[Snort-sigs] snort-rules CURRENT update @ Wed May 14 14:14:32 2003

bmc at ...95... bmc at ...95...
Wed May 14 13:15:15 EDT 2003


This rule update was brought to you by Oinkmaster.
Written by Andreas Östling <andreaso at ...58...>


[*] Rule modifications: [*]

  [+++]           Added:           [+++]

     file -> web-iis.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Battleaxe Forum login.asp access"; flow:to_server,established; uricontent:"myaccount/login.asp"; reference:cve,CAN-2003-0215; reference:bugtraq,7416; classtype:web-application-activity; sid:2117; rev:2;)

     file -> pop3.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; content:!"|0a|"; within:10; classtype:attempted-admin; sid:2110; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE negative arguement attempt"; content:"DELE"; depth:4; nocase; content:"-"; distance:1; byte_test:1,>,0,0,relative,string; classtype:misc-attack; reference:bugtraq,7445; reference:bugtraq,6053; sid:2121; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; content:!"|0a|"; within:10; classtype:attempted-admin; sid:2111; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 TOP overflow attempt"; flow:to_server,established; content:"TOP"; nocase; content:!"|0a|"; within:10; classtype:attempted-admin; sid:2109; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 RSET overflow attempt"; flow:to_server,established; content:"RSET"; nocase; content:!"|0a|"; within:10; classtype:attempted-admin; sid:2112; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 UIDL negative arguement attempt"; content:"UIDL"; depth:4; nocase; content:"-"; distance:1; byte_test:1,>,0,0,relative,string; classtype:misc-attack; reference:bugtraq,6053; sid:2122; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 CAPA overflow attempt"; flow:to_server,established; content:"CAPA"; nocase; content:!"|0a|"; within:10; classtype:attempted-admin; sid:2108; rev:1;)

     file -> web-cgi.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI album.pl access"; flow:to_server,established; content:"/album.pl"; nocase; reference:bugtraq,7444;  classtype:web-application-activity; sid:2115; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI chipcfg.cgi access"; flow:to_server,established; uricontent:"/chipcfg.cgi"; nocase; reference:bugtraq,2767; reference:cve,CAN-2001-1341;  classtype:web-application-activity; sid:2116; rev:1;)

     file -> deleted.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Land attack"; id:3868; seq: 3868; flags:S; reference:cve,CVE-1999-0016; classtype:attempted-dos; sid:269; rev:3;)
     alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned http"; flow:from_server,established; content:"uid="; content:"(http)"; classtype:bad-unknown; sid:1885; rev:4;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT x86 windows CSMMail overflow"; flow:to_server,established; content:"|eb53 eb20 5bfc 33c9 b182 8bf3 802b|"; reference:bugtraq,895; reference:cve,CVE-2000-0042; classtype:attempted-admin; sid:656; rev:6;)
     alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned apache"; flow:from_server,established; content:"uid="; content:"(apache)"; classtype:bad-unknown; sid:1886; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco Web DOS attempt"; flow:to_server,established; content: "|20 2F 25 25|"; depth: 16; reference:arachnids,275; classtype:attempted-dos; sid:1138;  rev:5;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.4.1 exploit"; flow:to_server,established; content:"rcpt to|3a207c| sed '1,/^$/d'|7c|"; nocase;reference:arachnids,120; classtype:attempted-user; sid:666; rev:5;)
     alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned web"; flow:from_server,established; content:"uid="; content:"(web)"; classtype:bad-unknown; sid:1884; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF 53 4D 42 25|"; offset:4; depth:5; content:"|00 00|"; offset:45; depth:2; reference:cve,CAN-2002-0724; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.asp; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:denial-of-service; sid:2102; rev:3;)
     alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned nobody"; flow:from_server,established; content:"uid="; content:"(nobody)"; classtype:bad-unknown; sid:1883; rev:4;)

     file -> imap.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate literal overflow attempt"; flow:established,to_server; content:" AUTHENTICATE "; nocase; content:"{"; distance:0; byte_test:5,>,256,0,string,dec,relative; reference:nessus,10292; reference:cve,CVE-1999-0042; classtype:misc-attack; sid:2105; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create buffer overflow attempt"; flow:to_server,established; content:" CREATE "; content:!"|0a|"; within:1024; reference:bugtraq,7446; classtype:misc-attack; sid:2107; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list overflow attempt"; flow:established,to_server; content:" LIST "; nocase; content:!"|0a|"; within:100; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:2118; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub overflow attempt"; content:" LSUB "; content:!"|0a|"; within:100; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:2106; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP rename literal overflow attempt"; flow:established,to_server; content:" RENAME |22|"; content:"|22| {"; distance:0; nocase; byte_test:5,>,256,0,string,dec,relative; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:2119; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create literal buffer overflow attempt"; flow:to_server,established; content:" CREATE"; content:" {"; distance:0; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,7446; classtype:misc-attack; sid:2120; rev:1;)

     file -> rservices.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"RSERVICES rexec password overflow attempt"; content:"|00|"; content:"|00|"; distance:33; content:"|00|"; distance:0; classtype:attempted-admin; sid:2114; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"RSERVICES rexec username overflow attempt"; content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|"; distance:0; classtype:attempted-admin; sid:2113; rev:2;)

     file -> attack-responses.rules
     alert tcp $HOME_NET 512 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES rexec username too long response"; flow:from_server,established; content:"username too long"; offset:0; depth:17; classtype:unsuccessful-user; sid:2104; rev:2;)

  [---]          Disabled:         [---]

     file -> netbios.rules
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS Samba clientaccess"; flow:to_server,established; content:"|00|Unix|00|Samba"; reference:arachnids,341; classtype:not-suspicious; sid:539;  rev:4;)

  [---]          Removed:          [---]

     file -> web-misc.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco Web DOS attempt"; flow:to_server,established; content: "|20 2F 25 25|"; depth: 16; reference:arachnids,275; classtype:attempted-dos; sid:1138;  rev:4;)

     file -> smtp.rules
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT x86 windows CSMMail overflow"; flow:to_server,established; content:"|eb53 eb20 5bfc 33c9 b182 8bf3 802b|"; reference:bugtraq,895; reference:cve,CVE-2000-0042; classtype:attempted-admin; sid:656; rev:5;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.4.1 exploit"; flow:to_server,established; content:"rcpt to|3a207c| sed '1,/^$/d'|7c|"; nocase;reference:arachnids,120; classtype:attempted-user; sid:666; rev:4;)

     file -> dos.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Land attack"; id:3868; seq: 3868; flags:S; reference:cve,CVE-1999-0016; classtype:attempted-dos; sid:269; rev:2;)

     file -> netbios.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF 53 4D 42 25|"; offset:4; depth:5; content:"|00 00|"; offset:45; depth:2; reference:cve,CAN-2002-0724; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.asp; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:denial-of-service; sid:2102; rev:2;)

     file -> attack-responses.rules
     alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned http"; flow:from_server,established; content:"uid="; content:"(http)"; classtype:bad-unknown; sid:1885; rev:3;)
     alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned apache"; flow:from_server,established; content:"uid="; content:"(apache)"; classtype:bad-unknown; sid:1886; rev:3;)
     alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned web"; flow:from_server,established; content:"uid="; content:"(web)"; classtype:bad-unknown; sid:1884; rev:3;)
     alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned nobody"; flow:from_server,established; content:"uid="; content:"(nobody)"; classtype:bad-unknown; sid:1883; rev:3;)

  [///]       Modified active:     [///]

     file -> pop3.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS "; nocase; content:!"|0a|"; within:50; reference:cve,CAN-1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; content:!"|0a|"; within:50; reference:cve,CAN-1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP overflow attempt"; flow:to_server,established; content:"APOP "; nocase; content:!"|0a|"; within:256; reference:cve,CAN-2000-0841; reference:bugtraq,1652; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; content:!"|0a|"; within:256; reference:cve,CAN-2000-0841; reference:bugtraq,1652; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"|5e0 e31c 0b03 b8d7 e0e8 9fa 89f9|"; classtype:attempted-admin; sid:286; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"|5e0 e31c 0b03 b8d7 e0e8 9fa 89f9|"; reference:cve,CVE-1999-0006; reference:bugtraq,133; classtype:attempted-admin; sid:286; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 XTND overflow attempt"; flow:to_server,established; content:"XTND "; nocase; content:!"|0a|"; within:50; classtype:attempted-admin; sid:1938; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 XTND overflow attempt"; flow:to_server,established; content:"XTND"; nocase; content:!"|0a|"; within:50; classtype:attempted-admin; sid:1938; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 LIST overflow attempt"; flow:to_server,established; content:"LIST "; nocase; content:!"|0a|"; within:50; reference:bugtraq,948; reference:cve,CAN-2000-0096; classtype:attempted-admin; sid:1937; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; content:!"|0a|"; within:50; reference:bugtraq,948; reference:cve,CAN-2000-0096; classtype:attempted-admin; sid:1937; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER overflow attempt"; flow:to_server,established; content:"USER "; nocase; content:!"|0a|"; within:50; reference:bugtraq,789; reference:cve,CVE-1999-0494; reference:nessus,10311; classtype:attempted-admin; sid:1866; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; content:!"|0a|"; within:50; reference:bugtraq,789; reference:cve,CVE-1999-0494; reference:nessus,10311; classtype:attempted-admin; sid:1866; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 AUTH overflow attempt"; flow:to_server,established; content:"AUTH "; nocase; content:!"|0a|"; within:50; classtype:attempted-admin; sid:1936; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 AUTH overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; content:!"|0a|"; within:50; classtype:attempted-admin; sid:1936; rev:2;)

     file -> smtp.rules
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.5.8 overflow"; flow:to_server,established; content: "|7c 73 65 64 20 2d 65 20 27 31 2c 2f 5e 24 2f 27|";  reference:arachnids,172; reference:cve,CVE-1999-0095; classtype:attempted-admin; sid:663; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to sed command attempt"; flow:to_server,established; content:"rcpt to\:"; nocase; content:"\|"; distance:0; content:"sed "; distance:0; reference:bugtraq,1; reference:arachnids,172; reference:cve,CVE-1999-0095; classtype:attempted-admin; sid:663; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow attempt"; flow:to_server,established; content:"HELO "; offset:0; depth:5; content:!"|0a|"; within:500; reference:cve,CVE-2000-0042; reference:nessus,10324; classtype:attempted-admin; sid:1549; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow attempt"; flow:to_server,established; content:"HELO "; offset:0; depth:5; content:!"|0a|"; within:500; reference:bugtraq,895; reference:cve,CVE-2000-0042; reference:nessus,10324; classtype:attempted-admin; sid:1549; rev:10;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP exchange mime DOS"; flow:to_server,established; content:"|63 68 61 72 73 65 74 20 3D 20 22 22|"; classtype:attempted-dos; sid:658; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP exchange mime DOS"; flow:to_server,established; content:"charset = |22 22|"; classtype:attempted-dos; sid:658; rev:5;)

     file -> exploit.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"EXPLOIT x86 Linux samba overflow"; flow:to_server,established; content:"|eb2f 5feb 4a5e 89fb 893e 89f2|"; reference:bugtraq,1816; reference:cve,CVE-1999-0811; reference:cve,CVE-1999-0182; classtype:attempted-admin; sid:292;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"EXPLOIT x86 Linux samba overflow"; flow:to_server,established; content:"|eb2f 5feb 4a5e 89fb 893e 89f2|"; reference:bugtraq,1816; reference:cve,CVE-1999-0811; reference:cve,CVE-1999-0182; classtype:attempted-admin; sid:292; rev:5;)

     file -> dns.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content: "|00 00 FC|"; offset:14; reference:cve,CAN-1999-0532; reference:arachnids,212; classtype:attempted-recon; sid:255; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content: "|00 00 FC|"; offset:15; reference:cve,CAN-1999-0532; reference:arachnids,212; classtype:attempted-recon; sid:255; rev:8;)

     file -> web-php.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php access"; flow:to_server,established; uricontent:"/admin.php"; nocase; reference:bugtraq,3361; classtype:attempted-recon; sid:1301; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php access"; flow:to_server,established; uricontent:"/admin.php"; nocase; reference:bugtraq,7532; reference:bugtraq,3361; classtype:attempted-recon; sid:1301; rev:6;)

     file -> rpc.rules
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request UDP"; content:"|00 01 86 A4|"; offset:12; depth:4; content:"|00 00 00 0B|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2033; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A4|"; offset:12; depth:4; content:"|00 00 00 0B|"; distance:4; within:4; reference:bugtraq,6016; reference:bugtraq,5914; reference:cve,CAN-2002-1232; classtype:rpc-portmap-decode; sid:2033; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 7D|"; within:4; reference:cve,CAN-2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2005; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 7D|"; within:4; reference:cve,CAN-2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2005; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap status request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2016; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap status request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2016; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2028; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A9|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2028; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7 68|"; within:4; reference:cve,CAN-2002-0359; reference:bugtraq,5075; classtype:rpc-portmap-decode; sid:2082; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7 68|"; within:4; reference:cve,CAN-2002-0359; reference:bugtraq,5075; classtype:rpc-portmap-decode; sid:2082; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP PING"; content:"|00 01 87 88|"; offset:12; depth:4; content:"|00 00 00 00|"; distance:4; within:4; reference:bugtraq,866; classtype:attempted-admin; sid:1957; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP PING"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 87 88|"; offset:12; depth:4; content:"|00 00 00 00|"; distance:4; within:4; reference:bugtraq,866; classtype:attempted-admin; sid:1957; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request TCP"; flow:to_server,established; content:"|00 01 86 A4|"; offset:16; depth:4; content:"|00 00 00 0B|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2034; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A4|"; offset:16; depth:4; content:"|00 00 00 0B|"; distance:4; within:4; reference:bugtraq,6016; reference:bugtraq,5914; reference:Cve,CAN-2002-1232; classtype:rpc-portmap-decode; sid:2034; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount request"; flow:to_server,established; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:attempted-recon; sid:1951; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount request"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:attempted-recon; sid:1951; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap RQUOTA request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; classtype:rpc-portmap-decode; sid:1961; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap RQUOTA request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; classtype:rpc-portmap-decode; sid:1961; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt UDP 111"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1950; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt UDP 111"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1950; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; reference:arachnids,10; classtype:rpc-portmap-decode; sid:1270; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; reference:arachnids,10; classtype:rpc-portmap-decode; sid:1270; rev:9;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk UDP overflow attempt"; content:"|00 01 86 F3|"; offset:12; depth:4; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; reference:cve,CVE-1999-0003; reference:bugtraq,122; classtype:misc-attack; sid:1964; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk UDP overflow attempt"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 F3|"; offset:12; depth:4; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; reference:cve,CVE-1999-0003; reference:bugtraq,122; classtype:misc-attack; sid:1964; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt UDP"; content:"|00 01 86 A9|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2029; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A9|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2029; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap selection_svc request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; reference:arachnids,25; classtype:rpc-portmap-decode; sid:586; rev:5;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap selection_svc request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; reference:arachnids,25; classtype:rpc-portmap-decode; sid:586; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 01 87 7D|"; offset:16; depth:4; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; reference:cve,CAN-2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2007; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 87 7D|"; offset:16; depth:4; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; reference:cve,CAN-2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2007; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:598; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,428; classtype:rpc-portmap-decode; sid:598; rev:10;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap NFS request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; classtype:rpc-portmap-decode; sid:1960; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap NFS request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; classtype:rpc-portmap-decode; sid:1960; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2030; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A9|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2030; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request UDP"; content:"|00 03 0D 70|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2037; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 03 0D 70|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2037; rev:2;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 05|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1923; rev:3;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 05|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1923; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nisd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 cc|"; within:4; reference:arachnids,21; classtype:rpc-portmap-decode; sid:580; rev:5;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nisd request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 cc|"; within:4; reference:arachnids,21; classtype:rpc-portmap-decode; sid:580; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing TCP 32771"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:599; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing TCP 32771"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:599; rev:9;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap status request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:587; rev:5;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap status request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:587; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7 75|"; within:4; reference:cve,CAN-2001-0331; classtype:rpc-portmap-decode; sid:595; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap espd request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7 75|"; within:4; reference:cve,CAN-2001-0331; classtype:rpc-portmap-decode; sid:595; rev:10;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmountall request"; flow:to_server,established; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 04|"; distance:4; within:4; classtype:attempted-recon; sid:2022; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmountall request"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 04|"; distance:4; within:4; classtype:attempted-recon; sid:2022; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server,established; content:"|00 01 87 88|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; reference:cve,CVE-1999-0977; reference:bugtraq,866; classtype:attempted-admin; sid:1912; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 87 88|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; reference:cve,CVE-1999-0977; reference:bugtraq,866; classtype:attempted-admin; sid:1912; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; content:"|00 01 86 B8|"; offset:12; depth:4; content:"|00 00 00 02|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; reference:bugtraq,1480; reference:cve,CVE-2000-0666; classtype:misc-attack; sid:1890; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 B8|"; offset:12; depth:4; content:"|00 00 00 02|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; reference:bugtraq,1480; reference:cve,CVE-2000-0666; classtype:misc-attack; sid:1890; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rexd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; reference:arachnids,23; classtype:rpc-portmap-decode; sid:582; rev:5;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rexd request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; reference:arachnids,23; classtype:rpc-portmap-decode; sid:582; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; reference:arachnids,25; classtype:rpc-portmap-decode; sid:1273; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; reference:arachnids,25; classtype:rpc-portmap-decode; sid:1273; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; reference:cve,CVE-2000-0508; reference:bugtraq,1372; classtype:rpc-portmap-decode; sid:2080; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; reference:cve,CVE-2000-0508; reference:bugtraq,1372; classtype:rpc-portmap-decode; sid:2080; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt UDP"; content:"|00 01 86 A0 00|"; offset:12; depth:5; content:"|00 00 00 05|"; distance:3; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; classtype:rpc-portmap-decode; reference:cve,CAN-2003-0028; reference:bugtraq,7123; sid:2092; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0 00|"; offset:12; depth:5; content:"|00 00 00 05|"; distance:3; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; classtype:rpc-portmap-decode; reference:cve,CAN-2003-0028; reference:bugtraq,7123; sid:2092; rev:2;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP exportall request"; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 06|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:1926; rev:3;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP exportall request"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 06|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:1926; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing UDP 111"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:1280; rev:5;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing UDP 111"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,428; classtype:rpc-portmap-decode; sid:1280; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02 49 f1|"; within:4; reference:arachnids,22; classtype:rpc-portmap-decode; sid:1268; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02 49 f1|"; within:4; reference:arachnids,22; classtype:rpc-portmap-decode; sid:1268; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt TCP"; content:"|00 01 86 AB|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; reference:cve,CVE-1999-0974; reference:bugtraq,864; classtype:misc-attack; sid:2024; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt TCP"; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 AB|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; reference:cve,CVE-1999-0974; reference:bugtraq,864; classtype:misc-attack; sid:2024; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; reference:arachnids,14; classtype:rpc-portmap-decode; sid:1275; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; reference:arachnids,14; classtype:rpc-portmap-decode; sid:1275; rev:8;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update"; content:"|00 01 86 A9|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2031; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A9|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2031; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap espd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7 75|"; within:4; reference:cve,CAN-2001-0331; classtype:rpc-portmap-decode; sid:2017; rev:5;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap espd request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7 75|"; within:4; reference:cve,CAN-2001-0331; classtype:rpc-portmap-decode; sid:2017; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 cc|"; within:4; reference:arachnids,21; classtype:rpc-portmap-decode; sid:1267; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 cc|"; within:4; reference:arachnids,21; classtype:rpc-portmap-decode; sid:1267; rev:8;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmountall request"; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 04|"; distance:4; within:4; classtype:attempted-recon; sid:2023; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmountall request"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 04|"; distance:4; within:4; classtype:attempted-recon; sid:2023; rev:2;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt UDP"; content:"|00 01 86 A9|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2025; rev:3;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A9|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; reference:cve,CVE-2001-0779; reference:bugtraq,2763; sid:2025; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rusers request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; reference:cve,CVE-1999-0626; reference:arachnids,133; classtype:rpc-portmap-decode; sid:584; rev:6;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rusers request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; reference:cve,CVE-1999-0626; reference:arachnids,133; classtype:rpc-portmap-decode; sid:584; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|"; offset:16; depth:4; content:"|00 00 00 09|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1953; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP pid request"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 04 93 F3|"; offset:16; depth:4; content:"|00 00 00 09|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1953; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt UDP"; content:"|00 05 F7 68|"; offset:12; depth:4; content:"|00 00 00 0D|"; distance:4; within:4; reference:cve,CAN-2002-0359; reference:bugtraq,5075; classtype:rpc-portmap-decode; sid:2083; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 05 F7 68|"; offset:12; depth:4; content:"|00 00 00 0D|"; distance:4; within:4; reference:cve,CAN-2002-0359; reference:bugtraq,5075; classtype:rpc-portmap-decode; sid:2083; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; reference:arachnids,19; classtype:rpc-portmap-decode; sid:1263; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; reference:arachnids,19; classtype:rpc-portmap-decode; sid:1263; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; reference:arachnids,13; classtype:rpc-portmap-decode; sid:1266; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; reference:arachnids,13; classtype:rpc-portmap-decode; sid:1266; rev:8;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; reference:arachnids,17; classtype:rpc-portmap-decode; sid:578; rev:5;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; reference:arachnids,17; classtype:rpc-portmap-decode; sid:578; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rusers query"; content:"|0000000000000002000186A2|"; offset:5; reference:cve,CVE-1999-0626; reference:arachnids,136; classtype:attempted-recon; sid:612; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rusers query UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 02|"; distance:4; within:4; reference:cve,CVE-1999-0626; classtype:attempted-recon; sid:612; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap admind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; reference:arachnids,18; classtype:rpc-portmap-decode; sid:1262; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap admind request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; reference:arachnids,18; classtype:rpc-portmap-decode; sid:1262; rev:7;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP mount request"; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:attempted-recon; sid:1952; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP mount request"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:attempted-recon; sid:1952; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A0 00|"; offset:16; depth:5; content:"|00 00 00 05|"; distance:3; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; reference:cve,CAN-2003-0028; reference:bugtraq,7123; classtype:rpc-portmap-decode; sid:2093; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0 00|"; offset:16; depth:5; content:"|00 00 00 05|"; distance:3; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; reference:cve,CAN-2003-0028; reference:bugtraq,7123; classtype:rpc-portmap-decode; sid:2093; rev:2;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; reference:arachnids,13; classtype:rpc-portmap-decode; sid:579; rev:5;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; reference:arachnids,13; classtype:rpc-portmap-decode; sid:579; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypupdated request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; reference:arachnids,125; classtype:rpc-portmap-decode; sid:1277; rev:6;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypupdated request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; reference:arachnids,125; classtype:rpc-portmap-decode; sid:1277; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D 70|"; within:4; classtype:rpc-portmap-decode; sid:2036; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D 70|"; within:4; classtype:rpc-portmap-decode; sid:2036; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cachefsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; reference:cve,CAN-2002-0084; reference:bugtraq,4674; classtype:rpc-portmap-decode; sid:1747; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cachefsd request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; reference:cve,CAN-2002-0084; reference:bugtraq,4674; classtype:rpc-portmap-decode; sid:1747; rev:7;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap NFS request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; classtype:rpc-portmap-decode; sid:1959; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap NFS request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; classtype:rpc-portmap-decode; sid:1959; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt UDP 111"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 02|"; distance:4; within:4; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2015; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt UDP 111"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 02|"; distance:4; within:4; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2015; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; offset:16; depth:4; content:"|00 00 00 06|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; reference:cve,CVE-1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1909; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 E4|"; offset:16; depth:4; content:"|00 00 00 06|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; reference:cve,CVE-1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1909; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D 70|"; within:4; classtype:rpc-portmap-decode; sid:2035; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D 70|"; within:4; classtype:rpc-portmap-decode; sid:2035; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP exportall request"; flow:to_server,established; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 06|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:1925; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP exportall request"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 06|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:1925; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; content:"|00 01 86 E4|"; offset:12; depth:4; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; reference:cve,CVE-1999-0696; reference:bugtraq,524; classtype:attempted-admin; sid:1907; rev:6;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 E4|"; offset:12; depth:4; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; reference:cve,CVE-1999-0696; reference:bugtraq,524; classtype:attempted-admin; sid:1907; rev:7;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7 68|"; within:4; reference:cve,CAN-2002-0359; reference:bugtraq,5075; classtype:rpc-portmap-decode; sid:2081; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7 68|"; within:4; reference:cve,CAN-2002-0359; reference:bugtraq,5075; classtype:rpc-portmap-decode; sid:2081; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rwalld request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; classtype:rpc-portmap-decode; sid:1732; rev:6;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rwalld request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; classtype:rpc-portmap-decode; sid:1732; rev:7;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cachefsd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; reference:cve,CAN-2002-0084; reference:bugtraq,4674; classtype:rpc-portmap-decode; sid:1746; rev:6;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cachefsd request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; reference:cve,CAN-2002-0084; reference:bugtraq,4674; classtype:rpc-portmap-decode; sid:1746; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt TCP"; flow:to_server,established; content:"|00 05 F7 68|"; offset:16; depth:4; content:"|00 00 00 0D|"; distance:4; within:4; reference:cve,CAN-2002-0359; reference:bugtraq,5075; classtype:rpc-portmap-decode; sid:2084; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 05 F7 68|"; offset:16; depth:4; content:"|00 00 00 0D|"; distance:4; within:4; reference:cve,CAN-2002-0359; reference:bugtraq,5075; classtype:rpc-portmap-decode; sid:2084; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 7D|"; within:4; reference:cve,CAN-2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2006; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 7D|"; within:4; reference:cve,CAN-2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2006; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP export request"; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 05|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:1924; rev:3;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP export request"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 05|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:1924; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; reference:arachnids,20; classtype:rpc-portmap-decode; sid:1272; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; reference:arachnids,20; classtype:rpc-portmap-decode; sid:1272; rev:8;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1299; rev:8;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1299; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; offset:16; depth:4; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; reference:cve,CVE-1999-0696; reference:bugtraq,524; classtype:attempted-admin; sid:1908; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 E4|"; offset:16; depth:4; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; reference:cve,CVE-1999-0696; reference:bugtraq,524; classtype:attempted-admin; sid:1908; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP PING"; flow:to_server,established; content:"|00 01 87 88|"; offset:16; depth:4; content:"|00 00 00 00|"; distance:4; within:4; reference:bugtraq,866; classtype:attempted-admin; sid:1958; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP PING"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 87 88|"; offset:16; depth:4; content:"|00 00 00 00|"; distance:4; within:4; reference:bugtraq,866; classtype:attempted-admin; sid:1958; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap RQUOTA request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; classtype:rpc-portmap-decode; sid:1962; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap RQUOTA request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; classtype:rpc-portmap-decode; sid:1962; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt UDP"; content:"|00 01 86 AB|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; reference:cve,CVE-1999-0974; reference:bugtraq,864; classtype:misc-attack; sid:1963; rev:5;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 AB|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; reference:cve,CVE-1999-0974; reference:bugtraq,864; classtype:misc-attack; sid:1963; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2026; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A9|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; reference:cve,CVE-2001-0779; reference:bugtraq,2763; sid:2026; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,2417; classtype:rpc-portmap-decode; sid:593; rev:12;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,2417; classtype:rpc-portmap-decode; sid:593; rev:13;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; reference:arachnids,20; classtype:rpc-portmap-decode; sid:585; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; reference:arachnids,20; classtype:rpc-portmap-decode; sid:585; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmount request"; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; classtype:attempted-recon; sid:2021; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmount request"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; classtype:attempted-recon; sid:2021; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmount request"; flow:to_server,established; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; classtype:attempted-recon; sid:2020; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmount request"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; classtype:attempted-recon; sid:2020; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rwalld request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; classtype:rpc-portmap-decode; sid:1733; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rwalld request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; classtype:rpc-portmap-decode; sid:1733; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; reference:arachnids,12; classtype:rpc-portmap-decode; sid:1276; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; reference:bugtraq,6016; reference:bugtraq,5914; reference:cve,CAN-2002-1232; reference:cve,CVE-2000-1042; reference:cve,CVE-2000-1043; reference:arachnids,12; classtype:rpc-portmap-decode; sid:1276; rev:10;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap admind request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; reference:arachnids,18; classtype:rpc-portmap-decode; sid:575; rev:5;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap admind request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; reference:arachnids,18; classtype:rpc-portmap-decode; sid:575; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4;  reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:cve,CAN-2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,122; reference:arachnids,24; classtype:rpc-portmap-decode; sid:1274; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4;  reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:cve,CAN-2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,122; reference:arachnids,24; classtype:rpc-portmap-decode; sid:1274; rev:10;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing UDP 32771"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:1281; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing UDP 32771"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:1281; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD UDP monitor mon_name format string exploit attempt"; content:"|00 01 86 B8|"; offset:12; depth:4; content:"|00 00 00 02|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin; sid:1915; rev:5;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD UDP monitor mon_name format string exploit attempt"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 B8|"; offset:12; depth:4; content:"|00 00 00 02|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin; sid:1915; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request TCP"; flow:to_server,established; content:"|00 03 0D 70|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2038; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 03 0D 70|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2038; rev:2;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap amountd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; reference:arachnids,19; classtype:rpc-portmap-decode; sid:576; rev:5;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap amountd request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; reference:arachnids,19; classtype:rpc-portmap-decode; sid:576; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap snmpXdmi request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,2417; classtype:rpc-portmap-decode; sid:1279; rev:8;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap snmpXdmi request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,2417; classtype:rpc-portmap-decode; sid:1279; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD TCP stat mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin; sid:1914; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD TCP stat mon_name format string exploit attempt"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 B8|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin; sid:1914; rev:7;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP dump request"; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 02|"; distance:4; within:4; classtype:attempted-recon; sid:2019; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP dump request"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 02|"; distance:4; within:4; classtype:attempted-recon; sid:2019; rev:2;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; reference:cve,CVE-2000-0508; reference:bugtraq,1372; classtype:rpc-portmap-decode; sid:2079; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; reference:cve,CVE-2000-0508; reference:bugtraq,1372; classtype:rpc-portmap-decode; sid:2079; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt TCP"; flow:to_server,established; content:"|00 01 86 BC|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|"; distance:4; classtype:misc-attack; sid:2089; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 BC|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|"; distance:4; classtype:misc-attack; sid:2089; rev:2;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; reference:arachnids,14; classtype:rpc-portmap-decode; sid:589; rev:5;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap yppasswd request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; reference:arachnids,14; classtype:rpc-portmap-decode; sid:589; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypserv request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; reference:arachnids,12; classtype:rpc-portmap-decode; sid:590; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypserv request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; reference:bugtraq,6016; reference:bugtraq,5914; reference:cve,CAN-2002-1232; reference:cve,CVE-2000-1042; reference:cve,CVE-2000-1043; reference:arachnids,12; classtype:rpc-portmap-decode; sid:590; rev:8;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP pid request"; content:"|00 04 93 F3|"; offset:12; depth:4; content:"|00 00 00 09|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1954; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP pid request"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 04 93 F3|"; offset:12; depth:4; content:"|00 00 00 09|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1954; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; offset:16; depth:4; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; reference:cve,CAN-2002-0391; reference:bugtraq,5356; classtype:attempted-admin; sid:2095; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 E4|"; offset:16; depth:4; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; reference:cve,CAN-2002-0391; reference:bugtraq,5356; classtype:attempted-admin; sid:2095; rev:2;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt UDP"; content:"|00 01 86 A9|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2027; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A9|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2027; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap pcnfsd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02 49 f1|"; within:4; reference:arachnids,22; classtype:rpc-portmap-decode; sid:581; rev:5;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap pcnfsd request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02 49 f1|"; within:4; reference:arachnids,22; classtype:rpc-portmap-decode; sid:581; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD udp CMSD_INSERT buffer overflow attempt"; content:"|00 01 86 E4|"; offset:12; depth:4; content:"|00 00 00 06|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; reference:cve,CVE-1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1910; rev:5;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD udp CMSD_INSERT buffer overflow attempt"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 E4|"; offset:12; depth:4; content:"|00 00 00 06|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; reference:cve,CVE-1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1910; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; reference:arachnids,17; classtype:rpc-portmap-decode; sid:1265; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; reference:arachnids,17; classtype:rpc-portmap-decode; sid:1265; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1298; rev:10;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1298; rev:10;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 05|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1922; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 05|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1922; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4;  reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:cve,CAN-2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,122; reference:arachnids,24; classtype:rpc-portmap-decode; sid:588; rev:9;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4;  reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:cve,CAN-2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,122; reference:arachnids,24; classtype:rpc-portmap-decode; sid:588; rev:10;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; reference:arachnids,23; classtype:rpc-portmap-decode; sid:1269; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; reference:arachnids,23; classtype:rpc-portmap-decode; sid:1269; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1949; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt TCP 111"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1949; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; content:"|00 01 86 E4|"; offset:12; depth:4; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; reference:cve,CAN-2002-0391; reference:bugtraq,5356; classtype:attempted-admin; sid:2094; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 E4|"; offset:12; depth:4; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; reference:cve,CAN-2002-0391; reference:bugtraq,5356; classtype:attempted-admin; sid:2094; rev:2;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD UDP stat mon_name format string exploit attempt"; content:"|00 01 86 B8|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin; sid:1913; rev:6;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD UDP stat mon_name format string exploit attempt"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 B8|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin; sid:1913; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP dump request"; flow:to_server,established; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 02|"; distance:4; within:4; classtype:attempted-recon; sid:2018; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP dump request"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 02|"; distance:4; within:4; classtype:attempted-recon; sid:2018; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP amqproc_mount plog overflow attempt"; flow:to_server,established; content:"|00 04 93 F3|"; offset:16; depth:4; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; reference:cve,CVE-1999-0704; reference:bugtraq,614; classtype:misc-attack; sid:1906; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP amqproc_mount plog overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 04 93 F3|"; offset:16; depth:4; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; reference:cve,CVE-1999-0704; reference:bugtraq,614; classtype:misc-attack; sid:1906; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update"; flow:to_server,established; content:"|00 01 86 A9|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2032; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A9|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2032; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 02|"; distance:4; within:4; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2014; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt TCP 111"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 02|"; distance:4; within:4; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2014; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; reference:cve,CVE-1999-0626; reference:arachnids,133; classtype:rpc-portmap-decode; sid:1271; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; reference:cve,CVE-1999-0626; reference:arachnids,133; classtype:rpc-portmap-decode; sid:1271; rev:10;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD TCP monitor mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; offset:16; depth:4; content:"|00 00 00 02|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin; sid:1916; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD TCP monitor mon_name format string exploit attempt"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 B8|"; offset:16; depth:4; content:"|00 00 00 02|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin; sid:1916; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; reference:arachnids,10; classtype:rpc-portmap-decode; sid:583; rev:6;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; reference:arachnids,10; classtype:rpc-portmap-decode; sid:583; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; reference:cve,CAN-1999-0647; reference:arachnids,16; classtype:rpc-portmap-decode; sid:1264; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; reference:cve,CAN-1999-0647; reference:arachnids,16; classtype:rpc-portmap-decode; sid:1264; rev:9;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP version request"; content:"|00 04 93 F3|"; offset:12; depth:4; content:"|00 00 00 08|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1956; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP version request"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 04 93 F3|"; offset:12; depth:4; content:"|00 00 00 08|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1956; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; flow:to_server, established; content:"|00 01 86 B8|"; offset:16; depth:4; content:"|00 00 00 02|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; reference:bugtraq,1480; reference: cve,CVE-2000-0666; classtype: misc-attack; sid:1891; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; flow:to_server, established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 B8|"; offset:16; depth:4; content:"|00 00 00 02|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; reference:bugtraq,1480; reference: cve,CVE-2000-0666; classtype: misc-attack; sid:1891; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt UDP"; content:"|00 01 86 BC|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|"; distance:4; classtype:misc-attack; sid:2088; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 BC|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|"; distance:4; classtype:misc-attack; sid:2088; rev:2;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap bootparam request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; reference:cve,CAN-1999-0647; reference:arachnids,16; classtype:rpc-portmap-decode; sid:577; rev:8;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap bootparam request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; reference:cve,CAN-1999-0647; reference:arachnids,16; classtype:rpc-portmap-decode; sid:577; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|"; offset:16; depth:4; content:"|00 00 01 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; reference:bugtraq,2417; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 87 99|"; offset:16; depth:4; content:"|00 00 01 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; reference:bugtraq,2417; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP version request"; flow:to_server,established; content:"|00 04 93 F3|"; offset:16; depth:4; content:"|00 00 00 08|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1955; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP version request"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 04 93 F3|"; offset:16; depth:4; content:"|00 00 00 08|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1955; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk TCP overflow attempt"; flow:to_server,established; content:"|00 01 86 F3|"; offset:16; depth:4; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; reference:cve,CVE-1999-0003; reference:bugtraq,122; classtype:misc-attack; sid:1965; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk TCP overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 F3|"; offset:16; depth:4; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; reference:cve,CVE-1999-0003; reference:bugtraq,122; classtype:misc-attack; sid:1965; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; reference:arachnids,125; classtype:rpc-portmap-decode; sid:591; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; reference:arachnids,125; classtype:rpc-portmap-decode; sid:591; rev:8;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP amqproc_mount plog overflow attempt"; content:"|00 04 93 F3|"; offset:12; depth:4; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;  byte_test:4,>,512,0,relative; reference:cve,CVE-1999-0704; reference:bugtraq,614; classtype:misc-attack; sid:1905; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP amqproc_mount plog overflow attempt"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 04 93 F3|"; offset:12; depth:4; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;  byte_test:4,>,512,0,relative; reference:cve,CVE-1999-0704; reference:bugtraq,614; classtype:misc-attack; sid:1905; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt UDP"; content:"|00 01 87 99|"; offset:12; depth:4; content:"|00 00 01 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; reference:bugtraq,2417; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2045; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 87 99|"; offset:12; depth:4; content:"|00 00 01 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; reference:bugtraq,2417; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2045; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 05|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:574; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP export request"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 05|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:574; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; content:"|00 01 87 88|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; reference:cve,CVE-1999-0977; reference:bugtraq,866; classtype:attempted-admin; sid:1911; rev:5;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 87 88|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; reference:cve,CVE-1999-0977; reference:bugtraq,866; classtype:attempted-admin; sid:1911; rev:6;)

     file -> imap.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; content:"{"; distance:0; nocase; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,6298; classtype:misc-attack; sid:1993; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login literal buffer overflow attempt"; flow:established,to_server; content:" LOGIN "; content:" {"; distance:0; nocase; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,6298; classtype:misc-attack; sid:1993; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate overflow attempt"; flow:established,to_server; content:" AUTHENTICATE {"; nocase; byte_test:5,>,256,0,string,dec,relative; reference:nessus,10292; reference:cve,CVE-1999-0042; classtype:misc-attack; sid:1844; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate overflow attempt"; flow:established,to_server; content:" AUTHENTICATE "; nocase; content:!"|0a|"; within:100; reference:nessus,10292; reference:cve,CVE-1999-0042; classtype:misc-attack; sid:1844; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub overflow attempt"; content:" LSUB |22 22| {"; byte_test:5,>,256,0,string,dec,relative; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1902; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub literal overflow attempt"; content:" LSUB |22|"; content:"|22| {"; distance:0; byte_test:5,>,256,0,string,dec,relative; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1902; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list overflow attempt"; flow:established,to_server; content:" LIST |22 22| {"; nocase; byte_test:5,>,256,0,string,dec,relative; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1845; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list literal overflow attempt"; flow:established,to_server; content:" LIST |22|"; content:"|22| {"; distance:0; nocase; byte_test:5,>,256,0,string,dec,relative; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1845; rev:11;)

     file -> netbios.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|ff 53 4d 42 32|"; offset:4; depth:5; content:"|00 14|"; offset:60; depth:2; byte_test:2,>,1024,0,relative,little; reference:cve,CAN-2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2103; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|ff|SMB|32|"; offset:4; depth:5; content:"|00 14|"; offset:60; depth:2; byte_test:2,>,1024,0,relative,little; reference:cve,CAN-2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2103; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Parameter of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF 53 4D 42 25|"; offset:4; depth:5; content:"|00 00|"; offset:43; depth:2; reference:cve,CAN-2002-0724; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.asp; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:denial-of-service; sid:2101; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; offset:4; depth:5; content:"|00 00 00 00|"; offset:43; depth:4; reference:cve,CAN-2002-0724; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.asp; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:denial-of-service; sid:2101; rev:4;)

     file -> attack-responses.rules
     old: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned www"; flow:from_server,established; content:"uid="; content:"(www)"; classtype:bad-unknown; sid:1882; rev:3;)
     new: alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882; rev:4;)

  [///]      Modified inactive:    [///]

     file -> rpc.rules
     old: #alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC DOS ttdbserv Solaris"; flow:to_server,established; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|";offset: 16; depth: 32; reference:bugtraq,122; reference:arachnids,241; reference:cve,CVE-1999-0003; classtype:attempted-dos; sid:572;  rev:5;)
     new: #alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC DOS ttdbserv Solaris"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|";offset: 16; depth: 32; reference:bugtraq,122; reference:arachnids,241; reference:cve,CVE-1999-0003; classtype:attempted-dos; sid:572;  rev:6;)

[*] Non-rule changes: [*]

  [+++]       Added lines:       [+++]

    -> File "pop3.rules":
       # bsd-qpopper.c
       # overflow in the reading of a line in qpopper
    -> File "deleted.rules":
       # basically duplicate of 330
       # specific example for sid:1549
       # this is properly caught by sid:527
       # duplicate of 1546
       # these are obsoleted by cleaning up 663
    -> File "rpc.rules":
       # rusers
       # XXX - Need to find out if rusers exists on TCP and if so, implement one of
       # these for TCP...
       # XXX - These need re-verified
    -> File "imap.rules":
       # auth is an imap2 function and only accepts literal usage
       # FIND does not accept a literal command

  [---]      Removed lines:      [---]
    -> File "deleted.rules":
       # basically duplicate of 330 
    -> File "rpc.rules":
       # These need re-verified
       # this needs re-visited...





More information about the Snort-sigs mailing list