[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727... bleeding at ...2727...
Thu Dec 30 07:12:01 EST 2004


[***] Results from Oinkmaster started Wed Dec 29 21:00:02 2004 [***]

[---]         Removed rules:         [---]

     -> Removed from bleeding.rules (169):
        alert tcp any any -> any 445 (msg:"BLEEDING-EDGE MS04011 Lsasrv.dll RPC exploit (WinXP)";content:"|95 14 40 00 03 00 00 00 7C 70 40 00 01|"; content:"|78 85 13 00 AB5B A6 E9 31 31|"; flow:to_server,established; sid:2000033; rev:2;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Mozilla Cookie theft"; reference:url,www.securiteam.com/securitynews/5GP0T0U60M.html; pcre:"/http\://[\w]+(\.[\w]+){1,2}%00(([\d]+\.*){4}|[\d]+|[\w]+(\.[\w]+){1,2})/i"; classtype:misc-activity; flow:from_server,established; sid:2001207; rev:2;)
        alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sO"; dsize:0; ip_proto:21; reference:arachnids,162; classtype:attempted-recon; sid:2000536; rev:1;)
        alert tcp $EXTERNAL_NET 143 -> $HOME_NET any (msg:"BLEEDING-EDGE Exploit Possible Sun Java Plugin arbitrary package access exploit"; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset:0; depth:30; flow:to_client; classtype:web-application-attack; reference:url,jouko.iki.fi/adv/javaplugin.html; reference:url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference:url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference:url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference:url,secunia.com/advisories/13271/; reference:url,www.kb.cert.org/vuls/id/760344; reference:cve,CAN-2004-1029; sid:2001552; rev:1;)
        alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection closing string plus line comment"; flow:to_server,established; content:"'|00|"; content:"-|00|-|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; classtype:attempted-user; sid:2000488; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 2"; flags:S,12; dsize:24; window:2048; id:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001610; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-IIS MDAC Content-Type overflow attempt"; flow:to_server,established; uricontent:"/msadcs.dll"; content:"Content-Type\:"; nocase; content:!"|0A|"; within:50; reference:cve,CAN-2002-1142; reference:url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337;classtype:web-application-attack; sid:2000003; rev:3;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-MISC cross site scripting stealth attempt to execute VBScript code"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*b[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"vbscript\:"; nocase; classtype:web-application-attack; flow:to_server,established; sid:2001091; rev:2;)
        alert tcp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"BLEEDING-EDGE Possible Microsoft SQL Server Remote Denial Of Service Attempt"; flow:established,to_server; content:"|10 00 00 10 cc|"; offset:0; depth:5; flowbits:isnotset,tagged; flowbits:set,tagged; tag:host,3,packets,src; reference:bugtraq,11265; classtype:attempted-dos; sid:2001366; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-MISC cross site scripting attempt IMG onerror or onload"; content:"<IMG"; nocase; pcre:"/\bonerror\b[\s]*=/Ri"; classtype:web-application-attack; flow:to_server,established; sid:2001075; rev:2;)
        alert tcp any any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Catalyst SSH protocol mismatch"; content:"|61 25 61 25 61 25 61 25 61 25 61 25 61 25|"; flow:to_server,established; reference:url,www.cisco.com/warp/public/707/catalyst-ssh-protocolmismatch-pub.shtml; classtype:attempted-dos; sid:2000007; rev:1;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE libpng tRNS overflow attempt"; content:"|89|PNG|0D 0A 1A 0A|"; content:!"PLTE"; content:"tRNS"; byte_test:4,>,256,-8,relative,big; flow:established,to_client; classtype:attempted-admin; reference:cve,CAN-2004-0597; sid:2001058; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP Serv-U LIST -l Parameter Buffer Overflow"; content:"LIST -l\:"; nocase; isdataat:134,relative;reference:url,www.securiteam.com/windowsntfocus/5ZP0G2KCKA.html; flow:to_server,established; classtype:misc-activity; sid:2001213; rev:3;)
        alert tcp any any -> any any (msg:"BLEEDING-EDGE Suspicious Encrypted Webpage Content"; pcre:"/<SCRIPT[^>]*>[\s]*VAR[\s]+[\w]+[\s]*=[\s]*['"]([a-fA-F0-9]{2}){20}/i"; classtype:bad-unknown; flow:established; sid:2001021; rev:4;)
        alert tcp any any -> any 139 (msg:"BLEEDING-EDGE Pwdump3e Session Established Reg-Entry port 139"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; flow:to_server,established; sid:2000565; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - Nick change on non-std port"; content:"NICK "; offset:0; depth:5; nocase; dsize:<64; flow:to_server,established; tag:session,300,seconds; classtype:trojan-activity; sid:2000345; rev:3;)
        alert tcp $HOME_NET 139 -> any any (msg:"BLEEDING-EDGE Pwdump3e Password Hash Retrieval port 139"; content:"\:|00|5|00|0|00|0"; flow:from_server,established; sid:2000568; rev:3;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - Channel JOIN on non-std port"; content:"JOIN "; offset:0; depth:5; nocase; pcre:"/&|#|\+|!/R"; dsize:<64; flow:to_server,established; tag:session,300,seconds; classtype:trojan-activity; sid:2000348; rev:3;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Javascript execution with expression eval hex"; pcre:"/expression[\s]*\([\s]*eval[\s]*\([\s]*String\.fromCharCode[\s]*\(([\s]*0x[\da-fA-F]+[\s]*,){20}/i"; reference:url,www.securiteam.com/exploits/3D5Q4RFPPK.html; classtype:misc-activity; flow:from_server,established; sid:2001106; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sA"; dsize:0; flags:A,12; fragbits:!D; window:3072; reference:arachnids,162; classtype:attempted-recon; sid:2000540; rev:1;)
        alert tcp any any -> any 445 (msg:"BLEEDING-EDGE MS04011 Lsasrv.dll RPC exploit (Win2k)";content:"|00 00 00 00 9A A8 40 00 01 00 00 00 00 00 00 00|"; content:"|01 0000 00 00 00 00 00 9A A8 40 00 01 00 00 00|"; flow:to_server,established; sid:2000046; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - Private message on non-std port"; content:"PRIVMSG "; nocase; offset:0; depth:8; dsize:<128; flow:to_server,established; tag:session,300,seconds; classtype:trojan-activity; sid:2000347; rev:3;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE IE trojan Ants3set 1.exe - process injection"; content:"|00|KERNEL32.DLL|00|GDI32.dll|00|MSVCRT.dll|00|USER32.dll|00||00|LoadLibraryA|00||00|GetProcAddress|00||00|ExitProcess|00|"; classtype:misc-attack; flow:from_server,established; sid:2001182; rev:3;)
        alert udp any any -> $HOME_NET 514 (msg:"BLEEDING-EDGE Cisco 514 UDP flood DoS"; content:"|25 25 25 25 25 58 58 25 25 25 25 25|"; reference:url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml; classtype:attempted-dos; sid:2000010; rev:2;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE GenXE generated XSS Exploit hex"; pcre:"/eval[\s]*\([\s]*["']eval[\s]*\([\s]*String\.fromCharCode[\s]*\(([\s]*0x[\da-fA-F]+[\s]*,){20}/i"; reference:url, www.umbrella.name/genxe/RELEASE_0.9.0/index.html; classtype:misc-activity; flow:from_server,established; sid:2001108; rev:3;)
        alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Possible NULL-pointer crash in png_handle_iCCP"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,>=,0x80000000,0,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; flow:established; sid:2001190; rev:2;)
        alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE EXPLOIT NTDump Session Established Reg-Entry port 445"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; flow:to_server,established; sid:2001543; rev:3;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 3"; flags:S,12; dsize:24; window:2048; id:3; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001611; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE FTP Serv-U Server Long Filename Stack Overflow Vulnerability"; pcre:"/chmod[\s]+([\d]{1,4})*[\s]*[\w\.\/]{250}/Bi"; reference:url,www.securiteam.com/windowsntfocus/5OP0N1PBPG.html; classtype:misc-activity; flow:to_server,established; sid:2001215; rev:3;)
        alert tcp $HOME_NET any -> any 6667 (msg:"BLEEDING-EDGE Attack Response Likely Botnet Activity"; tag:session,50,packets; content: "PRIVMSG"; nocase; pcre:"/(cheguei gazelas|meh que tao|Status|Tempo|Total pacotes|Total bytes|M?dia de envio|portas? aberta)/i"; classtype: string-detect; flow:to_server,established; sid:2001620; rev:2;)
        alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Cisco IOS HTTP server DoS"; uricontent:"\/TEST?\/"; flow:to_server,established; classtype:attempted-dos; sid:2000013; rev:3;)
        alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BLEEDING-EDGE Exploit Possible Sun Java Plugin arbitrary package access exploit"; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset:0; depth:30; flow:to_server; classtype:web-application-attack; reference:url,jouko.iki.fi/adv/javaplugin.html; reference:url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference:url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference:url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference:url,secunia.com/advisories/13271/; reference:url,www.kb.cert.org/vuls/id/760344; reference:cve,CAN-2004-1029; sid:2001550; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access COM2"; content:"/COM2/"; nocase; flow:established; classtype:string-detect; sid:2000500; rev:3;)
        alert tcp any any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Potential SSH Scan"; flags:S; threshold:type threshold, track by_src, count 5, seconds 120; classtype:attempted-dos; sid:2001219; rev:6;)
        alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL DOS attempt (08)"; content:"|08|"; depth:1; content:!"|3A|"; depth:1; offset:1; dsize:>1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-dos; sid:2000378; rev:1;)
        alert tcp any any -> $HOME_NET 3128 (msg:"BLEEDING-EDGE Squid NTLM Auth Overflow Exploit"; content:"|4141 414a 4351 6b4a 4351 6b4a 4351 6b4a|"; offset:96; classtype:misc-attack; flow:to_server; reference:url,www.idefense.com/application/poi/display?id=107; reference:cve,CAN-2004-0541; sid:2000342; rev:1;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Mozilla FTP View Cross-Site Scripting Vulnerability"; content:"ftp\://"; nocase; content:"<TITLE"; content:"<SCRIPT"; content:"</TITLE"; reference:url,www.securiteam.com/windowsntfocus/5MP0I0080A.html;classtype:misc-activity; flow:from_server,established; sid:2001209; rev:2;)
        alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE Pwdump3e pwservice.exe Access port 139"; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; flow:to_server,established; sid:2000567; rev:3;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - dns request on non-std port"; flow:to_server,established; content:"USERHOST "; nocase; offset:0; depth:9; tag:session,300,seconds; classtype:policy-violation; sid:2000352; rev:3;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Possible MS04-032 Windows Metafile (.emf) Heap Overflow Portbind Attempt"; content:"|45 4D 46|"; content:"|23 6A 75 4E|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; classtype:shellcode-detect; flow:established; sid:2001363; rev:2;)
        alert tcp any any -> $HOME_NET 25 (msg: "BLEEDING-EDGE Exploit winhlp32 ActiveX control attack via EMAIL, phase 3"; flow:to_server,established; flowbits: isset,winhlp32; content: ".HHClick|2829|"; nocase; classtype: web-application-attack; sid:2001627; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-PHP EasyDynamicPages exploit"; classtype:web-application-activity; reference:url,www.securitytracker.com/alerts/2004/Jan/1008584.html; reference:cve,CAN-2004-0073; flow:established,to_server; uricontent:"edp_relative_path="; sid:2001344; rev:2;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Exploit Probable MSIE XPSP2 Remote Compromise"; flow:to_client,established; pcre:"/^file\x3A\\/\/C\x3A\\\WINDOWS\\PCHealth\\HelpCtr\\System\\blurbs\\tools\x2E\htm/mi"; reference:url,freehost07.websamba.com/greyhats/sp2rc-analysis.htm; classtype:web-application-attack; sid:2001633; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-MISC cross site scripting attempt executing hidden Javascript";  pcre:"/window.execScript[\s]*\(/i"; classtype:web-application-attack; flow:to_server,established; sid:2001086; rev:2;)
        alert tcp $HOME_NET any -> 213.219.122.11/32 $HTTP_PORTS (msg:"BLEEDING-EDGE Attack Response Zone-H.org defacement notification"; pcre: "/notify_(defacer|domain|hackmode|reason)=/i"; flow:established,to_server; classtype: trojan-activity; sid:2001616; rev:3;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE PHPNuke general XSS attemp"; content:"/modules.php?"; content:"name="; uricontent:"SCRIPT"; nocase; pcre:"/<\s*SCRIPT\s*>/iU"; reference:url,www.waraxe.us/?modname=sa&id=030; classtype:web-application-attack; flow:to_server,established; sid:2001218; rev:3;)
        alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE Hotmail LINK CSS Vulnerability"; pcre:"/<[\s]*(LINK)[\s]+(REL)[\s]*(=)[\s]*(STYLESHEET)[\s]+(TYPE)[\s]*(=)[\s]*(")*[\s]*(text/javascript)[\s]*(")*[\s]+(SRC)[\s]*(=)/i"; reference:url, www.securiteam.com/securitynews/5YP0M1555A.html; classtype:web-application-attack; flow:from_server,established; sid:2001074; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-MISC cross site scripting attempt STYLE + EXPRESSION";  pcre:"/[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>/i"; classtype:web-application-attack; flow:to_server,established; sid:2001083; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Possible ShixxNote buffer-overflow + remote shell attempt"; flow:established,to_server; content:"|68 61 63 6b 75|"; offset:126; depth:5; content:"|68 61 63 6b 90 61 61 61 61|"; offset:519; depth:9; reference:url,aluigi.altervista.org/adv/shixxbof-adv.txt; classtype:shellcode-detect; sid:2001385; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -f -sF"; dsize:0; ack:0; fragbits:!M; flags:F,12; window:2048; reference:arachnids,162; classtype:attempted-recon; sid:2000543; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit phpBB Highlighting Code Execution Attempt"; flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.system("; nocase; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:2001457; rev:7;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Internet Explorer Memory Corruption Bug"; pcre:"/<STYLE>@\;\/\*/i"; reference:url,www.securiteam.com/windowsntfocus/5XP051FDFM.html; classtype:misc-activity; flow:from_server,established; sid:2001205; rev:3;)
        alert tcp $HOME_NET 445 -> any any (msg:"BLEEDING-EDGE Pwdump3e Password Hash Retrieval port 445"; content:"\:|00|5|00|0|00|0"; flow:from_server,established; sid:2000563; rev:4;)
        alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL DOS bouncing packets"; content:"|0A|"; depth:1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-dos; sid:2000381; rev:1;)
        alert tcp any any -> $HOME_NET 31337 (msg:"BLEEDING-EDGE ATTACK Potential root shell connection detected!"; flow:established,to_server; tag:session, 20, packets; classtype:bad-unknown; sid:2001545; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access LPT1"; content:"/LPT1/"; nocase; flow:established; classtype:string-detect; sid:2000503; rev:3;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 1"; flags:S,12; dsize:24; window:2048; id:1; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001609; rev:2;)
        alert tcp any any -> $HOME_NET 25 (msg: "BLEEDING-EDGE Exploit winhlp32 ActiveX control attack via EMAIL, phase 1"; flow:to_server,established; flowbits: set,winhlp32; flowbits:noalert; content: "|3C|OBJECT"; nocase; content: "application/x-oleobject"; nocase; within: 64; content: "codebase="; nocase; content: "hhctrl.ocx"; nocase; within: 5; classtype: web-application-activity; sid:2001625; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP Serv-U directory traversal vulnerability"; pcre:"/%20[\.]+\//Bi"; reference:url,www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:misc-activity; flow:to_server,established; sid:2001212; rev:3;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE PHPNuke SQL injection attemp"; content:"/modules.php?"; content:"name=Search"; content:"instory="; reference:url,www.waraxe.us/index.php?modname=sa&id=35; classtype:web-application-attack; flow:to_server,established; sid:2001197; rev:2;)
        alert tcp any any -> $HOME_NET 23 (msg:"BLEEDING-EDGE Cisco Telnet Buffer Overflow"; content:"|3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 61 7e 20 25 25 25 25 25 58 58|"; flow:to_server,established; threshold:type limit, track by_src, count 1, seconds 120; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; classtype:attempted-dos; sid:2000005; rev:1;)
        alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Exploit phpBB Highlight Exploit Attempt"; content:"&highlight=%2527%252Esystem("; nocase; flow:to_server,established; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:2001605; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE Attack Response Outbound PHP Connection"; flow:established,to_server; content:"From\: anon at ...2944..."; offset:0; depth:19; nocase; content:"User-Agent\: PHP"; nocase; classtype:web-application-activity; sid:2001628; rev:1;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Javascript execution with expression eval"; pcre:"/expression[\s]*\([\s]*eval[\s]*\([\s]*String\.fromCharCode[\s]*\(([\s]*[\d]+[\s]*,){20}/i"; reference:url,www.securiteam.com/exploits/3D5Q4RFPPK.html; classtype:misc-activity; flow:from_server,established; sid:2001105; rev:2;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Stealth attempt to execute Javascript code"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"javascript\:"; nocase; classtype:misc-attack; flow:from_server,established; sid:2001101; rev:3;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"BLEEDING-EDGE Scan Possible SSL Brute Force attack or Site Crawl"; flags:S; flow:established; threshold: type threshold, track by_src, count 100, seconds 60; sid:2001553; rev:3;)
        alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection line comment"; flow:to_server,established; content:"-|00|-|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; classtype:attempted-user; sid:2000373; rev:1;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Internet Explorer URL parsing vulnerability"; pcre:"/location\.href[\s]*=[\s]*unescape[\s]*\([\s]*['"]%01@['"]/iU"; reference:url,www.securityfocus.com/archive/1/346948; classtype:misc-activity; flow:from_server,established; sid:2001094; rev:2;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Stealth attempt to execute VBScript code"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*b[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"vbscript\:"; nocase; classtype:misc-attack; flow:from_server,established; sid:2001102; rev:3;)
        alert tcp $EXTERNAL_NET !6661:6668 -> $HOME_NET any (msg:"BLEEDING-EDGE IRC - Name response on non-std port"; content:"\:"; offset:0; depth:1; content:" 302 "; content:"=+"; content:"@"; dsize:<128; flow:to_client,established; tag:session,300,seconds; classtype:trojan-activity; sid:2000346; rev:4;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access AUX";  content:"/AUX/";  nocase; flow:established; classtype:string-detect; sid:2000507; rev:3;)
        alert tcp any any -> $HOME_NET 445 ( msg:"BLEEDING-EDGE LSA exploit"; content:"|313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131|"; offset:78; depth:192; flow:to_server,established; classtype: misc-activity; sid:2000032;rev:2;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Mozilla Firefox Certificate Spoofing"; pcre:"/META[\s]+HTTP-EQUIV[\s]*=[\s]*['"]*REFRESH['"]*[\s]+CONTENT[\s]*=[\s]*['"]*[\d]+[\s]*\;[\s]*URL[\s]*=[\s]*http[\s\S]+onunload[\s]*=[\s]*['"]+[\s\S]+document\.write[\s\S]+window\.location\.reload/i"; reference:url,www.securiteam.com/securitynews/5EP0L1PDFG.html;classtype:misc-activity; flow:from_server,established; sid:2001206; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Exploit Suspected PHP Injection Attack"; content: "GET /"; nocase; content: ".php|3f|"; nocase; within: 64; pcre: "/(name=http|cmd=.*(cd|perl|wget|id|uname|t?ftp))/i"; flow:to_server,established; classtype: trojan-activity; sid:2001621; rev:2;)
        alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE EXPLOIT NTDump.exe Service Started port 139"; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; flow:to_server,established; sid:2001053; rev:3;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP Serv-U Local Privilege Escalation Vulnerability"; content:"site exec"; nocase; rawbytes; reference:url,www.securiteam.com/windowsntfocus/5YP0F1FDPO.html; classtype:misc-activity; flow:to_server,established; sid:2001210; rev:3;)
        alert tcp any any -> $HOME_NET 443 (msg: "BLEEDING-EDGE SSL Bomb DoS Attempt"; content:"|16 03 00|"; offset:0; depth:3; content:"|01|"; distance:2; within:1; byte_jump:1,37,relative,align; byte_test:2,>,255,0,relative; flow:to_server,established; classtype:attempted-dos; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; sid:2000016; rev:1;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE MS04-032 Bad EMF file"; content: "|01 00 00 00|"; depth: 4; content: "|20 45 4d 46|"; depth: 44; offset: 40; byte_test: 4, >, 256, 60, little; flow:from_server,established; sid:2001374; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Buffer Overflow Exploit in Adobe Acrobat Reader"; pcre:"/URI/URI\(mailto\:[^"]*"[^"]*"x[\d]{3}/i"; reference:url,www.securiteam.com/securitynews/5WP080AAKK.html; classtype:shellcode-detect; flow:established; sid:2001049; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -f -sS"; dsize:0; ack:0; fragbits:!M; flags:S,12; window:2048; reference:arachnids,162; classtype:attempted-recon; sid:2000545; rev:1;)
        alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit winhlp32 ActiveX control attack, phase 3"; flow:to_client, established; flowbits: isset,winhlp32; content: ".HHClick|2829|"; nocase; classtype: web-application-attack; sid:2001624; rev:1;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Reading Local Files in Netscape 6 and Mozilla"; pcre:"/([\w]+)[\s]*=[\s]*new[\s]+XMLHttpRequest[\s\S]+\1\.open[\s]*\([\s]*['"]GET['"][\s]*,/i"; reference:url,www.securiteam.com/securitynews/5JP000A76K.html; classtype:misc-activity; flow:from_server,established; sid:2001208; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - DCC file transfer request on non-std port"; flow:to_server,established; content:"PRIVMSG "; nocase; offset:0; depth:8; content:" \:.DCC SEND"; nocase; tag:session,300,seconds; classtype:policy-violation; sid:2000349; rev:3;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-MISC cross site scripting attempt STYLE + JSCRIPT";  pcre:"/TYPE\s*=\s*['"]text\/jscript/i"; classtype:web-application-attack; flow:to_server,established; sid:2001078; rev:3;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access LPT2"; content:"/LPT2/"; nocase; flow:established; classtype:string-detect; sid:2000504; rev:3;)
        alert tcp any any -> any !6661:6668 (msg:"BLEEDING-EDGE IRC - Nick change on non-std port"; content: "NICK "; offset:0; depth:5; nocase; dsize:<64; flow:to_server,established; tag:session,300,seconds; classtype:policy-violation; sid:2000344; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"BLEEDING-EDGE CVS server heap overflow attempt (target Solaris)"; flow:to_server,established; content:"|41 72 67 75 6d 65 6e 74 20 62 62 62 62 62 62 62 62 62|";offset:0; depth:18; dsize: >512; threshold: type limit, track by_dst, count 1, seconds 60 ; rev:1;classtype:attempted-admin;sid:2000049;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-MISC cross site scripting attempt TYPE + JAVASCRIPT"; pcre:"/TYPE\s*=\s*['"]text\/javascript/i"; classtype:web-application-attack; flow:to_server,established; sid:2001076; rev:3;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - channel join on non-std port"; flow:to_server,established; content:"JOIN \: \#"; nocase; offset:0; depth:8; tag:session,300,seconds; classtype:policy-violation; sid:2000351; rev:3;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-MISC cross site scripting attempt to execute VBScript code"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*vbscript[\:]/i"; classtype:web-application-attack; flow:to_server,established; sid:2001088; rev:2;)
        alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL Spike buffer overflow"; content:"|12 01 00 34|"; depth:4; reference:url,www.securityfocus.com/bid/5411/exploit; classtype:attempted-admin; sid:2000380; rev:1;)
        alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE ICMP PING IPTools"; itype:8; icode:0; content:"|A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7|"; depth:64; reference:url,www.ks-soft.net/ip-tools.eng; classtype:misc-activity; sid:2000575; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit phpBB Highlighting Code Execution - Santy.A Worm"; flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.fwrite(fopen("; nocase; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:2001604; rev:4;)
        alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Cisco IOS HTTP DoS"; uricontent:"\/error?\/"; nocase; flow:to_server,established; reference:url,www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml; classtype:attempted-dos; sid:2000009; rev:3;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Exploit Probable MSIE XPSP2 Remote Compromise"; flow:to_client,established; content:"writehta.txt"; pcre:"/^C\x3A\\\Documents\s+and\s+Settings\\All\s+Users\\Start\s+Menu\\Programs\\Startup\\+?([A-Z]|[a-z]|[0-9])\x2E\hta/mi"; reference:url,freehost07.websamba.com/greyhats/sp2rc-analysis.htm; classtype:web-application-attack; sid:2001634; rev:1;)
        alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"BLEEDING-EDGE Exploit Possible Sun Java Plugin arbitrary package access exploit"; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset:0; depth:30; flow:to_client; classtype:web-application-attack; reference:url,jouko.iki.fi/adv/javaplugin.html; reference:url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference:url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference:url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference:url,secunia.com/advisories/13271/; reference:url,www.kb.cert.org/vuls/id/760344; reference:cve,CAN-2004-1029; sid:2001551; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Internet Explorer Plugin.ocx Heap Overflow"; content:"06DD38D0-D187-11CF-A80D-00C04FD74AD8"; nocase; content:".load("; nocase; reference:url,www.hnc3k.com/ievulnerabil.htm; classtype:misc-attack; flow:from_server,established; sid:2001181; rev:3;)
        alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Width exceeds limit"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,>=,0x80000000,8,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; flow:established; sid:2001191; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sS"; dsize:0; ack:0; fragbits:!D; flags:S,12; window:2048; reference:arachnids,162; classtype:attempted-recon; sid:2000537; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"BLEEDING-EDGE NII Microsoft ASN.1 Library Buffer Overflow Exploit"; content:"|A1 05 23 03 03 01 07|"; flow:to_server,established; reference:url,www.microsoft.com/technet/security/bulletin/ms04-007.asp; classtype:bad-unknown; sid:2000017; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 4274 (msg:"BLEEDING-EDGE Possible Xedus Webserver Directory Traversal Attempt"; flow:to_server,established; content:"/../data/log.txt"; content:"/../WINNT/"; nocase; reference:url,www.gulftech.org/?node=research&article_id=00047-08302004; classtype:web-application-activity; sid:2001238; rev:3;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -f -sX"; dsize:0; ack:0; fragbits:!M; flags:FPU,12; window:2048; reference:arachnids,162; classtype:attempted-recon; sid:2000546; rev:1;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE GenXE generated XSS Exploit"; pcre:"/eval[\s]*\([\s]*["']eval[\s]*\([\s]*String\.fromCharCode[\s]*\(([\s]*[\d]+[\s]*,){20}/i"; reference:url, www.umbrella.name/genxe/RELEASE_0.9.0/index.html; classtype:misc-activity; flow:from_server,established; sid:2001107; rev:3;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access LPT3"; content:"/LPT3/"; nocase; flow:established; classtype:string-detect; sid:2000505; rev:3;)
        alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg:"BLEEDING-EDGE mIRC <=6.12 DCC Buffer Overflow"; flow:to_client, established; content:"DCC SEND "; isdataat:100, relative; nocase; reference:bugtraq,8880; classtype:attempted-dos; sid:2000329; rev:3;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-MISC cross site scripting attempt STYLE + JAVASCRIPT"; pcre:"/TYPE\s*=\s*['"]application\/x-javascript/i"; classtype:web-application-attack; flow:to_server,established; sid:2001077; rev:3;)
        alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE Pwdump3e pwservice.exe Access port 445"; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; flow:to_server,established; sid:2000564; rev:4;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-MISC cross site scripting stealth attempt to access SHELL\:"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*h[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"shell\:"; nocase; classtype:web-application-attack; flow:to_server,established; sid:2001092; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Invalid fragment - ACK reset"; fragbits:M; flags:!A,12; classtype:bad-unknown; sid:2001023; rev:1;)
        alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE Microsoft MHTML URL Redirection Attempt"; flow:from_server,established; content:"mhtml|3A|file|3A|"; nocase; reference:cve,CAN-2004-0380; reference:url,www.microsoft.com/technet/security/bulletin/MS04-013.mspx; classtype:web-application-attack; rev:2; sid:2000004;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-MISC cross site scripting attempt using XML";  content:"<XML"; content:"<![CDATA[<]]>SCRIPT"; nocase; classtype:web-application-attack; flow:to_server,established; sid:2001084; rev:2;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE IE Local zone Shell execution of arbitrary code"; content:"<script"; content:"ActiveXObject"; content:"NameSpace"; content:"ParseName"; content:"GetLink"; content:"Path"; content:"Arguments"; content:"Save"; content:"Open"; content:"</script"; reference:url,www.securityfocus.com/archive/1/348688/2003-12-31/2004-01-06/0; classtype:misc-activity; flow:from_server,established; sid:2001093; rev:2;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Stealth attempt to access SHELL\:"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*h[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"shell\:"; classtype:misc-attack; flow:from_server,established; sid:2001103; rev:3;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Invalid non-fragmented packet with fragment offset>0"; fragbits:!M; fragoffset:>0; classtype:bad-unknown; sid:2001022; rev:1;)
        alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Height exceeds limit"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; byte_test:4,>=,0x80000000,12,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; flow:established; sid:2001192; rev:2;)
        alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL DOS attempt (08) 1 byte"; content:"|08|"; depth:1; dsize:1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-dos; sid:2000379; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-MISC cross site scripting attempt STYLE + VBSCRIPT";  pcre:"/TYPE\s*=\s*['"]application\/x-vbscript/i"; classtype:web-application-attack; flow:to_server,established; sid:2001080; rev:3;)
        alert tcp any any -> $HOME_NET 23 (msg:"BLEEDING-EDGE DOS Catalyst memory leak attack"; content:"|41 41 41 0a|"; within:20; flow:to_server,established; classtype:attempted-dos; sid:2000011; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"BLEEDING-EDGE CVS server heap overflow attempt (target BSD)"; flow:to_server,established; content:"|45 6e 74 72 79 20 61 61 61 61 61 61 61 61 61 61 61 61|"; offset:0; depth:18; dsize: >512; threshold: type limit, track by_dst, count 1, seconds 60 ; rev:1;classtype:attempted-admin;sid:2000031;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-MISC cross site scripting attempt STYLE + VBSCRIPT";  pcre:"/TYPE\s*=\s*['"]text\/vbscript/i"; classtype:web-application-attack; flow:to_server,established; sid:2001079; rev:3;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-MISC Alternate Data Stream source view attempt"; uricontent:"|3A 3A 24|$DATA"; flow:to_server,established; reference:url,support.microsoft.com/kb/q188806/; reference:cve,1999-0278; sid:2001365; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -sA"; dsize:0; flags:A,12; fragbits:!D; window:1024; reference:arachnids,162; classtype:attempted-recon; sid:2000538; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-MISC cross site scripting stealth attempt to execute Javascript code"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"javascript\:"; nocase; classtype:web-application-attack; flow:to_server,established; sid:2001090; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB Cross-site scripting attempt"; flow:to_server,established; pcre:"/((\%27)|')(\s|\+)*union/i"; classtype:Web-application-attack; sid:2000019; rev:5;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-MISC cross site scripting attempt STYLE + EXPRESSION";  pcre:"/STYLE[\s]*=[\s]*[^>]expression[\s]*\(/i"; classtype:web-application-attack; flow:to_server,established; sid:2001082; rev:2;)
        alert tcp any any -> any 445 (msg:"BLEEDING-EDGE Pwdump3e Session Established Reg-Entry port 445"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; flow:to_server,established; sid:2000566; rev:2;)
        alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Cisco Router HTTP DoS"; uricontent:"\/%%"; flow:to_server,established; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; classtype:attempted-dos; sid:2000006; rev:4;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE AOL Instant Messenger aim goaway URI Handler"; uricontent:"aim\:goaway?message="; reference:url,www.idefense.com/application/poi/display?id=121; classtype:misc-activity; flow:from_server,established; sid:2001189; rev:4;)
        alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Cisco %u IDS evasion"; uricontent:"%u002F"; flow:to_server,established; classtype:attempted-dos; sid:2000012; rev:4;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE IFRAME ExecCommand vulnerability"; content:"<IFRAME"; nocase; pcre:"/SRC[\s]*=[\s]*["']*[\x09\x0a\x0b\x0c\x0d]*f[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*\:/Ri"; reference:url,www.securiteam.com/exploits/3D5Q4RFPPK.html; classtype:misc-activity; flow:from_server,established; sid:2001095; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-MISC cross site scripting attempt STYLE + ECMACRIPT"; pcre:"/TYPE\s*=\s*['"]text\/ecmascript/i"; classtype:web-application-attack; flow:to_server,established; sid:2001081; rev:3;)
        alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE EXPLOIT NTDump.exe Service Started port 445"; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; flow:to_server,established; sid:2001544; rev:3;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"BLEEDING-EDGE WEB-MISC LINK Method"; content:"LINK "; offset:0; depth:5; flow:to_server,established; tag:host,10,packets; sid:2001546; rev:1;)
        alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Catalyst 3500 arbitrary command"; uricontent:"\/exec\/show\/config"; nocase; flow:to_server,established; reference:url,www.securityfocus.com/archive/1/141471; classtype:attempted-admin; sid:2000008; rev:3;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Attempt to execute VBScript code"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*vbscript[\:]/i"; classtype:misc-attack; flow:from_server,established; sid:2001099; rev:3;)
        alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-IIS ASP.net Auth Bypass / Canonicalization % 5 C"; flow:to_server,established; content:"GET"; nocase; content:"%5C"; depth:100; content:"aspx"; distance:100; sid:2001343; rev:9;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-MISC cross site scripting attempt to execute Javascript code"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*javascript[\:]/i"; classtype:web-application-attack; flow:to_server,established; sid:2001087; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP Serv-U directory traversal vulnerability"; pcre:"/\\[\.]+%20/Bi"; reference:url,www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype:misc-activity; flow:to_server,established; sid:2001211; rev:3;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit phpBB Highlighting SQL Injection"; flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.mysql_query("; nocase; reference:url,www.securiteam.com/unixfocus/6Z00R2ABPY.html; sid:2001557; rev:3;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-MISC cross site scripting attempt executing hidden Javascript";  pcre:"/eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*\)/i"; classtype:web-application-attack; flow:to_server,established; sid:2001085; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access COM4"; content:"/COM4/"; nocase; flow:established; classtype:string-detect; sid:2000502; rev:3;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-EDGE EXPLOIT IE IFRAME Exploit"; pcre:"/(EMBED|FRAME|SRC)\s*=\s*["']*?(file|http)\://\w{578}|/W{578}/im"; pcre:"/(EMBED|FRAME|SRC|NAME)\s*=\s*["']\w{2086}|\W{2086}/im"; content:"\/IFRAME"; nocase; flow:from_server,established; sid:2001401; rev:9;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE MS04-032 Windows Metafile (.emf) Heap Overflow Exploit"; content:"|45 4D 46|"; content:"|EB 12 90 90 90 90 90 90|"; content:"|9e 5c 05 78|"; nocase; reference:url,www.k-otik.com/exploits/20041020.HOD-ms04032-emf-expl2.c.php; classtype:shellcode-detect; flow:established; sid:2001369; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access NULL"; content:"/NULL/"; nocase; flow:established; classtype:string-detect; sid:2000508; rev:3;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"BLEEDING-EDGE CVS server heap overflow attempt (target Linux)"; flow:to_server,established; content:"|45 6e 74 72 79 20 43 43 43 43 43 43 43 43 43 2f 43 43|"; offset:0; depth:20; dsize: >512; threshold: type limit, track by_dst, count 1, seconds 60 ; rev:1; classtype:attempted-admin;sid:2000048;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Exploit Possible Sun Java Plugin arbitrary package access exploit"; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset:0; depth:30; flow:to_client; classtype:web-application-attack; reference:url,jouko.iki.fi/adv/javaplugin.html; reference:url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference:url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference:url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference:url,secunia.com/advisories/13271/; reference:url,www.kb.cert.org/vuls/id/760344; reference:cve,CAN-2004-1029; sid:2001549; rev:1;)
        alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-IIS ASP.net Auth Bypass / Canonicalization"; flow:to_server,established; content:"GET"; nocase; content:"|5C|"; nocase; depth:100; content:"aspx"; distance:100; nocase; sid:2001342; rev:10;)
        alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE EXPLOIT NTDump Session Established Reg-Entry port 139"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; flow:to_server,established; sid:2001052; rev:3;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"BLEEDING-EDGE THCIISLame IIS SSL Exploit Attempt"; reference:url,www.thc.org/exploits/THCIISSLame.c; reference:url,isc.sans.org/diary.php?date=2004-07-17; content:"THCOWNZIIS!"; flow:to_server,established; sid:2000559; rev:5;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-MISC cross site scripting attempt to access SHELL\:"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*shell[\:]/i"; classtype:web-application-attack; flow:to_server,established; sid:2001089; rev:2;)
        alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL heap overflow attempt"; content:"|08 3A 31|"; depth:3; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-admin; sid:2000377; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE MS04-032 Windows Metafile (.emf) Heap Overflow Connectback Attempt"; content:"|45 4D 46|"; content:"|5E 79 72 63|"; content:"|48 4F 44 21|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; classtype:shellcode-detect; flow:established; sid:2001364; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -f -sN"; dsize:0; ack:0; fragbits:!M; flags:0,12; window:2048; reference:arachnids,162; classtype:attempted-recon; sid:2000544; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Invalid fragment - illegal flags"; fragbits:M;flags:*FSR,12; classtype:bad-unknown; sid:2001024; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access COM1"; content:"/COM1/"; nocase; flow:established; classtype:string-detect; sid:2000499; rev:3;)
        alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit winhlp32 ActiveX control attack, phase 2"; flow:to_client,established; flowbits: isset,winhlp32; content: "|3C|PARAM"; nocase; content: "value="; nocase; content: "command|3B|"; nocase; pcre: "/(javascript|http|ftp|vbscript)/iR"; classtype: web-application-attack; sid:2001623; rev:2;)
        alert tcp any any -> $HOME_NET 25 (msg: "BLEEDING-EDGE Exploit winhlp32 ActiveX control attack via EMAIL, phase 2"; flow:to_server,established; flowbits: isset,winhlp32; content: "|3C|PARAM"; nocase; content: "value="; nocase; content: "command|3B|"; nocase; pcre: "/(javascript|http|ftp|vbscript)/iR"; classtype: web-application-attack; sid:2001626; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access COM3"; content:"/COM3/"; nocase; flow:established; classtype:string-detect; sid:2000501; rev:3;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Adobe Acrobat Reader Malicious URL Null Byte"; reference:url,idefense.com/application/poi/display?id=126&type=vulnerabilities; reference:url,www.securiteam.com/windowsntfocus/5BP0D20DPW.html; reference:cve,2004-0629; flow:to_server,established; uricontent:".pdf|00|"; nocase; classtype:attempted-admin; sid:2001217; rev:4;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE IE process injection iexplore.exe executable download"; content:"|00|iexplore.exe|00|"; content:"|00|GetProcAddress|00|"; content:"|00|LoadLibraryA|00|"; classtype:misc-activity; flow:from_server,established; sid:2001048; rev:2;)
        alert tcp any any -> $HOME_NET 2702 (msg:"BLEEDING-EDGE DOS Microsoft SMS dos attempt"; flow:to_server,established; pcre:"/RCH0####RCHE.{130,}/smi"; reference:url,www.securityfocus.com/archive/1/368911/2004-07-12/2004-07-18/0; sid:2000496; classtype:attempted-dos; rev:3;)
        alert tcp any any -> any any (msg:"BLEEDING-EDGE libPNG - Possible integer overflow in allocation in png_handle_sPLT"; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset:0; depth:8; content:"sPLT"; isdataat:80,relative; content:!"|00|"; distance:0;reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; flow:established; sid:2001195; rev:2;)
        alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Exploit winhlp32 ActiveX control attack, phase 1"; flow:to_client,established; flowbits: set,winhlp32; flowbits:noalert; content: "|3C|OBJECT"; nocase; content: "application/x-oleobject"; nocase; within: 64; content: "codebase="; nocase; content: "hhctrl.ocx"; nocase; within: 5;  sid:2001622; classtype: web-application-activity; rev:1;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE MS04-030 Attempted DoS"; flow:to_server; content:"xmlns\:z"; content:"xml\:"; nocase; flowbits:isnotset,tagged; flowbits:set,tagged; tag:host,10,packets,src; reference:url,isc.sans.org/diary.php?date=2004-10-20; classtype:attempted-dos; sid:2001362;; rev:1;)
        alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Internet Explorer Object Data Remote Execution Vulnerability"; content:"<object"; content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; reference:url,www.securityfocus.com/bid/8456/solution/; classtype:misc-activity; flow:from_server,established; sid:2001097; rev:2;)
        alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"BLEEDING-EDGE MS-SQL SQL Injection running SQL statements line comment"; flow:to_server,established; content:"\;|00|"; content:"-|00|-|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; nocase; classtype:attempted-user; sid:2000372; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE IRC - DCC chat request on non-std port"; flow:to_server,established; content:"PRIVMSG "; nocase; offset:0; depth:8; content:" \:.DCC CHAT chat"; nocase; tag:session,300,seconds; classtype:policy-violation; sid:2000350; rev:4;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE PHPNuke general SQL injection attempt"; content:"/modules.php?"; content:"name="; content:"UNION"; nocase; content:"SELECT"; nocase; reference:url,www.waraxe.us/?modname=sa&id=030; reference:url,www.waraxe.us/?modname=sa&id=036; classtype:web-application-attack; flow:to_server,established; sid:2001202; rev:2;)
        alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE FTP inaccessible directory access LPT4"; content:"/LPT4/"; nocase; flow:established; classtype:string-detect; sid:2000506; rev:3;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (2):
        2001635 || BLEEDING-EDGE DOS HTTP GET with newline appended
        2001636 || BLEEDING-EDGE DOS squ1rt Apache DoS

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (5):
        2000019 || BLEEDING-EDGE WEB Cross-site scripting attempt
        2001074 || BLEEDING-EDGE Hotmail LINK CSS Vulnerability || url, www.securiteam.com/securitynews/5YP0M1555A.html
        2001107 || BLEEDING-EDGE GenXE generated XSS Exploit || url, www.umbrella.name/genxe/RELEASE_0.9.0/index.html
        2001108 || BLEEDING-EDGE GenXE generated XSS Exploit hex || url, www.umbrella.name/genxe/RELEASE_0.9.0/index.html
        2001189 || BLEEDING-EDGE AOL Instant Messenger aim goaway URI Handler || url,www.idefense.com/application/poi/display?id=121

     -> Removed from bleeding.rules (62):
        # Access to backdoor created by some SSL exploit
        #Submitted by Joseph Gama
        #Submitted by Joel Esler
        #Erik Fichtner
        #By Chris Norton
        #By Erik Fichtner
        #Submitted by Matt Jonkman
        #Submitted by Cody Hatch
        #Submitted by Cody Hatch
        #submitted by Cody Hatch
        #Submitted by Joseph Gama, Tweaks by Owen Crowe
        #Submitted by Chris Norton
        #Submitted by Johnathan Norman
        #Submitted by Chris Norton
        #Submitted by Joseph Gama
        #Submitted by Matt Jonkman
        #Submitted by Philippe Caturegli
        #Submitted by Cody Hatch
        #Submitted by Cody Hatch
        #Submitted by Cody Hatch
        #Submitted by Cody Hatch
        #Submitted by Cody Hatch
        #Submitted by Cody Hatch
        #Submitted by Joseph Gama
        #Submitted by Joseph Gama
        #This set is a consolidation of all IE exploits. Too many to keep separate...
        #Submitted by Joseph Gama
        #Submitted by Matt Jonkman
        #Joseph Gama
        #Submitted by mjp
        #Submitted by Matt Jonkman
        #Submitted by Joseph Gama
        #Submitted by Joseph Gama
        #Submitted by Joe Stewart
        # From Syke at ...2593...
        #Submitted by Joseph Gama, Tweaks by Owen Crowe
        #Submitted by Joseph Gama
        #Submitted by Chris Norton and Woofz
        #From Erik Fichtner
        #Submitted by Joseph Gama
        #Submitted by Joseph Gama
        #Submitted bu Shirkdog
        #From Dshield
        #From Erik Fichtner
        #Submitted by Federico Petronio
        #Submitted by Matt Jonkman, Updated by Abe and Matt Sheridan
        #Submitted by Abe Use
        #Submitted by Joseph Gama
        #Submitted by Cooljay ref: http://www.bleedingsnort.com/forum/viewtopic.php?forum=3&showtopic=139
        #Submitted by Dale Handy
        #Written by Erik Fichtner
        #By Sam Pabon
        # Submitted by Frank Knobbe
        # Note: These rules are more practical as PASS rules, or with suppression in threshold.conf, to ignore harmless load-balancer probes
        #Submitted by Joseph Gama
        #Submitted by Joseph Gama
        #Idea from dynamicnet
        #Submitted by Matt Jonkman
        # A LINK method request... weird. Anyone remember what caused this?
        #Submitted by Joseph Gama
        #Written by Cory Altheide, Incidents.org
        #Submitted by Chris Norton

[+] Added files (consider updating your snort.conf to include them): [+]

    -> bleeding-attack_response.rules
    -> bleeding-dos.rules
    -> bleeding-exploit.rules
    -> bleeding-scan.rules
    -> bleeding-web.rules




