[Snort-sigs] snort-rules 2.1.* update @ Mon Feb 16 15:11:48 2004

bmc at ...95... bmc at ...95...
Thu Feb 19 06:37:03 EST 2004


This rule update was brought to you by Oinkmaster.

[*] Rule modifications: [*]

  [+++]           Added:           [+++]

     file -> sql.rules
     alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"MS-SQL probe response overflow attempt"; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3b|"; distance:0; isdataat:512,relative; content:!"|3b|"; within:512; reference:cve,CAN-2003-0903; reference:bugtraq,9407; reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.asp; classtype:attempted-user; sid:2329; rev:2;)

     file -> web-misc.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC negative Content-Length attempt"; flow:to_server,established; content:"Content-Length\:"; nocase; pcre:"/^Content-Length\x3a\s+-\d+/smi"; reference:bugtraq,9098; classtype:misc-attack; sid:2278; rev:1;)
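Review bot: The pcre in sid:2278 requires at least one whitespace character between the colon and the minus sign (`\s+`), so a header written as `Content-Length:-1` with no space passes the `content` match but never reaches the alert. HTTP clients are not obliged to put a space after the colon, and this is the cheapest form for a sender to vary. Changing the quantifier to `pcre:"/^Content-Length\x3a\s*-\d+/smi"` keeps the rule's intent and closes that gap.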

     file -> pop3.rules
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 login brute force attempt"; flow:to_server,established; content:"USER"; nocase; threshold:type threshold, track by_dst, count 30, seconds 30; classtype:suspicious-login; sid:2274; rev:2;)

     file -> smtp.rules
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SAML FROM\:"; nocase; pcre:"/^SAML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,CAN-2003-0161; sid:2264; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SEND FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SEND FROM\:"; nocase; pcre:"/^SEND FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; classtype:attempted-admin; reference:bugtraq,6991; reference:cve,CAN-2002-1337; sid:2261; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO sendmail prescan too long addresses overflow"; flow:to_server,established; content:"RCPT TO\:"; nocase; pcre:"/^RCPT TO\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,CAN-2003-0161; sid:2270; rev:1;)
     alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP AUTH LOGON brute force attempt"; flow:from_server,established; content:"Authentication unsuccessful"; offset:54; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2275; rev:2;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; pcre:"/^EXPN[^\n]{255,}/smi"; classtype:attempted-admin; reference:cve,CAN-2003-0161; reference:bugtraq,7230; reference:cve,CAN-2003-0161; reference:bugtraq,6991; reference:cve,CAN-2002-1337; sid:2259; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"MAIL FROM\:"; nocase; pcre:"/^MAIL FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,CAN-2003-0161; sid:2268; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SOML FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SOML FROM\:"; nocase; pcre:"/^SOML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; classtype:attempted-admin; reference:bugtraq,6991; reference:cve,CAN-2002-1337; sid:2265; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SAML FROM\:"; nocase; pcre:"/^SAML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; classtype:attempted-admin; reference:bugtraq,6991; reference:cve,CAN-2002-1337; sid:2263; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO sendmail prescan too many addresses overflow"; flow:to_server,established; content:"RCPT TO\:"; nocase; pcre:"/^RCPT TO\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; classtype:attempted-admin; reference:bugtraq,6991; reference:cve,CAN-2002-1337; sid:2269; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SOML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SOML FROM\:"; nocase; pcre:"/^SOML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,CAN-2003-0161; sid:2266; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SEND FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SEND FROM\:"; nocase; pcre:"/^SEND FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,CAN-2003-0161; sid:2262; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"MAIL FROM\:"; nocase; pcre:"/^MAIL FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; classtype:attempted-admin; reference:bugtraq,6991; reference:cve,CAN-2002-1337; sid:2267; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP VRFY overflow attempt"; flow:to_server,established; content:"VRFY"; nocase; pcre:"/^VRFY[^\n]{255,}/smi"; classtype:attempted-admin; reference:cve,CAN-2003-0161; reference:bugtraq,7230; reference:cve,CAN-2003-0161; reference:bugtraq,6991; reference:cve,CAN-2002-1337; sid:2260; rev:1;)
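Review bot: The five "too long addresses" rules (sids 2264, 2270, 2268, 2266, 2262 on L23, L25, L28, L32, L33) carry no `classtype`, while every sibling "too many addresses" rule in this section sets `classtype:attempted-admin;`, so these alerts will fall through to the default priority and look different in any classtype-based triage. They cover the same sendmail prescan flaw and should be tagged the same way, e.g. `reference:bugtraq,7230; reference:cve,CAN-2003-0161; classtype:attempted-admin; sid:2264; rev:1;)`. Separately, sids 2259 and 2260 (L27, L35) list `reference:cve,CAN-2003-0161` twice; drop one copy. The "too many addresses" pcres chain more than sixty lazy `[^\n]*?<` groups, which is presumably fine on typical mail traffic but may be worth a quick check for backtracking cost on long lines with few `<` characters, since that is attacker-controlled input.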

     file -> misc.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"MISC CVS non-relative path access attempt"; flow:to_server,established; content:"Argument"; pcre:"m?^Argument\s+/?smi"; pcre:"/^Directory/smiR"; classtype:misc-attack; reference:cve,CAN-2003-0977; reference:bugtraq,9178; sid:2318; rev:1;)
     alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS non-relative path error response"; flow:from_server,established; content:"E cvs server\: warning\: cannot make directory CVS in /"; classtype:misc-attack; reference:cve,CAN-2003-0977; reference:bugtraq,9178; sid:2317; rev:1;)

     file -> imap.rules
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login brute force attempt"; flow:to_server,established; content:"LOGIN"; nocase; threshold:type threshold, track by_dst, count 30, seconds 30; classtype:suspicious-login; sid:2273; rev:2;)

     file -> ftp.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST integer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; pcre:"/^LIST\s+\x22-W\s+\d+/smi"; classtype:misc-attack; reference:cve,CAN-2003-0853; reference:cve,CAN-2003-0854; reference:bugtraq,8875; sid:2272; rev:1;)

     file -> exploit.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"EXPLOIT ebola USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]{49}/smi"; reference:bugtraq,9156; classtype:attempted-admin; sid:2320; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"EXPLOIT ebola PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s[^\n]{49}/smi"; reference:bugtraq,9156; classtype:attempted-admin; sid:2319; rev:1;)

     file -> web-php.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PayPal Storefront arbitrary command execution attempt"; flow:to_server,established; content:"page="; pcre:"/page=(http|https|ftp)/i"; reference:nessus,11873; reference:bugtraq,8791; classtype:web-application-attack; sid:2307; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP gallery arbitrary command execution attempt"; flow:to_server,established; uricontent:"/setup/"; content:"GALLERY_BASEDIR="; pcre:"/GALLERY_BASEDIR=(http|https|ftp)/i"; reference:nessus,11876; reference:bugtraq,8814; classtype:web-application-attack; sid:2306; rev:2;)

     file -> netbios.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt big endian"; flow:to_server,established; content:"|05|"; distance:0; within:1; byte_test:1,<,16,3,relative; content:"|5c 00 5c 00|"; byte_test:4,>,256,-8,relative; flowbits:isset,dce.isystemactivator.bind; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2352; rev:1;)
     alert tcp $HOME_NET 135 -> $EXTERNAL_NET any (msg:"NETBIOS DCERPC ISystemActivator bind accept"; flow:from_server,established; content:"|05|"; distance:0; within:1; content:"|0c|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00 00|"; distance:33; within:2; flowbits:isset,dce.isystemactivator.bind.attempt; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; reference:cve,CAN-2003-0352; classtype:protocol-command-decode; sid:2350; rev:1;)
     alert tcp any any -> any 445 (msg:"NETBIOS DCE/RPC enumerate printers request attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:1; content:"|00|"; distance:1; within:1; byte_test:1,&,3,0,relative; content:"|00 00|"; distance:19; within:2; flowbits:isset,dce.printer.bind; classtype:attempted-recon; sid:2349; rev:1;)
     alert tcp any any -> any 445 (msg:"NETBIOS SMB DCERPC print spool bind attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00 50 00 49 00 50 00 45 00 5c 00 00 00 05 00 0b|"; distance:5; within:17; byte_test:1,&,16,1,relative; content:"|78 56 34 12 34 12 cd ab ef 00 01 23 45 67 89 ab|"; distance:29; within:16; flowbits:set,dce.printer.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2348; rev:1;)

  [+++]    Enabled and modified:   [+++]

     file -> smtp.rules
     old: #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP chameleon overflow"; flow:to_server,established,no_stream; content: "HELP "; nocase; depth:5; content:!"|0a|"; within:500; reference:bugtraq,2387; reference:arachnids,266; reference:cve,CAN-1999-0261; classtype:attempted-admin; sid:657; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP chameleon overflow"; flow:to_server,established; content:"HELP"; nocase; isdataat:500,relative; pcre:"/^HELP\s[^\n]{500}/ism"; reference:bugtraq,2387; reference:arachnids,266; reference:cve,CAN-1999-0261; classtype:attempted-admin; sid:657; rev:9;)
     old: #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3a|"; nocase; content:!"|0a|"; within:800; reference:cve,CAN-2001-0260; reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3a|"; nocase; isdataat:500,relative; pcre:"/^RCPT TO\s[^\n]{500}/ism"; reference:cve,CAN-2001-0260; reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:9;)
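Review bot: In the new sid:654 the `content:"rcpt to|3a|"` match requires the colon to follow `TO` directly, but the pcre `/^RCPT TO\s[^\n]{500}/ism` requires whitespace at that position, so the two can never be satisfied by the same command line. With the `m` flag the pcre can still be met by a different line in the same segment that reads `RCPT TO` followed by a space, which makes the rule fire on an unrelated pattern rather than the oversized `RCPT TO:` argument the msg describes. Restoring the colon in the pcre, `pcre:"/^RCPT TO\x3a[^\n]{500}/ism"`, keeps the isdataat check and matches what the old rule's `content:!"|0a|"; within:800` expressed. The sid:657 rewrite on L65 does not have this problem because its content is a bare `HELP`.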

  [///]       Modified active:     [///]

     file -> info.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP No Password"; content: "PASS"; nocase; offset:0; depth:4; content:"|0a|"; within:3; reference:arachnids,322; flow:from_client,established; classtype:unknown; sid:489; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP no password"; flow:from_client,established; content:"PASS"; nocase; pcre:"/^PASS\s*\n/smi"; reference:arachnids,322; classtype:unknown; sid:489; rev:7;)

     file -> pop3.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; content:!"|0a|"; within:50; reference:cve,CAN-1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; isdataat:50,relative; pcre:"/^PASS\s[^\n]{50}/smi"; reference:cve,CAN-1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; content:!"|0a|"; within:10; classtype:attempted-admin; sid:2110; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:10,relative; pcre:"/^STAT\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2110; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 XTND overflow attempt"; flow:to_server,established; content:"XTND"; nocase; content:!"|0a|"; within:50; classtype:attempted-admin; sid:1938; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 XTND overflow attempt"; flow:to_server,established; content:"XTND"; nocase; isdataat:50,relative; pcre:"/^XTND\s[^\n]{50}/smi"; classtype:attempted-admin; sid:1938; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; content:!"|0a|"; within:50; reference:bugtraq,789; reference:cve,CVE-1999-0494; reference:nessus,10311; classtype:attempted-admin; sid:1866; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; isdataat:50,relative; pcre:"/^USER\s[^\n]{50,}/smi"; reference:bugtraq,789; reference:cve,CVE-1999-0494; reference:nessus,10311; classtype:attempted-admin; sid:1866; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 RSET overflow attempt"; flow:to_server,established; content:"RSET"; nocase; content:!"|0a|"; within:10; classtype:attempted-admin; sid:2112; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 RSET overflow attempt"; flow:to_server,established; content:"RSET"; nocase; isdataat:10,relative; pcre:"/^RSET\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2112; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 CAPA overflow attempt"; flow:to_server,established; content:"CAPA"; nocase; content:!"|0a|"; within:10; classtype:attempted-admin; sid:2108; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 CAPA overflow attempt"; flow:to_server,established; content:"CAPA"; nocase; isdataat:10,relative; pcre:"/^CAPA\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2108; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; content:!"|0a|"; within:256; reference:cve,CAN-2000-0841; reference:bugtraq,1652; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^PASS\s[^\n]{256}/smi"; reference:cve,CAN-2000-0841; reference:bugtraq,1652; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE negative arguement attempt"; content:"DELE"; depth:4; nocase; content:"-"; distance:1; byte_test:1,>,0,0,relative,string; classtype:misc-attack; reference:bugtraq,7445; reference:bugtraq,6053; sid:2121; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE negative arguement attempt"; flow:to_server,established; content:"DELE"; nocase; pcre:"/^DELE\s+-\d/smi"; classtype:misc-attack; reference:bugtraq,7445; reference:bugtraq,6053; sid:2121; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; content:!"|0a|"; within:50; reference:bugtraq,948; reference:cve,CAN-2000-0096; classtype:attempted-admin; sid:1937; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; reference:bugtraq,948; reference:cve,CAN-2000-0096; classtype:attempted-admin; sid:1937; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; content:!"|0a|"; within:10; classtype:attempted-admin; sid:2111; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:10,relative; pcre:"/^DELE\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2111; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 AUTH overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; content:!"|0a|"; within:50; classtype:attempted-admin; sid:1936; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 AUTH overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; isdataat:50,relative; pcre:"/^AUTH\s[^\n]{50}/smi"; classtype:attempted-admin; sid:1936; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 TOP overflow attempt"; flow:to_server,established; content:"TOP"; nocase; content:!"|0a|"; within:10; classtype:attempted-admin; sid:2109; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 TOP overflow attempt"; flow:to_server,established; content:"TOP"; nocase; isdataat:10,relative; pcre:"/^TOP\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2109; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 UIDL negative arguement attempt"; content:"UIDL"; depth:4; nocase; content:"-"; distance:1; byte_test:1,>,0,0,relative,string; classtype:misc-attack; reference:bugtraq,6053; sid:2122; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 UIDL negative arguement attempt"; flow:to_server,established; content:"UIDL"; nocase; pcre:"/^UIDL\s+-\d/smi"; classtype:misc-attack; reference:bugtraq,6053; sid:2122; rev:4;)
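Review bot: The new sid:1635 (L89) anchors its pcre on `^PASS` although the rule is the APOP overflow check and its `content` is `APOP`, so the regex only succeeds when a long `PASS` line happens to share a segment with an `APOP` command, and a genuine oversized `APOP` argument is never alerted on; it should read `pcre:"/^APOP\s[^\n]{256}/smi"`. The new sid:1937 (L93) also quietly lowers the LIST threshold from the old `within:50` to `isdataat:10,relative` with `[^\n]{10}`, which is the value used for the short commands (STAT, RSET, CAPA, DELE, TOP) rather than the 50 used for USER/PASS/AUTH/XTND; if that drop is not intentional it will raise false positives on legitimate `LIST` arguments, and if it is intentional the revision bump alone does not record why. Minor: sid:1866 (L83) uses `{50,}` where every other rule in the section uses an exact `{N}`; both behave the same given the isdataat guard, but the exact form is the convention here.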

     file -> smtp.rules
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn root"; flow:to_server,established; content:"expn root"; nocase; reference:arachnids,31; classtype:attempted-recon; sid:660; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn root"; flow:to_server,established; content:"expn"; nocase; content:"root"; nocase; pcre:"/^expn\s+root/smi"; reference:arachnids,31; classtype:attempted-recon; sid:660; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn decode"; flow:to_server,established; content:"expn decode"; nocase; reference:arachnids,32; classtype:attempted-recon; sid:659; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn decode"; flow:to_server,established; content:"expn"; nocase; content:"decode"; nocase; pcre:"/^expn\s+decode/smi"; reference:arachnids,32; classtype:attempted-recon; sid:659; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ETRN overflow attempt"; flow:to_server,established; content:"ETRN "; offset:0; depth:5; content:!"|0A|"; within:500; reference:cve,CAN-2000-0490; classtype:attempted-admin; sid:1550; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ETRN overflow attempt"; flow:to_server,established; content:"ETRN"; isdataat:500,relative; pcre:"/^ETRN\s[^\n]{500}/smi"; reference:cve,CAN-2000-0490; classtype:attempted-admin; sid:1550; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn *@"; flow:to_server,established; content:"expn *@"; nocase; reference:cve,CAN-1999-1200; classtype:misc-attack; sid:1450; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn *@"; flow:to_server,established; content:"expn"; nocase; content:"*@"; pcre:"/^expn\s+\*@/smi"; reference:cve,CAN-1999-1200; classtype:misc-attack; sid:1450; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO decode attempt"; flow:to_server,established; content:"rcpt to|3a| decode"; nocase; reference:arachnids,121; reference:cve,CVE-1999-0203; classtype:attempted-admin; sid:664; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO decode attempt"; flow:to_server,established; content:"rcpt to|3a|"; content:"decode"; nocase; distance:0; pcre:"/^rcpt to\:\s+decode/smi"; reference:arachnids,121; reference:cve,CVE-1999-0203; classtype:attempted-admin; sid:664; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy root"; flow:to_server,established; content:"vrfy root"; nocase; classtype:attempted-recon; sid:1446; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; nocase; distance:1; pcre:"/^vrfy\s+root/smi"; classtype:attempted-recon; sid:1446; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy decode"; flow:to_server,established; content:"vrfy decode"; nocase; reference:arachnids,373; classtype:attempted-recon; sid:672; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy decode"; flow:to_server,established; content:"vrfy"; nocase; content:"decode"; nocase; distance:1; pcre:"/^vrfy\s+decode/smi"; reference:arachnids,373; classtype:attempted-recon; sid:672; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to sed command attempt"; flow:to_server,established; content:"rcpt to\:"; nocase; content:"\|"; distance:0; content:"sed "; distance:0; reference:bugtraq,1; reference:arachnids,172; reference:cve,CVE-1999-0095; classtype:attempted-admin; sid:663; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to command attempt"; flow:to_server,established; content:"rcpt to\:"; nocase; pcre:"/^rcpt\s+to\:\s+[|\x3b]/smi"; reference:bugtraq,1; reference:arachnids,172; reference:cve,CVE-1999-0095; classtype:attempted-admin; sid:663; rev:10;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow attempt"; flow:to_server,established; content:"HELO "; offset:0; depth:5; content:!"|0a|"; within:500; reference:bugtraq,895; reference:cve,CVE-2000-0042; reference:nessus,10324; reference:bugtraq,7726; reference:nessus,11674; classtype:attempted-admin; sid:1549; rev:11;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow attempt"; flow:to_server,established; content:"HELO"; isdataat:500,relative; pcre:"/^HELO\s[^\n]{500}/smi"; reference:bugtraq,895; reference:cve,CVE-2000-0042; reference:nessus,10324; reference:bugtraq,7726; reference:nessus,11674; classtype:attempted-admin; sid:1549; rev:13;)
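Review bot: The new sid:664 (L113) loses the `nocase` on its first content: modifiers bind to the preceding `content`, so `nocase` now applies only to `decode` and `rcpt to|3a|` has become a case-sensitive lowercase match. The common uppercase `RCPT TO:` form will therefore fail the fast-pattern match before the case-insensitive pcre is ever consulted, which is a detection regression relative to the old rule. The fix is to move the modifier back, `content:"rcpt to|3a|"; nocase; content:"decode"; nocase; distance:0;`. For consistency, sids 1550 and 1549 (L109, L121) still match `ETRN`/`HELO` case-sensitively while their pcres carry the `i` flag; that predates this change, but the same `nocase` treatment would make the content and pcre agree.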

     file -> policy.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous login attempt"; content:"USER"; nocase; content:" anonymous|0D0A|"; nocase; flow:to_server,established; classtype:misc-activity; sid:553; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous login attempt"; content:"USER"; nocase; pcre:"/^USER\s+(anonymous|ftp)/smi"; flow:to_server,established; classtype:misc-activity; sid:553; rev:6;)
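Review bot: The new sid:553 pcre `/^USER\s+(anonymous|ftp)/smi` has no terminator after the alternation, whereas the old rule anchored on `anonymous|0D0A|`; as written it also fires on any username that merely begins with `ftp` or `anonymous` (for example `USER ftpadmin`), which turns a policy rule into a noise source on hosts with such accounts. If the intent is only to add the `ftp` alias, anchoring to the end of the command line restores the old precision: `pcre:"/^USER\s+(anonymous|ftp)\s*\r?\n/smi"`. If the broader match is deliberate, the msg should say so since it is still labelled "anonymous login attempt".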

     file -> misc.rules
     old: alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"MISC BGP invalid type (0)"; flow:established; content:"|ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff|"; offset:0; depth:16; content:"|00|"; distance:2; within:1; classtype:bad-unknown; sid:2159; rev:3;)
     new: alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"MISC BGP invalid type (0)"; flow:established; content:"|ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff|"; offset:0; depth:16; content:"|00|"; distance:2; within:1; stateless; classtype:bad-unknown; sid:2159; rev:4;)
     old: alert tcp any any <> any 179 (msg:"MISC BGP invalid length"; content:"|ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff|"; byte_test:2,<,19,0,relative; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2158; rev:1;)
     new: alert tcp any any <> any 179 (msg:"MISC BGP invalid length"; content:"|ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff|"; byte_test:2,<,19,0,relative; stateless; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2158; rev:2;)
     old: alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"MISC Source Port 20 to <1024"; flags:S,12; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:3;)
     new: alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"MISC Source Port 20 to <1024"; flags:S,12; stateless; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP Location overflow"; content:"|0d|Location|3a|"; nocase; content:!"|0a|"; within:128; classtype:misc-attack; reference:cve,CAN-2001-0876; sid:1388; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP Location overflow"; content:"Location|3a|"; nocase; pcre:"/^Location\:[^\n]{128}/smi"; classtype:misc-attack; reference:cve,CAN-2001-0876; sid:1388; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"MISC Xtramail Username overflow attempt"; flow:to_server,established; dsize:>500; content:"Username\: "; nocase; reference:cve,CAN-1999-1511; reference:bugtraq,791; classtype:attempted-admin; sid:1636; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"MISC Xtramail Username overflow attempt"; flow:to_server,established; dsize:>500; content:"Username\:"; nocase; isdataat:100,relative; pcre:"/^Username\:[^\n]{100}/smi"; reference:cve,CAN-1999-1511; reference:bugtraq,791; classtype:attempted-admin; sid:1636; rev:5;)
     old: alert tcp $HOME_NET 7161 -> $EXTERNAL_NET any (msg:"MISC Cisco Catalyst Remote Access"; flags:SA,12; reference:arachnids,129; reference:cve,CVE-1999-0430; classtype:bad-unknown; sid:513; rev:4;)
     new: alert tcp $HOME_NET 7161 -> $EXTERNAL_NET any (msg:"MISC Cisco Catalyst Remote Access"; flags:SA,12; stateless; reference:arachnids,129; reference:cve,CVE-1999-0430; classtype:bad-unknown; sid:513; rev:5;)
     old: alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; flags:S,12; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:3;)
     new: alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; flags:S,12; stateless; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:4;)

     file -> imap.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate overflow attempt"; flow:established,to_server; content:" AUTHENTICATE "; nocase; content:!"|0a|"; within:100; reference:nessus,10292; reference:cve,CVE-1999-0042; classtype:misc-attack; sid:1844; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; reference:nessus,10292; reference:cve,CVE-1999-0042; classtype:misc-attack; sid:1844; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body buffer overflow attempt"; flow:to_server,established; content:" PARTIAL "; content:" BODY["; content:!"]"; within:1024; reference:bugtraq,4713; reference:cve,CAN-2002-0379; classtype:misc-attack; sid:1755; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY["; nocase; distance:0; pcre:"/\sPARTIAL.*BODY\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,CAN-2002-0379; classtype:misc-attack; sid:1755; rev:11;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP rename overflow attempt"; flow:established,to_server; content:" RENAME "; nocase; content:!"|0a|"; within:1024; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1903; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP rename overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/smi"; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1903; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create buffer overflow attempt"; flow:to_server,established; content:" CREATE "; content:!"|0a|"; within:1024; reference:bugtraq,7446; classtype:misc-attack; sid:2107; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create buffer overflow attempt"; flow:to_server,established; content:"CREATE"; isdataat:1024,relative; pcre:"/\sCREATE\s[^\n]{1024}/smi"; reference:bugtraq,7446; classtype:misc-attack; sid:2107; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP find overflow attempt"; flow:established,to_server; content:" FIND "; nocase; content:!"|0a|"; within:1024; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1904; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP find overflow attempt"; flow:established,to_server; content:"FIND"; nocase; isdataat:100,relative; pcre:"/\sFIND\s[^\n]{100}/smi"; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1904; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list overflow attempt"; flow:established,to_server; content:" LIST "; nocase; content:!"|0a|"; within:100; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:2118; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list overflow attempt"; flow:established,to_server; content:"LIST"; nocase; isdataat:100,relative; pcre:"/\sLIST\s[^\n]{100}/smi"; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:2118; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login buffer overflow attempt"; flow:established,to_server; content:" LOGIN "; content:!"|0a|"; within:100; reference:nessus,10125; reference:cve,CVE-1999-0005; classtype:attempted-user; sid:1842; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/smi"; reference:nessus,10125; reference:cve,CVE-1999-0005; classtype:attempted-user; sid:1842; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub overflow attempt"; content:" LSUB "; content:!"|0a|"; within:100; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:2106; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub overflow attempt"; content:"LSUB"; isdataat:100,relative; pcre:"/\sLSUB\s[^\n]{100}/smi"; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:2106; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:" PARTIAL "; content:" BODY.PEEK["; content:!"]"; within:1024; reference:bugtraq,4713; reference:cve,CAN-2002-0379; classtype:misc-attack; sid:2046; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY.PEEK["; nocase; distance:0; pcre:"/\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,CAN-2002-0379; classtype:misc-attack; sid:2046; rev:3;)

     file -> ftp.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE overflow attempt"; flow:to_server,established; content:"SITE "; nocase; content:!"|0a|"; within:100; reference:cve,CAN-2001-0755; reference:cve,CAN-2001-0770; reference:cve,CVE-1999-0838; classtype:attempted-admin; sid:1529; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE overflow attempt"; flow:to_server,established; content:"SITE"; nocase; isdataat:100,relative; pcre:"/^SITE\s[^\n]{100}/smi"; reference:cve,CAN-2001-0755; reference:cve,CAN-2001-0770; reference:cve,CVE-1999-0838; classtype:attempted-admin; sid:1529; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE ZIPCHK attempt"; flow:to_server,established; content:"SITE "; nocase; content:" ZIPCHK "; nocase; content:!"|0a|"; within:100; reference:cve,CVE-2000-0040; classtype:attempted-admin; sid:1921; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE ZIPCHK overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"ZIPCHK"; nocase; distance:1; isdataat:100,relative; pcre:"/^SITE\s+ZIPCHK\s[^\n]{100}/smi"; reference:cve,CVE-2000-0040; classtype:attempted-admin; sid:1921; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP DELE overflow attempt";flow:to_server,established; content:"DELE "; nocase; content:!"|0a|"; within:100; reference:cve,CAN-2001-0826; classtype:attempted-admin; sid:1975; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP DELE overflow attempt";flow:to_server,established; content:"DELE"; nocase; isdataat:100,relative; pcre:"/^DELE\s[^\n]{100}/smi"; reference:cve,CAN-2001-0826; classtype:attempted-admin; sid:1975; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE NEWER overflow attempt"; flow:to_server,established; content:"SITE "; nocase; content:" NEWER "; nocase; content:!"|0a|"; within:100; reference:cve,CVE-1999-0800; classtype:attempted-admin; sid:1920; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE NEWER overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; nocase; distance:0; isdataat:100,relative; pcre:"/^SITE\s+NEWER\s[^\n]{100}/smi"; reference:cve,CVE-1999-0800; classtype:attempted-admin; sid:1920; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP REST overflow attempt";flow:to_server,established; content:"REST "; nocase; content:!"|0a|"; within:100; reference:cve,CAN-2001-0826; classtype:attempted-admin; sid:1974; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP REST overflow attempt";flow:to_server,established; content:"REST"; nocase; isdataat:100,relative; pcre:"/^REST\s[^\n]{100}/smi"; reference:cve,CAN-2001-0826; classtype:attempted-admin; sid:1974; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow attempt"; flow:to_server,established,no_stream;  content:"USER "; nocase; content:!"|0a|"; within:100; reference:bugtraq,4638; reference:cve,CAN-2000-0479; reference:cve,CAN-2000-0656; reference:cve,CAN-2000-1035; reference:cve,CAN-2000-1194; reference:cve,CAN-2001-0794; reference:cve,CAN-2001-0826; reference:cve,CAN-2002-0126; reference:cve,CVE-2000-0943; classtype:attempted-admin; sid:1734; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow attempt"; flow:to_server,established,no_stream;  content:"USER"; nocase; isdataat:100,relative; pcre:"/^USER\s[^\n]{100}/smi"; reference:bugtraq,4638; reference:cve,CAN-2000-0479; reference:cve,CAN-2000-0656; reference:cve,CAN-2000-1035; reference:cve,CAN-2000-1194; reference:cve,CAN-2001-0794; reference:cve,CAN-2001-0826; reference:cve,CAN-2002-0126; reference:cve,CVE-2000-0943; classtype:attempted-admin; sid:1734; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CPWD overflow attempt"; flow:established,to_server; content:"SITE "; nocase; content:" CPWD "; nocase; content:!"|0a|"; within:100; reference:bugtraq,5427; reference:cve,CAN-2002-0826; classtype:misc-attack; sid:1888; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CPWD overflow attempt"; flow:established,to_server; content:"SITE"; nocase; content:"CPWD"; nocase; distance:0; isdataat:100,relative; pcre:"/^SITE\s+CPWD\s[^\n]{100}/smi"; reference:bugtraq,5427; reference:cve,CAN-2002-0826; classtype:misc-attack; sid:1888; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~root attempt"; content:"CWD "; content:" ~root"; nocase; flow:to_server,established; reference:cve,CVE-1999-0082; reference:arachnids,318; classtype:bad-unknown; sid:336;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; nocase; distance:1; pcre:"/^CWD\s+~root/smi"; reference:cve,CVE-1999-0082; reference:arachnids,318; classtype:bad-unknown; sid:336; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKD overflow attempt";flow:to_server,established; content:"MKD "; nocase; content:!"|0a|"; within:100; reference:cve,CAN-1999-0911; reference:bugtraq,612; classtype:attempted-admin; sid:1973; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKD overflow attempt";flow:to_server,established; content:"MKD"; nocase; isdataat:100,relative; pcre:"/^MKD\s[^\n]{100}/smi"; reference:cve,CAN-1999-0911; reference:bugtraq,612; classtype:attempted-admin; sid:1973; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~<NEWLINE> attempt"; content:"CWD "; content:" ~|0A|"; flow:to_server,established; reference:cve,CAN-2001-0421; reference:bugtraq,2601; classtype:denial-of-service; sid:1672;  rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~ attempt"; flow:to_server,established; content:"CWD"; pcre:"/^CWD\s+~/smi"; reference:cve,CAN-2001-0421; reference:bugtraq,2601; classtype:denial-of-service; sid:1672; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER w0rm|0D0A|"; reference:arachnids,01; sid:144; classtype:suspicious-login;  rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; nocase; distance:1; pcre:"/^USER\s+w0rm/smi"; reference:arachnids,01; sid:144; classtype:suspicious-login; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMD overflow attempt"; flow:to_server,established;  content:"RMD "; nocase; content:!"|0a|"; within:100;reference:cve,CAN-2001-0826; classtype:attempted-admin; sid:1976; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMD overflow attempt"; flow:to_server,established;  content:"RMD"; nocase; isdataat:100,relative; pcre:"/^RMD\s[^\n]{100}/smi"; reference:cve,CAN-2001-0826; classtype:attempted-admin; sid:1976; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CHOWN overflow attempt"; flow:to_server,established; content:"SITE "; nocase; content:" CHOWN "; nocase; content:!"|0a|"; within:100; reference:cve,CAN-2001-0065; classtype:attempted-admin; sid:1562; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CHOWN overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHOWN"; nocase; distance:0; isdataat:100,relative; pcre:"/^SITE\s+CHOWN\s[^\n]{100}/smi"; reference:cve,CAN-2001-0065; classtype:attempted-admin; sid:1562; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP invalid MODE"; flow:to_server,established; content:"MODE "; nocase; content:!" B"; nocase; content:!" A"; nocase; content:!" S"; nocase; content:!" C"; nocase; classtype:protocol-command-decode; sid:1623; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP invalid MODE"; flow:to_server,established; content:"MODE"; nocase; pcre:"/^MODE\s+[^ABSC]{1}/msi"; classtype:protocol-command-decode; sid:1623; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CMD overflow attempt"; flow:to_server,established; content:"CMD "; nocase; content:!"|0a|"; within:100; classtype:attempted-admin; sid:1621; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CMD overflow attempt"; flow:to_server,established; content:"CMD"; nocase; isdataat:100,relative; pcre:"/^CMD\s[^\n]{100}/smi"; classtype:attempted-admin; sid:1621; rev:10;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE NEWER attempt"; flow:to_server,established; content:"SITE "; nocase; content:" NEWER "; nocase; reference:cve,CVE-1999-0880; reference:nessus,10319; classtype:attempted-dos; sid:1864; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE NEWER attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; nocase; distance:1; pcre:"/^SITE\s+NEWER/smi"; reference:cve,CVE-1999-0880; reference:nessus,10319; classtype:attempted-dos; sid:1864; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD overflow attempt"; flow:to_server,established; content:"CWD "; nocase; content:!"|0a|"; within:100; reference:cve,CAN-2000-1035; reference:cve,CAN-2000-1194; reference:cve,CAN-2002-0126; classtype:attempted-admin; sid:1919; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD overflow attempt"; flow:to_server,established; content:"CWD"; nocase; isdataat:100,relative; pcre:"/^CWD\s[^\n]{100}/smi"; reference:cve,CAN-2000-1035; reference:cve,CAN-2000-1194; reference:cve,CAN-2002-0126; classtype:attempted-admin; sid:1919; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP site exec"; flow:to_server,established; content:"SITE "; nocase; content:"EXEC "; distance:0; nocase; reference:bugtraq,2241; reference:arachnids,317; classtype:bad-unknown; sid:361;  rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC/smi"; reference:bugtraq,2241; reference:arachnids,317; classtype:bad-unknown; sid:361; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMDIR overflow attempt"; flow:to_server,established;  content:"RMDIR "; nocase; content:!"|0a|"; within:100; classtype:attempted-admin; sid:1942; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMDIR overflow attempt"; flow:to_server,established;  content:"RMDIR"; nocase; isdataat:100,relative; pcre:"/^RMDIR\s[^\n]{100}/smi"; classtype:attempted-admin; sid:1942; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STAT overflow attempt"; flow:to_server,established; content:"STAT "; nocase; content:!"|0a|"; within:100; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:1379; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:100,relative; pcre:"/^STAT\s[^\n]{100}/smi"; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:1379; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CEL overflow attempt";flow:to_server,established; content:"CEL "; nocase; content:!"|0a|"; within:100; reference:bugtraq,679; reference:cve,CVE-1999-0789; reference:arachnids,257; classtype:attempted-admin; sid:337; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CEL overflow attempt";flow:to_server,established; content:"CEL"; nocase; isdataat:100,relative; pcre:"/^CEL\s[^\n]{100}/smi"; reference:bugtraq,679; reference:cve,CVE-1999-0789; reference:arachnids,257; classtype:attempted-admin; sid:337; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS overflow attempt"; flow:to_server,established,no_stream;  content:"PASS "; nocase; content:!"|0a|"; within:100; reference:cve,CAN-2000-1035; reference:cve,CAN-2002-0126; classtype:attempted-admin; sid:1972; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS overflow attempt"; flow:to_server,established,no_stream;  content:"PASS"; nocase; isdataat:100,relative; pcre:"/^PASS\s[^\n]{100}/smi"; reference:cve,CAN-2000-1035; reference:cve,CAN-2002-0126; classtype:attempted-admin; sid:1972; rev:3;)
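Review bot: The rewritten sid 1672 (the `FTP CWD ~ attempt` pair) loses the specificity of the revision it replaces: the old rule required `~` to be immediately followed by a newline, i.e. the bare `CWD ~` that CAN-2001-0421 describes, whereas `pcre:"/^CWD\s+~/smi"` fires on every tilde path, including ordinary `CWD ~user` navigation and everything sid 336 already covers. Restoring the line-end constraint, e.g. `pcre:"/^CWD\s+~\r?\n/smi"`, keeps the rule specific to the denial-of-service case; if the broadening is intentional, the message and rev note should say so. A smaller consistency point across the two-word commands in this file: sids 1921, 336, 144 and 1864 use `distance:1` while sids 1920, 1888 and 1562 use `distance:0` for the same `SITE <verb>` shape; the PCRE enforces the whitespace either way, so one value for all of them would make the template easier to maintain.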

     file -> exploit.rules
     old: alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"EXPLOIT SSH server banner overflow"; flow:established,from_server; content:"SSH-"; offset:0; depth:4; content:!"|0a|"; within:600; reference:bugtraq,5287; classtype:misc-attack; sid:1838; rev:4;)
     new: alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"EXPLOIT SSH server banner overflow"; flow:established,from_server; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s[^\n]{200}/ism"; reference:bugtraq,5287; classtype:misc-attack; sid:1838; rev:6;)
     old: alert tcp any any -> any 6666:7000 (msg:"EXPLOIT CHAT IRC Ettercap parse overflow attempt"; flow:to_server,established; content:"PRIVMSG nickserv IDENTIFY"; nocase; offset:0; content:!"|0a|"; within:150; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:7;)
     new: alert tcp any any -> any 6666:7000 (msg:"EXPLOIT CHAT IRC Ettercap parse overflow attempt"; flow:to_server,established; content:"PRIVMSG"; nocase; content:"nickserv"; nocase; content:"IDENTIFY"; nocase; isdataat:100,relative; pcre:"/^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi"; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT sniffit overflow"; flags: A+; content:"from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; dsize: >512; reference:bugtraq,1158; reference:cve,CAN-2000-0343; reference:arachnids,273; classtype:attempted-admin; sid:309; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT sniffit overflow"; stateless; flags: A+; content:"from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; dsize: >512; reference:bugtraq,1158; reference:cve,CAN-2000-0343; reference:arachnids,273; classtype:attempted-admin; sid:309; rev:4;)
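Review bot: The `\s` in sid 1838's new `pcre:"/^SSH-\s[^\n]{200}/ism"` looks like a leftover from the `COMMAND\s` template used for the FTP and IMAP rewrites: an SSH identification string has the form `SSH-<protoversion>-<softwareversion>` with no whitespace after the dash, so a standard long banner would never satisfy the regex and the rule would stop firing. Dropping the whitespace class, `pcre:"/^SSH-[^\n]{200}/ism"`, keeps the 200-byte threshold this revision introduces while matching the actual banner format. The `nocase` on `content:"SSH-"` is harmless, but the regex is the part that decides whether the rule can match at all.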

     file -> pop2.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD overflow attempt"; flow:to_server,established; content:"FOLD "; content:!"|0A|"; within:256; reference:bugtraq,283; reference:cve,CVE-1999-0920; classtype:attempted-admin; sid:1934; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD overflow attempt"; flow:to_server,established; content:"FOLD"; nocase; isdataat:256,relative; pcre:"/^FOLD\s[^\n]{256}/smi"; reference:bugtraq,283; reference:cve,CVE-1999-0920; classtype:attempted-admin; sid:1934; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD arbitrary file attempt"; flow:to_server,established; content:"FOLD /"; classtype:misc-attack; sid:1935; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD arbitrary file attempt"; flow:to_server,established; content:"FOLD"; nocase; pcre:"/^FOLD\s+\//smi"; classtype:misc-attack; sid:1935; rev:4;)

     file -> netbios.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; flowbits:set,dce.isystemactivator.bind.attempt; flowbits:noalert; reference:cve,CAN-2003-0352; classtype:protocol-command-decode; sid:2192; rev:2;)
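Review bot: With `flowbits:noalert` added, sid 2192 no longer produces an event on its own, so the CAN-2003-0352 bind attempt only becomes visible if a companion rule tests `flowbits:isset,dce.isystemactivator.bind.attempt`; no such rule appears in this digest, so the dependency deserves a comment in netbios.rules beside the rule, e.g. `# flowbit setter only (noalert) - pairs with the rules that check dce.isystemactivator.bind.attempt`. Anyone who relied on sid 2192 alerts for DCOM bind detection should confirm the consumer rule is present and enabled before deploying rev 2. The classtype change to protocol-command-decode is consistent with the rule becoming a setter, but the old classtype and the surviving CVE reference make the silent behaviour easy to miss without that comment.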

     file -> nntp.rules
     old: alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"NNTP return code buffer overflow attempt"; flow:to_server,established,no_stream; content:"200 "; offset:0; depth:4; content:!"|0a|"; within:64; reference:bugtraq,4900; reference:cve,CAN-2002-0909; classtype:protocol-command-decode; sid:1792; rev:5;)
     new: alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"NNTP return code buffer overflow attempt"; flow:to_server,established,no_stream; content:"200"; isdataat:64,relative; pcre:"/^200\s[^\n]{64}/smi"; reference:bugtraq,4900; reference:cve,CAN-2002-0909; classtype:protocol-command-decode; sid:1792; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP AUTHINFO USER overflow attempt"; flow:to_server,established; content:"AUTHINFO USER "; nocase; depth:14; content:!"|0a|"; within:500; reference:cve,CAN-2000-0341; reference:arachnids,274; classtype:attempted-admin; sid:1538; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP AUTHINFO USER overflow attempt"; flow:to_server,established; content:"AUTHINFO"; nocase; content:"USER"; nocase; distance:0; isdataat:200,relative; pcre:"/^AUTHINFO\s+USER\s[^\n]{200}/smi"; reference:cve,CAN-2000-0341; reference:arachnids,274; classtype:attempted-admin; sid:1538; rev:8;)
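Review bot: sid 1792 keeps `flow:to_server,established,no_stream` on a rule whose header is `$EXTERNAL_NET 119 -> $HOME_NET any`, i.e. traffic sent by the NNTP server; the `200` greeting it inspects travels from server to client, so with `to_server` the rule cannot match the direction its own header describes and is effectively dead. The direction should be `flow:from_server,established,no_stream`, as the SSH banner rule in exploit.rules already does for its server-to-client case. The same mismatch was present in rev 5, so this is a pre-existing defect the rewrite could have fixed rather than a regression it introduced; the companion sid 1538 rewrite looks correct.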

[*] Non-rule changes: [*]

  [+++]       Added lines:       [+++]

    -> File "ftp.rules":
       # dup of 1672
       # dup of 1229
    -> File "policy.rules":
       # dup of 553
    -> File "gen-msg.map":
       119 || 1 || http_inspect: ASCII ENCODING
       119 || 2 || http_inspect: DOUBLE DECODING ATTACK
       119 || 3 || http_inspect: U ENCODING
       119 || 4 || http_inspect: BARE BYTE UNICODE ENCODING
       119 || 5 || http_inspect: BASE36 ENCODING
       119 || 6 || http_inspect: UTF-8 ENCODING
       119 || 7 || http_inspect: IIS UNICODE CODEPOINT ENCODING
       119 || 8 || http_inspect: MULTI_SLASH ENCODING
       119 || 9 || http_inspect: IIS BACKSLASH EVASION
       119 || 10 || http_inspect: SELF DIRECTORY TRAVERSAL
       119 || 11 || http_inspect: DIRECTORY TRAVERSAL
       119 || 12 || http_inspect: APACHE WHITESPACE (TAB)
       119 || 13 || http_inspect: NON-RFC HTTP DELIMITER
       119 || 14 || http_inspect: NON-RFC DEFINED CHAR
       119 || 15 || http_inspect: OVERSIZE REQUEST-URI DIRECTORY
       119 || 16 || http_inspect: OVERSIZE CHUNK ENCODING
       119 || 17 || http_inspect: UNAUTHORIZED PROXY USE DETECTED
       120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT
       121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded
       121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded
       121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded
       121 || 4 || flow-portscan: Sliding Scale Talker Limit Exceeded
    -> File "bad-traffic.rules":
       # linux happens.  Blah
    -> File "snort.conf":
       #   http://www.snort.org     Snort 2.1.0 Ruleset
       # You can take the following steps to create your own custom configuration:
       # You must change the following variables to reflect your local network. The
       # variable is currently setup for an RFC 1918 address space.
       # or use global variable $<interfacename>_ADDRESS which will be always
       # initialized to IP address and netmask of the network interface which you run
       # snort at.  Under Windows, this must be specified as
       # $(<interfacename>_ADDRESS), such as:
       # Set up the external network addresses as well.  A good start may be "any"
       # Configure your server lists.  This allows snort to only look for attacks to
       # systems that have a service up.  Why look for HTTP attacks if you are not
       # running a web server?  This allows quick filtering based on IP addresses
       # List of snmp servers on your network
       var SNMP_SERVERS $HOME_NET
       # Configure your service ports.  This allows snort to look for attacks destined
       # to a specific application only on the ports that application runs on.  For
       # example, if you run a web server on port 8081, set your HTTP_PORTS variable
       # Please note:  [80,8080] does not work.
       # If you wish to define multiple HTTP ports,
       ## var HTTP_PORTS 80 
       ## include somefile.rules 
       ## var HTTP_PORTS 8080
       ## include somefile.rules 
       # AIM servers.  AOL has a habit of adding new AIM servers, so instead of
       # modifying the signatures when they do, we add them to this list of servers.
       # Configure the snort decoder
       # Snort's decoder will alert on lots of things such as header
       # truncation or options of unusual length or infrequently used tcp options
       # In snort 2.0.1 and above, this only alerts when the a TCP option is detected
       # that shows T/TCP being actively used on the network.  If this is normal
       # behavior for your network, disable the next option.
       # config disable_tcpopt_ttcp_alerts
       # Use a different pattern matcher in case you have a machine with very limited
       # resources:
       # Configure Flow tracking module
       # The Flow tracking module is meant to start unifying the state keeping
       # mechanisms of snort into a single place. Right now, only a portscan detector
       # is implemented but in the long term,  many of the stateful subsystems of
       # snort will be migrated over to becoming flow plugins. This must be enabled
       # for flow-portscan to work correctly.
       # See README.flow for additional information
       preprocessor flow: stats_interval 0 hash 2
       # arguments loads the default configuration of the preprocessor, which is a 60
       # second timeout and a 4MB fragment buffer. 
       #    timeout [seconds] - sets the number of [seconds] that an unfinished 
       # Use in concert with the -z [all|est] command line switch to defeat stick/snot
       # against TCP rules.  Also performs full TCP stream reassembly, stateful
       # inspection of TCP streams, etc.  Can statefully detect various portscan
       # types, fingerprinting, ECN, etc.
       preprocessor stream4: disable_evasion_alerts
       # http_inspect: normalize and detect HTTP traffic and protocol anomalies
       # lots of options available here. See doc/README.http_inspect.
       # unicode.map should be wherever your snort.conf lives, or given
       # a full path to where snort can find it.
       preprocessor http_inspect: global \
           iis_unicode_map unicode.map 1252
       preprocessor http_inspect_server: server default \
           profile all \
           ports { 80 8080 }
       #  Example unqiue server configuration
       #preprocessor http_inspect_server: server 1.1.1.1 \
       #    ports { 80 3128 8080 } \
       #    flow_depth 0 \
       #    ascii no \
       #    double_decode yes \
       #    non_rfc_char { 0x00 } \
       #    chunk_length 500000 \
       #    non_strict \
       #    no_alerts
       # RPC may be sent in alternate encodings besides the usual 4-byte encoding
       # that is used by default. This plugin takes the port numbers that RPC
       # services are running on as arguments - it is assumed that the given ports
       # are actually running this type of service. If not, change the ports or turn
       # it off.
       # This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
       # traffic.  It works in much the same way as the http_decode preprocessor,
       # searching for traffic that breaks up the normal data stream of a protocol and
       # replacing it with a normalized representation of that traffic so that the
       # "content" pattern matching keyword can work without requiring modifications.
       # Flow-Portscan: detect a variety of portscans
       # Note:  The Flow preprocessor (above) must first be enabled for Flow-Portscan to
       # work.
       # This module detects portscans based off of flow creation in the flow
       # preprocessors.  The goal is to catch catch one->many hosts and one->many
       # ports scans.
       # Flow-Portscan has numerous options available, please read
       # README.flow-portscan for help configuring this option. 
       # Flow-Portscan uses Generator ID 121 and uses the following SIDS for that GID:
       #   1       flow-portscan: Fixed Scale Scanner Limit Exceeded
       #   2       flow-portscan: Sliding Scale Scanner Limit Exceeded 
       #   3       flow-portscan: Fixed Scale Talker Limit Exceeded
       #   4	    flow-portscan: Sliding Scale Talker Limit Exceeded
       # preprocessor flow-portscan: \
       #	talker-sliding-scale-factor 0.50 \
       #	talker-fixed-threshold 30 \
       #	talker-sliding-threshold 30 \
       #	talker-sliding-window 20 \
       #	talker-fixed-window 30 \
       #	scoreboard-rows-talker 30000 \
       #	server-watchnet [10.2.0.0/30] \
       #	server-ignore-limit 200 \
       #	server-rows 65535 \
       #	server-learning-time 14400 \
       #	server-scanner-limit 4 \
       #	scanner-sliding-window 20 \
       #	scanner-sliding-scale-factor 0.50 \
       #	scanner-fixed-threshold 15 \
       #	scanner-sliding-threshold 40 \
       #	scanner-fixed-window 15 \
       #	scoreboard-rows-scanner 30000 \
       #	src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
       #	dst-ignore-net [10.0.0.0/30] \
       #	alert-mode once \
       #	output-mode msg \
       #	tcp-penalties on
       # Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
       # unicast ARP requests, and specific ARP mapping monitoring.  To make use of
       # this preprocessor you must specify the IP and hardware address of hosts on
       # the same layer 2 segment as you.  Specify one host IP MAC combo per line.
       # Performance Statistics
       # ----------------------
       # Documentation for this is provided in the Snort Manual.  You should read it.
       # It is included in the release distribution as doc/snort_manual.pdf
       # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
       # Uncomment and configure the output plugins you decide to use.  General
       # configuration for output plugins is of the form:
       # Use one or more syslog facilities as arguments.  Win32 can also optionally
       # specify a particular hostname/port.  Under Win32, the default hostname is
       # '127.0.0.1', and the default port is 514.
       # output database: log, odbc, user=snort dbname=snort
       # output database: log, oracle, dbname=snort user=snort password=test
       # The unified output plugin provides two new formats for logging and generating
       # alerts from Snort, the "unified" format.  The unified format is a straight
       # binary format for logging data out of Snort that is designed to be fast and
       # efficient.  Used with barnyard (the new alert/log processor), most of the
       # overhead for logging and alerting to various slow storage mechanisms such as
       # databases or the network can now be avoided.  
       # You can optionally define new rule types and associate one or more output
       # plugins specifically to that type.
       # This example will create a rule type that will log to syslog and a mysql
       # database:
       # EXAMPLE RULE FOR REDALERT RULETYPE:
       # The snort web site has documentation about how to write your own custom snort
       # rules.
       # The rules included with this distribution generate alerts based on on
       # suspicious activity. Depending on your network environment, your security
       # policies, and what you consider to be suspicious, some of these rules may
       # either generate false positives ore may be detecting activity you consider to
       # be acceptable; therefore, you are encouraged to comment out rules that are
       # not applicable in your environment.
       # The following individuals contributed many of rules in this distribution.
       # The following rulesets are disabled by default:
       #   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
       #   chat, multimedia, and p2p
       #            
       # These rules are either site policy specific or require tuning in order to not
       # generate false positive alerts in most enviornments.
       # Please read the specific include file for more information and
       # README.alert_order for how rule ordering affects how alerts are triggered.
       # Include any thresholding or suppression commands. See threshold.conf in the
       # <snort src>/etc directory for details. Commands don't necessarily need to be
       # contained in this conf, but a separate conf makes it easier to maintain them. 
       # Uncomment if needed.
       # include threshold.conf
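Review bot: The new default `preprocessor stream4: disable_evasion_alerts` drops the `detect_scans` option the removed revision carried, and the flow-portscan block meant to take over that role is shipped commented out (`# preprocessor flow-portscan: \` and the options under it), so a site that adopts this snort.conf as-is appears to end up with no portscan detection at all even though `preprocessor flow: stats_interval 0 hash 2` is now enabled for it. A comment beside the stream4 line, e.g. `# detect_scans removed - enable flow-portscan below for portscan detection`, would make that trade-off explicit to anyone upgrading from 2.0. Only the added and removed lines are visible here, so this may be addressed in a part of the file the digest does not show.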

  [---]      Removed lines:      [---]
    -> File "snort.conf":
       #   http://www.snort.org     Snort 2.0.0 Ruleset
       # You can take the following steps to create your 
       # own custom configuration:
       # You must change the following variables to reflect
       # your local network. The variable is currently 
       # setup for an RFC 1918 address space.
       # or use global variable $<interfacename>_ADDRESS 
       # which will be always initialized to IP address and 
       # netmask of the network interface which you run
       # snort at.  Under Windows, this must be specified
       # as $(<interfacename>_ADDRESS), such as:
       # Set up the external network addresses as well.  
       # A good start may be "any"
       # Configure your server lists.  This allows snort to only look for attacks
       # to systems that have a service up.  Why look for HTTP attacks if you are
       # not running a web server?  This allows quick filtering based on IP addresses
       # Configure your service ports.  This allows snort to look for attacks 
       # destined to a specific application only on the ports that application
       # runs on.  For example, if you run a web server on port 8081, set your
       # HTTP_PORTS variable like this:
       # AIM servers.  AOL has a habit of adding new AIM servers, so instead of 
       # modifying the signatures when they do, we add them to this list of 
       # servers.
       # Configure the snort decoder:
       # config disable_ttcp_alerts
       # Use a different pattern matcher in case you have a machine with very
       # limited resources:
       # arguments loads the default configuration of the preprocessor, which is a 
       # 60 second timeout and a 4MB fragment buffer. 
       #    timeout [seconds] - sets the number of [seconds] than an unfinished 
       # Use in concert with the -z [all|est] command line switch to defeat 
       # stick/snot against TCP rules.  Also performs full TCP stream 
       # reassembly, stateful inspection of TCP streams, etc.  Can statefully
       # detect various portscan types, fingerprinting, ECN, etc.
       preprocessor stream4: detect_scans, disable_evasion_alerts
       # http_decode: normalize HTTP requests
       # ------------------------------------
       # http_decode normalizes HTTP requests from remote 
       # machines by converting any %XX character 
       # substitutions to their ASCII equivalent. This is
       # very useful for doing things like defeating hostile
       # attackers trying to stealth themselves from IDSs by
       # mixing these substitutions in with the request. 
       # Specify the port numbers you want it to analyze as arguments.
       # Major code cleanups thanks to rfp
       # unicode          - normalize unicode
       # iis_alt_unicode  - %u encoding from iis 
       # double_encode    - alert on possible double encodings
       # iis_flip_slash   - normalize \ as /
       # full_whitespace  - treat \t as whitespace ( for apache )
       #   1       UNICODE attack
       #   2       NULL byte attack
       preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
       # RPC may be sent in alternate encodings besides the usual
       # 4-byte encoding that is used by default.  This preprocessor
       # normalized RPC traffic in much the same way as the http_decode
       # preprocessor.  This plugin takes the ports numbers that RPC 
       # services are running on as arguments.
       # This preprocessor "normalizes" telnet negotiation strings from
       # telnet and ftp traffic.  It works in much the same way as the 
       # http_decode preprocessor, searching for traffic that breaks up
       # the normal data stream of a protocol and replacing it with 
       # a normalized representation of that traffic so that the "content"
       # pattern matching keyword can work without requiring modifications.
       # Portscan: detect a variety of portscans
       # portscan preprocessor by Patrick Mullen <p_mullen at ...849...>
       # This preprocessor detects UDP packets or TCP SYN packets going to
       # four different ports in less than three seconds. "Stealth" TCP
       # packets are always detected, regardless of these settings.
       # Portscan uses Generator ID 100 and uses the following SIDS for that GID:
       #   1       Portscan detect
       #   2       Inter-scan info
       #   3       Portscan End
       # preprocessor portscan: $HOME_NET 4 3 portscan.log
       # Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
       # specific networks or hosts to reduce false alerts. It is typical
       # to see many false alerts from DNS servers so you may want to
       # add your DNS servers here. You can all multiple hosts/networks
       # in a whitespace-delimited list.
       #preprocessor portscan-ignorehosts: 0.0.0.0
       # Experimental ARP detection code from Jeff Nathan, detects ARP attacks, 
       # unicast ARP requests, and specific ARP mapping monitoring.  To make use
       # of this preprocessor you must specify the IP and hardware address of hosts on # the same layer 2 segment as you.  Specify one host IP MAC combo per line.
       # Conversation
       #------------------------------------------
       # This preprocessor tracks conversations for tcp, udp and icmp traffic.  It
       # is a prerequisite for running portscan2.
       # allowed_ip_protcols 1 6 17
       #      list of allowed ip protcols ( defaults to any )
       # timeout [num]
       #      conversation timeout ( defaults to 60 )
       # max_conversations [num] 
       #      number of conversations to support at once (defaults to 65335)
       # alert_odd_protocols
       #      alert on protocols not listed in allowed_ip_protocols
       # preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
       # Portscan2
       #-------------------------------------------
       # Portscan 2, detect portscans in a new and exciting way.  You must enable
       # spp_conversation in order to use this preprocessor.
       # Available options:
       #       scanners_max [num] 
       #       targets_max [num]
       #       target_limit [num]
       #       port_limit [num]
       #       timeout [num]
       #       log [logdir]
       #preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60
       # Too many false alerts from portscan2? Tone it down with
       # portscan2-ignorehosts!
       # A space delimited list of addresses in CIDR notation to ignore
       # preprocessor portscan2-ignorehosts: 10.0.0.0/8 192.168.24.0/24
       # Experimental Perf stats
       # -----------------------
       # No docs. Highly subject to change.
       # preprocessor perfmonitor: console flow events time 10
       # Uncomment and configure the output plugins you decide to use.
       # General configuration for output plugins is of the form:
       # Use one or more syslog facilities as arguments.  Win32 can also
       # optionally specify a particular hostname/port.  Under Win32, the
       # default hostname is '127.0.0.1', and the default port is 514.
       # output database: log, unixodbc, user=snort dbname=snort
       # The unified output plugin provides two new formats for logging
       # and generating alerts from Snort, the "unified" format.  The
       # unified format is a straight binary format for logging data 
       # out of Snort that is designed to be fast and efficient.  Used
       # with barnyard (the new alert/log processor), most of the overhead
       # for logging and alerting to various slow storage mechanisms
       # such as databases or the network can now be avoided.  
       # You can optionally define new rule types and associate one or 
       # more output plugins specifically to that type.
       # This example will create a rule type that will log to syslog
       # and a mysql database.
       # EXAMPLE RULE FOR REDALERT RULETYPE
       # The snort web site has documentation about how to write your own 
       # custom snort rules.
       # The rules included with this distribution generate alerts based on
       # on suspicious activity. Depending on your network environment, your
       # security policies, and what you consider to be suspicious, some of
       # these rules may either generate false positives ore may be detecting
       # activity you consider to be acceptable; therefore, you are
       # encouraged to comment out rules that are not applicable in your
       # environment.
       # Note that using all of the rules at the same time may lead to
       # serious packet loss on slower machines. YMMV, use with caution,
       # standard disclaimers apply. :)
       # The following individuals contributed many of rules in this
       # distribution.
       # shellcode, policy, info, backdoor, and virus rulesets are 
       # disabled by default.  These require tuning and maintance.  
       # Please read the included specific file for more information.

[*] Files added (consider updating your snort.conf to include them): [*]
    -> threshold.conf




