[Snort-sigs] snort-rules CURRENT update @ Tue Aug 10 10:02:57 2004

bmc at ...95... bmc at ...95...
Mon Aug 16 07:52:24 EDT 2004


This rule update was brought to you by Oinkmaster.

[*] Rule modifications: [*]

  [+++]           Added:           [+++]

     file -> web-misc.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 901 (msg:"WEB-MISC Samba SWAT Authorization port 901 overflow attempt"; flow:to_server,established; content:"Authorization|3a| Basic"; nocase; pcre:"/^Authorization\x3a Basic\s+=/smi"; reference:bugtraq,10780; classtype:web-application-attack; sid:2598; rev:1;)
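Review bot: sid:2598 restricts the destination to `$HTTP_SERVERS`, yet SWAT runs on Samba hosts that are rarely listed as web servers, so on many deployments this rule will never see the traffic it is written for; sid:2655 in the same update pairs its fixed port with `$HOME_NET`, and `alert tcp $EXTERNAL_NET any -> $HOME_NET 901` would be the consistent choice unless SWAT hosts are known to be in `$HTTP_SERVERS`. The detection itself, `^Authorization\x3a Basic\s+=`, is a pattern check for a Base64 value that begins with `=` (presumably the decoder condition behind bugtraq 10780) rather than a length check, which is easy to misread given the word "overflow" in the msg. A one-line comment above the rule, `# triggers on a leading '=' in the Base64 credential, not on length - see bugtraq 10780`, would save the next maintainer from "fixing" it with an `isdataat`.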

     file -> web-php.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP PHPNuke Forum viewtopic SQL insertion attempt"; flow:to_server,established; uricontent:"/modules.php"; nocase; content:"name=Forums"; content:"file=viewtopic"; pcre:"/forum=.*'/"; reference:bugtraq,7193; classtype:web-application-attack; sid:2654; rev:2;)
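Review bot: The pcre in sid:2654, `/forum=.*'/`, is evaluated against the raw payload rather than the normalized URI, so a request that sends the quote URL-encoded as `%27` is never matched, while the unbounded `.*` lets a literal quote anywhere later in the request (another parameter, a Cookie header, a POST body) satisfy it, making the rule both evadable and prone to false positives. Limiting the match to the parameter value and accepting the encoded form, e.g. `pcre:"/forum=[^&\s]*(\x27|%27)/i"`, addresses both problems without touching the content pre-filters. The rule also targets `$HOME_NET` where every other WEB-* rule in this update uses `$HTTP_SERVERS`; if that is deliberate for a widely self-hosted PHP application it deserves a comment, otherwise it should be aligned with its siblings.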

     file -> deleted.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC order.log access"; flow:to_server,established; uricontent:"/admin_files/order.log"; nocase; classtype:attempted-recon; sid:1176; rev:6;)

     file -> misc.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin ExecuteFile admin access"; flow:to_server,established; content:"/plugins/framework/script/content.hts"; nocase; content:"ExecuteFile"; nocase; reference:bugtraq,10224; classtype:attempted-admin; sid:2655; rev:1;)
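Review bot: The two content matches in sid:2655 are independent, so `ExecuteFile` may occur anywhere in the stream, before or after the `content.hts` path, and the rule does not establish that the parameter belongs to the request that references the plugin; making the second match relative, `content:"ExecuteFile"; nocase; distance:0;`, ties the two together. The path is matched with `content` rather than `uricontent`, so an encoded variant of the path that the HTTP preprocessor would normalize (e.g. `%2F` separators) is not caught; if the path is expected in the request line, `uricontent:"/plugins/framework/script/content.hts"` is the usual choice. If bugtraq 10224 describes the parameters arriving in a POST body, the raw content match may be intentional and a short comment stating that would stop a later reviewer from converting it.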

     file -> oracle.rules
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE refresh_mview_repgroup ordered gowner buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,(\s*(true|false)\s*,\s*){3}((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2632; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE cancel_statistics named sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/(s|o)name\s*=>\s*(\x27[^\x27]{1000,}|\x22[^\x22]{1000,})/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2609; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE revoke_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2613; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE unregister_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2625; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE cancel_statistics ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2610; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE utl.register_flavor_change ordered buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.register_flavor_change"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2621; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_mview_repgroup named gowner buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/gowner\s*=>\s*(\x27[^\x27]{1000,}|\x22[^\x22]{1000,})/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2639; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter_master_repobject named type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; pcre:"/type\s*=>\s*(\x27[^\x27]{1000,}|\x22[^\x22]{1000,})/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2619; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_master_repobject named type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/type\s*=>\s*(\x27[^\x27]{1000,}|\x22[^\x22]{1000,})/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2637; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE utl.drop_an_object ordered buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_utl.drop_an_object"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2622; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE instantiate_online named refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_online"; nocase; pcre:"/refresh_template_name\s*=>\s*(\x27[^\x27]{1000,}|\x22[^\x22]{1000,})/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck631.html; classtype:attempted-user; sid:2647; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE revoke_surrogate_repcat named userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/userid\s*=>\s*(\x27[^\x27]{1000,}|\x22[^\x22]{1000,})/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2612; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter_mview_propagation ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2618; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE snapshot.end_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2636; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE unregister_user_repgroup named privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/privilege_type\s*=>\s*(\x27[^\x27]{1000,}|\x22[^\x22]{1000,})/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2624; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE from_tz buffer overflow attempt"; flow:to_server,established; content:"FROM_TZ"; nocase; pcre:"/\(\s*TIMESTAMP\s*(\s*(\x27[^\x27]+'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.nextgenss.com/advisories/ora_from_tz.txt; classtype:attempted-user; sid:2644; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_site_instantiate ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"drop_site_instantiation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck629.html; classtype:attempted-user; sid:2642; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_master_repgroup named gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/gname\s*=>\s*(\x27[^\x27]{1000,}|\x22[^\x22]{1000,})/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck87.html; classtype:attempted-user; sid:2601; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE add_grouped_column named sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/(s|o)name\s*=>\s*(\x27[^\x27]{1000,}|\x22[^\x22]{1000,})/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2599; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE rectifier_diff ordered sname1 buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2634; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE grant_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2616; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE time_zone buffer overflow attempt"; flow:to_server,established; content:"TIME_ZONE"; nocase; pcre:"/TIME_ZONE\s*=\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_time_zone.txt; classtype:attempted-user; sid:2614; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE check_ddl_text ordered buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.check_ddl_text"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2608; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE instantiate_offline ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_offline"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck630.html; classtype:attempted-user; sid:2646; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE repcat_import_check ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/\((\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2628; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_mview_repgroup ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2640; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE comment_on_repobject named type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/type\s*=>\s*(\x27[^\x27]{1000,}|\x22[^\x22]{1000,})/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2606; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE user name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"(user="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2650; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE utl.create_snapshot_repgroup ordered buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2623; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE NUMTODSINTERVAL/NUMTOYMINTERVAL buffer overflow attempt"; flow: to_server,established; content:"NUMTO"; nocase; content:"INTERVAL"; nocase; distance:2; pcre:"/NUMTO(DS|YM)INTERVAL\s*\(\s*\d+\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_numtodsinterval.txt; reference:url,www.nextgenss.com/advisories/ora_numtoyminterval.txt; classtype:attempted-user; sid:2651; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter_mview_propagation named gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/gname\s*=>\s*(\x27[^\x27]{1000,}|\x22[^\x22]{1000,})/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2617; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE instantiate_online ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_online"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck631.html; classtype:attempted-user; sid:2648; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE send_old_values ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_old_values"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user;  sid:2626; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE service_name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"(service_name="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck52.html; classtype:attempted-user; sid:2649; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE snapshot.end_load named gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/gname\s*=>\s*(\x27[^\x27]{1000,}|\x22[^\x22]{1000,})/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2635; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create_mview_repgroup ordered fname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){4}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2604; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE register_user_repgroup named privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/privilege_type\s*=>\s*(\x27[^\x27]{1000,}|\x22[^\x22]{1000,})/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2629; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_master_repgroup ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck87.html; classtype:attempted-user; sid:2602; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE LINK metadata buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; content:"DATABASE"; nocase; content:"LINK"; nocase; pcre:"/USING\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:cve,CAN-2003-0222; reference:bugtraq,7453; reference:url,archives.neohapsis.com/archives/bugtraq/2003-04/0360.html; classtype:attempted-user; sid:2611; rev:2;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2638; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_site_instantiate named refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"drop_site_instantiation"; nocase; pcre:"/refresh_template_name\s*=>\s*(\x27[^\x27]{1000,}|\x22[^\x22]{1000,})/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck629.html; classtype:attempted-user; sid:2641; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE register_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2630; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE og.begin_load named gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/gname\s*=>\s*(\x27[^\x27]{1000,}|\x22[^\x22]{1000,})/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2652; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE instantiate_offline named refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_offline"; nocase; pcre:"/refresh_template_name\s*=>\s*(\x27[^\x27]{1000,}|\x22[^\x22]{1000,})/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck630.html; classtype:attempted-user; sid:2645; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE repcat_import_check named gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/(gowner|gname)\s*=>\s*(\x27[^\x27]{1000,}|\x22[^\x22]{1000,})/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2627; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE add_grouped_column ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22 ]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2600; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE rectifier_diff named sname1 attempt"; flow:to_server,established; content:"dbms_rectifier_diff."; nocase; pcre:"/sname1\s*=>\s*(\x27[^\x27]{1000,}|\x22[^\x22]{1000,})/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2633; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ensure_not_published ordered fname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_fla.ensure_not_published"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck96.html; classtype:attempted-user; sid:2643; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create_mview_repgroup named fname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/fname\s*=>\s*(\x27[^\x27]{1000,}|\x22[^\x22]{1000,})/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2603; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2620; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE compare_old_values ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.compare_old_values"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2605; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE refresh_mview_repgroup named gowner buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/gowner\s*=>\s*(\x27[^\x27]{1000,}|\x22[^\x22]{1000,})/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2631; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE comment_on_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2607; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE grant_surrogate_repcat named userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/userid\s*=>\s*(\x27[^\x27]{1000,}|\x22[^\x22]{1000,})/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2615; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE og.begin_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2653; rev:1;)
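Review bot: The double-quoted alternative in the pcre of sid:2600 is written `(\x22[^\x22 ]{1000,})` with a stray space inside the character class, so a 1000+ byte second argument is missed as soon as it contains a space, whereas the otherwise identical patterns in sid:2626 and sid:2605 use `[^\x22]{1000,}`; the fix is to drop the space. sid:2650 and sid:2649 negate `|22|` within the 1000 bytes that follow `(user=` / `(service_name=`, but in this parenthesised key=value connect syntax the value appears to be closed by `)`, so a normal-length value followed by 1000 bytes of other stream data that happens to contain no double quote also matches; `content:!"|29|"; within:1000;` is the delimiter to negate (keep the `|22|` negation as well if quoted values must be covered). Separately, the msg of sid:2633 omits the words "buffer overflow" that every sibling rule carries, and sid:2641/sid:2642 name the procedure `drop_site_instantiate` while their content matches `drop_site_instantiation`; aligning the msg strings keeps these greppable alongside the rest of the set.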

  [---]          Removed:          [---]

     file -> web-misc.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC order.log access"; flow:to_server,established; uricontent:"/admin_files/order.log"; nocase; classtype:attempted-recon; sid:1176; rev:5;)

  [///]       Modified active:     [///]

     file -> web-misc.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC RBS ISP /newuser access"; flow:to_server,established; uricontent:"/newuser"; classtype:web-application-activity; reference:bugtraq,1704; sid:1493; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC RBS ISP /newuser access"; flow:to_server,established; uricontent:"/newuser"; classtype:web-application-activity; reference:bugtraq,1704; reference:nessus,10521; reference:cve,CVE-2000-1036; sid:1493; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC architext_query.pl access"; flow:to_server,established; uricontent:"/ews/architext_query.pl"; nocase; classtype:attempted-recon; reference:bugtraq,2248; reference:url,www2.fedcirc.gov/alerts/advisories/1998/txt/fedcirc.98.03.txt; sid:1173; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC architext_query.pl access"; flow:to_server,established; uricontent:"/ews/architext_query.pl"; nocase; classtype:attempted-recon; reference:bugtraq,2248; reference:url,www2.fedcirc.gov/alerts/advisories/1998/txt/fedcirc.98.03.txt; reference:nessus,10064; sid:1173; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC RBS ISP /newuser  directory traversal attempt"; flow:to_server,established; uricontent:"/newuser?Image=../.."; classtype:web-application-attack; reference:bugtraq,1704; sid:1492; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC RBS ISP /newuser  directory traversal attempt"; flow:to_server,established; uricontent:"/newuser?Image=../.."; classtype:web-application-attack; reference:bugtraq,1704; reference:nessus,10521; reference:cve,CVE-2000-1036; sid:1492; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2520; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; reference:nessus,12204; reference:nessus,12204; sid:2520; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Annex Terminal DOS attempt"; flow:to_server,established; uricontent:"/ping?query="; reference:arachnids,260; reference:cve,1999-1070; classtype:attempted-dos; sid:1181; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Annex Terminal DOS attempt"; flow:to_server,established; uricontent:"/ping?query="; reference:arachnids,260; reference:cve,1999-1070; classtype:attempted-dos; reference:nessus,10017; sid:1181; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache source.asp file access"; flow:to_server,established; uricontent:"/site/eg/source.asp"; nocase; reference:bugtraq,1457; reference:cve,2000-0628; classtype:attempted-recon; sid:1110; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache source.asp file access"; flow:to_server,established; uricontent:"/site/eg/source.asp"; nocase; reference:bugtraq,1457; reference:cve,2000-0628; classtype:attempted-recon; reference:nessus,10480; sid:1110; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2505; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2505; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC rpm_query access"; flow:to_server,established; uricontent:"/rpm_query"; nocase; reference:bugtraq,1036; reference:cve,2000-0192; classtype:attempted-recon; sid:1167; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC rpm_query access"; flow:to_server,established; uricontent:"/rpm_query"; nocase; reference:bugtraq,1036; reference:cve,2000-0192; classtype:attempted-recon; reference:nessus,10340; sid:1167; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webadmin.dll access"; flow:to_server,established; uricontent:"/webadmin.dll"; nocase; reference:nessus,11771; classtype:web-application-activity; sid:2246; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webadmin.dll access"; flow:to_server,established; uricontent:"/webadmin.dll"; nocase; reference:nessus,11771; classtype:web-application-activity; reference:bugtraq,7438; reference:bugtraq,7439; reference:bugtraq,8024; reference:cve,2003-0471; sid:2246; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC PCCS mysql database admin tool access"; flow:to_server,established; content:"pccsmysqladm/incs/dbconnect.inc"; depth:36; nocase; reference:arachnids,300; classtype:web-application-attack; sid:509; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC PCCS mysql database admin tool access"; flow:to_server,established; content:"pccsmysqladm/incs/dbconnect.inc"; depth:36; nocase; reference:arachnids,300; classtype:web-application-attack; reference:bugtraq,1557; reference:cve,CVE-2000-0707; reference:nessus,10783; sid:509; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape admin passwd"; flow:to_server,established; uricontent:"/admin-serv/config/admpw"; nocase; reference:bugtraq,1579; classtype:web-application-attack; sid:1103; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape admin passwd"; flow:to_server,established; uricontent:"/admin-serv/config/admpw"; nocase; reference:bugtraq,1579; classtype:web-application-attack; reference:nessus,10468; sid:1103; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC plusmail access"; flow:to_server,established; uricontent:"/plusmail"; nocase; reference:bugtraq,2653; reference:cve,2000-0074; classtype:attempted-recon; sid:1217; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC plusmail access"; flow:to_server,established; uricontent:"/plusmail"; nocase; reference:bugtraq,2653; reference:cve,2000-0074; classtype:attempted-recon; reference:nessus,10181; sid:1217; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ExAir access"; flow:to_server,established; uricontent:"/exair/search/"; reference:bugtraq,193; reference:cve,1999-0449; classtype:web-application-activity; sid:1500; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ExAir access"; flow:to_server,established; uricontent:"/exair/search/"; reference:bugtraq,193; reference:cve,1999-0449; classtype:web-application-activity; reference:nessus,10002; reference:nessus,10003; reference:nessus,10004; sid:1500; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /Carello/add.exe access"; flow:to_server,established; uricontent:"/Carello/add.exe"; nocase; reference:bugtraq,1245; reference:cve,2000-0396; classtype:web-application-activity; sid:1943; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /Carello/add.exe access"; flow:to_server,established; uricontent:"/Carello/add.exe"; nocase; reference:bugtraq,1245; reference:cve,2000-0396; classtype:web-application-activity; reference:nessus,11776; sid:1943; rev:4;)
     old: alert tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any (msg:"WEB-MISC SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2521; rev:5;)
     new: alert tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any (msg:"WEB-MISC SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; reference:nessus,12204; reference:nessus,12204; sid:2521; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2522; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; reference:nessus,12204; sid:2522; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC schema overflow attempt"; flow:to_server,established; uricontent:"|3A|//"; pcre:"/^[^\/]{14,}?\x3a\/\//U"; reference:bugtraq,9581; reference:cve,2004-0039; classtype:attempted-admin; sid:2381; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC schema overflow attempt"; flow:to_server,established; uricontent:"|3A|//"; pcre:"/^[^\/]{14,}?\x3a\/\//U"; reference:bugtraq,9581; reference:cve,2004-0039; classtype:attempted-admin; reference:nessus,12084; sid:2381; rev:6;)

     file -> dns.rules
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:arachnids,212; reference:cve,1999-0532; classtype:attempted-recon; sid:1948; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:arachnids,212; reference:cve,1999-0532; classtype:attempted-recon; reference:nessus,10595; sid:1948; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; classtype:attempted-recon; sid:255; rev:11;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; classtype:attempted-recon; reference:nessus,10595; sid:255; rev:12;)

     file -> imap.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2531; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2531; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2497; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2497; rev:7;)
     old: alert tcp $HOME_NET 993 -> $EXTERNAL_NET any (msg:"IMAP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2530; rev:3;)
     new: alert tcp $HOME_NET 993 -> $EXTERNAL_NET any (msg:"IMAP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; reference:nessus,12204; sid:2530; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2529; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; reference:nessus,12204; sid:2529; rev:4;)

     file -> web-cgi.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AnyForm2 access"; flow:to_server,established; uricontent:"/AnyForm2"; nocase; reference:bugtraq,719; reference:cve,1999-0066; classtype:attempted-recon; sid:892; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AnyForm2 access"; flow:to_server,established; uricontent:"/AnyForm2"; nocase; reference:bugtraq,719; reference:cve,1999-0066; classtype:attempted-recon; reference:nessus,10277; sid:892; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI php.cgi access"; flow:to_server,established; uricontent:"/php.cgi"; nocase; reference:arachnids,232; reference:bugtraq,2250; reference:cve,1999-0238; classtype:attempted-recon; sid:824; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI php.cgi access"; flow:to_server,established; uricontent:"/php.cgi"; nocase; reference:arachnids,232; reference:bugtraq,2250; reference:cve,1999-0238; classtype:attempted-recon; reference:nessus,10178; reference:bugtraq,712; reference:cve,1999-058; sid:824; rev:12;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campas access"; flow:to_server,established; uricontent:"/campas"; nocase; reference:bugtraq,1975; reference:cve,1999-0146; classtype:attempted-recon; sid:847; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campas access"; flow:to_server,established; uricontent:"/campas"; nocase; reference:bugtraq,1975; reference:cve,1999-0146; classtype:attempted-recon; reference:nessus,10035; sid:847; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Emumail emumail.fcgi access"; flow:to_server,established; uricontent:"/emumail.fcgi"; nocase; reference:bugtraq,9861; classtype:web-application-activity; sid:2568; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Emumail emumail.fcgi access"; flow:to_server,established; uricontent:"/emumail.fcgi"; nocase; reference:bugtraq,9861; classtype:web-application-activity; reference:nessus,12095; sid:2568; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI glimpse access"; flow:to_server,established; uricontent:"/glimpse"; nocase; reference:bugtraq,2026; classtype:attempted-recon; sid:825; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI glimpse access"; flow:to_server,established; uricontent:"/glimpse"; nocase; reference:bugtraq,2026; classtype:attempted-recon; reference:cve,1999-0147; reference:nessus,10095; sid:825; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailnews.cgi access"; flow:to_server,established; uricontent:"/mailnews.cgi"; nocase; reference:cve,2001-0271; classtype:attempted-recon; sid:1471; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailnews.cgi access"; flow:to_server,established; uricontent:"/mailnews.cgi"; nocase; reference:cve,2001-0271; classtype:attempted-recon; reference:bugtraq,2391; reference:nessus,10641; sid:1471; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-bin/jj access"; flow:to_server,established; uricontent:"/cgi-bin/jj"; nocase; reference:bugtraq,2002; reference:cve,1999-0260; classtype:web-application-activity; sid:1174; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-bin/jj access"; flow:to_server,established; uricontent:"/cgi-bin/jj"; nocase; reference:bugtraq,2002; reference:cve,1999-0260; classtype:web-application-activity; reference:nessus,10131; sid:1174; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campus attempt"; flow:to_server,established; uricontent:"/campus?|0A|"; nocase; reference:bugtraq,1975; classtype:web-application-attack; sid:1652; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campus attempt"; flow:to_server,established; uricontent:"/campus?|0A|"; nocase; reference:bugtraq,1975; classtype:web-application-attack; reference:nessus,10035; sid:1652; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailit.pl access"; flow:to_server,established; uricontent:"/mailit.pl"; nocase; classtype:attempted-recon; sid:1475; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailit.pl access"; flow:to_server,established; uricontent:"/mailit.pl"; nocase; classtype:attempted-recon; reference:nessus,10417; sid:1475; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campus access"; flow:to_server,established; uricontent:"/campus"; nocase; reference:bugtraq,1975; classtype:web-application-activity; sid:1653; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campus access"; flow:to_server,established; uricontent:"/campus"; nocase; reference:bugtraq,1975; classtype:web-application-activity; reference:nessus,10035; sid:1653; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ppdscgi.exe access"; flow:to_server,established; uricontent:"/ppdscgi.exe"; nocase; reference:bugtraq,491; reference:url,online.securityfocus.com/archive/1/16878; classtype:attempted-recon; sid:889; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ppdscgi.exe access"; flow:to_server,established; uricontent:"/ppdscgi.exe"; nocase; reference:bugtraq,491; reference:url,online.securityfocus.com/archive/1/16878; classtype:attempted-recon; reference:nessus,10187; sid:889; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Emumail init.emu access"; flow:to_server,established; uricontent:"/init.emu"; nocase; reference:bugtraq,9861; classtype:web-application-activity; sid:2567; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Emumail init.emu access"; flow:to_server,established; uricontent:"/init.emu"; nocase; reference:bugtraq,9861; classtype:web-application-activity; reference:nessus,12095; sid:2567; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nph-exploitscanget.cgi access"; flow:to_server,established; uricontent:"/nph-exploitscanget.cgi"; nocase; reference:bugtraq,7910; reference:bugtraq,7911; reference:bugtraq,7912; reference:cve,2003-0434; reference:nessus,11740; classtype:web-application-activity; sid:2222; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nph-exploitscanget.cgi access"; flow:to_server,established; uricontent:"/nph-exploitscanget.cgi"; nocase; reference:bugtraq,7910; reference:bugtraq,7911; reference:bugtraq,7913; reference:cve,2003-0434; reference:nessus,11740; classtype:web-application-activity; sid:2222; rev:6;)
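Review bot: `reference:cve,1999-058` added to the php.cgi rule (sid 824) is not a well-formed CVE identifier — the sequence part has three digits, so the reference link Snort builds from it will not resolve. It was added together with `reference:bugtraq,712`, so the intended id should be taken from that advisory rather than guessed; until it is confirmed the entry is better left out than shipped malformed. The other changes in this file (nessus ids, the bugtraq 7912→7913 correction on sid 2222) look consistent with the existing references.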

     file -> ftp.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT ? dos attempt"; flow:to_server,established; content:"STAT"; nocase; content:"?"; distance:1; reference:bugtraq,4482; reference:cve,2002-0073; classtype:attempted-dos; sid:1778; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT ? dos attempt"; flow:to_server,established; content:"STAT"; nocase; content:"?"; distance:1; reference:bugtraq,4482; reference:cve,2002-0073; classtype:attempted-dos; reference:nessus,10934; sid:1778; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT * dos attempt"; flow:to_server,established; content:"STAT"; nocase; content:"*"; distance:1; reference:bugtraq,4482; reference:cve,2002-0073; classtype:attempted-dos; sid:1777; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT * dos attempt"; flow:to_server,established; content:"STAT"; nocase; content:"*"; distance:1; reference:bugtraq,4482; reference:cve,2002-0073; classtype:attempted-dos; reference:nessus,10934; sid:1777; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKD overflow attempt"; flow:to_server,established; content:"MKD"; nocase; isdataat:100,relative; pcre:"/^MKD\s[^\n]{100}/smi"; reference:bugtraq,612; reference:bugtraq,9872; reference:cve,1999-0911; classtype:attempted-admin; reference:bugtraq,7278; sid:1973; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKD overflow attempt"; flow:to_server,established; content:"MKD"; nocase; isdataat:100,relative; pcre:"/^MKD\s[^\n]{100}/smi"; reference:bugtraq,612; reference:bugtraq,9872; reference:cve,1999-0911; classtype:attempted-admin; reference:bugtraq,7278; reference:nessus,12108; sid:1973; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP APPE overflow attempt"; flow:to_server,established; content:"APPE"; nocase; isdataat:100,relative; pcre:"/^APPE\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; reference:cve,2000-0133; sid:2391; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP APPE overflow attempt"; flow:to_server,established; content:"APPE"; nocase; isdataat:100,relative; pcre:"/^APPE\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; reference:cve,2000-0133; reference:bugtraq,8542; sid:2391; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:100,relative; pcre:"/^STAT\s[^\n]{100}/smi"; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; reference:cve,2001-0325; reference:cve,2001-1021; sid:1379; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:100,relative; pcre:"/^STAT\s[^\n]{100}/smi"; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; reference:cve,2001-0325; reference:cve,2001-1021; reference:bugtraq,8542; reference:bugtraq,3507; sid:1379; rev:11;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS overflow attempt"; flow:to_server,established,no_stream; content:"PASS"; nocase; isdataat:100,relative; pcre:"/^PASS\s[^\n]{100}/smi"; reference:bugtraq,1690; reference:bugtraq,3884; reference:bugtraq,8601; reference:bugtraq,9285; reference:cve,2000-1035; reference:cve,2002-0126; classtype:attempted-admin; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2002-0895; reference:bugtraq,10720; sid:1972; rev:14;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS overflow attempt"; flow:to_server,established,no_stream; content:"PASS"; nocase; isdataat:100,relative; pcre:"/^PASS\s[^\n]{100}/smi"; reference:bugtraq,1690; reference:bugtraq,3884; reference:bugtraq,8601; reference:bugtraq,9285; reference:cve,2000-1035; reference:cve,2002-0126; classtype:attempted-admin; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2002-0895; reference:bugtraq,10720; reference:bugtraq,10078; sid:1972; rev:15;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,7776; reference:bugtraq,9262; reference:bugtraq,9402; reference:bugtraq,9600; reference:bugtraq,9800; reference:cve,2004-0277; classtype:misc-attack; reference:nessus,10041; sid:2178; rev:14;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,7776; reference:bugtraq,9262; reference:bugtraq,9402; reference:bugtraq,9600; reference:bugtraq,9800; reference:cve,2004-0277; classtype:misc-attack; reference:nessus,10041; reference:nessus,11687; sid:2178; rev:15;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow attempt"; flow:to_server,established,no_stream; content:"USER"; nocase; isdataat:100,relative; pcre:"/^USER\s[^\n]{100}/smi"; reference:bugtraq,1227; reference:bugtraq,1504; reference:bugtraq,1690; reference:bugtraq,4638; reference:cve,2000-0479; reference:cve,2000-0656; reference:cve,2000-0943; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0794; reference:cve,2001-0826; reference:cve,2002-0126; classtype:attempted-admin; reference:cve,1999-1510; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,1999-1514; reference:cve,2000-0761; reference:cve,2001-0256; reference:cve,2002-1522; reference:cve,2003-0271; reference:cve,2004-0286; reference:bugtraq,7307; sid:1734; rev:27;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow attempt"; flow:to_server,established,no_stream; content:"USER"; nocase; isdataat:100,relative; pcre:"/^USER\s[^\n]{100}/smi"; reference:bugtraq,1227; reference:bugtraq,1504; reference:bugtraq,1690; reference:bugtraq,4638; reference:cve,2000-0479; reference:cve,2000-0656; reference:cve,2000-0943; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0794; reference:cve,2001-0826; reference:cve,2002-0126; classtype:attempted-admin; reference:cve,1999-1510; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,1999-1514; reference:cve,2000-0761; reference:cve,2001-0256; reference:cve,2002-1522; reference:cve,2003-0271; reference:cve,2004-0286; reference:bugtraq,7307; reference:bugtraq,10078; reference:bugtraq,8376; sid:1734; rev:29;)

     file -> multimedia.rules
     old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .smi playlist download attempt"; flow:to_server,established; uricontent:".smi"; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2421; rev:2;)
     new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .smi playlist download attempt"; flow:to_server,established; uricontent:".smi"; nocase; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2421; rev:3;)
     old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rp playlist download attempt"; flow:to_server,established; uricontent:".rp"; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2423; rev:2;)
     new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rp playlist download attempt"; flow:to_server,established; uricontent:".rp"; nocase; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2423; rev:3;)
     old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rt playlist download attempt"; flow:to_server,established; uricontent:".rt"; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2422; rev:2;)
     new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rt playlist download attempt"; flow:to_server,established; uricontent:".rt"; nocase; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2422; rev:3;)
     old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rmp playlist download attempt"; flow:to_server,established; uricontent:".rmp"; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2420; rev:2;)
     new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rmp playlist download attempt"; flow:to_server,established; uricontent:".rmp"; nocase; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2420; rev:3;)
     old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .ram playlist download attempt"; flow:to_server,established; uricontent:".ram"; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2419; rev:2;)
     new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .ram playlist download attempt"; flow:to_server,established; uricontent:".ram"; nocase; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2419; rev:3;)
     old: alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MULTIMEDIA Quicktime User Agent access"; flow:to_server,established; content:"User-Agent|3A| Quicktime"; classtype:policy-violation; sid:1436; rev:4;)
     new: alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MULTIMEDIA Quicktime User Agent access"; flow:to_server,established; content:"User-Agent|3A| Quicktime"; nocase; classtype:policy-violation; sid:1436; rev:5;)
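Review bot: Adding `nocase` to `uricontent:".smi"` (and `.rp`, `.rt`, `.rmp`, `.ram`) widens an already unanchored substring match: the `realplayer.playlist` flowbit is now set for any URI containing those bytes in any case, including `.smil` or a path segment such as `/foo.smith/`, which feeds whatever rules test that flowbit. If the intent is a file extension, consider anchoring the match after the uricontent with something like `pcre:"/\.smi(\x3f|$)/Ui"`, and likewise for the other four extensions. The `nocase` on sid 1436's `User-Agent|3A| Quicktime` is harmless; note that rule still watches only port 80 rather than `$HTTP_PORTS`.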

     file -> exploit.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache POST overflow attempt"; flow:to_server,established; content:"POST"; pcre:"/^POST[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2554; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache POST overflow attempt"; flow:to_server,established; content:"POST"; pcre:"/^POST[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; reference:nessus,12126; sid:2554; rev:3;)
     old: alert tcp $EXTERNAL_NET 6666:6669 -> $HOME_NET any (msg:"EXPLOIT eMule buffer overflow attempt"; flow:to_client,established; content:"PRIVMSG"; nocase; pcre:"/^PRIVMSG\s+[^\s]+\s+\x3a\s*\x01SENDLINK\x7c[^\x7c]{69}/smi"; reference:bugtraq,10039; classtype:attempted-user; sid:2584; rev:1;)
     new: alert tcp $EXTERNAL_NET 6666:6669 -> $HOME_NET any (msg:"EXPLOIT eMule buffer overflow attempt"; flow:to_client,established; content:"PRIVMSG"; nocase; pcre:"/^PRIVMSG\s+[^\s]+\s+\x3a\s*\x01SENDLINK\x7c[^\x7c]{69}/smi"; reference:bugtraq,10039; classtype:attempted-user; reference:nessus,12233; sid:2584; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache COPY overflow attempt"; flow:to_server,established; content:"COPY"; pcre:"/^COPY[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2559; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache COPY overflow attempt"; flow:to_server,established; content:"COPY"; pcre:"/^COPY[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; reference:nessus,12126; sid:2559; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"EXPLOIT cachefsd buffer overflow attempt"; dsize:>720; flow:to_server,established; content:"|00 01 87 86 00 00 00 01 00 00 00 05|"; reference:bugtraq,4631; reference:cve,2002-0084; classtype:misc-attack; sid:1751; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"EXPLOIT cachefsd buffer overflow attempt"; dsize:>720; flow:to_server,established; content:"|00 01 87 86 00 00 00 01 00 00 00 05|"; reference:bugtraq,4631; reference:cve,2002-0084; classtype:misc-attack; reference:nessus,10951; sid:1751; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache GET overflow attempt"; flow:to_server,established; content:"GET"; pcre:"/^GET[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2551; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache GET overflow attempt"; flow:to_server,established; content:"GET"; pcre:"/^GET[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; reference:nessus,12126; sid:2551; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache DELETE overflow attempt"; flow:to_server,established; content:"DELETE"; pcre:"/^DELETE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2556; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache DELETE overflow attempt"; flow:to_server,established; content:"DELETE"; pcre:"/^DELETE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; reference:nessus,12126; sid:2556; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache MOVE overflow attempt"; flow:to_server,established; content:"MOVE"; pcre:"/^MOVE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2560; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache MOVE overflow attempt"; flow:to_server,established; content:"MOVE"; pcre:"/^MOVE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; reference:nessus,12126; sid:2560; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache HEAD overflow attempt"; flow:to_server,established; content:"HEAD"; pcre:"/^HEAD[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2552; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache HEAD overflow attempt"; flow:to_server,established; content:"HEAD"; pcre:"/^HEAD[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; reference:nessus,12126; sid:2552; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache TRACE overflow attempt"; flow:to_server,established; content:"TRACE"; pcre:"/^TRACE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2555; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache TRACE overflow attempt"; flow:to_server,established; content:"TRACE"; pcre:"/^TRACE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; reference:nessus,12126; sid:2555; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache MKCOL overflow attempt"; flow:to_server,established; content:"MKCOL"; pcre:"/^MKCOL[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2558; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache MKCOL overflow attempt"; flow:to_server,established; content:"MKCOL"; pcre:"/^MKCOL[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; reference:nessus,12126; sid:2558; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache PUT overflow attempt"; flow:to_server,established; content:"PUT"; pcre:"/^PUT[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2553; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache PUT overflow attempt"; flow:to_server,established; content:"PUT"; pcre:"/^PUT[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; reference:nessus,12126; sid:2553; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache LOCK overflow attempt"; flow:to_server,established; content:"LOCK"; pcre:"/^LOCK[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2557; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache LOCK overflow attempt"; flow:to_server,established; content:"LOCK"; pcre:"/^LOCK[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; reference:nessus,12126; sid:2557; rev:3;)
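Review bot: The Oracle Web Cache rules (sids 2551–2560, e.g. `pcre:"/^POST[^s]{432}/sm"`) use the class `[^s]`, which excludes only the literal letter 's'; this update bumps their rev and adds `reference:nessus,12126` without touching it. As written a rule fires only when the 432 bytes after the method contain no 's' at all, so an overlong request that happens to include an 's' is not detected, while 's'-free traffic of that length alerts regardless of length structure. Presumably `[^\s]` was intended (the FTP overflow rules in this same update use `[^\n]` for the equivalent check), i.e. `pcre:"/^POST[^\s]{432}/sm"` and the same substitution in the other nine methods; please confirm against the original advisory before changing.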

     file -> web-php.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPBB viewforum.php access"; flow:to_server,established; uricontent:"/viewforum.php"; nocase; reference:bugtraq,9866; classtype:web-application-activity; sid:2566; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPBB viewforum.php access"; flow:to_server,established; uricontent:"/viewforum.php"; nocase; reference:bugtraq,9866; classtype:web-application-activity; reference:nessus,12093; reference:bugtraq,9865; sid:2566; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP readmsg.php access"; flow:established,to_server; uricontent:"/readmsg.php"; reference:nessus,11073; classtype:web-application-activity; sid:2000; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP readmsg.php access"; flow:established,to_server; uricontent:"/readmsg.php"; reference:nessus,11073; classtype:web-application-activity; reference:cve,CAN-2001-1408; sid:2000; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition memchr overflow"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"name=|22 CC CC CC CC CC|"; reference:bugtraq,4183; reference:cve,2002-0081; classtype:web-application-attack; sid:1423; rev:12;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition memchr overflow"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"name=|22 CC CC CC CC CC|"; reference:bugtraq,4183; reference:cve,2002-0081; classtype:web-application-attack; reference:nessus,10867; sid:1423; rev:13;)
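Review bot: sid 2000 matches `uricontent:"/readmsg.php"` without `nocase`, while the neighbouring sid 2566 writes `uricontent:"/viewforum.php"; nocase;`; if the script is served from a case-insensitive filesystem, a request for `/ReadMsg.php` reaches the same file and slips past the rule. I would make the match `uricontent:"/readmsg.php"; nocase;` so the two rules behave alike. The reference added to the same rule is spelled `reference:cve,CAN-2001-1408`, whereas every other cve reference on this page uses the bare identifier (`reference:cve,2002-0081`); unless the reference.config URL scheme expects the CAN- prefix, `reference:cve,2001-1408` keeps the generated links uniform. Minor style point: in all three rules the new references are appended after `classtype`, separating them from the existing `reference:` options.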

     file -> deleted.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c0%af../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; sid:981; rev:10;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c0%af../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:981; rev:11;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%1c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; sid:982; rev:10;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%1c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:982; rev:11;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2498; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2498; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%255c.."; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; sid:1945; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%255c.."; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:1945; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2499; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2499; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS multiple decode attempt"; flow:to_server,established; uricontent:"%5c"; uricontent:".."; reference:bugtraq,2708; reference:cve,2001-0333; classtype:web-application-attack; sid:970; rev:10;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS multiple decode attempt"; flow:to_server,established; uricontent:"%5c"; uricontent:".."; reference:bugtraq,2708; reference:cve,2001-0333; classtype:web-application-attack; reference:nessus,10671; sid:970; rev:11;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; classtype:attempted-dos; sid:2385; rev:10;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; classtype:attempted-dos; reference:nessus,12065; sid:2385; rev:11;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2503; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2503; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2506; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2506; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%9c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; sid:983; rev:10;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%9c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:983; rev:11;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; classtype:attempted-dos; sid:2384; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; classtype:attempted-dos; reference:nessus,12065; sid:2384; rev:10;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00|"; depth:2; offset:45; reference:bugtraq,5556; reference:cve,2002-0724; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; sid:2102; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00|"; depth:2; offset:45; reference:bugtraq,5556; reference:cve,2002-0724; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; reference:nessus,11110; sid:2102; rev:9;)
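Review bot: The four SSLv3 timestamp rules (sids 2498, 2499, 2503, 2506) fire whenever the big-endian value read by `byte_test:4,>,2147483647,5,relative` has its top bit set, so any client that fills the ClientHello gmt_unix_time field with random bytes instead of a clock value would trip them on roughly half of its handshakes; if that noise is acceptable for a DoS signature a comment saying so would help, otherwise a `threshold:` option like the one sid 2494 carries would contain it. These rules, and the unicode traversal rules around them, live in deleted.rules, so the rev bumps and added nessus references here only matter if someone re-enables them — worth a line in the changelog so nobody reads the bumps as the rules being active again. As with the other sections, the new references are placed after `classtype` rather than with the existing `reference:` options.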

     file -> netbios.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt big endian"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,<,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2352; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt big endian"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,<,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; reference:nessus,11808; sid:2352; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,8,6,relative; asn1:double_overflow, oversize_length 2048, bitstring_overflow,relative_offset 54; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; classtype:attempted-admin; sid:2382; rev:12;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,8,6,relative; asn1:double_overflow, oversize_length 2048, bitstring_overflow,relative_offset 54; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; classtype:attempted-admin; reference:nessus,12065; sid:2382; rev:13;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2258; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; reference:nessus,11888; reference:nessus,11890; sid:2258; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2491; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; reference:nessus,12206; sid:2491; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt little endian"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,little,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2351; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt little endian"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,little,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; reference:nessus,11808; sid:2351; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2251; rev:11;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; reference:nessus,11835; reference:nessus,11798; sid:2251; rev:13;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2257; rev:5;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; reference:nessus,11888; reference:nessus,11890; sid:2257; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2496; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; reference:nessus,12206; sid:2496; rev:6;)
     old: alert tcp $HOME_NET 135 -> $EXTERNAL_NET any (msg:"NETBIOS DCERPC ISystemActivator bind accept"; flow:from_server,established; content:"|05|"; within:1; content:"|0C|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00 00|"; within:2; distance:33; flowbits:isset,dce.isystemactivator.bind.attempt; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2350; rev:7;)
     new: alert tcp $HOME_NET 135 -> $EXTERNAL_NET any (msg:"NETBIOS DCERPC ISystemActivator bind accept"; flow:from_server,established; content:"|05|"; within:1; content:"|0C|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00 00|"; within:2; distance:33; flowbits:isset,dce.isystemactivator.bind.attempt; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; reference:nessus,11808; sid:2350; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2495; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; reference:nessus,12206; sid:2495; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2492; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; reference:nessus,12206; sid:2492; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2494; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; reference:nessus,12206; sid:2494; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.attempt; flowbits:noalert; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2192; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.attempt; flowbits:noalert; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; reference:nessus,11808; sid:2192; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2493; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; reference:nessus,12206; sid:2493; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2193; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; reference:nessus,11808; sid:2193; rev:10;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,8,6,relative; asn1:double_overflow, oversize_length 2048, bitstring_overflow,relative_offset 54; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; classtype:attempted-admin; sid:2383; rev:12;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,8,6,relative; asn1:double_overflow, oversize_length 2048, bitstring_overflow,relative_offset 54; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; classtype:attempted-admin; reference:nessus,12065; sid:2383; rev:13;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2252; rev:11;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; reference:nessus,11835; reference:nessus,11798; sid:2252; rev:13;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00 00 00|"; depth:4; offset:43; reference:bugtraq,5556; reference:cve,2002-0724; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; sid:2101; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00 00 00|"; depth:4; offset:43; reference:bugtraq,5556; reference:cve,2002-0724; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; reference:nessus,11110; sid:2101; rev:10;)
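Review bot: sid 2492 tests what appears to be the same SMB flags2 word with `byte_test:2,^,1,5,relative`, while its Unicode siblings sid 2491 and sid 2493 use `byte_test:2,&,1,5,relative`; as I read Snort's byte_test, the `^` operator succeeds whenever value XOR 1 is non-zero — i.e. for every value except exactly 1 — so it does not express "bit clear" if that was the intent for the non-Unicode variant. If the aim is to require the bit to be clear, `byte_test:2,!&,1,5,relative;` says so directly; if `^` is deliberate, a short comment on the rule would spare the next reader the same question. Two smaller things: the nessus references are appended after `classtype` instead of next to the existing `reference:` options, and the rev increments are uneven for identical edits (sid 2257 goes 5→8, sid 2258 6→8, sids 2251 and 2252 11→13, the rest +1), which makes rev a weak signal of how much a rule actually changed.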

     file -> sql.rules
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; offset:32; nocase; reference:bugtraq,2040; reference:cve,2000-1085; classtype:attempted-user; sid:697; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; offset:32; nocase; reference:bugtraq,2040; reference:cve,2000-1085; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; sid:697; rev:9;)
     old: alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"MS-SQL Worm propagation attempt OUTBOUND"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2004; rev:5;)
     new: alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"MS-SQL Worm propagation attempt OUTBOUND"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; reference:nessus,11214; sid:2004; rev:6;)
     old: alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"MS-SQL/SMB sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; offset:83; classtype:attempted-user; sid:680; rev:6;)
     new: alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"MS-SQL/SMB sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; offset:83; classtype:attempted-user; reference:bugtraq,4797; reference:cve,2000-1209; sid:680; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; offset:32; nocase; reference:bugtraq,2039; reference:cve,2000-1084; classtype:attempted-user; sid:700; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; offset:32; nocase; reference:bugtraq,2039; reference:cve,2000-1084; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; sid:700; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; offset:32; nocase; reference:bugtraq,2043; classtype:attempted-user; sid:703; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; offset:32; nocase; reference:bugtraq,2043; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; reference:cve,CAN-2000-1088; sid:703; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; offset:32; nocase; reference:bugtraq,1204; classtype:attempted-user; sid:695; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; offset:32; nocase; reference:bugtraq,1204; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; sid:695; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t|00|"; offset:32; nocase; reference:bugtraq,2030; reference:cve,2000-1081; classtype:attempted-user; sid:702; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t|00|"; offset:32; nocase; reference:bugtraq,2030; reference:cve,2000-1081; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; sid:702; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; nocase; classtype:attempted-user; sid:682; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; nocase; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; reference:bugtraq,2031; reference:cve,2000-1082; sid:682; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; nocase; reference:bugtraq,2039; reference:cve,2000-1084; classtype:attempted-user; sid:701; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; nocase; reference:bugtraq,2039; reference:cve,2000-1084; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; sid:701; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,2000-1087; classtype:attempted-user; sid:707; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,2000-1087; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; sid:707; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; offset:32; nocase; reference:bugtraq,2038; classtype:attempted-user; sid:696; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; offset:32; nocase; reference:bugtraq,2038; classtype:attempted-user; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; sid:696; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; offset:32; nocase; reference:bugtraq,2031; reference:cve,2000-1082; classtype:attempted-user; sid:708; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; offset:32; nocase; reference:bugtraq,2031; reference:cve,2000-1082; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; sid:708; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t"; nocase; reference:bugtraq,2030; reference:cve,2000-1081; classtype:attempted-user; sid:674; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t"; nocase; reference:bugtraq,2030; reference:cve,2000-1081; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; sid:674; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; nocase; reference:bugtraq,3733; reference:cve,2001-0542; classtype:attempted-user; sid:1387; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; nocase; reference:bugtraq,3733; reference:cve,2001-0542; classtype:attempted-user; reference:nessus,11217; sid:1387; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; nocase; reference:bugtraq,2043; classtype:attempted-user; sid:675; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; nocase; reference:bugtraq,2043; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; reference:cve,2000-1088; sid:675; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; nocase; reference:bugtraq,1204; classtype:attempted-user; sid:704; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; nocase; reference:bugtraq,1204; classtype:attempted-user; reference:cve,CAN-2001-0542; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; sid:704; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; offset:32; nocase; reference:bugtraq,2041; reference:cve,2000-1086; classtype:attempted-user; sid:690; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; offset:32; nocase; reference:bugtraq,2041; reference:cve,2000-1086; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; sid:690; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; nocase; reference:bugtraq,2040; reference:cve,2000-1085; classtype:attempted-user; sid:706; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; nocase; reference:bugtraq,2040; reference:cve,2000-1085; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; sid:706; rev:8;)
     old: alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"MS-SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; classtype:unsuccessful-user; sid:688; rev:6;)
     new: alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"MS-SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; classtype:unsuccessful-user; reference:cve,CAN-2000-1209; reference:bugtraq,4797; reference:nessus,10673; sid:688; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; nocase; reference:bugtraq,2041; reference:cve,2000-1086; classtype:attempted-user; sid:699; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; nocase; reference:bugtraq,2041; reference:cve,2000-1086; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; sid:699; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; offset:32; nocase; reference:bugtraq,3733; reference:cve,2001-0542; classtype:attempted-user; sid:1386; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; offset:32; nocase; reference:bugtraq,3733; reference:cve,2001-0542; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; sid:1386; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; nocase; reference:bugtraq,2038; reference:cve,2000-1083; classtype:attempted-user; sid:705; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; nocase; reference:bugtraq,2038; reference:cve,2000-1083; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; sid:705; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; offset:32; nocase; reference:bugtraq,2042; reference:cve,2000-1087; classtype:attempted-user; sid:698; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; offset:32; nocase; reference:bugtraq,2042; reference:cve,2000-1087; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; sid:698; rev:9;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2003; rev:6;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; reference:nessus,11214; sid:2003; rev:7;)

     file -> web-iis.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS isc$data attempt"; flow:to_server,established; uricontent:".idc|3A 3A 24|data"; nocase; reference:bugtraq,307; reference:cve,1999-0874; classtype:web-application-attack; sid:1020; rev:10;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS isc$data attempt"; flow:to_server,established; uricontent:".idc|3A 3A 24|data"; nocase; reference:bugtraq,307; reference:cve,1999-0874; classtype:web-application-attack; reference:nessus,10116; sid:1020; rev:11;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /exchange/root.asp access"; flow:to_server,established; uricontent:"/exchange/root.asp"; nocase; classtype:web-application-activity; reference:nessus,10781; reference:bugtraq,3301; reference:cve,2001-0660; sid:1568; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /exchange/root.asp access"; flow:to_server,established; uricontent:"/exchange/root.asp"; nocase; classtype:web-application-activity; reference:nessus,10781; reference:bugtraq,3301; reference:cve,2001-0660; reference:nessus,10755; sid:1568; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS +.htr code fragment attempt"; flow:to_server,established; uricontent:"+.htr"; nocase; reference:bugtraq,1488; reference:cve,2000-0630; classtype:web-application-attack; sid:1725; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS +.htr code fragment attempt"; flow:to_server,established; uricontent:"+.htr"; nocase; reference:bugtraq,1488; reference:cve,2000-0630; classtype:web-application-attack; reference:nessus,10680; sid:1725; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /exchange/root.asp attempt"; flow:to_server,established; uricontent:"/exchange/root.asp?acs=anon"; nocase; classtype:web-application-attack; reference:nessus,10781; reference:bugtraq,3301; reference:cve,2001-0660; sid:1567; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /exchange/root.asp attempt"; flow:to_server,established; uricontent:"/exchange/root.asp?acs=anon"; nocase; classtype:web-application-attack; reference:nessus,10781; reference:bugtraq,3301; reference:cve,2001-0660; reference:nessus,10755; sid:1567; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .htr access"; flow:to_server,established; uricontent:".htr"; nocase; reference:bugtraq,1488; reference:cve,2000-0630; classtype:web-application-activity; sid:987; rev:12;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .htr access"; flow:to_server,established; uricontent:".htr"; nocase; reference:bugtraq,1488; reference:cve,2000-0630; classtype:web-application-activity; reference:nessus,10680; sid:987; rev:13;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS nsiislog.dll access"; flow:to_server,established; uricontent:"/nsiislog.dll"; nocase; reference:bugtraq,8035; reference:cve,2003-0349; reference:nessus,11664; reference:url,www.microsoft.com/technet/security/bulletin/ms03-018.mspx; classtype:web-application-activity; sid:2129; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS nsiislog.dll access"; flow:to_server,established; uricontent:"/nsiislog.dll"; nocase; reference:bugtraq,8035; reference:cve,2003-0349; reference:nessus,11664; reference:url,www.microsoft.com/technet/security/bulletin/ms03-018.mspx; classtype:web-application-activity; reference:cve,CAN-2003-0227; sid:2129; rev:10;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS msadcs.dll access"; flow:to_server,established; uricontent:"/msadcs.dll"; nocase; reference:bugtraq,529; reference:cve,1999-1011; classtype:web-application-activity; sid:1023; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS msadcs.dll access"; flow:to_server,established; uricontent:"/msadcs.dll"; nocase; reference:bugtraq,529; reference:cve,1999-1011; classtype:web-application-activity; reference:nessus,10357; sid:1023; rev:10;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS NTLM ASN.1 vulnerability scan attempt"; flow:to_server,established; content:"Authorization|3A| Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; classtype:attempted-dos; sid:2386; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS NTLM ASN.1 vulnerability scan attempt"; flow:to_server,established; content:"Authorization|3A| Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; classtype:attempted-dos; reference:nessus,12065; sid:2386; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .printer access"; flow:to_server,established; uricontent:".printer"; nocase; reference:arachnids,533; reference:bugtraq,2674; reference:cve,2001-0241; classtype:web-application-activity; sid:971; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .printer access"; flow:to_server,established; uricontent:".printer"; nocase; reference:arachnids,533; reference:bugtraq,2674; reference:cve,2001-0241; classtype:web-application-activity; reference:nessus,10661; sid:971; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ism.dll attempt"; flow:to_server,established; uricontent:" .htr"; nocase; reference:bugtraq,1193; reference:cve,2000-0457; classtype:web-application-attack; sid:1021; rev:11;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ism.dll attempt"; flow:to_server,established; uricontent:" .htr"; nocase; reference:bugtraq,1193; reference:cve,2000-0457; classtype:web-application-attack; reference:nessus,10680; sid:1021; rev:12;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|"; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; distance:1; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2090; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|"; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; distance:1; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; reference:nessus,11413; sid:2090; rev:9;)

     file -> pop3.rules
     old: alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"POP3 SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2536; rev:3;)
     new: alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"POP3 SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; reference:nessus,12204; sid:2536; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2535; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; reference:nessus,12204; sid:2535; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"POP3 SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2537; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"POP3 SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2537; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2501; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2501; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2502; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2502; rev:8;)
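Review bot: sid 2537 ("POP3 SSLv3 invalid Client_Hello attempt") still matches on `$HOME_NET 993` while every other rule in this pop3.rules section, including the Server_Hello rule sid 2536 that sets the `sslv3.server_hello.request` flowbit it depends on, uses port 995; the update only appends a nessus reference and leaves that mismatch in place. Flowbits are tracked per flow, so a connection to 993 will never see a bit set by a rule keyed to 995, and the rule can only fire if some other rule (presumably in imap.rules, outside this update) sets the same flowbit on 993 — in which case it duplicates that file's check under a POP3 label. Unless that is intended, the destination port should read `$HOME_NET 995` with a corresponding rev bump, and the 993 variant should live in the IMAP rule file if one is needed.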

     file -> smtp.rules
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isset,starttls.attempt; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2542; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isset,starttls.attempt; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; reference:nessus,12204; sid:2542; rev:4;)
     old: alert tcp $SMTP_SERVERS 465 -> $EXTERNAL_NET any (msg:"SMTP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2539; rev:3;)
     new: alert tcp $SMTP_SERVERS 465 -> $EXTERNAL_NET any (msg:"SMTP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; reference:nessus,12204; sid:2539; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2504; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2504; rev:7;)
     old: alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP TLS SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2543; rev:3;)
     new: alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP TLS SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; reference:nessus,12204; sid:2543; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2538; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; reference:nessus,12204; sid:2538; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2544; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2544; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2541; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2541; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow attempt"; flow:to_server,established; content:"XEXCH50"; nocase; pcre:"/^XEXCH50\s+-\d/smi"; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx; classtype:attempted-admin; sid:2253; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow attempt"; flow:to_server,established; content:"XEXCH50"; nocase; pcre:"/^XEXCH50\s+-\d/smi"; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx; classtype:attempted-admin; reference:bugtraq,8838; reference:cve,2003-0714; reference:nessus,11889; sid:2253; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2540; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2540; rev:4;)

     file -> dos.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; dsize:>1023; flow:to_server,established; reference:bugtraq,4006; reference:cve,2002-0224; classtype:attempted-dos; sid:1408; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; dsize:>1023; flow:to_server,established; reference:bugtraq,4006; reference:cve,2002-0224; classtype:attempted-dos; reference:nessus,10939; sid:1408; rev:9;)

     file -> misc.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 639 (msg:"MISC LDAP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2534; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 639 (msg:"MISC LDAP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2534; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd overflow attempt"; flow:to_server; byte_test:2,>,4000,0; content:"|00 00|"; depth:2; offset:2; classtype:misc-activity; sid:2048; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd overflow attempt"; flow:to_server; byte_test:2,>,4000,0; content:"|00 00|"; depth:2; offset:2; classtype:misc-activity; reference:bugtraq,9153; reference:cve,CAN-2003-0962; reference:nessus,11943; sid:2048; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"MISC Xtramail Username overflow attempt"; dsize:>500; flow:to_server,established; content:"Username|3A|"; nocase; isdataat:100,relative; pcre:"/^Username\:[^\n]{100}/smi"; reference:bugtraq,791; reference:cve,1999-1511; classtype:attempted-admin; sid:1636; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"MISC Xtramail Username overflow attempt"; dsize:>500; flow:to_server,established; content:"Username|3A|"; nocase; isdataat:100,relative; pcre:"/^Username\:[^\n]{100}/smi"; reference:bugtraq,791; reference:cve,1999-1511; classtype:attempted-admin; reference:nessus,10323; sid:1636; rev:9;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hostname format string attempt"; content:"|01|"; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; within:8; distance:1; content:"%"; within:8; distance:1; reference:bugtraq,4701; reference:cve,2002-0702; classtype:misc-attack; sid:2039; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hostname format string attempt"; content:"|01|"; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; within:8; distance:1; content:"%"; within:8; distance:1; reference:bugtraq,4701; reference:cve,2002-0702; classtype:misc-attack; reference:nessus,11312; sid:2039; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 639 (msg:"MISC LDAP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2532; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 639 (msg:"MISC LDAP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; reference:nessus,12204; sid:2532; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsync backup-dir directory traversal attempt"; flow:to_server,established; content:"--backup-dir"; pcre:"/--backup-dir\s+\x2e\x2e\x2f/"; reference:bugtraq,10247; reference:cve,2004-0426; classtype:string-detect; sid:2561; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsync backup-dir directory traversal attempt"; flow:to_server,established; content:"--backup-dir"; pcre:"/--backup-dir\s+\x2e\x2e\x2f/"; reference:bugtraq,10247; reference:cve,2004-0426; classtype:string-detect; reference:nessus,12230; sid:2561; rev:3;)
     old: alert tcp $HOME_NET 639 -> $EXTERNAL_NET any (msg:"MISC LDAP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2533; rev:5;)
     new: alert tcp $HOME_NET 639 -> $EXTERNAL_NET any (msg:"MISC LDAP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; reference:nessus,12204; sid:2533; rev:6;)

     file -> oracle.rules
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE generate_replication_support prefix overflow attempt"; flow:to_server,established; content:"generate_replication_support"; nocase; pcre:"/(package|procedure)_prefix[\s\r\n]*=>[\s\r\n]*('[^']{1000,}|"[^"]{1000,})/Rsmi"; classtype:attempted-user; reference:url,www.appsecinc.com/Policy/PolicyCheck93.html; sid:2576; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE generate_replication_support prefix buffer overflow attempt"; flow:to_server,established; content:"generate_replication_support"; nocase; pcre:"/(package|procedure)_prefix[\s\r\n]*=>[\s\r\n]*(\x27[^\x27]{1000,}|\x22[^\x22]{1000,})/Rsmi"; classtype:attempted-user; reference:url,www.appsecinc.com/Policy/PolicyCheck93.html; sid:2576; rev:5;)

     file -> web-frontpage.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE .... request"; flow:to_server,established; uricontent:"..../"; nocase; reference:arachnids,248; reference:bugtraq,989; reference:cve,1999-0386; reference:cve,2000-0153; classtype:web-application-attack; sid:966; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE .... request"; flow:to_server,established; uricontent:"..../"; nocase; reference:arachnids,248; reference:bugtraq,989; reference:cve,1999-0386; reference:cve,2000-0153; classtype:web-application-attack; reference:nessus,10142; sid:966; rev:10;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE shtml.exe access"; flow:to_server,established; uricontent:"/_vti_bin/shtml.exe"; nocase; reference:bugtraq,1174; reference:bugtraq,1608; reference:cve,2000-0413; reference:cve,2000-0709; reference:nessus,10405; classtype:web-application-activity; sid:962; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE shtml.exe access"; flow:to_server,established; uricontent:"/_vti_bin/shtml.exe"; nocase; reference:bugtraq,1174; reference:bugtraq,1608; reference:cve,2000-0413; reference:cve,2000-0709; reference:nessus,10405; classtype:web-application-activity; reference:bugtraq,5804; reference:cve,CVE-2002-0692; reference:nessus,11311; sid:962; rev:12;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE _vti_rpc access"; flow:to_server,established; uricontent:"/_vti_rpc"; nocase; reference:bugtraq,2144; classtype:web-application-activity; sid:937; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE _vti_rpc access"; flow:to_server,established; uricontent:"/_vti_rpc"; nocase; reference:bugtraq,2144; classtype:web-application-activity; reference:nessus,10585; reference:cve,2001-0096; sid:937; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE shtml.dll access"; flow:to_server,established; uricontent:"/_vti_bin/shtml.dll"; nocase; reference:arachnids,292; classtype:web-application-activity; sid:940; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE shtml.dll access"; flow:to_server,established; uricontent:"/_vti_bin/shtml.dll"; nocase; reference:arachnids,292; classtype:web-application-activity; reference:nessus,11395; reference:cve,CAN-2000-0746; reference:cve,CAN-2000-0746; reference:bugtraq,1594; reference:bugtraq,1595; reference:url,www.microsoft.com/technet/security/bulletin/ms00-060.mspx; sid:940; rev:13;)

  [///]      Modified inactive:    [///]

     file -> web-iis.rules
     old: #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS JET VBA access"; flow:to_server,established; uricontent:"/scripts/samples/ctguestb.idc"; nocase; reference:bugtraq,307; reference:cve,1999-0874; classtype:web-application-activity; sid:984; rev:8;)
     new: #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS JET VBA access"; flow:to_server,established; uricontent:"/scripts/samples/ctguestb.idc"; nocase; reference:bugtraq,307; reference:cve,1999-0874; classtype:web-application-activity; reference:nessus,10116; sid:984; rev:9;)

     file -> web-php.rules
     old: #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"form-data|3B|"; reference:bugtraq,4183; reference:cve,2002-0081; classtype:web-application-attack; sid:1425; rev:11;)
     new: #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"form-data|3B|"; reference:bugtraq,4183; reference:cve,2002-0081; classtype:web-application-attack; reference:nessus,10867; sid:1425; rev:12;)

[*] Non-rule changes: [*]

  [+++]       Added lines:       [+++]

    -> File "deleted.rules":
       # handled by 1212




