
  1. #rulegroup Sunbelt
# Sunbelt-authored rules. SBRuleId / SBRiskLevel / SBCategory are engine-specific
# additions to Snort rule syntax, and the sids here (1999967-1999999) are a private
# range separate from the upstream Snort VRT sids used by the later groups.
# NOTE(review): plain '#' lines are assumed to be ignored by the loader, as in Snort;
# the only '#' usage visible in this file is the '#rulegroup' marker, so confirm
# that before relying on comments in this file.
# SBRuleId 1: outbound HTTP from $HOME_NET with "GET /" at offset 0, both "?abc="
# and "?def=" query fragments, " HTTP/1." and NO "\nAccept: " header (negated content).
  2. alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (SBRuleId:1; msg:"Win32.Gimmiv trojan activity"; flags:A+; content:"GET|20 2F|"; offset:0; depth:5; content:"|3F|abc|3D|"; content:"|3F|def|3D|"; content:"|20|HTTP|2F|1|2E|"; content:!"|0A|Accept|3A 20|"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?name=TrojanSpy%3aWin32%2fGimmiv.A; sid:1999967; rev:2; SBRiskLevel:2; SBCategory:"trojan-activity";)
# MS08-067 coverage (SBRuleId 2-33). Every rule anchors on the 16-byte sequence
# |C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88| (presumably the SRVSVC interface
# UUID in DCERPC wire order -- confirm) combined with either a |0B| at offset 2
# (presumably the DCERPC bind PDU type -- confirm) or a path-traversal fragment in
# ASCII ("..\\..\\", "../../", "\\..\\", "/../") or UTF-16LE (|00 2E 00 2E 00 2F ...|).
# Coverage is split across udp/139, tcp/139 and tcp/445; NetBIOS session service is
# normally TCP, so the udp/139 variants are presumably deliberate -- confirm.
# Exact duplicates that differ only in SBRuleId/sid and will alert twice on the same
# packet: SBRuleId 2 and 7 (udp/139 |0B|), 13 and 23 (tcp/445 |0B|), 18 and 28
# (tcp/139 |0B|).
# "Known Exploit Instance" rules (SBRuleId 12, 33) match one fixed payload fragment
# (UTF-16 "../../" followed by a run of 0x30 and 0x87); they are sample-specific and
# do not generalize beyond that payload.
  3. alert udp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:2; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999968; SBRiskLevel:2; SBCategory:"attempted-admin";)
  4. alert udp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:3; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..\\..\\"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999969; SBRiskLevel:2; SBCategory:"attempted-admin";)
  5. alert udp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:4; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999970; SBRiskLevel:2; SBCategory:"attempted-admin";)
  6. alert udp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:5; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999971; SBRiskLevel:2; SBCategory:"attempted-admin";)
  7. alert udp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:6; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999972; SBRiskLevel:2; SBCategory:"attempted-admin";)
  8. alert udp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:7; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999973; SBRiskLevel:2; SBCategory:"attempted-admin";)
  9. alert udp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:8; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..\\..\\"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999974; SBRiskLevel:2; SBCategory:"attempted-admin";)
  10. alert udp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:9; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999975; SBRiskLevel:2; SBCategory:"attempted-admin";)
  11. alert udp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:10; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999976; SBRiskLevel:2; SBCategory:"attempted-admin";)
  12. alert udp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:11; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999977; SBRiskLevel:2; SBCategory:"attempted-admin";)
  13. alert udp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:12; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance"; content:"|00 2e 00 2e 00 2f 00 2e 00 2e 00 2f 00 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 87|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999978; SBRiskLevel:2; SBCategory:"attempted-admin";)
  14. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (SBRuleId:13; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; flags:A+; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999979; SBRiskLevel:2; SBCategory:"attempted-admin";)
  15. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (SBRuleId:14; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; flags:A+; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"\\..\\"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999980; SBRiskLevel:2; SBCategory:"attempted-admin";)
  16. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (SBRuleId:15; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; flags:A+; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"/../"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999981; SBRiskLevel:2; SBCategory:"attempted-admin";)
  17. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (SBRuleId:16; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; flags:A+; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999982; SBRiskLevel:2; SBCategory:"attempted-admin";)
  18. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (SBRuleId:17; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; flags:A+; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999983; SBRiskLevel:2; SBCategory:"attempted-admin";)
  19. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:18; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; flags:A+; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999984; SBRiskLevel:2; SBCategory:"attempted-admin";)
  20. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:19; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; flags:A+; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..\\..\\"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999985; SBRiskLevel:2; SBCategory:"attempted-admin";)
  21. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:20; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; flags:A+; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999986; SBRiskLevel:2; SBCategory:"attempted-admin";)
  22. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:21; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; flags:A+; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999987; SBRiskLevel:2; SBCategory:"attempted-admin";)
  23. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:22; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; flags:A+; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999988; SBRiskLevel:2; SBCategory:"attempted-admin";)
  24. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (SBRuleId:23; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; flags:A+; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999989; SBRiskLevel:2; SBCategory:"attempted-admin";)
  25. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (SBRuleId:24; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; flags:A+; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"\\..\\"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999990; SBRiskLevel:2; SBCategory:"attempted-admin";)
  26. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (SBRuleId:25; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; flags:A+; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"/../"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999991; SBRiskLevel:2; SBCategory:"attempted-admin";)
  27. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (SBRuleId:26; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; flags:A+; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999992; SBRiskLevel:2; SBCategory:"attempted-admin";)
  28. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (SBRuleId:27; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; flags:A+; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999993; SBRiskLevel:2; SBCategory:"attempted-admin";)
  29. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:28; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; flags:A+; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999994; SBRiskLevel:2; SBCategory:"attempted-admin";)
  30. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:29; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; flags:A+; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..\\..\\"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999995; SBRiskLevel:2; SBCategory:"attempted-admin";)
  31. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:30; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; flags:A+; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999996; SBRiskLevel:2; SBCategory:"attempted-admin";)
  32. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:31; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; flags:A+; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999997; SBRiskLevel:2; SBCategory:"attempted-admin";)
  33. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:32; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067"; flags:A+; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999998; SBRiskLevel:2; SBCategory:"attempted-admin";)
  34. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (SBRuleId:33; msg:"Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance"; flags:A+; content:"|00 2e 00 2e 00 2f 00 2e 00 2e 00 2f 00 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 87|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; rev:1; sid:1999999; SBRiskLevel:2; SBCategory:"attempted-admin";)
  35.  
  36. #rulegroup Attack responses
# Post-compromise indicators: strings a successful exploit or command shell would
# send back, mostly matched in server->client traffic (flow:from_server or a
# $HOME_NET / $HTTP_SERVERS source). The sids are the upstream Snort VRT ones
# (494, 495, 497, 498, 1200, ...) with the SB* options appended.
# SBRuleId 34 (directory listing) and 49 (cmd.exe banner) match outbound output of
# a Windows shell; 49 excludes source ports 21-23 (!21:23) so normal FTP/telnet
# banners do not trip it.
  37. alert tcp $HOME_NET any -> $EXTERNAL_NET any (SBRuleId:34; msg:"ATTACK-RESPONSES directory listing"; flow:established; content:"Volume Serial Number"; classtype:bad-unknown; sid:1292; rev:9; SBRiskLevel:1; SBCategory:"bad-unknown";)
  38. alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (SBRuleId:35; msg:"ATTACK-RESPONSES command completed"; flow:established; content:"Command completed"; nocase; reference:bugtraq,1806; classtype:bad-unknown; sid:494; rev:10; SBRiskLevel:1; SBCategory:"bad-unknown";)
  39. alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (SBRuleId:36; msg:"ATTACK-RESPONSES command error"; flow:established; content:"Bad command or filename"; nocase; classtype:bad-unknown; sid:495; rev:8; SBRiskLevel:1; SBCategory:"bad-unknown";)
  40. alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (SBRuleId:37; msg:"ATTACK-RESPONSES file copied ok"; flow:established; content:"1 file|28|s|29| copied"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:bad-unknown; sid:497; rev:12; SBRiskLevel:1; SBCategory:"bad-unknown";)
  41. alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (SBRuleId:38; msg:"ATTACK-RESPONSES Invalid URL"; flow:from_server,established; content:"Invalid URL"; nocase; reference:url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx; classtype:attempted-recon; sid:1200; rev:10; SBRiskLevel:1; SBCategory:"attempted-recon";)
  42. alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (SBRuleId:39; msg:"ATTACK-RESPONSES index of /cgi-bin/ response"; flow:from_server,established; content:"Index of /cgi-bin/"; nocase; reference:nessus,10039; classtype:bad-unknown; sid:1666; rev:5; SBRiskLevel:1; SBCategory:"bad-unknown";)
  43. alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (SBRuleId:40; msg:"ATTACK-RESPONSES 403 Forbidden"; flow:from_server,established; content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:7; SBRiskLevel:1; SBCategory:"attempted-recon";)
# SBRuleId 41 is 'alert ip any any -> any any' with no flow option: it inspects every
# IP packet in both directions, including host-to-host traffic inside $HOME_NET, so
# any plaintext carrying "uid=0(root)" (shell sessions, log shipping) will match.
  44. alert ip any any -> any any (SBRuleId:41; msg:"ATTACK-RESPONSES id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:498; rev:6; SBRiskLevel:1; SBCategory:"bad-unknown";)
# SBRuleId 42: after "uid=" and " gid=", byte_test reads up to 5 ASCII digits
# (string) and requires the value to be below 65537; " gid=" must appear within 15
# bytes of the uid match.
  45. alert ip $HOME_NET any -> $EXTERNAL_NET any (SBRuleId:42; msg:"ATTACK-RESPONSES id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; content:" gid="; within:15; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882; rev:10; SBRiskLevel:1; SBCategory:"bad-unknown";)
  46. alert tcp $HOME_NET 8002 -> $EXTERNAL_NET any (SBRuleId:43; msg:"ATTACK-RESPONSES oracle one hour install"; flow:from_server,established; content:"Oracle Applications One-Hour Install"; reference:nessus,10737; classtype:bad-unknown; sid:1464; rev:5; SBRiskLevel:1; SBCategory:"bad-unknown";)
# SBRuleId 44-46 share the "*GOBBLE*" marker: seen from kadmind (749/751) and sshd
# (22) it indicates the exploit's shell has come up, hence successful-admin.
  47. alert tcp $HOME_NET 749 -> $EXTERNAL_NET any (SBRuleId:44; msg:"ATTACK-RESPONSES successful kadmind buffer overflow attempt port 749"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1900; rev:10; SBRiskLevel:2; SBCategory:"successful-admin";)
  48. alert tcp $HOME_NET 751 -> $EXTERNAL_NET any (SBRuleId:45; msg:"ATTACK-RESPONSES successful kadmind buffer overflow attempt port 751"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1901; rev:10; SBRiskLevel:2; SBCategory:"successful-admin";)
  49. alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (SBRuleId:46; msg:"ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE"; flow:from_server,established; content:"*GOBBLE*"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:successful-admin; sid:1810; rev:12; SBRiskLevel:2; SBCategory:"successful-admin";)
# SBRuleId 47 matches the bare string "uname" anywhere in server->client data on
# port 22; once the session is encrypted this is effectively a random 5-byte match,
# which is presumably why it is classed misc-attack at SBRiskLevel:1.
  50. alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (SBRuleId:47; msg:"ATTACK-RESPONSES successful gobbles ssh exploit uname"; flow:from_server,established; content:"uname"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:misc-attack; sid:1811; rev:8; SBRiskLevel:1; SBCategory:"misc-attack";)
  51. alert tcp $HOME_NET 512 -> $EXTERNAL_NET any (SBRuleId:48; msg:"ATTACK-RESPONSES rexec username too long response"; flow:from_server,established; content:"username too long"; depth:17; reference:bugtraq,7459; classtype:unsuccessful-user; sid:2104; rev:5; SBRiskLevel:2; SBCategory:"unsuccessful-user";)
  52. alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (SBRuleId:49; msg:"ATTACK-RESPONSES Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows"; content:"|28|C|29| Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; reference:nessus,11633; classtype:successful-admin; sid:2123; rev:3; SBRiskLevel:2; SBCategory:"successful-admin";)
# SBRuleId 50 is the one client->server rule in this group (flow:to_server): a
# Referer header starting with "res:/C:" indicates a local-resource URL was loaded.
  53. alert tcp $HOME_NET any -> $EXTERNAL_NET any (SBRuleId:50; msg:"ATTACK-RESPONSES successful cross site scripting forced download attempt"; flow:to_server,established; content:"|0A|Referer|3A| res|3A|/C|3A|"; classtype:successful-user; sid:2412; rev:3; SBRiskLevel:2; SBCategory:"successful-user";)
  54.  
  55. #rulegroup Backdoor
# Backdoor / remote-access-trojan traffic, keyed on the trojan's fixed listening
# port plus a protocol marker string.
# SBRuleId 53-59 use $EXTERNAL / $INTERNAL rather than the $EXTERNAL_NET / $HOME_NET
# variables every other rule in this file uses, and carry 'msg: "' / 'flags: A+'
# spacing, packed lowercase hex (|0d0a5b...|) and 6000xxx sids -- presumably imports
# from an arachNIDS-style rule set. If $EXTERNAL / $INTERNAL are not defined in the
# engine's variable set these rules either fail to load or never match -- confirm
# against the engine configuration; replacing them with $EXTERNAL_NET / $HOME_NET
# would make the group consistent.
# Five of them also duplicate a VRT rule later in this group on the same port and
# content: Infector "FC " (sid 6000100 vs 121), Dagger (6000095 vs 104), subseven22
# (6000097 vs 103), netbus GetInfo (6000089 vs 110), FTPON (6000104 vs 157). The
# copies here are SBRiskLevel:2 while the VRT versions are SBRiskLevel:0, so one
# packet raises two alerts with different risk levels.
  56. alert icmp 255.255.255.0/24 any -> $HOME_NET any (SBRuleId:51; msg:"BACKDOOR SIGNATURE - Q ICMP"; dsize:>1; itype:0; reference:arachnids,202; classtype:misc-activity; sid:183; rev:4; SBRiskLevel:0; SBCategory:"misc-activity";)
# SBRuleId 52 has no content match at all: any IP packet to 216.80.99.202 alerts.
  57. alert ip any any -> 216.80.99.202 any (SBRuleId:52; msg:"BACKDOOR fragroute trojan connection attempt"; reference:bugtraq,4898; classtype:trojan-activity; sid:1791; rev:2; SBRiskLevel:2; SBCategory:"trojan-activity";)
  58. alert tcp $EXTERNAL 1000:1300 -> $INTERNAL 146 (SBRuleId:53; msg: "BACKDOOR trojan active Infector 1.6 client to server"; flags: A+; content: "FC "; classtype: attempted-admin; reference: arachnids,503;sid:6000100;rev:1; SBRiskLevel:2; SBCategory:"attempted-admin";)
  59. alert tcp $EXTERNAL 1024: -> $INTERNAL 2589 (SBRuleId:54; msg: "BACKDOOR trojan dagger 1.4.0 client connect"; flags: A+; content: "|0b 00 00 00 07 00 00 00|Connect"; depth: 16; classtype: attempted-admin; reference: arachnids,483;sid:6000095;rev:1; SBRiskLevel:2; SBCategory:"attempted-admin";)
  60. alert tcp $EXTERNAL 16959 -> $INTERNAL any (SBRuleId:55; msg: "BACKDOOR trojan subseven defcon8 2.1 access"; flags: A+; content: "PWD"; content: "acidphreak"; nocase; classtype: successful-user; reference: arachnids,500;sid:6000098;rev:1; SBRiskLevel:2; SBCategory:"successful-user";)
# SBRuleId 56: |0d0a5b52504c5d3030320d0a| is "\r\n[RPL]002\r\n", the same bytes the
# VRT copy (sid 103) writes as "|0D 0A|[RPL]002|0D 0A|".
  61. alert tcp $EXTERNAL 27374 -> $INTERNAL any (SBRuleId:56; msg: "BACKDOOR trojan active subseven22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; classtype: successful-user; reference: arachnids,485;sid:6000097;rev:1; SBRiskLevel:2; SBCategory:"successful-user";)
  62. alert tcp $EXTERNAL 555 -> $INTERNAL any (SBRuleId:57; msg: "BACKDOOR trojan active PhaseZero server"; flags: A+; content: "phAse"; classtype: successful-user; reference: arachnids,509;sid:6000106;rev:1; SBRiskLevel:2; SBCategory:"successful-user";)
  63. alert tcp $EXTERNAL any -> $INTERNAL 12346 (SBRuleId:58; msg: "BACKDOOR trojan netbus getinfo 12346"; flags: A+; content: "GetInfo|0d|"; classtype: successful-user; reference: arachnids,404;sid:6000089;rev:1; SBRiskLevel:2; SBCategory:"successful-user";)
  64. alert tcp $EXTERNAL any -> $INTERNAL 666 (SBRuleId:59; msg: "BACKDOOR trojan active BackConstruction 2.1 ftp open request"; flags: A+; content: "FTPON"; classtype: attempted-admin; reference: arachnids,507;sid:6000104;rev:1; SBRiskLevel:2; SBCategory:"attempted-admin";)
  65. alert tcp $EXTERNAL_NET !80 -> $HOME_NET 21554 (SBRuleId:60; msg:"BACKDOOR GirlFriendaccess"; flow:to_server,established; content:"Girl"; reference:arachnids,98; classtype:misc-activity; sid:145; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  66. alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 (SBRuleId:61; msg:"BACKDOOR Infector 1.6 Client to Server Connection Request"; flow:to_server,established; content:"FC "; reference:cve,1999-0660; reference:nessus,11157; classtype:misc-activity; sid:121; rev:8; SBRiskLevel:0; SBCategory:"misc-activity";)
  67. alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 2589 (SBRuleId:62; msg:"BACKDOOR - Dagger_1.4.0_client_connect"; flow:to_server,established; content:"|0B 00 00 00 07 00 00 00|Connect"; depth:16; reference:arachnids,483; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; classtype:misc-activity; sid:104; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  68. alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (SBRuleId:63; msg:"BACKDOOR subseven 22"; flow:to_server,established; content:"|0D 0A|[RPL]002|0D 0A|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; classtype:misc-activity; sid:103; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  69. alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (SBRuleId:64; msg:"BACKDOOR hack-a-tack attempt"; flow:stateless; flags:A+; content:"A"; depth:1; reference:arachnids,314; classtype:attempted-recon; sid:614; rev:8; SBRiskLevel:1; SBCategory:"attempted-recon";)
  70. alert tcp $EXTERNAL_NET 80 -> $HOME_NET 1054 (SBRuleId:65; msg:"BACKDOOR ACKcmdC trojan scan"; flow:stateless; ack:101058054; flags:A,12; seq:101058054; reference:arachnids,445; classtype:misc-activity; sid:106; rev:9; SBRiskLevel:0; SBCategory:"misc-activity";)
  71. alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (SBRuleId:66; msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:110; rev:4; SBRiskLevel:0; SBCategory:"misc-activity";)
  72. alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (SBRuleId:67; msg:"BACKDOOR RUX the Tick get system directory attempt"; flow:to_server,established; content:"SYSDIR"; depth:6; classtype:misc-activity; sid:3011; rev:1; SBRiskLevel:0; SBCategory:"misc-activity";)
  73. alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (SBRuleId:68; msg:"BACKDOOR RUX the Tick get windows directory attempt"; flow:to_server,established; content:"WINDIR"; depth:6; classtype:misc-activity; sid:3010; rev:1; SBRiskLevel:0; SBCategory:"misc-activity";)
  74. alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (SBRuleId:69; msg:"BACKDOOR RUX the Tick upload/execute arbitrary file attempt"; flow:to_server,established; content:"ABCJZDATEIV"; depth:11; classtype:misc-activity; sid:3012; rev:1; SBRiskLevel:0; SBCategory:"misc-activity";)
  75. alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3198 (SBRuleId:70; msg:"BACKDOOR mydoom.a backdoor upload/execute attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; classtype:trojan-activity; sid:3272; rev:2; SBRiskLevel:2; SBCategory:"trojan-activity";)
  76. alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3199 (SBRuleId:71; msg:"BACKDOOR DoomJuice file upload attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html; classtype:trojan-activity; sid:2375; rev:3; SBRiskLevel:2; SBCategory:"trojan-activity";)
  77. alert tcp $EXTERNAL_NET any -> $HOME_NET 31337 (SBRuleId:72; msg:"BACKDOOR BackOrifice 2000 Inbound Traffic"; flow:to_server,established; content:"1j|D0 D9|"; classtype:trojan-activity; sid:3155; rev:2; SBRiskLevel:2; SBCategory:"trojan-activity";)
  78. alert tcp $EXTERNAL_NET any -> $HOME_NET 33270 (SBRuleId:73; msg:"BACKDOOR trinity connection attempt"; flow:to_server,established; content:"!@|23|"; depth:3; reference:cve,2000-0138; reference:nessus,10501; classtype:attempted-admin; sid:1843; rev:6; SBRiskLevel:2; SBCategory:"attempted-admin";)
  79. alert tcp $EXTERNAL_NET any -> $HOME_NET 34012 (SBRuleId:74; msg:"BACKDOOR Remote PC Access connection attempt"; flow:to_server,established; content:"|28 00 01 00 04 00 00 00 00 00 00 00|"; depth:12; reference:nessus,11673; classtype:trojan-activity; sid:2124; rev:3; SBRiskLevel:2; SBCategory:"trojan-activity";)
  80. alert tcp $EXTERNAL_NET any -> $HOME_NET 5032 (SBRuleId:75; msg:"BACKDOOR NetMetro File List"; flow:to_server,established; content:"--"; reference:arachnids,79; classtype:misc-activity; sid:159; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  81. alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (SBRuleId:76; msg:"BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flow:to_server,established; content:"FTPON"; classtype:misc-activity; sid:157; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  82. alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (SBRuleId:77; msg:"BACKDOOR QAZ Worm Client Login access"; flow:to_server,established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:108; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  83. alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (SBRuleId:78; msg:"BACKDOOR CDK"; flow:to_server,established; content:"ypi0ca"; depth:15; nocase; reference:arachnids,263; classtype:misc-activity; sid:185; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  84. alert tcp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:79; msg:"BACKDOOR typot trojan traffic"; flow:stateless; flags:S,12; window:55808; reference:MCAFEE,100406; classtype:trojan-activity; sid:2182; rev:8; SBRiskLevel:2; SBCategory:"trojan-activity";)
  85. alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (SBRuleId:80; msg:"BACKDOOR sensepost.exe command shell attempt"; flow:to_server,established; uricontent:"/sensepost.exe"; nocase; reference:nessus,11003; classtype:web-application-activity; sid:989; rev:11; SBRiskLevel:1; SBCategory:"web-application-activity";)
  86. alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (SBRuleId:81; msg:"BACKDOOR HidePak backdoor attempt"; flow:to_server,established; content:"StoogR"; classtype:misc-activity; sid:219; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  87. alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (SBRuleId:82; msg:"BACKDOOR HideSource backdoor attempt"; flow:to_server,established; content:"wank"; classtype:misc-activity; sid:220; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  88. alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (SBRuleId:83; msg:"BACKDOOR MISC Linux rootkit attempt lrkr0x"; flow:to_server,established; content:"lrkr0x"; classtype:attempted-admin; sid:214; rev:4; SBRiskLevel:2; SBCategory:"attempted-admin";)
  89. alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (SBRuleId:84; msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"d13hh["; nocase; classtype:attempted-admin; sid:215; rev:4; SBRiskLevel:2; SBCategory:"attempted-admin";)
  90. alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (SBRuleId:85; msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"wh00t!"; classtype:attempted-admin; sid:213; rev:4; SBRiskLevel:2; SBCategory:"attempted-admin";)
  91. alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (SBRuleId:86; msg:"BACKDOOR MISC Linux rootkit satori attempt"; flow:to_server,established; content:"satori"; reference:arachnids,516; classtype:attempted-admin; sid:216; rev:6; SBRiskLevel:2; SBCategory:"attempted-admin";)
  92. alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (SBRuleId:87; msg:"BACKDOOR MISC Solaris 2.5 attempt"; flow:to_server,established; content:"friday"; classtype:attempted-user; sid:218; rev:4; SBRiskLevel:2; SBCategory:"attempted-user";)
  93. alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (SBRuleId:88; msg:"BACKDOOR MISC r00t attempt"; flow:to_server,established; content:"r00t"; classtype:attempted-admin; sid:211; rev:3; SBRiskLevel:2; SBCategory:"attempted-admin";)
  94. alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (SBRuleId:89; msg:"BACKDOOR MISC rewt attempt"; flow:to_server,established; content:"rewt"; classtype:attempted-admin; sid:212; rev:3; SBRiskLevel:2; SBCategory:"attempted-admin";)
  95. alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (SBRuleId:90; msg:"BACKDOOR MISC sm4ck attempt"; flow:to_server,established; content:"hax0r"; classtype:attempted-admin; sid:217; rev:3; SBRiskLevel:2; SBCategory:"attempted-admin";)
  96. alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (SBRuleId:91; msg:"BACKDOOR attempt"; flow:to_server,established; content:"backdoor"; nocase; classtype:attempted-admin; sid:210; rev:3; SBRiskLevel:2; SBCategory:"attempted-admin";)
  97. alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (SBRuleId:92; msg:"BACKDOOR w00w00 attempt"; flow:to_server,established; content:"w00w00"; reference:arachnids,510; classtype:attempted-admin; sid:209; rev:4; SBRiskLevel:2; SBCategory:"attempted-admin";)
  98. alert tcp $HOME_NET 1015 -> $EXTERNAL_NET any (SBRuleId:93; msg:"BACKDOOR Doly 1.5 server response"; flow:from_server,established; content:"Connected."; classtype:trojan-activity; sid:1985; rev:2; SBRiskLevel:2; SBCategory:"trojan-activity";)
  99. alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (SBRuleId:94; msg:"BACKDOOR netbus active"; flow:from_server,established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:109; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  100. alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1000:1300 (SBRuleId:95; msg:"BACKDOOR Infector 1.6 Server to Client"; flow:established,from_server; content:"WHATISIT"; reference:cve,1999-0660; reference:nessus,11157; classtype:misc-activity; sid:120; rev:8; SBRiskLevel:0; SBCategory:"misc-activity";)
  101. alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1024: (SBRuleId:96; msg:"BACKDOOR Infector.1.x"; flow:established,from_server; content:"WHATISIT"; reference:arachnids,315; classtype:misc-activity; sid:117; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  102. alert tcp $HOME_NET 16959 -> $EXTERNAL_NET any (SBRuleId:97; msg:"BACKDOOR subseven DEFCON8 2.1 access"; flow:from_server,established; content:"PWD"; classtype:trojan-activity; sid:107; rev:6; SBRiskLevel:2; SBCategory:"trojan-activity";)
  103. alert tcp $HOME_NET 17499 -> $EXTERNAL_NET any (SBRuleId:98; msg:"BACKDOOR Crazzy Net 5.0 connection established"; flow:from_server,established; content:"Crazzynet"; depth:9; classtype:trojan-activity; sid:3636; rev:1; SBRiskLevel:2; SBCategory:"trojan-activity";)
  104. alert tcp $HOME_NET 2000 -> $EXTERNAL_NET any (SBRuleId:99; msg:"BACKDOOR Insane Network 4.0 connection established"; flow:from_server,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; classtype:misc-activity; sid:3015; rev:3; SBRiskLevel:0; SBCategory:"misc-activity";)
  105. alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (SBRuleId:100; msg:"BACKDOOR NetBus Pro 2.0 connection established"; flow:from_server,established; flowbits:isset,backdoor.netbus_2.connect; content:"BN|10 00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; classtype:misc-activity; sid:115; rev:9; SBRiskLevel:0; SBCategory:"misc-activity";)
  106. alert tcp $HOME_NET 23032 -> $EXTERNAL_NET any (SBRuleId:101; msg:"BACKDOOR Amanda 2.0 connection established"; flow:from_server,established; content:"Connected To Amanda 2.0"; depth:23; classtype:trojan-activity; sid:3635; rev:2; SBRiskLevel:2; SBCategory:"trojan-activity";)
  107. alert tcp $HOME_NET 23476 -> $EXTERNAL_NET any (SBRuleId:102; msg:"BACKDOOR DonaldDick 1.53 Traffic"; flow:from_server,established; content:"pINg"; reference:MCAFEE,98575; classtype:misc-activity; sid:153; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  108. alert tcp $HOME_NET 2583 -> $EXTERNAL_NET any (SBRuleId:103; msg:"BACKDOOR WinCrash 2.0 Server Active"; flags:SA,12; content:"|B4 B4|"; reference:arachnids,36; classtype:misc-activity; sid:6000004; rev:4; SBRiskLevel:0; SBCategory:"misc-activity";)
  109. alert tcp $HOME_NET 2589 -> $EXTERNAL_NET 1024: (SBRuleId:104; msg:"BACKDOOR - Dagger_1.4.0"; flow:from_server,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|"; depth:16; reference:arachnids,484; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; classtype:misc-activity; sid:105; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  110. alert tcp $HOME_NET 30100 -> $EXTERNAL_NET any (SBRuleId:105; msg:"BACKDOOR NetSphere access"; flow:established,from_server; content:"NetSphere"; reference:arachnids,76; classtype:misc-activity; sid:146; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  111. alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (SBRuleId:106; msg:"BACKDOOR NetSphere 1.31.337 access"; flow:from_server,established; content:"NetSphere"; reference:arachnids,76; classtype:misc-activity; sid:155; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  112. alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (SBRuleId:107; msg:"BACKDOOR HackAttack 1.20 Connect"; flow:established,from_server; content:"host"; classtype:misc-activity; sid:141; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  113. alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (SBRuleId:108; msg:"BACKDOOR BackConstruction 2.1 Connection"; flow:established,from_server; content:"c|3A 5C|"; classtype:misc-activity; sid:152; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  114. alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (SBRuleId:109; msg:"BACKDOOR PhaseZero Server Active on Network"; flow:established,from_server; content:"phAse"; classtype:misc-activity; sid:208; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  115. alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any (SBRuleId:110; msg:"BACKDOOR WinCrash 1.0 Server Active"; flow:stateless; flags:SA,12; content:"|B4 B4|"; reference:arachnids,36; classtype:misc-activity; sid:163; rev:9; SBRiskLevel:0; SBCategory:"misc-activity";)
  116. alert tcp $HOME_NET 63536 -> $EXTERNAL_NET any (SBRuleId:111; msg:"BACKDOOR Insane Network 4.0 connection established port 63536"; flow:from_server,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; classtype:misc-activity; sid:3016; rev:3; SBRiskLevel:0; SBCategory:"misc-activity";)
  117. alert tcp $HOME_NET 666 -> $EXTERNAL_NET 1024: (SBRuleId:112; msg:"BACKDOOR SatansBackdoor.2.0.Beta"; flow:established,from_server; content:"Remote|3A| You are connected to me."; reference:arachnids,316; classtype:misc-activity; sid:118; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  118. alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (SBRuleId:113; msg:"BACKDOOR BackConstruction 2.1 Server FTP Open Reply"; flow:from_server,established; content:"FTP Port open"; classtype:misc-activity; sid:158; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  119. alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (SBRuleId:114; msg:"BACKDOOR Doly 2.0 access"; flow:established,from_server; content:"Wtzup Use"; depth:32; reference:arachnids,312; classtype:misc-activity; sid:119; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  120. alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (SBRuleId:115; msg:"BACKDOOR GateCrasher"; flow:established,from_server; content:"GateCrasher"; reference:arachnids,99; classtype:misc-activity; sid:147; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  121. alert tcp $HOME_NET any -> $EXTERNAL_NET any (SBRuleId:116; msg:"BACKDOOR FsSniffer connection attempt"; flow:to_server,established; content:"RemoteNC Control Password|3A|"; reference:nessus,11854; classtype:trojan-activity; sid:2271; rev:2; SBRiskLevel:2; SBCategory:"trojan-activity";)
  122. alert tcp $HOME_NET any -> $EXTERNAL_NET any (SBRuleId:117; msg:"BACKDOOR SubSeven 2.1 Gold server connection response"; flow:from_server,established; content:"connected. time/date|3A| "; depth:22; content:"version|3A| GOLD 2.1"; distance:1; reference:MCAFEE,10566; reference:nessus,10409; classtype:misc-activity; sid:2100; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  123. alert tcp $INTERNAL 12346 -> $EXTERNAL any (SBRuleId:118; msg: "BACKDOOR trojan active netbus 12346"; flags: A+; content: "NetBus"; classtype: successful-user; reference: arachnids,402;sid:6000088;rev:1; SBRiskLevel:2; SBCategory:"successful-user";)
  124. alert tcp $INTERNAL 146 -> $EXTERNAL 1000:1300 (SBRuleId:119; msg: "BACKDOOR trojan active Infector 1.6 server to client"; flags: A+; content: "WHATISIT"; classtype: successful-user; reference: arachnids,502;sid:6000099;rev:1; SBRiskLevel:2; SBCategory:"successful-user";)
  125. alert tcp $INTERNAL 16484 -> $EXTERNAL any (SBRuleId:120; msg: "BACKDOOR trojan active mosucker11 badlogin"; flags: A+; content: "Wrong Password"; depth: 16; classtype: successful-user; reference: arachnids,477;sid:6000092;rev:1; SBRiskLevel:2; SBCategory:"successful-user";)
  126. alert tcp $INTERNAL 16484 -> $EXTERNAL any (SBRuleId:121; msg: "BACKDOOR trojan active mosucker11"; flags: A+; content: "KEY|3d|"; depth: 5; classtype: successful-user; reference: arachnids,478;sid:6000093;rev:1; SBRiskLevel:2; SBCategory:"successful-user";)
  127. alert tcp $INTERNAL 21 -> $EXTERNAL any (SBRuleId:122; msg: "BACKDOOR trojan active deepthroat ftpd"; flags: A+; content: "220 Deep Throat FTP Server Ready"; classtype: successful-user; reference: arachnids,406;sid:6000091;rev:1; SBRiskLevel:2; SBCategory:"successful-user";)
  128. alert tcp $INTERNAL 23476 -> $EXTERNAL any (SBRuleId:123; msg: "BACKDOOR trojan active DonaldDick 1.53"; flags: A+; content: "pINg"; classtype: successful-user; reference: arachnids,506;sid:6000103;rev:1; SBRiskLevel:2; SBCategory:"successful-user";)
  129. alert tcp $INTERNAL 2589 -> $EXTERNAL 1024: (SBRuleId:124; msg: "BACKDOOR trojan active dagger_1.4.0"; flags: A+; content: "|3200000006000000|Drives|2400|"; depth: 16; classtype: successful-user; reference: arachnids,484;sid:6000096;rev:1; SBRiskLevel:2; SBCategory:"successful-user";)
  130. alert tcp $INTERNAL 31785 -> $EXTERNAL any (SBRuleId:125; msg: "BACKDOOR trojan active HackAttack 1.20"; flags: A+; content: "host"; classtype: successful-user; reference: arachnids,504;sid:6000101;rev:1; SBRiskLevel:2; SBCategory:"successful-user";)
  131. alert tcp $INTERNAL 51966 -> $EXTERNAL 1010:1100 (SBRuleId:126; msg: "BACKDOOR trojan active CAFEini0.9"; flags: A+; content: "CAFEiNi 0.9 (cafeini@vi"; classtype: successful-user; reference: arachnids,293;sid:6000081;rev:1; SBRiskLevel:2; SBCategory:"successful-user";)
  132. alert tcp $INTERNAL 5401:5402 -> $EXTERNAL any (SBRuleId:127; msg: "BACKDOOR trojan active BackConstruction 2.1"; flags: A+; content: "c|3A|\\"; classtype: successful-user; reference: arachnids,505;sid:6000102;rev:1; SBRiskLevel:2; SBCategory:"successful-user";)
  133. alert tcp $INTERNAL 5556 -> $EXTERNAL any (SBRuleId:128; msg: "BACKDOOR trojan h0rtiga"; flags: A+; content: "Win9x.h0rtiga"; classtype: successful-user; reference: arachnids,299;sid:6000082;rev:1; SBRiskLevel:2; SBCategory:"successful-user";)
  134. alert tcp $INTERNAL 666 -> $EXTERNAL any (SBRuleId:129; msg: "BACKDOOR trojan active BackConstruction 2.1 ftp open reply"; flags: A+; content: "FTP Port open"; classtype: successful-user; reference: arachnids,508;sid:6000105;rev:1; SBRiskLevel:2; SBCategory:"successful-user";)
  135. alert tcp $INTERNAL 80 -> $EXTERNAL any (SBRuleId:130; msg: "BACKDOOR trojan active BackOrifice1 web"; flags: A+; content: "server|3a| BO|2f|"; classtype: successful-user; reference: arachnids,400;sid:6000087;rev:1; SBRiskLevel:2; SBCategory:"successful-user";)
  136. alert tcp $INTERNAL any -> $EXTERNAL 1024:65535 (SBRuleId:131; msg: "BACKDOOR trojan active mosucker21"; flags: A+; content: "MoSucker 2.1 server on"; classtype: successful-user; reference: arachnids,479;sid:6000094;rev:1; SBRiskLevel:2; SBCategory:"successful-user";)
  137. alert tcp 255.255.255.0/24 any -> $HOME_NET any (SBRuleId:132; msg:"BACKDOOR Q access"; flow:stateless; dsize:>1; flags:A+; reference:arachnids,203; classtype:misc-activity; sid:184; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  138. alert tcp any any -> 212.146.0.34 1963 (SBRuleId:133; msg:"BACKDOOR TCPDUMP/PCAP trojan traffic"; flow:stateless; reference:url,hlug.fscker.com; classtype:trojan-activity; sid:1929; rev:5; SBRiskLevel:2; SBCategory:"trojan-activity";)
  139. alert udp $EXTERNAL 5881 -> $INTERNAL 5882 (SBRuleId:134; msg: "BACKDOOR trojan Y3K Rat 1.3"; content: "Y3K"; depth: 3; classtype: successful-user; reference: arachnids,306;sid:6000083;rev:1; SBRiskLevel:2; SBCategory:"successful-user";)
  140. alert udp $EXTERNAL any -> $INTERNAL 31337 (SBRuleId:135; msg: "BACKDOOR trojan BackOrifice1 scan"; content: "|ce63 d1d2 16e7 13cf 38a5 a586|"; classtype: attempted-user; reference: arachnids,397;sid:6000084;rev:1; SBRiskLevel:2; SBCategory:"attempted-user";)
  141. alert udp $EXTERNAL any -> $INTERNAL 31337 (SBRuleId:136; msg: "BACKDOOR trojan active BackOrifice1 dir"; content: "|ce63 d1d2 16e7 13cf 3ca5 a586|"; classtype: successful-user; reference: arachnids,398;sid:6000085;rev:1; SBRiskLevel:2; SBCategory:"successful-user";)
  142. alert udp $EXTERNAL any -> $INTERNAL 31337 (SBRuleId:137; msg: "BACKDOOR trojan active BackOrifice1 info"; content: "|ce63 d1d2 16e7 13cf 39a5 a586|"; classtype: successful-user; reference: arachnids,399;sid:6000086;rev:1; SBRiskLevel:2; SBCategory:"successful-user";)
  143. alert udp $EXTERNAL_NET 3344 -> $HOME_NET 3345 (SBRuleId:138; msg:"BACKDOOR Matrix 2.0 Client connect"; content:"activate"; reference:arachnids,83; classtype:misc-activity; sid:161; rev:4; SBRiskLevel:0; SBCategory:"misc-activity";)
  144. alert udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 (SBRuleId:139; msg:"BACKDOOR Matrix 2.0 Server access"; content:"logged in"; reference:arachnids,83; classtype:misc-activity; sid:162; rev:4; SBRiskLevel:0; SBCategory:"misc-activity";)
  145. alert udp $EXTERNAL_NET any -> $HOME_NET 2140 (SBRuleId:140; msg:"BACKDOOR DeepThroat 3.1 Connection attempt"; content:"00"; depth:2; reference:MCAFEE,98574; reference:nessus,10053; classtype:misc-activity; sid:1980; rev:4; SBRiskLevel:0; SBCategory:"misc-activity";)
  146. alert udp $EXTERNAL_NET any -> $HOME_NET 3150 (SBRuleId:141; msg:"BACKDOOR DeepThroat 3.1 Connection attempt [3150]"; content:"00"; depth:2; reference:MCAFEE,98574; reference:nessus,10053; classtype:misc-activity; sid:1981; rev:3; SBRiskLevel:0; SBCategory:"misc-activity";)
  147. alert udp $EXTERNAL_NET any -> $HOME_NET 35555 (SBRuleId:142; msg:"BACKDOOR win-trin00 connection attempt"; content:"png []..Ks l44"; depth:14; reference:cve,2000-0138; reference:nessus,10307; classtype:attempted-admin; sid:1853; rev:6; SBRiskLevel:2; SBCategory:"attempted-admin";)
  148. alert udp $EXTERNAL_NET any -> $HOME_NET 4120 (SBRuleId:143; msg:"BACKDOOR DeepThroat 3.1 Connection attempt [4120]"; content:"00"; depth:2; reference:MCAFEE,98574; reference:nessus,10053; classtype:misc-activity; sid:1983; rev:3; SBRiskLevel:0; SBCategory:"misc-activity";)
  149. alert udp $HOME_NET 2140 -> $EXTERNAL_NET any (SBRuleId:144; msg:"BACKDOOR DeepThroat 3.1 Server Response"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; reference:MCAFEE,98574; reference:nessus,10053; classtype:misc-activity; sid:195; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  150. alert udp $HOME_NET 3150 -> $EXTERNAL_NET any (SBRuleId:145; msg:"BACKDOOR DeepThroat 3.1 Server Response [3150]"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; reference:MCAFEE,98574; reference:nessus,10053; classtype:misc-activity; sid:1982; rev:3; SBRiskLevel:0; SBCategory:"misc-activity";)
  151. alert udp $HOME_NET 4120 -> $EXTERNAL_NET any (SBRuleId:146; msg:"BACKDOOR DeepThroat 3.1 Server Response [4120]"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; reference:MCAFEE,98574; reference:nessus,10053; classtype:misc-activity; sid:1984; rev:3; SBRiskLevel:0; SBCategory:"misc-activity";)
  152. alert udp $INTERNAL 2140 -> $EXTERNAL any (SBRuleId:147; msg: "BACKDOOR trojan active DeepThroat"; content: "--Ahhhhhhhhhh"; classtype: successful-user; reference: arachnids,405;sid:6000090;rev:1; SBRiskLevel:2; SBCategory:"successful-user";)
  153. alert udp $INTERNAL 28431 -> $EXTERNAL 28432 (SBRuleId:148; msg: "BACKDOOR trojan active hack-a-tack-2000"; content: "H"; depth: 1; classtype: successful-user; reference: arachnids,289;sid:6000080;rev:1; SBRiskLevel:2; SBCategory:"successful-user";)
  154.  
  155. #rulegroup Bad traffic
  156. alert ip $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:149; msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:8; SBRiskLevel:0; SBCategory:"misc-activity";)
  157. alert ip $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:150; msg:"BAD-TRAFFIC Unassigned/Reserved IP protocol"; ip_proto:>134; reference:url,www.iana.org/assignments/protocol-numbers; classtype:non-standard-protocol; sid:1627; rev:3; SBRiskLevel:1; SBCategory:"non-standard-protocol";)
  158. alert ip $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:151; msg:"BAD-TRAFFIC bad frag bits"; fragbits:MD; sid:1322; classtype:misc-activity; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  159. alert ip $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:152; msg:"BAD-TRAFFIC ip reserved bit set"; fragbits:R; classtype:misc-activity; sid:523; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  160. alert ip any any -> any any (SBRuleId:153; msg:"BAD-TRAFFIC IP Proto 103 PIM"; ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2189; rev:3; SBRiskLevel:1; SBCategory:"non-standard-protocol";) 
  161. alert ip any any -> any any (SBRuleId:154; msg:"BAD-TRAFFIC IP Proto 53 SWIPE"; ip_proto:53; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2186; rev:3; SBRiskLevel:1; SBCategory:"non-standard-protocol";)
  162. alert ip any any -> any any (SBRuleId:155; msg:"BAD-TRAFFIC IP Proto 55 IP Mobility"; ip_proto:55; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2187; rev:3; SBRiskLevel:1; SBCategory:"non-standard-protocol";)
  163. alert ip any any -> any any (SBRuleId:156; msg:"BAD-TRAFFIC IP Proto 77 Sun ND"; ip_proto:77; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2188; rev:3; SBRiskLevel:1; SBCategory:"non-standard-protocol";)
  164. alert ip any any -> any any (SBRuleId:157; msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:8; SBRiskLevel:1; SBCategory:"bad-unknown";)
  165. alert ip any any <> 127.0.0.0/8 any (SBRuleId:158; msg:"BAD-TRAFFIC loopback traffic"; reference:url,www.sans.org/y2k/egress.htm; classtype:bad-unknown; sid:528; rev:5; SBRiskLevel:1; SBCategory:"bad-unknown";)
  166. alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (SBRuleId:159; msg:"BAD-TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8; SBRiskLevel:0; SBCategory:"misc-activity";)
  167. alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any (SBRuleId:160; msg:"BAD-TRAFFIC syn to multicast address"; flow:stateless; flags:S+; classtype:bad-unknown; sid:1431; rev:9; SBRiskLevel:1; SBCategory:"bad-unknown";)
  168. alert udp $EXTERNAL_NET any <> $HOME_NET 0 (SBRuleId:161; msg:"BAD-TRAFFIC udp port 0 traffic"; reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; classtype:misc-activity; sid:525; rev:9; SBRiskLevel:0; SBCategory:"misc-activity";) 
  169.  
  170. #rulegroup DDOS
  171. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:162; msg:"DDOS - TFN client command LE"; icmp_id:51201; icmp_seq:0; itype:0; reference:arachnids,183; classtype:attempted-dos; sid:251; rev:3; SBRiskLevel:1; SBCategory:"attempted-dos";)
  172. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:163; msg:"DDOS Stacheldraht client check gag"; icmp_id:668; itype:0; content:"gesundheit!"; reference:arachnids,194; classtype:attempted-dos; sid:236; rev:6; SBRiskLevel:1; SBCategory:"attempted-dos";)
  173. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:164; msg:"DDOS Stacheldraht client check skillz"; icmp_id:666; itype:0; content:"skillz"; reference:arachnids,190; classtype:attempted-dos; sid:229; rev:5; SBRiskLevel:1; SBCategory:"attempted-dos";)
  174. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:165; msg:"DDOS Stacheldraht client spoofworks"; icmp_id:1000; itype:0; content:"spoofworks"; reference:arachnids,192; classtype:attempted-dos; sid:227; rev:6; SBRiskLevel:1; SBCategory:"attempted-dos";)
  175. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:166; msg:"DDOS TFN Probe"; icmp_id:678; itype:8; content:"1234"; reference:arachnids,443; classtype:attempted-recon; sid:221; rev:4; SBRiskLevel:1; SBCategory:"attempted-recon";)
  176. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:167; msg:"DDOS TFN client command BE"; icmp_id:456; icmp_seq:0; itype:0; reference:arachnids,184; classtype:attempted-dos; sid:228; rev:3; SBRiskLevel:1; SBCategory:"attempted-dos";)
  177. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:168; msg:"DDOS tfn2k icmp possible communication"; icmp_id:0; itype:0; content:"AAAAAAAAAA"; reference:arachnids,425; classtype:attempted-dos; sid:222; rev:2; SBRiskLevel:1; SBCategory:"attempted-dos";)
  178. alert icmp $EXTERNAL_NET any <> $HOME_NET any (SBRuleId:169; msg:"DDOS Stacheldraht agent->handler skillz"; icmp_id:6666; itype:0; content:"skillz"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1855; rev:7; SBRiskLevel:1; SBCategory:"attempted-dos";)
  179. alert icmp $EXTERNAL_NET any <> $HOME_NET any (SBRuleId:170; msg:"DDOS Stacheldraht handler->agent ficken"; icmp_id:6667; itype:0; content:"ficken"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1856; rev:7; SBRiskLevel:1; SBCategory:"attempted-dos";)
  180. alert icmp $EXTERNAL_NET any <> $HOME_NET any (SBRuleId:171; msg:"DDOS Stacheldraht handler->agent niggahbitch"; icmp_id:9015; itype:0; content:"niggahbitch"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1854; rev:7; SBRiskLevel:1; SBCategory:"attempted-dos";)
  181. alert icmp $HOME_NET any -> $EXTERNAL_NET any (SBRuleId:172; msg:"DDOS Stacheldraht gag server response"; icmp_id:669; itype:0; content:"sicken"; reference:arachnids,195; classtype:attempted-dos; sid:225; rev:6; SBRiskLevel:1; SBCategory:"attempted-dos";)
  182. alert icmp $HOME_NET any -> $EXTERNAL_NET any (SBRuleId:173; msg:"DDOS Stacheldraht server response"; icmp_id:667; itype:0; content:"ficken"; reference:arachnids,191; classtype:attempted-dos; sid:226; rev:6; SBRiskLevel:1; SBCategory:"attempted-dos";)
  183. alert icmp $HOME_NET any -> $EXTERNAL_NET any (SBRuleId:174; msg:"DDOS TFN server response"; icmp_id:123; icmp_seq:0; itype:0; content:"shell bound to port"; reference:arachnids,182; classtype:attempted-dos; sid:238; rev:6; SBRiskLevel:1; SBCategory:"attempted-dos";)
  184. alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (SBRuleId:175; msg:"DDOS Stacheldraht server spoof"; icmp_id:666; itype:0; reference:arachnids,193; classtype:attempted-dos; sid:224; rev:3; SBRiskLevel:1; SBCategory:"attempted-dos";)
  185. alert tcp $EXTERNAL 1024: -> $INTERNAL any (SBRuleId:176; msg: "DDOS shaft synflood incoming"; seq: 674711609; flags: S; classtype: denial-of-service; reference: arachnids,252;sid:6000119;rev:1; SBRiskLevel:1; SBCategory:"denial-of-service";)
  186. alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (SBRuleId:177; msg:"DDOS mstream client to handler"; flow:to_server,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:247; rev:4; SBRiskLevel:1; SBCategory:"attempted-dos";)
  187. alert tcp $EXTERNAL_NET any -> $HOME_NET 15104 (SBRuleId:178; msg:"DDOS mstream client to handler"; flow:stateless; flags:S,12; reference:arachnids,111; reference:cve,2000-0138; classtype:attempted-dos; sid:249; rev:8; SBRiskLevel:1; SBCategory:"attempted-dos";)
  188. alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (SBRuleId:179; msg:"DDOS Trin00 Attacker to Master default mdie password"; flow:established,to_server; content:"killme"; classtype:bad-unknown; sid:235; rev:2; SBRiskLevel:1; SBCategory:"bad-unknown";)
  189. alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (SBRuleId:180; msg:"DDOS Trin00 Attacker to Master default password"; flow:established,to_server; content:"gOrave"; classtype:attempted-dos; sid:234; rev:2; SBRiskLevel:1; SBCategory:"attempted-dos";)
  190. alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (SBRuleId:181; msg:"DDOS Trin00 Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; reference:arachnids,197; classtype:attempted-dos; sid:233; rev:3; SBRiskLevel:1; SBCategory:"attempted-dos";)
  191. alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (SBRuleId:182; msg:"DDOS mstream handler to client"; flow:to_client,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:248; rev:4; SBRiskLevel:1; SBCategory:"attempted-dos";)
  192. alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (SBRuleId:183; msg:"DDOS mstream handler to client"; flow:from_server,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:250; rev:4; SBRiskLevel:1; SBCategory:"attempted-dos";)
  193. alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any (SBRuleId:184; msg:"DDOS shaft client login to handler"; flow:from_server,established; content:"login|3A|"; reference:arachnids,254; reference:url,security.royans.net/info/posts/bugtraq_ddos3.shtml; classtype:attempted-dos; sid:230; rev:5; SBRiskLevel:1; SBCategory:"attempted-dos";)
  194. alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (SBRuleId:185; msg:"DDOS mstream agent pong to handler"; content:"pong"; classtype:attempted-dos; sid:246; rev:2; SBRiskLevel:1; SBCategory:"attempted-dos";)
  195. alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (SBRuleId:186; msg:"DDOS mstream handler ping to agent"; content:"ping"; reference:cve,2000-0138; classtype:attempted-dos; sid:245; rev:3; SBRiskLevel:1; SBCategory:"attempted-dos";)
  196. alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (SBRuleId:187; msg:"DDOS mstream handler to agent"; content:"stream/"; reference:cve,2000-0138; classtype:attempted-dos; sid:244; rev:3; SBRiskLevel:1; SBCategory:"attempted-dos";)
  197. alert udp $EXTERNAL_NET any -> $HOME_NET 18753 (SBRuleId:188; msg:"DDOS shaft handler to agent"; content:"alive tijgu"; reference:arachnids,255; classtype:attempted-dos; sid:239; rev:2; SBRiskLevel:1; SBCategory:"attempted-dos";)
  198. alert udp $EXTERNAL_NET any -> $HOME_NET 20433 (SBRuleId:189; msg:"DDOS shaft agent to handler"; content:"alive"; reference:arachnids,256; classtype:attempted-dos; sid:240; rev:2; SBRiskLevel:1; SBCategory:"attempted-dos";)
  199. alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (SBRuleId:190; msg:"DDOS Trin00 Master to Daemon default password attempt"; content:"l44adsl"; reference:arachnids,197; classtype:attempted-dos; sid:237; rev:2; SBRiskLevel:1; SBCategory:"attempted-dos";)
  200. alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (SBRuleId:191; msg:"DDOS Trin00 Daemon to Master *HELLO* message detected"; content:"*HELLO*"; reference:arachnids,185; reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm; classtype:attempted-dos; sid:232; rev:5; SBRiskLevel:1; SBCategory:"attempted-dos";)
  201. alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (SBRuleId:192; msg:"DDOS Trin00 Daemon to Master PONG message detected"; content:"PONG"; reference:arachnids,187; classtype:attempted-recon; sid:223; rev:3; SBRiskLevel:1; SBCategory:"attempted-recon";)
  202. alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (SBRuleId:193; msg:"DDOS Trin00 Daemon to Master message detected"; content:"l44"; reference:arachnids,186; classtype:attempted-dos; sid:231; rev:3; SBRiskLevel:1; SBCategory:"attempted-dos";)
  203. alert udp $EXTERNAL_NET any -> $HOME_NET 6838 (SBRuleId:194; msg:"DDOS mstream agent to handler"; content:"newserver"; classtype:attempted-dos; sid:243; rev:2; SBRiskLevel:1; SBCategory:"attempted-dos";)
  204.  
  205. #rulegroup DOS
  206. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:195; msg:"DOS ath"; itype:8; content:"+++ath"; nocase; reference:arachnids,264; reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:5; SBRiskLevel:1; SBCategory:"attempted-dos";) 
  207. alert ip $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:196; msg:"DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:272; rev:10; SBRiskLevel:1; SBCategory:"attempted-dos";)
  208. alert ip $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:197; msg:"DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:268; rev:4; SBRiskLevel:1; SBCategory:"attempted-dos";) 
  209. alert tcp $EXTERNAL_NET any -> $HOME_NET 6004 (SBRuleId:198; msg:"DOS iParty DOS attempt"; flow:to_server,established; content:"|FF FF FF FF FF FF|"; offset:0; reference:bugtraq,6844; reference:cve,1999-1566; classtype:misc-attack; sid:1605; rev:6; SBRiskLevel:1; SBCategory:"misc-attack";)
  210. alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (SBRuleId:199; msg:"DOS arkiea backup"; flow:to_server,established; dsize:>1445; reference:arachnids,261; reference:bugtraq,662; reference:cve,1999-0788; classtype:attempted-dos; sid:282; rev:8; SBRiskLevel:1; SBCategory:"attempted-dos";)
  211. alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (SBRuleId:200; msg:"DOS Real Audio Server"; flow:to_server,established; content:"|FF F4 FF FD 06|"; reference:arachnids,411; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:276; rev:5; SBRiskLevel:1; SBCategory:"attempted-dos";)
  212. alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (SBRuleId:201; msg:"DOS Real Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; nocase; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:277; rev:5; SBRiskLevel:1; SBCategory:"attempted-dos";)
  213. alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (SBRuleId:202; msg:"DOS Real Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; nocase; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:278; rev:5; SBRiskLevel:1; SBCategory:"attempted-dos";)
  214. alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (SBRuleId:203; msg:"DOS Cisco attempt"; flow:to_server,established; dsize:1; content:"|13|"; classtype:web-application-attack; sid:1545; rev:8; SBRiskLevel:2; SBCategory:"web-application-attack";)
  215. alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (SBRuleId:204; msg:"DOS BGP spoofed connection reset attempt"; flow:established; flags:RSF*; threshold:type both,track by_dst,count 10,seconds 10; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2523; rev:7; SBRiskLevel:1; SBCategory:"attempted-dos";)
  216. alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (SBRuleId:205; msg:"DOS squid WCCP I_SEE_YOU message overflow attempt"; content:"|00 00 00 08|"; depth:4; byte_test:4,>,32,16; reference:bugtraq,12275; reference:cve,2005-0095; classtype:attempted-user; sid:3089; rev:2; SBRiskLevel:2; SBCategory:"attempted-user";)
  217. alert udp $EXTERNAL_NET any -> $HOME_NET 500 (SBRuleId:206; msg:"DOS ISAKMP invalid identification payload attempt"; content:"|05|"; depth:1; offset:16; byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2486; rev:5; SBRiskLevel:1; SBCategory:"attempted-dos";)
  218. alert udp $EXTERNAL_NET any -> $HOME_NET 9 (SBRuleId:207; msg:"DOS Ascend Route"; content:"NAMENAME"; depth:50; offset:25; reference:arachnids,262; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:281; rev:5; SBRiskLevel:1; SBCategory:"attempted-dos";)
  219. alert udp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:208; msg:"DOS Teardrop attack"; fragbits:M; id:242; reference:bugtraq,124; reference:cve,1999-0015; reference:nessus,10279; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:attempted-dos; sid:270; rev:6; SBRiskLevel:1; SBCategory:"attempted-dos";)
  220. alert udp any 19 <> any 7 (SBRuleId:209; msg:"DOS UDP echo+chargen bomb"; reference:cve,1999-0635; reference:cve,1999-0103; classtype:attempted-dos; sid:271; rev:3; SBRiskLevel:1; SBCategory:"attempted-dos";)
  221.  
  222. #rulegroup ICMP
  223. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:210; msg:"ICMP Address Mask Reply undefined code"; icode:>0; itype:18; classtype:misc-activity; sid:387; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  224. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:211; msg:"ICMP Address Mask Request undefined code"; icode:>0; itype:17; classtype:misc-activity; sid:389; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  225. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:212; msg:"ICMP Address Mask Request"; icode:0; itype:17; classtype:misc-activity; sid:388; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  226. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:213; msg:"ICMP Alternate Host Address undefined code"; icode:>0; itype:6; classtype:misc-activity; sid:391; rev:8; SBRiskLevel:0; SBCategory:"misc-activity";)
  227. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:214; msg:"ICMP Alternate Host Address"; icode:0; itype:6; classtype:misc-activity; sid:390; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  228. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:215; msg:"ICMP Broadscan Smurf Scanner"; dsize:4; icmp_id:0; icmp_seq:0; itype:8; classtype:attempted-recon; sid:478; rev:3; SBRiskLevel:1; SBCategory:"attempted-recon";)
  229. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:216; msg:"ICMP Datagram Conversion Error undefined code"; icode:>0; itype:31; classtype:misc-activity; sid:393; rev:8; SBRiskLevel:0; SBCategory:"misc-activity";)
  230. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:217; msg:"ICMP Datagram Conversion Error"; icode:0; itype:31; classtype:misc-activity; sid:392; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  231. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:218; msg:"ICMP Destination Unreachable Destination Host Unknown"; icode:7; itype:3; classtype:misc-activity; sid:394; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  232. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:219; msg:"ICMP Destination Unreachable Destination Network Unknown"; icode:6; itype:3; classtype:misc-activity; sid:395; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  233. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:220; msg:"ICMP Destination Unreachable Fragmentation Needed and DF bit was set"; icode:4; itype:3; classtype:misc-activity; sid:396; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  234. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:221; msg:"ICMP Destination Unreachable Host Precedence Violation"; icode:14; itype:3; classtype:misc-activity; sid:397; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  235. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:222; msg:"ICMP Destination Unreachable Host Unreachable for Type of Service"; icode:12; itype:3; classtype:misc-activity; sid:398; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  236. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:223; msg:"ICMP Destination Unreachable Network Unreachable for Type of Service"; icode:11; itype:3; classtype:misc-activity; sid:400; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  237. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:224; msg:"ICMP Destination Unreachable Port Unreachable"; icode:3; itype:3; classtype:misc-activity; sid:402; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  238. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:225; msg:"ICMP Destination Unreachable Precedence Cutoff in effect"; icode:15; itype:3; classtype:misc-activity; sid:403; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  239. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:226; msg:"ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; classtype:misc-activity; sid:404; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  240. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:227; msg:"ICMP Destination Unreachable Source Host Isolated"; icode:8; itype:3; classtype:misc-activity; sid:405; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  241. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:228; msg:"ICMP Destination Unreachable Source Route Failed"; icode:5; itype:3; classtype:misc-activity; sid:406; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  242. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:229; msg:"ICMP Destination Unreachable cndefined code"; icode:>15; itype:3; classtype:misc-activity; sid:407; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  243. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:230; msg:"ICMP Echo Reply undefined code"; icode:>0; itype:0; classtype:misc-activity; sid:409; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  244. #alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; icode:0; itype:0; classtype:misc-activity; sid:408; rev:5;)
  245. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:231; msg:"ICMP Fragment Reassembly Time Exceeded"; icode:1; itype:11; classtype:misc-activity; sid:410; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  246. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:232; msg:"ICMP IPV6 I-Am-Here undefined code"; icode:>0; itype:34; classtype:misc-activity; sid:412; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  247. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:233; msg:"ICMP IPV6 I-Am-Here"; icode:0; itype:34; classtype:misc-activity; sid:411; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  248. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:234; msg:"ICMP IPV6 Where-Are-You undefined code"; icode:>0; itype:33; classtype:misc-activity; sid:414; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  249. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:235; msg:"ICMP IPV6 Where-Are-You"; icode:0; itype:33; classtype:misc-activity; sid:413; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
# IRDP (ICMP Router Discovery) advertisement/solicitation from outside: an attacker who can inject a
# router advertisement can add a bogus default route on hosts that honour IRDP (CVE-1999-0875).
# NOTE(review): both rules match on itype alone, with no icode. A code-0 type 9/10 packet therefore also
# matches the "ICMP Router Advertisement" / "ICMP Router Selection" rules later in this group (sid:441,
# sid:443, icode:0), so one packet produces two alerts. Left as shipped; the double alert is expected.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:236; msg:"ICMP IRDP router advertisement"; itype:9; reference:arachnids,173; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:363; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:237; msg:"ICMP IRDP router selection"; itype:10; reference:arachnids,174; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:364; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  252. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:238; msg:"ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:3; SBRiskLevel:1; SBCategory:"attempted-recon";)
  253. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:239; msg:"ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:3; SBRiskLevel:1; SBCategory:"attempted-recon";) 
  254. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:240; msg:"ICMP Information Request undefined code"; icode:>0; itype:15; classtype:misc-activity; sid:418; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  255. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:241; msg:"ICMP Information Request"; icode:0; itype:15; classtype:misc-activity; sid:417; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  256. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:242; msg:"ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:4; SBRiskLevel:1; SBCategory:"attempted-recon";)
  257. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:243; msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4; SBRiskLevel:1; SBCategory:"bad-unknown";)
  258. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:244; msg:"ICMP Mobile Host Redirect undefined code"; icode:>0; itype:32; classtype:misc-activity; sid:420; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  259. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:245; msg:"ICMP Mobile Host Redirect"; icode:0; itype:32; classtype:misc-activity; sid:419; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  260. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:246; msg:"ICMP Mobile Registration Reply undefined code"; icode:>0; itype:36; classtype:misc-activity; sid:422; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  261. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:247; msg:"ICMP Mobile Registration Reply"; icode:0; itype:36; classtype:misc-activity; sid:421; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  262. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:248; msg:"ICMP Mobile Registration Request undefined code"; icode:>0; itype:35; classtype:misc-activity; sid:424; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  263. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:249; msg:"ICMP Mobile Registration Request"; icode:0; itype:35; classtype:misc-activity; sid:423; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  264. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:250; msg:"ICMP Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:arachnids,449; classtype:attempted-recon; sid:467; rev:3; SBRiskLevel:1; SBCategory:"attempted-recon";)
# Forged "fragmentation needed" (type 3 / code 4) carrying a tiny next-hop MTU: a host that trusts it
# clamps its path MTU and throughput collapses (CVE-2004-1060). byte_test reads 2 bytes at payload
# offset 1 and alerts when the value is below 576, the classic minimum IPv4 datagram size.
# NOTE(review): on the wire the next-hop MTU is the 2-byte field that follows the 2 unused bytes after
# type/code/checksum, i.e. it sits on an even boundary relative to wherever this engine starts the ICMP
# payload. Confirm offset 1 is correct for this decoder before relying on the rule; a wrong offset does
# not error out, it simply never matches.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:251; msg:"ICMP PATH MTU denial of service"; itype:3; icode:4; byte_test:2,<,576,1; reference:cve,2004-1060; classtype:attempted-dos; sid:3626; rev:1; SBRiskLevel:1; SBCategory:"attempted-dos";)
  266. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:252; msg:"ICMP PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; classtype:misc-activity; sid:366; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  267. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:253; msg:"ICMP PING BSDtype"; itype:8; content:"|08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17|"; depth:32; reference:arachnids,152; classtype:misc-activity; sid:368; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  268. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:254; msg:"ICMP PING BayRS Router"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F|"; depth:32; reference:arachnids,438; reference:arachnids,444; classtype:misc-activity; sid:369; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  269. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:255; msg:"ICMP PING BeOS4.x"; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 08 09 0A 0B|"; depth:32; reference:arachnids,151; classtype:misc-activity; sid:370; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  270. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:256; msg:"ICMP PING Cisco Type.x"; itype:8; content:"|AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD|"; depth:32; reference:arachnids,153; classtype:misc-activity; sid:371; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  271. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:257; msg:"ICMP PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; depth:32; reference:arachnids,154; classtype:misc-activity; sid:483; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  272. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:258; msg:"ICMP PING Delphi-Piette Windows"; itype:8; content:"Pinging from Del"; depth:32; reference:arachnids,155; classtype:misc-activity; sid:372; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  273. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:259; msg:"ICMP PING Flowpoint2200 or Network Management Software"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10|"; depth:32; reference:arachnids,156; classtype:misc-activity; sid:373; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  274. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:260; msg:"ICMP PING IP NetMonitor Macintosh"; itype:8; content:"|A9| Sustainable So"; depth:32; reference:arachnids,157; classtype:misc-activity; sid:374; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  275. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:261; msg:"ICMP PING LINUX/*BSD"; dsize:8; id:13170; itype:8; reference:arachnids,447; classtype:misc-activity; sid:375; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  276. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:262; msg:"ICMP PING Microsoft Windows"; itype:8; content:"0123456789abcdefghijklmnop"; depth:32; reference:arachnids,159; classtype:misc-activity; sid:376; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  277. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:263; msg:"ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:3; SBRiskLevel:1; SBCategory:"attempted-recon";)
  278. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:264; msg:"ICMP PING Network Toolbox 3 Windows"; itype:8; content:"================"; depth:32; reference:arachnids,161; classtype:misc-activity; sid:377; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  279. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:265; msg:"ICMP PING Ping-O-MeterWindows"; itype:8; content:"OMeterObeseArmad"; depth:32; reference:arachnids,164; classtype:misc-activity; sid:378; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  280. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:266; msg:"ICMP PING Pinger Windows"; itype:8; content:"Data|00 00 00 00 00 00 00 00 00 00 00 00|"; depth:32; reference:arachnids,163; classtype:misc-activity; sid:379; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  281. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:267; msg:"ICMP PING Seer Windows"; itype:8; content:"|88 04|              "; depth:32; reference:arachnids,166; classtype:misc-activity; sid:380; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  282. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:268; msg:"ICMP PING Sniffer Pro/NetXRay network scan"; itype:8; content:"Cinco Network, Inc."; depth:32; classtype:misc-activity; sid:484; rev:4; SBRiskLevel:0; SBCategory:"misc-activity";)
  283. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:269; msg:"ICMP PING Sun Solaris"; dsize:8; itype:8; reference:arachnids,448; classtype:misc-activity; sid:381; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  284. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:270; msg:"ICMP PING WhatsupGold Windows"; itype:8; content:"WhatsUp - A Netw"; depth:32; reference:arachnids,168; classtype:misc-activity; sid:482; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  285. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:271; msg:"ICMP PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; reference:arachnids,169; classtype:misc-activity; sid:382; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  286. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:272; msg:"ICMP PING speedera"; itype:8; content:"89|3A 3B|<=>?"; depth:100; classtype:misc-activity; sid:480; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  287. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:273; msg:"ICMP PING undefined code"; icode:>0; itype:8; classtype:misc-activity; sid:365; rev:8; SBRiskLevel:0; SBCategory:"misc-activity";)
  288. #alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; icode:0; itype:8; classtype:misc-activity; sid:384; rev:5;)
  289. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:274; msg:"ICMP Parameter Problem Bad Length"; icode:2; itype:12; classtype:misc-activity; sid:425; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  290. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:275; msg:"ICMP Parameter Problem Missing a Required Option"; icode:1; itype:12; classtype:misc-activity; sid:426; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  291. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:276; msg:"ICMP Parameter Problem Unspecified Error"; icode:0; itype:12; classtype:misc-activity; sid:427; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  292. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:277; msg:"ICMP Parameter Problem undefined Code"; icode:>2; itype:12; classtype:misc-activity; sid:428; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  293. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:278; msg:"ICMP Photuris Reserved"; icode:0; itype:40; classtype:misc-activity; sid:429; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  294. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:279; msg:"ICMP Photuris Unknown Security Parameters Index"; icode:1; itype:40; classtype:misc-activity; sid:430; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  295. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:280; msg:"ICMP Photuris Valid Security Parameters, But Authentication Failed"; icode:2; itype:40; classtype:misc-activity; sid:431; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  296. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:281; msg:"ICMP Photuris Valid Security Parameters, But Decryption Failed"; icode:3; itype:40; classtype:misc-activity; sid:432; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  297. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:282; msg:"ICMP Photuris undefined code!"; icode:>3; itype:40; classtype:misc-activity; sid:433; rev:8; SBRiskLevel:0; SBCategory:"misc-activity";)
  298. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:283; msg:"ICMP Redirect for TOS and Host"; icode:3; itype:5; classtype:misc-activity; sid:436; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  299. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:284; msg:"ICMP Redirect for TOS and Network"; icode:2; itype:5; classtype:misc-activity; sid:437; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  300. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:285; msg:"ICMP Redirect undefined code"; icode:>3; itype:5; classtype:misc-activity; sid:438; rev:9; SBRiskLevel:0; SBCategory:"misc-activity";)
  301. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:286; msg:"ICMP Reserved for Security Type 19 undefined code"; icode:>0; itype:19; classtype:misc-activity; sid:440; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  302. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:287; msg:"ICMP Reserved for Security Type 19"; icode:0; itype:19; classtype:misc-activity; sid:439; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  303. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:288; msg:"ICMP Router Advertisement"; icode:0; itype:9; reference:arachnids,173; classtype:misc-activity; sid:441; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  304. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:289; msg:"ICMP Router Selection"; icode:0; itype:10; reference:arachnids,174; classtype:misc-activity; sid:443; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  305. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:290; msg:"ICMP SKIP undefined code"; icode:>0; itype:39; classtype:misc-activity; sid:446; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  306. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:291; msg:"ICMP SKIP"; icode:0; itype:39; classtype:misc-activity; sid:445; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  307. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:292; msg:"ICMP Source Quench undefined code"; icode:>0; itype:4; classtype:misc-activity; sid:448; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  308. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:293; msg:"ICMP Source Quench"; icode:0; itype:4; classtype:bad-unknown; sid:477; rev:2; SBRiskLevel:1; SBCategory:"bad-unknown";)
  309. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:294; msg:"ICMP TJPingPro1.1Build 2 Windows"; itype:8; content:"TJPingPro by Jim"; depth:32; reference:arachnids,167; classtype:misc-activity; sid:481; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  310. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:295; msg:"ICMP Timestamp Reply undefined code"; icode:>0; itype:14; classtype:misc-activity; sid:452; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  311. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:296; msg:"ICMP Timestamp Reply"; icode:0; itype:14; classtype:misc-activity; sid:451; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  312. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:297; msg:"ICMP Timestamp Request undefined code"; icode:>0; itype:13; classtype:misc-activity; sid:454; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  313. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:298; msg:"ICMP Timestamp Request"; icode:0; itype:13; classtype:misc-activity; sid:453; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  314. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:299; msg:"ICMP Traceroute undefined code"; icode:>0; itype:30; classtype:misc-activity; sid:457; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  315. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:300; msg:"ICMP Traceroute"; icode:0; itype:30; classtype:misc-activity; sid:456; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  316. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:301; msg:"ICMP digital island bandwidth query"; content:"mailto|3A|ops@digisle.com"; depth:22; classtype:misc-activity; sid:1813; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  317. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:302; msg:"ICMP icmpenum v1.1.1"; dsize:0; icmp_id:666 ; icmp_seq:0; id:666; itype:8; reference:arachnids,450; classtype:attempted-recon; sid:471; rev:3; SBRiskLevel:1; SBCategory:"attempted-recon";)
  318. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:303; msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:4; SBRiskLevel:1; SBCategory:"bad-unknown";)
  319. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:304; msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:4; SBRiskLevel:1; SBCategory:"bad-unknown";)
  320. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:305; msg:"ICMP superscan echo"; dsize:8; itype:8; content:"|00 00 00 00 00 00 00 00|"; classtype:attempted-recon; sid:474; rev:4; SBRiskLevel:1; SBCategory:"attempted-recon";)
  321. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:306; msg:"ICMP traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:attempted-recon; sid:475; rev:3; SBRiskLevel:1; SBCategory:"attempted-recon";)
  322. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:307; msg:"ICMP traceroute"; itype:8; ttl:1; reference:arachnids,118; classtype:attempted-recon; sid:385; rev:4; SBRiskLevel:1; SBCategory:"attempted-recon";)
  323. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:308; msg:"ICMP unassigned type 1 undefined code"; itype:1; classtype:misc-activity; sid:459; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  324. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:309; msg:"ICMP unassigned type 1"; icode:0; itype:1; classtype:misc-activity; sid:458; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  325. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:310; msg:"ICMP unassigned type 2 undefined code"; itype:2; classtype:misc-activity; sid:461; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  326. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:311; msg:"ICMP unassigned type 2"; icode:0; itype:2; classtype:misc-activity; sid:460; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  327. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:312; msg:"ICMP unassigned type 7 undefined code"; itype:7; classtype:misc-activity; sid:463; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  328. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:313; msg:"ICMP unassigned type 7"; icode:0; itype:7; classtype:misc-activity; sid:462; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  329. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:314; msg:"ICMP webtrends scanner"; icode:0; itype:8; content:"|00 00 00 00|EEEEEEEEEEEE"; reference:arachnids,307; classtype:attempted-recon; sid:476; rev:4; SBRiskLevel:1; SBCategory:"attempted-recon";)
  330. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:315; msg:"ICMP webtrends scanner"; icode:0; itype:8; content:"|00 00 00 00|EEEEEEEEEEEE"; reference:arachnids,307; classtype:attempted-recon; sid:476; rev:4; SBRiskLevel:1; SBCategory:"attempted-recon";) 
  331. alert icmp $HOME_NET any -> $EXTERNAL_NET any (SBRuleId:316; msg:"ICMP Address Mask Reply"; icode:0; itype:18; classtype:misc-activity; sid:386; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  332. alert icmp $HOME_NET any -> $EXTERNAL_NET any (SBRuleId:317; msg:"ICMP Information Reply undefined code"; icode:>0; itype:16; classtype:misc-activity; sid:416; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  333. alert icmp $HOME_NET any -> $EXTERNAL_NET any (SBRuleId:318; msg:"ICMP Information Reply"; icode:0; itype:16; classtype:misc-activity; sid:415; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  334. alert icmp $HOME_NET any -> $EXTERNAL_NET any (SBRuleId:319; msg:"ICMP Time-To-Live Exceeded in Transit undefined code"; icode:>1; itype:11; classtype:misc-activity; sid:450; rev:8; SBRiskLevel:0; SBCategory:"misc-activity";)
  335. alert icmp $HOME_NET any -> $EXTERNAL_NET any (SBRuleId:320; msg:"ICMP Time-To-Live Exceeded in Transit"; icode:0; itype:11; classtype:misc-activity; sid:449; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  336. alert icmp any any -> any any (SBRuleId:321; msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4; SBRiskLevel:0; SBCategory:"misc-activity";)
  337. alert icmp any any -> any any (SBRuleId:322; msg:"ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited"; icode:10; itype:3; classtype:misc-activity; sid:486; rev:4; SBRiskLevel:0; SBCategory:"misc-activity";)
  338. alert icmp any any -> any any (SBRuleId:323; msg:"ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited"; icode:9; itype:3; classtype:misc-activity; sid:487; rev:4; SBRiskLevel:0; SBCategory:"misc-activity";)
  339.  
  340. #rulegroup Miscellaneous
  341. alert ip $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:324; msg:"MISC source route lssr"; ipopts:lsrr; reference:arachnids,418; reference:bugtraq,646; reference:cve,1999-0909; reference:url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx; classtype:bad-unknown; sid:500; rev:5; SBRiskLevel:1; SBCategory:"bad-unknown";)
  342. #alert ip $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:325; msg:"MISC source route lssre"; ipopts:lsrre; reference:arachnids,420; reference:bugtraq,646; reference:cve,1999-0909; reference:url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx; classtype:bad-unknown; sid:501; rev:5; SBRiskLevel:1; SBCategory:"bad-unknown";)
  343. alert ip $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:326; msg:"MISC source route ssrr"; ipopts:ssrr ; reference:arachnids,422; classtype:bad-unknown; sid:502; rev:2; SBRiskLevel:1; SBCategory:"bad-unknown";)
# AIM client-side exploits delivered as aim: URLs in server->client traffic (the AddGame overflow is
# CVE-2002-0005). Both rules only fire when the source is in $AIM_SERVERS; that variable is not defined
# anywhere in this file, so it must come from the engine configuration or the rules are dead.
alert tcp $AIM_SERVERS any -> $HOME_NET any (SBRuleId:327; msg:"MISC AIM AddExternalApp attempt"; flow:to_client,established; content:"aim|3A|AddExternalApp?"; nocase; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:1752; rev:4; SBRiskLevel:1; SBCategory:"misc-attack";)
alert tcp $AIM_SERVERS any -> $HOME_NET any (SBRuleId:328; msg:"MISC AIM AddGame attempt"; flow:to_client,established; content:"aim|3A|AddGame?"; nocase; reference:bugtraq,3769; reference:cve,2002-0005; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:1393; rev:12; SBRiskLevel:1; SBCategory:"misc-attack";)
# Source-port trick: a bare SYN (flags:S,12 - SYN set, the two reserved bits ignored) from source port 20
# or 53 to a privileged destination port. Packet filters that admit "return" FTP-data or DNS traffic by
# source port alone let such connections through. flow:stateless is required because the SYN precedes
# any tracked session. The :1023 destination range keeps normal active-FTP data (server port 20 to a
# client ephemeral port) from triggering the port-20 rule.
alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (SBRuleId:329; msg:"MISC Source Port 20 to <1024"; flow:stateless; flags:S,12; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:7; SBRiskLevel:1; SBCategory:"bad-unknown";)
alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (SBRuleId:330; msg:"MISC source port 53 to <1024"; flow:stateless; flags:S,12; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:7; SBRiskLevel:1; SBCategory:"bad-unknown";)
  348. alert tcp $EXTERNAL_NET any -> $HOME_NET 1417 (SBRuleId:331; msg:"MISC Insecure TIMBUKTU Password"; flow:to_server,established; content:"|05 00|>"; depth:16; reference:arachnids,229; classtype:bad-unknown; sid:505; rev:5; SBRiskLevel:1; SBCategory:"bad-unknown";)
  349. alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (SBRuleId:332; msg:"MISC Microsoft PPTP Start Control Request buffer overflow attempt"; flow:to_server,established,no_stream; dsize:>156; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; reference:bugtraq,5807; reference:cve,2002-1214; reference:url,www.microsoft.com/technet/security/bulletin/MS02-063.mspx; classtype:attempted-admin; sid:2126; rev:8; SBRiskLevel:2; SBCategory:"attempted-admin";)
  350. alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (SBRuleId:333; msg:"MISC Microsoft PPTP Start Control Request buffer overflow attempt"; flow:to_server,established,no_stream; dsize:>156; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; reference:bugtraq,5807; reference:cve,2002-1214; reference:url,www.microsoft.com/technet/security/bulletin/MS02-063.mspx; classtype:attempted-admin; sid:2126; rev:8; SBRiskLevel:2; SBCategory:"attempted-admin";) 
  351. alert tcp $EXTERNAL_NET any -> $HOME_NET 2533 (SBRuleId:334; msg:"MISC Alcatel PABX 4400 connection attempt"; flow:established,to_server; content:"|00 01|C"; depth:3; reference:nessus,11019; classtype:misc-activity; sid:1819; rev:5; SBRiskLevel:0; SBCategory:"misc-activity";)
  352. alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (SBRuleId:335; msg:"MISC MS Terminal Server no encryption session initiation attempt"; flow:to_server,established; content:"|03 00 01|"; depth:3; content:"|00|"; depth:1; offset:288; reference:url,www.microsoft.com/technet/security/bulletin/MS01-052.mspx; classtype:attempted-dos; sid:2418; rev:4; SBRiskLevel:1; SBCategory:"attempted-dos";)
  353. alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (SBRuleId:336; msg:"MISC MS Terminal server request RDP"; flow:to_server,established; content:"|03 00 00 0B 06 E0 00 00 00 00 00|"; depth:11; reference:bugtraq,3099; reference:cve,2001-0540; reference:url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx; classtype:protocol-command-decode; sid:1447; rev:12; SBRiskLevel:0; SBCategory:"protocol-command-decode";)
  354. alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (SBRuleId:337; msg:"MISC MS Terminal server request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|E0 00 00 00 00 00|"; depth:6; offset:5; reference:bugtraq,3099; reference:cve,2001-0540; reference:url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx; classtype:protocol-command-decode; sid:1448; rev:12; SBRiskLevel:0; SBCategory:"protocol-command-decode";)
  355. alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (SBRuleId:338; msg:"MISC distccd command execution attempt"; flow:to_server,established; content:"DIST00000001"; depth:12; nocase; reference:url,distcc.samba.org/security.html; classtype:misc-activity; sid:3061; rev:2; SBRiskLevel:0; SBCategory:"misc-activity";)
  356. alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (SBRuleId:339; msg:"MISC PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:507; rev:4; SBRiskLevel:2; SBCategory:"attempted-admin";)
  357. alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (SBRuleId:340; msg:"MISC Arkeia client backup generic info probe"; flow:established,to_server; content:"ARKFS|00|root|00|root"; nocase; reference:bugtraq,12594; classtype:attempted-recon; sid:3454; rev:1; SBRiskLevel:1; SBCategory:"attempted-recon";)
  358. alert tcp $EXTERNAL_NET any -> $HOME_NET 70 (SBRuleId:341; msg:"MISC gopher proxy"; flow:to_server,established; content:"ftp|3A|"; nocase; content:"@/"; reference:arachnids,409; classtype:bad-unknown; sid:508; rev:7; SBRiskLevel:1; SBCategory:"bad-unknown";)
  359. alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (SBRuleId:342; msg:"MISC xfs overflow attempt"; flow:to_server,established; dsize:>512; content:"B|00 02|"; depth:3; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:1987; rev:7; SBRiskLevel:0; SBCategory:"misc-activity";)
  360. alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (SBRuleId:343; msg:"MISC HP Web JetAdmin ExecuteFile admin access"; flow:to_server,established; content:"/plugins/framework/script/content.hts"; nocase; content:"ExecuteFile"; nocase; reference:bugtraq,10224; classtype:attempted-admin; sid:2655; rev:1; SBRiskLevel:2; SBCategory:"attempted-admin";)
  361. alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (SBRuleId:344; msg:"MISC HP Web JetAdmin file write attempt"; flow:to_server,established; content:"/plugins/framework/script/tree.xms"; nocase; content:"WriteToFile"; nocase; reference:bugtraq,9973; classtype:web-application-activity; sid:2549; rev:1; SBRiskLevel:1; SBCategory:"web-application-activity";)
  362. alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (SBRuleId:345; msg:"MISC HP Web JetAdmin remote file upload attempt"; flow:to_server,established; content:"/plugins/hpjwja/script/devices_update_printer_fw_upload.hts"; nocase; content:"Content-Type|3A|"; nocase; content:"Multipart"; distance:0; nocase; reference:bugtraq,9978; classtype:web-application-activity; sid:2547; rev:2; SBRiskLevel:1; SBCategory:"web-application-activity";)
  363. alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (SBRuleId:346; msg:"MISC HP Web JetAdmin setinfo access"; flow:to_server,established; content:"/plugins/hpjdwm/script/test/setinfo.hts"; nocase; reference:bugtraq,9972; classtype:web-application-activity; sid:2548; rev:1; SBRiskLevel:1; SBCategory:"web-application-activity";)
  364. alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (SBRuleId:347; msg:"MISC rsyncd module list access"; flow:to_server,established; content:"|23|list"; depth:5; classtype:misc-activity; sid:2047; rev:2; SBRiskLevel:0; SBCategory:"misc-activity";)
  365. alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (SBRuleId:348; msg:"MISC rsyncd overflow attempt"; flow:to_server; byte_test:2,>,4000,0; content:"|00 00|"; depth:2; offset:2; reference:bugtraq,9153; reference:cve,2003-0962; reference:nessus,11943; classtype:misc-activity; sid:2048; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  366. alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (SBRuleId:349; msg:"MISC OpenSSL Worm traffic"; flow:to_server,established; content:"TERM=xterm"; nocase; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:web-application-attack; sid:1887; rev:3; SBRiskLevel:2; SBCategory:"web-application-attack";)
  367. alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (SBRuleId:350; msg:"MISC BGP invalid type 0"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; content:"|00|"; within:1; distance:2; reference:bugtraq,6213; reference:cve,2002-1350; classtype:bad-unknown; sid:2159; rev:11; SBRiskLevel:1; SBCategory:"bad-unknown";)
  368. alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (SBRuleId:351; msg:"MISC CVS double free exploit attempt response"; flow:from_server,established; content:"free|28 29 3A| warning|3A| chunk is already free"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2010; rev:4; SBRiskLevel:1; SBCategory:"misc-attack";)
  369. alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (SBRuleId:352; msg:"MISC CVS invalid directory response"; flow:from_server,established; content:"E protocol error|3A| invalid directory syntax in"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2011; rev:4; SBRiskLevel:1; SBCategory:"misc-attack";)
  370. alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (SBRuleId:353; msg:"MISC CVS invalid module response"; flow:from_server,established; content:"cvs server|3A| cannot find module"; content:"error"; distance:1; classtype:misc-attack; sid:2013; rev:2; SBRiskLevel:1; SBCategory:"misc-attack";)
  371. alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (SBRuleId:354; msg:"MISC CVS invalid repository response"; flow:from_server,established; content:"error "; content:"|3A| no such repository"; content:"I HATE YOU"; classtype:misc-attack; sid:2009; rev:2; SBRiskLevel:1; SBCategory:"misc-attack";)
  372. alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (SBRuleId:355; msg:"MISC CVS invalid user authentication response"; flow:from_server,established; content:"E Fatal error, aborting."; content:"|3A| no such user"; classtype:misc-attack; sid:2008; rev:4; SBRiskLevel:1; SBCategory:"misc-attack";)
  373. alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (SBRuleId:356; msg:"MISC CVS missing cvsroot response"; flow:from_server,established; content:"E protocol error|3A| Root request missing"; classtype:misc-attack; sid:2012; rev:2; SBRiskLevel:1; SBCategory:"misc-attack";)
  374. alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (SBRuleId:357; msg:"MISC CVS non-relative path error response"; flow:from_server,established; content:"E cvs server|3A| warning|3A| cannot make directory CVS in /"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2317; rev:4; SBRiskLevel:1; SBCategory:"misc-attack";)
  375. alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (SBRuleId:358; msg:"MISC PCAnywhere Failed Login"; flow:from_server,established; content:"Invalid login"; depth:16; reference:arachnids,240; classtype:unsuccessful-user; sid:512; rev:4; SBRiskLevel:2; SBCategory:"unsuccessful-user";)
  376. alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (SBRuleId:359; msg:"MISC PCAnywhere Failed Login"; flow:from_server,established; content:"Invalid login"; depth:16; reference:arachnids,240; classtype:unsuccessful-user; sid:512; rev:4; SBRiskLevel:2; SBCategory:"unsuccessful-user";) 
  377. alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (SBRuleId:360; msg:"MISC ramen worm"; flow:to_server,established; content:"GET "; depth:8; nocase; reference:arachnids,461; classtype:bad-unknown; sid:514; rev:5; SBRiskLevel:1; SBCategory:"bad-unknown";)
  378. alert tcp $HOME_NET any -> $HOME_NET 2702 (SBRuleId:361; msg:"MISC Microsoft SMS remote control client DoS overly long length attempt"; flow:to_server,established; content:"RCH0"; nocase; content:"RCHE"; nocase; byte_test:2,>,131,-8,relative,little; isdataat:131,relative; reference:bugtraq,10726; reference:cve,2004-0728; classtype:attempted-user; sid:3673; rev:1; SBRiskLevel:2; SBCategory:"attempted-user";)
  379. alert tcp any any <> any 179 (SBRuleId:362; msg:"MISC BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; reference:bugtraq,6213; reference:cve,2002-1350; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2158; rev:8; SBRiskLevel:1; SBCategory:"bad-unknown";)
  380. alert udp $EXTERNAL_NET 2002 -> $HTTP_SERVERS 2002 (SBRuleId:363; msg:"MISC slapper worm admin traffic"; content:"|00 00|E|00 00|E|00 00|@|00|"; depth:10; reference:url,isc.incidents.org/analysis.html?id=167; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:trojan-activity; sid:1889; rev:5; SBRiskLevel:2; SBCategory:"trojan-activity";)
  381. alert udp $EXTERNAL_NET any -> $HOME_NET 161 (SBRuleId:364; msg:"MISC SNMP NT UserList"; content:"+|06 10|@|14 D1 02 19|"; reference:nessus,10546; classtype:attempted-recon; sid:516; rev:5; SBRiskLevel:1; SBCategory:"attempted-recon";)
  382. alert udp $EXTERNAL_NET any -> $HOME_NET 177 (SBRuleId:365; msg:"MISC xdmcp info query"; content:"|00 01 00 02 00 01 00|"; reference:nessus,10891; classtype:attempted-recon; sid:1867; rev:1; SBRiskLevel:1; SBCategory:"attempted-recon";)
  383. alert udp $EXTERNAL_NET any -> $HOME_NET 177 (SBRuleId:366; msg:"MISC xdmcp query"; content:"|00 01 00 03 00 01 00|"; reference:arachnids,476; classtype:attempted-recon; sid:517; rev:1; SBRiskLevel:1; SBCategory:"attempted-recon";)
  384. alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (SBRuleId:367; msg:"MISC UPnP Location overflow"; content:"Location|3A|"; nocase; reference:bugtraq,3723; reference:cve,2001-0876; classtype:misc-attack; sid:1388; rev:12; SBRiskLevel:1; SBCategory:"misc-attack";) 
  385. alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (SBRuleId:368; msg:"MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:1384; rev:8; SBRiskLevel:1; SBCategory:"misc-attack";)
  386. alert udp $EXTERNAL_NET any -> $HOME_NET 27155 (SBRuleId:369; msg:"MISC GlobalSunTech Access Point Information Disclosure attempt"; content:"gstsearch"; reference:bugtraq,6100; classtype:misc-activity; sid:1966; rev:2; SBRiskLevel:0; SBCategory:"misc-activity";)
  387. alert udp $EXTERNAL_NET any -> $HOME_NET 67 (SBRuleId:370; msg:"MISC bootp hardware address length overflow"; content:"|01|"; depth:1; byte_test:1,>,6,2; reference:cve,1999-0798; classtype:misc-activity; sid:1939; rev:4; SBRiskLevel:0; SBCategory:"misc-activity";)
  388. alert udp $EXTERNAL_NET any -> $HOME_NET 67 (SBRuleId:371; msg:"MISC bootp hostname format string attempt"; content:"|01|"; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; within:8; distance:1; content:"%"; within:8; distance:1; reference:bugtraq,4701; reference:cve,2002-0702; reference:nessus,11312; classtype:misc-attack; sid:2039; rev:6; SBRiskLevel:1; SBCategory:"misc-attack";)
  389. alert udp $EXTERNAL_NET any -> $HOME_NET 67 (SBRuleId:372; msg:"MISC bootp invalid hardware type"; content:"|01|"; depth:1; byte_test:1,>,7,1; reference:cve,1999-0798; classtype:misc-activity; sid:1940; rev:3; SBRiskLevel:0; SBCategory:"misc-activity";)
  390. alert udp $EXTERNAL_NET any -> $HOME_NET 7001 (SBRuleId:373; msg:"MISC AFS access"; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|"; reference:nessus,10441; classtype:misc-activity; sid:1504; rev:6; SBRiskLevel:0; SBCategory:"misc-activity";)
  391. alert udp $HOME_NET 49 -> $EXTERNAL_NET any (SBRuleId:374; msg:"MISC xtacacs failed login response"; content:"|80 02|"; depth:2; content:"|02|"; distance:4; classtype:misc-activity; sid:2041; rev:2; SBRiskLevel:0; SBCategory:"misc-activity";)
  392. alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (SBRuleId:375; msg:"MISC isakmp login failed"; content:"|10 05|"; depth:2; offset:17; content:"|00 00 00 01 01 00 00 18|"; within:8; distance:13; classtype:misc-activity; sid:2043; rev:2; SBRiskLevel:0; SBCategory:"misc-activity";)
  393.  
  394. #rulegroup Netbios
  395. alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (SBRuleId:376; msg:"NETBIOS DCERPC Workstation Service direct service bind attempt"; flow:to_server,established; content:"|05 00 0B|"; depth:3; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2315; rev:6; SBRiskLevel:1; SBCategory:"misc-attack";)
  396. alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (SBRuleId:377; msg:"NETBIOS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2251; rev:14; SBRiskLevel:2; SBCategory:"attempted-admin";)
  397. alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (SBRuleId:378; msg:"NETBIOS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2251; rev:14; SBRiskLevel:2; SBCategory:"attempted-admin";) 
  398. #alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (SBRuleId:377; msg:"NETBIOS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2251; rev:14; SBRiskLevel:2; SBCategory:"attempted-admin";)
  399. #alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (SBRuleId:378; msg:"NETBIOS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2251; rev:14; SBRiskLevel:2; SBCategory:"attempted-admin";) 
  400. alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (SBRuleId:379; msg:"NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2190; rev:3; SBRiskLevel:1; SBCategory:"attempted-dos";)
  401. alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (SBRuleId:380; msg:"NETBIOS name query overflow attempt TCP"; flow:to_server,established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; classtype:attempted-admin; sid:3195; rev:4; SBRiskLevel:2; SBCategory:"attempted-admin";)
  402. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:381; msg:"NETBIOS DOS RFPoison"; flow:to_server,established; content:"|5C 00 5C 00|*|00|S|00|M|00|B|00|S|00|E|00|R|00|V|00|E|00|R|00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00|"; reference:arachnids,454; classtype:attempted-dos; sid:529; rev:7; SBRiskLevel:1; SBCategory:"attempted-dos";)
  403. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:382; msg:"NETBIOS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; reference:arachnids,204; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:530; rev:10; SBRiskLevel:1; SBCategory:"attempted-recon";)
  404. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:383; msg:"NETBIOS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; reference:arachnids,204; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:530; rev:10; SBRiskLevel:1; SBCategory:"attempted-recon";) 
  405. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:384; msg:"NETBIOS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; reference:bugtraq,1163; reference:cve,2000-0347; reference:nessus,10392; classtype:attempted-recon; sid:1239; rev:9; SBRiskLevel:1; SBCategory:"attempted-recon";)
  406. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:385; msg:"NETBIOS SMB CD.."; flow:to_server,established; content:"|5C|../|00 00 00|"; reference:arachnids,338; classtype:attempted-recon; sid:534; rev:6; SBRiskLevel:1; SBCategory:"attempted-recon";)
  407. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:386; msg:"NETBIOS SMB CD..."; flow:to_server,established; content:"|5C|...|00 00 00|"; reference:arachnids,337; classtype:attempted-recon; sid:535; rev:6; SBRiskLevel:1; SBCategory:"attempted-recon";)
  408. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:387; msg:"NETBIOS SMB DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2309; rev:6; SBRiskLevel:1; SBCategory:"misc-attack";)
  409. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:388; msg:"NETBIOS SMB DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2308; rev:6; SBRiskLevel:1; SBCategory:"misc-attack";)
  410. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:389; msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00 00 00|"; depth:4; offset:43; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; sid:2101; rev:11; SBRiskLevel:1; SBCategory:"denial-of-service";)
  411. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:390; msg:"NETBIOS SMB Session Setup AndX request unicode username overflow attempt"; flow:to_server,established; content:"|00 00|"; distance:0; content:"|00 00|"; distance:0; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,128,6,relative; byte_test:2,>,255,54,relative,little; content:"|00|"; distance:56; content:"|00 00|"; distance:255; content:"|00 00|"; distance:0; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2403; rev:4; SBRiskLevel:2; SBCategory:"attempted-admin";)
  412. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:391; msg:"NETBIOS SMB Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2401; rev:4; SBRiskLevel:2; SBCategory:"attempted-admin";)
  413. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:392; msg:"NETBIOS SMB startup folder access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"Documents and Settings|5C|All Users|5C|Start Menu|5C|Programs|5C|Startup|00|"; distance:0; nocase; classtype:attempted-recon; sid:2176; rev:4; SBRiskLevel:1; SBCategory:"attempted-recon";)
  414. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:393; msg:"NETBIOS SMB startup folder access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"Documents and Settings|5C|All Users|5C|Start Menu|5C|Programs|5C|Startup|00|"; distance:0; nocase; classtype:attempted-recon; sid:2176; rev:4; SBRiskLevel:1; SBCategory:"attempted-recon";) 
  415. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:394; msg:"NETBIOS SMB startup folder unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|5C 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5C 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5C 00|S|00|t|00|a|00|r|00|t|00|u|00|p"; distance:0; nocase; classtype:attempted-recon; sid:2177; rev:4; SBRiskLevel:1; SBCategory:"attempted-recon";)
  416. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:395; msg:"NETBIOS SMB startup folder unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|5C 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5C 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5C 00|S|00|t|00|a|00|r|00|t|00|u|00|p"; distance:0; nocase; classtype:attempted-recon; sid:2177; rev:4; SBRiskLevel:1; SBCategory:"attempted-recon";) 
  417. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:396; msg:"NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 14|"; depth:2; offset:60; byte_test:2,>,256,0,relative,little; reference:bugtraq,7294; reference:cve,2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2103; rev:9; SBRiskLevel:2; SBCategory:"attempted-admin";)
  418. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:397; msg:"NETBIOS nimda .eml"; flow:to_server,established; content:"|00|.|00|E|00|M|00|L"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1293; rev:10; SBRiskLevel:1; SBCategory:"bad-unknown";)
  419. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:398; msg:"NETBIOS nimda .nws"; flow:to_server,established; content:"|00|.|00|N|00|W|00|S"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1294; rev:10; SBRiskLevel:1; SBCategory:"bad-unknown";)
  420. alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (SBRuleId:399; msg:"NETBIOS nimda RICHED20.DLL"; flow:to_server,established; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1295; rev:9; SBRiskLevel:1; SBCategory:"bad-unknown";)
  421. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (SBRuleId:400; msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2191; rev:3; SBRiskLevel:1; SBCategory:"attempted-dos";)
  422. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (SBRuleId:401; msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2191; rev:3; SBRiskLevel:1; SBCategory:"attempted-dos";) 
  423. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (SBRuleId:402; msg:"NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2193; rev:11; SBRiskLevel:0; SBCategory:"protocol-command-decode";) 
  424. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (SBRuleId:403; msg:"NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2258; rev:9; SBRiskLevel:2; SBCategory:"attempted-admin";)
  425. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (SBRuleId:404; msg:"NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2252; rev:14; SBRiskLevel:2; SBCategory:"attempted-admin";)
  426. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (SBRuleId:405; msg:"NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2252; rev:14; SBRiskLevel:2; SBCategory:"attempted-admin";) 
  427. #alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (SBRuleId:404; msg:"NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2252; rev:14; SBRiskLevel:2; SBCategory:"attempted-admin";)
  428. #alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (SBRuleId:405; msg:"NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2252; rev:14; SBRiskLevel:2; SBCategory:"attempted-admin";) 
  429. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (SBRuleId:406; msg:"NETBIOS SMB-DS DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2311; rev:7; SBRiskLevel:1; SBCategory:"misc-attack";)
  430. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (SBRuleId:407; msg:"NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2310; rev:8; SBRiskLevel:1; SBCategory:"misc-attack";)
  431. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (SBRuleId:408; msg:"NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt"; flow:to_server,established; content:"|00 00|"; distance:0; content:"|00 00|"; distance:0; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,128,6,relative; byte_test:2,>,255,54,relative,little; content:"|00|"; distance:56; content:"|00 00|"; distance:255; content:"|00 00|"; distance:0; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2404; rev:5; SBRiskLevel:2; SBCategory:"attempted-admin";)
  432. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (SBRuleId:409; msg:"NETBIOS SMB-DS Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2402; rev:5; SBRiskLevel:2; SBCategory:"attempted-admin";)
  433. alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (SBRuleId:410; msg:"NETBIOS SMB repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2923; rev:3; SBRiskLevel:2; SBCategory:"unsuccessful-user";)
  434. alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (SBRuleId:411; msg:"NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2924; rev:3; SBRiskLevel:2; SBCategory:"unsuccessful-user";)
  435. alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (SBRuleId:412; msg:"NETBIOS NS lookup short response attempt"; dsize:<56; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; reference:bugtraq,10334; reference:bugtraq,10335; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512C.html; classtype:attempted-admin; sid:2564; rev:4; SBRiskLevel:2; SBCategory:"attempted-admin";)
  436. alert udp $EXTERNAL_NET 137 -> $HOME_NET any (SBRuleId:413; msg:"NETBIOS NS lookup response name overflow attempt"; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; reference:bugtraq,10333; reference:bugtraq,10334; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html; classtype:attempted-admin; sid:2563; rev:4; SBRiskLevel:2; SBCategory:"attempted-admin";)
  437. alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (SBRuleId:414; msg:"NETBIOS DCERPC Workstation Service direct service access attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2316; rev:6; SBRiskLevel:1; SBCategory:"misc-attack";)
  438. alert udp $EXTERNAL_NET any -> $HOME_NET 135 (SBRuleId:415; msg:"NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2257; rev:9; SBRiskLevel:2; SBCategory:"attempted-admin";)
  439. alert udp $EXTERNAL_NET any -> $HOME_NET 135 (SBRuleId:416; msg:"NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2257; rev:9; SBRiskLevel:2; SBCategory:"attempted-admin";) 
  440. alert udp $EXTERNAL_NET any -> $HOME_NET 135 (SBRuleId:417; msg:"NETBIOS Messenger message little endian overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,8,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:3234; rev:2; SBRiskLevel:2; SBCategory:"attempted-admin";)
  441. alert udp $EXTERNAL_NET any -> $HOME_NET 135 (SBRuleId:418; msg:"NETBIOS Messenger message overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,!&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,align,relative; byte_jump:4,8,align,relative; byte_test:4,>,1024,8,relative; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:3235; rev:2; SBRiskLevel:2; SBCategory:"attempted-admin";)
  442. alert udp $EXTERNAL_NET any -> $HOME_NET 137 (SBRuleId:419; msg:"NETBIOS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; classtype:attempted-admin; sid:3196; rev:2; SBRiskLevel:2; SBCategory:"attempted-admin";)
  443.  
  444. #rulegroup Scans
  445. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:420; msg:"SCAN SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net"; classtype:network-scan; sid:1918; rev:6; SBRiskLevel:0; SBCategory:"network-scan";)
  446. alert icmp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:421; msg:"SCAN SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net"; classtype:network-scan; sid:1918; rev:6; SBRiskLevel:0; SBCategory:"network-scan";) 
  447. alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (SBRuleId:422; msg:"SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:613; rev:6; SBRiskLevel:1; SBCategory:"attempted-recon";)
  448. alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (SBRuleId:423; msg:"SCAN myscan"; stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:613; rev:6; SBRiskLevel:1; SBCategory:"attempted-recon";)
  449. alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (SBRuleId:424; msg:"SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:616; rev:4; SBRiskLevel:1; SBCategory:"attempted-recon";)
  450. alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (SBRuleId:425; msg:"SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; nocase; classtype:network-scan; sid:1638; rev:5; SBRiskLevel:0; SBCategory:"network-scan";)
  451. alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (SBRuleId:426; msg:"SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; reference:arachnids,146; classtype:attempted-recon; sid:619; rev:6; SBRiskLevel:1; SBCategory:"attempted-recon";)
  452. alert tcp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:427; msg:"SCAN FIN"; flow:stateless; flags:F,12; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:7; SBRiskLevel:1; SBCategory:"attempted-recon";)
  453. alert tcp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:428; msg:"SCAN FIN"; stateless; flags:F,12; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:7; SBRiskLevel:1; SBCategory:"attempted-recon";) 
  454. alert tcp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:429; msg:"SCAN NULL"; flow:stateless; ack:0; flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:6; SBRiskLevel:1; SBCategory:"attempted-recon";)
  455. alert tcp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:430; msg:"SCAN NULL"; stateless; ack:0; flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:6; SBRiskLevel:1; SBCategory:"attempted-recon";)
  456. alert tcp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:431; msg:"SCAN SYN FIN"; flow:stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:7; SBRiskLevel:1; SBCategory:"attempted-recon";)
  457. alert tcp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:432; msg:"SCAN SYN FIN"; stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:7; SBRiskLevel:1; SBCategory:"attempted-recon";) 
  458. alert tcp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:433; msg:"SCAN XMAS"; flow:stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:625; rev:7; SBRiskLevel:1; SBCategory:"attempted-recon";)
  459. alert tcp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:434; msg:"SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,149; classtype:attempted-recon; sid:626; rev:8; SBRiskLevel:1; SBCategory:"attempted-recon";)
  460. alert tcp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:435; msg:"SCAN cybercop os PA12 attempt"; stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,149; classtype:attempted-recon; sid:626; rev:8; SBRiskLevel:1; SBCategory:"attempted-recon";)
  461. alert tcp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:436; msg:"SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,150; classtype:attempted-recon; sid:627; rev:8; SBRiskLevel:1; SBCategory:"attempted-recon";)
  462. alert tcp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:437; msg:"SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,150; classtype:attempted-recon; sid:627; rev:8; SBRiskLevel:1; SBCategory:"attempted-recon";) 
  463. alert tcp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:438; msg:"SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:7; SBRiskLevel:1; SBCategory:"attempted-recon";)
  464. alert tcp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:439; msg:"SCAN nmap XMAS"; stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:7; SBRiskLevel:1; SBCategory:"attempted-recon";) 
  465. alert tcp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:440; msg:"SCAN nmap fingerprint attempt"; stateless; flags:SFPU; reference:arachnids,05; classtype:attempted-recon; sid:629; rev:2; SBRiskLevel:1; SBCategory:"attempted-recon";)
  466. alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (SBRuleId:441; msg:"SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:1133; rev:12; SBRiskLevel:1; SBCategory:"attempted-recon";)
  467. alert tcp any any -> any any (SBRuleId:442; msg:"PortScan"; kportscan; classtype:network-scan; sid:5000555; rev:2; SBRiskLevel:0; SBCategory:"network-scan";)
  468. alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (SBRuleId:443; msg:"SCAN Amanda client version request"; content:"Amanda"; nocase; classtype:attempted-recon; sid:634; rev:2; SBRiskLevel:1; SBCategory:"attempted-recon";)
  469. alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (SBRuleId:444; msg:"SCAN Amanda client version request"; content:"Amanda"; nocase; classtype:attempted-recon; sid:634; rev:2; SBRiskLevel:1; SBCategory:"attempted-recon";) 
  470. alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (SBRuleId:445; msg:"SCAN UPnP service discover attempt"; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; classtype:network-scan; sid:1917; rev:6; SBRiskLevel:0; SBCategory:"network-scan";)
  471. alert udp $EXTERNAL_NET any -> $HOME_NET 49 (SBRuleId:446; msg:"SCAN XTACACS logout"; content:"|80 07 00 00 07 00 00 04 00 00 00 00 00|"; reference:arachnids,408; classtype:bad-unknown; sid:635; rev:3; SBRiskLevel:1; SBCategory:"bad-unknown";)
  472. alert udp $EXTERNAL_NET any -> $HOME_NET 49 (SBRuleId:447; msg:"SCAN XTACACS logout"; content:"|80 07 00 00 07 00 00 04 00 00 00 00 00|"; reference:arachnids,408; classtype:bad-unknown; sid:635; rev:3; SBRiskLevel:1; SBCategory:"bad-unknown";) 
  473. alert udp $EXTERNAL_NET any -> $HOME_NET 7 (SBRuleId:448; msg:"SCAN cybercop udp bomb"; content:"cybercop"; reference:arachnids,363; classtype:bad-unknown; sid:636; rev:1; SBRiskLevel:1; SBCategory:"bad-unknown";)
  474. alert udp $EXTERNAL_NET any -> $HOME_NET any (SBRuleId:449; msg:"SCAN Webtrends Scanner UDP Probe"; content:"|0A|help|0A|quite|0A|"; reference:arachnids,308; classtype:attempted-recon; sid:637; rev:3; SBRiskLevel:1; SBCategory:"attempted-recon";)
  475.  
  476.