[Snort-sigs] snort-rules CURRENT update @ Wed Apr 16 21:16:04 2003

bmc at ...95... bmc at ...95...
Thu Apr 17 08:12:11 EDT 2003


This rule update was brought to you by Oinkmaster.
Written by Andreas Östling <andreaso at ...58...>


[*] Rule modifications: [*]

  [+++]           Added:           [+++]

     file -> sql.rules
     # Both rules key on the first payload byte of a UDP/1434 datagram
     # (offset:0; depth:1): 0x04 for the version request, 0x02 for the ping.
     # sid 2050 additionally requires dsize:>100; that size condition is the only
     # thing separating it from a plain 0x04 version request (CVE-2002-0649).
     # sid 2049 has no size condition and matches any 0x02-prefixed datagram.
     alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL version overflow attempt"; content:"|04|"; offset:0; depth:1; dsize:>100; reference:nessus,10674; reference:cve,CVE-2002-0649; classtype:misc-activity; sid:2050; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL ping attempt"; content:"|02|"; offset:0; depth:1; reference:nessus,10674; classtype:misc-activity; sid:2049; rev:1;)

     file -> web-misc.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Tomcat null byte directory listing attempt"; flow:to_server,established; uricontent:"|00|.jsp"; reference:cve,CAN-2003-0042; reference:bugtraq,6721; classtype:web-application-attack; sid:2061; rev:1;)
     # Lotus Notes "script source download" rules (sids 2064, 2066, 2067, all rev 2)
     # share one pattern: the extension in the URI, then the extension again in the
     # payload followed by "." within:1, i.e. a trailing dot after the script name.
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .exe script source download attempt"; flow:to_server,established; uricontent:".exe"; content:".exe"; content:"."; within:1; classtype:web-application-attack; sid:2067; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC helpout.exe access"; flow:to_server,established; uricontent:"/helpout.exe"; reference:nessus,11162; classtype:web-application-activity; sid:2057; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC post32.exe access"; flow:to_server,established; uricontent:"/post32.exe"; reference:bugtraq,1485; classtype:web-application-activity; sid:2071; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC DB4Web access"; flow:to_server,established; uricontent:"/DB4Web/"; reference:nessus,11180; classtype:web-application-activity; sid:2060; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC MsmMask.exe access"; flow:to_server,established; uricontent:"/MsmMask.exe"; reference:nessus,11163; classtype:web-application-activity; sid:2059; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .csp script source download attempt"; flow:to_server,established; uricontent:".csp"; content:".csp"; content:"."; within:1; classtype:web-application-attack; sid:2064; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC lyris.pl access"; flow:to_server,established; uricontent:"/lyris.pl"; reference:cve,CVE-2000-0758; reference:bugtraq,1584; classtype:web-application-activity; sid:2072; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .pl script source download attempt"; flow:to_server,established; uricontent:".pl"; content:".pl"; content:"."; within:1; classtype:web-application-attack; sid:2066; rev:2;)
     # sid 2070 differs from sid 2071 (access) only by requiring a literal "|"
     # right after the path (escaped as \| because "|" delimits hex in a content).
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC post32.exe arbitrary command attempt"; flow:to_server,established; uricontent:"/post32.exe\|"; reference:bugtraq,1485; classtype:web-application-attack; sid:2070; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC iPlanet .perf access"; flow:to_server,established; uricontent:"/.perf"; classtype:web-application-activity; sid:2062; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC MsmMask.exe attempt"; flow:to_server,established; uricontent:"/MsmMask.exe"; content:"mask="; reference:nessus,11163; classtype:web-application-attack; sid:2058; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC chip.ini access"; flow:to_server,established; uricontent:"/chip.ini"; reference:bugtraq,2755; reference:cve,CAN-2001-0749; classtype:web-application-activity; sid:2069; rev:1;)
     # sid 2056 fires on any request whose first five payload bytes are "TRACE"
     # (offset:0; depth:5): it flags the HTTP method itself, not a specific exploit,
     # so expect it to alert on every TRACE request, legitimate or not.
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC TRACE attempt"; flow:to_server,established; content:"TRACE"; offset:0; depth:5; reference:url,www.whitehatsec.com/press_releases/WH-PR-20030120.pdf; reference:nessus,11213; classtype:web-application-attack; sid:2056; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC globals.pl access"; flow:to_server,established; uricontent:"/globals.pl"; reference:cve,CVE-2001-0330; reference:bugtraq,2671; classtype:web-application-activity; sid:2073; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC BitKeeper arbitrary command attempt"; flow:to_server,established; uricontent:"/diffs/"; content:"'"; content:"|3b|"; distance:0; content:"'"; distance:1; reference:bugtraq,6588; classtype:web-application-attack; sid:2068; rev:1;)
     # sid 2065 (rev 1) is shipped commented out: it carries the same msg as
     # sid 2064 above but matches only uricontent:".csp."; presumably it is
     # superseded by the rev 2 form of sid 2064 and is kept so the sid stays reserved.
     #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .csp script source download attempt"; flow:to_server,established; uricontent:".csp."; classtype:web-application-attack; sid:2065; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Demarc SQL injection attempt"; flow:to_server,established; uricontent:"/dm/demarc"; content:"s_key="; content:"'"; distance:0; content:"'"; distance:1; content:"'"; distance:0; classtype:web-application-activity; sid:2063; rev:1;)

     file -> web-iis.rules
     # sid 1567 (attempt) is the narrower form of sid 1568 (access): same path,
     # but it also requires the "?acs=anon" query string. All three use nocase.
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /exchange/root.asp access"; flow:to_server,established; uricontent:"/exchange/root.asp"; nocase; classtype:web-application-activity; sid:1568; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS postinfo.asp access"; flow:to_server,established; uricontent:"/scripts/postinfo.asp"; nocase; classtype:web-application-activity; sid:1075; rev:6;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /exchange/root.asp attempt"; flow:to_server,established; uricontent:"/exchange/root.asp?acs=anon"; nocase; classtype:web-application-attack; sid:1567; rev:5;)

     file -> policy.rules
     # Direction matters in this section: sids 2042 and 2044 watch traffic leaving
     # $HOME_NET (an xtacacs response from port 49, a PPTP setup to port 1723),
     # while sids 2040 and 1771 watch inbound traffic.
     # sid 2042 and sid 2041 (misc.rules, "failed login response") share the
     # |80 02| header match and differ only in the byte at distance:4
     # (|01| = accepted here, |02| = failed there).
     alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"POLICY xtacacs accepted login response"; content:"|80 02|"; offset:0; depth:2; content:"|01|"; distance:4; classtype:misc-activity; sid:2042; rev:2;)
     alert tcp $HOME_NET any -> $EXTERNAL_NET 1723 (msg:"POLICY PPTP setup attempt"; flow:to_server,established; content:"|00 01|"; offset:2; depth:2; content:"|00 01 00 00 01 00 00 00|"; offset:8; depth:8; classtype:misc-activity; sid:2044; rev:3;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"POLICY xtacacs login attempt"; content:"|80 01|"; offset:0; depth:2;  content:"|00|"; distance:4; classtype:misc-activity; sid:2040; rev:2;)
     # sid 1771 is a single long fixed-byte match with no offset/depth, so the
     # whole literal sequence must appear somewhere in the UDP/500 payload.
     alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"POLICY IPSec PGPNet connection attempt"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00 50 01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01 51 80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01 51 80 00 00 00 10|"; classtype:protocol-command-decode; sid:1771; rev:5;)

     file -> scan.rules
     # sid 1133: sixteen "A" bytes at the start of the payload (depth:16) together
     # with the SYN+FIN+PSH flag combination (flags:SFP) and an ack number of 0.
     # Note the rule has no flow keyword; the flag combination is what makes it
     # specific, since a normal established connection never carries SYN+FIN.
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SCAN cybercop os probe"; content: "AAAAAAAAAAAAAAAA"; flags:SFP; ack: 0; depth: 16;reference:arachnids,145; classtype:attempted-recon; sid:1133; rev:6;)

     file -> misc.rules
     # sid 2041 is the failure counterpart of sid 2042 (policy.rules): same
     # |80 02| header, |02| instead of |01| at distance:4. Outbound, from port 49.
     alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"MISC xtacacs failed login response"; content:"|80 02|"; offset:0; depth:2; content:"|02|"; distance:4; classtype:misc-activity; sid:2041; rev:1;)
     # sid 2048 tests the 16-bit value at offset 0 for >4000 (byte_test:2,>,4000,0)
     # and then requires |00 00| at offset 2. Unlike sid 2047 it uses flow:to_server
     # without "established", so it can fire before the handshake completes.
     alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd overflow attempt"; flow:to_server; byte_test:2,>,4000,0; content:"|00 00|"; offset:2; depth:2; classtype:misc-activity; sid:2048; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd module list access"; flow:to_server,established; content:"|23|list"; offset:0; depth:5; classtype:misc-activity; sid:2047; rev:1;)
     # sid 2039: op byte |01| at offset 0, option byte |0C| at distance:240 from it,
     # then three "%" characters, the second and third each at least one byte after
     # and within 8 bytes of the previous one.
     alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hostname format string attempt"; content:"|01|"; offset:0; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; distance:1; within:8; content:"%"; distance:1; within:8; reference:bugtraq,4701; classtype:misc-attack; sid:2039; rev:1;)
     # sid 2043 is outbound, $HOME_NET 500 -> $EXTERNAL_NET 500.
     alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"MISC isakmp login failed"; content:"|10 05|"; offset:17; depth:2; content:"|00 00 00 01 01 00 00 18|"; distance:13; within:8; classtype:misc-activity; sid:2043; rev:1;)

     file -> imap.rules
     # sid 2046: the negated match content:!"]"; within:1024 means the rule fires
     # when " BODY.PEEK[" is NOT followed by a closing "]" within the next 1024
     # bytes, i.e. an unterminated section specifier (CAN-2002-0379, bugtraq 4713).
     alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:" PARTIAL "; content:" BODY.PEEK["; content:!"]"; within:1024; reference:bugtraq,4713; reference:cve,CAN-2002-0379; classtype:misc-attack; sid:2046; rev:1;)

     file -> web-cgi.rules
     # parse_xml.cgi is covered twice: sid 2085 on $HTTP_PORTS via uricontent, and
     # sid 2086 on port 1220 via a plain content match (presumably because
     # uricontent depends on the HTTP decoder, which only runs on configured HTTP
     # ports - confirm against the preprocessor config).
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI parse_xml.cgi access"; flow:to_server,established; uricontent:"/parse_xml.cgi"; nocase; reference:cve,CAN-2003-0054;  classtype:web-application-activity; sid:2085; rev:1;)
     # sid 2054 requires "who=" followed at distance:0 by a literal ";" (escaped
     # as \; because ";" otherwise terminates a rule option). sid 2055 below is the
     # plain access rule for the same script.
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI enter_bug.cgi arbitrary command attempt"; flow:to_server,established; uricontent:"/enter_bug.cgi"; nocase; content:"who="; content:"\;"; distance:0; reference:cve,CAN-2002-0008; classtype:web-application-attack; sid:2054; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 1220 (msg:"WEB-CGI streaming server parse_xml.cgi access"; flow:to_server,established; content:"/parse_xml.cgi"; nocase; reference:cve,CAN-2003-0054;  classtype:web-application-activity; sid:2086; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cached_feed.cgi moreover shopping cart access"; flow:to_server,established; uricontent:"/cached_feed.cgi"; reference:cve,CAN-2000-0906; reference:bugtraq,1762; classtype:web-application-activity; sid:2051; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI way-board.cgi access"; flow:to_server,established; uricontent:"/way-board.cgi"; nocase; reference:nessus,10610; classtype:web-application-activity; sid:1850; rev:3;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI enter_bug.cgi access"; flow:to_server,established; uricontent:"/enter_bug.cgi"; nocase; reference:cve,CAN-2002-0008; classtype:web-application-activity; sid:2055; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI process_bug.cgi access"; flow:to_server,established; uricontent:"/process_bug.cgi"; nocase; reference:cve,CAN-2002-0008; classtype:web-application-activity; sid:2053; rev:1;)
     # sid 1862 keys on "cfg=/../" - a traversal in the cfg parameter - and is the
     # only rule in this section classed web-application-attack besides sid 2054.
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mrtg.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/mrtg.cgi"; content:"cfg=/../"; reference:nessus,11001; classtype:web-application-attack; sid:1862; rev:3;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI overflow.cgi access"; flow:to_server,established; uricontent:"/overflow.cgi"; reference:nessus,11190; reference:url,www.cert.org/advisories/CA-2002-35.html; classtype:web-application-activity; sid:2052; rev:1;)

     file -> deleted.rules
     # Everything in this section is being added to deleted.rules, i.e. retired
     # from the active rule files; presumably the bodies are kept only so the sids
     # stay reserved. Confirm the replacement rule before re-enabling any of them.
     # Several sids cover the same thing with a different content, port or
     # transport: 570/571 (ttdbserv), 596/597 (portmap listing on 111 vs 32771),
     # 1296/1297 (yppasswdd UDP vs TCP), 592/1278 (rstatd), 600/1282 (statdx).
     # sids 293 and 295-299 all target the same IMAP overflow and differ only in
     # which shellcode bytes they match. The UDP rules (592, 1282, 1296) and the
     # ICMP rule (455) carry no flow keyword.
     alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv Solaris overflow"; flow:to_server,established; dsize: >999; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; reference:url,www.cert.org/advisories/CA-2001-27.html; reference:bugtraq,122; reference:cve,CVE-1999-0003; reference:arachnids,242; classtype:attempted-admin; sid:571;  rev:5;)
     alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute ipopts"; ipopts: rr; itype: 0; reference:arachnids,238; sid:455;  classtype:misc-activity; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|89d8 40cd 80e8 c8ff ffff|/";reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:295; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; flow:to_server,established; content: "/bin|c74604|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:600; rev:5;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1296; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN ssh-research-scanner"; flow:to_server,established; content:"|00 00 00 60 00 00 00 00 00 00 00 00 01 00 00 00|"; classtype:attempted-recon; sid:617; rev:3;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webstore directory traversal"; uricontent:"/web_store.cgi?page=../.."; flow:to_server,established; reference:bugtraq,1774; reference:cve,CVE-2000-1005; classtype:web-application-attack; sid:1094; rev:8;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv solaris overflow"; content: "|C0 22 3F FC A2 02 20 09 C0 2C 7F FF E2 22 3F F4|"; flow:to_server,established; dsize: >999; reference:url,www.cert.org/advisories/CA-2001-27.html; reference:bugtraq,122; reference:cve,CVE-1999-0003; reference:arachnids,242; classtype:attempted-admin; sid:570; rev:6;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|eb35 5E80 4601 3080 4602 3080 4603 30|";reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:297; rev:5;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|";offset:5; reference:arachnids,9;classtype:attempted-recon; sid:592; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|eb38 5e89f389d880460120804602|"; reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:298; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing"; flow:to_server,established; rpc: 100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:597; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|eb58 5E31 db83 c308 83c3 0288 5e26|"; reference:bugtraq,130; reference:cve, CVE-1999-0005; classtype:attempted-admin; sid:299; rev:5;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; content: "/bin|c74604|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:1282; rev:3;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing"; flow:to_server,established; rpc: 100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:596;  rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|eb34 5e8d 1E89 5e0b 31d2 8956 07|";reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:296; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|";offset:5; reference:arachnids,9;classtype:attempted-recon; sid:1278;  rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; flow:to_server,established; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1297;  rev:7;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT overflow"; flow:to_server,established; content:"|E8 C0FF FFFF|/bin/sh"; classtype:attempted-admin; sid:293; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 634:1400 (msg:"RPC AMD Overflow"; flow:to_server,established; content: "|80 00 04 2C 4C 15 75 5B 00 00 00 00 00 00 00 02|"; depth:32; reference:cve,CVE-1999-0704; reference:arachnids,217; classtype:attempted-admin; sid:573;  rev:5;)

     file -> web-php.rules
     # sid 1255 is the one rule in this section with source and destination
     # reversed ($HTTP_SERVERS -> $EXTERNAL_NET) while still using flow:to_server.
     # Presumably it is meant to catch the web server itself fetching the remote
     # PHPLIB include (in that connection the web server is the client); the
     # inbound side is sid 1254, content:"_PHPLIB[libdir]". Confirm before
     # treating the direction as a typo.
     alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-PHP PHPLIB remote command attempt"; flow:to_server,established; uricontent:"/db_mysql.inc"; reference:bugtraq,3079; classtype:attempted-user; sid:1255;  rev:5;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP piranha passwd.php3 access"; flow:to_server,established; uricontent: "/passwd.php3"; reference:bugtraq,1149; reference:cve,CVE-2000-0322; reference:arachnids,272; classtype:attempted-recon; sid:1161; rev:6;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpBB privmsg.php access"; flow:to_server,established; uricontent:"/privmsg.php"; reference:bugtraq,6634; classtype:web-application-activity; sid:2078; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP strings overflow"; flow:to_server,established; content: "|ba49feffff f7d2 b9bfffffff f7d1|"; reference:bugtraq,802; reference:arachnids,431; classtype:web-application-attack; sid:1085; rev:6;)
     # Mambo upload rules (bugtraq 6572): sids 2076/2077 fire on plain access to
     # the upload scripts; sids 2074/2075 additionally require "userfile_name="
     # followed (distance:1) by ".php", i.e. an attempt to upload a PHP file.
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo upload.php access"; flow:to_server,established; uricontent:"/upload.php"; reference:bugtraq,6572; classtype:web-application-activity; sid:2077; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP strings overflow"; flow:to_server,established; uricontent:"?STRENGUR"; reference:arachnids,430; reference:bugtraq,1786; classtype:web-application-attack; sid:1086; rev:8;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php access"; flow:to_server,established; uricontent:"/admin.php"; nocase; reference:bugtraq,3361; classtype:attempted-recon; sid:1301; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum code access"; flow:to_server,established; uricontent:"/code.php3"; nocase;  reference:arachnids,207; classtype:attempted-recon; sid:1197; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum read access"; flow:to_server,established; uricontent:"/read.php3"; nocase;  reference:arachnids,208; classtype:attempted-recon; sid:1178; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum admin access"; flow:to_server,established; uricontent:"/admin.php3"; nocase; reference:bugtraq,2271; reference:arachnids,205; classtype:attempted-recon; sid:1134; rev:6;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo upload.php upload php file attempt"; flow:to_server,established; uricontent:"/upload.php"; content:"userfile_name="; content:".php"; distance:1; reference:bugtraq,6572; classtype:web-application-attack; sid:2075; rev:2;)
     # sid 1399: the "\:" in content:"file=http\://" is only the Snort escape for
     # ":" inside a content string; the match is on a remote URL in the file= param.
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Nuke remote file include attempt"; flow:to_server,established; uricontent:"index.php"; nocase; content:"file=http\://"; nocase; reference:bugtraq,3889; classtype:web-application-attack; sid:1399; rev:7;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum /support/common.php attempt"; flow:to_server,established; uricontent:"/support/common.php"; content:"ForumLang=../"; classtype:web-application-attack; sid:1490; rev:6;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum authentication access"; flow:to_server,established; content:"PHP_AUTH_USER=boogieman"; nocase;  reference:bugtraq,2274; reference:arachnids,206; classtype:attempted-recon; sid:1137; rev:7;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo uploadimage.php upload php file attempt"; flow:to_server,established; uricontent:"/uploadimage.php"; content:"userfile_name="; content:".php"; distance:1; reference:bugtraq,6572; classtype:web-application-attack; sid:2074; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo uploadimage.php access"; flow:to_server,established; uricontent:"/uploadimage.php"; reference:bugtraq,6572; classtype:web-application-activity; sid:2076; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP smssend.php access"; flow:to_server,established; uricontent:"/smssend.php"; classtype:web-application-activity; reference:bugtraq,3982; sid:1407; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php file upload attempt"; flow:to_server,established; uricontent:"/admin.php"; nocase; content:"file_name="; reference:bugtraq,3361; classtype:attempted-admin; sid:1300; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPLIB remote command attempt"; flow:to_server,established; content:"_PHPLIB[libdir]"; reference:bugtraq,3079; classtype:attempted-user; sid:1254; rev:6;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum violation access"; flow:to_server,established; uricontent:"/violation.php3"; nocase; reference:bugtraq,2272; reference:arachnids,209; classtype:attempted-recon; sid:1179; rev:6;)
     # sid 1491 is the plain access rule for /support/common.php; sid 1490 above
     # is the narrower form that also requires "ForumLang=../".
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum /support/common.php access"; flow:to_server,established; uricontent:"/support/common.php"; classtype:web-application-attack; sid:1491; rev:6;)

     file -> rpc.rules
     # Layout shared by this section: the RPC program number is matched at
     # offset:12 for UDP and offset:16 for TCP (the TCP rules step over the 4-byte
     # record-marking header that precedes an RPC message on a stream), and the
     # procedure number follows at distance:4; within:4. Where two
     # byte_jump:4,4,relative,align options follow, they presumably skip the two
     # variable-length authentication fields (credentials, verifier) so that the
     # next byte_test/content lands on the procedure arguments - confirm against
     # the RPC call header layout before editing the jump counts.
     # The "portmap <X> request" rules (sids 2016, 2017, 2035/2036, 2079/2080,
     # 2081/2082) match program |00 01 86 A0| procedure 3 and then the requested
     # program number after the auth fields.
     # Overflow rules bound a length field after the auth fields: yppasswd >64
     # (sids 2025-2030; the username/new-password variants add one or two extra
     # byte_jump:4,0,relative,align to reach the later string), rquota >128
     # (sid 2024), CMSD and snmpXdmi >1024 (sids 2094/2095, 2045), portmap proxy
     # >2048 (sids 2092/2093, CAN-2003-0028).
     # sid 2024 (RQUOTA, TCP) is the only TCP rule here without a flow keyword.
     # sids 2088/2089 (ypupdated) look for a literal "|" (escaped as \|) after the
     # auth fields, i.e. a shell metacharacter inside the request.
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request UDP"; content:"|00 01 86 A4|"; offset:12; depth:4; content:"|00 00 00 0B|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2033; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap status request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2016; rev:3;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2028; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7 68|"; within:4; reference:cve,CAN-2002-0359; reference:bugtraq,5075; classtype:rpc-portmap-decode; sid:2082; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2026; rev:3;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request TCP"; flow:to_server,established; content:"|00 01 86 A4|"; offset:16; depth:4; content:"|00 00 00 0B|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2034; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmount request"; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; classtype:attempted-recon; sid:2021; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt UDP"; content:"|00 01 86 A9|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2029; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmount request"; flow:to_server,established; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; classtype:attempted-recon; sid:2020; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request UDP"; content:"|00 03 0D 70|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2037; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2030; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request TCP"; flow:to_server,established; content:"|00 03 0D 70|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2038; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmountall request"; flow:to_server,established; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 04|"; distance:4; within:4; classtype:attempted-recon; sid:2022; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP dump request"; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 02|"; distance:4; within:4; classtype:attempted-recon; sid:2019; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; reference:cve,CVE-2000-0508; reference:bugtraq,1372; classtype:rpc-portmap-decode; sid:2079; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt TCP"; flow:to_server,established; content:"|00 01 86 BC|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|"; distance:4; classtype:misc-attack; sid:2089; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; reference:cve,CVE-2000-0508; reference:bugtraq,1372; classtype:rpc-portmap-decode; sid:2080; rev:2;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt UDP"; content:"|00 01 86 A0 00|"; offset:12; depth:5; content:"|00 00 00 05|"; distance:3; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; classtype:rpc-portmap-decode; reference:cve,CAN-2003-0028; reference:bugtraq,7123; sid:2092; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; offset:16; depth:4; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; reference:cve,CAN-2002-0391; reference:bugtraq,5356; classtype:attempted-admin; sid:2095; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt UDP"; content:"|00 01 86 A9|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2027; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt TCP"; content:"|00 01 86 AB|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; reference:cve,CVE-1999-0974; reference:bugtraq,864; classtype:misc-attack; sid:2024; rev:3;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update"; content:"|00 01 86 A9|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2031; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap espd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7 75|"; within:4; reference:cve,CAN-2001-0331; classtype:rpc-portmap-decode; sid:2017; rev:5;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmountall request"; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 04|"; distance:4; within:4; classtype:attempted-recon; sid:2023; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt UDP"; content:"|00 01 86 A9|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2025; rev:3;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt UDP"; content:"|00 05 F7 68|"; offset:12; depth:4; content:"|00 00 00 0D|"; distance:4; within:4; reference:cve,CAN-2002-0359; reference:bugtraq,5075; classtype:rpc-portmap-decode; sid:2083; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; content:"|00 01 86 E4|"; offset:12; depth:4; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; reference:cve,CAN-2002-0391; reference:bugtraq,5356; classtype:attempted-admin; sid:2094; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A0 00|"; offset:16; depth:5; content:"|00 00 00 05|"; distance:3; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; reference:cve,CAN-2003-0028; reference:bugtraq,7123; classtype:rpc-portmap-decode; sid:2093; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D 70|"; within:4; classtype:rpc-portmap-decode; sid:2036; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP dump request"; flow:to_server,established; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 02|"; distance:4; within:4; classtype:attempted-recon; sid:2018; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update"; flow:to_server,established; content:"|00 01 86 A9|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2032; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 02|"; distance:4; within:4; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2014; rev:2;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt UDP"; content:"|00 01 86 BC|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|"; distance:4; classtype:misc-attack; sid:2088; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D 70|"; within:4; classtype:rpc-portmap-decode; sid:2035; rev:2;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt UDP 111"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 02|"; distance:4; within:4; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2015; rev:2;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7 68|"; within:4; reference:cve,CAN-2002-0359; reference:bugtraq,5075; classtype:rpc-portmap-decode; sid:2081; rev:2;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt UDP"; content:"|00 01 87 99|"; offset:12; depth:4; content:"|00 00 01 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; reference:bugtraq,2417; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2045; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt TCP"; flow:to_server,established; content:"|00 05 F7 68|"; offset:16; depth:4; content:"|00 00 00 0D|"; distance:4; within:4; reference:cve,CAN-2002-0359; reference:bugtraq,5075; classtype:rpc-portmap-decode; sid:2084; rev:1;)

  [---]          Disabled:         [---]

     file -> web-php.rules
     #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition"; flow:to_server,established; content:"Content-Disposition\:"; content:"form-data\;"; classtype:web-application-attack; reference:bugtraq,4183; sid:1425; rev:6;)

     file -> misc.rules
     #alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large UDP Packet"; dsize: >4000; reference:arachnids,247; classtype:bad-unknown; sid:521; rev:1;)

  [---]          Removed:          [---]

     file -> web-misc.rules
     alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC PHPLIB remote command attempt"; flow:to_server,established; uricontent:"/db_mysql.inc"; reference:bugtraq,3079; classtype:attempted-user; sid:1255;  rev:4;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC piranha passwd.php3 access"; flow:to_server,established; uricontent: "/passwd.php3"; reference:bugtraq,1149; reference:cve,CVE-2000-0322; reference:arachnids,272; classtype:attempted-recon; sid:1161;  rev:5;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC way-board.cgi access"; flow:to_server,established; uricontent:"/way-board.cgi"; nocase; reference:nessus,10610; classtype:web-application-activity; sid:1850; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC PHP strings overflow"; flow:to_server,established; content: "|ba49feffff f7d2 b9bfffffff f7d1|"; reference:bugtraq,802; reference:arachnids,431; classtype:web-application-attack; sid:1085;  rev:5;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /exchange/root.asp access"; flow:to_server,established; uricontent:"/exchange/root.asp"; nocase; classtype:web-application-activity; sid:1568; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /exchange/root.asp attempt"; flow:to_server,established; uricontent:"/exchange/root.asp?acs=anon"; nocase; classtype:web-application-attack; sid:1567; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC PHP strings overflow"; flow:to_server,established; content: "?STRENGUR ";reference:arachnids,430; classtype:web-application-attack; sid:1086;  rev:5;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mrtg.cgi access"; flow:to_server,established; uricontent:"/mrtg.cgi"; reference:nessus,11001; classtype:web-application-activity; sid:1863; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC admin.php access"; flow:to_server,established; uricontent:"/admin.php"; nocase; reference:bugtraq,3361; classtype:attempted-recon; sid:1301;  rev:4;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Phorum read access"; flow:to_server,established; uricontent:"/read.php3"; nocase;  reference:arachnids,208; classtype:attempted-recon; sid:1178;  rev:4;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Phorum code access"; flow:to_server,established; uricontent:"/code.php3"; nocase;  reference:arachnids,207; classtype:attempted-recon; sid:1197;  rev:4;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Phorum admin access"; flow:to_server,established; uricontent:"/admin.php3"; nocase; reference:bugtraq,2271; reference:arachnids,205; classtype:attempted-recon; sid:1134;  rev:5;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC PHP-Nuke remote file include attempt"; flow:to_server,established; uricontent:"index.php"; nocase; content:"file=http\://"; nocase; reference:bugtraq,3889; classtype:web-application-attack; sid:1399;  rev:6;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Phorum auth access"; flow:to_server,established; content:"PHP_AUTH_USER=boogieman"; nocase;  reference:bugtraq,2274; reference:arachnids,206; classtype:attempted-recon; sid:1137;  rev:5;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC phorum /support/common.php attempt"; flow:to_server,established; uricontent:"/support/common.php"; content:"ForumLang=../"; classtype:web-application-attack; sid:1490;  rev:4;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC postinfo.asp access"; flow:to_server,established; uricontent:"/scripts/postinfo.asp"; nocase; classtype:web-application-activity; sid:1075;  rev:5;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SCAN cybercop os probe"; content: "AAAAAAAAAAAAAAAA"; flags:SFP; ack: 0; depth: 16;reference:arachnids,145; classtype:attempted-recon; sid:1133; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC smssend.php access"; flow:to_server,established; uricontent:"/smssend.php"; classtype:web-application-activity; reference:bugtraq,3982; sid:1407;  rev:4;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC PHPLIB remote command attempt"; flow:to_server,established; content:"_PHPLIB[libdir]"; reference:bugtraq,3079; classtype:attempted-user; sid:1254;  rev:5;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC admin.php file upload attempt"; flow:to_server,established; uricontent:"/admin.php"; nocase; content:"file_name="; reference:bugtraq,3361; classtype:attempted-admin; sid:1300;  rev:4;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Phorum violation access"; flow:to_server,established; uricontent:"/violation.php3"; nocase; reference:bugtraq,2272; reference:arachnids,209; classtype:attempted-recon; sid:1179;  rev:5;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC phorum /support/common.php access"; flow:to_server,established; uricontent:"/support/common.php"; classtype:web-application-attack; sid:1491;  rev:4;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mrtg.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/mrtg.cgi"; content:"cfg=/../"; reference:nessus,11001; classtype:web-application-attack; sid:1862; rev:2;)

     file -> web-cgi.rules
     #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webstore directory traversal"; uricontent:"/web_store.cgi?page=../.."; flow:to_server,established; reference:bugtraq,1774; reference:cve,CVE-2000-1005; classtype:web-application-attack; sid:1094;  rev:7;)

     file -> icmp-info.rules
     alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute ipopts"; ipopts: rr; itype: 0; reference:arachnids,238; sid:455;  classtype:misc-activity; rev:4;)

     file -> scan.rules
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN ssh-research-scanner"; flow:to_server,established; content:"|00 00 00 60 00 00 00 00 00 00 00 00 01 00 00 00|"; classtype:attempted-recon; sid:617; rev:2;)

     file -> rpc.rules
     #alert udp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|";offset:5; reference:arachnids,9;classtype:attempted-recon; sid:592; rev:3;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv Solaris overflow"; flow:to_server,established; dsize: >999; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; reference:url,www.cert.org/advisories/CA-2001-27.html; reference:bugtraq,122; reference:cve,CVE-1999-0003; reference:arachnids,242; classtype:attempted-admin; sid:571;  rev:4;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing"; flow:to_server,established; rpc: 100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:597;  rev:4;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; flow:to_server,established; content: "/bin|c74604|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:600; rev:4;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1296; rev:3;)
     #alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; content: "/bin|c74604|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:1282; rev:2;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing"; flow:to_server,established; rpc: 100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:596;  rev:4;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|";offset:5; reference:arachnids,9;classtype:attempted-recon; sid:1278;  rev:3;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; flow:to_server,established; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1297;  rev:6;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv solaris overflow"; content: "|C0 22 3F FC A2 02 20 09 C0 2C 7F FF E2 22 3F F4|"; flow:to_server,established; dsize: >999; reference:url,www.cert.org/advisories/CA-2001-27.html; reference:bugtraq,122; reference:cve,CVE-1999-0003; reference:arachnids,242; classtype:attempted-admin; sid:570;  rev:5;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 634:1400 (msg:"RPC AMD Overflow"; flow:to_server,established; content: "|80 00 04 2C 4C 15 75 5B 00 00 00 00 00 00 00 02|"; depth:32; reference:cve,CVE-1999-0704; reference:arachnids,217; classtype:attempted-admin; sid:573;  rev:4;)

     file -> misc.rules
     #alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"MISC IPSec PGPNet connection attempt"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00 50 01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01 51 80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01 51 80 00 00 00 10|"; classtype:protocol-command-decode; sid:1771; rev:3;)

     file -> imap.rules
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|eb34 5e8d 1E89 5e0b 31d2 8956 07|";reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:296; rev:4;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|eb38 5e89f389d880460120804602|"; reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:298; rev:4;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|89d8 40cd 80e8 c8ff ffff|/";reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:295; rev:4;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT overflow"; flow:to_server,established; content:"|E8 C0FF FFFF|/bin/sh"; classtype:attempted-admin; sid:293; rev:4;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|eb58 5E31 db83 c308 83c3 0288 5e26|"; reference:bugtraq,130; reference:cve, CVE-1999-0005; classtype:attempted-admin; sid:299; rev:4;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|eb35 5E80 4601 3080 4602 3080 4603 30|";reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:297; rev:4;)

  [---]    Disabled and modified:  [---]

     file -> rpc.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC DOS ttdbserv solaris"; flow:to_server,established; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|";offset: 16; depth: 32; reference:bugtraq,122; reference:arachnids,241; reference:cve,CVE-1999-0003; classtype:attempted-dos; sid:572;  rev:4;)
     new: #alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC DOS ttdbserv Solaris"; flow:to_server,established; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|";offset: 16; depth: 32; reference:bugtraq,122; reference:arachnids,241; reference:cve,CVE-1999-0003; classtype:attempted-dos; sid:572;  rev:5;)

  [///]       Modified active:     [///]

     file -> web-misc.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourcode view"; flow:to_server,established; uricontent:".%256Asp"; nocase; classtype:attempted-recon; sid:1238;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".%256Asp"; nocase; classtype:attempted-recon; sid:1238; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webdav propfind access"; content:"<a\:propfind"; nocase; content:"xmlns\:a=\"DAV\">"; nocase; flow:to_server,established; reference:bugtraq,1656; reference:cve,CVE-2000-0869; classtype:web-application-activity; sid:1079;  rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebDAV propfind access"; content:"<a\:propfind"; nocase; content:"xmlns\:a=\"DAV\">"; nocase; flow:to_server,established; reference:bugtraq,1656; reference:cve,CVE-2000-0869; classtype:web-application-activity; sid:1079; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Allaire JRUN DOS attempt"; flow:to_server,established; content:"servlet/......."; nocase; classtype:web-application-attack; sid:1084; reference:bugtraq,2337; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Allaire JRUN DOS attempt"; flow:to_server,established; uricontent:"servlet/......."; nocase; classtype:web-application-attack; sid:1084; reference:bugtraq,2337; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourcode view"; flow:to_server,established; uricontent:".js%2570"; nocase; classtype:attempted-recon; sid:1236;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".js%2570"; nocase; classtype:attempted-recon; sid:1236; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC tomcat directory traversal attempt"; flow:to_server,established; uricontent:"%00.jsp"; reference:bugtraq,2518;  classtype:web-application-attack; sid:1055;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat directory traversal attempt"; flow:to_server,established; uricontent:"%00.jsp"; reference:bugtraq,2518;  classtype:web-application-attack; sid:1055; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /cgi-bin/// access"; flow:to_server,established; uricontent:"/cgi-bin///"; nocase; classtype:attempted-recon; sid:1144;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /cgi-bin/// access"; flow:to_server,established; uricontent:"/cgi-bin///"; nocase; rawbytes; classtype:attempted-recon; sid:1144; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC filelist attempt"; flow:to_server,established; content:"xp_filelist"; nocase; classtype:web-application-attack; sid:1059;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_filelist attempt"; flow:to_server,established; content:"xp_filelist"; nocase; classtype:web-application-attack; sid:1059; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC netscape dir index wp"; flow:to_server,established; content: "?wp-"; nocase; reference:bugtraq,1063; reference:cve,CVE-2000-0236; reference:arachnids,270; classtype:attempted-recon; sid:1160;  rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape dir index wp"; flow:to_server,established; uricontent: "?wp-"; nocase; reference:bugtraq,1063; reference:cve,CVE-2000-0236; reference:arachnids,270; classtype:attempted-recon; sid:1160;  rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC tomcat server exploit access"; flow:to_server,established; uricontent:"/contextAdmin/contextAdmin.html"; nocase; classtype:attempted-recon; sid:1111;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat server exploit access"; flow:to_server,established; uricontent:"/contextAdmin/contextAdmin.html"; nocase; classtype:attempted-recon; sid:1111; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC tomcat servlet mapping cross site scripting attempt"; flow:established,to_server; uricontent:"/servlet/"; uricontent:"/org.apache."; reference:nessus,11041; reference:bugtraq,5193; classtype:web-application-attack; sid:1827; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat servlet mapping cross site scripting attempt"; flow:established,to_server; uricontent:"/servlet/"; uricontent:"/org.apache."; reference:nessus,11041; reference:bugtraq,5193; classtype:web-application-attack; sid:1827; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mylog.phtml access"; flow:to_server,established; uricontent:"/mylog.phtml"; nocase; reference:bugtraq,713; reference:cve,CVE-1999-0346; classtype:attempted-recon; sid:1120;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mylog.phtml access"; flow:to_server,established; uricontent:"/mylog.phtml"; nocase; reference:bugtraq,713; reference:cve,CVE-1999-0068; classtype:attempted-recon; sid:1120;  rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC answerbook2 arbitrary command execution attempt"; flow:to_server,established; content:"/ab2/"; content:"\;"; distance:1; classtype:web-application-attack; sid:1947; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC answerbook2 arbitrary command execution attempt"; flow:to_server,established; uricontent:"/ab2/"; content:"\;"; distance:1; classtype:web-application-attack; sid:1947; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC HP Openview Manager DOS"; flow:to_server,established; uricontent:"/OvCgi/OpenView5.exe?Context=Snmp&Action=Snmp&Host=&Oid="; nocase; reference:bugtraq,2845; sid:1258;  classtype:misc-activity; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC HP OpenView Manager DOS"; flow:to_server,established; uricontent:"/OvCgi/OpenView5.exe?Context=Snmp&Action=Snmp&Host=&Oid="; nocase; reference:bugtraq,2845; sid:1258;  classtype:misc-activity; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC server-info access"; flow:to_server,established; uricontent:"/server-info"; classtype:web-application-activity; sid:1520; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC server-info access"; flow:to_server,established; uricontent:"/server-info"; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1520; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webplus access"; content:"webplus?script"; nocase; flow:to_server,established; reference:cve,CVE-2000-1005; reference:bugtraq,1174; reference:bugtraq,1720; reference:bugtraq,1722; reference:bugtraq,1725; classtype:attempted-recon; sid:1159;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webplus access"; uricontent:"/webplus?script"; nocase; flow:to_server,established; reference:cve,CVE-2000-1005; reference:bugtraq,1174; reference:bugtraq,1720; reference:bugtraq,1722; reference:bugtraq,1725; classtype:attempted-recon; sid:1159;  rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /...."; flow:to_server,established; content:"|2f2e2e2e2e|"; classtype:attempted-recon; sid:1142;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /.... access"; flow:to_server,established; content:"/...."; classtype:attempted-recon; sid:1142; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC tomcat TroubleShooter servlet access"; flow:established,to_server; uricontent:"/examples/servlet/TroubleShooter"; reference:nessus,11046; reference:bugtraq,4575; classtype:web-application-activity; sid:1829; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat TroubleShooter servlet access"; flow:established,to_server; uricontent:"/examples/servlet/TroubleShooter"; reference:nessus,11046; reference:bugtraq,4575; classtype:web-application-activity; sid:1829; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC get32.exe access"; flow:to_server,established; uricontent:"/get32.exe"; nocase; reference:bugtraq,1485; reference:arachnids,258; classtype:attempted-recon; sid:1180;  rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC get32.exe access"; flow:to_server,established; uricontent:"/get32.exe"; nocase; reference:cve,CAN-1999-0885; reference:bugtraq,770; reference:bugtraq,1485; reference:arachnids,258; classtype:attempted-recon; sid:1180; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC netscape PublishingXpert 2 Exploit"; flow:to_server,established; uricontent:"/PSUser/PSCOErrPage.htm?"; nocase; reference:cve,CAN-2000-1196; classtype:attempted-recon; sid:1157;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape PublishingXpert access"; flow:to_server,established; uricontent:"/PSUser/PSCOErrPage.htm"; nocase; reference:cve,CAN-2000-1196; classtype:web-application-activity; sid:1157; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC tomcat SnoopServlet servlet access"; flow:established,to_server; uricontent:"/examples/servlet/SnoopServlet"; reference:nessus,11046; reference:bugtraq,4575; classtype:web-application-activity; sid:1830; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat SnoopServlet servlet access"; flow:established,to_server; uricontent:"/examples/servlet/SnoopServlet"; reference:nessus,11046; reference:bugtraq,4575; classtype:web-application-activity; sid:1830; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC server-status access"; flow:to_server,established; uricontent:"/server-status"; classtype:web-application-activity; sid:1521; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC server-status access"; flow:to_server,established; uricontent:"/server-status"; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1521; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC shopping cart access access"; uricontent:"/quikstore.cfg"; nocase; flow:to_server,established; classtype:attempted-recon; sid:1164;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC shopping cart access access"; uricontent:"/quikstore.cfg"; nocase; flow:to_server,established; classtype:attempted-recon; reference:bugtraq,2049; reference:bugtraq,1983; reference:cve,CAN-1999-0607; reference:cve,CAN-2000-1188; sid:1164; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn"; nocase; classtype:web-application-attack; sid:1058;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn"; nocase; classtype:web-application-attack; sid:1058; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia"; nocase; classtype:web-application-attack; sid:1060;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia"; nocase; classtype:web-application-attack; sid:1060; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webdav search access"; flow:to_server,established; content: "SEARCH "; depth: 8; nocase;reference:arachnids,474; classtype:web-application-activity; sid:1070;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebDAV search access"; flow:to_server,established; content: "SEARCH "; depth: 8; nocase;reference:arachnids,474; classtype:web-application-activity; sid:1070; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXPERIMENTAL WEB-MISC Linksys router default password login attempt \(admin\:admin\)";  flow:to_server,established; content:"Authorization\: "; nocase; content:" Basic "; nocase; content:"YWRtaW46YWRtaW4"; reference:nessus,10999; classtype:default-login-attempt; sid:1861; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-MISC Linksys router default password login attempt \(admin\:admin\)";  flow:to_server,established; content:"Authorization\: "; nocase; content:" Basic "; nocase; content:"YWRtaW46YWRtaW4"; reference:nessus,10999; classtype:default-login-attempt; sid:1861; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC netscape servers suite DOS"; flow:to_server,established; uricontent:"/dsgw/bin/search?context="; nocase; classtype:web-application-attack; sid:1081; reference:bugtraq,1868; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Servers suite DOS"; flow:to_server,established; uricontent:"/dsgw/bin/search?context="; nocase; classtype:web-application-attack; sid:1081; reference:bugtraq,1868; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC tomcat view source attempt"; flow:to_server,established; uricontent:"%252ejsp"; reference:bugtraq,2527; classtype:web-application-attack; sid:1056;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat view source attempt"; flow:to_server,established; uricontent:"%252ejsp"; reference:bugtraq,2527; classtype:web-application-attack; sid:1056; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourcode view"; flow:to_server,established; uricontent:".j%2573p"; nocase; classtype:attempted-recon; sid:1237;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".j%2573p"; nocase; classtype:attempted-recon; sid:1237; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"WEB-MISC netscape unixware overflow"; content: "|eb 5f 9a ff ff ff ff 07 ff c3 5e 31 c0 89 46 9d|"; flow:to_server,established; reference:arachnids,180; classtype:attempted-recon; sid:1132;  rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"WEB-MISC Netscape Unixware overflow"; content: "|eb 5f 9a ff ff ff ff 07 ff c3 5e 31 c0 89 46 9d|"; flow:to_server,established; reference:arachnids,180; classtype:attempted-recon; sid:1132; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC novell groupwise gwweb.exe attempt"; flow:to_server,established; content:"/GWWEB.EXE?HELP="; nocase; reference:bugtraq,879; reference:cve,CAN-1999-1006; classtype:attempted-recon; sid:1614;  rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Novell Groupwise gwweb.exe attempt"; flow:to_server,established; uricontent:"/GWWEB.EXE?HELP="; nocase; reference:bugtraq,879; reference:cve,CAN-1999-1006; classtype:attempted-recon; sid:1614; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Nessus 404 probe"; flow:to_server,established; uricontent: "/nessus_is_probing_you_"; depth: 32;reference:arachnids,301; classtype:web-application-activity; sid:1102;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Nessus 404 probe"; flow:to_server,established; uricontent: "/nessus_is_probing_you_"; depth: 32;reference:arachnids,301; classtype:web-application-attack; sid:1102;  rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC novell groupwise gwweb.exe access"; flow:to_server,established; content:"/GWWEB.EXE"; nocase; reference:bugtraq,879; reference:cve,CAN-1999-1006; classtype:attempted-recon; sid:1165;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Novell Groupwise gwweb.exe access"; flow:to_server,established; content:"/GWWEB.EXE"; nocase; reference:bugtraq,879; reference:cve,CAN-1999-1006; classtype:attempted-recon; sid:1165; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC netscape admin passwd"; flow:to_server,established; uricontent:"/admin-serv/config/admpw"; nocase;reference:bugtraq,1579; classtype:web-application-attack; sid:1103;  rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape admin passwd"; flow:to_server,established; uricontent:"/admin-serv/config/admpw"; nocase;reference:bugtraq,1579; classtype:web-application-attack; sid:1103; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC plusmail access"; flow:to_server,established; uricontent:"/plusmail"; nocase; classtype:attempted-recon; sid:1217;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC plusmail access"; flow:to_server,established; uricontent:"/plusmail"; nocase; reference:cve,CAN-2000-0074; reference:bugtraq,2653; classtype:attempted-recon; sid:1217;  rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC answerbook2 admin attempt"; flow:to_server,established; content:"/cgi-bin/admin/admin"; classtype:web-application-activity; sid:1946; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC answerbook2 admin attempt"; flow:to_server,established; uricontent:"/cgi-bin/admin/admin"; classtype:web-application-activity; sid:1946; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cisco /%% DOS attempt"; flow:to_server,established; uricontent:"/%%"; classtype:web-application-attack; sid:1546; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco /%% DOS attempt"; flow:to_server,established; uricontent:"/%%"; classtype:web-application-attack; reference:cve,CVE-2000-0380; reference:bugtraq,1154; sid:1546; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell"; nocase; classtype:web-application-attack; sid:1061;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell"; nocase; classtype:web-application-attack; sid:1061; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ///cgi-bin"; flow:to_server,established; uricontent:"///cgi-bin"; nocase; classtype:attempted-recon; sid:1143;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ///cgi-bin access"; flow:to_server,established; uricontent:"///cgi-bin"; nocase; rawbytes; classtype:attempted-recon; sid:1143; rev:5;)

     file -> info.rules
     old: alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET Bad Login"; content: "Login failed";  nocase; flow:from_server,established; classtype:bad-unknown; sid:492;  rev:5;)
     new: alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"INFO TELNET Bad Login"; content: "Login failed";  nocase; flow:from_server,established; classtype:bad-unknown; sid:492; rev:6;)
     old: alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET Bad Login"; content: "Login incorrect"; nocase; flow:from_server,established; classtype:bad-unknown; sid:1251;  rev:4;)
     new: alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"INFO TELNET Bad Login"; content: "Login incorrect"; nocase; flow:from_server,established; classtype:bad-unknown; sid:1251; rev:5;)
     old: alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP Bad login"; content:"530 Login "; nocase; flow:from_server,established; classtype:bad-unknown; sid:491; rev:5;)
     new: alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"INFO FTP Bad login"; content:"530 Login "; nocase; flow:from_server,established; classtype:bad-unknown; sid:491; rev:6;)

     file -> icmp-info.rules
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem (Missing a Requiered Option)"; itype: 12; icode: 1; sid:426;  classtype:misc-activity; rev:4;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem (Missing a Required Option)"; itype: 12; icode: 1; sid:426;  classtype:misc-activity; rev:5;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Router Advertisment"; itype: 9; icode: 0; reference:arachnids,173; sid:441;  classtype:misc-activity; rev:4;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Router Advertisement"; itype: 9; icode: 0; reference:arachnids,173; sid:441;  classtype:misc-activity; rev:5;)

     file -> policy.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"POLICY vncviewer java applet download attempt"; content:"/vncviewer.jar"; reference:nessus,10758; classtype:misc-activity; sid:1846; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"POLICY vncviewer Java applet download attempt"; content:"/vncviewer.jar"; reference:nessus,10758; classtype:misc-activity; sid:1846; rev:3;)

     file -> dns.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 linux overflow attempt (ADMv2)"; flow:to_server,established; content:"|89f7 29c7 89f3 89f9 89f2 ac3c fe|"; classtype:attempted-admin; sid:265;  rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt (ADMv2)"; flow:to_server,established; content:"|89f7 29c7 89f3 89f9 89f2 ac3c fe|"; classtype:attempted-admin; sid:265;  rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 linux overflow attempt"; flow:to_server,established; content:"|31 c0 b0 02 cd 80 85 c0 75 4c eb 4c 5e b0|"; classtype:attempted-admin; sid:264;  rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt"; flow:to_server,established; content:"|31 c0 b0 02 cd 80 85 c0 75 4c eb 4c 5e b0|"; classtype:attempted-admin; sid:264;  rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 freebsd overflow attempt"; flow:to_server,established; content:"|eb6e 5ec6 069a 31c9 894e 01c6 4605|"; classtype:attempted-admin; sid:266;  rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 FreeBSD overflow attempt"; flow:to_server,established; content:"|eb6e 5ec6 069a 31c9 894e 01c6 4605|"; classtype:attempted-admin; sid:266;  rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 linux overflow attempt"; flow:to_server,established; content:"|31c0 b03f 31db b3ff 31c9 cd80 31c0|"; classtype:attempted-admin; sid:262;  rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt"; flow:to_server,established; content:"|31c0 b03f 31db b3ff 31c9 cd80 31c0|"; classtype:attempted-admin; sid:262;  rev:4;)

     file -> virus.rules
     old: alert tcp any 110 -> any any (msg:"Virus - Possbile Zipped Files Trojan"; content:"|6E 61 6D 65 20 3D 22 5A 69 70 70 65 64 5F 46 69 6C 65 73 2E 45 58 45 22|"; reference:MCAFEE,10450; sid:802;  classtype:misc-activity; rev:3;)
     new: alert tcp any 110 -> any any (msg:"Virus - Possible Zipped Files Trojan"; content:"|6E 61 6D 65 20 3D 22 5A 69 70 70 65 64 5F 46 69 6C 65 73 2E 45 58 45 22|"; reference:MCAFEE,10450; sid:802;  classtype:misc-activity; rev:4;)

     file -> web-cgi.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI commerce.cgi arbitrary file access attempt"; flow:to_server,established; uricontent:"/commerce.cgi?page=../.."; nocase; reference:nessus,10612; reference:bugtraq,2361; reference:cve,CAN-2001-0210; classtype:attempted-recon; sid:1572; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI commerce.cgi arbitrary file access attempt"; flow:to_server,established; uricontent:"/commerce.cgi"; content:"page="; content:"/../"; nocase; reference:nessus,10612; reference:bugtraq,2361; reference:cve,CAN-2001-0210; classtype:attempted-recon; sid:1572; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI directorypro.cgi attempt"; flow:to_server,established; uricontent:"/directorypro.cgi"; content:"show=../.."; nocase; reference:cve,CAN-2001-0780; classtype:web-application-attack; sid:1574;  rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI directorypro.cgi attempt"; flow:to_server,established; uricontent:"/directorypro.cgi"; content:"show="; content:"../.."; distance:1; nocase; reference:cve,CAN-2001-0780; classtype:web-application-attack; sid:1574;  rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csSearch.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/csSearch.cgi"; content:"setup="; content:" `"; reference:bugtraq,4368; reference:nessus,10924; reference:cve,CAN-2002-0495; classtype:web-application-attack; sid:1547; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csSearch.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/csSearch.cgi"; content:"setup="; content:"`"; content:"`"; distance:1; reference:bugtraq,4368; reference:nessus,10924; reference:cve,CAN-2002-0495; classtype:web-application-attack; sid:1547; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI imagemap.exe overflow attempt"; flow:to_server,established; uricontent:"/imagemap.exe?"; depth:32; nocase; reference:arachnids,412; reference:cve,CVE-1999-0951; classtype:web-application-attack; sid:821; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI imagemap.exe overflow attempt"; flow:to_server,established; uricontent:"/imagemap.exe?";  nocase; reference:arachnids,412; reference:cve,CVE-1999-0951; classtype:web-application-attack; sid:821; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI moreover shopping cart directory traversal"; flow:to_server,established; uricontent:"/cached_feed.cgi"; content:"../"; reference:bugtraq,1762; classtype:web-application-attack; sid:1093;  rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cached_feed.cgi moreover shopping cart directory traversal"; flow:to_server,established; uricontent:"/cached_feed.cgi"; content:"../"; reference:cve,CAN-2000-0906; reference:bugtraq,1762; classtype:web-application-attack; sid:1093; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI HyperSeek hsx.cgi directory traversal attempt"; uricontent:"/hsx.cgi"; content:"../../"; content:"%00"; flow:to_server,established; reference:bugtraq,2314; reference:cve,CAN-2001-0253; classtype:web-application-attack; sid:803;  rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI HyperSeek hsx.cgi directory traversal attempt"; uricontent:"/hsx.cgi"; content:"../../"; content:"%00"; distance:1; flow:to_server,established; reference:bugtraq,2314; reference:cve,CAN-2001-0253; classtype:web-application-attack; sid:803;  rev:7;)
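Review bot: In the rewritten commerce.cgi rule (sid 1572, L349) the `/../` content is not made relative to `page=`, so a traversal string anywhere in the request (a Referer or Cookie header, an unrelated parameter) now satisfies the rule, whereas the old single pattern `/commerce.cgi?page=../..` tied the traversal to the page parameter and the sibling rewrites for sid 1574 (L351) and sid 803 (L359) anchor their second pattern with `distance:1`. Making the second match relative, `content:"page="; content:"/../"; distance:0; nocase;`, keeps the new split-pattern form while restoring that constraint. Separately, sid 821 (L355) drops `depth:32` and now fires on any request naming imagemap.exe; nothing in the rule tests the argument length that the "overflow attempt" msg implies, so either a length check (e.g. `isdataat`, if the deployed Snort supports it) or a msg that says "access" would keep the alert text honest.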

     file -> multimedia.rules
     old: alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Shoutcast playlist redirection"; flow:from_server,established; content:"Content-type\: audio/x-scpls\r\n"; classtype:policy-violation; sid:1439;  rev:2;)
     new: alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Shoutcast playlist redirection"; flow:from_server,established; content:"Content-type\: audio/x-scpls"; content:"|0a|"; within:2; classtype:policy-violation; sid:1439; rev:3;)
     old: alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Icecast playlist redirection"; flow:from_server,established; content:"Content-type\: audio/x-mpegurl\r\n"; classtype:policy-violation; sid:1440;  rev:2;)
     new: alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Icecast playlist redirection"; flow:from_server,established; content:"Content-type\: audio/x-mpegurl"; content:"|0a|"; within:2; classtype:policy-violation; sid:1440; rev:3;)
     old: alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media audio download"; flow:from_server,established; content:"Content-type\: audio/x-ms-wma\r\n"; classtype:policy-violation; sid:1437;  rev:2;)
     new: alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media audio download"; flow:from_server,established; content:"Content-type\: audio/x-ms-wma"; content:"|0a|"; within:2; classtype:policy-violation; sid:1437; rev:3;)
     old: alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media Video download"; flow:from_server,established; content:"Content-type\: video/x-ms-asf\r\n"; classtype:policy-violation; sid:1438;  rev:2;)
     new: alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media Video download"; flow:from_server,established; content:"Content-type\: video/x-ms-asf"; content:"|0a|"; within:2;classtype:policy-violation; sid:1438; rev:3;)
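Review bot: The header-name match in all four rewritten rules (sids 1439, 1440, 1437, 1438) is case-sensitive, so a server that emits the common `Content-Type:` spelling is missed even though the new `content:"|0a|"; within:2` tail correctly accepts both CRLF and bare LF line endings. HTTP header names are case-insensitive, so `content:"Content-type\: audio/x-scpls"; nocase;` (and likewise for the other three) would cover both spellings without touching the line-ending handling. Sid 1438 (L369) also lost the space before `classtype:`; that should be harmless to the option parser but is inconsistent with its siblings.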

     file -> p2p.rules
     old: alert tcp $HOME_NET any <> $EXTERNAL_NET 5555 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:misc-activity; sid:564;  rev:5;)
     new: alert tcp $HOME_NET any <> $EXTERNAL_NET 5555 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:564;  rev:6;)
     old: alert tcp $HOME_NET any <> $EXTERNAL_NET 7777 (msg:"P2P Napster Client Data"; flow:to_server,established; content:".mp3"; nocase; classtype:misc-activity; sid:562;  rev:4;)
     new: alert tcp $HOME_NET any <> $EXTERNAL_NET 7777 (msg:"P2P Napster Client Data"; flow:to_server,established; content:".mp3"; nocase; classtype:policy-violation; sid:562; rev:5;)
     old: alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster login"; flow:to_server,established; content:"|00 0200|"; offset:1; depth:3; classtype:misc-activity; sid:549;  rev:5;)
     new: alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster login"; flow:to_server,established; content:"|00 0200|"; offset:1; depth:3; classtype:policy-violation; sid:549; rev:6;)
     old: alert tcp $HOME_NET any <> $EXTERNAL_NET 6666 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:misc-activity; sid:563;  rev:5;)
     new: alert tcp $HOME_NET any <> $EXTERNAL_NET 6666 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:563; rev:6;)
     old: alert tcp $HOME_NET any <> $EXTERNAL_NET 8875 (msg:"P2P Napster Server Login"; flow:established; content:"anon at ...597..."; classtype:misc-activity; sid:565; rev:5;)
     new: alert tcp $HOME_NET any <> $EXTERNAL_NET 8875 (msg:"P2P Napster Server Login"; flow:established; content:"anon at ...597..."; classtype:policy-violation; sid:565; rev:6;)
     old: alert tcp $EXTERNAL_NET 8888 -> $HOME_NET any (msg:"P2P napster upload request"; flow:from_server,established; content:"|00 5f02|"; offset:1; depth:3; classtype:misc-activity; sid:552;  rev:4;)
     new: alert tcp $EXTERNAL_NET 8888 -> $HOME_NET any (msg:"P2P napster upload request"; flow:from_server,established; content:"|00 5f02|"; offset:1; depth:3; classtype:policy-violation; sid:552; rev:5;)
     old: alert tcp $HOME_NET any <> $EXTERNAL_NET 6699 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:misc-activity; sid:561;  rev:5;)
     new: alert tcp $HOME_NET any <> $EXTERNAL_NET 6699 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:561; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack  (kazaa/morpheus) GET request"; flow:to_server,established; content:"GET "; depth:4; reference:url,www.musiccity.com/technology.htm; reference:url,www.kazaa.com; classtype:protocol-command-decode; sid:1383;  rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack  (kazaa/morpheus) GET request"; flow:to_server,established; content:"GET "; depth:4; reference:url,www.musiccity.com/technology.htm; reference:url,www.kazaa.com; classtype:policy-violation; sid:1383; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack (kazaa/morpheus) traffic"; flow:to_server,established; content:"X-Kazaa-Username"; reference:url,www.kazaa.com; classtype:protocol-command-decode; sid:1699;  rev:2;)
     new: alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Fastrack (kazaa/morpheus) traffic"; flow:to_server,established; content:"GET"; depth:3; content:"UserAgent\: KazaaClient"; reference:url,www.kazaa.com; classtype:policy-violation; sid:1699; rev:4;)
     old: alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; classtype:misc-activity; sid:556;  rev:4;)
     new: alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; classtype:policy-violation; sid:556; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"P2P napster download attempt"; flow:to_server,established; content:"|00 cb00|"; offset:1; depth:3; classtype:misc-activity; sid:551;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"P2P napster download attempt"; flow:to_server,established; content:"|00 cb00|"; offset:1; depth:3; classtype:policy-violation; sid:551; rev:5;)
     old: alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:misc-activity; sid:1432;  rev:3;)
     new: alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:policy-violation; sid:1432; rev:4;)
     old: alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster new user login"; flow:to_server,established; content:"|00 0600|"; offset:1; depth:3; classtype:misc-activity; sid:550;  rev:5;)
     new: alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster new user login"; flow:to_server,established; content:"|00 0600|"; offset:1; depth:3; classtype:policy-violation; sid:550; rev:6;)
     old: alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; classtype:misc-activity; sid:557;  rev:5;)
     new: alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; classtype:policy-violation; sid:557; rev:6;)
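Review bot: Sid 1699 (L389) silently changes what it detects: the old rule watched inbound traffic to $HOME_NET port 1214 for `X-Kazaa-Username`, the new one watches outbound client requests on any port for a `UserAgent\: KazaaClient` header, yet the msg and reference are unchanged and only the rev moved. If the inbound case is still wanted it now needs its own sid, and a hint in the msg (e.g. "outbound client request") would make the shift visible to anyone correlating alerts across revisions. The non-hyphenated `UserAgent\:` spelling looks deliberate but is worth confirming against a capture, since a standard `User-Agent:` header will not match this pattern.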

     file -> ftp.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retreval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT ? dos attempt"; flow:to_server,established; content:"STAT "; nocase; content:"?"; reference:bugtraq,4482; classtype:attempted-dos; sid:1778; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT ? dos attempt"; flow:to_server,established; content:"STAT"; nocase; content:"?"; distance:1; reference:bugtraq,4482; classtype:attempted-dos; sid:1778; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT * dos attempt"; flow:to_server,established; content:"STAT "; nocase; content:"*"; reference:bugtraq,4482; classtype:attempted-dos; sid:1777; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT * dos attempt"; flow:to_server,established; content:"STAT"; nocase; content:"*"; distance:1; reference:bugtraq,4482; classtype:attempted-dos; sid:1777; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP shadow retreval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"shadow"; classtype:suspicious-filename-detect; sid:1928; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP shadow retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"shadow"; classtype:suspicious-filename-detect; sid:1928; rev:3;)

     file -> exploit.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"EXPLOIT sco calserver overflow"; flow:to_server,established; content:"|eb7f 5d55 fe4d 98fe 4d9b|"; reference:cve,CVE-2000-0306; reference:bugtraq,2353; classtype:attempted-admin; sid:304;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"EXPLOIT SCO calserver overflow"; flow:to_server,established; content:"|eb7f 5d55 fe4d 98fe 4d9b|"; reference:cve,CVE-2000-0306; reference:bugtraq,2353; classtype:attempted-admin; sid:304; rev:6;)
     old: alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT netscape 4.7 client overflow"; flow:to_client,established; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|"; reference:cve,CVE-2000-1187; reference:bugtraq,822; reference:arachnids,215; classtype:attempted-user; sid:283;  rev:5;)
     new: alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT Netscape 4.7 client overflow"; flow:to_client,established; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|"; reference:cve,CVE-2000-1187; reference:bugtraq,822; reference:arachnids,215; classtype:attempted-user; sid:283;  rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"EXPLOIT ntalkd x86 linux overflow"; content:"|0103 0000 0000 0001 0002 02e8|"; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"EXPLOIT ntalkd x86 Linux overflow"; content:"|0103 0000 0000 0001 0002 02e8|"; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 linux mountd overflow"; content:"|eb56 5E56 5656 31d2 8856 0b88 561e|"; reference:cve,CVE-1999-0002; reference:bugtraq,121; classtype:attempted-admin; sid:316; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"|eb56 5E56 5656 31d2 8856 0b88 561e|"; reference:cve,CVE-1999-0002; reference:bugtraq,121; classtype:attempted-admin; sid:316; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 linux mountd overflow"; content:"|5eb0 0289 06fe c889 4604 b006 8946|"; reference:cve,CVE-1999-0002; reference:bugtraq,121; classtype:attempted-admin; sid:315; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"|5eb0 0289 06fe c889 4604 b006 8946|"; reference:cve,CVE-1999-0002; reference:bugtraq,121; classtype:attempted-admin; sid:315; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 linux mountd overflow"; content:"|eb40 5E31 c040 8946 0489 c340 8906|";reference:cve,CVE-1999-0002; reference:bugtraq,121; classtype:attempted-admin; sid:317; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"|eb40 5E31 c040 8946 0489 c340 8906|";reference:cve,CVE-1999-0002; reference:bugtraq,121; classtype:attempted-admin; sid:317; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT redhat 7.0 lprd overflow"; flow:to_server,established; content:"|58 58 58 58 25 2E 31 37 32 75 25 33 30 30 24 6E|"; classtype:attempted-admin; sid:302;  rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT Redhat 7.0 lprd overflow"; flow:to_server,established; content:"|58 58 58 58 25 2E 31 37 32 75 25 33 30 30 24 6E|"; classtype:attempted-admin; sid:302;  rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"EXPLOIT aix pdnsd overflow"; flow:to_server,established; content:"|7FFF FB78 7FFF FB78 7FFF FB78 7FFF FB78|"; content:"|408A FFC8 4082 FFD8 3B36 FE03 3B76 FE02|"; dsize:>1000; reference:cve,CVE-1999-0745; reference:bugtraq,3237; classtype:attempted-user; sid:1261;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"EXPLOIT AIX pdnsd overflow"; flow:to_server,established; content:"|7FFF FB78 7FFF FB78 7FFF FB78 7FFF FB78|"; content:"|408A FFC8 4082 FFD8 3B36 FE03 3B76 FE02|"; dsize:>1000; reference:cve,CVE-1999-0745; reference:bugtraq,3237; classtype:attempted-user; sid:1261;  rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"EXPLOIT x86 linux samba overflow"; flow:to_server,established; content:"|eb2f 5feb 4a5e 89fb 893e 89f2|"; reference:bugtraq,1816; reference:cve,CVE-1999-0811; reference:cve,CVE-1999-0182; classtype:attempted-admin; sid:292;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"EXPLOIT x86 Linux samba overflow"; flow:to_server,established; content:"|eb2f 5feb 4a5e 89fb 893e 89f2|"; reference:bugtraq,1816; reference:cve,CVE-1999-0811; reference:cve,CVE-1999-0182; classtype:attempted-admin; sid:292;  rev:5;)
     old: alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXPLOIT netscape 4.7 unsucessful overflow"; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|"; flow:to_server,established; reference:cve,CVE-2000-1187; reference:bugtraq,822; reference:arachnids,214; classtype:unsuccessful-user; sid:311;  rev:5;)
     new: alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXPLOIT Netscape 4.7 unsucessful overflow"; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|"; flow:to_server,established; reference:cve,CVE-2000-1187; reference:bugtraq,822; reference:arachnids,214; classtype:unsuccessful-user; sid:311;  rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"EXPLOIT nlps x86 solaris overflow"; flow:to_server,established; content:"|eb23 5e33 c088 46fa 8946 f589 36|"; classtype:attempted-admin; sid:300; reference:bugtraq,2319; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"EXPLOIT nlps x86 Solaris overflow"; flow:to_server,established; content:"|eb23 5e33 c088 46fa 8946 f589 36|"; classtype:attempted-admin; sid:300; reference:bugtraq,2319; rev:5;)
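Review bot: Sid 311 (L431) keeps the misspelling `unsucessful` in its msg although the line was touched and its rev bumped for the Netscape capitalisation; fixing it in the same pass, `msg:"EXPLOIT Netscape 4.7 unsuccessful overflow"`, would avoid another rev bump later and keep the msg consistent with the rule's `unsuccessful-user` classtype.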

     file -> web-client.rules
     old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT javascript URL host spoofing attempt"; flow:to_client,established; content:"javascript\://"; nocase; classtype:attempted-user; reference:bugtraq,5293; sid:1841; rev:2;)
     new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Javascript URL host spoofing attempt"; flow:to_client,established; content:"javascript\://"; nocase; classtype:attempted-user; reference:bugtraq,5293; sid:1841; rev:3;)
     old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT javascript document.domain attempt"; flow:to_client,established; content:"document.domain("; nocase; classtype:attempted-user; reference:bugtraq,5346; sid:1840; rev:2;)
     new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Javascript document.domain attempt"; flow:to_client,established; content:"document.domain("; nocase; classtype:attempted-user; reference:bugtraq,5346; sid:1840; rev:3;)

     file -> web-php.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP squirrelmail spellcheck arbitrary command attempt"; flow:to_server,established; uricontent:"/squirrelspell/modules/check_me.mod.php"; nocase; content: "SQSPELL_APP["; nocase; reference:bugtraq,3952; classtype:web-application-attack; sid:1736; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP squirrel mail spell-check arbitrary command attempt"; flow:to_server,established; uricontent:"/squirrelspell/modules/check_me.mod.php"; nocase; content: "SQSPELL_APP["; nocase; reference:bugtraq,3952; classtype:web-application-attack; sid:1736; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition memchr overlfow"; flow:to_server,established; content:"Content-Disposition\:"; content:"name=\"|CC CC CC CC CC|"; reference:bugtraq,4183; classtype:web-application-attack; sid:1423; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition memchr overflow"; flow:to_server,established; content:"Content-Disposition\:"; content:"name=\"|CC CC CC CC CC|"; reference:bugtraq,4183; classtype:web-application-attack; sid:1423; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP squirrelmail theme arbitrary command attempt"; flow:to_server,established; uricontent:"/left_main.php"; nocase; content:"cmdd="; reference:bugtraq,4385; classtype:web-application-attack; sid:1737; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP squirrel mail theme arbitrary command attempt"; flow:to_server,established; uricontent:"/left_main.php"; nocase; content:"cmdd="; reference:bugtraq,4385; classtype:web-application-attack; sid:1737; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools administror authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; nocase; content:"user_dnstools_administrator=true"; nocase; reference:bugtraq,4617; classtype:web-application-attack; sid:1739; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools administrator authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; nocase; content:"user_dnstools_administrator=true"; nocase; reference:bugtraq,4617; classtype:web-application-attack; sid:1739; rev:4;)
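Review bot: The msg rewrites for sids 1736 and 1737 (L443, L447) split the product name into `squirrel mail`, which diverges from the project's own spelling (SquirrelMail) and from the capitalisation pass applied to Netscape, Cisco and Linux elsewhere in this update; `msg:"WEB-PHP SquirrelMail spellcheck arbitrary command attempt"` would be the consistent form. Because consoles and correlation tools commonly key on msg text, a spelling that differs from the vendor's also hurts searchability.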

     file -> deleted.rules
     old: alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hi de/Show Desktop Client Request"; content:"33";  reference:arachnids,106; sid:168 ;  classtype:misc-activity; rev:4;)
     new: alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request"; content:"33";  reference:arachnids,106; sid:168;  classtype:misc-activity; rev:4;)
     old: alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"BACKDOOR DeepThroat access"; content: "--Ahhhhhhhhhh"; reference:arachnids,405; sid:113;  classtype:misc-act ivity; rev:4;)
     new: alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"BACKDOOR DeepThroat access"; content: "--Ahhhhhhhhhh"; reference:arachnids,405; sid:113;  classtype:misc-activity; rev:5;)
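Review bot: Sid 168 (L453) changes its msg (`Hi de/Show` to `Hide/Show`) and repairs the malformed `sid:168 ;` field but keeps `rev:4`, whereas the neighbouring sid 113 (L455) correctly moves to rev:5 for an equivalent fix. Any consumer that decides whether to reload a rule by comparing sid/rev pairs will treat the two versions as identical; the new line should end `sid:168;  classtype:misc-activity; rev:5;)`.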

     file -> rpc.rules
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC UDP kcms_server request"; content:"|01 87 7D 00 00|"; offset:40; depth:8; reference:cve,CAN-2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2005; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 7D|"; within:4; reference:cve,CAN-2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2005; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 32770:34000 (msg:"RPC sadmind UDP PING"; content:"|00 01 87 88|"; content:"|00 00 00 00|"; distance:4; within:4; reference:bugtraq,866; classtype:attempted-admin; sid:1957; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP PING"; content:"|00 01 87 88|"; offset:12; depth:4; content:"|00 00 00 00|"; distance:4; within:4; reference:bugtraq,866; classtype:attempted-admin; sid:1957; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount request"; flow:to_server,established; content:"|00 01 86 A5|"; content:"|00 00 00 01|"; distance:4; within:4; classtype:attempted-recon; sid:1951; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount request"; flow:to_server,established; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:attempted-recon; sid:1951; rev:2;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request RQUOTA UDP"; content:"|01 86 AB 00 00|"; offset:40;depth:8; classtype:rpc-portmap-decode; sid:1961; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap RQUOTA request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; classtype:rpc-portmap-decode; sid:1961; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt UDP 111"; content:"|00 01 86 A0|"; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1950; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt UDP 111"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1950; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rstatd"; content: "|01 86 A1 00 00|"; reference:arachnids,10; classtype:rpc-portmap-decode; flow:to_server,established; sid:1270;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; reference:arachnids,10; classtype:rpc-portmap-decode; sid:1270; rev:8;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk UDP overflow attempt"; content:"|00 01 86 F3|"; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,12,relative,align; byte_test:4,>,128,20,relative; reference:cve,CVE-1999-0003; reference:bugtraq,122; classtype:misc-attack; sid:1964; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk UDP overflow attempt"; content:"|00 01 86 F3|"; offset:12; depth:4; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; reference:cve,CVE-1999-0003; reference:bugtraq,122; classtype:misc-attack; sid:1964; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request selection_svc"; content:"|01 86 AF 00 00|";offset:40;depth:8; reference:arachnids,25; classtype:rpc-portmap-decode; sid:586; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap selection_svc request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; reference:arachnids,25; classtype:rpc-portmap-decode; sid:586; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 01 87 7D|"; offset: 16; content:"/../"; reference:cve,CAN-2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2007; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 01 87 7D|"; offset:16; depth:4; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; reference:cve,CAN-2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2007; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:598; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:598; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request NFS TCP"; flow:to_server,established; content:"|01 86 A3 00 00|"; offset:40; depth:8; classtype:rpc-portmap-decode; sid:1960; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap NFS request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; classtype:rpc-portmap-decode; sid:1960; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UDP proxy attempt"; content:"|00 01 86 A0|"; content:"|00 00 00 05|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1923; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 05|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1923; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request nisd"; content:"|01 87 cc 00 00|";offset:40;depth:8; reference:arachnids,21; classtype:rpc-portmap-decode; sid:580; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nisd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 cc|"; within:4; reference:arachnids,21; classtype:rpc-portmap-decode; sid:580; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing TCP 32771"; flow:to_server,established; content:"|00 01 86 A0|"; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:599; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing TCP 32771"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:599; rev:8;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request status"; content:"|01 86 B8 00 00|";offset:40;depth:8; reference:arachnids,15; classtype:rpc-portmap-decode; sid:587; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap status request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:587; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 32770:34000 (msg:"RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server,established; content:"|00 01 87 88|"; content:"|00 00 00 01|"; distance:4; within:4; byte_test:4,>,512,240,relative; reference:cve,CVE-1999-0977; reference:bugtraq,866; classtype:attempted-admin; sid:1912; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server,established; content:"|00 01 87 88|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; reference:cve,CVE-1999-0977; reference:bugtraq,866; classtype:attempted-admin; sid:1912; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request espd"; rpc:391029,*,*; flow:to_server,established; reference:cve,CAN-2001-0331; classtype:rpc-portmap-decode; sid:595;  rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7 75|"; within:4; reference:cve,CAN-2001-0331; classtype:rpc-portmap-decode; sid:595; rev:9;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; content:"|00 01 86 B8|"; content:"|00 00 00 02|"; distance:4; within:4; content:"%x %x"; distance:16; within:256; reference:bugtraq,1480; reference:cve,CVE-2000-0666; classtype:misc-attack; sid:1890; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; content:"|00 01 86 B8|"; offset:12; depth:4; content:"|00 00 00 02|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; reference:bugtraq,1480; reference:cve,CVE-2000-0666; classtype:misc-attack; sid:1890; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rexd";content:"|01 86 B1 00 00|";offset:40;depth:8; reference:arachnids,23; classtype:rpc-portmap-decode; sid:582; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rexd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; reference:arachnids,23; classtype:rpc-portmap-decode; sid:582; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request selection_svc"; content:"|01 86 AF 00 00|";offset:40;depth:8; reference:arachnids,25; classtype:rpc-portmap-decode; flow:to_server,established; sid:1273;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; reference:arachnids,25; classtype:rpc-portmap-decode; sid:1273; rev:7;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP exportall request"; content:"|00 01 86 A5|"; content:"|00 00 00 06|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:1926; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP exportall request"; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 06|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:1926; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing UDP 111"; content:"|00 01 86 A0|"; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:1280; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing UDP 111"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:1280; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request pcnfsd"; content:"|02 49 f1 00 00|";offset:40;depth:8; reference:arachnids,22; classtype:rpc-portmap-decode; flow:to_server,established; sid:1268;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02 49 f1|"; within:4; reference:arachnids,22; classtype:rpc-portmap-decode; sid:1268; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswd"; content:"|01 86 A9 00 00|";offset:40;depth:8; reference:arachnids,14; classtype:rpc-portmap-decode; flow:to_server,established; sid:1275;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; reference:arachnids,14; classtype:rpc-portmap-decode; sid:1275; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request nisd"; content:"|01 87 cc 00 00|";offset:40;depth:8; reference:arachnids,21; classtype:rpc-portmap-decode; flow:to_server,established; sid:1267;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 cc|"; within:4; reference:arachnids,21; classtype:rpc-portmap-decode; sid:1267; rev:7;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rusers"; content:"|01 86 A2 00 00|"; offset:40; depth:8; reference:cve,CVE-1999-0626; reference:arachnids,133; classtype:rpc-portmap-decode; sid:584; rev:3;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rusers request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; reference:cve,CVE-1999-0626; reference:arachnids,133; classtype:rpc-portmap-decode; sid:584; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|"; content:"|00 00 00 09|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1953; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|"; offset:16; depth:4; content:"|00 00 00 09|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1953; rev:2;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request cmsd"; content:"|01 86 E4 00 00|";offset:40;depth:8; reference:arachnids,17; classtype:rpc-portmap-decode; sid:578; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; reference:arachnids,17; classtype:rpc-portmap-decode; sid:578; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request mountd"; content:"|01 86 A5 00 00|";offset:40;depth:8; reference:arachnids,13; classtype:rpc-portmap-decode; flow:to_server,established; sid:1266; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; reference:arachnids,13; classtype:rpc-portmap-decode; sid:1266; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request amountd"; content:"|01 87 03 00 00|";offset:40;depth:8; reference:arachnids,19; classtype:rpc-portmap-decode; flow:to_server,established; sid:1263;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; reference:arachnids,19; classtype:rpc-portmap-decode; sid:1263; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request admind"; flow:to_server,established; content:"|01 86 F7 00 00|";offset:40;depth:8; reference:arachnids,18; classtype:rpc-portmap-decode; sid:1262;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap admind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; reference:arachnids,18; classtype:rpc-portmap-decode; sid:1262; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP export request"; content:"|00 01 86 A5|"; content:"|00 00 00 01|"; distance:4; within:4; classtype:attempted-recon; sid:1952; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP mount request"; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:attempted-recon; sid:1952; rev:2;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request ypupdated"; content:"|01 86 BC 00 00|";offset:40;depth:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:1277; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypupdated request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; reference:arachnids,125; classtype:rpc-portmap-decode; sid:1277; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request mountd"; content:"|01 86 A5 00 00|";offset:40;depth:8; reference:arachnids,13; classtype:rpc-portmap-decode; sid:579; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; reference:arachnids,13; classtype:rpc-portmap-decode; sid:579; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC TCP cachefsd request"; flow:to_server,established; content:"|01 87 8B 00 00|"; offset:40; depth:8; reference:cve,CAN-2002-0084; reference:bugtraq,4674; classtype:rpc-portmap-decode; sid:1747; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cachefsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; reference:cve,CAN-2002-0084; reference:bugtraq,4674; classtype:rpc-portmap-decode; sid:1747; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request NFS UDP"; content:"|01 86 A3 00 00|"; offset:40;depth:8; classtype:rpc-portmap-decode; sid:1959; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap NFS request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; classtype:rpc-portmap-decode; sid:1959; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 32770:34000 (msg:"RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; content:"|00 00 00 06|"; distance:4; within:4; byte_jump:4,12,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,1000,28,relative; reference:cve,CVE-1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1909; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; offset:16; depth:4; content:"|00 00 00 06|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; reference:cve,CVE-1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1909; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP exportall request"; flow:to_server,established; content:"|00 01 86 A5|"; content:"|00 00 00 06|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:1925; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP exportall request"; flow:to_server,established; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 06|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:1925; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 32770:34000 (msg:"RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; content:"|00 01 86 E4|"; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,12,relative,align; byte_test:4,>,1024,20,relative; reference:cve,CVE-1999-0696; reference:bugtraq,524; classtype:attempted-admin; sid:1907; rev:3;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; content:"|00 01 86 E4|"; offset:12; depth:4; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; reference:cve,CVE-1999-0696; reference:bugtraq,524; classtype:attempted-admin; sid:1907; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC UDP rwalld request"; content:"|01 86 A8 00 00|"; offset:40; depth:8; classtype:rpc-portmap-decode; sid:1732; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rwalld request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; classtype:rpc-portmap-decode; sid:1732; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC UDP cachefsd request"; content:"|01 87 8B 00 00|"; offset:40; depth:8; reference:cve,CAN-2002-0084; reference:bugtraq,4674; classtype:rpc-portmap-decode; sid:1746; rev:3;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cachefsd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; reference:cve,CAN-2002-0084; reference:bugtraq,4674; classtype:rpc-portmap-decode; sid:1746; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC TCP kcms_server request"; flow:to_server,established; content:"|01 87 7D 00 00|"; offset:40; depth:8; reference:cve,CAN-2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2006; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 7D|"; within:4; reference:cve,CAN-2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2006; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP export request"; content:"|00 01 86 A5|"; content:"|00 00 00 05|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:1924; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP export request"; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 05|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:1924; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request sadmind"; content:"|01 87 88 00 00|";offset:40;depth:8; reference:arachnids,20; classtype:rpc-portmap-decode; flow:to_server,established; sid:1272;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; reference:arachnids,20; classtype:rpc-portmap-decode; sid:1272; rev:7;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request tooltalk"; rpc:100083,*,*; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1299; rev:5;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1299; rev:8;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA UDP getquota overflow attempt"; content:"|00 01 86 AB|"; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_test:4,>,128,8,relative; reference:cve,CVE-1999-0974; reference:bugtraq,864; classtype:misc-attack; sid:1963; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt UDP"; content:"|00 01 86 AB|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; reference:cve,CVE-1999-0974; reference:bugtraq,864; classtype:misc-attack; sid:1963; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request RQUOTA TCP"; flow:to_server,established; content:"|01 86 AB 00 00|"; offset:40; depth:8; classtype:rpc-portmap-decode; sid:1962; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap RQUOTA request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; classtype:rpc-portmap-decode; sid:1962; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 32770:34000 (msg:"RPC sadmind TCP PING"; flow:to_server,established; content:"|00 01 87 88|"; content:"|00 00 00 00|"; distance:4; within:4; reference:bugtraq,866; classtype:attempted-admin; sid:1958; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP PING"; flow:to_server,established; content:"|00 01 87 88|"; offset:16; depth:4; content:"|00 00 00 00|"; distance:4; within:4; reference:bugtraq,866; classtype:attempted-admin; sid:1958; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 32770:34000 (msg:"RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,12,relative,align; byte_test:4,>,1024,20,relative; reference:cve,CVE-1999-0696; reference:bugtraq,524; classtype:attempted-admin; sid:1908; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; offset:16; depth:4; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; reference:cve,CVE-1999-0696; reference:bugtraq,524; classtype:attempted-admin; sid:1908; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC tcp portmap request snmpXdmi"; content:"|01 87 99 00 00|"; offset:40; depth:8; flow:to_server,established; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,2417; classtype:rpc-portmap-decode; sid:593;  rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,2417; classtype:rpc-portmap-decode; sid:593; rev:12;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request sadmind"; content:"|01 87 88 00 00|";offset:40;depth:8; reference:arachnids,20; classtype:rpc-portmap-decode; sid:585; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; reference:arachnids,20; classtype:rpc-portmap-decode; sid:585; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request ypserv"; content:"|01 86 A4 00 00|";offset:40;depth:8; reference:arachnids,12; classtype:rpc-portmap-decode; flow:to_server,established; sid:1276;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; reference:arachnids,12; classtype:rpc-portmap-decode; sid:1276; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC TCP rwalld request"; flow:to_server,established; content:"|01 86 A8 00 00|"; offset:40; depth:8; classtype:rpc-portmap-decode; sid:1733;  rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rwalld request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; classtype:rpc-portmap-decode; sid:1733; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request admind"; content:"|01 86 F7 00 00|";offset:40;depth:8; reference:arachnids,18; classtype:rpc-portmap-decode; sid:575; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap admind request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; reference:arachnids,18; classtype:rpc-portmap-decode; sid:575; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request ttdbserv"; content:"|01 86 F3 00 00|";offset:40;depth:8; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:arachnids,24; classtype:rpc-portmap-decode; flow:to_server,established; sid:1274;  rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4;  reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:cve,CAN-2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,122; reference:arachnids,24; classtype:rpc-portmap-decode; sid:1274; rev:9;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC STATD UDP monitor mon_name format string exploit attempt"; content:"|00 01 86 B8|"; content:"|00 00 00 02|"; distance:4; within:4; byte_jump:4,12,relative,align; byte_test:4,>,100,20,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin; sid:1915; rev:3;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD UDP monitor mon_name format string exploit attempt"; content:"|00 01 86 B8|"; offset:12; depth:4; content:"|00 00 00 02|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin; sid:1915; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing UDP 32771"; content: "|00 01 86 A0|"; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:1281; rev:3;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing UDP 32771"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:1281; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request amountd"; content:"|01 87 03 00 00|";offset:40;depth:8; reference:arachnids,19;classtype:rpc-portmap-decode; sid:576; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap amountd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; reference:arachnids,19; classtype:rpc-portmap-decode; sid:576; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC udp portmap request snmpXdmi"; content:"|01 87 99 00 00|"; offset:40; depth:8; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,2417; classtype:rpc-portmap-decode; sid:1279; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap snmpXdmi request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,2417; classtype:rpc-portmap-decode; sid:1279; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC STATD TCP stat mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,12,relative,align; byte_test:4,>,100,20,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin; sid:1914; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD TCP stat mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin; sid:1914; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request ypserv"; content:"|01 86 A4 00 00|";offset:40;depth:8; reference:arachnids,12; classtype:rpc-portmap-decode; sid:590; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypserv request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; reference:arachnids,12; classtype:rpc-portmap-decode; sid:590; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswd"; content:"|01 86 A9 00 00|";offset:40;depth:8; reference:arachnids,14; classtype:rpc-portmap-decode; sid:589; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; reference:arachnids,14; classtype:rpc-portmap-decode; sid:589; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP pid request"; content:"|00 04 93 F3|"; content:"|00 00 00 09|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1954; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP pid request"; content:"|00 04 93 F3|"; offset:12; depth:4; content:"|00 00 00 09|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1954; rev:2;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request pcnfsd"; content:"|02 49 f1 00 00|";offset:40;depth:8; reference:arachnids,22; classtype:rpc-portmap-decode; sid:581; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap pcnfsd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02 49 f1|"; within:4; reference:arachnids,22; classtype:rpc-portmap-decode; sid:581; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 32770:34000 (msg:"RPC CMSD udp CMSD_INSERT buffer overflow attempt"; content:"|00 01 86 E4|"; content:"|00 00 00 06|"; distance:4; within:4; byte_jump:4,12,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,1000,28,relative; reference:cve,CVE-1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1910; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD udp CMSD_INSERT buffer overflow attempt"; content:"|00 01 86 E4|"; offset:12; depth:4; content:"|00 00 00 06|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; reference:cve,CVE-1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1910; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request cmsd"; content:"|01 86 E4 00 00|";offset:40;depth:8; reference:arachnids,17; classtype:rpc-portmap-decode; flow:to_server,established; sid:1265;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; reference:arachnids,17; classtype:rpc-portmap-decode; sid:1265; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request tooltalk"; flow:to_server,established; rpc:100083,*,*; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1298;  rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1298; rev:10;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap TCP proxy attempt"; flow:to_server,established; content:"|00 01 86 A0|"; content:"|00 00 00 05|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1922; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 05|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1922; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request ttdbserv"; content:"|01 86 F3 00 00|"; offset:40;depth:8; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:cve,CAN-2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,122; reference:arachnids,24; classtype:rpc-portmap-decode; sid:588; rev:5;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4;  reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:cve,CAN-2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,122; reference:arachnids,24; classtype:rpc-portmap-decode; sid:588; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rexd";content:"|01 86 B1 00 00|";offset:40;depth:8; reference:arachnids,23; classtype:rpc-portmap-decode; flow:to_server,established; sid:1269;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; reference:arachnids,23; classtype:rpc-portmap-decode; sid:1269; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1949; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1949; rev:2;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC STATD UDP stat mon_name format string exploit attempt"; content:"|00 01 86 B8|"; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,12,relative,align; byte_test:4,>,100,20,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin; sid:1913; rev:3;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD UDP stat mon_name format string exploit attempt"; content:"|00 01 86 B8|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin; sid:1913; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP amqproc_mount plog overflow attempt"; flow:to_server,established; content:"|00 04 93 F3|"; content:"|00 00 00 07|"; distance:4; within:4; byte_test:4,>,512,16,relative; reference:cve,CVE-1999-0704; reference:bugtraq,614; classtype:misc-attack; sid:1906; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP amqproc_mount plog overflow attempt"; flow:to_server,established; content:"|00 04 93 F3|"; offset:16; depth:4; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; reference:cve,CVE-1999-0704; reference:bugtraq,614; classtype:misc-attack; sid:1906; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rusers"; content:"|01 86 A2 00 00|";offset:40;depth:8; reference:arachnids,133; reference:cve,CVE-1999-0626; classtype:rpc-portmap-decode; flow:to_server,established; sid:1271;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; reference:cve,CVE-1999-0626; reference:arachnids,133; classtype:rpc-portmap-decode; sid:1271; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC STATD TCP monitor mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; content:"|00 00 00 02|"; distance:4; within:4; byte_jump:4,12,relative,align; byte_test:4,>,100,20,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin; sid:1916; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD TCP monitor mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; offset:16; depth:4; content:"|00 00 00 02|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin; sid:1916; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rstatd"; content: "|01 86 A1 00 00|"; reference:arachnids,10; classtype:rpc-portmap-decode; sid:583; rev:3;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; reference:arachnids,10; classtype:rpc-portmap-decode; sid:583; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request bootparam"; content:"|01 86 BA 00 00|";offset:40;depth:8; reference:cve,CAN-1999-0647; reference:arachnids,16; classtype:rpc-portmap-decode; flow:to_server,established; sid:1264;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; reference:cve,CAN-1999-0647; reference:arachnids,16; classtype:rpc-portmap-decode; sid:1264; rev:8;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP version request"; content:"|00 04 93 F3|"; content:"|00 00 00 08|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1956; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP version request"; content:"|00 04 93 F3|"; offset:12; depth:4; content:"|00 00 00 08|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1956; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; flow:to_server, established; content:"|00 01 86 B8|"; content:"|00 00 00 02|"; distance:4; within:4; content:"%x %x"; distance:16; within:256; reference:bugtraq,1480; reference: cve,CVE-2000-0666; classtype: misc-attack; sid:1891; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; flow:to_server, established; content:"|00 01 86 B8|"; offset:16; depth:4; content:"|00 00 00 02|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; reference:bugtraq,1480; reference: cve,CVE-2000-0666; classtype: misc-attack; sid:1891; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request bootparam"; content:"|01 86 BA 00 00|";offset:40;depth:8; reference:cve,CAN-1999-0647; reference:arachnids,16; classtype:rpc-portmap-decode; sid:577; rev:3;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap bootparam request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; reference:cve,CAN-1999-0647; reference:arachnids,16; classtype:rpc-portmap-decode; sid:577; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt"; flow:to_server,established; content:"|0000 0f9c|"; offset:0; depth:4; content:"|00018799|"; offset: 16; depth:4; reference:bugtraq,2417; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|"; offset:16; depth:4; content:"|00 00 01 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; reference:bugtraq,2417; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk TCP overflow attempt"; flow:to_server,established; content:"|00 01 86 F3|"; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,12,relative,align; byte_test:4,>,128,20,relative; reference:cve,CVE-1999-0003; reference:bugtraq,122; classtype:misc-attack; sid:1965; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk TCP overflow attempt"; flow:to_server,established; content:"|00 01 86 F3|"; offset:16; depth:4; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; reference:cve,CVE-1999-0003; reference:bugtraq,122; classtype:misc-attack; sid:1965; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request ypupdated"; flow:to_server,established; content:"|01 86 BC 00 00|";offset:40;depth:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:591;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; reference:arachnids,125; classtype:rpc-portmap-decode; sid:591; rev:7;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP amqproc_mount plog overflow attempt"; content:"|00 04 93 F3|"; content:"|00 00 00 07|"; distance:4; within:4; byte_test:4,>,512,16,relative; reference:cve,CVE-1999-0704; reference:bugtraq,614; classtype:misc-attack; sid:1905; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP amqproc_mount plog overflow attempt"; content:"|00 04 93 F3|"; offset:12; depth:4; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;  byte_test:4,>,512,0,relative; reference:cve,CVE-1999-0704; reference:bugtraq,614; classtype:misc-attack; sid:1905; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; content:"|00 00 00 05|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:574; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 05|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:574; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 32770:34000 (msg:"RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; content:"|00 01 87 88|"; content:"|00 00 00 01|"; distance:4; within:4; byte_test:4,>,512,240,relative; reference:cve,CVE-1999-0977; reference:bugtraq,866; classtype:attempted-admin; sid:1911; rev:3;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; content:"|00 01 87 88|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; reference:cve,CVE-1999-0977; reference:bugtraq,866; classtype:attempted-admin; sid:1911; rev:5;)

     file -> netbios.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .nws"; content:"|00|.|00|N|00|W|00|S"; flow:to_server,established; classtype:bad-unknown; reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1294; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .nws"; content:"|00|.|00|N|00|W|00|S"; flow:to_server,established; classtype:bad-unknown; reference:url,www.f-secure.com/v-descs/nimda.shtml; sid:1294; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Parameter of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF 53 4D 42 25|"; offset:4; depth:5; content:"|00 00|"; offset:43; depth:2; reference:cve,CAN-2002-0724; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.asp; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:denial-of-service; sid:2101; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Parameter of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF 53 4D 42 25|"; offset:4; depth:5; content:"|00 00|"; offset:43; depth:2; reference:cve,CAN-2002-0724; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.asp; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:denial-of-service; sid:2101; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF 53 4D 42 25|"; offset:4; depth:5; content:"|00 00|"; offset:45; depth:2; reference:cve,CAN-2002-0724; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.asp; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:denial-of-service; sid:2102; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF 53 4D 42 25|"; offset:4; depth:5; content:"|00 00|"; offset:45; depth:2; reference:cve,CAN-2002-0724; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.asp; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:denial-of-service; sid:2102; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml"; content:"|00|.|00|E|00|M|00|L"; flow:to_server,established; classtype:bad-unknown; reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1293; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml"; content:"|00|.|00|E|00|M|00|L"; flow:to_server,established; classtype:bad-unknown; reference:url,www.f-secure.com/v-descs/nimda.shtml; sid:1293; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda RICHED20.DLL"; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0"; flow:to_server,established; classtype:bad-unknown; reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1295; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda RICHED20.DLL"; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0"; flow:to_server,established; classtype:bad-unknown; reference:url,www.f-secure.com/v-descs/nimda.shtml; sid:1295; rev:7;)

     file -> attack-responses.rules
     old: alert tcp $HOME_NET 749 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSE successful kadmind bufferflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:cve,CAN-2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1900; rev:1;)
     new: alert tcp $HOME_NET 749 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:cve,CAN-2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1900; rev:3;)
     old: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES http dir listing"; content: "Volume Serial Number"; flow:from_server,established; classtype:bad-unknown; sid:1292; rev:4;)
     new: alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES directory listing"; content: "Volume Serial Number"; flow:from_server,established; classtype:bad-unknown; sid:1292; rev:7;)
     old: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check returned www"; flow:from_server,established; content:"uid="; content:"(www)"; classtype:bad-unknown; sid:1882; rev:2;)
     new: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned www"; flow:from_server,established; content:"uid="; content:"(www)"; classtype:bad-unknown; sid:1882; rev:3;)
     old: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check returned nobody"; flow:from_server,established; content:"uid="; content:"(nobody)"; classtype:bad-unknown; sid:1883; rev:2;)
     new: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned nobody"; flow:from_server,established; content:"uid="; content:"(nobody)"; classtype:bad-unknown; sid:1883; rev:3;)
     old: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES command error"; content:"Bad command or filename"; nocase; flow:from_server,established; classtype:bad-unknown; sid:495; rev:5;)
     new: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES command error"; content:"Bad command or filename"; nocase; flow:from_server,established; classtype:bad-unknown; sid:495; rev:6;)
     old: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES command completed"; content:"Command completed"; nocase; flow:from_server,established; classtype:bad-unknown; sid:494; rev:5;)
     new: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES command completed"; content:"Command completed"; nocase; flow:from_server,established; classtype:bad-unknown; sid:494; rev:6;)
     old: alert tcp $HOME_NET 751 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSE successful kadmind bufferflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:cve,CAN-2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1901; rev:1;)
     new: alert tcp $HOME_NET 751 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:cve,CAN-2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1901; rev:3;)
     old: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check returned http"; flow:from_server,established; content:"uid="; content:"(http)"; classtype:bad-unknown; sid:1885; rev:2;)
     new: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned http"; flow:from_server,established; content:"uid="; content:"(http)"; classtype:bad-unknown; sid:1885; rev:3;)
     old: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES Invalid URL"; content:"Invalid URL"; nocase; flow:from_server,established; reference:url,www.microsoft.com/technet/security/bulletin/MS00-063.asp; classtype:attempted-recon; sid:1200; rev:7;)
     new: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Invalid URL"; content:"Invalid URL"; nocase; flow:from_server,established; reference:url,www.microsoft.com/technet/security/bulletin/MS00-063.asp; classtype:attempted-recon; sid:1200; rev:8;)
     old: alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSE successful gobbles ssh exploit (uname)"; flow:from_server,established; content:"uname"; reference:bugtraq,5093; classtype:misc-attack; sid:1811; rev:2;)
     new: alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful gobbles ssh exploit (uname)"; flow:from_server,established; content:"uname"; reference:bugtraq,5093; classtype:misc-attack; sid:1811; rev:3;)
     old: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES index of /cgi-bin/ response"; flow:from_server,established; content:"Index of /cgi-bin/"; nocase; classtype:bad-unknown; sid:1666; rev:3;)
     new: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES index of /cgi-bin/ response"; flow:from_server,established; content:"Index of /cgi-bin/"; nocase; reference:nessus,10039; classtype:bad-unknown; sid:1666; rev:5;)
     old: alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSE successful gobbles ssh exploit (GOBBLE)"; flow:from_server,established; content:"|2a|GOBBLE|2a|"; reference:bugtraq,5093; classtype:successful-admin; sid:1810; rev:2;)
     new: alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful gobbles ssh exploit (GOBBLE)"; flow:from_server,established; content:"|2a|GOBBLE|2a|"; reference:bugtraq,5093; classtype:successful-admin; sid:1810; rev:3;)
     old: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES file copied ok"; content:"1 file(s) copied"; nocase; flow:from_server,established; classtype:bad-unknown; sid:497; rev:5;)
     new: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES file copied ok"; content:"1 file(s) copied"; nocase; flow:from_server,established; classtype:bad-unknown; sid:497; rev:6;)
     old: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check returned web"; flow:from_server,established; content:"uid="; content:"(web)"; classtype:bad-unknown; sid:1884; rev:2;)
     new: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned web"; flow:from_server,established; content:"uid="; content:"(web)"; classtype:bad-unknown; sid:1884; rev:3;)
     old: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check returned apache"; flow:from_server,established; content:"uid="; content:"(apache)"; classtype:bad-unknown; sid:1886; rev:2;)
     new: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned apache"; flow:from_server,established; content:"uid="; content:"(apache)"; classtype:bad-unknown; sid:1886; rev:3;)
     old: alert ip any any -> any any (msg:"ATTACK RESPONSES id check returned root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)
     new: alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:4;)
     old: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES 403 Forbidden"; flow:from_server,established; content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:6;)
     new: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES 403 Forbidden"; flow:from_server,established; content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:7;)
     old: alert tcp $HOME_NET 8002 -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES oracle one hour install"; flow:from_server,established; content:"Oracle Applications One-Hour Install"; classtype:bad-unknown; sid:1464; rev:2;)
     new: alert tcp $HOME_NET 8002 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES oracle one hour install"; flow:from_server,established; content:"Oracle Applications One-Hour Install"; classtype:bad-unknown; sid:1464; rev:3;)

     file -> ddos.rules
     old: alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server-response-gag"; content: "|73 69 63 6B 65 6E|"; itype: 0; icmp_id: 669; reference:arachnids,195; classtype:attempted-dos; sid:225; rev:1;)
     new: alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht gag server response"; content: "sicken"; itype: 0; icmp_id: 669; reference:arachnids,195; classtype:attempted-dos; sid:225; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default password";flags: A+; content:"gOrave"; classtype:attempted-dos; sid:234; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default password"; flow:established,to_server; content:"gOrave"; classtype:attempted-dos; sid:234; rev:2;)
     old: alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS shaft synflood"; flags: S; seq: 674711609; reference:arachnids,253; classtype:attempted-dos; sid:241; rev:2;)
     new: alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS shaft synflood"; flags: S,12; seq: 674711609; reference:arachnids,253; classtype:attempted-dos; sid:241; rev:3;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client-spoofworks"; content: "|73 70 6F 6F 66 77 6F 72 6B 73|"; itype: 0; icmp_id: 1000; reference:arachnids,192; classtype:attempted-dos; sid:227; rev:1;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client spoofworks"; content: "spoofworks"; itype: 0; icmp_id: 1000; reference:arachnids,192; classtype:attempted-dos; sid:227; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default mdie password";flags: A+; content:"killme"; classtype:bad-unknown; sid:235; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default mdie password"; flow:established,to_server; content:"killme"; classtype:bad-unknown; sid:235; rev:2;)
     old: alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS TFN server response"; itype:0; icmp_id:123; icmp_seq:0; content: "|73 68 65 6C 6C 20 62 6F 75 6E 64 20 74 6F 20 70 6F 72 74|"; reference:arachnids,182; classtype:attempted-dos; sid:238; rev:3;)
     new: alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS TFN server response"; itype:0; icmp_id:123; icmp_seq:0; content: "shell bound to port"; reference:arachnids,182; classtype:attempted-dos; sid:238; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00\:Attacker to Master default startup password";flags: A+; content:"betaalmostdone"; reference:arachnids,197; classtype:attempted-dos; sid:233; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00\:Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; reference:arachnids,197; classtype:attempted-dos; sid:233; rev:2;)
     old: alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; content: ">"; flags: A+; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:250; rev:1;)
     new: alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; flow:from_server,established; content: ">"; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:250; rev:2;)
     old: alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; content: ">"; flags: A+;reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:248; rev:1;)
     new: alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; content: ">"; flow:to_client,established; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:248; rev:2;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client-check-gag"; content: "|67 65 73 75 6E 64 68 65 69 74 21|"; itype: 0; icmp_id: 668; reference:arachnids,194; classtype:attempted-dos; sid:236; rev:1;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client check gag"; content: "gesundheit!"; itype: 0; icmp_id: 668; reference:arachnids,194; classtype:attempted-dos; sid:236; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 20432 (msg:"DDOS shaft client to handler"; flags: A+; reference:arachnids,254; classtype:attempted-dos; sid:230; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 20432 (msg:"DDOS shaft client to handler"; flow:established; reference:arachnids,254; classtype:attempted-dos; sid:230; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 15104 (msg:"DDOS mstream client to handler"; flags: S; reference:arachnids,111; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:249; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 15104 (msg:"DDOS mstream client to handler"; flags: S,12; reference:arachnids,111; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:249; rev:2;)
     old: alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server-response"; content: "|66 69 63 6B 65 6E|"; itype: 0; icmp_id: 667; reference:arachnids,191; classtype:attempted-dos; sid:226; rev:1;)
     new: alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server response"; content: "ficken"; itype: 0; icmp_id: 667; reference:arachnids,191; classtype:attempted-dos; sid:226; rev:3;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client-check"; content: "|73 6B 69 6C 6C 7A|"; itype: 0; icmp_id: 666; reference:arachnids,190; classtype:attempted-dos; sid:229; rev:1;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client check skillz"; content: "skillz"; itype: 0; icmp_id: 666; reference:arachnids,190; classtype:attempted-dos; sid:229; rev:2;)
     old: alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server-spoof"; itype: 0; icmp_id: 666; reference:arachnids,193; classtype:attempted-dos; sid:224; rev:1;)
     new: alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server spoof"; itype: 0; icmp_id: 666; reference:arachnids,193; classtype:attempted-dos; sid:224; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"DDOS mstream client to handler"; content: ">"; flags: A+; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:247; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"DDOS mstream client to handler"; content: ">"; flow:to_server,established; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:247; rev:2;)
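Review bot: The shaft client-to-handler rule (sid 230) is converted to a bare `flow:established;` with no direction, whereas every other `flags: A+` conversion in this section (sids 233, 234, 235, 247) carries `to_server`; since sid 230 has no content match at all, the direction is the only payload-independent constraint left, so `flow:to_server,established;` looks like what was intended. Separately, the two mstream handler-to-client rules are now written differently for the same traffic: sid 250 uses `flow:from_server,established;` before the content match while sid 248 uses `flow:to_client,established;` after it; the two direction keywords are synonyms in Snort, so this is style only, but aligning sid 248 with sid 250 would make the pair easier to compare. The same flow-after-content ordering appears once more in backdoor.rules (sid 117).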

     file -> web-iis.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS isc$data attempt";flow:to_server,established; content:".idc|3a3a|$data"; nocase; reference:bugtraq,307; reference:cve,CVE-1999-0874; classtype:web-application-attack; sid:1020;  rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS isc$data attempt";flow:to_server,established; uricontent:".idc|3a3a|$data"; nocase; reference:bugtraq,307; reference:cve,CVE-1999-0874; classtype:web-application-attack; sid:1020;  rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS webdav file lock attempt"; flow:to_server,established; content:"LOCK "; offset:0; depth:5; reference:bugtraq,2736; classtype:web-application-activity; sid:969;  rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WebDAV file lock attempt"; flow:to_server,established; content:"LOCK "; offset:0; depth:5; reference:bugtraq,2736; classtype:web-application-activity; sid:969; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS index server file sourcecode attempt"; flow:to_server,established; content:"?CiWebHitsFile=/"; content:"&CiRestriction=none&CiHiliteType=Full"; classtype:web-application-attack; sid:1019;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS index server file source code attempt"; flow:to_server,established; uricontent:"?CiWebHitsFile=/"; content:"&CiRestriction=none&CiHiliteType=Full"; classtype:web-application-attack; sid:1019;  rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl-browse20 attempt";flow:to_server,established; content:"%20.pl"; nocase; classtype:web-application-attack; sid:1027;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl-browse20 attempt";flow:to_server,established; uricontent:"%20.pl"; nocase; classtype:web-application-attack; sid:1027; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl-browse0a attempt";flow:to_server,established; content:"%0a.pl"; nocase; classtype:web-application-attack; sid:1026;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl-browse0a attempt";flow:to_server,established; uricontent:"%0a.pl"; nocase; classtype:web-application-attack; sid:1026; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS global.asa access"; flow:to_server,established; content:"/global.asa"; nocase; reference:nessus,10491; reference:cve,CVE-2000-0778; classtype:web-application-activity; sid:1016; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS global.asa access"; flow:to_server,established; uricontent:"/global.asa"; nocase; reference:nessus,10491; reference:cve,CVE-2000-0778; classtype:web-application-activity; sid:1016; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ism.dll attempt"; flow:to_server,established; content:"%20%20%20%20%20.htr"; nocase; reference:cve,CAN-2000-0457; reference:bugtraq,1193; classtype:web-application-attack; sid:1021;  rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ism.dll attempt"; flow:to_server,established; uricontent:"%20%20%20%20%20.htr"; nocase; reference:cve,CAN-2000-0457; reference:bugtraq,1193; classtype:web-application-attack; sid:1021; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ASP contents view"; flow:to_server,established; uricontent:".htw?CiWebHitsFile"; reference:bugtraq,1864; classtype:web-application-attack; sid:979;  rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ASP contents view"; flow:to_server,established; uricontent:".htw?CiWebHitsFile"; reference:bugtraq,1861; classtype:web-application-attack; sid:979; rev:7;)
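Review bot: The msg of sid 1020 still reads `isc$data` while the pattern it matches is `.idc|3a3a|$data`, so the rev bump to 7 was a chance to correct the label to `msg:"WEB-IIS idc$data attempt";`. In sid 1019 only the first of the two matches was moved to `uricontent`; the trailing `content:"&CiRestriction=none&CiHiliteType=Full"` is part of the same query string, so if the switch to normalized-URI matching is intended it would be consistent to move that one too rather than mixing URI and raw-payload matching in one rule. The bugtraq reference on sid 979 changes from 1864 to 1861 with no mention in the update; worth confirming the new id is the intended one.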

     file -> pop3.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 bsd overflow"; flow:to_server,established; content:"|5e0 e31c 0b03 b8d7 e0e8 9fa 89f9|"; classtype:attempted-admin; sid:286; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"|5e0 e31c 0b03 b8d7 e0e8 9fa 89f9|"; classtype:attempted-admin; sid:286; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 sco overflow"; flow:to_server,established; content:"|560e 31c0 b03b 8d7e 1289 f989 f9|"; classtype:attempted-admin; sid:289; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 SCO overflow"; flow:to_server,established; content:"|560e 31c0 b03b 8d7e 1289 f989 f9|"; classtype:attempted-admin; sid:289; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 bsd overflow"; flow:to_server,established; content:"|685d 5eff d5ff d4ff f58b f590 6631|"; classtype:attempted-admin; sid:287; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"|685d 5eff d5ff d4ff f58b f590 6631|"; classtype:attempted-admin; sid:287; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|d840 cd80 e8d9 ffff ff|/bin/sh"; classtype:attempted-admin; sid:288; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 Linux overflow"; flow:to_server,established; content:"|d840 cd80 e8d9 ffff ff|/bin/sh"; classtype:attempted-admin; sid:288; rev:5;)

     file -> porn.rules
     old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN alt.binaries.pictures.erotica"; content:"alt.binaries.pictures.erotica"; nocase; flags:A+; classtype:kickass-porn; sid:1836; rev:1;)
     new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN alt.binaries.pictures.erotica"; flow:to_client,established; content:"alt.binaries.pictures.erotica"; nocase; classtype:kickass-porn; sid:1836; rev:2;)
     old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN alt.binaries.pictures.tinygirls"; content:"alt.binaries.pictures.tinygirls"; nocase; flags:A+; classtype:kickass-porn; sid:1837; rev:1;)
     new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN alt.binaries.pictures.tinygirls"; flow:to_client,established; content:"alt.binaries.pictures.tinygirls"; nocase; classtype:kickass-porn; sid:1837; rev:2;)

     file -> dos.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"DOS cisco attempt"; flow:to_server,established; content:"|13|"; dsize:1; classtype:web-application-attack; sid:1545; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"DOS Cisco attempt"; flow:to_server,established; content:"|13|"; dsize:1; classtype:web-application-attack; sid:1545; rev:5;)

     file -> scan.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS";flags:SRAFPU; reference:arachnids,144; classtype:attempted-recon; sid:625; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS"; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:625; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN SOCKS Proxy attempt"; flags:S; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN SOCKS Proxy attempt"; flags:S,12; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags: F; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags:F,12; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S; classtype:attempted-recon; sid:618; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S,12; classtype:attempted-recon; sid:618; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy \(8080\) attempt"; flags:S; classtype:attempted-recon; sid:620; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy \(8080\) attempt"; flags:S,12; classtype:attempted-recon; sid:620; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SCAN UPNP service discover attempt"; content:"M-SEARCH "; offset:0; depth:9; content:"ssdp\:discover"; classtype:network-scan; sid:1917; rev:3;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SCAN UPnP service discover attempt"; content:"M-SEARCH "; offset:0; depth:9; content:"ssdp\:discover"; classtype:network-scan; sid:1917; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP";flags:A;ack:0; reference:arachnids,28; classtype:attempted-recon; sid:628; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP"; flags:A,12; ack:0; reference:arachnids,28; classtype:attempted-recon; sid:628; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap fingerprint attempt";flags:SFPU; reference:arachnids,05; classtype:attempted-recon; sid:629; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap fingerprint attempt"; flags:SFPU; reference:arachnids,05; classtype:attempted-recon; sid:629; rev:1;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL";flags:0; seq:0; ack:0; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; flags:0; seq:0; ack:0; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:1;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN";flags:SF; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN";flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS";flags:FPU; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:2;)
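Review bot: sids 629 (`flags:SFPU`) and 623 (`flags:0`) only gained whitespace in this pass and keep rev:1, while every other flags-based scan rule in this section now carries the `,12` mask so the two reserved bits are ignored; if that omission is deliberate (for instance so a NULL scan does not match when reserved bits are set) a comment in the file would help, otherwise `flags:SFPU,12;` and `flags:0,12;` with a rev bump would make the section consistent. The SYN FIN rule (sid 624) also kept the missing space after `msg:"SCAN SYN FIN";` that the neighbouring rules had normalized.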

     file -> misc.rules
     old: alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"MISC Source Port 20 to <1024"; flags:S; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:2;)
     new: alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"MISC Source Port 20 to <1024"; flags:S,12; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPNP Location overflow"; content:"|0d|Location|3a|"; nocase; content:!"|0a|"; within:128; classtype:misc-attack; reference:cve,CAN-2001-0876; sid:1388; rev:3;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP Location overflow"; content:"|0d|Location|3a|"; nocase; content:!"|0a|"; within:128; classtype:misc-attack; reference:cve,CAN-2001-0876; sid:1388; rev:4;)
     old: alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid user authentication response"; flow:from_server,established; content:"E Fatal error, aborting."; content:"\: no such user"; classtype:misc-attack; sid:2008; rev:2;)
     new: alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid user authentication response"; flow:from_server,established; content:"E Fatal error, aborting."; content:"|3a| no such user"; classtype:misc-attack; sid:2008; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPNP malformed advertisement"; content:"NOTIFY * "; nocase; classtype:misc-attack; reference:cve,CAN-2001-0876; reference:cve,CAN-2001-0877; sid:1384; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; classtype:misc-attack; reference:cve,CAN-2001-0876; reference:cve,CAN-2001-0877; sid:1384; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hardware address lenght overflow"; content:"|01|"; offset:0; depth:1; byte_test:1,>,6,2; reference:cve,CAN-1999-0798; classtype:misc-activity; sid:1939; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hardware address length overflow"; content:"|01|"; offset:0; depth:1; byte_test:1,>,6,2; reference:cve,CAN-1999-0798; classtype:misc-activity; sid:1939; rev:2;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 27155 (msg:"MISC GlobalSunTech Access Point Information Discolsure attempt"; content:"gstsearch"; reference:bugtraq,6100; classtype:misc-activity; sid:1966; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 27155 (msg:"MISC GlobalSunTech Access Point Information Disclosure attempt"; content:"gstsearch"; reference:bugtraq,6100; classtype:misc-activity; sid:1966; rev:2;)
     old: alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; flags:S; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:2;)
     new: alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; flags:S,12; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:3;)
     old: alert tcp $HOME_NET 7161 -> $EXTERNAL_NET any (msg:"MISC Cisco Catalyst Remote Access"; flags:SA; reference:arachnids,129; reference:cve,CVE-1999-0430; classtype:bad-unknown; sid:513; rev:3;)
     new: alert tcp $HOME_NET 7161 -> $EXTERNAL_NET any (msg:"MISC Cisco Catalyst Remote Access"; flags:SA,12; reference:arachnids,129; reference:cve,CVE-1999-0430; classtype:bad-unknown; sid:513; rev:4;)

     file -> backdoor.rules
     old: alert tcp $HOME_NET 666 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR SatansBackdoor.2.0.Beta"; content: "Remote|3A| You are connected to me."; flags:A+;  reference:arachnids,316; sid:118;  classtype:misc-activity; rev:3;)
     new: alert tcp $HOME_NET 666 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR SatansBackdoor.2.0.Beta"; flow:established,from_server; content:"Remote|3A| You are connected to me."; reference:arachnids,316; sid:118;  classtype:misc-activity; rev:4;)
     old: alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 2.0 access"; content: "|57 74 7a 75 70 20 55 73 65|"; flags: A+; depth: 32;  reference:arachnids,312; sid:119;  classtype:misc-activity; rev:3;)
     new: alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 2.0 access"; flow:established,from_server; content:"Wtzup Use"; depth:32; reference:arachnids,312; sid:119;  classtype:misc-activity; rev:4;)
     old: alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"BACKDOOR HackAttack 1.20 Connect"; flags: A+; content:"host"; sid:141;  classtype:misc-activity; rev:3;)
     new: alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"BACKDOOR HackAttack 1.20 Connect"; flow:established,from_server; content:"host"; sid:141;  classtype:misc-activity; rev:4;)
     old: alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"BACKDOOR GateCrasher"; flags: A+; content:"GateCrasher";reference:arachnids,99; sid:147;  classtype:misc-activity; rev:3;)
     new: alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"BACKDOOR GateCrasher"; flow:established,from_server; content:"GateCrasher";reference:arachnids,99; sid:147;  classtype:misc-activity; rev:4;)
     old: alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1000:1300 (msg:"BACKDOOR Infector 1.6 Server to Client"; content:"|57 48 41 54 49 53 49 54|"; flags:A+; sid:120;  classtype:misc-activity; rev:3;)
     new: alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1000:1300 (msg:"BACKDOOR Infector 1.6 Server to Client"; flow:established,from_server; content:"WHATISIT"; sid:120;  classtype:misc-activity; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (msg:"BACKDOOR QAZ Worm Client Login access"; flags: A+; content:"|71 61 7a 77 73 78 2e 68 73 71|"; reference:MCAFEE,98775; sid:108;  classtype:misc-activity; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (msg:"BACKDOOR QAZ Worm Client Login access"; flow:to_server,established; content:"|71 61 7a 77 73 78 2e 68 73 71|"; reference:MCAFEE,98775; sid:108;  classtype:misc-activity; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HideSource backdoor attempt";flags: A+; content:"wank"; sid:220;  classtype:misc-activity; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HideSource backdoor attempt"; flow:to_server,established; content:"wank"; sid:220;  classtype:misc-activity; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC solaris 2.5 attempt";flags: A+; content:"friday"; classtype:attempted-user; sid:218; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Solaris 2.5 attempt"; flow:to_server,established; content:"friday"; classtype:attempted-user; sid:218; rev:4;)
     old: alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any (msg:"BACKDOOR WinCrash 1.0 Server Active" ; flags:SA; content:"|B4 B4|";  reference:arachnids,36; sid:163;  classtype:misc-activity; rev:3;)
     new: alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any (msg:"BACKDOOR WinCrash 1.0 Server Active" ; flags:SA,12; content:"|B4 B4|";  reference:arachnids,36; sid:163;  classtype:misc-activity; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC linux rootkit attempt";flags: A+; content:"d13hh["; nocase; classtype:attempted-admin; sid:215; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"d13hh["; nocase; classtype:attempted-admin; sid:215; rev:4;)
     old: alert tcp $EXTERNAL_NET !80 -> $HOME_NET 21554 (msg:"BACKDOOR GirlFriendaccess"; flags: A+; content:"Girl"; reference:arachnids,98; sid:145;  classtype:misc-activity; rev:3;)
     new: alert tcp $EXTERNAL_NET !80 -> $HOME_NET 21554 (msg:"BACKDOOR GirlFriendaccess"; flow:to_server,established; content:"Girl"; reference:arachnids,98; sid:145;  classtype:misc-activity; rev:4;)
     old: alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 2589 (msg:"BACKDOOR - Dagger_1.4.0_client_connect"; flags: A+; content: "|0b 00 00 00 07 00 00 00|Connect"; depth: 16; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; reference:arachnids,483; sid:104;  classtype:misc-activity; rev:4;)
     new: alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 2589 (msg:"BACKDOOR - Dagger_1.4.0_client_connect"; flow:to_server,established; content: "|0b 00 00 00 07 00 00 00|Connect"; depth: 16; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; reference:arachnids,483; sid:104;  classtype:misc-activity; rev:5;)
     old: alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Connection"; flags: A+; content:"c|3A|\\"; sid:152;  classtype:misc-activity; rev:3;)
     new: alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Connection"; flow:established,from_server; content:"c|3A|\\"; sid:152;  classtype:misc-activity; rev:4;)
     old: alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere 1.31.337 access"; flags: A+; content:"NetSphere";  reference:arachnids,76; sid:155;  classtype:misc-activity; rev:3;)
     new: alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere 1.31.337 access"; flow:from_server,established; content:"NetSphere";  reference:arachnids,76; sid:155;  classtype:misc-activity; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC sm4ck attempt";flags: A+; content:"hax0r"; classtype:attempted-admin; sid:217; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC sm4ck attempt"; flow:to_server,established; content:"hax0r"; classtype:attempted-admin; sid:217; rev:3;)
     old: alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (msg:"BACKDOOR PhaseZero Server Active on Network"; flags: A+; content:"phAse"; sid:208;  classtype:misc-activity; rev:3;)
     new: alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (msg:"BACKDOOR PhaseZero Server Active on Network"; flow:established,from_server; content:"phAse"; sid:208; classtype:misc-activity; rev:4;)
     old: alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 (msg:"BACKDOOR Infector 1.6 Client to Server Connection Request"; content:"|46 43 20|"; flags:A+; sid:121;  classtype:misc-activity; rev:3;)
     new: alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 (msg:"BACKDOOR Infector 1.6 Client to Server Connection Request"; flow:to_server,established; content:"FC "; sid:121;  classtype:misc-activity; rev:4;)
     old: alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Server FTP Open Reply"; flags: A+; content:"FTP Port open"; sid:158;  classtype:misc-activity; rev:3;)
     new: alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Server FTP Open Reply"; flow:from_server,established; content:"FTP Port open"; sid:158;  classtype:misc-activity; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC rewt attempt";flags: A+; content:"rewt"; classtype:attempted-admin; sid:212; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC rewt attempt"; flow:to_server,established; content:"rewt"; classtype:attempted-admin; sid:212; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HidePak backdoor attempt";flags: A+; content:"StoogR"; sid:219;  classtype:misc-activity; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HidePak backdoor attempt"; flow:to_server,established; content:"StoogR"; sid:219;  classtype:misc-activity; rev:5;)
     old: alert tcp $EXTERNAL_NET 80 -> $HOME_NET 1054 (msg:"BACKDOOR ACKcmdC trojan scan"; seq: 101058054; ack: 101058054; flags: A;reference:arachnids,445; sid:106;  classtype:misc-activity; rev:3;)
     new: alert tcp $EXTERNAL_NET 80 -> $HOME_NET 1054 (msg:"BACKDOOR ACKcmdC trojan scan"; seq: 101058054; ack: 101058054; flags: A,12;reference:arachnids,445; sid:106;  classtype:misc-activity; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC linux rootkit attempt lrkr0x";flags: A+; content:"lrkr0x"; classtype:attempted-admin; sid:214; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt lrkr0x"; flow:to_server,established; content:"lrkr0x"; classtype:attempted-admin; sid:214; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flags: A+; content:"FTPON"; sid:157;  classtype:misc-activity; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flow:to_server,established; content:"FTPON"; sid:157;  classtype:misc-activity; rev:4;)
     old: alert tcp $HOME_NET 2589 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR - Dagger_1.4.0"; flags: A+; content: "|3200000006000000|Drives|2400|"; depth: 16; reference:arachnids,484; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; sid:105;  classtype:misc-activity; rev:4;)
     new: alert tcp $HOME_NET 2589 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR - Dagger_1.4.0"; flow:from_server,established; content: "|3200000006000000|Drives|2400|"; depth: 16; reference:arachnids,484; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; sid:105;  classtype:misc-activity; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR attempt"; flags: A+; content:"backdoor"; nocase; classtype:attempted-admin; sid:210; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR attempt"; flow:to_server,established; content:"backdoor"; nocase; classtype:attempted-admin; sid:210; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"BACKDOOR CDK"; content: "ypi0ca"; nocase; flags: A+; depth: 15;  reference:arachnids,263; sid:185;  classtype:misc-activity; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"BACKDOOR CDK"; flow:to_server,established; content:"ypi0ca"; nocase; depth:15;  reference:arachnids,263; classtype:misc-activity; sid:185; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC linux rootkit attempt";flags: A+; content:"wh00t!"; classtype:attempted-admin; sid:213; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"wh00t!"; classtype:attempted-admin; sid:213; rev:4;)
     old: alert tcp $HOME_NET 30100 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere access"; flags: A+; content:"NetSphere"; reference:arachnids,76; sid:146;  classtype:misc-activity; rev:3;)
     new: alert tcp $HOME_NET 30100 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere access"; flow:established,from_server; content:"NetSphere"; reference:arachnids,76; sid:146;  classtype:misc-activity; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC r00t attempt";flags: A+; content:"r00t"; classtype:attempted-admin; sid:211; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC r00t attempt"; flow:to_server,established; content:"r00t"; classtype:attempted-admin; sid:211; rev:3;)
     old: alert tcp $HOME_NET 23476 -> $EXTERNAL_NET any (msg:"BACKDOOR DonaldDick 1.53 Traffic"; flags: A+; content:"pINg"; sid:153;  classtype:misc-activity; rev:3;)
     new: alert tcp $HOME_NET 23476 -> $EXTERNAL_NET any (msg:"BACKDOOR DonaldDick 1.53 Traffic"; flow:from_server,established; content:"pINg"; sid:153;  classtype:misc-activity; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR w00w00 attempt";flags: A+; content:"w00w00"; reference:arachnids,510; classtype:attempted-admin; sid:209; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR w00w00 attempt"; flow:to_server,established; content:"w00w00"; reference:arachnids,510; classtype:attempted-admin; sid:209; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC linux rootkit satori attempt";flags: A+; content:"satori"; reference:arachnids,516; classtype:attempted-admin; sid:216; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit satori attempt"; flow:to_server,established; content:"satori"; reference:arachnids,516; classtype:attempted-admin; sid:216; rev:6;)
     old: alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR Infector.1.x"; content: "WHATISIT"; flags: A+; reference:arachnids,315; sid:117;  classtype:misc-activity; rev:3;)
     new: alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR Infector.1.x"; content: "WHATISIT"; flow:established,from_server; reference:arachnids,315; sid:117;  classtype:misc-activity; rev:4;)

     file -> telnet.rules
     old: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET solaris memory mismanagement exploit attempt"; flow:to_server,established; content:"|A0 23 A0 10 AE 23 80 10 EE 23 BF EC 82 05 E0 D6 90 25 E0|"; classtype:shellcode-detect; sid:1430; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET Solaris memory mismanagement exploit attempt"; flow:to_server,established; content:"|A0 23 A0 10 AE 23 80 10 EE 23 BF EC 82 05 E0 D6 90 25 E0|"; classtype:shellcode-detect; sid:1430; rev:6;)

     file -> chat.rules
     old: alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC message"; flow:to_server,established; content:"PRIVMSG "; nocase; offset:0; classtype:misc-activity; sid:1463;  rev:3;)
     new: alert tcp $HOME_NET any <> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC message"; flow:established; content:"PRIVMSG "; nocase; classtype:misc-activity; sid:1463; rev:5;)
     old: alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"CHAT AIM recieve message"; flow:to_client; content:"|2a 02|"; offset:0; depth:2; content:"|00 04 00 07|"; offset:6; depth:4; classtype:policy-violation; sid:1633; rev:3;)
     new: alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"CHAT AIM receive message"; flow:to_client; content:"|2a 02|"; offset:0; depth:2; content:"|00 04 00 07|"; offset:6; depth:4; classtype:policy-violation; sid:1633; rev:4;)
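Review bot: sid 1463 moves from a one-way `->` rule with `flow:to_server` to `<>` with a direction-less `flow:established`, so it now also fires on PRIVMSG lines the server delivers to the client; that roughly doubles alerts per conversation, and the unchanged msg `CHAT IRC message` no longer tells an analyst which direction triggered. A comment next to the rule, e.g. `# bidirectional: fires on client-sent and on server-delivered PRIVMSG`, or a split into two sids with direction-specific msgs, would make the intent self-explaining. The dropped `offset:0` is a harmless cleanup, since offset 0 is the default and the old rule had no depth to pair it with.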

     file -> bad-traffic.rules
     old: alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC Unassigned/Reserved IP protocol"; ip_proto:>134; classtype:non-standard-protocol; sid:1627; rev:1;)
     new: alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC Unassigned/Reserved IP protocol"; ip_proto:>134; reference:url,www.iana.org/assignments/protocol-numbers; classtype:non-standard-protocol; sid:1627; rev:3;)
     old: alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC bad frag bits"; fragbits:MD; sid:1322; classtype:misc-activity; rev:4;)
     new: alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC bad frag bits"; fragbits:MD; sid:1322; classtype:misc-activity; rev:5;)
     old: alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD TRAFFIC tcp port 0 traffic"; classtype:misc-activity; sid:524; rev:5;)
     new: alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; classtype:misc-activity; sid:524; rev:6;)
     old: alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC ip reserved bit set"; fragbits:R; sid:523;  classtype:misc-activity; rev:3;)
     new: alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC ip reserved bit set"; fragbits:R; sid:523;  classtype:misc-activity; rev:4;)
     old: alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any (msg:"BAD TRAFFIC syn to multicast address"; flags:S+; classtype:bad-unknown; sid:1431; rev:4;)
     new: alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any (msg:"BAD-TRAFFIC syn to multicast address"; flags:S+; classtype:bad-unknown; sid:1431; rev:5;)
     old: alert ip any any -> any any (msg:"BAD TRAFFIC same SRC/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:3;)
     new: alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:4;)
     old: alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC 0 ttl"; ttl:0; reference:url,www.isi.edu/in-notes/rfc1122.txt; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; sid:1321; classtype:misc-activity; rev:5;)
     new: alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,www.isi.edu/in-notes/rfc1122.txt; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; sid:1321; classtype:misc-activity; rev:6;)
     old: alert ip any any <> 127.0.0.0/8 any (msg:"BAD TRAFFIC loopback traffic"; classtype:bad-unknown; reference:url,rr.sans.org/firewall/egress.php; sid:528; rev:3;)
     new: alert ip any any <> 127.0.0.0/8 any (msg:"BAD-TRAFFIC loopback traffic"; classtype:bad-unknown; reference:url,rr.sans.org/firewall/egress.php; sid:528; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC data in TCP SYN packet"; flags:S; dsize:>6; reference:url,www.cert.org/incident_notes/IN-99-07.html; sid:526;  classtype:misc-activity; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; flags:S,12; dsize:>6; reference:url,www.cert.org/incident_notes/IN-99-07.html; sid:526;  classtype:misc-activity; rev:6;)
     old: alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD TRAFFIC udp port 0 traffic"; reference:cve,CVE-1999-0675; reference:nessus,10074; classtype:misc-activity; sid:525; rev:4;)
     new: alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC udp port 0 traffic"; reference:cve,CVE-1999-0675; reference:nessus,10074; classtype:misc-activity; sid:525; rev:5;)
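Review bot: The `ip_proto:>134` bound in sid 1627 is a snapshot of the registry the newly added IANA reference points to, so as numbers above 134 are assigned the rule will start flagging legitimately allocated protocols as "Unassigned/Reserved" (assignments in that range have been made since this rule was written). The reference is welcome, but the rule deserves a comment stating that the bound must track the registry, e.g. `# bound = highest assigned IP protocol number at time of writing; re-check www.iana.org/assignments/protocol-numbers before trusting alerts`. Separately, the `flags:S,12` change on sid 526 is a real improvement (SYNs with the two reserved/ECN bits set no longer slip past the check) but nothing records why; a one-line comment such as `# ,12 ignores the two reserved bits so ECN-negotiating SYNs still match` would stop a later maintainer from "simplifying" it back to `flags:S`.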

     file -> pop2.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 linux overflow"; flow:to_server,established; content:"|eb2c 5b89 d980 c106 39d9 7c07 8001|"; classtype:attempted-admin; sid:284; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:to_server,established; content:"|eb2c 5b89 d980 c106 39d9 7c07 8001|"; classtype:attempted-admin; sid:284; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 linux overflow"; flow:to_server,established; content:"|ffff ff2f 4249 4e2f 5348 00|"; classtype:attempted-admin; sid:285; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:to_server,established; content:"|ffff ff2f 4249 4e2f 5348 00|"; classtype:attempted-admin; sid:285; rev:6;)

     file -> shellcode.rules
     old: alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE aix NOOP"; content:"|4fff fb82 4fff fb82 4fff fb82 4fff fb82|"; classtype:shellcode-detect; sid:640; rev:3;)
     new: alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE AIX NOOP"; content:"|4fff fb82 4fff fb82 4fff fb82 4fff fb82|"; classtype:shellcode-detect; sid:640; rev:4;)
     old: alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE hpux NOOP"; content:"|0b39 0280 0b39 0280 0b39 0280 0b39 0280|";reference:arachnids,359; classtype:shellcode-detect; sid:643; rev:3;)
     new: alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE HP-UX NOOP"; content:"|0b39 0280 0b39 0280 0b39 0280 0b39 0280|";reference:arachnids,359; classtype:shellcode-detect; sid:643; rev:4;)
     old: alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE linux shellcode"; content:"|90 90 90 e8 c0 ff ff ff|/bin/sh";  reference:arachnids,343; classtype:shellcode-detect; sid:652; rev:5;)
     new: alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE Linux shellcode"; content:"|90 90 90 e8 c0 ff ff ff|/bin/sh";  reference:arachnids,343; classtype:shellcode-detect; sid:652; rev:6;)
     old: alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE digital unix NOOP"; content:"|47 ff 04 1f 47 ff 04 1f 47 ff 04 1f 47 ff 04 1f|"; reference:arachnids,352; classtype:shellcode-detect; sid:641; rev:3;)
     new: alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE Digital UNIX NOOP"; content:"|47 ff 04 1f 47 ff 04 1f 47 ff 04 1f 47 ff 04 1f|"; reference:arachnids,352; classtype:shellcode-detect; sid:641; rev:4;)
     old: alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE hpux NOOP"; content:"|0821 0280 0821 0280 0821 0280 0821 0280|"; reference:arachnids,358; classtype:shellcode-detect; sid:642; rev:3;)
     new: alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE HP-UX NOOP"; content:"|0821 0280 0821 0280 0821 0280 0821 0280|"; reference:arachnids,358; classtype:shellcode-detect; sid:642; rev:4;)

[*] Non-rule changes: [*]

  [+++]       Added lines:       [+++]

    -> File "other-ids.rules":
       #  2) If you are "pen-tester", this is a good way to find out what IDS
       #     systems your target is using after you have gained access to their
       #     network.
    -> File "web-misc.rules":
       # WEBROOT if possible, and verify that a compromise of customer information has
       # argument.  An attacker can use this vulnerability to execute arbitrary
       # is no longer maintained and should be replaced with an actively maintained
       # engines) more efficient.  robots.txt is often used to inform a web spider
    -> File "web-cgi.rules":
       # NOTES: this signature looks for someone accessing the web application
       # "way-board.cgi".  This application allows attackers to view arbitrary
       # files that are readable with the privilages of the web server.
    -> File "deleted.rules":
       # basically duplicate of 330 
       # duplicate of 475
       # not needed thanks to 1964 and 1965
       # dup of 589
       # dup of 1275
       # dup of 1280
       # dup of 1281
       # this has been replaced with sid 1905 and 1906
       # these have been replaced by 1915, 1916, 1914, and 1913
       # duplicate of 1088
       # these are obsolete
       # what is this rule?  we have no idea...
       # These have been replaced by better rules (1915,1916,1913,1914)
    -> File "tftp.rules":
       # that are distributed via TFTP.
    -> File "rpc.rules":
       ## bleck.  Not happy about this.  because of the non-rule ordering foo, I'm
       ## checking the first byte in the version, which should always be 0.  When we
       ## alert multiple times on a packet, I'll put these rules back to:
       ##   content:"|0a 01 86 a0|"; offset:16; depth:4; content:"|00 00 00 05|";
       ##    distance:4; within:4;
       # this rule makes me not happy as well.  see above.
       # not sure what this rule is looking for, other than the procedure 15
       # These need re-verified
       # this needs re-visited...
    -> File "mysql.rules":
       # These signatures detect unusual and potentially malicious mysql traffic.
    -> File "misc.rules":
       # This rule needs some work since you don't have to pass BEGIN and END
       # anywhere near each other.
       #
       #! alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 ( \
       #!   msg:"MISC CVS username overflow attempt"; flow:to_server,established; \
       #!   content:"BEGIN AUTH REQUEST|0A|"; content:!"|0A|END AUTH REQUEST|0A|"; \
       #!   within:255; classtype:misc-attack;)
       # normally Idon't like using 3a for :, but in this case... I'd like to remove the false positives stemming from someone using anoncvs to checkout snort rules :)
    -> File "oracle.rules":
       # These signatures detect unusual and potentially malicious oracle traffic.

  [---]      Removed lines:      [---]
    -> File "other-ids.rules":
       #  2) If you are "pen-tester", this is a good way to find out what IDSs
       #     your target is using after you have gained access to their network.
    -> File "web-misc.rules":
       # WEBROOT if possile, and verify that a compromise of customer information has
       # arguement.  An attacker can use this vulnerability to execute arbitrary
       # "way-board.cgi".  This application allows attackers to view arbitrary
       # files that are readable with the privilages of the web server.
       # is no longer maintained and should be replaced with an activily maintained
       # engines) more efficent.  robots.txt is often used to inform a web spider
    -> File "deleted.rules":
       # basicly duplicate of 330 
       # spp_conversation takes care of this now
    -> File "tftp.rules":
       # that are distrubted via TFTP.
    -> File "mysql.rules":
       # These signatures detect unusual and potentually malicous mysql traffic.
    -> File "oracle.rules":
       # These signatures detect unusual and potentually malicous oracle traffic.




