[Snort-sigs] snort-rules STABLE update @ Tue Oct 21 11:15:16 2003

bmc at ...95... bmc at ...95...
Tue Oct 21 10:37:16 EDT 2003


This rule update was brought to you by Oinkmaster.

[*] Rule modifications: [*]

  [+++]          Enabled:          [+++]

     file -> ftp.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD .... attempt"; content:"CWD "; content:" ...."; flow:to_server,established; reference:bugtraq,4884; classtype:denial-of-service; sid:1779; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~<CR><NEWLINE> attempt"; content:"CWD "; content:" ~|0D0A|"; flow:to_server,established; reference:cve,CAN-2001-0421; reference:bugtraq,2601; classtype:denial-of-service; sid:1728;  rev:2;)
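Review bot: In sid:1779 and sid:1728 the command match `content:"CWD ";` has no `nocase`, so both rules fire only on an upper-case command, although FTP servers accept commands in any case. sid:1449, enabled in the same update, already applies `nocase` to its `USER` match. I would write `content:"CWD "; nocase;` in both rules and leave the second content as it is.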

     file -> policy.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous (ftp) login attempt"; content:"USER"; nocase; content:" ftp|0D0A|"; nocase; flow:to_server,established; classtype:misc-activity; sid:1449; rev:3;)

  [---]          Removed:          [---]

     file -> web-misc.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webadmin.dll access"; flow:to_server,established; uricontent:"/webadmin.dll"; nocase; reference:nessus,11771; classtype:web-application-activity; sid:2246; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SpamExcp.dll access"; flow:to_server,established; uricontent:"/SpamExcp.dll"; nocase; reference:cve,CAN-2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2235; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cwmail.exe access"; flow:to_server,established; uricontent:"/cwmail.exe"; nocase; reference:cve,CAN-2002-0273; reference:nessus,11727; classtype:web-application-activity; sid:2241; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebLogic ConsoleHelp view source attempt"; flow:to_server,established; uricontent:"/ConsoleHelp/"; nocase; uricontent:".jsp"; nocase; reference:cve,CAN-2000-0682; reference:nessus,11724; classtype:web-application-attack; sid:2238; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC register.dll access"; flow:to_server,established; uricontent:"/register.dll"; nocase; reference:cve,CAN-2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2231; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC redirect.exe access"; flow:to_server,established; uricontent:"/redirect.exe"; nocase; reference:cve,CAN-2000-0401; classtype:web-application-activity; sid:2239; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SFNofitication.dll access"; flow:to_server,established; uricontent:"/SFNofitication.dll"; nocase; reference:cve,CAN-2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2233; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ContentFilter.dll access"; flow:to_server,established; uricontent:"/ContentFilter.dll"; nocase; reference:cve,CAN-2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2232; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC TOP10.dll access"; flow:to_server,established; uricontent:"/TOP10.dll"; nocase; reference:cve,CAN-2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2234; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VsSetCookie.exe access"; flow:to_server,established; uricontent:"/VsSetCookie.exe"; nocase; reference:cve,CAN-2002-0236; reference:nessus,11731; reference:bugtraq,3784; classtype:web-application-activity; sid:2244; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ndcgi.exe access"; flow:to_server,established; uricontent:"/ndcgi.exe"; nocase; reference:cve,CAN-2001-0922; reference:nessus,11730; classtype:web-application-activity; sid:2243; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC changepw.exe access"; flow:to_server,established; uricontent:"/changepw.exe"; nocase; reference:cve,CAN-2000-0401; classtype:web-application-activity; sid:2240; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC spamrule.dll access"; flow:to_server,established; uricontent:"/spamrule.dll"; nocase; reference:cve,CAN-2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2236; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC NetGear router default password login attempt \(admin\:password\)";  flow:to_server,established; content:"Authorization\: "; nocase; content:" Basic "; nocase; content:"YWRtaW46cGFzc3dvcmQ"; reference:nessus,11737; classtype:default-login-attempt; sid:2230; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cgiWebupdate.exe access"; flow:to_server,established; uricontent:"/cgiWebupdate.exe"; nocase; reference:cve,CAN-2001-1150; reference:nessus,11722; classtype:web-application-activity; sid:2237; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ddicgi.exe access"; flow:to_server,established; uricontent:"/ddicgi.exe"; nocase; reference:cve,CAN-2000-0826; reference:nessus,11728; reference:bugtraq,1657; classtype:web-application-activity; sid:2242; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Webnews.exe access"; flow:to_server,established; uricontent:"/Webnews.exe"; nocase; reference:cve,CAN-2002-0290; reference:nessus,11732; reference:bugtraq,4124; classtype:web-application-activity; sid:2245; rev:1;)

     file -> web-iis.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS UploadScript11.asp access"; flow:to_server,established; uricontent:"/UploadScript11.asp"; reference:cve,CAN-2001-0938; classtype:web-application-activity; sid:2247; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /pcadmin/login.asp access"; flow:to_server,established; uricontent:"/pcadmin/login.asp"; reference:nessus,11785; reference:bugtraq,8103; classtype:web-application-activity; sid:2249; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS DirectoryListing.asp access"; flow:to_server,established; uricontent:"/DirectoryListing.asp"; reference:cve,CAN-2001-0938; classtype:web-application-activity; sid:2248; rev:1;)

     file -> pop3.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER format string attempt"; flow:to_server,established; content:"USER"; nocase; content:"%"; distance:1; content:"%"; distance:1; reference:bugtraq,7667; reference:nessus,11742; classtype:attempted-admin; sid:2250; rev:1;)

     file -> web-cgi.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailfile.cgi access"; flow:to_server,established; uricontent:"/mailfile.cgi"; nocase; reference:cve,CVE-2000-0977; reference:nessus,11748; classtype:web-application-activity; sid:2213; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csNews.cgi access"; flow:to_server,established; uricontent:"/csNews.cgi"; nocase; reference:bugtraq,4994; reference:cve,CVE-2002-0923; reference:nessus,11726;classtype:web-application-activity; sid:2223; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI fileseek.cgi access"; flow:to_server,established; uricontent:"/fileseek.cgi"; nocase; reference:cve,CAN-2002-0611; reference:nessus,11748; classtype:web-application-activity; sid:2207; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI multidiff.cgi access"; flow:to_server,established; uricontent:"/multidiff.cgi"; nocase; reference:cve,CAN-2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2199; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ezman.cgi access"; flow:to_server,established; uricontent:"/ezman.cgi"; nocase; reference:cve,CAN-2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2206; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI CSMailto.cgi access"; flow:to_server,established; uricontent:"/CSMailto.cgi"; nocase; reference:cve,CAN-2002-0749; reference:nessus,11748; classtype:web-application-activity; sid:2194; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI gozila.cgi access"; flow:to_server,established; uricontent:"/gozila.cgi"; nocase; reference:nessus,11773; classtype:web-application-activity; sid:2225; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI service.cgi access"; flow:to_server,established; uricontent:"/service.cgi"; nocase; reference:cve,CAN-2002-0346; reference:nessus,11748; classtype:web-application-activity; sid:2218; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI download.cgi access"; flow:to_server,established; uricontent:"/download.cgi"; nocase; reference:cve,CAN-1999-1377; reference:nessus,11748; classtype:web-application-activity; sid:2201; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nsManager.cgi access"; flow:to_server,established; uricontent:"/nsManager.cgi"; nocase; reference:cve,CAN-2000-1023; reference:nessus,11748; classtype:web-application-activity; sid:2215; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailview.cgi access"; flow:to_server,established; uricontent:"/mailview.cgi"; nocase; reference:cve,CAN-2000-0526; reference:nessus,11748; classtype:web-application-activity; sid:2214; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ezadmin.cgi access"; flow:to_server,established; uricontent:"/ezadmin.cgi"; nocase; reference:cve,CAN-2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2204; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI edit_action.cgi access"; flow:to_server,established; uricontent:"/edit_action.cgi"; nocase; reference:cve,CAN-2001-1196; reference:nessus,11748; classtype:web-application-activity; sid:2202; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI readmail.cgi access"; flow:to_server,established; uricontent:"/readmail.cgi"; nocase; reference:cve,CAN-2001-1283; reference:nessus,11748; classtype:web-application-activity; sid:2216; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI fom.cgi access"; flow:to_server,established; uricontent:"/fom.cgi"; nocase; reference:cve,CAN-2002-0230; reference:nessus,11748; classtype:web-application-activity; sid:2208; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dnewsweb.cgi access"; flow:to_server,established; uricontent:"/dnewsweb.cgi"; nocase; reference:cve,CAN-2000-0423; reference:nessus,11748; classtype:web-application-activity; sid:2200; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI getdoc.cgi access"; flow:to_server,established; uricontent:"/getdoc.cgi"; nocase; reference:cve,CAN-2000-0288; reference:nessus,11748; classtype:web-application-activity; sid:2209; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alert.cgi access"; flow:to_server,established; uricontent:"/alert.cgi"; nocase; reference:cve,CAN-2002-0346; reference:nessus,11748; classtype:web-application-activity; sid:2195; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cvslog.cgi access"; flow:to_server,established; uricontent:"/cvslog.cgi"; nocase; reference:cve,CAN-2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2198; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI everythingform.cgi access"; flow:to_server,established; uricontent:"/everythingform.cgi"; nocase; reference:cve,CAN-2001-0023; reference:nessus,11748; classtype:web-application-activity; sid:2203; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI psunami.cgi access"; flow:to_server,established; uricontent:"/psunami.cgi"; nocase; reference:bugtraq,6607; reference:nessus,11750; classtype:web-application-activity; sid:2224; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI printmail.cgi access"; flow:to_server,established; uricontent:"/printmail.cgi"; nocase; reference:cve,CAN-2001-1283; reference:nessus,11748; classtype:web-application-activity; sid:2217; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI imageFolio.cgi access"; flow:to_server,established; uricontent:"/imageFolio.cgi"; nocase; reference:cve,CAN-2002-1334; reference:nessus,11748; classtype:web-application-activity; sid:2212; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI global.cgi access"; flow:to_server,established; uricontent:"/global.cgi"; nocase; reference:cve,CVE-2000-0952; reference:nessus,11748; classtype:web-application-activity; sid:2210; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI setpasswd.cgi access"; flow:to_server,established; uricontent:"/setpasswd.cgi"; nocase; reference:cve,CAN-2001-0133; reference:nessus,11748; classtype:web-application-activity; sid:2219; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ws_mail.cgi access"; flow:to_server,established; uricontent:"/ws_mail.cgi"; nocase; reference:cve,CAN-2001-1343; reference:nessus,11748; classtype:web-application-activity; sid:2221; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ezboard.cgi access"; flow:to_server,established; uricontent:"/ezboard.cgi"; nocase; reference:cve,CAN-2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2205; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cvsview2.cgi access"; flow:to_server,established; uricontent:"/csview2.cgi"; nocase; reference:cve,CAN-2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2197; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI guestserver.cgi access"; flow:to_server,established; uricontent:"/guestserver.cgi"; nocase; reference:cve,CAN-2001-0180; reference:nessus,11748; classtype:web-application-activity; sid:2211; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI catgy.cgi access"; flow:to_server,established; uricontent:"/alert.cgi"; nocase; reference:cve,CAN-2001-1212; reference:nessus,11748; classtype:web-application-activity; sid:2196; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nph-exploitscanget.cgi access"; flow:to_server,established; uricontent:"/nph-exploitscanget.cgi"; nocase; reference:bugtraq,7910; reference:bugtraq,7911; reference:bugtraq,7912; reference:nessus,11740; classtype:web-application-activity; sid:2222; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI simplestmail.cgi access"; flow:to_server,established; uricontent:"/simplestmail.cgi"; nocase; reference:cve,CAN-2001-0022; reference:nessus,11748; classtype:web-application-activity; sid:2220; rev:1;)

     file -> ftp.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER format string attempt"; flow:to_server,established; content:"USER"; nocase; content:"%"; distance:1; content:"%"; distance:1; within:10; reference:bugtraq,7474; classtype:misc-attack; sid:2178; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; content:"%"; distance:1;  content:"%"; distance:1; within:10; reference:bugtraq,7474; classtype:misc-attack; sid:2179; rev:1;)

     file -> web-php.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP viewtopic.php access"; flow:to_server,established; uricontent:"viewtopic.php"; reference:nessus,11767; reference:bugtraq,7979; classtype:web-application-attack; sid:2229; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP pmachine remote command execution attempt"; flow:to_server,established; uricontent:"lib.inc.php"; content:"pm_path=http"; reference:nessus,11739; reference:bugtraq,7919; classtype:web-application-attack; sid:2226; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP forum_details.php access"; flow:to_server,established; uricontent:"forum_details.php"; reference:nessus,11760; reference:bugtraq,7933; classtype:web-application-attack; sid:2227; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpMyAdmin db_details_importdocsql.php access"; flow:to_server,established; uricontent:"db_details_importdocsql.php"; reference:nessus,11761; reference:bugtraq,7965; classtype:web-application-attack; sid:2228; rev:1;)

     file -> rpc.rules
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP mount path overflow attempt"; content:"|00 01 86 A5 00|"; offset:12; depth:5; content:"|00 00 00 01|"; distance:3; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; offset:4; depth:4; classtype:misc-attack; sid:2185; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount path overflow attempt"; flow:to_server,established; content:"|00 01 86 A5 00|"; offset:16; depth:5; content:"|00 00 00 01|"; distance:3; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; offset:8; depth:4; sid:2184; rev:2;)

     file -> backdoor.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR typot trojan traffic"; flags:S,12; window:55808; sid:2182; rev:1;)

  [---]    Disabled and modified:  [---]

     file -> smtp.rules
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP chameleon overflow"; flow:to_server,established; content:"HELP"; nocase; isdataat:500,relative; pcre:"/^HELP\s[^\n]{500}/ism"; reference:bugtraq,2387; reference:arachnids,266; reference:cve,CAN-1999-0261; classtype:attempted-admin; sid:657; rev:9;)
     new: #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP chameleon overflow"; flow:to_server,established,no_stream; content: "HELP "; nocase; depth:5; content:!"|0a|"; within:500; reference:bugtraq,2387; reference:arachnids,266; reference:cve,CAN-1999-0261; classtype:attempted-admin; sid:657; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3a|"; nocase; isdataat:500,relative; pcre:"/^RCPT TO\s[^\n]{500}/ism"; reference:cve,CAN-2001-0260; reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:9;)
     new: #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3a|"; nocase; content:!"|0a|"; within:800; reference:cve,CAN-2001-0260; reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:7;)
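Review bot: sid:657 and sid:654 are written back commented out with no explanation, so after this update these two sids no longer fire and an operator reading smtp.rules cannot tell whether that is intentional. A comment above each rule, e.g. `# disabled: <reason>`, would record it. The disabled sid:654 also uses `within:800` where the old rule tested 500 bytes; the intended threshold should be confirmed before the rule is re-enabled.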

  [///]       Modified active:     [///]

     file -> info.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP no password"; flow:from_client,established; content:"PASS"; nocase; pcre:"/^PASS\s*\n/smi"; reference:arachnids,322; classtype:unknown; sid:489; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP No Password"; content: "PASS"; nocase; offset:0; depth:4; content:"|0a|"; within:3; reference:arachnids,322; flow:from_client,established; classtype:unknown; sid:489; rev:5;)

     file -> web-misc.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC counter.exe access"; flow:to_server,established; uricontent:"/counter.exe"; nocase; reference:bugtraq,267; classtype:web-application-activity; sid:1078; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC counter.exe access"; flow:to_server,established; uricontent:"/scripts/counter.exe"; nocase; reference:bugtraq,267; classtype:web-application-activity; sid:1078;  rev:5;)

     file -> smtp.rules
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn root"; flow:to_server,established; content:"expn"; nocase; content:"root"; nocase; pcre:"/^expn\s+root/smi"; reference:arachnids,31; classtype:attempted-recon; sid:660; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn root"; flow:to_server,established; content:"expn root"; nocase; reference:arachnids,31; classtype:attempted-recon; sid:660; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn decode"; flow:to_server,established; content:"expn"; nocase; content:"decode"; nocase; pcre:"/^expn\s+decode/smi"; reference:arachnids,32; classtype:attempted-recon; sid:659; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn decode"; flow:to_server,established; content:"expn decode"; nocase; reference:arachnids,32; classtype:attempted-recon; sid:659; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ETRN overflow attempt"; flow:to_server,established; content:"ETRN"; isdataat:500,relative; pcre:"/^ETRN\s[^\n]{500}/smi"; reference:cve,CAN-2000-0490; classtype:attempted-admin; sid:1550; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ETRN overflow attempt"; flow:to_server,established; content:"ETRN "; offset:0; depth:5; content:!"|0A|"; within:500; reference:cve,CAN-2000-0490; classtype:attempted-admin; sid:1550; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn *@"; flow:to_server,established; content:"expn"; nocase; content:"*@"; pcre:"/^expn\s+\*@/smi"; reference:cve,CAN-1999-1200; classtype:misc-attack; sid:1450; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn *@"; flow:to_server,established; content:"expn *@"; nocase; reference:cve,CAN-1999-1200; classtype:misc-attack; sid:1450; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; nocase; distance:1; pcre:"/^vrfy\s+root/smi"; classtype:attempted-recon; sid:1446; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy root"; flow:to_server,established; content:"vrfy root"; nocase; classtype:attempted-recon; sid:1446; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO decode attempt"; flow:to_server,established; content:"rcpt to|3a|"; content:"decode"; nocase; distance:0; pcre:"/^rcpt to\:\s+decode/smi"; reference:arachnids,121; reference:cve,CVE-1999-0203; classtype:attempted-admin; sid:664; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO decode attempt"; flow:to_server,established; content:"rcpt to|3a| decode"; nocase; reference:arachnids,121; reference:cve,CVE-1999-0203; classtype:attempted-admin; sid:664; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy decode"; flow:to_server,established; content:"vrfy"; nocase; content:"decode"; nocase; distance:1; pcre:"/^vrfy\s+decode/smi"; reference:arachnids,373; classtype:attempted-recon; sid:672; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy decode"; flow:to_server,established; content:"vrfy decode"; nocase; reference:arachnids,373; classtype:attempted-recon; sid:672; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to command attempt"; flow:to_server,established; content:"rcpt to\:"; nocase; pcre:"/^rcpt\s+to\:\s+[|\;]/smi"; reference:bugtraq,1; reference:arachnids,172; reference:cve,CVE-1999-0095; classtype:attempted-admin; sid:663; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to sed command attempt"; flow:to_server,established; content:"rcpt to\:"; nocase; content:"\|"; distance:0; content:"sed "; distance:0; reference:bugtraq,1; reference:arachnids,172; reference:cve,CVE-1999-0095; classtype:attempted-admin; sid:663; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow attempt"; flow:to_server,established; content:"HELO"; isdataat:500,relative; pcre:"/^HELO\s[^\n]{500}/smi"; reference:bugtraq,895; reference:cve,CVE-2000-0042; reference:nessus,10324; reference:bugtraq,7726; reference:nessus,11674; classtype:attempted-admin; sid:1549; rev:13;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow attempt"; flow:to_server,established; content:"HELO "; offset:0; depth:5; content:!"|0a|"; within:500; reference:bugtraq,895; reference:cve,CVE-2000-0042; reference:nessus,10324; reference:bugtraq,7726; reference:nessus,11674; classtype:attempted-admin; sid:1549; rev:11;)
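Review bot: The new sid:1550 and sid:1549 match `content:"ETRN ";` and `content:"HELO ";` case-sensitively, while the disabled sid:657 in this same update carries `nocase` on `"HELP "`; SMTP commands are case-insensitive, so a lower- or mixed-case command produces no alert. I would add `nocase;` directly after each of those two contents. The single-space literals such as `content:"expn root"` (sid:660, 659, 1450, 1446, 672, 664) also match only when exactly one space separates the tokens, which the old `\s+` expressions did not require. If the target engine cannot use `pcre`, that limitation is worth a comment in smtp.rules.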

     file -> pop3.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; isdataat:50,relative; pcre:"/^PASS\s[^\n]{50}/smi"; reference:cve,CAN-1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; content:!"|0a|"; within:50; reference:cve,CAN-1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:10,relative; pcre:"/^STAT\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2110; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; content:!"|0a|"; within:10; classtype:attempted-admin; sid:2110; rev:1;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 XTND overflow attempt"; flow:to_server,established; content:"XTND"; nocase; isdataat:50,relative; pcre:"/^XTND\s[^\n]{50}/smi"; classtype:attempted-admin; sid:1938; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 XTND overflow attempt"; flow:to_server,established; content:"XTND"; nocase; content:!"|0a|"; within:50; classtype:attempted-admin; sid:1938; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; isdataat:50,relative; pcre:"/^USER\s[^\n]{50,}/smi"; reference:bugtraq,789; reference:cve,CVE-1999-0494; reference:nessus,10311; classtype:attempted-admin; sid:1866; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; content:!"|0a|"; within:50; reference:bugtraq,789; reference:cve,CVE-1999-0494; reference:nessus,10311; classtype:attempted-admin; sid:1866; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 RSET overflow attempt"; flow:to_server,established; content:"RSET"; nocase; isdataat:10,relative; pcre:"/^RSET\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2112; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 RSET overflow attempt"; flow:to_server,established; content:"RSET"; nocase; content:!"|0a|"; within:10; classtype:attempted-admin; sid:2112; rev:1;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 CAPA overflow attempt"; flow:to_server,established; content:"CAPA"; nocase; isdataat:10,relative; pcre:"/^CAPA\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2108; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 CAPA overflow attempt"; flow:to_server,established; content:"CAPA"; nocase; content:!"|0a|"; within:10; classtype:attempted-admin; sid:2108; rev:1;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^PASS\s[^\n]{256}/smi"; reference:cve,CAN-2000-0841; reference:bugtraq,1652; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; content:!"|0a|"; within:256; reference:cve,CAN-2000-0841; reference:bugtraq,1652; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE negative arguement attempt"; content:"DELE"; nocase; pcre:"/^DELE\s+-\d/smi"; classtype:misc-attack; reference:bugtraq,7445; reference:bugtraq,6053; sid:2121; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE negative arguement attempt"; content:"DELE"; depth:4; nocase; content:"-"; distance:1; byte_test:1,>,0,0,relative,string; classtype:misc-attack; reference:bugtraq,7445; reference:bugtraq,6053; sid:2121; rev:1;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; reference:bugtraq,948; reference:cve,CAN-2000-0096; classtype:attempted-admin; sid:1937; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; content:!"|0a|"; within:50; reference:bugtraq,948; reference:cve,CAN-2000-0096; classtype:attempted-admin; sid:1937; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:10,relative; pcre:"/^DELE\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2111; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; content:!"|0a|"; within:10; classtype:attempted-admin; sid:2111; rev:1;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 AUTH overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; isdataat:50,relative; pcre:"/^AUTH\s[^\n]{50}/smi"; classtype:attempted-admin; sid:1936; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 AUTH overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; content:!"|0a|"; within:50; classtype:attempted-admin; sid:1936; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 TOP overflow attempt"; flow:to_server,established; content:"TOP"; nocase; isdataat:10,relative; pcre:"/^TOP\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2109; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 TOP overflow attempt"; flow:to_server,established; content:"TOP"; nocase; content:!"|0a|"; within:10; classtype:attempted-admin; sid:2109; rev:1;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 UIDL negative arguement attempt"; content:"UIDL"; nocase; pcre:"/^UIDL\s+-\d/smi"; classtype:misc-attack; reference:bugtraq,6053; sid:2122; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 UIDL negative arguement attempt"; content:"UIDL"; depth:4; nocase; content:"-"; distance:1; byte_test:1,>,0,0,relative,string; classtype:misc-attack; reference:bugtraq,6053; sid:2122; rev:1;)
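Review bot: sid:2121 and sid:2122 carry no `flow` option on either side of the change, unlike every other rule in this pop3.rules section, so they are evaluated without requiring an established client-to-server session. I would add `flow:to_server,established;` before the first `content` in both. Separately, the new sid:1937 uses `within:50` where the old rule tested 10 bytes and the sibling STAT/RSET/CAPA/DELE/TOP rules use `within:10`; if that is deliberate it deserves a comment.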

     file -> policy.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous login attempt"; content:"USER"; nocase; pcre:"/^USER\s+(anonymous|ftp)/smi"; flow:to_server,established; classtype:misc-activity; sid:553; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous login attempt"; content:"USER"; nocase; content:" anonymous|0D0A|"; nocase; flow:to_server,established; classtype:misc-activity; sid:553; rev:4;)
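Review bot: In the new sid:553 the second match, `content:" anonymous|0D0A|"; nocase;`, carries no `distance` or `within`, so it is not tied to the `USER` match and can be satisfied anywhere in the payload, whereas the old pcre required it directly after `USER` at the start of a line. It also insists on a CRLF terminator that the old pattern did not, so a login line ending in a bare LF would presumably go unreported. Binding the argument to the command keeps the rule on the login line itself: `content:" anonymous|0D0A|"; nocase; distance:0; within:12;`.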

     file -> misc.rules
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP Location overflow"; content:"Location|3a|"; nocase; pcre:"/^Location\:[^\n]{128}/smi"; classtype:misc-attack; reference:cve,CAN-2001-0876; sid:1388; rev:7;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP Location overflow"; content:"|0d|Location|3a|"; nocase; content:!"|0a|"; within:128; classtype:misc-attack; reference:cve,CAN-2001-0876; sid:1388; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"MISC Xtramail Username overflow attempt"; flow:to_server,established; dsize:>500; content:"Username\:"; nocase; isdataat:100,relative; pcre:"/^Username\:[^\n]{100}/smi"; reference:cve,CAN-1999-1511; reference:bugtraq,791; classtype:attempted-admin; sid:1636; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"MISC Xtramail Username overflow attempt"; flow:to_server,established; dsize:>500; content:"Username\: "; nocase; reference:cve,CAN-1999-1511; reference:bugtraq,791; classtype:attempted-admin; sid:1636; rev:3;)
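Review bot: The new sid:1636 no longer tests the length of the Username value: `isdataat:100,relative` and the `[^\n]{100}` pcre are removed and nothing replaces them, so the rule fires on any packet to port 32000 larger than 500 bytes that contains `Username: `. `dsize:>500` measures the whole payload rather than the field, so the "overflow attempt" message overstates what is matched and ordinary large requests can alert. If pcre is unavailable on the engine this branch targets, the negated-newline form used for sid:1388 in the same section would keep a field-level test: `content:"Username\: "; nocase; content:!"|0a|"; within:100;`.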

     file -> imap.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; reference:nessus,10292; reference:cve,CVE-1999-0042; classtype:misc-attack; sid:1844; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate overflow attempt"; flow:established,to_server; content:" AUTHENTICATE "; nocase; content:!"|0a|"; within:100; reference:nessus,10292; reference:cve,CVE-1999-0042; classtype:misc-attack; sid:1844; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY["; nocase; distance:0; pcre:"/\sPARTIAL.*BODY\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,CAN-2002-0379; classtype:misc-attack; sid:1755; rev:11;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body buffer overflow attempt"; flow:to_server,established; content:" PARTIAL "; content:" BODY["; content:!"]"; within:1024; reference:bugtraq,4713; reference:cve,CAN-2002-0379; classtype:misc-attack; sid:1755; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP rename overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/smi"; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1903; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP rename overflow attempt"; flow:established,to_server; content:" RENAME "; nocase; content:!"|0a|"; within:1024; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1903; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create buffer overflow attempt"; flow:to_server,established; content:"CREATE"; isdataat:1024,relative; pcre:"/\sCREATE\s[^\n]{1024}/smi"; reference:bugtraq,7446; classtype:misc-attack; sid:2107; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create buffer overflow attempt"; flow:to_server,established; content:" CREATE "; content:!"|0a|"; within:1024; reference:bugtraq,7446; classtype:misc-attack; sid:2107; rev:1;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP find overflow attempt"; flow:established,to_server; content:"FIND"; nocase; isdataat:100,relative; pcre:"/\sFIND\s[^\n]{100}/smi"; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1904; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP find overflow attempt"; flow:established,to_server; content:" FIND "; nocase; content:!"|0a|"; within:1024; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1904; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list overflow attempt"; flow:established,to_server; content:"LIST"; nocase; isdataat:100,relative; pcre:"/\sLIST\s[^\n]{100}/smi"; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:2118; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list overflow attempt"; flow:established,to_server; content:" LIST "; nocase; content:!"|0a|"; within:100; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:2118; rev:1;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/smi"; reference:nessus,10125; reference:cve,CVE-1999-0005; classtype:attempted-user; sid:1842; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login buffer overflow attempt"; flow:established,to_server; content:" LOGIN "; content:!"|0a|"; within:100; reference:nessus,10125; reference:cve,CVE-1999-0005; classtype:attempted-user; sid:1842; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub overflow attempt"; content:"LSUB"; isdataat:100,relative; pcre:"/\sLSUB\s[^\n]{100}/smi"; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:2106; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub overflow attempt"; content:" LSUB "; content:!"|0a|"; within:100; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:2106; rev:1;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY.PEEK["; nocase; distance:0; pcre:"/\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,CAN-2002-0379; classtype:misc-attack; sid:2046; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:" PARTIAL "; content:" BODY.PEEK["; content:!"]"; within:1024; reference:bugtraq,4713; reference:cve,CAN-2002-0379; classtype:misc-attack; sid:2046; rev:1;)
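Review bot: Every rewritten overflow rule in this section drops `isdataat:N,relative` and keeps only `content:!"|0a|"; within:N;`, so nothing visible in the rule requires N bytes to follow the command. Depending on how the engine evaluates a negated `within` on a short payload, a command whose line end arrives in a later segment may alert. The same pattern appears in the POP3 rules above, in sid:1388 in misc.rules, and throughout the ftp.rules, exploit.rules and pop2.rules sections below. Where the engine supports it I would keep the guard, e.g. `content:" LIST "; nocase; isdataat:100,relative; content:!"|0a|"; within:100;`. Separately, sid:1903 and sid:1904 move from a 100-byte threshold to `within:1024` while sid:2118 and sid:2106, which cite the same CAN-2000-0284, stay at 100; that looks unintended and is worth confirming.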

     file -> ftp.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE overflow attempt"; flow:to_server,established; content:"SITE"; nocase; isdataat:100,relative; pcre:"/^SITE\s[^\n]{100}/smi"; reference:cve,CAN-2001-0755; reference:cve,CAN-2001-0770; reference:cve,CVE-1999-0838; classtype:attempted-admin; sid:1529; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE overflow attempt"; flow:to_server,established; content:"SITE "; nocase; content:!"|0a|"; within:100; reference:cve,CAN-2001-0755; reference:cve,CAN-2001-0770; reference:cve,CVE-1999-0838; classtype:attempted-admin; sid:1529; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE ZIPCHK overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"ZIPCHK"; nocase; distance:1; isdataat:100,relative; pcre:"/^SITE\s+ZIPCHK\s[^\n]{100}/smi"; reference:cve,CVE-2000-0040; classtype:attempted-admin; sid:1921; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE ZIPCHK attempt"; flow:to_server,established; content:"SITE "; nocase; content:" ZIPCHK "; nocase; content:!"|0a|"; within:100; reference:cve,CVE-2000-0040; classtype:attempted-admin; sid:1921; rev:1;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP DELE overflow attempt";flow:to_server,established; content:"DELE"; nocase; isdataat:100,relative; pcre:"/^DELE\s[^\n]{100}/smi"; reference:cve,CAN-2001-0826; classtype:attempted-admin; sid:1975; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP DELE overflow attempt";flow:to_server,established; content:"DELE "; nocase; content:!"|0a|"; within:100; reference:cve,CAN-2001-0826; classtype:attempted-admin; sid:1975; rev:1;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE NEWER overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; nocase; distance:0; isdataat:100,relative; pcre:"/^SITE\s+NEWER\s[^\n]{100}/smi"; reference:cve,CVE-1999-0800; classtype:attempted-admin; sid:1920; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE NEWER overflow attempt"; flow:to_server,established; content:"SITE "; nocase; content:" NEWER "; nocase; content:!"|0a|"; within:100; reference:cve,CVE-1999-0800; classtype:attempted-admin; sid:1920; rev:1;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP REST overflow attempt";flow:to_server,established; content:"REST"; nocase; isdataat:100,relative; pcre:"/^REST\s[^\n]{100}/smi"; reference:cve,CAN-2001-0826; classtype:attempted-admin; sid:1974; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP REST overflow attempt";flow:to_server,established; content:"REST "; nocase; content:!"|0a|"; within:100; reference:cve,CAN-2001-0826; classtype:attempted-admin; sid:1974; rev:1;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow attempt"; flow:to_server,established,no_stream;  content:"USER"; nocase; isdataat:100,relative; pcre:"/^USER\s[^\n]{100}/smi"; reference:bugtraq,4638; reference:cve,CAN-2000-0479; reference:cve,CAN-2000-0656; reference:cve,CAN-2000-1035; reference:cve,CAN-2000-1194; reference:cve,CAN-2001-0794; reference:cve,CAN-2001-0826; reference:cve,CAN-2002-0126; reference:cve,CVE-2000-0943; classtype:attempted-admin; sid:1734; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow attempt"; flow:to_server,established,no_stream;  content:"USER "; nocase; content:!"|0a|"; within:100; reference:bugtraq,4638; reference:cve,CAN-2000-0479; reference:cve,CAN-2000-0656; reference:cve,CAN-2000-1035; reference:cve,CAN-2000-1194; reference:cve,CAN-2001-0794; reference:cve,CAN-2001-0826; reference:cve,CAN-2002-0126; reference:cve,CVE-2000-0943; classtype:attempted-admin; sid:1734; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CPWD overflow attempt"; flow:established,to_server; content:"SITE"; nocase; content:"CPWD"; nocase; distance:0; isdataat:100,relative; pcre:"/^SITE\s+CPWD\s[^\n]{100}/smi"; reference:bugtraq,5427; reference:cve,CAN-2002-0826; classtype:misc-attack; sid:1888; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CPWD overflow attempt"; flow:established,to_server; content:"SITE "; nocase; content:" CPWD "; nocase; content:!"|0a|"; within:100; reference:bugtraq,5427; reference:cve,CAN-2002-0826; classtype:misc-attack; sid:1888; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; nocase; distance:1; pcre:"/^CWD\s+~root/smi"; reference:cve,CVE-1999-0082; reference:arachnids,318; classtype:bad-unknown; sid:336; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~root attempt"; content:"CWD "; content:" ~root"; nocase; flow:to_server,established; reference:cve,CVE-1999-0082; reference:arachnids,318; classtype:bad-unknown; sid:336;  rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKD overflow attempt";flow:to_server,established; content:"MKD"; nocase; isdataat:100,relative; pcre:"/^MKD\s[^\n]{100}/smi"; reference:cve,CAN-1999-0911; reference:bugtraq,612; classtype:attempted-admin; sid:1973; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKD overflow attempt";flow:to_server,established; content:"MKD "; nocase; content:!"|0a|"; within:100; reference:cve,CAN-1999-0911; reference:bugtraq,612; classtype:attempted-admin; sid:1973; rev:1;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~ attempt"; flow:to_server,established; content:"CWD"; pcre:"/^CWD\s+~/smi"; reference:cve,CAN-2001-0421; reference:bugtraq,2601; classtype:denial-of-service; sid:1672; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~<NEWLINE> attempt"; content:"CWD "; content:" ~|0A|"; flow:to_server,established; reference:cve,CAN-2001-0421; reference:bugtraq,2601; classtype:denial-of-service; sid:1672;  rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; nocase; distance:1; pcre:"/^USER\s+w0rm/smi"; reference:arachnids,01; sid:144; classtype:suspicious-login; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER w0rm|0D0A|"; reference:arachnids,01; sid:144; classtype:suspicious-login;  rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMD overflow attempt"; flow:to_server,established;  content:"RMD"; nocase; isdataat:100,relative; pcre:"/^RMD\s[^\n]{100}/smi"; reference:cve,CAN-2001-0826; classtype:attempted-admin; sid:1976; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMD overflow attempt"; flow:to_server,established;  content:"RMD "; nocase; content:!"|0a|"; within:100;reference:cve,CAN-2001-0826; classtype:attempted-admin; sid:1976; rev:1;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CHOWN overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHOWN"; nocase; distance:0; isdataat:100,relative; pcre:"/^SITE\s+CHOWN\s[^\n]{100}/smi"; reference:cve,CAN-2001-0065; classtype:attempted-admin; sid:1562; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CHOWN overflow attempt"; flow:to_server,established; content:"SITE "; nocase; content:" CHOWN "; nocase; content:!"|0a|"; within:100; reference:cve,CAN-2001-0065; classtype:attempted-admin; sid:1562; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP invalid MODE"; flow:to_server,established; content:"MODE"; nocase; pcre:"/^MODE\s+[^ABSC]{1}/msi"; classtype:protocol-command-decode; sid:1623; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP invalid MODE"; flow:to_server,established; content:"MODE "; nocase; content:!" B"; nocase; content:!" A"; nocase; content:!" S"; nocase; content:!" C"; nocase; classtype:protocol-command-decode; sid:1623; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CMD overflow attempt"; flow:to_server,established; content:"CMD"; nocase; isdataat:100,relative; pcre:"/^CMD\s[^\n]{100}/smi"; classtype:attempted-admin; sid:1621; rev:10;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CMD overflow attempt"; flow:to_server,established; content:"CMD "; nocase; content:!"|0a|"; within:100; classtype:attempted-admin; sid:1621; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE NEWER attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; nocase; distance:1; pcre:"/^SITE\s+NEWER/smi"; reference:cve,CVE-1999-0880; reference:nessus,10319; classtype:attempted-dos; sid:1864; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE NEWER attempt"; flow:to_server,established; content:"SITE "; nocase; content:" NEWER "; nocase; reference:cve,CVE-1999-0880; reference:nessus,10319; classtype:attempted-dos; sid:1864; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; classtype:bad-unknown; sid:1229; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ..."; flow:to_server,established; content:"CWD "; content:" ..."; classtype:bad-unknown; sid:1229;  rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD overflow attempt"; flow:to_server,established; content:"CWD"; nocase; isdataat:100,relative; pcre:"/^CWD\s[^\n]{100}/smi"; reference:cve,CAN-2000-1035; reference:cve,CAN-2000-1194; reference:cve,CAN-2002-0126; classtype:attempted-admin; sid:1919; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD overflow attempt"; flow:to_server,established; content:"CWD "; nocase; content:!"|0a|"; within:100; reference:cve,CAN-2000-1035; reference:cve,CAN-2000-1194; reference:cve,CAN-2002-0126; classtype:attempted-admin; sid:1919; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC/smi"; reference:bugtraq,2241; reference:arachnids,317; classtype:bad-unknown; sid:361; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP site exec"; flow:to_server,established; content:"SITE "; nocase; content:"EXEC "; distance:0; nocase; reference:bugtraq,2241; reference:arachnids,317; classtype:bad-unknown; sid:361;  rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMDIR overflow attempt"; flow:to_server,established;  content:"RMDIR"; nocase; isdataat:100,relative; pcre:"/^RMDIR\s[^\n]{100}/smi"; classtype:attempted-admin; sid:1942; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMDIR overflow attempt"; flow:to_server,established;  content:"RMDIR "; nocase; content:!"|0a|"; within:100; classtype:attempted-admin; sid:1942; rev:1;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:100,relative; pcre:"/^STAT\s[^\n]{100}/smi"; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:1379; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STAT overflow attempt"; flow:to_server,established; content:"STAT "; nocase; content:!"|0a|"; within:100; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:1379; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CEL overflow attempt";flow:to_server,established; content:"CEL"; nocase; isdataat:100,relative; pcre:"/^CEL\s[^\n]{100}/smi"; reference:bugtraq,679; reference:cve,CVE-1999-0789; reference:arachnids,257; classtype:attempted-admin; sid:337; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CEL overflow attempt";flow:to_server,established; content:"CEL "; nocase; content:!"|0a|"; within:100; reference:bugtraq,679; reference:cve,CVE-1999-0789; reference:arachnids,257; classtype:attempted-admin; sid:337; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS overflow attempt"; flow:to_server,established,no_stream;  content:"PASS"; nocase; isdataat:100,relative; pcre:"/^PASS\s[^\n]{100}/smi"; reference:cve,CAN-2000-1035; reference:cve,CAN-2002-0126; classtype:attempted-admin; sid:1972; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS overflow attempt"; flow:to_server,established,no_stream;  content:"PASS "; nocase; content:!"|0a|"; within:100; reference:cve,CAN-2000-1035; reference:cve,CAN-2002-0126; classtype:attempted-admin; sid:1972; rev:1;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC format string attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; nocase; distance:0; content:"%"; distance:1; content:"%"; distance:1; classtype:bad-unknown; sid:1971; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC format string attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC "; nocase; distance:0; content:"%"; distance:1; content:"%"; distance:1; classtype:bad-unknown; sid:1971; rev:1;)
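Review bot: The new sid:1623 expresses "argument is not A, B, S or C" as four negated matches with no `distance` or `within` (`content:!" B"; nocase; content:!" A"; nocase; ...`), so each is evaluated against the whole payload rather than the byte after `MODE `. One of those two-byte sequences appearing anywhere else in the packet therefore suppresses the alert, a false negative the old `^MODE\s+[^ABSC]{1}` did not have. Bounding each negation to the command should keep the test on the argument, e.g. `content:"MODE"; nocase; content:!" A"; nocase; within:2;` and likewise for B, S and C. Note also that `nocase` was lost on `content:"USER w0rm|0D0A|"` (sid:144) and on `content:"CWD "` in sid:336 and sid:1229, although the old versions matched case-insensitively.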

     file -> web-cgi.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI emumail.cgi NULL attempt"; flow:to_server,established; uricontent:"/emumail.cgi"; content:"type="; nocase; content:"%00"; reference:cve,CAN-2002-1526; classtype:web-application-activity; sid:1723;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI emumail.cgi NULL attempt"; flow:to_server,established; uricontent:"/emumail.cgi"; content:"type="; nocase; content:"%00"; classtype:web-application-activity; sid:1723;  rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI emumail.cgi access"; flow:to_server,established; uricontent:"/emumail.cgi"; nocase; reference:cve,CAN-2002-1526; classtype:web-application-activity; sid:1724; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI emumail.cgi access"; flow:to_server,established; uricontent:"/emumail.cgi"; nocase; classtype:web-application-activity; sid:1724;  rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI gbook.cgi access"; flow:to_server,established; uricontent:"/gbook.cgi"; nocase; reference:cve,CVE-2000-1131; classtype:web-application-activity; sid:1716; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI gbook.cgi access"; flow:to_server,established; uricontent:"/gbook.cgi"; nocase; classtype:web-application-activity; sid:1716;  rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI yabb directory traversal attempt"; flow:to_server,established; uricontent:"/YaBB"; nocase; content: "../"; reference:cve,CVE-2000-0853; reference:arachnids,462; reference:bugtraq,1668; classtype:attempted-recon; sid:806;  rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI yabb.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/YaBB.pl"; nocase; content: "../"; reference:cve,CVE-2000-0853; reference:arachnids,462; reference:bugtraq,1668; classtype:attempted-recon; sid:806;  rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI yabb access"; flow:to_server,established; uricontent:"/YaBB"; nocase; reference:cve,CVE-2000-0853; reference:arachnids,462; reference:bugtraq,1668; classtype:attempted-recon; sid:1637;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI yabb.cgi access"; flow:to_server,established; uricontent:"/YaBB.pl"; nocase; reference:cve,CVE-2000-0853; reference:arachnids,462; reference:bugtraq,1668; classtype:attempted-recon; sid:1637;  rev:3;)
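Review bot: The new sid:806 and sid:1637 say `yabb.cgi` in `msg` but match `uricontent:"/YaBB.pl"`, so the alert text names a file the rule does not look for. The match is also narrower than the old `uricontent:"/YaBB"`, which covered any script name beginning with that prefix. Either align the message with the match, e.g. `msg:"WEB-CGI YaBB.pl access"`, or keep the prefix match if other extensions are meant to be covered. The same section drops the `reference:cve,...` option from sid:1723, sid:1724 and sid:1716, which removes the advisory link an analyst would use when triaging the alert.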

     file -> exploit.rules
     old: alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"EXPLOIT SSH server banner overflow"; flow:established,from_server; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s[^\n]{200}/ism"; reference:bugtraq,5287; classtype:misc-attack; sid:1838; rev:6;)
     new: alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"EXPLOIT SSH server banner overflow"; flow:established,from_server; content:"SSH-"; offset:0; depth:4; content:!"|0a|"; within:600; reference:bugtraq,5287; classtype:misc-attack; sid:1838; rev:4;)
     old: alert tcp any any -> any 6666:7000 (msg:"EXPLOIT CHAT IRC Ettercap parse overflow attempt"; flow:to_server,established; content:"PRIVMSG"; nocase; content:"nickserv"; nocase; content:"IDENTIFY"; nocase; isdataat:100,relative; pcre:"/^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi"; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:9;)
     new: alert tcp any any -> any 6666:7000 (msg:"EXPLOIT CHAT IRC Ettercap parse overflow attempt"; flow:to_server,established; content:"PRIVMSG nickserv IDENTIFY"; nocase; offset:0; content:!"|0a|"; within:150; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:7;)
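Review bot: The new sid:1838 alerts only when no newline appears in the 600 bytes after `SSH-` (`content:!"|0a|"; within:600;`), where the old rule used 200, so an over-long banner between those sizes is no longer reported and the update gives no reason for the change. sid:1382 shifts similarly, from 100 bytes to `within:150`. If 200 and 100 were the intended thresholds, `within:200` and `within:100` restore them; otherwise a short comment in exploit.rules stating how each bound was chosen would help whoever tunes these rules next. In sid:1382, `offset:0` without a `depth` does not anchor the match to the start of the payload, unlike the `offset:0; depth:4` pair on sid:1838.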

     file -> pop2.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD overflow attempt"; flow:to_server,established; content:"FOLD"; nocase; isdataat:256,relative; pcre:"/^FOLD\s[^\n]{256}/smi"; reference:bugtraq,283; reference:cve,CVE-1999-0920; classtype:attempted-admin; sid:1934; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD overflow attempt"; flow:to_server,established; content:"FOLD "; content:!"|0A|"; within:256; reference:bugtraq,283; reference:cve,CVE-1999-0920; classtype:attempted-admin; sid:1934; rev:1;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD arbitrary file attempt"; flow:to_server,established; content:"FOLD"; nocase; pcre:"/^FOLD\s+\//smi"; classtype:misc-attack; sid:1935; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD arbitrary file attempt"; flow:to_server,established; content:"FOLD /"; classtype:misc-attack; sid:1935; rev:1;)
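Review bot: Both new rules match `content:"FOLD "` and `content:"FOLD /"` without `nocase`, whereas the old versions had `nocase` on the content and `/i` on the pcre, so a command sent in lower or mixed case is no longer matched. I would restore it: `content:"FOLD "; nocase; content:!"|0A|"; within:256;` for sid:1934 and `content:"FOLD /"; nocase;` for sid:1935. sid:1935 also now requires exactly one space before the slash, where the old `\s+` accepted any run of whitespace.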

     file -> rpc.rules
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request UDP"; content:"|00 01 86 A4|"; offset:12; depth:4; content:"|00 00 00 0B|"; distance:4; within:4; reference:bugtraq,6016; reference:bugtraq,5914; reference:cve,CAN-2002-1232; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:2033; rev:5;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A4|"; offset:12; depth:4; content:"|00 00 00 0B|"; distance:4; within:4; reference:bugtraq,6016; reference:bugtraq,5914; reference:cve,CAN-2002-1232; classtype:rpc-portmap-decode; sid:2033; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 7D|"; within:4; reference:cve,CAN-2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:2005; rev:6;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 7D|"; within:4; reference:cve,CAN-2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2005; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap status request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; reference:arachnids,15; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:2016; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap status request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2016; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:2028; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A9|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2028; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7 68|"; within:4; reference:cve,CAN-2002-0359; reference:bugtraq,5075; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:2082; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7 68|"; within:4; reference:cve,CAN-2002-0359; reference:bugtraq,5075; classtype:rpc-portmap-decode; sid:2082; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP PING"; content:"|00 01 87 88|"; offset:12; depth:4; content:"|00 00 00 00|"; distance:4; within:4; reference:bugtraq,866; classtype:attempted-admin;  content:"|00 00 00 00|"; offset:4; depth:4; sid:1957; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP PING"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 87 88|"; offset:12; depth:4; content:"|00 00 00 00|"; distance:4; within:4; reference:bugtraq,866; classtype:attempted-admin; sid:1957; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request TCP"; flow:to_server,established; content:"|00 01 86 A4|"; offset:16; depth:4; content:"|00 00 00 0B|"; distance:4; within:4; reference:bugtraq,6016; reference:bugtraq,5914; reference:Cve,CAN-2002-1232; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:2034; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A4|"; offset:16; depth:4; content:"|00 00 00 0B|"; distance:4; within:4; reference:bugtraq,6016; reference:bugtraq,5914; reference:Cve,CAN-2002-1232; classtype:rpc-portmap-decode; sid:2034; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount request"; flow:to_server,established; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:attempted-recon;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1951; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount request"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:attempted-recon; sid:1951; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap RQUOTA request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:1961; rev:6;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap RQUOTA request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; classtype:rpc-portmap-decode; sid:1961; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt UDP 111"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:1950; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt UDP 111"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1950; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; reference:arachnids,10; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1270; rev:10;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; reference:arachnids,10; classtype:rpc-portmap-decode; sid:1270; rev:9;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk UDP overflow attempt"; content:"|00 01 86 F3|"; offset:12; depth:4; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; reference:cve,CVE-1999-0003; reference:bugtraq,122; classtype:misc-attack;  content:"|00 00 00 00|"; offset:4; depth:4; sid:1964; rev:6;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk UDP overflow attempt"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 F3|"; offset:12; depth:4; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; reference:cve,CVE-1999-0003; reference:bugtraq,122; classtype:misc-attack; sid:1964; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt UDP"; content:"|00 01 86 A9|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:2029; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A9|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2029; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap selection_svc request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; reference:arachnids,25; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:586; rev:7;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap selection_svc request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; reference:arachnids,25; classtype:rpc-portmap-decode; sid:586; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 01 87 7D|"; offset:16; depth:4; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; reference:cve,CAN-2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack;  content:"|00 00 00 00|"; offset:8; depth:4; sid:2007; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 87 7D|"; offset:16; depth:4; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; reference:cve,CAN-2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2007; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,428; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:598; rev:11;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,428; classtype:rpc-portmap-decode; sid:598; rev:10;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap NFS request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1960; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap NFS request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; classtype:rpc-portmap-decode; sid:1960; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:2030; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A9|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2030; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request UDP"; content:"|00 03 0D 70|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:2037; rev:3;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 03 0D 70|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2037; rev:2;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 05|"; distance:4; within:4; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:1923; rev:5;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 05|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1923; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nisd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 cc|"; within:4; reference:arachnids,21; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:580; rev:7;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nisd request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 cc|"; within:4; reference:arachnids,21; classtype:rpc-portmap-decode; sid:580; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing TCP 32771"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:599; rev:10;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing TCP 32771"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:599; rev:9;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap status request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; reference:arachnids,15; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:587; rev:7;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap status request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:587; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7 75|"; within:4; reference:cve,CAN-2001-0331; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:595; rev:11;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap espd request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7 75|"; within:4; reference:cve,CAN-2001-0331; classtype:rpc-portmap-decode; sid:595; rev:10;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmountall request"; flow:to_server,established; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 04|"; distance:4; within:4; classtype:attempted-recon;  content:"|00 00 00 00|"; offset:8; depth:4; sid:2022; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmountall request"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 04|"; distance:4; within:4; classtype:attempted-recon; sid:2022; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server,established; content:"|00 01 87 88|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; reference:cve,CVE-1999-0977; reference:bugtraq,866; classtype:attempted-admin;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1912; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 87 88|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; reference:cve,CVE-1999-0977; reference:bugtraq,866; classtype:attempted-admin; sid:1912; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; content:"|00 01 86 B8|"; offset:12; depth:4; content:"|00 00 00 02|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; reference:bugtraq,1480; reference:cve,CVE-2000-0666; classtype:misc-attack;  content:"|00 00 00 00|"; offset:4; depth:4; sid:1890; rev:6;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 B8|"; offset:12; depth:4; content:"|00 00 00 02|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; reference:bugtraq,1480; reference:cve,CVE-2000-0666; classtype:misc-attack; sid:1890; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rexd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; reference:arachnids,23; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:582; rev:7;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rexd request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; reference:arachnids,23; classtype:rpc-portmap-decode; sid:582; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; reference:arachnids,25; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1273; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; reference:arachnids,25; classtype:rpc-portmap-decode; sid:1273; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; reference:cve,CVE-2000-0508; reference:bugtraq,1372; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:2080; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; reference:cve,CVE-2000-0508; reference:bugtraq,1372; classtype:rpc-portmap-decode; sid:2080; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt UDP"; content:"|00 01 86 A0 00|"; offset:12; depth:5; content:"|00 00 00 05|"; distance:3; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; classtype:rpc-portmap-decode; reference:cve,CAN-2003-0028; reference:bugtraq,7123;  content:"|00 00 00 00|"; offset:4; depth:4; sid:2092; rev:3;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0 00|"; offset:12; depth:5; content:"|00 00 00 05|"; distance:3; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; classtype:rpc-portmap-decode; reference:cve,CAN-2003-0028; reference:bugtraq,7123; sid:2092; rev:2;)
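Review bot: In sid:2092 the `reference:` options follow `classtype:`, whereas its TCP twin sid:2093 and most other rules in this listing put references first; sid:2025 has the same ordering. Since this update already rewrites the option order of these rules, it would be a good place to normalise them to `reference:cve,CAN-2003-0028; reference:bugtraq,7123; classtype:rpc-portmap-decode;`. This is a point of style only and does not change matching, but it makes the UDP/TCP pairs easier to compare when auditing rule changes.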
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP exportall request"; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 06|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon;  content:"|00 00 00 00|"; offset:4; depth:4; sid:1926; rev:5;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP exportall request"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 06|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:1926; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing UDP 111"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,428; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:1280; rev:8;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing UDP 111"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,428; classtype:rpc-portmap-decode; sid:1280; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02 49 f1|"; within:4; reference:arachnids,22; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1268; rev:10;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02 49 f1|"; within:4; reference:arachnids,22; classtype:rpc-portmap-decode; sid:1268; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt TCP"; content:"|00 01 86 AB|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; reference:cve,CVE-1999-0974; reference:bugtraq,864; classtype:misc-attack;  content:"|00 00 00 00|"; offset:8; depth:4; sid:2024; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt TCP"; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 AB|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; reference:cve,CVE-1999-0974; reference:bugtraq,864; classtype:misc-attack; sid:2024; rev:4;)
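Review bot: sid:2024 is the only TCP rule in this part of the listing without `flow:to_server,established;`, and the update reorders its content checks without adding it. Every other TCP rule here, including the yppasswd overflow rule sid:2030, restricts matching to client-to-server traffic on an established session. As written, this rule can also fire on packets outside a tracked session or travelling in the other direction, which adds false alarms to an overflow signature. I would add `flow:to_server,established;` directly after the `msg` option, as in sid:2030.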
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; reference:arachnids,14; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1275; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; reference:arachnids,14; classtype:rpc-portmap-decode; sid:1275; rev:8;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update UDP"; content:"|00 01 86 A9|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:2031; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A9|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2031; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap espd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7 75|"; within:4; reference:cve,CAN-2001-0331; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:2017; rev:7;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap espd request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7 75|"; within:4; reference:cve,CAN-2001-0331; classtype:rpc-portmap-decode; sid:2017; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 cc|"; within:4; reference:arachnids,21; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1267; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 cc|"; within:4; reference:arachnids,21; classtype:rpc-portmap-decode; sid:1267; rev:8;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmountall request"; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 04|"; distance:4; within:4; classtype:attempted-recon;  content:"|00 00 00 00|"; offset:4; depth:4; sid:2023; rev:3;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmountall request"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 04|"; distance:4; within:4; classtype:attempted-recon; sid:2023; rev:2;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt UDP"; content:"|00 01 86 A9|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; reference:cve,CVE-2001-0779; reference:bugtraq,2763;  content:"|00 00 00 00|"; offset:4; depth:4; sid:2025; rev:7;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A9|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; reference:cve,CVE-2001-0779; reference:bugtraq,2763; sid:2025; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rusers request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; reference:cve,CVE-1999-0626; reference:arachnids,133; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:584; rev:8;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rusers request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; reference:cve,CVE-1999-0626; reference:arachnids,133; classtype:rpc-portmap-decode; sid:584; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|"; offset:16; depth:4; content:"|00 00 00 09|"; distance:4; within:4; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1953; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP pid request"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 04 93 F3|"; offset:16; depth:4; content:"|00 00 00 09|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1953; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt UDP"; content:"|00 05 F7 68|"; offset:12; depth:4; content:"|00 00 00 0D|"; distance:4; within:4; reference:cve,CAN-2002-0359; reference:bugtraq,5075; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:2083; rev:3;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 05 F7 68|"; offset:12; depth:4; content:"|00 00 00 0D|"; distance:4; within:4; reference:cve,CAN-2002-0359; reference:bugtraq,5075; classtype:rpc-portmap-decode; sid:2083; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; reference:arachnids,19; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1263; rev:10;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; reference:arachnids,19; classtype:rpc-portmap-decode; sid:1263; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; reference:arachnids,13; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1266; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; reference:arachnids,13; classtype:rpc-portmap-decode; sid:1266; rev:8;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; reference:arachnids,17; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:578; rev:7;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; reference:arachnids,17; classtype:rpc-portmap-decode; sid:578; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rusers query UDP"; content:"|00 01 86 A2|"; offset:12; depth:4; content:"|00 00 00 02|"; distance:4; within:4; reference:cve,CVE-1999-0626; classtype:attempted-recon;  content:"|00 00 00 00|"; offset:4; depth:4; sid:612; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rusers query UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A2|"; offset:12; depth:4; content:"|00 00 00 02|"; distance:4; within:4; reference:cve,CVE-1999-0626; classtype:attempted-recon; sid:612; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap admind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; reference:arachnids,18; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1262; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap admind request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; reference:arachnids,18; classtype:rpc-portmap-decode; sid:1262; rev:7;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP mount request"; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:attempted-recon;  content:"|00 00 00 00|"; offset:4; depth:4; sid:1952; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP mount request"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:attempted-recon; sid:1952; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A0 00|"; offset:16; depth:5; content:"|00 00 00 05|"; distance:3; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; reference:cve,CAN-2003-0028; reference:bugtraq,7123; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:2093; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0 00|"; offset:16; depth:5; content:"|00 00 00 05|"; distance:3; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; reference:cve,CAN-2003-0028; reference:bugtraq,7123; classtype:rpc-portmap-decode; sid:2093; rev:2;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; reference:arachnids,13; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:579; rev:7;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; reference:arachnids,13; classtype:rpc-portmap-decode; sid:579; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypupdated request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; reference:arachnids,125; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:1277; rev:8;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypupdated request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; reference:arachnids,125; classtype:rpc-portmap-decode; sid:1277; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D 70|"; within:4; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:2036; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D 70|"; within:4; classtype:rpc-portmap-decode; sid:2036; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cachefsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; reference:cve,CAN-2002-0084; reference:bugtraq,4674; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1747; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cachefsd request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; reference:cve,CAN-2002-0084; reference:bugtraq,4674; classtype:rpc-portmap-decode; sid:1747; rev:7;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap NFS request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:1959; rev:6;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap NFS request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; classtype:rpc-portmap-decode; sid:1959; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt UDP 111"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 02|"; distance:4; within:4; reference:bugtraq,1892; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:2015; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt UDP 111"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 02|"; distance:4; within:4; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2015; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; offset:16; depth:4; content:"|00 00 00 06|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; reference:cve,CVE-1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1909; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 E4|"; offset:16; depth:4; content:"|00 00 00 06|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; reference:cve,CVE-1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1909; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D 70|"; within:4; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:2035; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D 70|"; within:4; classtype:rpc-portmap-decode; sid:2035; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP exportall request"; flow:to_server,established; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 06|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1925; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP exportall request"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 06|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:1925; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; content:"|00 01 86 E4|"; offset:12; depth:4; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; reference:cve,CVE-1999-0696; reference:bugtraq,524; classtype:attempted-admin;  content:"|00 00 00 00|"; offset:4; depth:4; sid:1907; rev:8;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 E4|"; offset:12; depth:4; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; reference:cve,CVE-1999-0696; reference:bugtraq,524; classtype:attempted-admin; sid:1907; rev:7;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7 68|"; within:4; reference:cve,CAN-2002-0359; reference:bugtraq,5075; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:2081; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7 68|"; within:4; reference:cve,CAN-2002-0359; reference:bugtraq,5075; classtype:rpc-portmap-decode; sid:2081; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rwalld request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:1732; rev:8;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rwalld request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; classtype:rpc-portmap-decode; sid:1732; rev:7;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cachefsd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; reference:cve,CAN-2002-0084; reference:bugtraq,4674; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:1746; rev:8;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cachefsd request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; reference:cve,CAN-2002-0084; reference:bugtraq,4674; classtype:rpc-portmap-decode; sid:1746; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt TCP"; flow:to_server,established; content:"|00 05 F7 68|"; offset:16; depth:4; content:"|00 00 00 0D|"; distance:4; within:4; reference:cve,CAN-2002-0359; reference:bugtraq,5075; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:2084; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 05 F7 68|"; offset:16; depth:4; content:"|00 00 00 0D|"; distance:4; within:4; reference:cve,CAN-2002-0359; reference:bugtraq,5075; classtype:rpc-portmap-decode; sid:2084; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 7D|"; within:4; reference:cve,CAN-2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:2006; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 7D|"; within:4; reference:cve,CAN-2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2006; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP export request"; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 05|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon;  content:"|00 00 00 00|"; offset:4; depth:4; sid:1924; rev:5;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP export request"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 05|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:1924; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; reference:arachnids,20; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1272; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; reference:arachnids,20; classtype:rpc-portmap-decode; sid:1272; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; offset:16; depth:4; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; reference:cve,CVE-1999-0696; reference:bugtraq,524; classtype:attempted-admin;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1908; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 E4|"; offset:16; depth:4; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; reference:cve,CVE-1999-0696; reference:bugtraq,524; classtype:attempted-admin; sid:1908; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP PING"; flow:to_server,established; content:"|00 01 87 88|"; offset:16; depth:4; content:"|00 00 00 00|"; distance:4; within:4; reference:bugtraq,866; classtype:attempted-admin;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1958; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP PING"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 87 88|"; offset:16; depth:4; content:"|00 00 00 00|"; distance:4; within:4; reference:bugtraq,866; classtype:attempted-admin; sid:1958; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap RQUOTA request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1962; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap RQUOTA request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; classtype:rpc-portmap-decode; sid:1962; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt UDP"; content:"|00 01 86 AB|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; reference:cve,CVE-1999-0974; reference:bugtraq,864; classtype:misc-attack;  content:"|00 00 00 00|"; offset:4; depth:4; sid:1963; rev:7;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 AB|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; reference:cve,CVE-1999-0974; reference:bugtraq,864; classtype:misc-attack; sid:1963; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; reference:cve,CVE-2001-0779; reference:bugtraq,2763;  content:"|00 00 00 00|"; offset:8; depth:4; sid:2026; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A9|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; reference:cve,CVE-2001-0779; reference:bugtraq,2763; sid:2026; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,2417; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:593; rev:14;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,2417; classtype:rpc-portmap-decode; sid:593; rev:13;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; reference:arachnids,20; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:585; rev:6;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; reference:arachnids,20; classtype:rpc-portmap-decode; sid:585; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmount request"; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; classtype:attempted-recon;  content:"|00 00 00 00|"; offset:4; depth:4; sid:2021; rev:3;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmount request"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; classtype:attempted-recon; sid:2021; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmount request"; flow:to_server,established; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; classtype:attempted-recon;  content:"|00 00 00 00|"; offset:8; depth:4; sid:2020; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmount request"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; classtype:attempted-recon; sid:2020; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rwalld request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1733; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rwalld request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; classtype:rpc-portmap-decode; sid:1733; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; reference:bugtraq,6016; reference:bugtraq,5914; reference:cve,CAN-2002-1232; reference:cve,CVE-2000-1042; reference:cve,CVE-2000-1043; reference:arachnids,12; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1276; rev:11;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; reference:bugtraq,6016; reference:bugtraq,5914; reference:cve,CAN-2002-1232; reference:cve,CVE-2000-1042; reference:cve,CVE-2000-1043; reference:arachnids,12; classtype:rpc-portmap-decode; sid:1276; rev:10;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap admind request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; reference:arachnids,18; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:575; rev:7;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap admind request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; reference:arachnids,18; classtype:rpc-portmap-decode; sid:575; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,122; reference:arachnids,24; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1274; rev:12;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,122; reference:arachnids,24; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1274; rev:11;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing UDP 32771"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:1281; rev:6;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing UDP 32771"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:1281; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD UDP monitor mon_name format string exploit attempt"; content:"|00 01 86 B8|"; offset:12; depth:4; content:"|00 00 00 02|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin;  content:"|00 00 00 00|"; offset:4; depth:4; sid:1915; rev:7;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD UDP monitor mon_name format string exploit attempt"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 B8|"; offset:12; depth:4; content:"|00 00 00 02|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin; sid:1915; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request TCP"; flow:to_server,established; content:"|00 03 0D 70|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:2038; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 03 0D 70|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2038; rev:2;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap amountd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; reference:arachnids,19; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:576; rev:7;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap amountd request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; reference:arachnids,19; classtype:rpc-portmap-decode; sid:576; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap snmpXdmi request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,2417; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:1279; rev:10;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap snmpXdmi request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,2417; classtype:rpc-portmap-decode; sid:1279; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD TCP stat mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1914; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD TCP stat mon_name format string exploit attempt"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 B8|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin; sid:1914; rev:7;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP dump request"; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 02|"; distance:4; within:4; classtype:attempted-recon;  content:"|00 00 00 00|"; offset:4; depth:4; sid:2019; rev:3;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP dump request"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 02|"; distance:4; within:4; classtype:attempted-recon; sid:2019; rev:2;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; reference:cve,CVE-2000-0508; reference:bugtraq,1372; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:2079; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; reference:cve,CVE-2000-0508; reference:bugtraq,1372; classtype:rpc-portmap-decode; sid:2079; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt TCP"; flow:to_server,established; content:"|00 01 86 BC|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|"; distance:4; classtype:misc-attack;  content:"|00 00 00 00|"; offset:8; depth:4; sid:2089; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 BC|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|"; distance:4; classtype:misc-attack; sid:2089; rev:2;)
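Review bot: The final `content:"\|"; distance:4;` in sid 2089 has no `within`, so after the two `byte_jump` steps it matches a pipe byte anywhere in the rest of the payload. That makes the rule prone to false positives on long or binary arguments. If the intent is to catch a pipe as the first byte of the string argument that follows its 4-byte length field (inferred from the rule, not stated on the page), the match should be bounded: `content:"\|"; distance:4; within:1;`.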
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; reference:arachnids,14; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:589; rev:7;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap yppasswd request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; reference:arachnids,14; classtype:rpc-portmap-decode; sid:589; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypserv request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; reference:bugtraq,6016; reference:bugtraq,5914; reference:cve,CAN-2002-1232; reference:cve,CVE-2000-1042; reference:cve,CVE-2000-1043; reference:arachnids,12; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:590; rev:9;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypserv request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; reference:bugtraq,6016; reference:bugtraq,5914; reference:cve,CAN-2002-1232; reference:cve,CVE-2000-1042; reference:cve,CVE-2000-1043; reference:arachnids,12; classtype:rpc-portmap-decode; sid:590; rev:8;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP pid request"; content:"|00 04 93 F3|"; offset:12; depth:4; content:"|00 00 00 09|"; distance:4; within:4; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:1954; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP pid request"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 04 93 F3|"; offset:12; depth:4; content:"|00 00 00 09|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1954; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; offset:16; depth:4; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; reference:cve,CAN-2002-0391; reference:bugtraq,5356; classtype:attempted-admin;  content:"|00 00 00 00|"; offset:8; depth:4; sid:2095; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 E4|"; offset:16; depth:4; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; reference:cve,CAN-2002-0391; reference:bugtraq,5356; classtype:attempted-admin; sid:2095; rev:2;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt UDP"; content:"|00 01 86 A9|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:2027; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A9|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2027; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap pcnfsd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02 49 f1|"; within:4; reference:arachnids,22; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:581; rev:7;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap pcnfsd request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02 49 f1|"; within:4; reference:arachnids,22; classtype:rpc-portmap-decode; sid:581; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD udp CMSD_INSERT buffer overflow attempt"; content:"|00 01 86 E4|"; offset:12; depth:4; content:"|00 00 00 06|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; reference:cve,CVE-1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack;  content:"|00 00 00 00|"; offset:4; depth:4; sid:1910; rev:7;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD udp CMSD_INSERT buffer overflow attempt"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 E4|"; offset:12; depth:4; content:"|00 00 00 06|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; reference:cve,CVE-1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1910; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; reference:arachnids,17; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1265; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; reference:arachnids,17; classtype:rpc-portmap-decode; sid:1265; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 05|"; distance:4; within:4; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1922; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 05|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1922; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4;  reference:bugtraq,122; reference:arachnids,24; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:588; rev:12;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4;  reference:bugtraq,122; reference:arachnids,24; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:588; rev:11;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; reference:arachnids,23; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1269; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; reference:arachnids,23; classtype:rpc-portmap-decode; sid:1269; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1949; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt TCP 111"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1949; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; content:"|00 01 86 E4|"; offset:12; depth:4; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; reference:cve,CAN-2002-0391; reference:bugtraq,5356; classtype:attempted-admin;  content:"|00 00 00 00|"; offset:4; depth:4; sid:2094; rev:3;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 E4|"; offset:12; depth:4; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; reference:cve,CAN-2002-0391; reference:bugtraq,5356; classtype:attempted-admin; sid:2094; rev:2;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD UDP stat mon_name format string exploit attempt"; content:"|00 01 86 B8|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin;  content:"|00 00 00 00|"; offset:4; depth:4; sid:1913; rev:8;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD UDP stat mon_name format string exploit attempt"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 B8|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin; sid:1913; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP dump request"; flow:to_server,established; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 02|"; distance:4; within:4; classtype:attempted-recon;  content:"|00 00 00 00|"; offset:8; depth:4; sid:2018; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP dump request"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 02|"; distance:4; within:4; classtype:attempted-recon; sid:2018; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP amqproc_mount plog overflow attempt"; flow:to_server,established; content:"|00 04 93 F3|"; offset:16; depth:4; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; reference:cve,CVE-1999-0704; reference:bugtraq,614; classtype:misc-attack;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1906; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP amqproc_mount plog overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 04 93 F3|"; offset:16; depth:4; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; reference:cve,CVE-1999-0704; reference:bugtraq,614; classtype:misc-attack; sid:1906; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update TCP"; flow:to_server,established; content:"|00 01 86 A9|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:2032; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A9|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2032; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 02|"; distance:4; within:4; reference:bugtraq,1892; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:2014; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt TCP 111"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 02|"; distance:4; within:4; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2014; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; reference:cve,CVE-1999-0626; reference:arachnids,133; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1271; rev:11;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; reference:cve,CVE-1999-0626; reference:arachnids,133; classtype:rpc-portmap-decode; sid:1271; rev:10;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD TCP monitor mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; offset:16; depth:4; content:"|00 00 00 02|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1916; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD TCP monitor mon_name format string exploit attempt"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 B8|"; offset:16; depth:4; content:"|00 00 00 02|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin; sid:1916; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; reference:arachnids,10; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:583; rev:8;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; reference:arachnids,10; classtype:rpc-portmap-decode; sid:583; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; reference:cve,CAN-1999-0647; reference:arachnids,16; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1264; rev:10;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; reference:cve,CAN-1999-0647; reference:arachnids,16; classtype:rpc-portmap-decode; sid:1264; rev:9;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP version request"; content:"|00 04 93 F3|"; offset:12; depth:4; content:"|00 00 00 08|"; distance:4; within:4; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:1956; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP version request"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 04 93 F3|"; offset:12; depth:4; content:"|00 00 00 08|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1956; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; flow:to_server, established; content:"|00 01 86 B8|"; offset:16; depth:4; content:"|00 00 00 02|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; reference:bugtraq,1480; reference: cve,CVE-2000-0666; classtype: misc-attack;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1891; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; flow:to_server, established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 B8|"; offset:16; depth:4; content:"|00 00 00 02|"; distance:4; within:4;  byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; reference:bugtraq,1480; reference: cve,CVE-2000-0666; classtype: misc-attack; sid:1891; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt UDP"; content:"|00 01 86 BC|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|"; distance:4; classtype:misc-attack;  content:"|00 00 00 00|"; offset:4; depth:4; sid:2088; rev:3;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 BC|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|"; distance:4; classtype:misc-attack; sid:2088; rev:2;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap bootparam request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; reference:cve,CAN-1999-0647; reference:arachnids,16; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:4; depth:4; sid:577; rev:10;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap bootparam request UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; reference:cve,CAN-1999-0647; reference:arachnids,16; classtype:rpc-portmap-decode; sid:577; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|"; offset:16; depth:4; content:"|00 00 01 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; reference:bugtraq,2417; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin;  content:"|00 00 00 00|"; offset:8; depth:4; sid:569; rev:10;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 87 99|"; offset:16; depth:4; content:"|00 00 01 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; reference:bugtraq,2417; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP version request"; flow:to_server,established; content:"|00 04 93 F3|"; offset:16; depth:4; content:"|00 00 00 08|"; distance:4; within:4; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1955; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP version request"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 04 93 F3|"; offset:16; depth:4; content:"|00 00 00 08|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1955; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk TCP overflow attempt"; flow:to_server,established; content:"|00 01 86 F3|"; offset:16; depth:4; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; reference:cve,CVE-1999-0003; reference:bugtraq,122; classtype:misc-attack;  content:"|00 00 00 00|"; offset:8; depth:4; sid:1965; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk TCP overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 F3|"; offset:16; depth:4; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; reference:cve,CVE-1999-0003; reference:bugtraq,122; classtype:misc-attack; sid:1965; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; reference:arachnids,125; classtype:rpc-portmap-decode;  content:"|00 00 00 00|"; offset:8; depth:4; sid:591; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; reference:arachnids,125; classtype:rpc-portmap-decode; sid:591; rev:8;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP amqproc_mount plog overflow attempt"; content:"|00 04 93 F3|"; offset:12; depth:4; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;  byte_test:4,>,512,0,relative; reference:cve,CVE-1999-0704; reference:bugtraq,614; classtype:misc-attack;  content:"|00 00 00 00|"; offset:4; depth:4; sid:1905; rev:6;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP amqproc_mount plog overflow attempt"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 04 93 F3|"; offset:12; depth:4; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;  byte_test:4,>,512,0,relative; reference:cve,CVE-1999-0704; reference:bugtraq,614; classtype:misc-attack; sid:1905; rev:5;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt UDP"; content:"|00 01 87 99|"; offset:12; depth:4; content:"|00 00 01 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; reference:bugtraq,2417; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin;  content:"|00 00 00 00|"; offset:4; depth:4; sid:2045; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt UDP"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 87 99|"; offset:12; depth:4; content:"|00 00 01 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; reference:bugtraq,2417; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2045; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 05|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon;  content:"|00 00 00 00|"; offset:8; depth:4; sid:574; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP export request"; flow:to_server,established; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 05|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:574; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; content:"|00 01 87 88|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; reference:cve,CVE-1999-0977; reference:bugtraq,866; classtype:attempted-admin;  content:"|00 00 00 00|"; offset:4; depth:4; sid:1911; rev:7;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 01 87 88|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; reference:cve,CVE-1999-0977; reference:bugtraq,866; classtype:attempted-admin; sid:1911; rev:6;)

     file -> netbios.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20 AF 6E 7C 57|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; reference:cve,CAN-2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.asp; reference:cve,CAN-2003-0715; sid:2252; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20 AF 6E 7C 57|"; distance:29; within:16; tag:session,5,packets; classtype:attempted-admin; reference:cve,CAN-2003-0715; reference:cve,CAN-2003-0528; reference:cve,CAN-2003-0605; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.asp; sid:2252; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Remote Activation bind attempt"; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20 AF 6E 7C 57|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.asp; reference:cve,CAN-2003-0715; sid:2251; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Remote Activation bind attempt"; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20 AF 6E 7C 57|"; distance:29; within:16; tag:session,5,packets; reference:cve,CAN-2003-0715; reference:cve,CAN-2003-0528; reference:cve,CAN-2003-0605;  classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.asp; sid:2251; rev:3;)
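Review bot: The port-135 rule (sid:2251) still carries no `flow` option, while its SMB counterpart sid:2252 just above has `flow:to_server,established;`. As written it is evaluated against packets outside an established client-to-server session as well; adding `flow:to_server,established;` after `msg` would align the two rules. Both new revisions also drop `reference:cve,CAN-2003-0352;` and the MS03-026 URL, although the detection content is byte-for-byte unchanged. The same traffic still alerts, so keeping the older references next to the MS03-039 ones would preserve the link analysts used when triaging earlier alerts.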

     file -> web-frontpage.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE .... request"; flow:to_server,established; uricontent:"..../"; nocase; reference:bugtraq,989; reference:cve,CAN-2000-0153; reference:arachnids,248; classtype:web-application-attack; sid:966; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fourdots request"; flow:to_server,established; content: "|2e 2e 2e 2e 2f|"; nocase; reference:bugtraq,989; reference:cve,CAN-2000-0153; reference:arachnids,248; classtype:web-application-attack; sid:966;  rev:5;)
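Review bot: Replacing `uricontent:"..../";` with `content: "|2e 2e 2e 2e 2f|";` moves the match from the normalized URI to the raw payload of sid:966. The rule now depends on the literal bytes being present, and it can fire on those five bytes anywhere in the request, not only in the URI. If the change was not forced by the target Snort version, keeping `uricontent:"..../";` retains the normalized match. The `nocase;` that follows has no effect on a pattern with no letters and can be dropped. The rev also goes from 6 to 5, which suggests a sync back to an earlier revision; a comment recording why would help whoever compares rule sets later.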

     file -> nntp.rules
     old: alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"NNTP return code buffer overflow attempt"; flow:to_server,established,no_stream; content:"200"; isdataat:64,relative; pcre:"/^200\s[^\n]{64}/smi"; reference:bugtraq,4900; reference:cve,CAN-2002-0909; classtype:protocol-command-decode; sid:1792; rev:7;)
     new: alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"NNTP return code buffer overflow attempt"; flow:to_server,established,no_stream; content:"200 "; offset:0; depth:4; content:!"|0a|"; within:64; reference:bugtraq,4900; reference:cve,CAN-2002-0909; classtype:protocol-command-decode; sid:1792; rev:5;)
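Review bot: The header of sid:1792 matches packets sent from port 119, which are server replies, but the rule keeps `flow:to_server,established,no_stream;` on both the old and new side. Those two conditions point in opposite directions, so the rule is unlikely to fire on an NNTP return code; `flow:to_client,established,no_stream;` matches the header. The new side also drops `isdataat:64,relative;` and relies on `content:!"|0a|"; within:64;` alone. It is worth confirming how that negated match behaves when fewer than 64 bytes follow `200 `, since a short reply split across packets could satisfy it. If the target Snort version supports `isdataat`, keeping it makes the length condition explicit.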
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP AUTHINFO USER overflow attempt"; flow:to_server,established; content:"AUTHINFO"; nocase; content:"USER"; nocase; distance:0; isdataat:200,relative; pcre:"/^AUTHINFO\s+USER\s[^\n]{200}/smi"; reference:cve,CAN-2000-0341; reference:arachnids,274; classtype:attempted-admin; sid:1538; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP AUTHINFO USER overflow attempt"; flow:to_server,established; content:"AUTHINFO USER "; nocase; depth:14; content:!"|0a|"; within:500; reference:cve,CAN-2000-0341; reference:arachnids,274; classtype:attempted-admin; sid:1538; rev:5;)
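Review bot: The new sid:1538 changes the overflow threshold from 200 bytes (`isdataat:200,relative` with `[^\n]{200}`) to `within:500`, and nothing on the page says why. The rule now stays silent on lines between 200 and 500 bytes that the previous revision reported. `content:"AUTHINFO USER "; nocase; depth:14;` also narrows the match to one exact spelling at the very start of the packet, where the old pcre accepted `AUTHINFO\s+USER\s`. If the pcre had to go for compatibility, keeping the two separate contents (`content:"AUTHINFO"; nocase; content:"USER"; nocase; distance:0;`) and `within:200` would stay closer to the earlier coverage. Otherwise a short comment should record the reason for the 500-byte figure.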

[*] Non-rule changes: [*]

  [+++]       Added lines:       [+++]

    -> File "snort.conf":
       #   http://www.snort.org     Snort 2.0.0 Ruleset
       # Configure the snort decoder:
       # config disable_ttcp_alerts
       preprocessor stream4: detect_scans, disable_evasion_alerts
       # http_decode: normalize HTTP requests
       # ------------------------------------
       # http_decode normalizes HTTP requests from remote 
       # machines by converting any %XX character 
       # substitutions to their ASCII equivalent. This is
       # very useful for doing things like defeating hostile
       # attackers trying to stealth themselves from IDSs by
       # mixing these substitutions in with the request. 
       # Specify the port numbers you want it to analyze as arguments.
       # Major code cleanups thanks to rfp
       # unicode          - normalize unicode
       # iis_alt_unicode  - %u encoding from iis 
       # double_encode    - alert on possible double encodings
       # iis_flip_slash   - normalize \ as /
       # full_whitespace  - treat \t as whitespace ( for apache )
       #   1       UNICODE attack
       #   2       NULL byte attack
       preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
       # Conversation
       #------------------------------------------
       # This preprocessor tracks conversations for tcp, udp and icmp traffic.  It
       # is a prerequisite for running portscan2.
       # allowed_ip_protcols 1 6 17
       #      list of allowed ip protcols ( defaults to any )
       # timeout [num]
       #      conversation timeout ( defaults to 60 )
       # max_conversations [num] 
       #      number of conversations to support at once (defaults to 65335)
       # alert_odd_protocols
       #      alert on protocols not listed in allowed_ip_protocols
       # preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
       # Portscan2
       #-------------------------------------------
       # Portscan 2, detect portscans in a new and exciting way.  You must enable
       # spp_conversation in order to use this preprocessor.
       # Available options:
       #       scanners_max [num] 
       #       targets_max [num]
       #       target_limit [num]
       #       port_limit [num]
       #       timeout [num]
       #       log [logdir]
       #preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60
       # Too many false alerts from portscan2? Tone it down with
       # portscan2-ignorehosts!
       # A space delimited list of addresses in CIDR notation to ignore
       # preprocessor portscan2-ignorehosts: 10.0.0.0/8 192.168.24.0/24
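Review bot: The added `preprocessor http_decode:` line normalizes port 80 only, while the `http_inspect_server` block listed under the removed snort.conf lines covered `ports { 80 8080 }`, so HTTP on 8080 would no longer be decoded before `uricontent` rules see it. If any host in $HTTP_SERVERS listens on 8080, list it as well: `preprocessor http_decode: 80 8080 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace`. The same update removes the gen-msg.map entries for generators 119 to 121, so alerts for HTTP anomalies and flow-portscan will stop appearing; monitoring that keys on those IDs should be adjusted to match.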

  [---]      Removed lines:      [---]
    -> File "ftp.rules":
       # dup of 1672
       # dup of 1229
    -> File "policy.rules":
       # dup of 553
    -> File "gen-msg.map":
       119 || 1 || http_inspect: ASCII ENCODING
       119 || 2 || http_inspect: DOUBLE DECODING ATTACK
       119 || 3 || http_inspect: U ENCODING
       119 || 4 || http_inspect: BARE BYTE UNICODE ENCODING
       119 || 5 || http_inspect: BASE36 ENCODING
       119 || 6 || http_inspect: UTF-8 ENCODING
       119 || 7 || http_inspect: IIS UNICODE CODEPOINT ENCODING
       119 || 8 || http_inspect: MULTI_SLASH ENCODING
       119 || 9 || http_inspect: IIS BACKSLASH EVASION
       119 || 10 || http_inspect: SELF DIRECTORY TRAVERSAL
       119 || 11 || http_inspect: DIRECTORY TRAVERSAL
       119 || 12 || http_inspect: APACHE WHITESPACE (TAB)
       119 || 13 || http_inspect: NON-RFC HTTP DELIMITER
       119 || 14 || http_inspect: NON-RFC DEFINED CHAR
       119 || 15 || http_inspect: OVERSIZE REQUEST-URI DIRECTORY
       119 || 16 || http_inspect: OVERSIZE CHUNK ENCODING
       119 || 17 || http_inspect: UNAUTHORIZED PROXY USE DETECTED
       120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT
       121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded
       121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded
       121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded
       121 || 4 || flow-portscan: Sliding Scale Talker Limit Exceeded
    -> File "experimental.rules":
       alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR typot trojan traffic"; flags:S,12; window:55808;)
    -> File "rpc.rules":
       alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query with root credentials attempt TCP"; flow:to_server,established; content:"|00 01 87 88|"; offset:16; depth:4; content:"|00 00 00 01 00 00 00 01|"; distance:4; within:8; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; distance:0; within:4;)
       alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query with root credentials attempt UDP"; content:"|00 01 87 88|"; offset:12; depth:4; content:"|00 00 00 01 00 00 00 01|"; distance:4; within:8; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; distance:0; within:4;)
    -> File "snort.conf":
       #   http://www.snort.org     Snort 2.1.0 Ruleset
       # List of snmp servers on your network
       var SNMP_SERVERS $HOME_NET
       output log_unified
       # Please note:  [80,8080] does not work.
       # If you wish to define multiple HTTP ports,
       # var HTTP_PORTS 80 
       # include web.rules
       # var HTTP_PORTS 8080
       # include web.rules
       # Configure the snort decoder
       # Snort's decoder will alert on lots of things such as header
       # truncation or options of unusual length or infrequently used tcp options
       #  In snort 2.0.1 and above, this only alerts when the a TCP option
       #  is detected that shows T/TCP being actively used on the network.
       #  If this is normal behavior for your network, disable the next option.
       #   config disable_tcpopt_ttcp_alerts
       preprocessor stream4: disable_evasion_alerts
       # http_inspect: normalize and detect HTTP traffic and protocol anomalies
       # lots of options available here. See doc/README.http_inspect
       preprocessor http_inspect: global \
           iis_unicode_map unicode.map 1252
       preprocessor http_inspect_server: server default \
           profile all \
           ports { 80 8080 }
       #  Example unqiue server configuration
       #preprocessor http_inspect_server: server 1.1.1.1 \
       #    flow_depth 0 \
       #    ascii no \
       #    double_decode yes \
       #    non_rfc_char { 0x00 } \
       #    chunk_length 500000 \
       #    non_strict \
       #    no_alerts




