/icmp_IRDP_router_advertisement"; itype: 9; classtype: suspicious; reference: arachnids,173;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS4/scan_probe-null_scan"; seq: 0; ack: 0; flags: 0; classtype: info-attempt; reference: arachnids,4;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS21/rpc_portmap-request-nisd"; rpc: 100300,*,*; content: "|0187cc|"; classtype: info-attempt; reference: arachnids,21;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS3/scan_Traceroute TCP"; ttl: 1; classtype: info-attempt; reference: arachnids,3;)
alert TCP $EXTERNAL any -> $INTERNAL 1347 (msg: "IDS494/dos_dos-symantec-ghost-config-server"; dsize: >16000; flags: A+; classtype: denialofservice; reference: arachnids,494;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS198/scan_SYN FIN Scan"; flags: SF; classtype: info-attempt; reference: arachnids,198;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS19/rpc_portmap-request-autofsd"; rpc: 100099,*,*; content: "|018703|"; classtype: info-attempt; reference: arachnids,19;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS417/icmp_icmp-information_request"; itype: 15; classtype: info-attempt; reference: arachnids,417;)
alert TCP $EXTERNAL 53 -> $INTERNAL 0:1023 (msg: "IDS7/misc_SourcePortTraffic-53-tcp"; flags: S; classtype: suspicious; reference: arachnids,7;)
alert TCP $INTERNAL 7161 -> $EXTERNAL any (msg: "IDS129/dos_dos-cisco-catalyst-remote-access"; flags: SA; classtype: denialofservice; reference: arachnids,129;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS16/rpc_portmap-request-bootparam"; rpc: 100026,*,*; content: "|0186ba|"; classtype: info-attempt; reference: arachnids,16;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS10/rpc_portmap-request-rstatd"; rpc: 100001,*,*; content: "|0186a1|"; classtype: info-attempt; reference: arachnids,10;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS14/rpc_portmap-request-yppasswd"; rpc: 100009,*,*; content: "|0186a9|"; classtype: info-attempt; reference: arachnids,14;)
# SYN-ACK from an outside X server (ports 6000-6005) back to an inside host:
# an inside host has opened a connection to an outside X display.
alert TCP $EXTERNAL 6000:6005 -> $INTERNAL any (msg: "IDS126/x11_Outgoing_Xterm"; flags: SA; classtype: system-success; reference: arachnids,126;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS25/rpc_portmap-request-selection_svc"; rpc: 100015,*,*; content: "|0186af|"; classtype: info-attempt; reference: arachnids,25;)
alert TCP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS428/rpc_portmap-listing-111"; flags: A+; rpc: 100000,*,*; content: "|0186a0|"; classtype: info-attempt; reference: arachnids,428;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS199/icmp_icmp-redirect_net"; itype: 5; icode: 0; classtype: denialofservice; reference: arachnids,199;)
alert UDP $EXTERNAL any -> $INTERNAL 123 (msg: "IDS492/misc_ntpdx-buffer-overflow"; dsize: >128; classtype: system-attempt; reference: arachnids,492;)
alert TCP $EXTERNAL any -> $INTERNAL 617 (msg: "IDS261/dos_dos-arkiea-backup"; dsize: >1445; flags: A+; classtype: denialofservice; reference: arachnids,261;)
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS420/misc_source_route_udp_lsrre"; ipopts: lsrre; classtype: suspicious; reference: arachnids,420;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS135/icmp_icmp-redirect_host"; itype: 5; icode: 1; classtype: suspicious; reference: arachnids,135;)
alert TCP $EXTERNAL any -> $INTERNAL 1080 (msg: "IDS175/misc_socks-probe"; ack: 0; flags: S; classtype: relay-attempt; reference: arachnids,175;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS216/icmp_icmp-subnet_mask_request"; itype: 17; classtype: info-attempt; reference: arachnids,216;)
alert TCP $EXTERNAL 20 -> $INTERNAL 0:1023 (msg: "IDS6/misc_SourcePortTraffic-20-tcp"; flags: S; classtype: suspicious; reference: arachnids,6;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS23/rpc_portmap-request-rexd"; rpc: 100017,*,*; content: "|0186b1|"; classtype: info-attempt; reference: arachnids,23;)
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS247/dos_dos-large-udp"; dsize: >4000; classtype: denialofservice; reference: arachnids,247;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS542/rpc_portmap-request-espd"; rpc: 391029,*,*; content: "|05f775|"; classtype: info-attempt; reference: arachnids,542;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS116/icmp_source_route_icmp_lsrr"; ipopts: lsrr; classtype: suspicious; reference: arachnids,116;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS27/scan_probe-fin_scan"; flags: F; classtype: info-attempt; reference: arachnids,27;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS125/rpc_portmap-request-ypupdated"; rpc: 100028,*,*; content: "|0186bc|"; classtype: info-attempt; reference: arachnids,125;)
alert TCP $EXTERNAL any -> $INTERNAL 113 (msg: "IDS488/misc_identd-overflow_SuSE"; dsize: >1400; flags: A+; classtype: system-attempt; reference: arachnids,488;)
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS115/scan_Traceroute UDP"; ttl: 1; classtype: info-attempt; reference: arachnids,115;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS424/icmp_source_route_icmp_ssrr"; ipopts: ssrr; classtype: suspicious; reference: arachnids,424;)
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS418/misc_source_route_udp_lsrr"; ipopts: lsrr; classtype: suspicious; reference: arachnids,418;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS30/scan_probe-xmas-scan"; ack: 0; flags: FUP; classtype: info-attempt; reference: arachnids,30;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS18/rpc_portmap-request-admind"; rpc: 100087,*,*; content: "|0186f7|"; classtype: info-attempt; reference: arachnids,18;)
alert UDP $EXTERNAL any -> $INTERNAL 161 (msg: "IDS536/dos_dos-cisco_null_snmp"; dsize: 0; classtype: denialofservice; reference: arachnids,536;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS238/scan_Traceroute IPOPTS"; ipopts: rr; itype: 0; classtype: info-attempt; reference: arachnids,238;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS246/dos_dos-large-icmp"; dsize: >800; classtype: denialofservice; reference: arachnids,246;)
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS422/misc_source_route_udp_ssrr"; ipopts: ssrr; classtype: suspicious; reference: arachnids,422;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS133/rpc_portmap-request-rusers"; rpc: 100002,*,*; content: "|0186a2|"; classtype: info-attempt; reference: arachnids,133;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS117/icmp_source_route_icmp_lsrre"; ipopts: lsrre; classtype: suspicious; reference: arachnids,117;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS407/rpc_portmap-request-nlockmgr"; rpc: 100021,*,*; content: "|0186b5|"; classtype: info-attempt; reference: arachnids,407;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS421/misc_source_route_tcp_lsrre"; ipopts: lsrre; classtype: suspicious; reference: arachnids,421;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS22/rpc_portmap-request-pcnfsd"; rpc: 150001,*,*; content: "|0249f1|"; classtype: info-attempt; reference: arachnids,22;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS13/rpc_portmap-request-mountd"; rpc: 100005,*,*; content: "|0186a5|"; classtype: info-attempt; reference: arachnids,13;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS12/rpc_portmap-request-ypserv"; rpc: 100004,*,*; content: "|0186a4|"; classtype: info-attempt; reference: arachnids,12;)
alert TCP $EXTERNAL any -> $INTERNAL 32771 (msg: "IDS429/rpc_portmap-listing-32771"; flags: A+; rpc: 100000,*,*; content: "|0186a0|"; classtype: info-attempt; reference: arachnids,429;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS144/scan_probe-full_xmas_scan"; ack: 0; flags: SFAUPR; classtype: info-attempt; reference: arachnids,144;)
alert TCP $EXTERNAL any -> $INTERNAL 2638 (msg: "IDS493/dos_dos-symantec-ghost-database"; dsize: >16000; flags: A+; classtype: denialofservice; reference: arachnids,493;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS15/rpc_portmap-request-status"; rpc: 100024,*,*; content: "|0186b8|"; classtype: info-attempt; reference: arachnids,15;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS17/rpc_portmap-request-cmsd"; rpc: 100068,*,*; content: "|0186e5|"; classtype: info-attempt; reference: arachnids,17;)

### OTHER
# These signatures are not particular to a single exploit, tool,
# nor vulnerability. They detect multiple vulnerabilities.
########### (total: none yet!)
#end arachNIDS export [20010628.1006]
