#Keep in mind, a small focused ruleset is the best option #to keep your system from possibly dropping packets, or reporting false alarms #Current Database Updated 01/25/2000 preprocessor http_decode: 80 443 8080 preprocessor minfrag: 128 #--------------------------------------------- # CHANGE THE NEXT LINE TO REFLECT YOUR NETWORK # (Single system = your ip/32) var HOME_NET yournet/subnet #--------------------------------------------- alert udp $HOME_NET 54321 -> any !80 (msg:"BACKDOOR ACTIVITY-Possible Back Orifice 2k";) alert tcp $HOME_NET 30303 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Socket 25"; flags:SA;) alert tcp $HOME_NET 30133 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible NetSphere Final 1.31.337"; flags:SA;) alert tcp $HOME_NET 23456 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible UglyFTP or WhackJob"; flags:SA;) alert tcp $HOME_NET 20203 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Logged!"; flags:SA;) alert tcp $HOME_NET 21554 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Girlfriend / Schwindler 1.8"; flags:SA;) alert tcp $HOME_NET 16484 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Mosucker"; flags:SA;) alert tcp $HOME_NET 11000 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Senna Spy"; flags:SA;) alert tcp $HOME_NET 6666 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible TCPShell - *NIX Backdoor"; flags:SA;) alert tcp $HOME_NET 5637 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible PC-Crasher"; flags:SA;) alert tcp $HOME_NET 5011 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible OOTLT / OOTLT Cart"; flags:SA;) alert tcp $HOME_NET 5000 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Socket 23"; flags:SA;) alert tcp $HOME_NET 4567 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible FileNail"; flags:SA;) alert tcp $HOME_NET 4321 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Schoolbus 1.0"; flags:SA;) alert tcp $HOME_NET 4092 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Wincrash"; flags:SA;) alert tcp 
$HOME_NET 2000 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Insane Network 4"; flags:SA;) alert tcp $HOME_NET 1050 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Mini Command 1.2 Access"; flags:S;) alert tcp $HOME_NET 1029 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possibe InCommand Access"; flags:S;) alert tcp $HOME_NET 31 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible-Masters Paradise";flags:SA;) alert tcp $HOME_NET 37651 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Yet Another Trojan";flags:SA;) alert tcp $HOME_NET 5550 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible XTCP2";flags:SA;) alert tcp $HOME_NET 2583 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible WinCrash2";flags:SA;) alert tcp $HOME_NET 5742 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible WinCrash";flags:SA;) alert tcp $HOME_NET 4092 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible WinCrash";flags:SA;) alert tcp $HOME_NET 3024 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible WinCrash";flags:SA;) alert tcp $HOME_NET 23456 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Whackjob";flags:SA;) alert tcp $HOME_NET 12362 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Whack-a-mole";flags:S;) alert tcp $HOME_NET 12361 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Whack-a-mole";flags:S;) alert tcp $HOME_NET 1245 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Voodoo Doll";flags:SA;) alert tcp $HOME_NET 6669 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Vampire";flags:SA;) alert tcp $HOME_NET 2001 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible TrojanCow";flags:SA;) alert tcp $HOME_NET 1999 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Transcout";flags:SA;) alert tcp $HOME_NET 3791 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Totaleclipse";flags:SA;) alert tcp $HOME_NET 29891 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible The Unexplained";flags:SA;) alert tcp $HOME_NET 6400 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible The 
Thing";flags:SA;) alert tcp $HOME_NET 40412 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible The Spy";flags:SA;) alert tcp $HOME_NET 2716 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible The Prayer2";flags:SA;) alert tcp $HOME_NET 9999 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible The Prayer1";flags:SA;) alert tcp $HOME_NET 61466 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible TeleCommando";flags:SA;) alert tcp $HOME_NET 1243 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Subseven";flags:SA;) alert tcp $HOME_NET 2565 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Striker";flags:SA;) alert tcp $HOME_NET 1170 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Streaming Audio Server";flags:SA;) alert tcp $HOME_NET 555 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Stealthspy/Phase0/Netadmin/INI-Killer";flags:SA;) alert tcp $HOME_NET 1807 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible SpySender";flags:SA;) alert tcp $HOME_NET 33911 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Spirit2001";flags:SA;) alert tcp $HOME_NET 1207 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Softwar";flags:SA;) alert tcp $HOME_NET 5000 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible SocketsDeTroie";flags:SA;) alert tcp $HOME_NET 5001 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible SocketsDeTroie";flags:SA;) alert tcp $HOME_NET 50505 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible SocketsdeTroie";flags:SA;) alert tcp $HOME_NET 30303 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Socket-23";flags:SA;) alert tcp $HOME_NET 1001 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Silencer-Webex-Doly";flags:SA;) alert tcp $HOME_NET 1981 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible ShockRave";flags:SA;) alert tcp $HOME_NET 1600 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Shivka-Burka";flags:SA;) alert tcp $HOME_NET 11000 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Sennaspy";flags:SA;) alert tcp $HOME_NET 31554 -> !$HOME_NET !80 
(msg:"BACKDOOR ACTIVITY-Possible Schwindler";flags:SA;) alert tcp $HOME_NET 21554 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Schwindler 1.82 / Girlfriend";flags:SA;) alert tcp $HOME_NET 54321 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Schoolbus";flags:SA;) alert tcp $HOME_NET 666 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible SatanzBackdoor";flags: SA;) alert tcp $HOME_NET 5569 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible RoboHack";flags:SA;) alert tcp $HOME_NET 2023 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible RipperPro";flags: SA;) alert tcp $HOME_NET 53001 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Remote Windows Shutdown";flags:SA;) alert tcp $HOME_NET 1509 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible PsyberStream";flags:SA;) alert tcp $HOME_NET 22222 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Prosiak";flags:SA;) alert tcp $HOME_NET 11223 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Progenic Trojan";flags:SA;) alert tcp $HOME_NET 16969 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Priority / Portal Of Doom";flags:SA;) alert tcp $HOME_NET 9872 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Portal Of Doom";flags:SA;) alert tcp $HOME_NET 2801 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Phineas Phucker";flags:SA;) alert tcp $HOME_NET 555 -> !$HOME_NET any (msg:"BACKDOOR ACTIVITY-Possible PhaseZero Server Active on Network";content:"phAse";flags:PA;) alert tcp $HOME_NET 2023 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible PassRipper";flags:SA;) alert tcp $HOME_NET 5011 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible OOOLT";flags:SA;) alert tcp $HOME_NET 31339 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible NetSpyDK";flags:SA;) alert tcp $HOME_NET 1033 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible NetSpy";flags:SA;) alert tcp $HOME_NET 30100 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Netsphere";flags:SA;) alert tcp $HOME_NET 57341 -> !$HOME_NET !80 (msg:"BACKDOOR 
ACTIVITY-Possible netraider";flags:SA;) alert tcp $HOME_NET 7300:7309 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible NetMonitor";flags:SA;) alert tcp $HOME_NET 5031 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible NetMetro 1.0";flags:SA;) alert tcp $HOME_NET 20034 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible NetBusPro";flags:SA;) alert tcp $HOME_NET 12346 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible netbus10";flags:SA;) alert tcp $HOME_NET 12345 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Netbus/GabanBus";flags:SA;) alert tcp $HOME_NET 12346 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Netbus/GabanBus";flags:SA;) alert tcp $HOME_NET 2000 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Millennium";flags:SA;) alert tcp $HOME_NET 1269 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Mavericks Matrix";flags:SA;) alert tcp $HOME_NET 40421 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible MastersParadise";flags:SA;) alert tcp $HOME_NET 40426 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible MastersParadise";flags:SA;) alert tcp $HOME_NET 40423 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible MastersParadise";flags:SA;) alert tcp $HOME_NET 40422 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible MastersParadise";flags:SA;) alert tcp $HOME_NET 10752 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Linux mountd Backdoor";flags:SA;) alert tcp $HOME_NET 17300 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Kuang2";flags:SA;) alert tcp $HOME_NET 30999 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Kuang";flags:SA;) alert tcp $HOME_NET 2140 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Invasor";flags:SA;) alert tcp $HOME_NET 9889 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible INI-Killer";flags:SA;) alert tcp $HOME_NET 6939 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Indoctrination";flags:SA;) alert tcp $HOME_NET 9400 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible InCommand";flags:SA;) alert tcp $HOME_NET 5521 
-> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible IllusionMailer";flags:SA;) alert tcp $HOME_NET 4950 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible ICQTrojan";flags:SA;) alert tcp $HOME_NET 7789 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible ICQ Killer"; flags:SA;)) alert tcp $HOME_NET 2283 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible HVLRat5";flags:SA;) alert tcp $HOME_NET 456 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible HackersParadise";flags:SA;) alert tcp $HOME_NET 31787 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible hackatak";flags:SA;) alert tcp $HOME_NET 12223 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible hack99keylogger";flags:SA;) alert tcp $HOME_NET 12076 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Gjamer";flags:SA;) alert tcp $HOME_NET 21554 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible GirlFriend";flags:SA;) alert tcp $HOME_NET 6969 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible gatecrasher";flags:SA;) alert tcp $HOME_NET 1492 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible FTP99CMP";flags:SA;) alert tcp $HOME_NET 50766 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible fore-schwindler";flags:SA;) alert tcp $HOME_NET 50776 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Fore / Remote Windows Shutdown";flags:SA;) alert tcp $HOME_NET 5321 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible FireHotcker"; flags:SA;) alert tcp $HOME_NET 4567 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Filenail";flags:SA;) alert tcp $HOME_NET 12701 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Eclipse 2000";flags:SA;) alert tcp $HOME_NET 1011 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Doly Trojan"; flags:SA;) alert tcp $HOME_NET 1015 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Doly Trojan 1.5"; flags:SA;) alert tcp $HOME_NET 1010 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Doly Trojan 1.35"; flags:SA;) alert tcp $HOME_NET 65000 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Devil 
1.03";flags:SA;) alert tcp $HOME_NET 6883 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible DeltaSource";flags:SA;) alert tcp $HOME_NET 47262 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Delta";flags:SA;) alert tcp $HOME_NET 6670 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible DeepThroat";flags:SA;) alert tcp $HOME_NET 10607 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Coma";flags:SA;) alert tcp $HOME_NET 20203 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible chupacabra";flags:SA;) alert tcp $HOME_NET 10101 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible BrainSpy"; flags:SA;) alert tcp $HOME_NET 121 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible BO Jammer Killah V"; flags:SA;) alert tcp $HOME_NET 1042 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Blah 1.1";flags:SA;) alert tcp $HOME_NET 20331 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Bla";flags:SA;) alert tcp $HOME_NET 34324 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible BigGluck / Tiny Telnet Server";flags:SA;) alert tcp $HOME_NET 31337 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Backorifice";flags:SA;) alert tcp $HOME_NET 54321 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible BackOrifice 2000"; flags:SA;) alert tcp $HOME_NET 54320 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible BackOrifice 2000"; flags:SA;) alert tcp $HOME_NET 5400 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible BackConstruction 1.2 / BladeRunner"; flags: SA;) alert tcp $HOME_NET 666 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Attack FTP / Satans Backdoor";flags:SA;) alert tcp $HOME_NET 30029 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible AOL Trojan 1.1";flags: SA;) alert tcp $HOME_NET 10666 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Ambush";flags:SA;) alert tcp $HOME_NET 777 -> !$HOME_NET !80 (msg:"BACKDOOR ACTIVITY-Possible Aimspy";flags:SA;) alert udp !$HOME_NET !80 -> $HOME_NET 54321 (msg:"BACKDOOR ATTEMPT-Back Orifice 2k Attempt";) alert tcp !$HOME_NET !80 -> 
$HOME_NET 30303 (msg:"BACKDOOR ATTEMPT-Socket 25 Attempt"; flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 30133 (msg:"BACKDOOR ATTEMPT-NetSphere Final 1.31.337 Attempt"; flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 23456 (msg:"BACKDOOR ATTEMPT-UglyFTP or WhackJob Attempt"; flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 20203 (msg:"BACKDOOR ATTEMPT-Logged! Attempt"; flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 21554 (msg:"BACKDOOR ATTEMPT-Girlfriend / Schwindler 1.8 Attempt"; flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 16484 (msg:"BACKDOOR ATTEMPT-Mosucker Attempt"; flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 11000 (msg:"BACKDOOR ATTEMPT-Senna Spy Attempt"; flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 6666 (msg:"BACKDOOR ATTEMPT-TCPShell - *NIX Backdoor Attempt"; flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 5637 (msg:"BACKDOOR ATTEMPT-PC-Crasher Attempt"; flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 5011 (msg:"BACKDOOR ATTEMPT-OOTLT / OOTLT Cart Attempt"; flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 5000 (msg:"BACKDOOR ATTEMPT-Socket 23"; flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 4567 (msg:"BACKDOOR ATTEMPT-FileNail Attempt"; flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 4321 (msg:"BACKDOOR ATTEMPT-Schoolbus 1.0 Attempt"; flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 4092 (msg:"BACKDOOR ATTEMPT-Wincrash Attempt"; flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 2000 (msg:"BACKDOOR ATTEMPT-Insane Network Attempt"; flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 1050 (msg:"BACKDOOR-ATTEMPT Possible Mini Command 1.2 Attempt"; flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 1029 (msg:"BACKDOOR-ATTEMPT Possibe InCommand Attempt"; flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 5010 (msg:"BACKDOOR ATTEMPT- Yahoo! 
Messenger Exploit Attempt" flags:S; ) alert tcp !$HOME_NET !80 -> $HOME_NET 244 (msg:"BACKDOOR ATTEMPT- Possible Intel InBusiness E-mail Station exploit"; flags:PA;) alert tcp !$HOME_NET !80 -> $HOME_NET 44444 (msg:"BACKDOOR ATTEMPT -Possible Prosiak"; flags:S;) # alert - Snort 1.6 ONLY icmp !$HOME_NET any -> $HOME_NET any (msg: "BACKDOOR ACTIVITY - TFN server response"; content: "|73 68 65 6C 6C 20 62 6F 75 6E 64 20 74 6F 20 70 6F 72 74|"; itype: 0; icmp_id: 123; icmp_seq: 0;) # alert - Snort 1.6 ONLY icmp !$HOME_NET any -> $HOME_NET any (msg: "BACKDOOR ACTIVITY - TFN client command LE"; itype: 0; icmp_id: 51201; icmp_seq: 0;) # alert - Snort 1.6 ONLY icmp !$HOME_NET any -> $HOME_NET any (msg: "BACKDOOR ACTIVITY - TFN client command BE"; itype: 0; icmp_id: 456; icmp_seq: 0;) # alert - Snort 1.6 ONLY icmp 3.3.3.3/32 any -> !$HOME_NET any (msg: "BACKDOOR ACTIVITY - Stacheldraht server-spoof"; itype: 0; icmp_id: 666;) # alert - Snort 1.6 ONLY icmp $HOME_NET any -> !$HOME_NET any (msg: "BACKDOOR ACTIVITY - Stacheldraht server-response-gag"; content: "|73 69 63 6B 65 6E|"; itype: 0; icmp_id: 669;) # alert - Snort 1.6 ONLY icmp $HOME_NET any -> !$HOME_NET any (msg: "BACKDOOR ACTIVITY - Stacheldraht server-response"; content: "|66 69 63 6B 65 6E|"; itype: 0; icmp_id: 667;) # alert - Snort 1.6 ONLY icmp !$HOME_NET any -> $HOME_NET any (msg: "BACKDOOR ACTIVITY - Stacheldraht client-spoofworks"; content: "|73 70 6F 6F 66 77 6F 72 6B 73|"; itype: 0; icmp_id: 1000;) # alert - Snort 1.6 ONLY icmp !$HOME_NET any -> $HOME_NET any (msg: "BACKDOOR ATTEMPT - Stacheldraht client-check-gag"; content: "|67 65 73 75 6E 64 68 65 69 74 21|"; itype: 0; icmp_id: 668;) # alert - Snort 1.6 ONLY icmp !$HOME_NET any -> $HOME_NET any (msg: "BACKDOOR ATTEMPT - Stacheldraht client-check"; content: "|73 6B 69 6C 6C 7A|"; itype: 0; icmp_id: 666;) # alert - Snort 1.6 ONLY icmp !$HOME_NET any -> $HOME_NET 16660 (msg: "BACKDOOR ACTIVITY - Stacheldraht Client";) alert tcp !$HOME_NET !80 -> $HOME_NET 
1024 (msg:"BACKDOOR ATTEMPT-Psyber Streaming Server";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 4000 (msg:"BACKDOOR ATTEMPT-Psyber Streaming Server";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 1509 (msg:"BACKDOOR ATTEMPT-Psyber Streaming Server";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 5741 (msg:"BACKDOOR ATTEMPT-WinCrash";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 5714 (msg:"BACKDOOR ATTEMPT-WinCrash";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 33911 (msg:"BACKDOOR ATTEMPT-Trojan Spirit 2001a";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 30133 (msg:"BACKDOOR ATTEMPT-Trojan Spirit 2001a";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 6000 (msg:"BACKDOOR ATTEMPT-The Thing";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 6913 (msg:"BACKDOOR ATTEMPT- Shitheep Danny";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 6912 (msg:"BACKDOOR ATTEMPT- Shitheep";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 43210 (msg:"BACKDOOR ATTEMPT-Schoolbus 1.6 / 2.0";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 4321 (msg:"BACKDOOR ATTEMPT-Schoolbus 1.0";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 49301 (msg:"BACKDOOR ATTEMPT-Online Keylogger";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 5032 (msg:"BACKDOOR ATTEMPT-Net Metropolitan 1.04";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 5031 (msg:"BACKDOOR ATTEMPT-Net Metropolitan 1.0 / 1.04";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 3129 (msg:"BACKDOOR ATTEMPT-Masters Paradise";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 13700 (msg:"BACKDOOR ATTEMPT-Kuang2 The Virus";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 99 (msg:"BACKDOOR ATTEMPT- Hidden Port 2.0";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 8879 (msg:"BACKDOOR ATTEMPT-Hack Office Armageddon";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 2023 (msg:"BACKDOOR ATTEMPT-Hack City Ripper Pro";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 6970 (msg:"BACKDOOR ATTEMPT-Gatecrasher";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 1016 
(msg:"BACKDOOR ATTEMPT-Doly Trojan 1.6";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 1000 (msg:"BACKDOOR ATTEMPT-Der Spaeher 3";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 1349 (msg:"BACKDOOR ATTEMPT-Back Orifice DLL";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 8787 (msg:"BACKDOOR ATTEMPT-Back Orifice 2000";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 32418 (msg:"BACKDOOR ATTEMPT-Acid Battery 1.0";flags:S;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BACKDOOR-unlg1.1 Attempt";flags:PA; content:"cgi-bin/unlg1.1";) alert tcp !$HOME_NET !80 -> $HOME_NET 1015 (msg:"BACKDOOR ATTEMPT-Doly Trojan 1.5"; flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 1010 (msg:"BACKDOOR ATTEMPT-Doly Trojan 1.35"; flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 1011 (msg:"BACKDOOR ATTEMPT-Doly Trojan"; flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 10101 (msg:"BACKDOOR ATTEMPT-BrainSpy"; flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 121 (msg:"BACKDOOR ATTEMPT-BO Jammer Killah V"; flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 54320 (msg:"BACKDOOR ATTEMPT-BackOrifice 2000"; flags:S;) alert tcp $HOME_NET 6969 -> !$HOME_NET any (msg:"BACKDOOR ACTIVITY- GateCrasheraccess"; flags:PA; content:"GateCrasher";) alert tcp !$HOME_NET !80 -> $HOME_NET 6776 (msg:"BACKDOOR ATTEMPT-SubSeven access";flags:S;) alert udp !$HOME_NET any -> $HOME_NET 31335 (msg:"BACKDOOR ACTIVITY- Trin00:DaemontoMaster(PONGdetected)"; content:"PONG";) alert udp !$HOME_NET any -> $HOME_NET 31335 (msg:"BACKDOOR ACTIVITY- Trin00:DaemontoMaster(messagedetected)"; content:"l44";) alert udp !$HOME_NET any -> $HOME_NET 31335 (msg:"BACKDOOR ACTIVITY- Trin00:DaemontoMaster(*HELLO*detected)"; content:"*HELLO*";) alert tcp $HOME_NET 30100 -> !$HOME_NET any (msg:"BACKDOOR ACTIVITY- NetSphere access"; flags: PA; content:"NetSphere";) alert tcp !$HOME_NET any -> $HOME_NET 27665 (msg:"BACKDOOR ACTIVITY- Trin00:Attacker to Master default startup pass detected!";flags:PA; content:"betaalmostdone";) alert tcp !$HOME_NET any 
-> $HOME_NET 27665 (msg:"BACKDOOR ACTIVITY- Trin00 Attacker to Master defaultr.i.passdetected!";flags:PA; content:"gOrave";) alert tcp !$HOME_NET any -> $HOME_NET 27665 (msg:"BACKDOOR ACTIVITY- Trin00 Attacker to Master-default mdie pass detected!";flags:PA; content:"killme";) alert udp !$HOME_NET any -> $HOME_NET 27444 (msg:"BACKDOOR ACTIVITY- Trin00:MastertoDaemon(defaultpassdetected!)"; content:"l44adsl";) alert tcp !$HOME_NET !80 -> $HOME_NET 21554 (msg:"BACKDOOR ATTEMPT-GirlFriendaccess"; flags:PA; content:"Girl";) alert tcp $HOME_NET 21 -> !$HOME_NET any (msg:"BACKDOOR ACTIVITY ADMw0rm-ftp-retrieval";flags:PA; content:"USERw0rm|0D0A|";) alert tcp !$HOME_NET !80 -> $HOME_NET 7789 (msg:"BACKDOOR ATTEMPT-ICQ Killer";) alert tcp !$HOME_NET !80 -> $HOME_NET 7300:7309 (msg:"BACKDOOR ATTEMPT-NetMonitor";flags:S;) alert udp !$HOME_NET !80 -> $HOME_NET 7000 (msg:"BACKDOOR ATTEMPT-RemoteGrab";) alert tcp !$HOME_NET !80 -> $HOME_NET 6711 (msg:"BACKDOOR ATTEMPT-DeepThroat/SubSeven";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 5400 (msg:"BACKDOOR ATTEMPT-BackConstruction 1.2 1.5 / BladeRunner"; flags: S;) alert tcp !$HOME_NET !80 -> $HOME_NET 5742 (msg:"BACKDOOR ATTEMPT-WinCrash";flags:S;) alert tcp $HOME_NET 555 -> !$HOME_NET any (msg:"BACKDOOR ACTIVITY-PhaseZero Server Active on Network"; flags:PA; content:"phAse";) alert tcp !$HOME_NET !80 -> $HOME_NET 5042 (msg:"BACKDOOR ATTEMPT-BladeRunner";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 5401 (msg:"BACKDOOR ATTEMPT-BladeRunner"flags:S;;) alert tcp !$HOME_NET !80 -> $HOME_NET 30029 (msg:"BACKDOOR ATTEMPT-AOL Trojan 1.1";flags: S;) alert tcp !$HOME_NET !80 -> $HOME_NET 5321 (msg:"BACKDOOR ATTEMPT-FireHotcker"; flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 50776 (msg:"BACKDOOR ATTEMPT-Fore / Remote Windows Shutdown";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 50505 (msg:"BACKDOOR ATTEMPT-SocketsdeTroie";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 5001 (msg:"BACKDOOR ATTEMPT-SocketsDeTroie";flags:S;) alert 
tcp !$HOME_NET !80 -> $HOME_NET 5000 (msg:"BACKDOOR ATTEMPT-SocketsDeTroie";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 4950 (msg:"BACKDOOR ATTEMPT-ICQTrojan";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 47262 (msg:"BACKDOOR ATTEMPT-Delta";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 4092 (msg:"BACKDOOR ATTEMPT-WinCrash";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 40426 (msg:"BACKDOOR ATTEMPT-MastersParadise";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 40423 (msg:"BACKDOOR ATTEMPT-MastersParadise";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 40422 (msg:"BACKDOOR ATTEMPT-MastersParadise";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 40421 (msg:"BACKDOOR ATTEMPT-MastersParadise";flags:S;) alert udp !$HOME_NET !80 -> $HOME_NET 3700 (msg:"BACKDOOR ATTEMPT-Portal Of Doom";) alert udp !$HOME_NET !80 -> $HOME_NET 33333 (msg:"BACKDOOR ATTEMPT-Prosiak";) alert tcp !$HOME_NET !80 -> $HOME_NET 31666 (msg:"BACKDOOR ATTEMPT-BOWhack";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 3150 (msg:"BACKDOOR ATTEMPT-DeepThroat/Invasor";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 31338 (msg:"BACKDOOR ATTEMPT-DeepBackOrifice";flags:S;) alert udp !$HOME_NET !80 -> $HOME_NET 31 (msg:"BACKDOOR ATTEMPT-HackersParadise";) alert tcp !$HOME_NET !80 -> $HOME_NET 3024 (msg:"BACKDOOR ATTEMPT-WinCrash";flags:S;) alert udp !$HOME_NET !80 -> $HOME_NET 2989 (msg:"BACKDOOR ATTEMPT-Ratbackdoor";) alert tcp !$HOME_NET !80 -> $HOME_NET 26274 (msg:"BACKDOOR ATTEMPT-Delta";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 2115 (msg:"BACKDOOR ATTEMPT-Bugs"; flags: S;) alert tcp !$HOME_NET !80 -> $HOME_NET 12362 (msg:"BACKDOOR ATTEMPT-Whack-a-mole";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 12361 (msg:"BACKDOOR ATTEMPT-Whack-a-mole";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 12346 (msg:"BACKDOOR ATTEMPT-Netbus/GabanBus";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 12345 (msg:"BACKDOOR ATTEMPT-Netbus/GabanBus";flags:S;) alert udp !$HOME_NET !53:80 -> $HOME_NET 1234 
(msg:"BACKDOOR ATTEMPT-UltorsTrojan";) alert tcp !$HOME_NET !80 -> $HOME_NET 10752 (msg:"BACKDOOR ATTEMPT-Linux mountd Backdoor";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 65000 (msg:"BACKDOOR ATTEMPT-Devil 1.03";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 61466 (msg:"BACKDOOR ATTEMPT-TeleCommando";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 57341 (msg:"BACKDOOR ATTEMPT-netraider";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 54321 (msg:"BACKDOOR ATTEMPT-Schoolbus 1.6 / 2.0";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 53001 (msg:"BACKDOOR ATTEMPT-Remote Windows Shutdown";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 50766 (msg:"BACKDOOR ATTEMPT- fore-schwindler";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 40412 (msg:"BACKDOOR ATTEMPT-The Spy";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 37651 (msg:"BACKDOOR ATTEMPT-Yet Another Trojan";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 34324 (msg:"BACKDOOR ATTEMPT-BigGluck / Tiny Telnet Server";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 31787 (msg:"BACKDOOR ATTEMPT-hackatak";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 31554 (msg:"BACKDOOR ATTEMPT-Schwindler";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 31339 (msg:"BACKDOOR ATTEMPT-NetSpyDK";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 31337 (msg:"BACKDOOR ATTEMPT-Backorifice";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 30999 (msg:"BACKDOOR ATTEMPT-Kuang";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 30303 (msg:"BACKDOOR ATTEMPT-Socket-23";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 29891 (msg:"BACKDOOR ATTEMPT-The Unexplained";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 22222 (msg:"BACKDOOR ATTEMPT-Prosiak";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 20331 (msg:"BACKDOOR ATTEMPT-Bla";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 20203 (msg:"BACKDOOR ATTEMPT-Chupacabra";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 20034 (msg:"BACKDOOR ATTEMPT-NetBus2Pro";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 
20000 (msg:"BACKDOOR ATTEMPT-millenium";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 17300 (msg:"BACKDOOR ATTEMPT-Kuang2";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 16969 (msg:"BACKDOOR ATTEMPT-Priority / Portal Of Doom";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 12701 (msg:"BACKDOOR ATTEMPT-Eclipse 2000";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 12223 (msg:"BACKDOOR ATTEMPT-hack99keylogger";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 12076 (msg:"BACKDOOR ATTEMPT-Gjamer";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 11223 (msg:"BACKDOOR ATTEMPT-Progenic Trojan";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 11000 (msg:"BACKDOOR ATTEMPT-Sennaspy";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 10666 (msg:"BACKDOOR ATTEMPT-Ambush";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 10607 (msg:"BACKDOOR ATTEMPT-Coma Danny";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 9999 (msg:"BACKDOOR ATTEMPT-The Prayer1";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 9889 (msg:"BACKDOOR ATTEMPT-INI-Killer";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 9872 (msg:"BACKDOOR ATTEMPT-Portal Of Doom";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 9400 (msg:"BACKDOOR ATTEMPT-InCommand";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 6939 (msg:"BACKDOOR ATTEMPT-Indoctrination";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 6883 (msg:"BACKDOOR ATTEMPT-DeltaSource DarkStar";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 6670 (msg:"BACKDOOR ATTEMPT-DeepThroat";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 6669 (msg:"BACKDOOR ATTEMPT-Vampire";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 6400 (msg:"BACKDOOR ATTEMPT-The Thing";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 5569 (msg:"BACKDOOR ATTEMPT-RoboHack";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 5550 (msg:"BACKDOOR ATTEMPT-XTCP2";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 5521 (msg:"BACKDOOR ATTEMPT-IllusionMailer";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 5011 (msg:"BACKDOOR 
ATTEMPT-OOOLT";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 4567 (msg:"BACKDOOR ATTEMPT-Filenail Danny";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 3791 (msg:"BACKDOOR ATTEMPT-Total Eclipse 1.0";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 2801 (msg:"BACKDOOR ATTEMPT-Phineas Phucker";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 2716 (msg:"BACKDOOR ATTEMPT-The Prayer2";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 2583 (msg:"BACKDOOR ATTEMPT-WinCrash2";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 2565 (msg:"BACKDOOR ATTEMPT-Striker";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 2283 (msg:"BACKDOOR ATTEMPT-HVLRat5";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 2001 (msg:"BACKDOOR ATTEMPT-TrojanCow";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 1999 (msg:"BACKDOOR ATTEMPT-Transcout";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 1981 (msg:"BACKDOOR ATTEMPT-ShockRave";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 1807 (msg:"BACKDOOR ATTEMPT-SpySender";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 1600 (msg:"BACKDOOR ATTEMPT-Shivka-Burka";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 1492 (msg:"BACKDOOR ATTEMPT-FTP99CMP";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 1269 (msg:"BACKDOOR ATTEMPT-Mavericks Matrix";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 1245 (msg:"BACKDOOR ATTEMPT-Voodoo Doll";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 1243 (msg:"BACKDOOR ATTEMPT-Subseven";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 1207 (msg:"BACKDOOR ATTEMPT-Softwar";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 1170 (msg:"BACKDOOR ATTEMPT-Psyber Streaming Server / Voice";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 1042 (msg:"BACKDOOR ATTEMPT-Blah 1.1";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 1033 (msg:"BACKDOOR ATTEMPT-NetSpy";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 1001 (msg:"BACKDOOR ATTEMPT-PossibleSilencer-Webex-Doly";flags:S;) alert tcp !$HOME_NET !80 -> $HOME_NET 777 (msg:"BACKDOOR ATTEMPT-Aimspy";flags:S;) 
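# BACKDOOR ATTEMPT (continued): port-only SYN matches, see the note on the rules above.
alert tcp !$HOME_NET !80 -> $HOME_NET 666 (msg:"BACKDOOR ATTEMPT-Attack FTP / Satans Backdoor";flags:S;)
alert tcp !$HOME_NET !80 -> $HOME_NET 555 (msg:"BACKDOOR ATTEMPT-Stealthspy/Phase0/Netadmin/INI-Killer";flags:S;)
alert tcp !$HOME_NET !80 -> $HOME_NET 456 (msg:"BACKDOOR ATTEMPT-HackersParadise";flags:S;)
alert tcp !$HOME_NET !80 -> $HOME_NET 31 (msg:"BACKDOOR ATTEMPT-Masters Paradise";flags:S;)
# BETA RULES: trojan traffic matched on port plus a payload string. The msg text carries the
# author's request for false-positive reports; the short content strings ("host", "pINg",
# "logged in") are weak discriminators on their own, so expect some noise.
alert tcp $HOME_NET 5714 -> !$HOME_NET any (msg:"BETA RULE - Report falses to jforster@rapidnet.com -- WinCrash 1.0 Server Active" ; flags:SA; content:"|B4 B4|";)
alert udp !$HOME_NET 3345 -> $HOME_NET 3344 (msg:"BETA RULE - Report falses to jforster@rapidnet.com -- Matrix 2.0 Server ACK"; content:"logged in";)
alert udp !$HOME_NET 3344 -> $HOME_NET 3345 (msg:"BETA RULE - Report falses to jforster@rapidnet.com -- Matrix 2.0 Client connect"; content:"activate";)
alert tcp !$HOME_NET 5031 -> $HOME_NET any (msg:"BETA RULE - Report falses to jforster@rapidnet.com -- NetMetwro Incoming Traffic"; flags:PA;)
alert tcp $HOME_NET any -> !$HOME_NET 5032 (msg:"BETA RULE - Report falses to jforster@rapidnet.com -- NetMetro File List"; flags:PA; content:"|2D 2D|";)
alert tcp $HOME_NET any -> !$HOME_NET 5032 (msg:"BETA RULE - Report falses to jforster@rapidnet.com -- NetMetro Outbound Data"; flags:PA;)
alert tcp $HOME_NET 666 -> !$HOME_NET any (msg:"BETA RULE - Report falses to jforster@rapidnet.com -- BackConstruction 2.1 Server FTP Open Reply"; flags:PA; content:"FTP Port open";)
alert tcp !$HOME_NET any -> $HOME_NET 666 (msg:"BETA RULE - Report falses to jforster@rapidnet.com -- BackConstruction 2.1 Client FTP Open Request"; flags:PA; content:"FTPON";)
# FIX: the content was written as "c|3A|\" -- the trailing backslash escapes the closing quote
# (or is silently dropped by older parsers), so the intended "c:\" was never matched as written.
# The backslash is now encoded as a hex byte.
alert tcp $HOME_NET 5401:5402 -> !$HOME_NET any (msg:"BETA RULE - Report falses to jforster@rapidnet.com -- BackConstruction 2.1 Connection"; flags:PA; content:"c|3A 5C|";)
alert tcp any !80 -> !$HOME_NET any (msg:"BETA RULE - Report falses to jforster@rapidnet.com -- SubSeven 2.1 FTP Enable from Client"; flags:PA; content:"FTPenable!";)
alert tcp $HOME_NET !80 -> !$HOME_NET any (msg:"BETA RULE - Report falses to jforster@rapidnet.com -- SubSeven 2.1 FTP Enabled Sent from Server!"; flags:PA; content:"FTP server enabled";)
alert tcp $HOME_NET !80 -> !$HOME_NET any (msg:"BETA RULE - Report falses to jforster@rapidnet.com -- SubSeven 2.1 Login Detected!"; flags:PA; content:"connected. time/date";)
alert tcp $HOME_NET 30100:30102 -> !$HOME_NET any (msg:"BETA RULE - Report falses to jforster@rapidnet.com -- NetSphere 1.31.337 Data"; flags:PA; content:"NetSphere";)
alert tcp $HOME_NET 31785 -> !$HOME_NET any (msg:"BETA RULE - Report falses to jforster@rapidnet.com -- HackAttack 1.20 Connect"; flags:PA; content:"host";)
alert tcp $HOME_NET 23476 -> !$HOME_NET any (msg:"BETA RULE - Report falses to jforster@rapidnet.com -- DonaldDick 1.53 Traffic"; flags:PA; content:"pINg";)
# DeepThroat: the first two rules match on ports alone; the 3150/60000 pair adds a content check.
alert udp any 2140 -> $HOME_NET 60000 (msg:"BETA RULE - Report falses to jforster@rapidnet.com -- DeepThroat 1.3 Server Active on Network";)
alert udp any 60000 -> $HOME_NET 2140 (msg:"BETA RULE - Report falses to jforster@rapidnet.com -- DeepThroat 1.3 Client Sending Data to Server on Network";)
alert udp any 3150 -> $HOME_NET 60000 (msg:"BETA RULE - Report falses to jforster@rapidnet.com -- DeepThroat 1.3 Server Active on Network"; content:"|00 23|";)
alert udp any 60000 -> $HOME_NET 3150 (msg:"BETA RULE - Report falses to jforster@rapidnet.com -- DeepThroat 1.3 Client Sending Data to Server on Network"; content:"|00 23|";)
alert udp $HOME_NET 2140 -> any 60000 (msg:"BETA RULE - Report falses to jforster@rapidnet.com -- DeepThroat 1.3 Keylogger Active on Network"; content:"KeyLogger Is Enabled On port";)
# FINGER (tcp/79): probes and malformed queries against fingerd.
alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"FINGER-Search";flags:PA; content:"search";)
alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"FINGER-root";flags:PA; content:"root";)
alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"FINGER-ProbeNull"; flags:PA; content:"|00|";)
alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"FINGER-Probe0";flags:PA; content:"0";)
alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"FINGER-PipeW";flags:PA; content:"/W|3b|";)
alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"FINGER-Pipe"; flags:PA; content:"|7c|";)
alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"FINGER-Bomb";flags:PA; content:"@@";)
alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"FINGER-redirection";flags:PA; content:"|406C6F63616C686F73740A|";dsize:"11";)
alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"FINGER-0@host";flags:PA; content:"|300A20202020|";dsize:"6";depth:"6";)
alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"FINGER-.@host";flags:PA; content:"|2E0A20202020|";dsize:"6";depth:"6";)
# FTP (tcp/21): suspicious logins and command arguments.
# The "#" entries below are deliberately disabled; in the collapsed one-line form of this file
# a "#" silently disabled every rule that followed it on the same line, so keep one rule per line.
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-user-warez";flags:PA; content:"user warez |0d|";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-user-root";flags:PA; content:"user root |0d|";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-site-exec";flags:PA; content:"site exec";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-shosts";flags:PA; content:".shosts";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-rhosts";flags:PA; content:".rhosts";)
# alert tcp !$HOME_NET any <> $HOME_NET 21 (msg:"FTP-Password";flags:PA; content:"PASS";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-pass-wh00t";flags:PA; content:"pass wh00t";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-pass-h0tb0x";flags:PA; content:"pass h0tb0x";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-nopassword";flags:PA; content:"pass |0d|";)
# alert tcp !$HOME_NET any <> $HOME_NET 21 (msg:"FTP-Login";flags:PA; content:"USER";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-linux-nulluser";flags:PA; content:"user null |0d|";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-linux-nullpass";flags:PA; content:"pass null |0d|";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-forward";flags:PA; content:".forward";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-cwd~root"; flags:PA; content:"cwd ~root";)
# TFTP (udp/69): read requests for absolute or parent-relative paths.
alert udp !$HOME_NET any -> $HOME_NET 69 (msg:"TFTP rootdirectory"; content:"|0001|/";)
alert udp !$HOME_NET any -> $HOME_NET 69 (msg:"TFTP parent directory"; content:"..";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP tar parameters";flags:PA; content:"RETR--use-compress-program";)
# FTP login failures, matched on the server's reply (outbound direction).
alert tcp $HOME_NET 21 -> !$HOME_NET any (msg:"FTP-NT-bad-login"; content:"Login failed.";)
alert tcp $HOME_NET 21 -> !$HOME_NET any (msg:"FTP-bad-login";flags:PA; content:"530 Login incorrect";)
# Virus / worm attachments seen in POP3 downloads (source port 110): matched on attachment
# file names, some given as hex. Generic names such as SETUP.EXE or VIDEO.EXE will false-positive.
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Y2K Zelu Trojan"; content: "Y2K.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible The_Fly Trojan"; content: "THE_FLY.CHM";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Word Macro - VALE"; content: "DINHEIRO.DOC";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Word Macro - VALE"; content: "MONEY.DOC";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible wscript.KakWorm"; content: "KAK.HTA";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Tune.vbs"; content: "tune.vbs";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NAIL Worm"; content:"|4D 61 72 6B 65 74 20 73 68 61 72 65 20 74 69 70 6F 66 66|";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NAIL Worm"; content: "|6E 61 6D 65 20 3D 22 57 57 49 49 49 21|";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NAIL Worm"; content:"|4E 65 77 20 44 65 76 65 6C 6F 70 6D 65 6E 74 73|";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NAIL Worm"; content:"|47 6F 6F 64 20 54 69 6D 65 73|";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Papa Worm"; content:"XPASS.XLS";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Suppl Worm"; content:"Suppl.doc";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Freelink Worm"; content:"|4C 49 4E 4B 53 2E 56 42 53|";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Triplesix Worm"; content: "666TEST.VBS";)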
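# Virus / worm attachments in POP3 downloads (continued). Matched on attachment file names;
# generic names (SETUP.EXE, VIDEO.EXE, *.exe greetings) will false-positive on ordinary mail.
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Simbiosis Worm"; content: "SETUP.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible BADASS Worm"; content: "|6E 61 6D 65 20 3D 22 42 41 44 41 53 53 2E 45 58 45 22|";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible ExploreZip.B Worm"; content: "|6E 61 6D 65 20 3D 22 46 69 6C 65 5F 7A 69 70 70 61 74 69 2E 65 78 65 22|";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Video Worm"; content: "VIDEO.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Passion Worm"; content: "ICQ_GREETINGS.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Common Sense Worm"; content: "|6E 61 6D 65 20 3D 22 54 48 45 5F 46 4C 59 2E 43 48 4D 22|";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible MyPics Worm"; content: "|6E 61 6D 65 20 3D 22 70 69 63 73 34 79 6F 75 2E 65 78 65 22|";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Babylonia - X-MAS.exe"; content: "|6E 61 6D 65 20 3D 22 58 2D 4D 41 53 2E 45 58 45 22|";)
# NewApt.Worm: one rule per known attachment name.
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - gadget.exe"; content: "GADGET.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - irnglant.exe"; content: "IRNGLANT.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - casper.exe"; content: "CASPER.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - fborfw.exe"; content: "FBORFW.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - cupid2.exe"; content: "CUPID2.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - bboy.exe"; content: "BBOY.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - baby.exe"; content: "BABY.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - goal.exe"; content: "GOAL.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - theobbq.exe"; content: "THEOBBQ.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - panther.exe"; content: "PANTHER.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - chestburst.exe"; content: "CHESTBURST.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - farter.exe"; content: "FARTER.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - boss.exe"; content: "BOSS.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - monica.exe"; content: "MONICA.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - saddam.exe"; content: "SADDAM.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - party.exe"; content: "PARTY.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - hog.exe"; content: "HOG.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - goal1.exe"; content: "GOAL1.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - pirate.exe"; content: "PIRATE.EXE";)
# NOTE(review): same content as the "Video Worm" rule above; both will fire on one message.
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - video.exe"; content: "VIDEO.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - copier.exe"; content: "COPIER.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - cooler1.exe"; content: "COOLER1.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - cooler3.exe"; content: "COOLER3.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - g-zilla.exe"; content: "G-ZILLA.EXE";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible ToadieE-mail Trojan"; content:"Toadie.exe";)
# FIX: the content was written as "\CoolProgs\" -- "\"" at the end escapes the closing quote
# (or the trailing backslash is dropped by older parsers), so the rule never matched the
# intended "\CoolProgs\" path. Both backslashes are now encoded as hex bytes.
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible PrettyPark Trojan"; content:"|5C|CoolProgs|5C|";offset:300;depth:750;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Happy99 Virus"; content:"X-Spanska\:Yes";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible CheckThis Trojan"; content:"|6E 61 6D 65 20 3D 22 6C 69 6E 6B 73 2E 76 62 73 22|";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Bubbleboy Worm"; content:"BubbleBoy is back!";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possbile Zipped Files Trojan"; content:"|6E 61 6D 65 20 3D 22 5A 69 70 70 65 64 5F 46 69 6C 65 73 2E 45 58 45 22|";)
# MISC: DNS version probes, PCAnywhere, traceroute, source routing and ICMP routing messages.
alert udp !$HOME_NET any -> $HOME_NET 53 (msg:"MISC-DNS-version-query"; content:"version|04|bind|0000 1000 03";)
alert tcp !$HOME_NET !53 -> $HOME_NET 5631 (msg:"MISC-PCAnywhere Attempted Administrator Login";flags:PA; content:"ADMINISTRATOR";)
# NOTE(review): the two "Live Connection" rules have no flags or content, so they alert on every
# packet to 5631, not once per session; consider flags:S for the tcp one.
alert tcp !$HOME_NET !53 -> $HOME_NET 5631 (msg:"MISC-PCAnywhere Live TCP Connection";)
alert udp !$HOME_NET !53 -> $HOME_NET 5631 (msg:"MISC-PCAnywhere Live UDP Connection";)
# NOTE(review): ttl is given as ttl:"1" here but as ttl:1 in the ICMP rule below and elsewhere
# in the file; confirm the parser in use accepts the quoted form, otherwise these two never match.
alert udp !$HOME_NET any -> $HOME_NET any (msg:"MISC-Traceroute UDP";ttl:"1";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"MISC-Traceroute TCP";ttl:"1";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"MISC-Traceroute ICMP";ttl:1;itype:8;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"MISC-SourceRoute-ICMP-lssre";ipopts:lsrre;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"MISC-SourceRoute-ICMP-lssr";ipopts:lsrr;)
# NOTE(review): the next four rules are duplicated by the four that follow them (same itype/icode,
# different msg); one message will raise two alerts. Keep one set.
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"MISC-IRDP-Router-Selection(l0phtattack)";itype:10;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"MISC-IRDP-Router-Advertisement(l0phtattack)";itype:9;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"MISC-ICMP-Redirect-Net";itype:5;icode:0;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"MISC-ICMP-Redirect-Host";itype:5;icode:1;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"MISC-IRDPRouterSelection";itype:10;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"MISC-IRDPRouterAdvertisement";itype:9;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"MISC-ICMPRedirectNet";itype:5;icode:0;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"MISC-ICMPRedirectHost";itype:5;icode:1;)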
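# MISC (continued).
# NOTE(review): both source and destination are !$HOME_NET here, so this only sees transit
# traffic; the other rules in this section use $HOME_NET as destination -- confirm the intent.
alert icmp !$HOME_NET any -> !$HOME_NET any (ipopts:rr;msg:"MISC-IP-OPTIONS-RR!";)
alert tcp $HOME_NET any -> !$HOME_NET 6000:6023 (msg:"MISC-OutgoingXterm";flags:AP;)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"MISC-Passwd-Attempt";flags:PA; content:"passwd";)
# Keyword lower-cased to match the rest of the file (was TTL:1).
alert udp !$HOME_NET any -> $HOME_NET !520 (msg:"MISC-Traceroute-UDP";ttl:1;)
alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"MISC-IMAP-x86-linux-buffer-overflow";flags:PA; content:"|e8c0ffffff|/bin/sh";)
alert tcp $HOME_NET any -> $HOME_NET any (msg:"MISC-Passwd-Search";flags:PA; content:"passwd";)
alert tcp !$HOME_NET !53 -> $HOME_NET 8080 (msg:"MISC-WinGate-8080-Attempt";flags:S;)
# FIX: the msg strings of the two Sun RPC rules were missing their closing quote, which makes
# the rest of each rule part of the message and the rule unparsable.
alert udp !$HOME_NET any -> $HOME_NET 32771 (msg:"MISC-Attempted Sun RPC high port access";)
alert tcp !$HOME_NET any -> $HOME_NET 32771 (msg:"MISC-Attempted Sun RPC high port access";)
alert tcp !$HOME_NET !53 -> $HOME_NET 1080 (msg:"MISC-WinGate-1080-Attempt";flags:S;)
# Source-port tricks: SYNs from port 53 or 20 into privileged ports, used to slip past
# simple packet filters that allow DNS/FTP-data replies.
alert tcp !$HOME_NET 53 -> $HOME_NET 0:1023 (msg:"MISC-SourcePortTraffic-53-tcp";flags:S;)
alert tcp !$HOME_NET 20 -> $HOME_NET 0:1023 (msg:"MISC-SourcePortTraffic-20-tcp";flags:S;)
# SNMP / NETBIOS.
alert udp !$HOME_NET any -> $HOME_NET 161 (msg:"SNMP access, public"; content:"public";)
alert udp !$HOME_NET any -> $HOME_NET 161 (msg:"NETBIOS-SNMP-NT-UserList"; content:"|2b06104014d10219|";)
alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"NETBIOS-SMB-IPC$access";flags:PA; content:"|5c00|I|00|P|00|C|00|$|000000|IPC|00|";)
# FIX: the SMB share rules below spelled the leading backslash literally ("\IPC$", "\D$", ...).
# A bare backslash is an escape character in content strings: older parsers dropped it (so the
# rule matched "IPC$" without the backslash), newer ones reject the unknown escape. It is now
# encoded as |5C|, which matches the intended byte on every version.
alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"NETBIOS-SMB-IPC$access";flags:PA; content:"|5C|IPC$|00 41 3a 00|";)
alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"NETBIOS-SMB-D$access";flags:PA; content:"|5C|D$|00 41 3a 00|";)
alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"NETBIOS-SMB-CD...";flags:PA; content:"|5C|...|00 00 00|";)
alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"NETBIOS-SMB-CD..";flags:PA; content:"|5C|..|2f 00 00 00|";)
alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"NETBIOS-SMB-C$access";flags:PA; content:"|5C|C$|00 41 3a 00|";)
alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"NETBIOS-SMB-ADMIN$access";flags:PA; content:"|5C|ADMIN$|00 41 3a 00|";)
alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"NETBIOS-Samba-clientaccess";flags:PA; content:"|00|Unix|00|Samba";)
alert udp !$HOME_NET any -> $HOME_NET 137 (msg:"NETBIOS-SMB-Name-Wildcard"; content:"CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|0000|";)
# OVERFLOW: buffer-overflow payload signatures. The NOOP rules match 16-byte no-op sleds for
# each architecture on any port and are the noisiest rules in the file (binary transfers will
# contain such runs); each has a tcp and a udp variant.
alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-Named-ADM-NXT - 8.2->8.2.1";flags:PA; content:"../../../../../../../../../";)
alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-Named-ADM-NXT - 8.2->8.2.1";flags:PA; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool";)
alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-Named-ADM-NXT - 8.2->8.2.1";flags:PA; content:"ADMROCKS";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-X86";flags:PA; content:"|9090 9090 9090 9090 9090 9090 9090 9090|";)
alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-X86"; content:"|9090 9090 9090 9090 9090 9090 9090 9090|";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Sparc";flags:PA; content:"|a61c c013 a61c c013 a61c c013 a61c c013|";)
alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Sparc"; content:"|a61c c013 a61c c013 a61c c013 a61c c013|";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Sparc";flags:PA; content:"|13c0 1ca6 13c0 1ca6 13c0 1ca6 13c0 1ca6|";)
alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Sparc"; content:"|13c0 1ca6 13c0 1ca6 13c0 1ca6 13c0 1ca6|";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Solaris";flags:PA; content:"|801c 4011 801c 4011 801c 4011 801c 4011|";)
alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Solaris"; content:"|801c 4011 801c 4011 801c 4011 801c 4011|";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-SGI";flags:PA; content:"|240f 1234 240f 1234 240f 1234 240f 1234|";)
alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-SGI"; content:"|240f 1234 240f 1234 240f 1234 240f 1234|";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-SGI";flags:PA; content:"|03e0 f825 03e0 f825 03e0 f825 03e0 f825|";)
alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-SGI"; content:"|03e0 f825 03e0 f825 03e0 f825 03e0 f825|";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-HP";flags:PA; content:"|0b39 0280 0b39 0280 0b39 0280 0b39 0280|";)
alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-HP"; content:"|0b39 0280 0b39 0280 0b39 0280 0b39 0280|";)
# FIX: the tcp HP rule had "08210 0280" (an odd number of hex digits) in its last group, which
# cannot decode to whole bytes; corrected to the repeating 0821 0280 pattern its udp twin uses.
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-HP";flags:PA; content:"|0821 0280 0821 0280 0821 0280 0821 0280|";)
alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-HP"; content:"|0821 0280 0821 0280 0821 0280 0821 0280|";)
alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Digital"; content:"|47ff 041f 47ff 041f 47ff 041f 47ff 041f|";)
# Whitespace inside the hex block regrouped (was "47f f041f"); the bytes are unchanged.
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Digital";flags:PA; content:"|47ff 041f 47ff 041f 47ff 041f 47ff 041f|";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-AIX";flags:PA; content:"|4fff fb82 4fff fb82 4fff fb82 4fff fb82|";)
alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-AIX"; content:"|4fff fb82 4fff fb82 4fff fb82 4fff fb82|";)
alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-LinuxCommonUDP"; content:"|909090e8c0ffffff|/bin/sh";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-LinuxCommonTCP";flags:PA; content:"|909090e8c0ffffff|/bin/sh";)
alert udp !$HOME_NET any -> $HOME_NET 67 (msg:"OVERFLOW-BOOTP--x86linux"; content:"|4139 30c0 a801 012f 6269 6e2f 7368 00|";)
alert udp !$HOME_NET any -> $HOME_NET 67 (msg:"OVERFLOW-BOOTP-x86bsd"; content:"|6563 686f 206e 6574 726a 7320 7374 7265|";)
alert tcp !$HOME_NET any -> $HOME_NET 6373 (msg:"OVERFLOW-sco-calserver";flags:PA; content:"|eb7f 5d55 fe4d 98fe 4d9b|";)
alert udp !$HOME_NET any -> $HOME_NET 635 (msg: "OVERFLOW-x86-linux-mountd3"; content:"|eb40 5E31 c040 8946 0489 c340 8906|";)
alert udp !$HOME_NET any -> $HOME_NET 635 (msg: "OVERFLOW-x86-linux-mountd2"; content:"|5eb0 0289 06fe c889 4604 b006 8946|";)
alert udp !$HOME_NET any -> $HOME_NET 635 (msg: "OVERFLOW-x86-linux-mountd"; content:"|eb56 5E56 5656 31d2 8856 0b88 561e|";)
alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-named";flags:PA; content:"|CD80 E8D7 FFFF FF|/bin/sh";)
alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-x86linux-rotsb";flags:PA; content:"|31c0 b03f 31db b3ff 31c9 cd80 31c0|";)
alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-x86linux-generic";flags:PA; content:"|cd80 e8d7 ffff ff|/bin/sh";)
alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-x86linux-ADMv3";flags:PA; content:"|31c0b002cd8085c0754ceb4c5eb0|";)
alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-x86linux-ADMv2";flags:PA; content:"|89f7 29c7 89f3 89f9 89f2 ac3c fe|";)
alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-x86freebsd-rotsb";flags:PA; content:"|eb6e 5ec6 069a 31c9 894e 01c6 4605|";)
alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-sparc";flags:PA; content:"|901ac00f 90022008 9202200f d023bff8|";)
alert udp !$HOME_NET any -> $HOME_NET 518 (msg:"OVERFLOW-x86-linux-ntalkd"; content:"|0103 0000 0000 0001 0002 02e8|";)
alert tcp !$HOME_NET any -> $HOME_NET 2766 (msg:"OVERFLOW-x86-solaris-nlps";flags:PA; content:"|eb235e33c08846fa8946f58936|";)
# FIX: the two Windows SMTP rules gave their byte pattern without the |..| hex delimiters, so
# they matched the literal ASCII text "eb45eb20..." rather than the bytes the msg refers to.
# NOTE(review): the delimiters were added on that reading; verify against the signature source.
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"OVERFLOW-x86-windows-MailMax";flags:PA; content:"|eb45eb205bfc33c9b1828bf3802b|";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"OVERFLOW-x86-windows-CSMMail";flags:PA; content:"|eb53eb205bfc33c9b1828bf3802b|";)
# NOTE(review): "83c62" has an odd number of hex digits, so this content cannot decode to whole
# bytes; left unchanged because the missing digit cannot be recovered from this file. Verify
# against the original signature before relying on the rule.
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-x86linux-wh0a";flags:PA; content:"|83ec04 5e 83c670 83c62 8d5e0c|";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-x86linux-smiler";flags:PA; content:"|31db 89d8 b017 cd80 eb2c|";)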
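# OVERFLOW (continued): FTP, IMAP, Samba, POP and client-side overflow payloads.
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-x86linux-sekure";flags:PA; content:"MKD AAAAAA";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-x86linux-duke";flags:PA; content:"|31c0 31db b017 cd80 31c0 b017 cd80|";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-x86linux-adm";flags:PA; content:"|31c031dbb017cd8031c0b017cd80|";)
# NOTE(review): "generic2"/"2!" and "generic1"/"1!" are pairs with identical content and
# port; each hit produces two alerts. Keep one of each pair.
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-generic2";flags:PA; content:"|5858 5858 582F|";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-generic1";flags:PA; content:"|5057 440A 2F69|";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-2!";flags:PA; content:"|5858 5858 582F|";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-1!";flags:PA; content:"|5057 440A2F69|";)
alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-x86-linux-imapd6";flags:PA; content:"|eb385e89f389d880460120804602|";)
alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-x86-linux-imapd5";flags:PA; content:"|eb35 5E80 4601 3080 4602 3080 4603 30|";)
alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-x86-linux-imapd4";flags:PA; content:"|eb34 5e8d 1E89 5e0b 31d2 8956 07|";)
alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-x86-linux-imapd3";flags:PA; content:"|eb58 5E31 db83 c308 83c3 0288 5e26|";)
alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-x86-linux-imapd2";flags:PA; content:"|89d8 40cd 80e8 c8ff ffff|/";)
alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-IMAP";flags:PA; content:"|E8 C0FF FFFF|/bin/sh";)
alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-86-linux-imap1";flags:PA; content:"|e8 c0ff ffff|/bin/sh";)
alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"OVERFLOW-x86-linux-samba";flags:PA; content:"|eb2f 5feb 4a5e 89fb 893e 89f2|";)
alert tcp !$HOME_NET any -> $HOME_NET 110 (msg:"OVERFLOW-QPOP";flags:PA; content:"|E8 D9FF FFFF|/bin/sh";)
alert tcp !$HOME_NET any -> $HOME_NET 110 (msg:"OVERFLOW-POP3-x86sco";flags:PA; content:"|560e31c0b03b8d7e1289f989f9|";)
alert tcp !$HOME_NET any -> $HOME_NET 110 (msg:"OVERFLOW-POP3-x86linux";flags:PA; content:"|d840 cd80 e8d9 ffff ff|/bin/sh";)
alert tcp !$HOME_NET any -> $HOME_NET 110 (msg:"OVERFLOW-POP3-x86bsd2";flags:PA; content:"|5e0e31c0b03b8d7e0e89fa89f9|";)
alert tcp !$HOME_NET any -> $HOME_NET 110 (msg:"OVERFLOW-POP3-x86bsd";flags:PA; content:"|685d 5eff d5ff d4ff f58b f590 6631|";)
alert tcp !$HOME_NET any -> $HOME_NET 109 (msg:"OVERFLOW-POP2-x86linux2";flags:PA; content:"|eb2c5b89d980c10639d97c078001|";)
alert tcp !$HOME_NET any -> $HOME_NET 109 (msg:"OVERFLOW-POP2-x86linux";flags:PA; content:"|ffff ff2f 4249 4e2f 5348 00|";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-IRC-client-Chocoa";flags:PA; content:"|eb4b5b5332e483c30b4b8823b85077|";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NextFTP-client";flags:PA; content:"|b420 b421 8bcc 83e9 048b 1933 c966 b910|";)
# PING / ICMP: informational ICMP types in either direction, then echo-request payload
# fingerprints (first 32 bytes) that identify the ping tool or OS that sent them.
alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Message"; itype:18;)
alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Message"; itype:17;)
alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Message"; itype:16;)
alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Message"; itype:15;)
alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Message"; itype:13;)
alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Error"; itype:12;)
alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Error"; itype:11;)
alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Error"; itype:4;)
# Disabled on purpose (type 3 "unreachable" is far too common). Kept on its own line so the
# "#" does not swallow the rules after it, as it did in the collapsed one-line form.
# alert icmp !$HOME_NET any <> !$HOME_NET any (msg:"PING-ICMP Error"; itype:3;)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"PING - NMAP TCP";flags:A;ack:"0";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"PING Windows NT tracert"; content:"|00000000000000000000000000000000|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"PING Windows Type"; content: "|61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70|"; itype: 8; depth: "32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"PING WhatsupGold Windows"; content:"|57686174735570202d2041204e657477|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"PING TJPingPro1.1Build 2 Windows"; content:"|544a50696e6750726f206279204a696d|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"PING Seer Windows"; content:"|88042020202020202020202020202020|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"PING Ping-O-MeterWindows"; content:"|4f4d657465724f6265736541726d6164|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"PING Pinger Windows"; content:"|44617461000000000000000000000000|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"PING *NIX Type"; content:"|101112131415161718191a1b1c1d1e1f|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"PING Nmap2.36BETA";itype:8;dsize:"0";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"PING Network Toolbox 3 Windows"; content:"|3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d|";itype:8;depth:"32";)
# NOTE(review): same 16 zero bytes as "PING Windows NT tracert" above; both fire together.
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"PING Netscreen Firewall Ping"; content:"|00000000000000000000000000000000|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"PING Microsoft Windows"; content:"|6162636465666768696a6b6c6d6e6f70|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"PING ISS Pinger"; content:"|495353504e475251|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"PING IP NetMonitor Macintosh"; content:"|a9205375737461696e61626c6520536f|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"PING Flowpoint 2200DSL Router"; content:"|0102030405060708090a0b0c0d0e0f10|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"PING Delphi-Piette Windows"; content:"|50696e67696e672066726f6d2044656c|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"PING CyberKit 2.2 Windows"; content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"PING Cisco Type.x"; content:"|abcdabcdabcdabcdabcdabcdabcdabcd|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"PING BSD"; content: "|08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17|"; itype: 8; depth: "32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"PING BeOS4.x"; content:"|00000000000000000000000008090a0b|";itype:8;depth:"32";)
# RPC: portmapper (udp/111) lookups for specific RPC programs, matched at offset 40 of the
# request, which is where the program-number argument of a GETPORT call sits.
# NOTE(review): every content block in this group has an odd number of hex digits (e.g.
# "0186BC000"), which cannot decode to whole bytes, so a strict parser rejects these rules and
# a lenient one matches something other than the program number. They are left unchanged
# because the intended digits cannot be recovered from this file; verify against the original
# signature source before relying on them.
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"RPC - portmap-request-ypupdated"; content:"|0186BC000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"RPC - portmap-request-ypserv"; content:"|0186A4000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"RPC - portmap-request-yppasswd"; content:"|0186A9000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"RPC - portmap-request-ttdbserv"; content:"|0186F3000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"RPC - portmap-request-status"; content:"|0186B8000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"RPC - portmap-request-selection_svc"; content:"|0186AF000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"RPC - portmap-request-sadmind"; content:"|018788000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"RPC - portmap-request-rusers"; content:"|0186A2000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"RPC - portmap-request-rstatd"; content:"|0186A1000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"RPC - portmap-request-rexd";content:"|0186B1000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"RPC - portmap-request-pcnfsd"; content:"|0249f1000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"RPC - portmap-request-nlockmgr"; content:"|0186B5000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"RPC - portmap-request-nisd"; content:"|0187cc000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"RPC - portmap-request-mountd"; content:"|0186A5000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"RPC - portmap-request-cmsd"; content:"|0186E4000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"RPC - portmap-request-bootparam"; content:"|0186BA000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"RPC - portmap-request-amountd"; content:"|01873000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"RPC - portmap-request-admind"; content:"|0186F7000|";offset:"40";depth:"8";)
# Rservices: privileged-account logins over the r-protocols.
# NOTE(review): the standard ports are 513 (login) and 514 (shell); the msg labels here are
# the other way round. Ports are left as written -- confirm which service each is meant for.
alert tcp !$HOME_NET any -> $HOME_NET 514 (msg:"Rservices - RLOGIN-root";flags:PA; content:"root|00|root|00|";)
alert tcp !$HOME_NET any -> $HOME_NET 514 (msg:"Rservices - RLOGIN-froot";flags:PA; content:"-froot|00|";)
alert tcp !$HOME_NET any -> $HOME_NET 514 (msg:"Rservices - RLOGIN-bin";flags:PA; content:"bin|00|bin|00|";)
alert tcp !$HOME_NET any -> $HOME_NET 513 (msg:"Rservices - RSH-root";flags:PA; content:"root|00|root|00|";)
alert tcp !$HOME_NET any -> $HOME_NET 513 (msg:"Rservices - RSH-LinuxNIS";flags:PA; content:"|3a3a3a3a3a3a3a3a003a3a3a3a3a3a3a3a|";)
alert tcp !$HOME_NET any -> $HOME_NET 513 (msg:"Rservices - RSH-froot";flags:PA; content:"-froot|00|";)
alert tcp !$HOME_NET any -> $HOME_NET 513 (msg:"Rservices - RSH-echo++";flags:PA; content:"echo |22| + + |22|";)
alert tcp !$HOME_NET any -> $HOME_NET 513 (msg:"Rservices - RSH-bin";flags:PA; content:"bin|00|bin|00|";)
# NOTE(review): the two high-port RPC queries below also have an odd hex digit count
# ("0000000020186A2"); see the portmap note above.
alert udp !$HOME_NET any -> $HOME_NET 32770: (msg:"Rservices - RPC-rusers-query"; content:"|0000000020186A2|";offset:"5";)
alert udp !$HOME_NET any -> $HOME_NET 32770: (msg:"Rservices - RPC-rstatd-query"; content:"|0000000020186A1|";offset:"5";)
# Login failures reported by our own r-services (outbound direction).
alert tcp $HOME_NET any -> !$HOME_NET any (msg:"RLOGIN-LoginFailure";flags:PA; content:"|01|rlogind|3a| Permission denied.";)
alert tcp $HOME_NET any -> !$HOME_NET any (msg:"RSH-LoginFailure";flags:PA; content:"login incorrect";)
# NOTE(review): identical to RLOGIN-LoginFailure above apart from the msg; fires twice per event.
alert tcp $HOME_NET any -> !$HOME_NET any (msg:"RSH-LoginFailure";flags:PA; content:"|01|rlogind|3a| Permission denied.";)
# SCAN: scanner and OS-fingerprint signatures (unusual TCP flag combinations, scanner
# banner strings). flags:0 means no flags set; 1 and 2 are the reserved bits.
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"PING-SCAN Sniffer Pro/NetXRay"; content:"|43696e636f30313233343536373839|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"SCAN-ICMP Sniffer Pro/NetXRay network scan"; content:"|43696e636f204e6574776f726b2c20496e632e|"; itype: 8; depth: "32";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"SCAN-SYNFIN";flags:SF;)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"SCAN-Possible Queso Fingerprint attempt";flags:S12;)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"SCAN-Possible NMAP Fingerprint attempt";flags:SFPU;)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"SCAN-NULLScan";flags:0;)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"SCAN-FullXMASScan";flags:SRAFPU;)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"SCAN-FIN";flags:F;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN-Whisker!";flags:PA; content:"HEAD/./";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN-Cybercop-WEB";flags:PA; content:"get /cybercop";)
alert udp !$HOME_NET any -> $HOME_NET 7 (msg:"SCAN-Cybercop-UDP-bomb"; content:"cybercop";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"SCAN-Cybercop-SMTPexpn";flags:PA; content:"expn cybercop";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"SCAN-Cybercop-SMTPehlo";flags:PA; content:"ehlo cybercop|0a|quit|0a|";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"SCAN-SATAN-FTPcheck";flags:PA; content:"pass -satan";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"SCAN-SAINT-FTPcheck";flags:PA; content:"pass -saint";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"SCAN-pISS-FTPcheck";flags:PA; content:"pass -cklaus";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"SCAN-ISS-FTPcheck";flags:PA; content:"pass -iss@iss";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"SCAN-ADM-FTPcheck";flags:PA; content:"PASS ddd@|0a|";)
# SMTP (tcp/25): sendmail/majordomo exploit strings and account enumeration (vrfy/expn).
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"SMTP-vrfy-decode";flags:PA; content:"vrfy decode";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"SMTP-MajordomoIFS";flags:PA; content:"eply-to|3a| a~.`/bin/";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"SMTP-expn-root";flags:PA; content:"expn root";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"SMTP-expn-decode";flags:PA; content:"expn decode";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"SMTP-exploit565";flags:PA; content:"MAIL FROM|3a207c|/usr/ucb/tail";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"SMTP-exploit564";flags:PA; content:"rcpt to|3a| decode";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"SMTP-exploit555";flags:PA; content:"mail from|3a20227c|";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"SMTP-exploit41";flags:PA; content:"rcpt to|3a207c| sed '1,/^$/d'|7c|";)
# Disabled on purpose (would log every POP3 credential exchange); kept on their own lines so
# the "#" does not disable the rules that follow, as it did in the collapsed one-line form.
# alert tcp !$HOME_NET any <> $HOME_NET 110 (msg:"Mail Password";flags:PA; content:"PASS";)
# alert tcp !$HOME_NET any <> $HOME_NET 110 (msg:"Mail Login";flags:PA; content:"USER";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"SMTP-exploit869d";flags:PA; content:"|0a|Croot|0a|Mprog";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"SMTP-exploit869c";flags:PA; content:"|0a|Croot|0d0a|Mprog";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"SMTP-exploit869b";flags:PA; content:"|0a|D/";)
# FIX: the msg of SMTP-exploit869a was missing its closing quote, which made the rest of the
# rule part of the message text and the rule unparsable.
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"SMTP-exploit869a";flags:PA; content:"|0a|C|3a|daemon|0a|R";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"SMTP-exploit8610ha";flags:PA; content:"Croot|09090909090909|Mprog,P=/bin";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"SMTP-exploit8610";flags:PA; content:"Croot|0d0a|Mprog, P=/bin/";)
# TELNET (tcp/23): environment-variable attacks inbound; login failures and daemon banners
# matched on the server's replies (outbound direction).
alert tcp $HOME_NET 23 -> !$HOME_NET any (msg:"TELNET - Attempted SU from wrong group"; content: "|74 6F 20 73 75 20 72 6F 6F 74 2E|";)
alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"TELNET resolv_host_conf";flags:PA; content:"resolv_host_conf";)
alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"TELNET Livingston-DoS";flags:PA; content:"|fff3 fff3 fff3 fff3 fff3|";)
alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"TELNET ld_preload";flags:PA; content:"ld_preload";)
alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"TELNET ld_library_path";flags:PA; content:"ld_library_path";)
alert tcp $HOME_NET 23 -> !$HOME_NET any (msg:"TELNET-WinGate-Active"; content:"WinGate>";)
alert tcp $HOME_NET 23 -> !$HOME_NET any (msg:"TELNET NotOnConsole"; content:"not on system console";)
alert tcp $HOME_NET 23 -> !$HOME_NET any (msg:"TELNET Login Incorrect"; content:"Login incorrect";)
alert tcp $HOME_NET 23 -> !$HOME_NET any (msg:"TELNET daemon-active";flags:PA; content:"|FFFD18FFFD1FFFFD23FFFD27FFFD24|";)
# WEB-CGI (tcp/80): requests for shells and known-vulnerable CGI programs under cgi-bin/.
# These are plain substring matches on the request, so the http_decode preprocessor set at
# the top of the file is needed to catch URL-encoded variants.
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-tsch shell";flags:PA; content:"cgi-bin/tcsh";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-survey";flags:PA; content:"cgi-bin/survey.cgi";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-snorkerz.cmd";flags:PA; content:"cgi-bin/snorkerz.cmd";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-snorkerz.bat";flags:PA; content:"cgi-bin/snorkerz.bat";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-sh";flags:PA; content:"cgi-bin/sh";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-rsh";flags:PA; content:"cgi-bin/rsh";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-rksh";flags:PA; content:"cgi-bin/rksh";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-query";flags:PA; content:"cgi-bin/query";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-post-query";flags:PA; content:"cgi-bin/post-query";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-ksh shell";flags:PA; content:"cgi-bin/ksh";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-day5datanotifier.cgi";flags:PA; content:"cgi-bin/day5datanotifier.cgi";)
alert 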
tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-day5datacopier.cgi";flags:PA; content:"cgi-bin/day5datacopier.cgi";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-csh shell";flags:PA; content:"cgi-bin/csh";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-bash shell";flags:PA; content:"cgi-bin/bash";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-visadmin.exe";flags:PA; content:"cgi-bin/visadmin.exe";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-dumpenv.pl";flags:PA; content:"cgi-bin/dumpenv.pl";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-bb-hist.sh";flags:PA; content:"cgi-bin/bb-hist.sh";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-MachineInfo";flags:PA; content:"cgi-bin/MachineInfo";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-AnyForm2";flags:PA; content:"cgi-bin/AnyForm2";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-wwwuploader.exe";flags:PA; content:"cgi-win/wwwuploader.exe";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-upload.pl";flags:PA; content:"cgi-bin/upload.pl";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-sendform.cgi";flags:PA; content:"cgi-bin/sendform.cgi";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-ppdscgi";flags:PA; content:"cgi-bin/ppdscgi.exe";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-wwwadmin";flags:PA; content:"cgi-bin/wwwadmin.pl";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-wais";flags:PA; content:"cgi-bin/wais.pl";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-w2tvars";flags:PA; content:"cgi-bin/w3tvars.pm";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-w3-msql";flags:PA; content:"cgi-bin/w2-msql";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-redirectt";flags:PA; content:"cgi-bin/redirect";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-formmail";flags:PA; content:"cgi-bin/formmail";) alert tcp !$HOME_NET any -> $HOME_NET 80 
(msg:"WEB-CGI-flexform";flags:PA; content:"cgi-bin/flexform";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-calendar";flags:PA; content:"cgi-bin/calendar";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-archie";flags:PA; content:"cgi-bin/archie";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-LWGate Attempt";flags:PA; content:"cgi-bin/LWGate";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-WWW-SQL CGI access attempt";flags:PA; content:"cgi-bin/www-sql";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-WWWboard CGI access attempt";flags:PA; content:"cgi-bin/wwwboard.cgi";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Wrap CGI access attempt";flags:PA; content:"cgi-bin/wrap";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Wguest CGI access attempt";flags:PA; content:"cgi-bin/wguest.exe";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Websendmail CGI access attempt";flags:PA; content:"cgi-bin/websendmail";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Webgais CGI access attempt";flags:PA; content:"cgi-bin/webgais";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Webdist CGI access attempt";flags:PA; content:"cgi-bin/webdist.cgi";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Upload CGI access attempt";flags:PA; content:"cgi-win/uploader.exe";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Textcounter CGI access attempt";flags:PA; content:"cgi-bin/textcounter.pl";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-TEST-CGIprobe!"; flags:PA; content:"cgi-bin/test-cgi";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Survey CGI access attempt";flags:PA; content:"cgi-bin/survey.cgi";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-rwwwshell CGI access attempt";flags:PA; content:"cgi-bin/rwwwshell.pl";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Rguest CGI access attempt";flags:PA; content:"cgi-bin/rguest.exe";) alert tcp !$HOME_NET 
any -> $HOME_NET 80 (msg:"WEB-CGI-PHP CGI access attempt";flags:PA; content:"cgi-bin/php.cgi";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-PHF CGI access attempt";flags:PA; content:"cgi-bin/phf";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Perlshop CGI access attempt";flags:PA; content:"cgi-bin/perlshop.cgi";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-NPH-publish CGI access attempt";flags:PA; content:"cgi-bin/nph-publish";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-NPH CGI access attempt";flags:PA; content:"cgi-bin/nph-test-cgi";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Maillist CGI access attempt";flags:PA; content:"cgi-bin/maillist.pl";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-JJ CGI access attempt";flags:PA; content:"cgi-bin/jj";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Info2 www CGI access attempt";flags:PA; content:"cgi-bin/info2www";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Htmlscript CGI access attempt";flags:PA; content:"cgi-bin/htmlscript";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-HANDLERprobe!"; flags:PA; content:"cgi-bin/handler";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Guestbook CGI access attempt";flags:PA; content:"cgi-bin/guestbook.cgi";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Glimpse CGI access attempt";flags:PA; content:"cgi-bin/glimpse";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Finger CGI access attempt";flags:PA; content:"cgi-bin/finger";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Files CGI access attempt";flags:PA; content:"cgi-bin/files.pl";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Filemail CGI access attempt";flags:PA; content:"cgi-bin/filemail.pl";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Faxsurvey probe"; flags:PA; content:"cgi-bin/faxsurvey";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Environ CGI access 
attempt";flags:PA; content:"cgi-bin/environ.cgi";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Edit CGI access attempt";flags:PA; content:"cgi-bin/edit.pl";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Classifieds CGI access attempt";flags:PA; content:"cgi-bin/classifieds.cgi";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Cgiwrap CGI access attempt";flags:PA; content:"cgi-bin/cgiwrap";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Cgichk Pf display access attempt";flags:PA; content:"cgi-bin/pfdispaly.cgi";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-CGI view-source access attempt";flags:PA; content:"cgi-bin/view-source?../../../../../../../etc/passwd";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-CGI pf display access attempt";flags:PA; content:"cgi-bin/pfdisplay.cgi";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-CGI Perl access attempt";flags:PA; content:"cgi-bin/perl.exe";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-CGI Man access attempt";flags:PA; content:"cgi-bin/man.sh";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Campas CGI access attempt";flags:PA; content:"cgi-bin/campas";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Bnbform CGI access attempt";flags:PA; content:"cgi-bin/bnbform.cgi";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-AT-admin CGI access attempt";flags:PA; content:"cgi-bin/AT-admin.cgi";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Args CGI access attempt";flags:PA; content:"cgi-dos/args.bat";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-AnyForm CGI access attempt";flags:PA; content:"cgi-bin/AnForm2";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Aglimpse CGI access attempt";flags:PA; content:"cgi-bin/aglimpse";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Count.cgi probe!"; flags:PA; content:"cgi-bin/Count.cgi";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI:phf";flags:PA; 
content:"cgi-bin/phf";flags:AP;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-COLDFUSION-cfmlsyntaxcheck";flags:PA; content:"cfdocs/cfmlsyntaxcheck.cfm";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-viewexample";flags:PA; content:"cfdocs/snippets/viewexample.cfm";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-verify mail";flags:PA; content:"CFUSION_VERIFYMAIL()";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-sourcewindow";flags:PA; content:"cfdocs/exampleapp/docs/sourcewindow.cfm";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-settings refresh";flags:PA; content:"CFUSION_SETTINGS_REFRESH()";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-set odbc ini";flags:PA; content:"CFUSION_SETODBCINI()";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-sendmail";flags:PA; content:"cfdocs/expeval/sendmail.cfm";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-openfile";flags:PA; content:"cfdocs/expeval/openfile.cfm";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-mainframeset";flags:PA; content:"cfdocs/examples/mainframeset.cfm";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-gettempdirectory";flags:PA; content:"cfdocs/snippets/gettempdirectory.cfm";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-get odbc ini";flags:PA; content:"CFUSION_GETODBCINI()";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-get odbc dsn";flags:PA; content:"CFUSION_GETODBCDSN()";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-get datasourceusername";flags:PA; content:"CF_GETDATASOURCEUSERNAME()";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-fileexists";flags:PA; content:"cfdocs/snippets/fileexists.cfm";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-exprcalc";flags:PA; content:"cfdocs/expeval/exprcalc.cfm";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-Example-parks";flags:PA; 
content:"cfdocs/examples/parks/detail.cfm";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-Example-cfappman";flags:PA; content:"/cfappman/index.cfm";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-Example-beaninfo";flags:PA; content:"cfdocs/examples/cvbeans/beaninfo.cfm";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-evaluate";flags:PA; content:"cfdocs/snippets/evaluate.cfm";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-display";flags:PA; content:"cfdocs/expeval/displayopenedfile.cfm";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-db connections flush";flags:PA; content:"CFUSION_DBCONNECTIONS_FLUSH()";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-datasourceusername";flags:PA; content:"CF_SETDATASOURCEUSERNAME()";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-datasourcepassword";flags:PA; content:"CF_SETDATASOURCEPASSWORD()";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-datasource";flags:PA; content:"CF_ISCOLDFUSIONDATASOURCE()";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-admin-encrypt";flags:PA; content:"CFUSION_ENCRYPT()";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-admin-decrypt";flags:PA; content:"CFUSION_DECRYPT()";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-writeto.cnf";flags:PA; content:"_vti_pvt/writeto.cnf";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-users.pwd";flags:PA; content:"users.pwd";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-svcacl.cnf";flags:PA; content:"_vti_pvt/svcacl.cnf";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-shtml.exe";flags:PA; content:"_vti_bin/shtml.exe";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-shtml.dll";flags:PA; content:"_vti_bin/shtml.dll";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-services.cnf";flags:PA; content:"_vti_pvt/services.cnf";) alert tcp !$HOME_NET any -> $HOME_NET 80 
(msg:"FrontPage-service.stp";flags:PA; content:"_vti_pvt/service.stp";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-service.pwd";flags:PA; content:"service.pwd";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-service.cnf";flags:PA; content:"_vti_pvt/service.cnf";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-registrations.txt";flags:PA; content:"_private/registrations.txt";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-registrations.htm";flags:PA; content:"_private/registrations.htm";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-register.txt";flags:PA; content:"_private/register.txt";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-register.htm";flags:PA; content:"_private/register.htm";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-orders.txt";flags:PA; content:"_private/orders.txt";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-orders.htm";flags:PA; content:"_private/orders.htm";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-fpsrvadm.exe";flags:PA; content:"fpsrvadm.exe";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-fpremadm.exe";flags:PA; content:"fpremadm.exe";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-fpadmin.htm";flags:PA; content:"admisapi/fpadmin.htm";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-Fpadmcgi.exe";flags:PA; content:"scripts/Fpadmcgi.exe";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-form_results.htm";flags:PA; content:"_private/form_results.htm";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-form_results";flags:PA; content:"_private/form_results.txt";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-contents.htm";flags:PA; content:"admcgi/contents.htm";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-cfgwiz.exe";flags:PA; content:"cfgqiz.exe";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-authors.pwd";flags:PA; content:"authors.pwd";) alert 
tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-author.exe";flags:PA; content:"_vti_bin/_vti_aut/author.exe";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-administrators.pwd";flags:PA; content:"administrators.pwd";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-admin.pl";flags:PA; content:"admin.pl";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-access.cnf";flags:PA; content:"_vti_pvt/access.cnf";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS - Possible Attempt at FPCOUNT.EXE DoS"; flags:PA; content:"fpcount.exe"; content:"Digits=-";) alert tcp !$HOME_NET 1024: -> $HOME_NET 1031:1035 (msg:"IIS - Possible Attempt at NT INETINFO.EXE 100% CPU Utilization"; flags:S;) alert tcp !$HOME_NET 1024: -> $HOME_NET 1029 (msg:"IIS - Possible Attempt at NT DNS.EXE 100% CPU Utilization"; flags:S;) alert tcp !$HOME_NET 1024: -> $HOME_NET 1091 (msg:"IIS - Possible Attempt at NT DNS.EXE 100% CPU Utilization"; flags:S;) alert tcp !$HOME_NET 1024: -> $HOME_NET 1043 (msg:"IIS - Possible Attempt at NT WINS.EXE 100% CPU Utilization"; flags:S;) alert tcp !$HOME_NET 1024: -> $HOME_NET 1038 (msg:"IIS - Possible Attempt at NT TPSVCS.EXE 100% CPU Utilization"; flags:S;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-getdrvs.exe";flags:PA; content:"scripts/tools/getdrvs.exe";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-anot3.htr Attempt";flags:PA; content:"iisadmpwd/anot3.htr";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-anot.htr Attempt";flags:PA; content:"iisadmpwd/anot.htr";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-aexp4b.htr Attempt";flags:PA; content:"iisadmpwd/aexp4b.htr";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-aexp4.htr Attempt";flags:PA; content:"iisadmpwd/aexp4.htr";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-aexp2b.htr Attempt";flags:PA; content:"iisadmpwd/aexp2b.htr";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-aexp2.htr Attempt";flags:PA; content:"iisadmpwd/aexp2.htr";) alert 
tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-aexp.htr Attempt";flags:PA; content:"iisadmpwd/aexp.htr";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-achg.htr Attempt";flags:PA; content:"iisadmpwd/achg.htr";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-uploadn";flags:PA; content:"scripts/uploadn.asp";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-srchadm";flags:PA; content:"srchadm";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-srch.htm";flags:PA; content:"samples/isapi/srch.htm";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-srch.asp";flags:PA; content:"iissamples/issamples/query.asp";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-showcode";flags:PA; content:"msads/Samples/selector/showcode.asp";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-search97";flags:PA; content:"search97.vts";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-scripts-browse";flags:PA; content:"scripts/|20|";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-SAM Attempt";flags:PA; content:"sam._";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-perl-browse20";flags:PA; content:"%20.pl";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-perl-browse0a";flags:PA; content:"%0a.pl";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-perl";flags:PA; content:"scripts/perl?";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-Overflow-htr";flags:PA; content:"BBBB.htrHTTP";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-newdsn";flags:PA; content:"scripts/tools/newdsn.exe";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-newdsn";flags:PA; content:"scripts/tools/newdsn.exe";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-MSProxy";flags:PA; content:"scripts/proxy/w3proxy.dll";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-msadc/msadcs.dll";flags:PA; content:"msadc/msadcs.dll";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-isc$data";flags:PA; content:".idc|3a3a|$data";) alert tcp !$HOME_NET any -> $HOME_NET 80 
(msg:"IIS-iisadmpwd";flags:PA; content:"iisadmpwd/aexp3.htr";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-idc-srch";flags:PA; content:"#filename=*.idc";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-getdrvrs";flags:PA; content:"scripts/tools/getdrvrs.exe";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-fpcount";flags:PA; content:"scripts/fpcount.exe";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-exec-srch";flags:PA; content:"#filename=*.exe";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-details.idc";flags:PA; content:"scripts/samples/details.idc";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-del";flags:PA; content:"&del+/s+c|3a|\*.*";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-ctguestb.idc";flags:PA; content:"scripts/samples/ctguestb.idc";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-codebrowser SDK";flags:PA; content:"iissamples/sdk/asp/docs/codebrws.asp";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-codebrowser Exair";flags:PA; content:"iissamples/exair/howitworks/codebrws.asp";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-cmd?";flags:PA; content:".cmd?&";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-CGImail";flags:PA; content:"scripts/CGImail.exe";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-catalog_type";flags:PA; content:"AdvWorks/equipment/catalog_type.asp";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-carbo.dll";flags:PA; content:"carbo.dll";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-bdir";flags:PA; content:"scripts/iisadmin/bdir.htr";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-bat?";flags:PA; content:".bat?&";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-asp-srch";flags:PA; content:"#filename=*.asp";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-asp-dot";flags:PA; content:".asp.";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-asp$data";flags:PA; content:".asp|3a3a|$data";) alert tcp !$HOME_NET any -> $HOME_NET 80 
(msg:"IIS-admin-dll-serv";flags:PA; content:"scripts/iisadmin/ism.dll?http/serv";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-admin-dll";flags:PA; content:"scripts/iisadmin/ism.dll?http/dir";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-admin-default";flags:PA; content:"scripts/iisadmin/default.htm";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-admin";flags:PA; content:"scripts/iisadmin";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-adctest.asp";flags:PA; content:"msadc/samples/adctest.asp";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-_vti_inf";flags:PA; content:"_vti_inf.html";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-_Site Server Config";flags:PA; content:"adsamples/config/site.csc";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-*.idc";flags:PA; content:"*.idc";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-%2E-asp";flags:PA; content:"%2easp";) alert tcp !$HOME_NET any -> $HOME_NET 457 (msg: "WEB-netscape-overflow-unixware"; flags: AP; content: "|eb 5f 9a ff ff ff ff 07 ff c3 5e 31 c0 89 46 9d|";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC-.wwwacl";flags:PA; content:"secure/wwwacl";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC-.htaccess";flags:PA; content:"secure/.htaccess";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC-cmd.exe Attempt";flags:PA; content:"scripts/../../cmd.exe";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC-cpshost.dll Attempt";flags:PA; content:"scripts/cpshost.dll";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC-convert.bas Attempt";flags:PA; content:"scripts/convert.bas";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC-AuthChangeUrl";flags:PA; content:"_AuthChangeUrl?";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-webcart";flags:PA; content:"/webcart/";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-prefix-get //";flags:PA; content:"get //";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-prefix-GET 
//";flags:PA; content:"GET //";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-PageService";flags:PA; content:"?PageServices";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-ORiley-win-c-sample.exe";flags:PA; content:"cgi-shl/win-c-sample.exe";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-ORiley-args.bat";flags:PA; content:"cgi-dos/args.bat";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-mylog";flags:PA; content:"mylog.phtml?";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-mlog";flags:PA; content:"mlog.phtml?";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-ls%20-l";flags:PA; content:"ls%20-l";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Lotus-EditDoc";flags:PA; content:"?EditDocument";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Lotus-DelDoc";flags:PA; content:"?DeleteDocument";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-ICQ webserver";flags:PA; content:".html/......";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-etcpaswd";flags:PA; content:"etc/passwd";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Ecommerce-import.txt";flags:PA; content:"orders/import.txt";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Ecommerce-import.txt";flags:PA; content:"config/import.txt";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Ecommerce-checks.txt";flags:PA; content:"orders/checks.txt";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Ecommerce-check.txt";flags:PA; content:"config/check.txt";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Domino-names.nsf";flags:PA; content:"names.nsf";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Domino-log.nsf";flags:PA; content:"log.nsf";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Domino-domlog.nsf";flags:PA; content:"domlog.nsf";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Domino-domcfg.nsf";flags:PA; content:"domcfg.nsf";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Domino-catalog.nsf";flags:PA; content:"catalog.nsf";) 
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-count.cgi";flags:PA; content:"count.cgi";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-cgi-bin///";flags:PA; content:"cgi-bin///";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-cd..";flags:PA; content:"cd..";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-cat%20";flags:PA; content:"cat%20";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-ApacheDOS";flags:PA; content:"|2f2f2f2f2f2f2f2f|";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-~root";flags:PA; content:"~root";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-///cgi-bin";flags:PA; content:"///cgi-bin";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-/....";flags:PA; content:"|2f2e2e2e2e|";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-..\..";flags:PA; content:"|2e2e5c2e2e|";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-../..";flags:PA; content:"|2e2e2f2e2e|";)