[Snort-sigs] snort-rules CURRENT update @ Sat Mar 20 20:15:26 2004

bmc at ...95... bmc at ...95...
Mon Mar 22 06:25:07 EST 2004


This rule update was brought to you by Oinkmaster.

[*] Rule modifications: [*]

  [+++]           Added:           [+++]

     file -> web-misc.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC NetObserve authentication bypass attempt"; flow:to_server,established; content:"login=0"; nocase; content:"Cookie|3a|"; nocase; pcre:"/^Cookie\x3a[^\n]*?login=0/smi"; reference:bugtraq,9319; classtype:web-application-attack; sid:2441; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC util.pl access"; flow:to_server,established; uricontent:"/util.pl"; nocase; reference:bugtraq,9748; classtype:web-application-activity; sid:2407; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 554 (msg:"WEB-MISC Real Server DESCRIBE buffer overflow attempt"; flow:to_server,established; content:"DESCRIBE"; nocase; content:"../"; distance:1; pcre:"/^DESCRIBE\s[^\n]{300}/smi"; reference:bugtraq,8476; reference:url,www.service.real.com/help/faq/security/rootexploit091103.html; classtype:web-application-attack; sid:2411; rev:3;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Invision Power Board search.pl access"; flow:to_server,established; uricontent:"/search.pl"; content:"st="; nocase; reference:bugtraq,9766; classtype:web-application-activity; sid:2408; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8000:8001 (msg:"WEB-MISC Quicktime User-Agent buffer overflow attempt"; flow:to_server,established; content:"User-Agent|3a|"; nocase; pcre:"/^User-Agent\x3a[^\n]{244,255}/smi"; reference:cve,CAN-2004-0169; classtype:web-application-attack; sid:2442; rev:2;)
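Review bot: In sid 2442 the quantifier `[^\n]{244,255}` in the User-Agent pcre is effectively `{244}`: nothing follows the range, so any header of 244 or more characters satisfies it and the upper bound never constrains the match. If a window was really intended, anchor it, e.g. `[^\n]{244,255}(?:\r?\n|$)`; otherwise write `{244}` so the intent is clear. In the same section, sid 2441's `content:"login=0"` is a substring match and also hits `login=01` or `relogin=0`; if it proves noisy, bound it in the pcre with `(?:^|[;\s])login=0(?=[;\s\r\n]|$)`.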

     file -> pop3.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP USER overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi"; reference:bugtraq,9794; classtype:attempted-admin; sid:2409; rev:1;)

     file -> misc.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal Server no encryption session initiation attmept"; flow:to_server,established; content:"|03 00 01|"; depth:3; content:"|00|"; offset:288; depth:1; reference:url,www.microsoft.com/technet/security/bulletin/MS01-052.asp; classtype:attempted-dos; sid:2418; rev:1;)
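Review bot: The msg of sid 2418 misspells "attempt" as `attmept`, which breaks anyone grepping or correlating alerts by message text; change it to `MISC MS Terminal Server no encryption session initiation attempt`. The second test, `content:"|00|"; offset:288; depth:1;`, keys on a single byte at an absolute offset in the stream, so it presumably assumes the client's connect PDU arrives in one reassembled buffer and that the encryption-method field always sits at offset 288 — worth confirming against a capture. A short comment above the rule naming which protocol field that byte is would help the next maintainer.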

     file -> telnet.rules
     alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET APC SmartSlot default admin account attempt"; flow:to_server,established; content:"TENmanUFactOryPOWER"; reference:bugtraq,9681; classtype:suspicious-login; sid:2406; rev:1;)

     file -> web-cgi.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI MDaemon form2raw.cgi access"; flow:to_server,established; content:"/form2raw.cgi"; nocase; reference:bugtraq,9317; classtype:web-application-activity; sid:2434; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 3000 (msg:"WEB-CGI MDaemon form2raw.cgi overflow attempt"; flow:to_server,established; uricontent:"/form2raw.cgi"; nocase; pcre:"/\Wfrom=[^\x3b&\n]{100}/si"; reference:bugtraq,9317; classtype:web-application-attack; sid:2433; rev:1;)
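Review bot: Sid 2433 watches port 3000 but matches with `uricontent:"/form2raw.cgi"`; uricontent only inspects the normalised URI that http_inspect builds, and it only builds it for the ports configured in the preprocessor, so unless 3000 is added there (it is not part of the usual $HTTP_PORTS set) this rule never fires. Either add 3000 to http_inspect's server ports or fall back to `content:"/form2raw.cgi"` as sid 2434 on the line above already does. The two rules are also inconsistent for the same CGI — 2434 watches $HTTP_PORTS, 2433 only port 3000 — so if the MDaemon web interface can be run on another port (I cannot tell from here), the overflow rule should use the same port variable.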

     file -> ftp.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM"; nocase; pcre:"/^MDTM \d+[-+]\D/smi"; classtype:attempted-admin; sid:2416; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP format string attempt"; flow:to_server,established; content:"%"; pcre:"/\s+.*?%.*?%/smi"; classtype:string-detect; sid:2417; rev:1;)
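Review bot: Sid 2417 is far too broad: `content:"%"` plus `pcre:"/\s+.*?%.*?%/smi"` fires on any FTP command line containing two percent signs, which includes ordinary URL-encoded or oddly named files (`RETR a%20b%20c.txt`), and it carries no reference saying what it is meant to catch. Restrict it at least to a format-specifier shape such as `%[0-9]*[nxsp]` so a bare `%20` does not trip it, and add the bugtraq/cve it was written for. Sid 2178 (FTP USER format string) already covers the USER case with a proper anchor, so this rule should either exclude USER or be documented as the catch-all. Sid 2416 likewise has no `reference:` line; add one so analysts can tell which MDTM bug it pins.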

     file -> multimedia.rules
     alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .smi playlist download attempt"; flow:to_server,established; uricontent:".smi"; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2421; rev:2;)
     alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rp playlist download attempt"; flow:to_server,established; uricontent:".rp"; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2423; rev:2;)
     alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rt playlist download attempt"; flow:to_server,established; uricontent:".rt"; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2422; rev:2;)
     alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rmp playlist download attempt"; flow:to_server,established; uricontent:".rmp"; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2420; rev:2;)
     alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .ram playlist download attempt"; flow:to_server,established; uricontent:".ram"; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2419; rev:2;)
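Review bot: The five flowbit setters use bare `uricontent:".rp"`, `".rt"`, `".ram"` etc., which are substring matches, so requests for `.rpm`, `.rtf` or `.ramdisk` files set `realplayer.playlist` too. Because the setters are `flowbits:noalert` the direct cost is nil, but sids 2438-2440 then inspect the reply of those unrelated downloads, where a 400-character `http://` string in an ordinary HTML page would alert as a RealPlayer overflow. Terminate the extension in a pcre, e.g. `pcre:"/\.rp(?:[?\s]|$)/i"`, or at least mention the expected false-positive source in a comment above the block.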

     file -> web-client.rules
     alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft emf metafile access"; flow:from_client,established; uricontent:".emf"; classtype:attempted-user; reference:bugtraq,9707; sid:2435; rev:1;)
     alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft wmf metafile access"; flow:from_client,established; uricontent:".wmf"; classtype:attempted-user; reference:bugtraq,9707; sid:2436; rev:1;)
     alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist file URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"file\://"; nocase; pcre:"/^file\x3a\x2f\x2f[^\n]{400}/smi"; classtype:attempted-user; reference:bugtraq,9579; sid:2438; rev:1;)
     alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist http URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"http\://"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; classtype:attempted-user; reference:bugtraq,9579; sid:2439; rev:1;)
     alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"rtsp\://"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; classtype:attempted-user; reference:bugtraq,9579; sid:2440; rev:1;)
     alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer arbitrary javascript command attempt"; flow:to_client,established; content:"Content-Type\:"; pcre:"/^Content-Type\x3a\s+application\x2fsmi.*?<area[\s\n\r]+href=[\x22\x27]file\x3ajavascript\x3a/smi"; classtype:attempted-user; reference:cve,CAN-2003-0726; reference:bugtraq,9738; reference:bugtraq,8453; sid:2437; rev:1;)
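Review bot: Sid 2440 (rtsp URL overflow) has a copy-paste error: its content is `rtsp\://` but the pcre is `/^http\x3a\x2f\x2f[^\n]{400}/smi`, so it only fires when the playlist also contains a 400-character `http://` line — which sid 2439 already reports — and a long `rtsp://` entry is never detected. Change it to `pcre:"/^rtsp\x3a\x2f\x2f[^\n]{400}/smi"`. Note also that sids 2438-2440 only test `flowbits:isset`, so they depend entirely on the multimedia.rules setters; if that file is disabled these three rules silently never match, which is worth a comment above them.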

     file -> exploit.rules
     alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; distance:5; within:2; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"|6e 00|"; distance:5; within:2; content:"|05 00|"; content:"|de 03|";  distance:5; within:2; byte_jump:2,18,relative,little; byte_jump:2,0,relative,little; byte_test:2,>,128,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2445; rev:2;)
     alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER email overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; distance:5; within:2; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"|6e 00|"; distance:5; within:2; content:"|05 00|"; content:"|de 03|";  distance:5; within:2; byte_jump:2,18,relative,little; byte_jump:2,0,relative,little; byte_jump:2,0,relative,little; byte_test:2,>,128,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2446; rev:2;)
     alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; distance:5; within:2; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"|6e 00|"; distance:5; within:2; content:"|05 00|"; content:"|de 03|";  distance:5; within:2; byte_jump:2,18,relative,little; byte_test:2,>,128,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2444; rev:2;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP initial contact notification without SPI attempt"; content:"|0b|"; offset:16; depth:1; content:"|00 0c 00 00 00 01 01 00 06 02|"; offset:30; depth:10; classtype:misc-attack; reference:bugtraq,CAN-2004-0164; reference:bugtraq,9416; sid:2414; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"; content:"|0b|"; offset:28; depth:1; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00 60 02|"; distance:-2; within:10; classtype:misc-attack; reference:bugtraq,CAN-2004-0164; reference:bugtraq,9416; sid:2415; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"|08|"; offset:16; depth:1; content:"|0c|"; offset:28; depth:1; content:"|00 04|"; offset:30; depth:2; classtype:misc-attack; reference:bugtraq,CAN-2004-0164; reference:bugtraq,9416; sid:2413; rev:1;)
     alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; distance:5; within:2; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"|6e 00|"; distance:5; within:2; content:"|05 00|"; content:"|de 03|";  distance:5; within:2; byte_test:2,>,128,18,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2443; rev:2;)
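Review bot: Sids 2413-2415 carry `reference:bugtraq,CAN-2004-0164`; that is a CVE candidate name, not a BID, so the generated link is dead — it should be `reference:cve,CAN-2004-0164` next to the existing `reference:bugtraq,9416`. Sids 2414 and 2415 both claim to match an initial-contact notification but pin different notify types, `06 02` in 2414 and `60 02` in 2415; INITIAL-CONTACT is 24578 (0x6002) in the IPsec DOI, so the `06 02` in 2414 looks like a transposition that will never match a real initial-contact payload. In the ICQ set, sids 2443 and 2444 share the msg `first name overflow attempt` although they test different length fields (2443 reads the length at offset 18 directly, 2444 first byte_jumps past it), so one of them presumably targets the neighbouring field — rename it so the alerts are distinguishable. All four ICQ rules also use `any 4000 -> any any`, which matches either direction from any host; at least the destination should be $HOME_NET.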

     file -> web-php.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phptest.php access"; flow:to_server,established; uricontent:"/phptest.php"; nocase; reference:bugtraq,9737; classtype:web-application-activity; sid:2405; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IGeneric Free Shopping Cart page.php access"; flow:to_server,established; uricontent:"/page.php"; nocase; content:"type_id="; nocase; reference:bugtraq,9773; classtype:web-application-activity; sid:2410; rev:1;)

     file -> deleted.rules
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .ini file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".ini|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2165; rev:2;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vxd file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".vxd|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2170; rev:2;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .scr file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".scr|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:729; rev:5;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hta file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".hta|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2162; rev:2;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vbs file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".vbs|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:793; rev:5;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .sys file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".sys|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2171; rev:2;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .doc file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".doc|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2161; rev:2;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .shs file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".shs|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:730; rev:5;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .chm file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".chm|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2163; rev:2;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .exe file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".exe|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2160; rev:2;)
     alert tcp any any -> any 139 (msg:"Virus - Possible QAZ Worm Infection"; flow:established; content: "|71 61 7a 77 73 78 2e 68 73 71|"; reference:MCAFEE,98775; sid:732;  classtype:misc-activity; rev:6;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hsq file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".hsq|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2173; rev:2;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .reg file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".reg|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2164; rev:2;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .bat file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".bat|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2166; rev:2;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .com file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".com|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2172; rev:2;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .dll file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".dll|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2169; rev:2;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .cpp file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".cpp|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2168; rev:2;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .diz file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".diz|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2167; rev:2;)

     file -> attack-responses.rules
     alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful cross site scripting forced download attempt"; flow:to_server,established; content:"|0a|Referer\: res\:/C\:"; classtype:successful-user; sid:2412; rev:2;)
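Review bot: Sid 2412 matches the literal `res:/C:` (single slash) in the Referer, while res: URLs are normally written `res://C:\...` with two slashes; if the exploit's referer uses the double-slash form this content never matches, so confirm against a capture and, if so, use a pcre such as `res\x3a\/{1,2}C\x3a` that accepts both. The rule also has no `reference:` line; cite the advisory it was written from so the alert can be triaged.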

     file -> nntp.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP ihave overflow attempt"; flow:to_server,established; content:"ihave"; nocase; pcre:"/^ihave\x3a[^\n]{21}/smi"; reference:cve,CAN-2004-00045; reference:bugtraq,9382; classtype:attempted-admin; sid:2428; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP rmgroup overflow attempt"; flow:to_server,established; content:"rmgroup"; nocase; pcre:"/^rmgroup\x3a[^\n]{21}/smi"; reference:cve,CAN-2004-00045; reference:bugtraq,9382; classtype:attempted-admin; sid:2431; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP sendsys overflow attempt"; flow:to_server,established; content:"sendsys"; nocase; pcre:"/^sendsys\x3a[^\n]{21}/smi"; reference:cve,CAN-2004-00045; reference:bugtraq,9382; classtype:attempted-admin; sid:2424; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP article post without path attempt"; flow:to_server,established; content:"takethis"; nocase; pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si"; classtype:attempted-admin; sid:2432; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP sendme overflow attempt"; flow:to_server,established; content:"sendme"; nocase; pcre:"/^sendme\x3a[^\n]{21}/smi"; reference:cve,CAN-2004-00045; reference:bugtraq,9382; classtype:attempted-admin; sid:2429; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP version overflow attempt"; flow:to_server,established; content:"version"; nocase; pcre:"/^version\x3a[^\n]{21}/smi"; reference:cve,CAN-2004-00045; reference:bugtraq,9382; classtype:attempted-admin; sid:2426; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP newgroup overflow attempt"; flow:to_server,established; content:"newgroup"; nocase; pcre:"/^newgroup\x3a[^\n]{21}/smi"; reference:cve,CAN-2004-00045; reference:bugtraq,9382; classtype:attempted-admin; sid:2430; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP checkgroups overflow attempt"; flow:to_server,established; content:"checkgroups"; nocase; pcre:"/^checkgroups\x3a[^\n]{21}/smi"; reference:cve,CAN-2004-00045; reference:bugtraq,9382; classtype:attempted-admin; sid:2427; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP senduuname overflow attempt"; flow:to_server,established; content:"senduuname"; nocase; pcre:"/^senduuname\x3a[^\n]{21}/smi"; reference:cve,CAN-2004-00045; reference:bugtraq,9382; classtype:attempted-admin; sid:2425; rev:1;)
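Review bot: Every overflow rule in this section (sids 2424-2431) cites `cve,CAN-2004-00045`, which has a five-digit sequence number and therefore cannot resolve; CVE names use four digits, so presumably `CAN-2004-0045` was meant — verify against the INN advisory that the BID 9382 reference points to and fix all eight lines. In sid 2432 the negated pcre uses `[\r]{0,1}?`, a lazy optional that here is just an obscure spelling of `\r?`; simplify it, and add a comment that a negated pcre also fires whenever the `Path:` header is simply not in the reassembled buffer yet, so this rule is expected to be noisy on large articles. The `^ihave\x3a` style anchors only make sense if these keywords appear as line-leading `keyword:` headers rather than as bare NNTP commands; a one-line comment naming the expected format would spare the next reader a trip to the advisory.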

  [---]          Removed:          [---]

     file -> virus.rules
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .reg file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".reg|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2164; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hsq file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".hsq|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2173; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .ini file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".ini|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2165; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vxd file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".vxd|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2170; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .bat file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".bat|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2166; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .scr file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".scr|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:729; rev:4;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .com file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".com|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2172; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .dll file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".dll|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2169; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hta file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".hta|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2162; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vbs file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".vbs|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:793; rev:4;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .sys file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".sys|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2171; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .doc file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".doc|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2161; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .cpp file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".cpp|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2168; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .shs file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".shs|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:730; rev:4;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .chm file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".chm|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2163; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .exe file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".exe|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2160; rev:1;)
     alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .diz file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".diz|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2167; rev:1;)
     alert tcp any any -> any 139 (msg:"Virus - Possible QAZ Worm Infection"; flow:established; content: "|71 61 7a 77 73 78 2e 68 73 71|"; reference:MCAFEE,98775; sid:732;  classtype:misc-activity; rev:5;)

  [///]       Modified active:     [///]

     file -> web-misc.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC negative Content-Length attempt"; flow:to_server,established; content:"Content-Length\:"; nocase; pcre:"/^Content-Length\x3a\s+-\d+/smi"; reference:bugtraq,9098; reference:bugtraq,9576; classtype:misc-attack; sid:2278; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC negative Content-Length attempt"; flow:to_server,established; content:"Content-Length\:"; nocase; pcre:"/^Content-Length\x3a\s+-\d+/smi"; reference:bugtraq,9098; reference:bugtraq,9576; reference:cve,CAN-2004-0095; classtype:misc-attack; sid:2278; rev:3;)

     file -> smtp.rules
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3a|"; nocase; isdataat:500,relative; pcre:"/^RCPT TO\s[^\n]{500}/ism"; reference:cve,CAN-2001-0260; reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3a|"; nocase; isdataat:300,relative; pcre:"/^RCPT TO\s[^\n]{300}/ism"; reference:cve,CAN-2001-0260; reference:bugtraq,2283; reference:bugtraq,9696; classtype:attempted-admin; sid:654; rev:10;)
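Review bot: Sid 654 still cannot match the usual overflow form after this edit: `content:"rcpt to|3a|"` requires the colon, but the pcre `/^RCPT TO\s[^\n]{300}/ism` requires a whitespace character immediately after `RCPT TO`, so `RCPT TO:<AAAA...>` satisfies the content and then fails the pcre; the rule only fires if the same payload also has a line beginning `RCPT TO ` without a colon. Lowering the threshold from 500 to 300 for BID 9696 does not help while the pcre is wrong. Use `pcre:"/^RCPT TO\x3a\s*[^\n]{300}/ism"` so the colon is accepted and the 300-byte count starts after it, which is also where the `isdataat:300,relative` check measures from.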

     file -> virus.rules
     old: alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .pif file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".pif|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:721; rev:4;)
     new: alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND bad file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; nocase; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[stw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:721; rev:6;)
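Review bot: The consolidated pcre in sid 721 only recognises a plain `filename = x.ext` parameter, so RFC 2231 encoded or continued names (`filename*=utf-8''evil.exe`, `filename*0="evil."; filename*1="exe"`) and attachments named only via `Content-Type: ...; name="evil.exe"` after a bare `Content-Disposition: attachment` go undetected, because the match is relative to the Content-Disposition line and `filename\s*=` does not admit the `*`. Consider a second rule keyed on `name\s*=` / `filename\*` with its own message, and note that the trailing `[\x27\x22\n\r\s]` class means a name that ends the packet with no terminator is also missed. The new msg `VIRUS OUTBOUND bad file attachment` drops the extension the old per-extension rules reported, so analysts now need the captured payload to see what was sent. The source also changed from `$SMTP_SERVERS any` to `$HOME_NET any`, widening the rule to every internal host talking to port 25 — presumably intentional (direct-to-MX mass mailers), but it deserves a comment above the rule.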

     file -> oracle.rules
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_privs access"; flow:to_server,established; content:"all_tab_columns"; nocase; classtype:protocol-command-decode; sid:1685; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_privs access"; flow:to_server,established; content:"all_tab_privs"; nocase; classtype:protocol-command-decode; sid:1685; rev:4;)

     file -> chat.rules
     old: alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC nick change"; flow:to_server,established; content: "NICK "; offset:0; classtype:misc-activity; sid:542;  rev:8;)
     new: alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC nick change"; flow:to_server,established; content: "NICK "; offset:0; classtype:policy-violation; sid:542;  rev:9;)
     old: alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type\:"; content:"text/plain"; distance:1; classtype:misc-activity; sid:540; rev:8;)
     new: alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type\:"; content:"text/plain"; distance:1; classtype:policy-violation; sid:540; rev:9;)
     old: alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC dns request"; flow:to_server,established; content:"USERHOST "; nocase; offset:0; classtype:misc-activity; sid:1789; rev:1;)
     new: alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC dns request"; flow:to_server,established; content:"USERHOST "; nocase; offset:0; classtype:policy-violation; sid:1789; rev:2;)
     old: alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC chat request"; flow:to_server,established; content:"PRIVMSG "; nocase; offset:0; content:" \:.DCC CHAT chat"; nocase; classtype:misc-activity; sid:1640;  rev:3;)
     new: alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC chat request"; flow:to_server,established; content:"PRIVMSG "; nocase; offset:0; content:" \:.DCC CHAT chat"; nocase; classtype:policy-violation; sid:1640;  rev:4;)
     old: alert tcp $HOME_NET any <> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC message"; flow:established; content:"PRIVMSG "; nocase; classtype:misc-activity; sid:1463; rev:5;)
     new: alert tcp $HOME_NET any <> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC message"; flow:established; content:"PRIVMSG "; nocase; classtype:policy-violation; sid:1463; rev:6;)
     old: alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"CHAT IRC dns response"; flow:to_client,established; content:"\:"; offset:0; content:" 302 "; content:"=+"; classtype:misc-activity; sid:1790; rev:2;)
     new: alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"CHAT IRC dns response"; flow:to_client,established; content:"\:"; offset:0; content:" 302 "; content:"=+"; classtype:policy-violation; sid:1790; rev:3;)
     old: alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"CHAT ICQ forced user addition"; flow:established,to_client; content:"Content-Type\: application/x-icq"; content:"[ICQ User]"; reference:bugtraq,3226; reference:cve,CAN-2001-1305; classtype:misc-activity; sid:1832; rev:3;)
     new: alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"CHAT ICQ forced user addition"; flow:established,to_client; content:"Content-Type\: application/x-icq"; content:"[ICQ User]"; reference:bugtraq,3226; reference:cve,CAN-2001-1305; classtype:policy-violation; sid:1832; rev:4;)
     old: alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC channel join"; flow:to_server,established; content:"JOIN \: \#"; nocase; offset:0; classtype:misc-activity; sid:1729;  rev:2;)
     new: alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC channel join"; flow:to_server,established; content:"JOIN \: \#"; nocase; offset:0; classtype:policy-violation; sid:1729;  rev:3;)
     old: alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT ICQ access"; flow:to_server,established; content: "User-Agent\:ICQ"; classtype:misc-activity; sid:541;  rev:6;)
     new: alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT ICQ access"; flow:to_server,established; content: "User-Agent\:ICQ"; classtype:policy-violation; sid:541;  rev:7;)
     old: alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC file transfer request"; flow:to_server,established; content:"PRIVMSG "; nocase; offset:0; content:" \:.DCC SEND"; nocase; classtype:misc-activity; sid:1639;  rev:3;)
     new: alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC file transfer request"; flow:to_server,established; content:"PRIVMSG "; nocase; offset:0; content:" \:.DCC SEND"; nocase; classtype:policy-violation; sid:1639;  rev:4;)

     file -> ftp.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,9600; reference:bugtraq,7776; reference:bugtraq,9600; classtype:misc-attack; sid:2178; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,9600; reference:bugtraq,7776; reference:bugtraq,9600; reference:bugtraq,9402; classtype:misc-attack; sid:2178; rev:7;)
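Review bot: The rev 7 line of sid 2178 still carries `reference:bugtraq,9600;` twice (once after 9262 and again after 7776), and the rev bump that adds `reference:bugtraq,9402;` would have been the natural moment to drop the duplicate. Repeated references do not affect detection, but they produce duplicated links in alert output and in any tooling that renders the reference list. Suggested tail of the rule: `reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,9600; reference:bugtraq,7776; reference:bugtraq,9402; classtype:misc-attack; sid:2178; rev:7;`.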

     file -> web-client.rules
     old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Outlook EML access"; uricontent:".eml"; flow:from_client,established; classtype:attempted-admin; sid:1233; rev:7;)
     new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Outlook EML access"; uricontent:".eml"; flow:from_client,established; classtype:attempted-user; sid:1233; rev:8;)
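Review bot: The reclassified sid 1233 matches `uricontent:".eml"` without `nocase`, while the other uricontent matches in this update (for example sid 2372's `uricontent:"/showphoto.php"; nocase;`) are case-insensitive; as far as I can tell from the rule text, a request for a `.EML` or `.Eml` path would not trigger it. If case-insensitive matching is intended, `uricontent:".eml"; nocase;` would bring it in line with the rest of the set. The rule also carries no `reference:` tag, so the rationale for the attempted-admin → attempted-user change cannot be checked from the rule alone; a reference to the underlying advisory would make the classification reviewable.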

     file -> web-php.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Photopost PHP Pro showphoto.php access"; flow:to_server,established; uricontent:"/showphoto.php"; nocase; reference:bugtraq,9557; classtype:web-application-activity; sid:2372; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Photopost PHP Pro showphoto.php access"; flow:to_server,established; uricontent:"/showphoto.php"; nocase; reference:bugtraq,9557; classtype:web-application-activity; sid:2372; rev:2;)

[*] Non-rule changes: [*]

  [+++]       Added lines:       [+++]

    -> File "info.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "finger.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "dns.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "snmp.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "virus.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
       # We don't care about virus rules anymore.  BUT, you people won't stop asking
       # us for virus rules.  So... here ya go.
       # There is now one rule that looks for any of the following attachment types:
       #   ade, adp, asd, asf, asx, bat, chm, cli, cmd, com, cpp, diz, dll, dot, emf,
       #   eml, exe, hlp, hsq, hta, ini, js, jse, lnk, mda, mdb, mde, mdw, msi, msp,
       #   nws, ocx, pif, pl, pm, pot, pps, ppt, reg, rtf, scr, shs, swf, sys, vb,
       #   vbe, vbs, vcf, vxd, wmd, wmf, wms, wmz, wpd, wpm, wps, wpz, wsc, wsf, wsh,
       #   xls, xlt, xlw
    -> File "multimedia.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "p2p.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "ftp.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "web-client.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "exploit.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "deleted.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
       # squash all of the virus rules into one rule.  go PCRE!
    -> File "attack-responses.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "web-iis.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "sql.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "pop3.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "dos.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
       # All rights reserved.
    -> File "backdoor.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "telnet.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "icmp.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "web-attacks.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "experimental.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "pop2.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "web-frontpage.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "shellcode.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "other-ids.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "web-misc.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
       # YES, the contents are logically backwards as to how the contents are seen on
       # the wire.  snort picks up the first of the longest pattern.  login=0 happens
       # MUCH less than Cookie.  so we do this for speed.
    -> File "icmp-info.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "policy.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "imap.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "web-coldfusion.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "web-cgi.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
       # the prevous rule looks for the attack, but we still want to catch the
       # scanners.  if we had port lists, this rule would be HTTP_PORTS and 3000
    -> File "web-php.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "snort.conf":
        include $RULE_PATH/virus.rules
    -> File "rpc.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "netbios.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "ddos.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "smtp.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "x11.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "tftp.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "scan.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "misc.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "mysql.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "oracle.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "chat.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "bad-traffic.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "rservices.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
    -> File "nntp.rules":
       # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.

  [---]      Removed lines:      [---]
    -> File "info.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "finger.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "dns.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "snmp.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "virus.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
       # NOTE: These rules are NOT being actively maintained.
       # These rules are going away.  We don't care about virus rules anymore.
    -> File "multimedia.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "p2p.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "ftp.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "web-client.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "exploit.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "deleted.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "attack-responses.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "web-iis.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "sql.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "pop3.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "dos.rules":
       # (C) Copyright 2001, Martin Roesch, Brian Caswell, et al.  All rights reserved.
    -> File "backdoor.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "telnet.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "icmp.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "web-attacks.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "experimental.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "pop2.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "web-frontpage.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "shellcode.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "other-ids.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "web-misc.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "icmp-info.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "policy.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "imap.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "web-coldfusion.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "web-cgi.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "web-php.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "snort.conf":
       # include $RULE_PATH/virus.rules
    -> File "rpc.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "netbios.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "ddos.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "smtp.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "x11.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "tftp.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "scan.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "misc.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "mysql.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "oracle.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "chat.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "bad-traffic.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "rservices.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
    -> File "nntp.rules":
       # (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.




