
[Snort-sigs] snort-rules CURRENT update @ Wed Apr 16 21:16:04 2003

From: <bmc(at)snort.org>
Date: Wed Apr 16 2003 - 21:16:04 EDT

This rule update was brought to you by Oinkmaster. Written by Andreas Östling <andreaso@it.su.se>

[*] Rule modifications: [*]

  [+++] Added: [+++]

     file -> sql.rules
     alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL version overflow attempt"; content:"|04|"; offset:0; depth:1; dsize:>100; reference:nessus,10674; reference:cve,CVE-2002-0649; classtype:misc-activity; sid:2050; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL ping attempt"; content:"|02|"; offset:0; depth:1; reference:nessus,10674; classtype:misc-activity; sid:2049; rev:1;)

     file -> web-misc.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Tomcat null byte directory listing attempt"; flow:to_server,established; uricontent:"|00|.jsp"; reference:cve,CAN-2003-0042; reference:bugtraq,6721; classtype:web-application-attack; sid:2061; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .exe script source download attempt"; flow:to_server,established; uricontent:".exe"; content:".exe"; content:"."; within:1; classtype:web-application-attack; sid:2067; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC helpout.exe access"; flow:to_server,established; uricontent:"/helpout.exe"; reference:nessus,11162; classtype:web-application-activity; sid:2057; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC post32.exe access"; flow:to_server,established; uricontent:"/post32.exe"; reference:bugtraq,1485; classtype:web-application-activity; sid:2071; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC DB4Web access"; flow:to_server,established; uricontent:"/DB4Web/"; reference:nessus,11180; classtype:web-application-activity; sid:2060; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC MsmMask.exe access"; flow:to_server,established; uricontent:"/MsmMask.exe"; reference:nessus,11163; classtype:web-application-activity; sid:2059; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .csp script source download attempt"; flow:to_server,established; uricontent:".csp"; content:".csp"; content:"."; within:1; classtype:web-application-attack; sid:2064; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC lyris.pl access"; flow:to_server,established; uricontent:"/lyris.pl"; reference:cve,CVE-2000-0758; reference:bugtraq,1584; classtype:web-application-activity; sid:2072; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .pl script source download attempt"; flow:to_server,established; uricontent:".pl"; content:".pl"; content:"."; within:1; classtype:web-application-attack; sid:2066; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC post32.exe arbitrary command attempt"; flow:to_server,established; uricontent:"/post32.exe\|"; reference:bugtraq,1485; classtype:web-application-attack; sid:2070; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC iPlanet .perf access"; flow:to_server,established; uricontent:"/.perf"; classtype:web-application-activity; sid:2062; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC MsmMask.exe attempt"; flow:to_server,established; uricontent:"/MsmMask.exe"; content:"mask="; reference:nessus,11163; classtype:web-application-attack; sid:2058; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC chip.ini access"; flow:to_server,established; uricontent:"/chip.ini"; reference:bugtraq,2755; reference:cve,CAN-2001-0749; classtype:web-application-activity; sid:2069; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC TRACE attempt"; flow:to_server,established; content:"TRACE"; offset:0; depth:5; reference:url,www.whitehatsec.com/press_releases/WH-PR-20030120.pdf; reference:nessus,11213; classtype:web-application-attack; sid:2056; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC globals.pl access"; flow:to_server,established; uricontent:"/globals.pl"; reference:cve,CVE-2001-0330; reference:bugtraq,2671; classtype:web-application-activity; sid:2073; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC BitKeeper arbitrary command attempt"; flow:to_server,established; uricontent:"/diffs/"; content:"'"; content:"|3b|"; distance:0; content:"'"; distance:1; reference:bugtraq,6588; classtype:web-application-attack; sid:2068; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .csp script source download attempt"; flow:to_server,established; uricontent:".csp."; classtype:web-application-attack; sid:2065; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Demarc SQL injection attempt"; flow:to_server,established; uricontent:"/dm/demarc"; content:"s_key="; content:"'"; distance:0; content:"'"; distance:1; content:"'"; distance:0; classtype:web-application-activity; sid:2063; rev:1;)

     file -> web-iis.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /exchange/root.asp access"; flow:to_server,established; uricontent:"/exchange/root.asp"; nocase; classtype:web-application-activity; sid:1568; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS postinfo.asp access"; flow:to_server,established; uricontent:"/scripts/postinfo.asp"; nocase; classtype:web-application-activity; sid:1075; rev:6;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /exchange/root.asp attempt"; flow:to_server,established; uricontent:"/exchange/root.asp?acs=anon"; nocase; classtype:web-application-attack; sid:1567; rev:5;)

     file -> policy.rules
     alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"POLICY xtacacs accepted login response"; content:"|80 02|"; offset:0; depth:2; content:"|01|"; distance:4; classtype:misc-activity; sid:2042; rev:2;)
     alert tcp $HOME_NET any -> $EXTERNAL_NET 1723 (msg:"POLICY PPTP setup attempt"; flow:to_server,established; content:"|00 01|"; offset:2; depth:2; content:"|00 01 00 00 01 00 00 00|"; offset:8; depth:8; classtype:misc-activity; sid:2044; rev:3;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"POLICY xtacacs login attempt"; content:"|80 01|"; offset:0; depth:2; content:"|00|"; distance:4; classtype:misc-activity; sid:2040; rev:2;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"POLICY IPSec PGPNet connection attempt"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00 50 01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01 51 80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01 51 80 00 00 00 10|"; classtype:protocol-command-decode; sid:1771; rev:5;)

     file -> scan.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SCAN cybercop os probe"; content: "AAAAAAAAAAAAAAAA"; flags:SFP; ack: 0; depth: 16;reference:arachnids,145; classtype:attempted-recon; sid:1133; rev:6;)

     file -> misc.rules
     alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"MISC xtacacs failed login response"; content:"|80 02|"; offset:0; depth:2; content:"|02|"; distance:4; classtype:misc-activity; sid:2041; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd overflow attempt"; flow:to_server; byte_test:2,>,4000,0; content:"|00 00|"; offset:2; depth:2; classtype:misc-activity; sid:2048; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd module list access"; flow:to_server,established; content:"|23|list"; offset:0; depth:5; classtype:misc-activity; sid:2047; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hostname format string attempt"; content:"|01|"; offset:0; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; distance:1; within:8; content:"%"; distance:1; within:8; reference:bugtraq,4701; classtype:misc-attack; sid:2039; rev:1;)
     alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"MISC isakmp login failed"; content:"|10 05|"; offset:17; depth:2; content:"|00 00 00 01 01 00 00 18|"; distance:13; within:8; classtype:misc-activity; sid:2043; rev:1;)

     file -> imap.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:" PARTIAL "; content:" BODY.PEEK["; content:!"]"; within:1024; reference:bugtraq,4713; reference:cve,CAN-2002-0379; classtype:misc-attack; sid:2046; rev:1;)

     file -> web-cgi.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI parse_xml.cgi access"; flow:to_server,established; uricontent:"/parse_xml.cgi"; nocase; reference:cve,CAN-2003-0054; classtype:web-application-activity; sid:2085; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI enter_bug.cgi arbitrary command attempt"; flow:to_server,established; uricontent:"/enter_bug.cgi"; nocase; content:"who="; content:"\;"; distance:0; reference:cve,CAN-2002-0008; classtype:web-application-attack; sid:2054; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 1220 (msg:"WEB-CGI streaming server parse_xml.cgi access"; flow:to_server,established; content:"/parse_xml.cgi"; nocase; reference:cve,CAN-2003-0054; classtype:web-application-activity; sid:2086; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cached_feed.cgi moreover shopping cart access"; flow:to_server,established; uricontent:"/cached_feed.cgi"; reference:cve,CAN-2000-0906; reference:bugtraq,1762; classtype:web-application-activity; sid:2051; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI way-board.cgi access"; flow:to_server,established; uricontent:"/way-board.cgi"; nocase; reference:nessus,10610; classtype:web-application-activity; sid:1850; rev:3;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI enter_bug.cgi access"; flow:to_server,established; uricontent:"/enter_bug.cgi"; nocase; reference:cve,CAN-2002-0008; classtype:web-application-activity; sid:2055; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI process_bug.cgi access"; flow:to_server,established; uricontent:"/process_bug.cgi"; nocase; reference:cve,CAN-2002-0008; classtype:web-application-activity; sid:2053; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mrtg.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/mrtg.cgi"; content:"cfg=/../"; reference:nessus,11001; classtype:web-application-attack; sid:1862; rev:3;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI overflow.cgi access"; flow:to_server,established; uricontent:"/overflow.cgi"; reference:nessus,11190; reference:url,www.cert.org/advisories/CA-2002-35.html; classtype:web-application-activity; sid:2052; rev:1;)

     file -> deleted.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv Solaris overflow"; flow:to_server,established; dsize: >999; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; reference:url,www.cert.org/advisories/CA-2001-27.html; reference:bugtraq,122; reference:cve,CVE-1999-0003; reference:arachnids,242; classtype:attempted-admin; sid:571; rev:5;)
     alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute ipopts"; ipopts: rr; itype: 0; reference:arachnids,238; sid:455; classtype:misc-activity; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|89d8 40cd 80e8 c8ff ffff|/";reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:295; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; flow:to_server,established; content: "/bin|c74604|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:600; rev:5;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1296; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN ssh-research-scanner"; flow:to_server,established; content:"|00 00 00 60 00 00 00 00 00 00 00 00 01 00 00 00|"; classtype:attempted-recon; sid:617; rev:3;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webstore directory traversal"; uricontent:"/web_store.cgi?page=../.."; flow:to_server,established; reference:bugtraq,1774; reference:cve,CVE-2000-1005; classtype:web-application-attack; sid:1094; rev:8;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv solaris overflow"; content: "|C0 22 3F FC A2 02 20 09 C0 2C 7F FF E2 22 3F F4|"; flow:to_server,established; dsize: >999; reference:url,www.cert.org/advisories/CA-2001-27.html; reference:bugtraq,122; reference:cve,CVE-1999-0003; reference:arachnids,242; classtype:attempted-admin; sid:570; rev:6;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|eb35 5E80 4601 3080 4602 3080 4603 30|";reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:297; rev:5;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|";offset:5; reference:arachnids,9;classtype:attempted-recon; sid:592; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|eb38 5e89f389d880460120804602|"; reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:298; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing"; flow:to_server,established; rpc: 100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:597; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|eb58 5E31 db83 c308 83c3 0288 5e26|"; reference:bugtraq,130; reference:cve, CVE-1999-0005; classtype:attempted-admin; sid:299; rev:5;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; content: "/bin|c74604|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:1282; rev:3;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing"; flow:to_server,established; rpc: 100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:596; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|eb34 5e8d 1E89 5e0b 31d2 8956 07|";reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:296; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|";offset:5; reference:arachnids,9;classtype:attempted-recon; sid:1278; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; flow:to_server,established; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1297; rev:7;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT overflow"; flow:to_server,established; content:"|E8 C0FF FFFF|/bin/sh"; classtype:attempted-admin; sid:293; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 634:1400 (msg:"RPC AMD Overflow"; flow:to_server,established; content: "|80 00 04 2C 4C 15 75 5B 00 00 00 00 00 00 00 02|"; depth:32; reference:cve,CVE-1999-0704; reference:arachnids,217; classtype:attempted-admin; sid:573; rev:5;)
     file -> web-php.rules
     alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-PHP PHPLIB remote command attempt"; flow:to_server,established; uricontent:"/db_mysql.inc"; reference:bugtraq,3079; classtype:attempted-user; sid:1255; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP piranha passwd.php3 access"; flow:to_server,established; uricontent: "/passwd.php3"; reference:bugtraq,1149; reference:cve,CVE-2000-0322; reference:arachnids,272; classtype:attempted-recon; sid:1161; rev:6;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpBB privmsg.php access"; flow:to_server,established; uricontent:"/privmsg.php"; reference:bugtraq,6634; classtype:web-application-activity; sid:2078; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP strings overflow"; flow:to_server,established; content: "|ba49feffff f7d2 b9bfffffff f7d1|"; reference:bugtraq,802; reference:arachnids,431; classtype:web-application-attack; sid:1085; rev:6;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo upload.php access"; flow:to_server,established; uricontent:"/upload.php"; reference:bugtraq,6572; classtype:web-application-activity; sid:2077; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP strings overflow"; flow:to_server,established; uricontent:"?STRENGUR"; reference:arachnids,430; reference:bugtraq,1786; classtype:web-application-attack; sid:1086; rev:8;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php access"; flow:to_server,established; uricontent:"/admin.php"; nocase; reference:bugtraq,3361; classtype:attempted-recon; sid:1301; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum code access"; flow:to_server,established; uricontent:"/code.php3"; nocase; reference:arachnids,207; classtype:attempted-recon; sid:1197; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum read access"; flow:to_server,established; uricontent:"/read.php3"; nocase; reference:arachnids,208; classtype:attempted-recon; sid:1178; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum admin access"; flow:to_server,established; uricontent:"/admin.php3"; nocase; reference:bugtraq,2271; reference:arachnids,205; classtype:attempted-recon; sid:1134; rev:6;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo upload.php upload php file attempt"; flow:to_server,established; uricontent:"/upload.php"; content:"userfile_name="; content:".php"; distance:1; reference:bugtraq,6572; classtype:web-application-attack; sid:2075; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Nuke remote file include attempt"; flow:to_server,established; uricontent:"index.php"; nocase; content:"file=http\://"; nocase; reference:bugtraq,3889; classtype:web-application-attack; sid:1399; rev:7;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum /support/common.php attempt"; flow:to_server,established; uricontent:"/support/common.php"; content:"ForumLang=../"; classtype:web-application-attack; sid:1490; rev:6;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum authentication access"; flow:to_server,established; content:"PHP_AUTH_USER=boogieman"; nocase; reference:bugtraq,2274; reference:arachnids,206; classtype:attempted-recon; sid:1137; rev:7;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo uploadimage.php upload php file attempt"; flow:to_server,established; uricontent:"/uploadimage.php"; content:"userfile_name="; content:".php"; distance:1; reference:bugtraq,6572; classtype:web-application-attack; sid:2074; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo uploadimage.php access"; flow:to_server,established; uricontent:"/uploadimage.php"; reference:bugtraq,6572; classtype:web-application-activity; sid:2076; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP smssend.php access"; flow:to_server,established; uricontent:"/smssend.php"; classtype:web-application-activity; reference:bugtraq,3982; sid:1407; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php file upload attempt"; flow:to_server,established; uricontent:"/admin.php"; nocase; content:"file_name="; reference:bugtraq,3361; classtype:attempted-admin; sid:1300; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPLIB remote command attempt"; flow:to_server,established; content:"_PHPLIB[libdir]"; reference:bugtraq,3079; classtype:attempted-user; sid:1254; rev:6;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum violation access"; flow:to_server,established; uricontent:"/violation.php3"; nocase; reference:bugtraq,2272; reference:arachnids,209; classtype:attempted-recon; sid:1179; rev:6;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum /support/common.php access"; flow:to_server,established; uricontent:"/support/common.php"; classtype:web-application-attack; sid:1491; rev:6;)
     file -> rpc.rules
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request UDP"; content:"|00 01 86 A4|"; offset:12; depth:4; content:"|00 00 00 0B|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2033; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap status request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2016; rev:3;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2028; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7 68|"; within:4; reference:cve,CAN-2002-0359; reference:bugtraq,5075; classtype:rpc-portmap-decode; sid:2082; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2026; rev:3;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request TCP"; flow:to_server,established; content:"|00 01 86 A4|"; offset:16; depth:4; content:"|00 00 00 0B|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2034; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmount request"; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; classtype:attempted-recon; sid:2021; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt UDP"; content:"|00 01 86 A9|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2029; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmount request"; flow:to_server,established; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; classtype:attempted-recon; sid:2020; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request UDP"; content:"|00 03 0D 70|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2037; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2030; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request TCP"; flow:to_server,established; content:"|00 03 0D 70|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2038; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmountall request"; flow:to_server,established; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 04|"; distance:4; within:4; classtype:attempted-recon; sid:2022; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP dump request"; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 02|"; distance:4; within:4; classtype:attempted-recon; sid:2019; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; reference:cve,CVE-2000-0508; reference:bugtraq,1372; classtype:rpc-portmap-decode; sid:2079; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt TCP"; flow:to_server,established; content:"|00 01 86 BC|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|"; distance:4; classtype:misc-attack; sid:2089; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; reference:cve,CVE-2000-0508; reference:bugtraq,1372; classtype:rpc-portmap-decode; sid:2080; rev:2;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt UDP"; content:"|00 01 86 A0 00|"; offset:12; depth:5; content:"|00 00 00 05|"; distance:3; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; classtype:rpc-portmap-decode; reference:cve,CAN-2003-0028; reference:bugtraq,7123; sid:2092; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; offset:16; depth:4; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; reference:cve,CAN-2002-0391; reference:bugtraq,5356; classtype:attempted-admin; sid:2095; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt UDP"; content:"|00 01 86 A9|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2027; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt TCP"; content:"|00 01 86 AB|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; reference:cve,CVE-1999-0974; reference:bugtraq,864; classtype:misc-attack; sid:2024; rev:3;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update"; content:"|00 01 86 A9|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2031; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap espd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7 75|"; within:4; reference:cve,CAN-2001-0331; classtype:rpc-portmap-decode; sid:2017; rev:5;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmountall request"; content:"|00 01 86 A5|"; offset:12; depth:4; content:"|00 00 00 04|"; distance:4; within:4; classtype:attempted-recon; sid:2023; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt UDP"; content:"|00 01 86 A9|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; classtype:rpc-portmap-decode; sid:2025; rev:3;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt UDP"; content:"|00 05 F7 68|"; offset:12; depth:4; content:"|00 00 00 0D|"; distance:4; within:4; reference:cve,CAN-2002-0359; reference:bugtraq,5075; classtype:rpc-portmap-decode; sid:2083; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; content:"|00 01 86 E4|"; offset:12; depth:4; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; reference:cve,CAN-2002-0391; reference:bugtraq,5356; classtype:attempted-admin; sid:2094; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A0 00|"; offset:16; depth:5; content:"|00 00 00 05|"; distance:3; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; reference:cve,CAN-2003-0028; reference:bugtraq,7123; classtype:rpc-portmap-decode; sid:2093; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D 70|"; within:4; classtype:rpc-portmap-decode; sid:2036; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP dump request"; flow:to_server,established; content:"|00 01 86 A5|"; offset:16; depth:4; content:"|00 00 00 02|"; distance:4; within:4; classtype:attempted-recon; sid:2018; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update"; flow:to_server,established; content:"|00 01 86 A9|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:2032; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; offset:16; depth:4; content:"|00 00 00 02|"; distance:4; within:4; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2014; rev:2;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt UDP"; content:"|00 01 86 BC|"; offset:12; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|"; distance:4; classtype:misc-attack; sid:2088; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D 70|"; within:4; classtype:rpc-portmap-decode; sid:2035; rev:2;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt UDP 111"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 02|"; distance:4; within:4; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2015; rev:2;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request UDP"; content:"|00 01 86 A0|"; offset:12; depth:4; content:"|00 00 00 03|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7 68|"; within:4; reference:cve,CAN-2002-0359; reference:bugtraq,5075; classtype:rpc-portmap-decode; sid:2081; rev:2;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt UDP"; content:"|00 01 87 99|"; offset:12; depth:4; content:"|00 00 01 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; reference:bugtraq,2417; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2045; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt TCP"; flow:to_server,established; content:"|00 05 F7 68|"; offset:16; depth:4; content:"|00 00 00 0D|"; distance:4; within:4; reference:cve,CAN-2002-0359; reference:bugtraq,5075; classtype:rpc-portmap-decode; sid:2084; rev:1;)

  [---] Disabled: [---]

     file -> web-php.rules
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition"; flow:to_server,established; content:"Content-Disposition\:"; content:"form-data\;"; classtype:web-application-attack; reference:bugtraq,4183; sid:1425; rev:6;)
file -> misc.rules
#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large UDP Packet"; dsize: >4000; reference:arachnids,247; classtype:bad-unknown; sid:521; rev:1;)
[---] Removed: [---] file -> web-misc.rules
# Removed rules drop out of the rule set entirely; nothing in this listing replaces them,
# so sites still running these applications should keep local copies of the ones they need.
# sid 1255 (removed): the header is $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS with
# flow:to_server, i.e. it only ever examined requests originating FROM your web servers and
# could not fire on inbound attacks. Its companion sid 1254 (_PHPLIB[libdir]) is removed too.
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC PHPLIB remote command attempt"; flow:to_server,established; uricontent:"/db_mysql.inc"; reference:bugtraq,3079; classtype:attempted-user; sid:1255; rev:4;)
# sid 1161 (removed): Piranha /passwd.php3 access (CVE-2000-0322, bugtraq 1149).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC piranha passwd.php3 access"; flow:to_server,established; uricontent: "/passwd.php3"; reference:bugtraq,1149; reference:cve,CVE-2000-0322; reference:arachnids,272; classtype:attempted-recon; sid:1161; rev:5;)
# sid 1850 (removed): way-board.cgi access (nessus 10610).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC way-board.cgi access"; flow:to_server,established; uricontent:"/way-board.cgi"; nocase; reference:nessus,10610; classtype:web-application-activity; sid:1850; rev:2;)
# sid 1085 (removed): fixed 16-byte pattern from the bugtraq 802 PHP overflow exploit - a
# shellcode-fragment match that any re-encoding avoids; sid 1086 is its sibling.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC PHP strings overflow"; flow:to_server,established; content: "|ba49feffff f7d2 b9bfffffff f7d1|"; reference:bugtraq,802; reference:arachnids,431; classtype:web-application-attack; sid:1085; rev:5;)
# sid 1568 (removed): /exchange/root.asp access; the ?acs=anon "attempt" form (sid 1567)
# is removed as well.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /exchange/root.asp access"; flow:to_server,established; uricontent:"/exchange/root.asp"; nocase; classtype:web-application-activity; sid:1568; rev:4;)
# sid 1567 (removed): /exchange/root.asp?acs=anon, the anonymous-access form of sid 1568.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /exchange/root.asp attempt"; flow:to_server,established; uricontent:"/exchange/root.asp?acs=anon"; nocase; classtype:web-application-attack; sid:1567; rev:4;)
# sid 1086 (removed): "?STRENGUR " in the raw payload (arachnids 430), companion to sid 1085.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC PHP strings overflow"; flow:to_server,established; content: "?STRENGUR ";reference:arachnids,430; classtype:web-application-attack; sid:1086; rev:5;)
# sid 1863 (removed): mrtg.cgi access. The msg carries a WEB-CGI prefix although the rule
# sat in web-misc.rules, so this may be a move to web-cgi.rules rather than a loss of
# coverage; the listing does not say.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mrtg.cgi access"; flow:to_server,established; uricontent:"/mrtg.cgi"; reference:nessus,11001; classtype:web-application-activity; sid:1863; rev:2;)
# sid 1301 (removed): /admin.php access (bugtraq 3361); the upload "attempt" form is sid 1300.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC admin.php access"; flow:to_server,established; uricontent:"/admin.php"; nocase; reference:bugtraq,3361; classtype:attempted-recon; sid:1301; rev:4;)
# Phorum (php3) access rules removed: read.php3, code.php3, admin.php3.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Phorum read access"; flow:to_server,established; uricontent:"/read.php3"; nocase; reference:arachnids,208; classtype:attempted-recon; sid:1178; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Phorum code access"; flow:to_server,established; uricontent:"/code.php3"; nocase; reference:arachnids,207; classtype:attempted-recon; sid:1197; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Phorum admin access"; flow:to_server,established; uricontent:"/admin.php3"; nocase; reference:bugtraq,2271; reference:arachnids,205; classtype:attempted-recon; sid:1134; rev:5;)
# sid 1399 (removed): PHP-Nuke remote file include - index.php with "file=http://" anywhere
# in the request (bugtraq 3889). Generic RFI coverage for this pattern goes with it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC PHP-Nuke remote file include attempt"; flow:to_server,established; uricontent:"index.php"; nocase; content:"file=http\://"; nocase; reference:bugtraq,3889; classtype:web-application-attack; sid:1399; rev:6;)
# sid 1137 (removed): Phorum auth bypass, PHP_AUTH_USER=boogieman (bugtraq 2274).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Phorum auth access"; flow:to_server,established; content:"PHP_AUTH_USER=boogieman"; nocase; reference:bugtraq,2274; reference:arachnids,206; classtype:attempted-recon; sid:1137; rev:5;)
# sid 1490 (removed): Phorum /support/common.php with ForumLang=../ (directory traversal).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC phorum /support/common.php attempt"; flow:to_server,established; uricontent:"/support/common.php"; content:"ForumLang=../"; classtype:web-application-attack; sid:1490; rev:4;)
# sid 1075 (removed): IIS /scripts/postinfo.asp access.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC postinfo.asp access"; flow:to_server,established; uricontent:"/scripts/postinfo.asp"; nocase; classtype:web-application-activity; sid:1075; rev:5;)
# sid 1133 (removed): a TCP flag probe (flags:SFP, ack:0, 16 x 'A' payload) that had been
# filed under web-misc and scoped to $HTTP_SERVERS $HTTP_PORTS; as an OS-fingerprint
# signature it belongs in scan.rules, if anywhere.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SCAN cybercop os probe"; content: "AAAAAAAAAAAAAAAA"; flags:SFP; ack: 0; depth: 16;reference:arachnids,145; classtype:attempted-recon; sid:1133; rev:5;)
# sid 1407 (removed): smssend.php access (bugtraq 3982).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC smssend.php access"; flow:to_server,established; uricontent:"/smssend.php"; classtype:web-application-activity; reference:bugtraq,3982; sid:1407; rev:4;)
# sid 1254 (removed): PHPLIB _PHPLIB[libdir] override (bugtraq 3079), companion to sid 1255.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC PHPLIB remote command attempt"; flow:to_server,established; content:"_PHPLIB[libdir]"; reference:bugtraq,3079; classtype:attempted-user; sid:1254; rev:5;)
# sid 1300 (removed): /admin.php with "file_name=" (bugtraq 3361 upload), attempted-admin.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC admin.php file upload attempt"; flow:to_server,established; uricontent:"/admin.php"; nocase; content:"file_name="; reference:bugtraq,3361; classtype:attempted-admin; sid:1300; rev:4;)
# sid 1179 (removed): Phorum violation.php3 access.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Phorum violation access"; flow:to_server,established; uricontent:"/violation.php3"; nocase; reference:bugtraq,2272; reference:arachnids,209; classtype:attempted-recon; sid:1179; rev:5;)
# sid 1491 (removed): Phorum /support/common.php access (the traversal form is sid 1490).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC phorum /support/common.php access"; flow:to_server,established; uricontent:"/support/common.php"; classtype:web-application-attack; sid:1491; rev:4;)
# sid 1862 (removed): mrtg.cgi with cfg=/../ (traversal, nessus 11001); WEB-CGI msg in
# web-misc.rules, same remark as for sid 1863.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mrtg.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/mrtg.cgi"; content:"cfg=/../"; reference:nessus,11001; classtype:web-application-attack; sid:1862; rev:2;)
file -> web-cgi.rules
# sid 1094 (removed, was already disabled): web_store.cgi?page=../.. traversal
# (CVE-2000-1005, bugtraq 1774).
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webstore directory traversal"; uricontent:"/web_store.cgi?page=../.."; flow:to_server,established; reference:bugtraq,1774; reference:cve,CVE-2000-1005; classtype:web-application-attack; sid:1094; rev:7;)
file -> icmp-info.rules
# sid 455 (removed): ICMP type 0 (echo reply) carrying the record-route option, inbound to
# $HOME_NET - i.e. it fired on replies to traceroute-style probes launched from inside,
# not on probes aimed at the site.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute ipopts"; ipopts: rr; itype: 0; reference:arachnids,238; sid:455; classtype:misc-activity; rev:4;)
file -> scan.rules
# sid 617 (removed, was already disabled): 16-byte fixed prefix attributed to the
# ssh-research-scanner; no reference.
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN ssh-research-scanner"; flow:to_server,established; content:"|00 00 00 60 00 00 00 00 00 00 00 00 01 00 00 00|"; classtype:attempted-recon; sid:617; rev:2;)
file -> rpc.rules
# rpc.rules removals. Most were already disabled ('#'); sids 1296/1297 (yppasswdd GETPORT,
# bugtraq 2763) were still active and lose coverage outright.
# sid 592 / sid 1278 (removed): rstatd (0x000186A1) call header. offset:5 is odd for RPC,
# whose fields are 4-byte aligned (the msg-type word starts at byte 4 of a UDP payload);
# that may be one reason the pair was dropped.
#alert udp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|";offset:5; reference:arachnids,9;classtype:attempted-recon; sid:592; rev:3;)
# sid 571 / sid 570 (removed): ttdbserv (0x000186F3) proc 0x0F with dsize >999, and a fixed
# 16-byte machine-code variant (CVE-1999-0003, CA-2001-27). The DOS form, sid 572, is kept
# but disabled in the "Disabled and modified" section.
#alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv Solaris overflow"; flow:to_server,established; dsize: >999; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; reference:url,www.cert.org/advisories/CA-2001-27.html; reference:bugtraq,122; reference:cve,CVE-1999-0003; reference:arachnids,242; classtype:attempted-admin; sid:571; rev:4;)
# sid 597 / sid 596 (removed): portmap dump via the rpc: keyword, on 32771 and on 111.
#alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing"; flow:to_server,established; rpc: 100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:597; rev:4;)
# sid 600 / sid 1282 (removed): statdx exploit string "/bin|c7 46 04|/sh" over TCP and UDP.
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; flow:to_server,established; content: "/bin|c74604|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:600; rev:4;)
# sid 1296 (removed, was active): yppasswdd (100009) GETPORT over UDP.
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1296; rev:3;)
#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; content: "/bin|c74604|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:1282; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing"; flow:to_server,established; rpc: 100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:596; rev:4;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|";offset:5; reference:arachnids,9;classtype:attempted-recon; sid:1278; rev:3;)
# sid 1297 (removed, was active): yppasswdd (100009) GETPORT over TCP.
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; flow:to_server,established; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1297; rev:6;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv solaris overflow"; content: "|C0 22 3F FC A2 02 20 09 C0 2C 7F FF E2 22 3F F4|"; flow:to_server,established; dsize: >999; reference:url,www.cert.org/advisories/CA-2001-27.html; reference:bugtraq,122; reference:cve,CVE-1999-0003; reference:arachnids,242; classtype:attempted-admin; sid:570; rev:5;)
# sid 573 (removed): AMD overflow, 16-byte fixed pattern on ports 634:1400 (CVE-1999-0704).
#alert tcp $EXTERNAL_NET any -> $HOME_NET 634:1400 (msg:"RPC AMD Overflow"; flow:to_server,established; content: "|80 00 04 2C 4C 15 75 5B 00 00 00 00 00 00 00 02|"; depth:32; reference:cve,CVE-1999-0704; reference:arachnids,217; classtype:attempted-admin; sid:573; rev:4;)
file -> misc.rules
# sid 1771 (removed, was already disabled): a ~100-byte literal payload on UDP/500 tagged as a
# PGPNet IPSec connection attempt - what looks like a whole IKE SA proposal matched byte for
# byte. Brittle (any transform change misses) and it identifies a client, not an attack.
#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"MISC IPSec PGPNet connection attempt"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00 50 01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01 51 80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01 51 80 00 00 00 10|"; classtype:protocol-command-decode; sid:1771; rev:3;)
file -> imap.rules

# IMAP overflow rules (removed; all were already disabled). Each matches a fixed fragment of
# x86 Linux shellcode from the bugtraq 130 / CVE-1999-0005 exploits (sid 293 carries no
# reference at all). Byte-exact shellcode signatures are defeated by any re-encoding, which
# is presumably why they go. sid 299's "reference:cve, CVE-1999-0005" also carries a stray
# space in the reference value.
#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|eb34 5e8d 1E89 5e0b 31d2 8956 07|";reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:296; rev:4;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|eb38 5e89f389d880460120804602|"; reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:298; rev:4;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|89d8 40cd 80e8 c8ff ffff|/";reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:295; rev:4;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT overflow"; flow:to_server,established; content:"|E8 C0FF FFFF|/bin/sh"; classtype:attempted-admin; sid:293; rev:4;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|eb58 5E31 db83 c308 83c3 0288 5e26|"; reference:bugtraq,130; reference:cve, CVE-1999-0005; classtype:attempted-admin; sid:299; rev:4;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|eb35 5E80 4601 3080 4602 3080 4603 30|";reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:297; rev:4;)

  [---] Disabled and modified: [---]

     file -> rpc.rules
     # sid 572 rev 4 -> 5: msg capitalisation only ("solaris" -> "Solaris"), and the rule is
     # disabled at the same time. Its exploit siblings (sids 570/571) are removed outright, so
     # after this update there is no active ttdbserv (0x000186F3) coverage unless re-enabled.
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC DOS ttdbserv solaris"; flow:to_server,established; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|";offset: 16; depth: 32; reference:bugtraq,122; reference:arachnids,241; reference:cve,CVE-1999-0003; classtype:attempted-dos; sid:572;  rev:4;)
     new: #alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC DOS ttdbserv Solaris"; flow:to_server,established; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|";offset: 16; depth: 32; reference:bugtraq,122; reference:arachnids,241; reference:cve,CVE-1999-0003; classtype:attempted-dos; sid:572;  rev:5;)

  [///]       Modified active:     [///]

     file -> web-misc.rules
     # sid 1238 rev 4 -> 5: msg changed from "sourcode" to "sourecode", still a misspelling of
     # "sourcecode" (sids 1236 and 1237 get the same edit). Detection is unchanged:
     # ".%256Asp" is the double-encoded 'j' of ".jsp".
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourcode view"; flow:to_server,established; uricontent:".%256Asp"; nocase; classtype:attempted-recon; sid:1238;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".%256Asp"; nocase; classtype:attempted-recon; sid:1238; rev:5;)
     # sid 1079 rev 7 -> 8: only the msg casing changes. Note content:"" in both versions - an
     # empty content match is meaningless, and the real rule most likely carries a PROPFIND
     # tag pattern that the mailing-list archive stripped as markup. Check the actual rules
     # file rather than copying this line.
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webdav propfind access"; content:""; nocase; flow:to_server,established; reference:bugtraq,1656; reference:cve,CVE-2000-0869; classtype:web-application-activity; sid:1079;  rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebDAV propfind access"; content:""; nocase; flow:to_server,established; reference:bugtraq,1656; reference:cve,CVE-2000-0869; classtype:web-application-activity; sid:1079; rev:8;)
# sid 1084 rev 6 -> 7: content -> uricontent for "servlet/......." (now matched on the
# normalized URI instead of the raw payload).
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Allaire JRUN DOS attempt"; flow:to_server,established; content:"servlet/......."; nocase; classtype:web-application-attack; sid:1084; reference:bugtraq,2337; rev:6;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Allaire JRUN DOS attempt"; flow:to_server,established; uricontent:"servlet/......."; nocase; classtype:web-application-attack; sid:1084; reference:bugtraq,2337; rev:7;)
# sid 1236 rev 4 -> 5: msg typo swap only ("sourcode" -> "sourecode"); ".js%2570" is the
# double-encoded 'p' of ".jsp".
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourcode view"; flow:to_server,established; uricontent:".js%2570"; nocase; classtype:attempted-recon; sid:1236; rev:4;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".js%2570"; nocase; classtype:attempted-recon; sid:1236; rev:5;)
# sid 1055 rev 5 -> 6: msg casing only; "%00.jsp" is the Tomcat null-byte case (bugtraq 2518).
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC tomcat directory traversal attempt"; flow:to_server,established; uricontent:"%00.jsp"; reference:bugtraq,2518; classtype:web-application-attack; sid:1055; rev:5;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat directory traversal attempt"; flow:to_server,established; uricontent:"%00.jsp"; reference:bugtraq,2518; classtype:web-application-attack; sid:1055; rev:6;)
# sid 1144 rev 4 -> 5: rawbytes added. The intent is clear - the HTTP preprocessor collapses
# "///" to "/" in the normalized URI, so "/cgi-bin///" can never match there - but rawbytes
# is documented as a modifier for content, not uricontent; whether it redirects a uricontent
# match to the raw buffer should be verified on the Snort version in use, or this rule stays
# dead. sid 1143 ("///cgi-bin") gets the same change.
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /cgi-bin/// access"; flow:to_server,established; uricontent:"/cgi-bin///"; nocase; classtype:attempted-recon; sid:1144; rev:4;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /cgi-bin/// access"; flow:to_server,established; uricontent:"/cgi-bin///"; nocase; rawbytes; classtype:attempted-recon; sid:1144; rev:5;)
# sid 1059 rev 5 -> 6: msg only ("xp_filelist attempt"). Still a raw-payload content match,
# so it fires on the string anywhere in the request, including POST bodies.
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC filelist attempt"; flow:to_server,established; content:"xp_filelist"; nocase; classtype:web-application-attack; sid:1059; rev:5;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_filelist attempt"; flow:to_server,established; content:"xp_filelist"; nocase; classtype:web-application-attack; sid:1059; rev:6;)
# sid 1160 rev 6 -> 8: content -> uricontent for "?wp-" (Netscape Enterprise ?wp- directory
# index, CVE-2000-0236). Two revisions consumed for one visible change.
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC netscape dir index wp"; flow:to_server,established; content: "?wp-"; nocase; reference:bugtraq,1063; reference:cve,CVE-2000-0236; reference:arachnids,270; classtype:attempted-recon; sid:1160; rev:6;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape dir index wp"; flow:to_server,established; uricontent: "?wp-"; nocase; reference:bugtraq,1063; reference:cve,CVE-2000-0236; reference:arachnids,270; classtype:attempted-recon; sid:1160; rev:8;)
# sid 1111 rev 4 -> 5: msg casing only (Tomcat /contextAdmin/contextAdmin.html).
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC tomcat server exploit access"; flow:to_server,established; uricontent:"/contextAdmin/contextAdmin.html"; nocase; classtype:attempted-recon; sid:1111; rev:4;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat server exploit access"; flow:to_server,established; uricontent:"/contextAdmin/contextAdmin.html"; nocase; classtype:attempted-recon; sid:1111; rev:5;)
# sid 1827 (old): Tomcat /servlet/org.apache. XSS (bugtraq 5193); the new: line follows.
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC tomcat servlet mapping cross site scripting attempt"; flow:established,to_server; uricontent:"/servlet/"; uricontent:"/org.apache."; reference:nessus,11041; reference:bugtraq,5193; classtype:web-application-attack; sid:1827; rev:3;)
# sid 1827 rev 3 -> 4: msg casing only (its old: line precedes this one).
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat servlet mapping cross site scripting attempt"; flow:established,to_server; uricontent:"/servlet/"; uricontent:"/org.apache."; reference:nessus,11041; reference:bugtraq,5193; classtype:web-application-attack; sid:1827; rev:4;)
# sid 1120 rev 4 -> 5: reference corrected, CVE-1999-0346 -> CVE-1999-0068 (bugtraq 713 kept).
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mylog.phtml access"; flow:to_server,established; uricontent:"/mylog.phtml"; nocase; reference:bugtraq,713; reference:cve,CVE-1999-0346; classtype:attempted-recon; sid:1120; rev:4;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mylog.phtml access"; flow:to_server,established; uricontent:"/mylog.phtml"; nocase; reference:bugtraq,713; reference:cve,CVE-1999-0068; classtype:attempted-recon; sid:1120; rev:5;)
# sid 1947 rev 1 -> 2: "/ab2/" moved to uricontent. The following content:"\;" distance:1 is
# now a raw-payload match anchored relative to a URI-buffer match; confirm on the running
# Snort version that the relative anchor still lands where intended.
old: alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC answerbook2 arbitrary command execution attempt"; flow:to_server,established; content:"/ab2/"; content:"\;"; distance:1; classtype:web-application-attack; sid:1947; rev:1;)
new: alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC answerbook2 arbitrary command execution attempt"; flow:to_server,established; uricontent:"/ab2/"; content:"\;"; distance:1; classtype:web-application-attack; sid:1947; rev:2;)
# sid 1258 (old): HP OpenView OpenView5.exe DOS (bugtraq 2845); the new: line follows.
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC HP Openview Manager DOS"; flow:to_server,established; uricontent:"/OvCgi/OpenView5.exe?Context=Snmp&Action=Snmp&Host=&Oid="; nocase; reference:bugtraq,2845; sid:1258; classtype:misc-activity; rev:6;)
# sid 1258 rev 6 -> 7: msg casing only ("OpenView"); its old: line precedes this one.
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC HP OpenView Manager DOS"; flow:to_server,established; uricontent:"/OvCgi/OpenView5.exe?Context=Snmp&Action=Snmp&Host=&Oid="; nocase; reference:bugtraq,2845; sid:1258; classtype:misc-activity; rev:7;)
# sid 1520 rev 4 -> 6: adds the mod_info documentation URL; /server-info is mod_info's handler.
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC server-info access"; flow:to_server,established; uricontent:"/server-info"; classtype:web-application-activity; sid:1520; rev:4;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC server-info access"; flow:to_server,established; uricontent:"/server-info"; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1520; rev:6;)
# sid 1159 rev 5 -> 6: content -> uricontent and a leading '/' added ("/webplus?script").
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webplus access"; content:"webplus?script"; nocase; flow:to_server,established; reference:cve,CVE-2000-1005; reference:bugtraq,1174; reference:bugtraq,1720; reference:bugtraq,1722; reference:bugtraq,1725; classtype:attempted-recon; sid:1159; rev:5;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webplus access"; uricontent:"/webplus?script"; nocase; flow:to_server,established; reference:cve,CVE-2000-1005; reference:bugtraq,1174; reference:bugtraq,1720; reference:bugtraq,1722; reference:bugtraq,1725; classtype:attempted-recon; sid:1159; rev:6;)
# sid 1142 rev 4 -> 5: "|2f2e2e2e2e|" rewritten as the equivalent ASCII "/...." and the msg
# gains " access"; the matched bytes are identical.
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /...."; flow:to_server,established; content:"|2f2e2e2e2e|"; classtype:attempted-recon; sid:1142; rev:4;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /.... access"; flow:to_server,established; content:"/...."; classtype:attempted-recon; sid:1142; rev:5;)
# sid 1829 rev 3 -> 4: msg casing only (Tomcat example TroubleShooter servlet, bugtraq 4575).
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC tomcat TroubleShooter servlet access"; flow:established,to_server; uricontent:"/examples/servlet/TroubleShooter"; reference:nessus,11046; reference:bugtraq,4575; classtype:web-application-activity; sid:1829; rev:3;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat TroubleShooter servlet access"; flow:established,to_server; uricontent:"/examples/servlet/TroubleShooter"; reference:nessus,11046; reference:bugtraq,4575; classtype:web-application-activity; sid:1829; rev:4;)
# sid 1180 rev 6 -> 8: references added (CAN-1999-0885, bugtraq 770) next to bugtraq 1485.
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC get32.exe access"; flow:to_server,established; uricontent:"/get32.exe"; nocase; reference:bugtraq,1485; reference:arachnids,258; classtype:attempted-recon; sid:1180; rev:6;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC get32.exe access"; flow:to_server,established; uricontent:"/get32.exe"; nocase; reference:cve,CAN-1999-0885; reference:bugtraq,770; reference:bugtraq,1485; reference:arachnids,258; classtype:attempted-recon; sid:1180; rev:8;)
# sid 1157 rev 4 -> 6: the trailing '?' is dropped from the uricontent, so it now fires on
# any PSCOErrPage.htm request; msg "Exploit" -> "access" and classtype downgraded from
# attempted-recon to web-application-activity to match the broader pattern.
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC netscape PublishingXpert 2 Exploit"; flow:to_server,established; uricontent:"/PSUser/PSCOErrPage.htm?"; nocase; reference:cve,CAN-2000-1196; classtype:attempted-recon; sid:1157; rev:4;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape PublishingXpert access"; flow:to_server,established; uricontent:"/PSUser/PSCOErrPage.htm"; nocase; reference:cve,CAN-2000-1196; classtype:web-application-activity; sid:1157; rev:6;)
# sid 1830 (old): Tomcat example SnoopServlet; the new: line follows.
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC tomcat SnoopServlet servlet access"; flow:established,to_server; uricontent:"/examples/servlet/SnoopServlet"; reference:nessus,11046; reference:bugtraq,4575; classtype:web-application-activity; sid:1830; rev:3;)
# sid 1830 rev 3 -> 4: msg casing only (its old: line precedes this one).
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat SnoopServlet servlet access"; flow:established,to_server; uricontent:"/examples/servlet/SnoopServlet"; reference:nessus,11046; reference:bugtraq,4575; classtype:web-application-activity; sid:1830; rev:4;)
# sid 1521 rev 5 -> 6: adds a reference URL, but it points at mod_info.html while
# /server-status is served by mod_status - it looks copied from sid 1520; verify and point
# it at the mod_status documentation instead.
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC server-status access"; flow:to_server,established; uricontent:"/server-status"; classtype:web-application-activity; sid:1521; rev:5;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC server-status access"; flow:to_server,established; uricontent:"/server-status"; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1521; rev:6;)
# sid 1164 rev 4 -> 5: references added (bugtraq 2049/1983, CAN-1999-0607, CAN-2000-1188)
# for the quikstore.cfg exposure; the duplicated "access access" in the msg is not fixed.
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC shopping cart access access"; uricontent:"/quikstore.cfg"; nocase; flow:to_server,established; classtype:attempted-recon; sid:1164; rev:4;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC shopping cart access access"; uricontent:"/quikstore.cfg"; nocase; flow:to_server,established; classtype:attempted-recon; reference:bugtraq,2049; reference:bugtraq,1983; reference:cve,CAN-1999-0607; reference:cve,CAN-2000-1188; sid:1164; rev:5;)
# sid 1058 rev 5 -> 6: msg only ("xp_enumdsn attempt"); raw-payload match as for sid 1059.
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn"; nocase; classtype:web-application-attack; sid:1058; rev:5;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn"; nocase; classtype:web-application-attack; sid:1058; rev:6;)
# sid 1060 rev 5 -> 6: msg only ("xp_availablemedia attempt").
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia"; nocase; classtype:web-application-attack; sid:1060; rev:5;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia"; nocase; classtype:web-application-attack; sid:1060; rev:6;)
# sid 1070 rev 5 -> 6: msg casing only; matches the WebDAV SEARCH method in the first 8 bytes.
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webdav search access"; flow:to_server,established; content: "SEARCH "; depth: 8; nocase;reference:arachnids,474; classtype:web-application-activity; sid:1070; rev:5;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebDAV search access"; flow:to_server,established; content: "SEARCH "; depth: 8; nocase;reference:arachnids,474; classtype:web-application-activity; sid:1070; rev:6;)
# sid 1861 rev 3 -> 4: promoted out of EXPERIMENTAL. "YWRtaW46YWRtaW4" is base64("admin:admin")
# minus its '=' padding, so it prefix-matches the full credential, and it is correctly left
# case-sensitive (no nocase) because base64 is. Scope is narrow: TCP/8080 only, and only
# this one credential pair.
old: alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXPERIMENTAL WEB-MISC Linksys router default password login attempt \(admin\:admin\)"; flow:to_server,established; content:"Authorization\: "; nocase; content:" Basic "; nocase; content:"YWRtaW46YWRtaW4"; reference:nessus,10999; classtype:default-login-attempt; sid:1861; rev:3;)
new: alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-MISC Linksys router default password login attempt \(admin\:admin\)"; flow:to_server,established; content:"Authorization\: "; nocase; content:" Basic "; nocase; content:"YWRtaW46YWRtaW4"; reference:nessus,10999; classtype:default-login-attempt; sid:1861; rev:4;)
# sid 1081 rev 6 -> 7: msg casing only (/dsgw/bin/search?context= DOS, bugtraq 1868).
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC netscape servers suite DOS"; flow:to_server,established; uricontent:"/dsgw/bin/search?context="; nocase; classtype:web-application-attack; sid:1081; reference:bugtraq,1868; rev:6;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Servers suite DOS"; flow:to_server,established; uricontent:"/dsgw/bin/search?context="; nocase; classtype:web-application-attack; sid:1081; reference:bugtraq,1868; rev:7;)
# sid 1056 rev 5 -> 6: msg casing only ("%252ejsp", double-encoded '.', bugtraq 2527).
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC tomcat view source attempt"; flow:to_server,established; uricontent:"%252ejsp"; reference:bugtraq,2527; classtype:web-application-attack; sid:1056; rev:5;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat view source attempt"; flow:to_server,established; uricontent:"%252ejsp"; reference:bugtraq,2527; classtype:web-application-attack; sid:1056; rev:6;)
# sid 1237 rev 4 -> 5: msg typo swap only ("sourcode" -> "sourecode"); ".j%2573p" is the
# double-encoded 's' of ".jsp".
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourcode view"; flow:to_server,established; uricontent:".j%2573p"; nocase; classtype:attempted-recon; sid:1237; rev:4;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".j%2573p"; nocase; classtype:attempted-recon; sid:1237; rev:5;)
# sid 1132 rev 3 -> 4: msg casing only; a 16-byte fixed shellcode match on TCP/457, with the
# same evasion caveat as the other byte-exact overflow signatures.
old: alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"WEB-MISC netscape unixware overflow"; content: "|eb 5f 9a ff ff ff ff 07 ff c3 5e 31 c0 89 46 9d|"; flow:to_server,established; reference:arachnids,180; classtype:attempted-recon; sid:1132; rev:3;)
new: alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"WEB-MISC Netscape Unixware overflow"; content: "|eb 5f 9a ff ff ff ff 07 ff c3 5e 31 c0 89 46 9d|"; flow:to_server,established; reference:arachnids,180; classtype:attempted-recon; sid:1132; rev:4;)
# sid 1614 rev 3 -> 5: content -> uricontent for "/GWWEB.EXE?HELP=" (CAN-1999-1006).
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC novell groupwise gwweb.exe attempt"; flow:to_server,established; content:"/GWWEB.EXE?HELP="; nocase; reference:bugtraq,879; reference:cve,CAN-1999-1006; classtype:attempted-recon; sid:1614; rev:3;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Novell Groupwise gwweb.exe attempt"; flow:to_server,established; uricontent:"/GWWEB.EXE?HELP="; nocase; reference:bugtraq,879; reference:cve,CAN-1999-1006; classtype:attempted-recon; sid:1614; rev:5;)
# sid 1102 rev 5 -> 6: classtype raised from web-application-activity to web-application-attack
# for the Nessus 404 probe string. A scanner fingerprint is recon rather than an attack, so
# expect this to inflate attack-class counts anywhere Nessus scans are routine.
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Nessus 404 probe"; flow:to_server,established; uricontent: "/nessus_is_probing_you_"; depth: 32;reference:arachnids,301; classtype:web-application-activity; sid:1102; rev:5;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Nessus 404 probe"; flow:to_server,established; uricontent: "/nessus_is_probing_you_"; depth: 32;reference:arachnids,301; classtype:web-application-attack; sid:1102; rev:6;)
# sid 1165 rev 5 -> 6: msg casing only. Unlike its sibling sid 1614 it keeps content: rather
# than uricontent:, so it is inconsistent and will also match "/GWWEB.EXE" in headers or
# bodies rather than only the request URI.
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC novell groupwise gwweb.exe access"; flow:to_server,established; content:"/GWWEB.EXE"; nocase; reference:bugtraq,879; reference:cve,CAN-1999-1006; classtype:attempted-recon; sid:1165; rev:5;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Novell Groupwise gwweb.exe access"; flow:to_server,established; content:"/GWWEB.EXE"; nocase; reference:bugtraq,879; reference:cve,CAN-1999-1006; classtype:attempted-recon; sid:1165; rev:6;)
# sid 1103 rev 6 -> 7: msg casing only (/admin-serv/config/admpw exposure, bugtraq 1579).
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC netscape admin passwd"; flow:to_server,established; uricontent:"/admin-serv/config/admpw"; nocase;reference:bugtraq,1579; classtype:web-application-attack; sid:1103; rev:6;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape admin passwd"; flow:to_server,established; uricontent:"/admin-serv/config/admpw"; nocase;reference:bugtraq,1579; classtype:web-application-attack; sid:1103; rev:7;)
# sid 1217 rev 4 -> 5: references added (CAN-2000-0074, bugtraq 2653) for /plusmail access.
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC plusmail access"; flow:to_server,established; uricontent:"/plusmail"; nocase; classtype:attempted-recon; sid:1217; rev:4;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC plusmail access"; flow:to_server,established; uricontent:"/plusmail"; nocase; reference:cve,CAN-2000-0074; reference:bugtraq,2653; classtype:attempted-recon; sid:1217; rev:5;)
# sid 1946 rev 1 -> 2: "/cgi-bin/admin/admin" moved from content to uricontent (TCP/8888).
old: alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC answerbook2 admin attempt"; flow:to_server,established; content:"/cgi-bin/admin/admin"; classtype:web-application-activity; sid:1946; rev:1;)
new: alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC answerbook2 admin attempt"; flow:to_server,established; uricontent:"/cgi-bin/admin/admin"; classtype:web-application-activity; sid:1946; rev:2;)
# sid 1546 rev 4 -> 6: references added (CVE-2000-0380, bugtraq 1154) for the Cisco /%% DOS.
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cisco /%% DOS attempt"; flow:to_server,established; uricontent:"/%%"; classtype:web-application-attack; sid:1546; rev:4;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco /%% DOS attempt"; flow:to_server,established; uricontent:"/%%"; classtype:web-application-attack; reference:cve,CVE-2000-0380; reference:bugtraq,1154; sid:1546; rev:6;)
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell"; nocase; classtype:web-application-attack; sid:1061; rev:5;) new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell"; nocase; classtype:web-application-attack; sid:1061; rev:6;) old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ///cgi-bin"; flow:to_server,established; uricontent:"///cgi-bin"; nocase; classtype:attempted-recon; sid:1143; rev:4;) new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ///cgi-bin access"; flow:to_server,established; uricontent:"///cgi-bin"; nocase; rawbytes; classtype:attempted-recon; sid:1143; rev:5;) file -> info.rules old: alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET Bad Login"; content: "Login failed"; nocase; flow:from_server,established; classtype:bad-unknown; sid:492; rev:5;) new: alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"INFO TELNET Bad Login"; content: "Login failed"; nocase; flow:from_server,established; classtype:bad-unknown; sid:492; rev:6;) old: alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET Bad Login"; content: "Login incorrect"; nocase; flow:from_server,established; classtype:bad-unknown; sid:1251; rev:4;) new: alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"INFO TELNET Bad Login"; content: "Login incorrect"; nocase; flow:from_server,established; classtyp