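# Snort 1.x signature set in the arachNIDS style: every msg is "IDS<id>/<name>".
# $EXTERNAL and $INTERNAL are not defined in this file; they are expected to be
# set with `var` lines before this file is included (an undefined variable is a
# parse-time error, so the whole file would fail to load).
# Notation reminders for readers used to newer Snort releases:
#   - flags: values such as AP12 / SF12 / SFU12 / S12 name the two reserved TCP
#     header bits as "1" and "2"; a flags: value without a modifier matches only
#     packets with exactly those bits set.
#   - content: "|..|" is hex; nocase applies to the preceding content keyword.
#   - IDS numbers are the original database identifiers, not Snort sids; there
#     are no sid/rev keywords, so per-rule tuning has to key on the msg text.

# --- Worm and backdoor command channels ------------------------------------
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS1/ADMw0rm-ftp-retrieval"; content: "USER w0rm|0D0A|"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS263/backdoor-cdk"; content: "ypi0ca"; nocase; flags: AP; depth: 15;)
# Pure port/flag rules: any SYN to the listed port fires, regardless of payload.
alert TCP $EXTERNAL any -> $INTERNAL 1966 (msg: "IDS222/Backdoor-FakeFTP"; flags: S;)
alert TCP $EXTERNAL any -> $INTERNAL 1269 (msg: "IDS223/Backdoor-Matrix 1.x-2.0"; flags: S;)
# Source 255.255.255.0/24 covers 255.255.255.0-255; presumably written to catch
# the spoofed limited-broadcast source address used by this backdoor — confirm.
alert ICMP 255.255.255.0/24 any -> $INTERNAL any (msg: "IDS202/backdoor-Q-icmp"; itype: 0; dsize: >1;)
alert TCP 255.255.255.0/24 any -> $INTERNAL any (msg: "IDS203/backdoor-Q-tcp"; flags: A; dsize: >1;)
alert UDP 255.255.255.0/24 any -> $INTERNAL any (msg: "IDS201/backdoor-Q-udp"; dsize: >1;)
alert TCP $INTERNAL 7161 -> $EXTERNAL any (msg: "IDS129/cisco-catalyst-remote-access"; flags: SA;)

# --- Client-side overflow (same 17-byte pattern in both directions) ----------
alert TCP $EXTERNAL 80 -> $INTERNAL any (msg: "IDS215/client-netscape47-overflow-retrieved"; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|"; flags: AP;)
alert TCP $INTERNAL any -> $EXTERNAL 80 (msg: "IDS214/client-netscape47-overflow-unsucessful"; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|"; flags: AP;)

# --- OS fingerprinting probes (CyberCop) -------------------------------------
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS149/cybercop-os-probe-pa12"; content: "AAAAAAAAAAAAAAAA"; flags: AP12; depth: 16;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS146/cybercop-os-probe-sf12"; flags: SF12; dsize: 0;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS145/cybercop-os-probe-sfp"; content: "AAAAAAAAAAAAAAAA"; flags: SFP; ack: 0; depth: 16;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS150/cybercop-os-probe-sfu12"; content: "AAAAAAAAAAAAAAAA"; flags: SFU12; ack: 0; depth: 16;)

# --- Shaft DDoS agent/handler traffic ----------------------------------------
alert UDP $INTERNAL any -> $EXTERNAL 20433 (msg: "IDS256/ddos-shaft-agent-to-handler"; content: "alive";)
alert TCP $EXTERNAL any -> $INTERNAL 20432 (msg: "IDS254/ddos-shaft-client-to-handler"; flags: AP;)
alert UDP $EXTERNAL any -> $INTERNAL 18753 (msg: "IDS255/ddos-shaft-handler-to-agent"; content: "alive tijgu";)
# Both synflood rules key on the fixed initial sequence number 674711609 from
# source ports <= 1024; the outgoing variant flags a compromised internal host.
alert TCP $EXTERNAL :1024 -> $INTERNAL any (msg: "IDS252/ddos-shaft-synflood-incoming"; flags: S; seq: 674711609;)
alert TCP $INTERNAL :1024 -> $EXTERNAL any (msg: "IDS253/ddos-shaft-synflood-outgoing"; flags: S; seq: 674711609;)

# --- Service overflows / denial of service -----------------------------------
alert TCP $EXTERNAL any -> $INTERNAL 8080 (msg: "IDS267/delegate-proxy-overflow"; content: "whois|3a|//"; nocase; flags: AP; dsize: >1000;)
# NOTE(review): the pattern is the generic DNS query header (flags 0x0100, one
# question, zero answer/authority/additional records) located 2 bytes past the
# TCP length prefix; nothing checks the AXFR question type, so any TCP DNS query
# matches. Expect false positives from resolvers that retry over TCP.
alert TCP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS212/dns-zone-transfer"; content: "|01 00 00 01 00 00 00 00 00 00|"; flags: AP; offset: 2; depth: 16;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS257/dos-aix-ftpd"; content: "CEL"; flags: AP; dsize: >1300;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS260/dos-annex-terminal"; content: "ping?query"; flags: AP; dsize: >1400;)
alert TCP $EXTERNAL any -> $INTERNAL 617 (msg: "IDS261/dos-arkiea-backup"; flags: AP; dsize: >1445;)
alert UDP $EXTERNAL any -> $INTERNAL 9 (msg: "IDS262/dos-ascend-reboot"; content: "|4e414d454e414d45|"; offset: 25; depth: 50;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS264/dos-ath0"; content: "+++ath0"; nocase; itype: 8;)

# --- Scans -------------------------------------------------------------------
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS27/FIN Scan"; flags: F;)

# --- finger (79) -------------------------------------------------------------
# IDS130/IDS131/IDS11 pin the exact request size (dsize) so only the bare probe
# matches; IDS251 fires on any "@" in a finger request and will be noisy.
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS130/finger-.@host"; content: "|2E 0A 20 20 20 20|"; flags: AP; dsize: 6; depth: 6;)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS131/finger-0@host"; content: "|30 0A 20 20 20 20|"; flags: AP; dsize: 6; depth: 6;)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS132/finger-cybercop-query"; content: "|0A 20 20 20 20 20|"; flags: AP; depth: 10;)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS11/finger-cybercop-redirection"; content: "|40 6C 6F 63 61 6C 68 6F 73 74 0A|"; flags: AP; dsize: 11; depth: 11;)
alert TCP $EXTERNAL any -> $INTERNAL 79 (msg: "IDS251/finger-redirection"; content: "@"; flags: AP;)

# --- FTP (21) ----------------------------------------------------------------
# IDS213 matches the substring "passwd" anywhere in the FTP control stream,
# including ordinary file names; treat as informational.
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS134/FTP tar parameters"; content: "RETR --use-compress-program"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS213/ftp-passwd-retrieval"; content: "passwd"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS144/Full XMAS Scan"; flags: SFAPUR; ack: 0;)

# --- HTTP server-side ----------------------------------------------------------
# IDS276 watches the server's response ($INTERNAL 80 -> $EXTERNAL), not the request.
alert TCP $INTERNAL 80 -> $EXTERNAL any (msg: "IDS276/http-cgi-bugzilla-exploit"; content: "blaat@blaat.com"; nocase; flags: AP; content: "process_bug.cgi"; offset: 5; depth: 64; nocase;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS275/http-cisco-crash"; content: "|20 2F 25 25|"; flags: AP; depth: 16;)

# --- ICMP control messages that can alter routing on the receiver ------------
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS135/ICMP Redirect Host"; itype: 5; icode: 1;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS199/ICMP Redirect Net"; itype: 5; icode: 0;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS216/ICMP subnet mask request"; itype: 17;)

alert TCP $EXTERNAL any -> $INTERNAL 143 (msg: "IDS147/IMAP-x86-linux-buffer-overflow"; content: "|e8 c0ff ffff|/bin/sh"; flags: AP; dsize: >100;)
alert TCP $EXTERNAL any -> $INTERNAL 1417 (msg: "IDS229/insecure-timbuktu-password"; content: "|05 00 3E|"; flags: AP; depth: 16;)
# Fixed initial sequence number used by the ipeye scanner.
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS236/ipeye-syn-scan"; flags: S; seq: 1958810375;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS173/IRDP Router Advertisement"; itype: 9;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS174/IRDP Router Selection"; itype: 10;)
# Size-only rules; tune the 800-byte threshold to the local MTU/usage.
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS246/large-icmp"; dsize: >800;)
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS247/large-udp"; dsize: >800;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS2/mworm-ftp-retrieval"; content: "USER mw|0D0A|"; flags: AP;)

# --- DNS (53/udp) probes -----------------------------------------------------
alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS277/named-probe-iquery"; content: "|0980 0000 0001 0000 0000|"; offset: 2; depth: 16;)
alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS278/named-probe-version"; content: "|07|version|04|bind|00 0010 0008|"; nocase; offset: 13; depth: 32;)
alert UDP $EXTERNAL any -> $INTERNAL 137 (msg: "IDS177/netbios-name-query"; content: "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|00 00|";)

# --- ONC RPC -----------------------------------------------------------------
# Open-ended port range 32771: (32771 and above) for the Solaris dynamic RPC range.
alert TCP $EXTERNAL any -> $INTERNAL 32771: (msg: "IDS26/nfs-showmount"; content: "|00 01 86 A5 00 00 00 01 00 00 00 05 00 00 00 01|"; flags: AP; offset: 16; depth: 32;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS5/NMAP Fingerprint attempt"; flags: SFPU;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS28/NMAP TCP ping"; flags: A; ack: 0;)
alert TCP $EXTERNAL any -> $INTERNAL 119 (msg: "IDS274/nntp-overflow-cassandra"; content: "AUTHINFO USER"; nocase; flags: AP; dsize: >512; depth: 16;)
# 12 consecutive x86 NOPs on any TCP port; binary transfers will trip this.
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS181/nops-x86"; content: "|90 90 90 90 90 90 90 90 90 90 90 90|"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 139 (msg: "IDS204/NT NULL session"; content: "|00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4E 00 54 00 20 00 31 00 33 00 38 00 31|"; flags: AP;)
# flags: 0 means no TCP flag bits set at all.
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS4/NULL Scan"; flags: 0; seq: 0; ack: 0;)
# SYN-ACK from an external X server port: an internal host opened a display
# outward (the classic reverse-xterm pattern).
alert TCP $EXTERNAL 6000:6005 -> $INTERNAL any (msg: "IDS126/Outgoing Xterm"; flags: SA;)
alert TCP $INTERNAL 5632 -> $EXTERNAL any (msg: "IDS240/pcanywhere-failed"; content: "Invalid login"; flags: AP; depth: 16;)
alert UDP $EXTERNAL any -> $INTERNAL 5632 (msg: "IDS239/pcanywhere-start"; content: "ST"; depth: 2;)

# --- ICMP echo payload fingerprints ------------------------------------------
# Informational: identifies the ping tool/OS from the first bytes of the echo
# payload. IDS162 has no content and matches any empty echo request.
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS151/Ping BeOS 4.x"; content: "|00000000000000000000000008090a0b|"; itype: 8; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS152/Ping BSDtype"; content: "|08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17|"; itype: 8; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS153/Ping Cisco IOS 9.x"; content: "|abcdabcdabcdabcdabcdabcdabcdabcd|"; itype: 8; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS178/Ping CyberCop55"; content: "|00 00 20 20 20 20 20 20 20 20 20|"; itype: 8; icmp_seq: 18467; offset: 7; depth: 18;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS154/Ping CyberKit 2.2 Windows"; content: "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; itype: 8; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS155/Ping Delphi-Piette Windows"; content: "|50696e67696e672066726f6d2044656c|"; itype: 8; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS156/Ping Flowpoint 2200 DSL Router"; content: "|0102030405060708090a0b0c0d0e0f10|"; itype: 8; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS157/Ping IPNetMonitor Macintosh"; content: "|a9205375737461696e61626c6520536f|"; itype: 8; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS158/Ping ISS Pinger"; content: "ISSPNGRQ"; itype: 8; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS159/Ping Microsoft Windows"; content: "|6162636465666768696a6b6c6d6e6f70|"; itype: 8; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS161/Ping NetworkToolbox3 Windows"; content: "|3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d|"; itype: 8; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS162/Ping Nmap 2.36BETA"; itype: 8; dsize: 0;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS163/Ping OpenBSD-Linux"; content: "|101112131415161718191a1b1c1d1e1f|"; itype: 8; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS164/Ping Ping-O-Meter Windows"; content: "|4f4d657465724f6265736541726d6164|"; itype: 8; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS165/Ping Pinger Windows"; content: "|44617461000000000000000000000000|"; itype: 8; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS166/Ping Seer Windows"; content: "|88042020202020202020202020202020|"; itype: 8; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS167/Ping TJPingPro 1.1 Build 2 Windows"; content: "|544a50696e6750726f206279204a696d|"; itype: 8; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS168/Ping Whatsup Gold Windows"; content: "|57686174735570202d2041204e657477|"; itype: 8; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS169/Ping Win2000"; content: "|61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70|"; itype: 8; depth: 32;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS171/Ping zeros"; content: "|00000000000000000000000000000000|"; itype: 8; depth: 32;)

# --- portmap (111/udp) GETPORT requests by RPC program number ------------------
# Each pattern is the program number at a fixed offset of 40 bytes into the UDP
# payload. NOTE(review): that offset is only correct when the call carries
# zero-length credential and verifier bodies (AUTH_NULL); a call with longer
# credentials shifts the field and these rules will not match — confirm whether
# that coverage gap is acceptable.
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS18/portmap-request-admind"; content: "|01 86 F7 00 00|"; offset: 40; depth: 8;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS19/portmap-request-amountd"; content: "|01 87 03 00 00|"; offset: 40; depth: 8;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS16/portmap-request-bootparam"; content: "|01 86 BA 00 00|"; offset: 40; depth: 8;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS17/portmap-request-cmsd"; content: "|01 86 E4 00 00|"; offset: 40; depth: 8;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS13/portmap-request-mountd"; content: "|01 86 A5 00 00|"; offset: 40; depth: 8;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS21/portmap-request-nisd"; content: "|01 87 cc 00 00|"; offset: 40; depth: 8;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS22/portmap-request-pcnfsd"; content: "|02 49 f1 00 00|"; offset: 40; depth: 8;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS23/portmap-request-rexd"; content: "|01 86 B1 00 00|"; offset: 40; depth: 8;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS10/portmap-request-rstatd"; content: "|01 86 A1 00 00|"; offset: 40; depth: 8;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS133/portmap-request-rusers"; content: "|01 86 A2 00 00|"; offset: 40; depth: 8;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS20/portmap-request-sadmind"; content: "|01 87 88 00 00|"; offset: 40; depth: 8;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS25/portmap-request-selection_svc"; content: "|01 86 AF 00 00|"; offset: 40; depth: 8;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS15/portmap-request-status"; content: "|01 86 B8 00 00|"; offset: 40; depth: 8;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS24/portmap-request-ttdbserv"; content: "|01 86 F3 00 00|"; offset: 40; depth: 8;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS14/portmap-request-yppasswd"; content: "|01 86 A9 00 00|"; offset: 40; depth: 8;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS12/portmap-request-ypserv"; content: "|01 86 A4 00 00|"; offset: 40; depth: 8;)
alert UDP $EXTERNAL any -> $INTERNAL 111 (msg: "IDS125/portmap-request-ypupdated"; content: "|01 86 BC 00 00|"; offset: 40; depth: 8;)

# No content keyword: any UDP datagram to 31337 fires (see also IDS189 below).
alert UDP $EXTERNAL any -> $INTERNAL 31337 (msg: "IDS188/probe-back-orifice";)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS29/Queso Fingerprint attempt"; flags: S12;)
alert TCP $EXTERNAL any -> $INTERNAL 634:1400 (msg: "IDS217/rpc-amd-overflow"; content: "|80 00 04 2C 4C 15 75 5B 00 00 00 00 00 00 00 02|"; flags: AP; depth: 32;)
# NOTE(review): IDS9 anchors its pattern with offset: 5 while the otherwise
# parallel IDS136 has no offset; presumably an oversight in one of the two — confirm.
alert UDP $EXTERNAL any -> $INTERNAL 32770: (msg: "IDS9/rpc-rstatd-query"; content: "|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset: 5;)
alert UDP $EXTERNAL any -> $INTERNAL 32770: (msg: "IDS136/rpc-rusers-query"; content: "|00 00 00 00 00 00 00 02 00 01 86 A2|";)
alert TCP $EXTERNAL any -> $INTERNAL 32771:34000 (msg: "IDS241/rpc.ttdbserv-solaris-kill"; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; flags: AP; offset: 16; depth: 32;)
alert TCP $EXTERNAL any -> $INTERNAL 32771:34000 (msg: "IDS242/rpc.ttdbserv-solaris-overflow"; content: "|C0 22 3F FC A2 02 20 09 C0 2C 7F FF E2 22 3F F4|"; flags: AP; dsize: >999;)

# --- SMTP (25) ---------------------------------------------------------------
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS266/smtp-chameleon-overflow"; content: "HELP"; nocase; flags: AP; dsize: >500; depth: 10;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS245/smtp-cmail-buffer-overflow"; content: "VRFY AAAAAAAAAAA"; flags: AP; dsize: >500;)
# Historic sendmail command-injection signatures; the hex runs spell out the
# shell fragments, e.g. "|3a 20 7c ...|" is ": | " in IDS120.
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS120/SMTP-exploit41"; content: "rcpt to|3a 20 7c 20 73 65 64 20 27 31 2C 2F 5E 24 2F 64 27 7c|"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS119/SMTP-exploit555"; content: "mail from|3a20227c|"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS172/SMTP-exploit558"; content: "|7c 73 65 64 20 2d 65 20 27 31 2c 2f 5e 24 2f 27|"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS121/SMTP-exploit564"; content: "rcpt to|3a| decode"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS122/SMTP-exploit565"; content: "MAIL FROM|3a207c|/usr/ucb/tail"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS123/SMTP-exploit8610"; content: "Croot|0d0a|Mprog, P=/bin/"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS124/SMTP-exploit8610ha"; content: "Croot|09090909090909|Mprog, P=/bin"; flags: AP;)
# IDS139-IDS142 restrict the source port to 113 (ident) by design; a spoofed
# ident reply carrying sendmail config lines is the pattern being caught.
alert TCP $EXTERNAL 113 -> $INTERNAL 25 (msg: "IDS139/SMTP-exploit869a"; content: "|0a|C|3a|daemon|0a|R"; flags: AP;)
alert TCP $EXTERNAL 113 -> $INTERNAL 25 (msg: "IDS140/SMTP-exploit869b"; content: "|0a|D/"; flags: AP;)
alert TCP $EXTERNAL 113 -> $INTERNAL 25 (msg: "IDS141/SMTP-exploit869c"; content: "|0a|Croot|0d0a|Mprog"; flags: AP;)
alert TCP $EXTERNAL 113 -> $INTERNAL 25 (msg: "IDS142/SMTP-exploit869d"; content: "|0a|Croot|0a|Mprog"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS32/SMTP-expn-decode"; content: "expn decode"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS31/SMTP-expn-root"; content: "expn root"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS143/SMTP-MajordomoIFS"; content: "${IFS}"; flags: AP;)
# Server-side: a 5.7.1 reply from the local MTA within the first 70 bytes.
alert TCP $INTERNAL 25 -> $EXTERNAL any (msg: "IDS249/smtp-relay-denied"; content: "5.7.1"; flags: AP; depth: 70;)
alert TCP $EXTERNAL any -> $INTERNAL 25 (msg: "IDS273/sniffit-overflow-linux"; content: "from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; flags: AP; dsize: >512;)

# --- SOCKS -------------------------------------------------------------------
alert TCP $EXTERNAL any -> $INTERNAL 1080 (msg: "IDS175/socks-probe"; flags: S; ack: 0;)
# |04 5A| is a SOCKS4 "request granted" reply leaving the network.
alert TCP $INTERNAL 1080 -> $EXTERNAL any (msg: "IDS176/socks4-active"; content: "|04 5A|"; flags: AP; depth: 2;)

# --- SYNs from privileged source ports to privileged destination ports -------
# Classic packet-filter bypass pattern (source port 20 or 53).
alert TCP $EXTERNAL 20 -> $INTERNAL 0:1023 (msg: "IDS6/SourcePortTraffic-20-tcp"; flags: S;)
alert TCP $EXTERNAL 53 -> $INTERNAL 0:1023 (msg: "IDS7/SourcePortTraffic-53-tcp"; flags: S;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS116/SourceRoute-ICMP-lssr"; ipopts: lsrr ;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS117/SourceRoute-ICMP-lssre"; ipopts: lsrre ;)
alert TCP $INTERNAL 722 -> $EXTERNAL any (msg: "IDS280/ssh-freebsd40-port"; content: "SSH-"; flags: AP; dsize: <40; depth: 5;)

# --- Stacheldraht DDoS -------------------------------------------------------
# Keyed on fixed ICMP echo-reply identifiers (icmp_id) plus short keywords.
alert TCP $EXTERNAL any -> $INTERNAL 16660 (msg: "IDS179/stacheldraht client"; flags: S;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS190/stacheldraht client-check"; content: "skillz"; itype: 0; icmp_id: 666;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS194/stacheldraht client-check-gag"; content: "gesundheit!"; itype: 0; icmp_id: 39938;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS192/stacheldraht client-spoofworks"; content: "spoofworks"; itype: 0; icmp_id: 1000;)
alert ICMP $INTERNAL any -> $EXTERNAL any (msg: "IDS191/stacheldraht server-response"; content: "ficken"; itype: 0; icmp_id: 667;)
alert ICMP $INTERNAL any -> $EXTERNAL any (msg: "IDS195/stacheldraht server-response-gag"; content: "sicken"; itype: 0; icmp_id: 669;)
# Source 3.3.3.3 is the hard-coded address the agent uses for its spoof test.
alert ICMP 3.3.3.3/32 any -> any any (msg: "IDS193/stacheldraht server-spoof"; itype: 8; icmp_id: 666;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS198/SYN FIN Scan"; flags: SF;)

# --- telnet (23) server-side ---------------------------------------------------
alert TCP $INTERNAL 23 -> $EXTERNAL any (msg: "IDS8/telnet-daemon-active"; content: "|FF FD 18 FF FD 1F FF FD 23 FF FD 27 FF FD 24|"; flags: AP;)
alert TCP $INTERNAL 23 -> $EXTERNAL any (msg: "IDS127/telnet-login-incorrect"; content: "Login incorrect"; flags: AP; depth: 16;)

# --- TFN DDoS ----------------------------------------------------------------
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS184/tfn-client-command-be"; itype: 0; icmp_id: 456; icmp_seq: 0;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS183/tfn-client-command-le"; itype: 0; icmp_id: 51201; icmp_seq: 0;)
alert ICMP $INTERNAL any -> $EXTERNAL any (msg: "IDS182/tfn-server-response"; content: "shell bound to port"; itype: 0; icmp_id: 123; icmp_seq: 0;)

# --- TFTP (69) ---------------------------------------------------------------
# Opcode |00 01| is RRQ, |00 02| is WRQ; IDS137 matches ".." anywhere in the datagram.
alert UDP $EXTERNAL any -> $INTERNAL 69 (msg: "IDS137/TFTP parent directory"; content: "..";)
alert UDP $EXTERNAL any -> $INTERNAL 69 (msg: "IDS138/TFTP root directory"; content: "|00 01|/";)
alert UDP $EXTERNAL any -> $INTERNAL 69 (msg: "IDS148/TFTP write"; content: "|00 02|"; depth: 2;)

# --- Traceroute (ttl: 1 on arrival) ------------------------------------------
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS118/Traceroute ICMP"; ttl: 1; itype: 8;)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS238/Traceroute IPOPTS"; ipopts: rr ; itype: 0;)
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS3/Traceroute TCP"; ttl: 1;)
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS115/Traceroute UDP"; ttl: 1;)

# --- trin00 DDoS -------------------------------------------------------------
# IDS187 is deliberately any -> any so a PONG is caught in either direction.
alert TCP $EXTERNAL any -> $INTERNAL 27665 (msg: "IDS196/trin00-attacker-to-master"; content: "betaalmostdone"; flags: AP;)
alert UDP $EXTERNAL any -> $INTERNAL 31335 (msg: "IDS185/trin00-daemon-to-master"; content: "*HELLO*";)
alert UDP any any -> any 31335 (msg: "IDS187/trin00-daemon-to-master-pong"; content: "PONG";)
alert UDP $EXTERNAL any -> $INTERNAL 27444 (msg: "IDS197/trin00-master-to-daemon"; content: "l44adsl";)
alert UDP $EXTERNAL any -> $INTERNAL 27444 (msg: "IDS186/trin00-master-to-daemon-png"; content: "png l44";)

# --- Trojan "active" rules: SYN-ACK from a well-known trojan port ---------------
# Port-only detection ($INTERNAL <port> -> $EXTERNAL, flags: SA): any legitimate
# service listening on the same port produces the same alert, so whitelist known
# hosts before treating these as high-confidence.
alert TCP $INTERNAL 777 -> $EXTERNAL any (msg: "IDS114/trojan-active-aimspy"; flags: SA;)
alert TCP $INTERNAL 10666 -> $EXTERNAL any (msg: "IDS113/trojan-active-ambush"; flags: SA;)
alert TCP $INTERNAL 666 -> $EXTERNAL any (msg: "IDS112/trojan-active-attackftp"; flags: SA;)
# No content keyword: any UDP datagram leaving from source port 31337 fires.
alert UDP $INTERNAL 31337 -> $EXTERNAL any (msg: "IDS189/trojan-active-back-orifice";)
alert TCP $INTERNAL 20331 -> $EXTERNAL any (msg: "IDS111/trojan-active-bla"; flags: SA;)
alert TCP $INTERNAL 5400 -> $EXTERNAL any (msg: "IDS110/trojan-active-bladerunner"; flags: SA;)
alert TCP $INTERNAL 1042 -> $EXTERNAL any (msg: "IDS109/trojan-active-blah11"; flags: SA;)
alert TCP $INTERNAL 20203 -> $EXTERNAL any (msg: "IDS108/trojan-active-chupacabra"; flags: SA;)
alert TCP $INTERNAL 10607 -> $EXTERNAL any (msg: "IDS107/trojan-active-coma"; flags: SA;)
alert TCP $INTERNAL 6670 -> $EXTERNAL any (msg: "IDS106/trojan-active-deepthroat"; flags: SA;)
alert TCP $INTERNAL 6883 -> $EXTERNAL any (msg: "IDS105/trojan-active-deltasource"; flags: SA;)
alert TCP $INTERNAL 65000 -> $EXTERNAL any (msg: "IDS104/trojan-active-devil103"; flags: SA;)
alert TCP $INTERNAL 12701 -> $EXTERNAL any (msg: "IDS103/trojan-active-eclipse2000"; flags: SA;)
alert TCP $INTERNAL 4567 -> $EXTERNAL any (msg: "IDS102/trojan-active-filenail"; flags: SA;)
alert TCP $INTERNAL 50766 -> $EXTERNAL any (msg: "IDS101/trojan-active-fore-schwindler"; flags: SA;)
alert TCP $INTERNAL 1492 -> $EXTERNAL any (msg: "IDS100/trojan-active-ftp99cmp"; flags: SA;)
alert TCP $INTERNAL 6969 -> $EXTERNAL any (msg: "IDS99/trojan-active-gatecrasher"; flags: SA;)
alert TCP $INTERNAL 21554 -> $EXTERNAL any (msg: "IDS98/trojan-active-girlfriend"; flags: SA;)
alert TCP $INTERNAL 12076 -> $EXTERNAL any (msg: "IDS97/trojan-active-gjamer"; flags: SA;)
alert TCP $INTERNAL 12223 -> $EXTERNAL any (msg: "IDS96/trojan-active-hack99keylogger"; flags: SA;)
alert TCP $INTERNAL 31787 -> $EXTERNAL any (msg: "IDS95/trojan-active-hackatak"; flags: SA;)
alert TCP $INTERNAL 456 -> $EXTERNAL any (msg: "IDS94/trojan-active-hackersparadise"; flags: SA;)
alert TCP $INTERNAL 2283 -> $EXTERNAL any (msg: "IDS93/trojan-active-hvlrat5"; flags: SA;)
alert TCP $INTERNAL 4950 -> $EXTERNAL any (msg: "IDS92/trojan-active-icq"; flags: SA;)
alert TCP $INTERNAL 5521 -> $EXTERNAL any (msg: "IDS91/trojan-active-illusionmailer"; flags: SA;)
alert TCP $INTERNAL 9400 -> $EXTERNAL any (msg: "IDS90/trojan-active-incommand"; flags: SA;)
alert TCP $INTERNAL 6939 -> $EXTERNAL any (msg: "IDS89/trojan-active-indoctrination"; flags: SA;)
alert TCP $INTERNAL 9889 -> $EXTERNAL any (msg: "IDS88/trojan-active-inikiller"; flags: SA;)
alert TCP $INTERNAL 2140 -> $EXTERNAL any (msg: "IDS87/trojan-active-invasor"; flags: SA;)
alert TCP $INTERNAL 30999 -> $EXTERNAL any (msg: "IDS86/trojan-active-kuang"; flags: SA;)
alert TCP $INTERNAL 17300 -> $EXTERNAL any (msg: "IDS85/trojan-active-kuang2"; flags: SA;)
alert TCP $INTERNAL 31 -> $EXTERNAL any (msg: "IDS84/trojan-active-masterparadise"; flags: SA;)
alert TCP $INTERNAL 1269 -> $EXTERNAL any (msg: "IDS83/trojan-active-matrix"; flags: SA;)
alert TCP $INTERNAL 20000 -> $EXTERNAL any (msg: "IDS82/trojan-active-millenium"; flags: SA;)
alert TCP $INTERNAL 12346 -> $EXTERNAL any (msg: "IDS81/trojan-active-netbus10"; flags: SA;)
alert TCP $INTERNAL 20034 -> $EXTERNAL any (msg: "IDS80/trojan-active-netbuspro"; flags: SA;)
alert TCP $INTERNAL 5031 -> $EXTERNAL any (msg: "IDS79/trojan-active-netmetro"; flags: SA;)
alert TCP $INTERNAL 7306 -> $EXTERNAL any (msg: "IDS78/trojan-active-netmonitor"; flags: SA;)
alert TCP $INTERNAL 57341 -> $EXTERNAL any (msg: "IDS77/trojan-active-netraider"; flags: SA;)
alert TCP $INTERNAL 30100 -> $EXTERNAL any (msg: "IDS76/trojan-active-netsphere"; flags: SA;)
alert TCP $INTERNAL 1033 -> $EXTERNAL any (msg: "IDS75/trojan-active-netspy"; flags: SA;)
alert TCP $INTERNAL 31339 -> $EXTERNAL any (msg: "IDS74/trojan-active-netspydk"; flags: SA;)
alert TCP $INTERNAL 5011 -> $EXTERNAL any (msg: "IDS73/trojan-active-ootlt"; flags: SA;)
alert TCP $INTERNAL 2023 -> $EXTERNAL any (msg: "IDS72/trojan-active-passripper"; flags: SA;)
alert TCP $INTERNAL 2801 -> $EXTERNAL any (msg: "IDS71/trojan-active-phineas"; flags: SA;)
alert TCP $INTERNAL 9872 -> $EXTERNAL any (msg: "IDS70/trojan-active-portalofdoom"; flags: SA;)
alert TCP $INTERNAL 16969 -> $EXTERNAL any (msg: "IDS69/trojan-active-priority"; flags: SA;)
alert TCP $INTERNAL 11223 -> $EXTERNAL any (msg: "IDS68/trojan-active-progenic"; flags: SA;)
alert TCP $INTERNAL 22222 -> $EXTERNAL any (msg: "IDS67/trojan-active-prosiak"; flags: SA;)
alert TCP $INTERNAL 1509 -> $EXTERNAL any (msg: "IDS66/trojan-active-psyberstream"; flags: SA;)
alert TCP $INTERNAL 53001 -> $EXTERNAL any (msg: "IDS65/trojan-active-remoteshutdown"; flags: SA;)
alert TCP $INTERNAL 5569 -> $EXTERNAL any (msg: "IDS64/trojan-active-robohack"; flags: SA;)
alert TCP $INTERNAL 54321 -> $EXTERNAL any (msg: "IDS63/trojan-active-schoolbus"; flags: SA;)
alert TCP $INTERNAL 31554 -> $EXTERNAL any (msg: "IDS62/trojan-active-schwindler"; flags: SA;)
alert TCP $INTERNAL 11000 -> $EXTERNAL any (msg: "IDS61/trojan-active-sennaspy"; flags: SA;)
alert TCP $INTERNAL 1600 -> $EXTERNAL any (msg: "IDS60/trojan-active-shiveburka"; flags: SA;)
alert TCP $INTERNAL 1981 -> $EXTERNAL any (msg: "IDS59/trojan-active-shockrave"; flags: SA;)
alert TCP $INTERNAL 1001 -> $EXTERNAL any (msg: "IDS58/trojan-active-silencer-webex-doly"; flags: SA;)
alert TCP $INTERNAL 30303 -> $EXTERNAL any (msg: "IDS57/trojan-active-socket23"; flags: SA;)
alert TCP $INTERNAL 1207 -> $EXTERNAL any (msg: "IDS56/trojan-active-softwar"; flags: SA;)
alert TCP $INTERNAL 33911 -> $EXTERNAL any (msg: "IDS55/trojan-active-spirit2001"; flags: SA;)
alert TCP $INTERNAL 1807 -> $EXTERNAL any (msg: "IDS54/trojan-active-spysender"; flags: SA;)
alert TCP $INTERNAL 555 -> $EXTERNAL any (msg: "IDS53/trojan-active-stealthspy-phase0-netadmin"; flags: SA;)
alert TCP $INTERNAL 1170 -> $EXTERNAL any (msg: "IDS52/trojan-active-streamingaudio"; flags: SA;)
alert TCP $INTERNAL 2565 -> $EXTERNAL any (msg: "IDS51/trojan-active-striker"; flags: SA;)
alert TCP $INTERNAL 1243 -> $EXTERNAL any (msg: "IDS50/trojan-active-subseven"; flags: SA;)
# NOTE(review): IDS279 is the only trojan-active rule written in the opposite
# direction ($EXTERNAL 27374 -> $INTERNAL), i.e. it reports an external server
# answering an internal client rather than an internal infected host — verify
# this is intended before relying on it for host triage.
alert TCP $EXTERNAL 27374 -> $INTERNAL any (msg: "IDS279/trojan-active-subseven21"; flags: SA;)
alert TCP $INTERNAL 61466 -> $EXTERNAL any (msg: "IDS49/trojan-active-telecommando"; flags: SA;)
alert TCP $INTERNAL 9999 -> $EXTERNAL any (msg: "IDS48/trojan-active-theprayer1"; flags: SA;)
alert TCP $INTERNAL 2716 -> $EXTERNAL any (msg: "IDS47/trojan-active-theprayer2"; flags: SA;)
alert TCP $INTERNAL 40412 -> $EXTERNAL any (msg: "IDS46/trojan-active-thespy"; flags: SA;)
alert TCP $INTERNAL 6400 -> $EXTERNAL any (msg: "IDS45/trojan-active-thething"; flags: SA;)
alert TCP $INTERNAL 29891 -> $EXTERNAL any (msg: "IDS44/trojan-active-theunexplained"; flags: SA;)
alert TCP $INTERNAL 34324 -> $EXTERNAL any (msg: "IDS43/trojan-active-tinytelnet"; flags: SA;)
alert TCP $INTERNAL 3791 -> $EXTERNAL any (msg: "IDS42/trojan-active-totaleclipse"; flags: SA;)
alert TCP $INTERNAL 1999 -> $EXTERNAL any (msg: "IDS41/trojan-active-transcout"; flags: SA;)
alert TCP $INTERNAL 2001 -> $EXTERNAL any (msg: "IDS40/trojan-active-trojancow"; flags: SA;)
alert TCP $INTERNAL 6669 -> $EXTERNAL any (msg: "IDS39/trojan-active-vampire"; flags: SA;)
alert TCP $INTERNAL 1245 -> $EXTERNAL any (msg: "IDS38/trojan-active-vodoo"; flags: SA;)
alert TCP $INTERNAL 23456 -> $EXTERNAL any (msg: "IDS37/trojan-active-whackjob"; flags: SA;)
alert TCP $INTERNAL 5742 -> $EXTERNAL any (msg: "IDS36/trojan-active-wincrash"; flags: SA;)
alert TCP $INTERNAL 2583 -> $EXTERNAL any (msg: "IDS35/trojan-active-wincrash2"; flags: SA;)
alert TCP $INTERNAL 5550 -> $EXTERNAL any (msg: "IDS34/trojan-active-xtcp2"; flags: SA;)
alert TCP $INTERNAL 37651 -> $EXTERNAL any (msg: "IDS33/trojan-active-yetanother"; flags: SA;)

# --- Web CGI (80) ------------------------------------------------------------
# Most of these are bare substring matches on the whole request ("finger",
# "handler", "phf", "|7C|" = "|", "///"); they match URLs, form bodies and
# cookies alike, so expect a high false-positive rate on busy web servers.
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS225/web-cgi-anyform"; content: "anyform"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS265/web-cgi-cgitest"; content: "cgitest.exe|0d0a|user"; nocase; flags: AP; offset: 4;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS221/web-cgi-finger"; content: "finger"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS226/web-cgi-formmail"; content: "formmail"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS258/web-cgi-get32.exe"; content: "get32.exe"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS228/web-cgi-guestbook"; content: "guestbook"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS235/web-cgi-handler"; content: "handler"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS224/web-cgi-nph-test-cgi"; content: "nph-test-cgi"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS219/web-cgi-perl-exe"; content: "perl.exe"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS128/web-cgi-phf"; content: "phf"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS232/web-cgi-php-slash"; content: "php.cgi?/"; flags: AP; offset: 5; depth: 32;)
# Server banner leak, matched on the response direction.
alert TCP $INTERNAL 80 -> $EXTERNAL any (msg: "IDS233/web-cgi-php-version"; content: "PHP/FI Version 2.0b"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS243/web-cgi-pipe"; content: "|7C|"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS227/web-cgi-scriptalias"; content: "///"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS220/web-cgi-snork"; content: "snork.bat"; flags: AP;)
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS230/web-cgi-space-wildcard"; content: "|2A 20|"; flags: AP;)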