
  1. <IdsSignatureLib>
  2.    <Version>1.0.1000</Version>
  3.    <SerialNumber>1.0.1007</SerialNumber>
  4.    <IdsGlobal>
  5.       <IdsSignatureGroupZone>
  6.         <IdsSignatureGroup Id="00000000000000000011000C00000000" Name="SVCHOST_group" Enable="1" Severity="1" Description="SVCHOST_group" ApplicationGroupLink="APP_SVCHOST">
                 <!-- Review notes (SVCHOST_group):
                      * Both rules match inbound UDP to local port 1900 only (daddr=$LOCALHOST, dest=(1900),
                        the SSDP/UPnP discovery port) and DROP the datagram.
                      * The content strings are a header name ("Location:", spelled with \x3A) and the
                        "NOTIFY * " request line. Both occur in ordinary SSDP advertisements, so as written
                        these rules appear to drop every inbound UPnP notification, not only oversized or
                        malformed ones; expect UPnP discovery on this host to stop while they are enabled.
                        Confirm against the engine's content-match semantics before tuning.
                      * LogEvent="0" presumably suppresses event logging (attribute semantics are not defined
                        in this file); if so, these drops leave no event to investigate.
                      * ApplicationGroupLink="APP_SVCHOST" refers to an application group defined outside
                        this file. -->
  7.             <IdsSignature Id="00000000000000000011000C00000001" Name="UPnP Location overflow" Enable="1" Severity="10" Description="UPnP Location overflow">
  8.                <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, dest=(1900), msg="E230010 MISC UPnP Location overflow", content="Location\x3A"</IdsTrafficCondition>
  9.                <Action LogEvent="0" PacketProcess="DROP"/>
  10.             </IdsSignature>
  11.             <IdsSignature Id="00000000000000000011000C00000002" Name="UPnP malformed advertisement" Enable="1" Severity="10" Description="UPnP malformed advertisement">
  12.                <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, dest=(1900), msg="E230011 MISC UPnP malformed advertisement", content="NOTIFY * "</IdsTrafficCondition>
  13.                <Action LogEvent="0" PacketProcess="DROP"/>
  14.             </IdsSignature>
  15.          </IdsSignatureGroup>
  16.          <IdsSignatureGroup Id="00000000000000000011000300000000" Name="IISweb_GROUP" Enable="1" Severity="1" Description="IIS IDS signature group" ApplicationGroupLink="APP_IIS_WEB">
                  <!-- Review notes (IISweb_GROUP):
                       * Every rule here is "rule tcp, daddr=$LOCALHOST, ..., tcp_flag&ack, content=..." with
                         no dest= port clause, so unlike the dest=(1900) rules in the UPnP group these inspect
                         inbound TCP on any destination port. Each match is a literal substring of the payload.
                       * Several content strings carry a trailing H modifier ("..."H). Its meaning is not
                         defined in this file (possibly a URL/HTTP-decoded match); confirm against the engine's
                         rule grammar before assuming percent-encoded variants of the same path are covered.
                       * "tcp_flag&ack" contains a bare ampersand, which is not well-formed XML 1.0. A
                         conformant XML parser rejects this document, so the file depends on the product's own
                         lenient reader. Do not round-trip it through a standard XML toolchain, and do not
                         rewrite the ampersand as an entity reference without confirming that reader accepts one.
                       * Every Action is DROP with LogEvent="0". LogEvent="0" presumably suppresses logging
                         (semantics not defined here); if so, matches are blocked silently with no event trail.
                       * HostType="PASSIVE" is set on every rule in this group but absent from the UPnP group;
                         its meaning is not defined in this file. -->
                  <!-- The three rules below match the literal percent-encoded sequences %c1%1c, %c1%9c and
                       %c0%af inside "/scripts/..X../". Because this is an exact-string match, coverage is
                       limited to exactly these three encodings and to the /scripts/ prefix. -->
  17.             <IdsSignature Id="00000000000000000011000300000001" Name="File Permission Canonicalization" Enable="1" Severity="11" Description="File Permission Canonicalization(Chinese charset)" HostType="PASSIVE">
  18.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, msg="E10000 WEB-IIS File permission canonicalization(Chinese charset)", content="/scripts/..%c1%1c../", tcp_flag&ack</IdsTrafficCondition>
  19.                <Action LogEvent="0" PacketProcess="DROP"/>
  20.             </IdsSignature>
  21.             <IdsSignature Id="00000000000000000011000300000002" Name="File permission canonicalization" Enable="1" Severity="11" Description="File permission canonicalization %c1%9c" HostType="PASSIVE">
  22.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, msg="E10001 WEB-IIS File permission canonicalization", content="/scripts/..%c1%9c../", tcp_flag&ack</IdsTrafficCondition>
  23.                <Action LogEvent="0" PacketProcess="DROP"/>
  24.             </IdsSignature>
  25.             <IdsSignature Id="00000000000000000011000300000003" Name="File permission canonicalization" Enable="1" Severity="11" Description="File permission canonicalization %c0%af" HostType="PASSIVE">
  26.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, msg="E10002 WEB-IIS File permission canonicalization", content="/scripts/..%c0%af../", tcp_flag&ack</IdsTrafficCondition>
  27.                <Action LogEvent="0" PacketProcess="DROP"/>
  28.             </IdsSignature>
                  <!-- The msg text below says "showcode" while Name, Description and the matched path say
                       ViewCode.asp; the logged text and the rule name disagree (cosmetic, but confusing when
                       reviewing events). -->
  29.             <IdsSignature Id="00000000000000000011000300000006" Name="Viewcode access" Enable="1" Severity="11" Description="Viewcode access" HostType="PASSIVE">
  30.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, msg="D10006 WEB-IIS showcode access", content="/Sites/Samples/Knowledge/Push/ViewCode.asp"H, tcp_flag&ack</IdsTrafficCondition>
  31.                <Action LogEvent="0" PacketProcess="DROP"/>
  32.             </IdsSignature>
  33.             <IdsSignature Id="00000000000000000011000300000007" Name="Jet VBA access" Enable="1" Severity="11" Description="Jet VBA access" HostType="PASSIVE">
  34.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, msg="D10007 WEB-IIS JET VBA access", tcp_flag&ack, content="/scripts/samples/details.idc"H</IdsTrafficCondition>
  35.                <Action LogEvent="0" PacketProcess="DROP"/>
  36.             </IdsSignature>
  37.             <IdsSignature Id="00000000000000000011000300000008" Name="newdsn.exe access" Enable="1" Severity="11" Description="newdsn.exe access" HostType="PASSIVE">
  38.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, msg="D10008 WEB-IIS newdsn.exe access",tcp_flag&ack, content="/scripts/tools/newdsn.exe"H</IdsTrafficCondition>
  39.                <Action LogEvent="0" PacketProcess="DROP"/>
  40.             </IdsSignature>
  41.             <IdsSignature Id="00000000000000000011000300000009" Name="Jet VBA access 2" Enable="1" Severity="11" Description="Jet VBA access (ctguestb.idc)" HostType="PASSIVE">
  42.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, msg="D10009 WEB-IIS JET VBA access",tcp_flag&ack, content="/scripts/samples/ctguestb.idc"H</IdsTrafficCondition>
  43.                <Action LogEvent="0" PacketProcess="DROP"/>
  44.             </IdsSignature>
  45.             <IdsSignature Id="0000000000000000001100030000000A" Name="Jet VBA access 3" Enable="1" Severity="11" Description="Jet VBA access (catalog_type.asp)" HostType="PASSIVE">
  46.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, msg="D10010 WEB-IIS jet vba access",tcp_flag&ack, content="/advworks/equipment/catalog_type.asp"H</IdsTrafficCondition>
  47.                <Action LogEvent="0" PacketProcess="DROP"/>
  48.             </IdsSignature>
  49.             <IdsSignature Id="0000000000000000001100030000000B" Name="WEB-FRONTPAGE _vti_rpc access" Enable="1" Severity="10" Description="WEB-FRONTPAGE _vti_rpc access" HostType="PASSIVE">
  50.                <IdsTrafficCondition>rule tcp,daddr=$LOCALHOST,msg="D11500 WEB-FRONTPAGE _vti_rpc access",tcp_flag&ack,content="/_vti_rpc"</IdsTrafficCondition>
  51.                <Action LogEvent="0" PacketProcess="DROP"/>
  52.             </IdsSignature>
  53.             <IdsSignature Id="0000000000000000001100030000000E" Name="WEB-FRONTPAGE shtml.dll" Enable="1" Severity="10" Description="WEB-FRONTPAGE shtml.dll" HostType="PASSIVE">
  54.                <IdsTrafficCondition>rule tcp,daddr=$LOCALHOST,msg="D11503 WEB-FRONTPAGE shtml.dll",content="/_vti_bin/shtml.dll",tcp_flag&ack</IdsTrafficCondition>
  55.                <Action LogEvent="0" PacketProcess="DROP"/>
  56.             </IdsSignature>
  57.             <IdsSignature Id="0000000000000000001100030000000F" Name="WEB-FRONTPAGE contents.htm access" Enable="1" Severity="10" Description="WEB-FRONTPAGE contents.htm access" HostType="PASSIVE">
  58.                <IdsTrafficCondition>rule tcp,daddr=$LOCALHOST,msg="D11504 WEB-FRONTPAGE contents.htm access",tcp_flag&ack,content="/admcgi/contents.htm"</IdsTrafficCondition>
  59.                <Action LogEvent="0" PacketProcess="DROP"/>
  60.             </IdsSignature>
  61.             <IdsSignature Id="00000000000000000011000300000010" Name="WEB-FRONTPAGE orders.htm access" Enable="1" Severity="10" Description="WEB-FRONTPAGE orders.htm access" HostType="PASSIVE">
  62.                <IdsTrafficCondition>rule tcp,daddr=$LOCALHOST,msg="D11505 WEB-FRONTPAGE orders.htm access",tcp_flag&ack,content="/_private/orders.htm"</IdsTrafficCondition>
  63.                <Action LogEvent="0" PacketProcess="DROP"/>
  64.             </IdsSignature>
  65.             <IdsSignature Id="00000000000000000011000300000015" Name="WEB-FRONTPAGE orders.txt access" Enable="1" Severity="10" Description="WEB-FRONTPAGE orders.txt access" HostType="PASSIVE">
  66.                <IdsTrafficCondition>rule tcp,daddr=$LOCALHOST,msg="D11510 WEB-FRONTPAGE orders.txt access",tcp_flag&ack,content="/_private/orders.txt"</IdsTrafficCondition>
  67.                <Action LogEvent="0" PacketProcess="DROP"/>
  68.             </IdsSignature>
  69.             <IdsSignature Id="00000000000000000011000300000016" Name="WEB-FRONTPAGE form_results access" Enable="1" Severity="10" Description="WEB-FRONTPAGE form_results access" HostType="PASSIVE">
  70.                <IdsTrafficCondition>rule tcp,daddr=$LOCALHOST,msg="D11511 WEB-FRONTPAGE form_results access",tcp_flag&ack,content="/_private/form_results.txt"</IdsTrafficCondition>
  71.                <Action LogEvent="0" PacketProcess="DROP"/>
  72.             </IdsSignature>
  73.             <IdsSignature Id="00000000000000000011000300000017" Name="WEB-FRONTPAGE registrations.htm access" Enable="1" Severity="10" Description="WEB-FRONTPAGE registrations.htm access" HostType="PASSIVE">
  74.                <IdsTrafficCondition>rule tcp,daddr=$LOCALHOST,msg="D11512 WEB-FRONTPAGE registrations.htm access",tcp_flag&ack,content="/_private/registrations.htm"</IdsTrafficCondition>
  75.                <Action LogEvent="0" PacketProcess="DROP"/>
  76.             </IdsSignature>
  77.             <IdsSignature Id="0000000000000000001100030000001C" Name="WEB-FRONTPAGE form_results.htm access" Enable="1" Severity="10" Description="WEB-FRONTPAGE form_results.htm access" HostType="PASSIVE">
  78.                <IdsTrafficCondition>rule tcp,daddr=$LOCALHOST,msg="D11517 WEB-FRONTPAGE form_results.htm access",tcp_flag&ack,content="/_private/form_results.htm"</IdsTrafficCondition>
  79.                <Action LogEvent="0" PacketProcess="DROP"/>
  80.             </IdsSignature>
  81.             <IdsSignature Id="0000000000000000001100030000001D" Name="WEB-FRONTPAGE access.cnf access" Enable="1" Severity="10" Description="WEB-FRONTPAGE access.cnf access" HostType="PASSIVE">
  82.                <IdsTrafficCondition>rule tcp,daddr=$LOCALHOST,msg="D11518 WEB-FRONTPAGE access.cnf access",tcp_flag&ack,content="/_vti_pvt/access.cnf"</IdsTrafficCondition>
  83.                <Action LogEvent="0" PacketProcess="DROP"/>
  84.             </IdsSignature>
  85.             <IdsSignature Id="0000000000000000001100030000001E" Name="WEB-FRONTPAGE register.txt access" Enable="1" Severity="10" Description="WEB-FRONTPAGE register.txt access" HostType="PASSIVE">
  86.                <IdsTrafficCondition>rule tcp,daddr=$LOCALHOST,msg="D11519 WEB-FRONTPAGE register.txt access",tcp_flag&ack,content="/_private/register.txt"</IdsTrafficCondition>
  87.                <Action LogEvent="0" PacketProcess="DROP"/>
  88.             </IdsSignature>
  89.             <IdsSignature Id="0000000000000000001100030000001F" Name="WEB-FRONTPAGE registrations.txt access" Enable="1" Severity="10" Description="WEB-FRONTPAGE registrations.txt access" HostType="PASSIVE">
  90.                <IdsTrafficCondition>rule tcp,daddr=$LOCALHOST,msg="D11520 WEB-FRONTPAGE registrations.txt access",tcp_flag&ack,content="/_private/registrations.txt"</IdsTrafficCondition>
  91.                <Action LogEvent="0" PacketProcess="DROP"/>
  92.             </IdsSignature>
  93.             <IdsSignature Id="00000000000000000011000300000020" Name="WEB-FRONTPAGE service.cnf access" Enable="1" Severity="10" Description="WEB-FRONTPAGE service.cnf access" HostType="PASSIVE">
  94.                <IdsTrafficCondition>rule tcp,daddr=$LOCALHOST,msg="D11521 WEB-FRONTPAGE service.cnf access",tcp_flag&ack,content="/_vti_pvt/service.cnf"</IdsTrafficCondition>
  95.                <Action LogEvent="0" PacketProcess="DROP"/>
  96.             </IdsSignature>
  97.             <IdsSignature Id="00000000000000000011000300000022" Name="WEB-FRONTPAGE service.stp access" Enable="1" Severity="10" Description="WEB-FRONTPAGE service.stp access" HostType="PASSIVE">
  98.                <IdsTrafficCondition>rule tcp,daddr=$LOCALHOST,msg="D11523 WEB-FRONTPAGE service.stp access",tcp_flag&ack,content="/_vti_pvt/service.stp"</IdsTrafficCondition>
  99.                <Action LogEvent="0" PacketProcess="DROP"/>
  100.             </IdsSignature>
  101.             <IdsSignature Id="00000000000000000011000300000023" Name="WEB-FRONTPAGE services.cnf access" Enable="1" Severity="10" Description="WEB-FRONTPAGE services.cnf access" HostType="PASSIVE">
  102.                <IdsTrafficCondition>rule tcp,daddr=$LOCALHOST,msg="D11524 WEB-FRONTPAGE services.cnf access",tcp_flag&ack,content="/_vti_pvt/services.cnf"</IdsTrafficCondition>
  103.                <Action LogEvent="0" PacketProcess="DROP"/>
  104.             </IdsSignature>
  105.             <IdsSignature Id="00000000000000000011000300000025" Name="WEB-FRONTPAGE svcacl.cnf access" Enable="1" Severity="10" Description="WEB-FRONTPAGE svcacl.cnf access" HostType="PASSIVE">
  106.                <IdsTrafficCondition>rule tcp,daddr=$LOCALHOST,msg="D11526 WEB-FRONTPAGE svcacl.cnf access",tcp_flag&ack,content="/_vti_pvt/svcacl.cnf"</IdsTrafficCondition>
  107.                <Action LogEvent="0" PacketProcess="DROP"/>
  108.             </IdsSignature>
                  <!-- NOTE(review): the content below, "_vti_pvt/writeto.cnf", lacks the leading "/" that
                       every sibling _vti_pvt rule has. As a substring match it still matches
                       "/_vti_pvt/writeto.cnf", so this is broader rather than a gap, but it looks like an
                       omission; confirm it is intended. -->
  109.             <IdsSignature Id="00000000000000000011000300000027" Name="WEB-FRONTPAGE writeto.cnf access" Enable="1" Severity="10" Description="WEB-FRONTPAGE writeto.cnf access" HostType="PASSIVE">
  110.                <IdsTrafficCondition>rule tcp,daddr=$LOCALHOST,msg="D11528 WEB-FRONTPAGE writeto.cnf access",tcp_flag&ack,content="_vti_pvt/writeto.cnf"</IdsTrafficCondition>
  111.                <Action LogEvent="0" PacketProcess="DROP"/>
  112.             </IdsSignature>
                  <!-- The "fourdots" content is the five bytes "..../" (\x2e\x2e\x2e\x2e\x2f). With no port
                       restriction and no protocol context, this short generic pattern is likely to fire on
                       unrelated inbound TCP payloads that happen to contain it; review for false positives
                       before relying on it as a DROP rule. -->
  113.             <IdsSignature Id="00000000000000000011000300000028" Name="WEB-FRONTPAGE fourdots request" Enable="1" Severity="10" Description="WEB-FRONTPAGE fourdots request" HostType="PASSIVE">
  114.                <IdsTrafficCondition>rule tcp,daddr=$LOCALHOST,msg="D11529 WEB-FRONTPAGE fourdots request",tcp_flag&ack,content="\x2e\x2e\x2e\x2e\x2f"</IdsTrafficCondition>
  115.                <Action LogEvent="0" PacketProcess="DROP"/>
  116.             </IdsSignature>
  117.             <IdsSignature Id="0000000000000000001100030000002A" Name="WEB-FRONTPAGE register.htm access" Enable="1" Severity="10" Description="WEB-FRONTPAGE register.htm access" HostType="PASSIVE">
  118.                <IdsTrafficCondition>rule tcp,daddr=$LOCALHOST,msg="D11531 WEB-FRONTPAGE register.htm access",tcp_flag&ack,content="/_private/register.htm"</IdsTrafficCondition>
  119.                <Action LogEvent="0" PacketProcess="DROP"/>
  120.             </IdsSignature>
  121.         <IdsSignature Id="0000000000000000001100030000002B" Name="webhits.exe access" Enable="1" Severity="11" Description="webhits.exe access attack" HostType="PASSIVE">
  122.                <IdsTrafficCondition>rule tcp,daddr=$LOCALHOST,msg="D12016 WEB-MISC webhits.exe access",tcp_flag&ack,content="/scripts/samples/search/webhits.exe"H</IdsTrafficCondition>
  123.                <Action LogEvent="0" PacketProcess="DROP"/>
  124.             </IdsSignature>
  125.          </IdsSignatureGroup>
  126.          <IdsSignatureGroup Id="00000000000000000011000800000000" Name="IDS Trojan Group" Enable="1" Severity="2" Description="IDS signature for Trojans" ApplicationGroupLink="APP_OTHER">
  127.             <IdsSignature Id="00000000000000000011000800000001" Name="Possible QAZ worm infection" Enable="1" Severity="10" Description="Possible QAZ worm infection" HostType="PASSIVE">
  128.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(139), msg="D20000 Virus - Possible QAZ Worm Infection",tcp_flag&ack, content="\x71\x61\x7a\x77\x73\x78\x2e\x68\x73\x71"C</IdsTrafficCondition>
  129.                <Action LogEvent="0" PacketProcess="DROP"/>
  130.             </IdsSignature>
  131.             <IdsSignature Id="00000000000000000011000800000002" Name="BackDoor Dagger_1.4.0_client_connect" Enable="1" Severity="10" Description="BackDoor Dagger_1.4.0_client_connect" HostType="PASSIVE">
  132.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, source=(1024-65535), dest=(2589),  msg= "E20004 BACKDOOR - Dagger_1.4.0_client_connect", tcp_flag&ack, content="\x0b\x00\x00\x00\x07\x00\x00\x00Connect"C(0,16)</IdsTrafficCondition>
  133.                <Action LogEvent="0" PacketProcess="DROP"/>
  134.             </IdsSignature>
  135.             <IdsSignature Id="00000000000000000011000800000003" Name="BACKDOOR - Dagger_1.4.0" Enable="1" Severity="10" Description="BACKDOOR - Dagger_1.4.0" HostType="PASSIVE">
  136.                <IdsTrafficCondition>rule tcp, saddr=$LOCALHOST, source=(2589), dest=(1024-65535), msg= "E20005 BACKDOOR - Dagger_1.4.0", tcp_flag&ack, content="\x32\x00\x00\x00\x06\x00\x00\x00Drives\x24\x00"C(0,16)</IdsTrafficCondition>
  137.                <Action LogEvent="0" PacketProcess="DROP"/>
  138.             </IdsSignature>
  139.             <IdsSignature Id="00000000000000000011000800000004" Name="BACKDOOR subseven DEFCON8 2.1" Enable="1" Severity="10" Description="BACKDOOR subseven DEFCON8 2.1 access" HostType="PASSIVE">
  140.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, source=(16959),  msg="E20007 BACKDOOR subseven DEFCON8 2.1 access", content="PWD", content="acidphreak", tcp_flag&ack </IdsTrafficCondition>
  141.                <Action LogEvent="0" PacketProcess="DROP"/>
  142.             </IdsSignature>
  143.             <IdsSignature Id="00000000000000000011000800000005" Name=" QAZ Worm" Enable="1" Severity="10" Description=" QAZ Worm Client Login access" HostType="PASSIVE">
  144.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(7597),  msg="E20009 BACKDOOR QAZ Worm Client Login access", tcp_flag&ack, content="\x71\x61\x7a\x77\x73\x78\x2e\x68\x73\x71"C</IdsTrafficCondition>
  145.                <Action LogEvent="0" PacketProcess="DROP"/>
  146.             </IdsSignature>
  147.             <IdsSignature Id="00000000000000000011000800000006" Name=" BACKDOOR netbus" Enable="1" Severity="10" Description=" BACKDOOR netbus active" HostType="PASSIVE">
  148.                <IdsTrafficCondition>rule tcp, saddr=$LOCALHOST, source=(12345),  msg="E20010 BACKDOOR netbus active", tcp_flag&ack, content="NetBus"C</IdsTrafficCondition>
  149.                <Action LogEvent="0" PacketProcess="DROP"/>
  150.             </IdsSignature>
  151.             <IdsSignature Id="00000000000000000011000800000007" Name=" BACKDOOR netbus" Enable="1" Severity="10" Description=" BACKDOOR netbus getinfo" HostType="PASSIVE">
  152.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(12345,12346),  msg="E20011 BACKDOOR netbus getinfo", tcp_flag&ack, content="GetInfo\x0d"C</IdsTrafficCondition>
  153.                <Action LogEvent="0" PacketProcess="DROP"/>
  154.             </IdsSignature>
  155.             <IdsSignature Id="00000000000000000011000800000008" Name="BACKDOOR BackOrifice" Enable="1" Severity="10" Description="BACKDOOR BackOrifice access" HostType="PASSIVE">
  156.                <IdsTrafficCondition>rule tcp, saddr=$LOCALHOST, source=(80),  msg="E20012 BACKDOOR BackOrifice access", tcp_flag&ack, content="server\x3aBO\x2f"C</IdsTrafficCondition>
  157.                <Action LogEvent="0" PacketProcess="DROP"/>
  158.             </IdsSignature>
  159.             <IdsSignature Id="00000000000000000011000800000009" Name="BACKDOOR DeepThroat" Enable="1" Severity="10" Description="BACKDOOR DeepThroat access">
  160.                <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(4120),  msg="E20013 BACKDOOR DeepThroat access", content="--Ahhhhhhhhhh"C</IdsTrafficCondition>
  161.                <Action LogEvent="0" PacketProcess="DROP"/>
  162.             </IdsSignature>
  163.             <IdsSignature Id="0000000000000000001100080000000A" Name=" BACKDOOR netbus" Enable="1" Severity="10" Description=" BACKDOOR netbus active" HostType="PASSIVE">
  164.                <IdsTrafficCondition>rule tcp, saddr=$LOCALHOST, source=(12346),   msg="E20014 BACKDOOR netbus active", tcp_flag&ack, content="NetBus"C</IdsTrafficCondition>
  165.                <Action LogEvent="0" PacketProcess="DROP"/>
  166.             </IdsSignature>
  167.             <IdsSignature Id="0000000000000000001100080000000B" Name=" BACKDOOR netbus" Enable="1" Severity="10" Description=" BACKDOOR netbus active" HostType="PASSIVE">
  168.                <IdsTrafficCondition>rule tcp, saddr=$LOCALHOST, source=(20034),  msg="E20015 BACKDOOR netbus active", tcp_flag&ack, content="NetBus"C</IdsTrafficCondition>
  169.                <Action LogEvent="0" PacketProcess="DROP"/>
  170.             </IdsSignature>
  171.             <IdsSignature Id="0000000000000000001100080000000C" Name=" BACKDOOR BackOrifice" Enable="1" Severity="10" Description=" BACKDOOR BackOrifice access" HostType="PASSIVE">
  172.                <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, dest=(31337),  msg="E20016 BACKDOOR BackOrifice access", content="\xce\x63\xd1\xd2\x16\xe7\x13\xcf\x39\xa5\xa5\x86"C</IdsTrafficCondition>
  173.                <Action LogEvent="0" PacketProcess="DROP"/>
  174.             </IdsSignature>
  175.             <IdsSignature Id="0000000000000000001100080000000D" Name="BACKDOOR Infector.1.x" Enable="1" Severity="10" Description="BACKDOOR Infector.1.x" HostType="PASSIVE">
  176.                <IdsTrafficCondition>rule tcp, saddr=$LOCALHOST, source=(146), dest=(1024), msg="E20017 BACKDOOR Infector.1.x", content="WHATISIT"C, tcp_flag&ack</IdsTrafficCondition>
  177.                <Action LogEvent="0" PacketProcess="DROP"/>
  178.             </IdsSignature>
  179.             <IdsSignature Id="0000000000000000001100080000000E" Name="BACKDOOR SatansBackdoor.2.0.Beta" Enable="1" Severity="10" Description="BACKDOOR SatansBackdoor.2.0.Beta" HostType="PASSIVE">
  180.                <IdsTrafficCondition>rule tcp, saddr=$LOCALHOST, source=(666), dest=(1024), msg="E20018 BACKDOOR SatansBackdoor.2.0.Beta", content="Remote\x3A You are connected to me."C, tcp_flag&ack</IdsTrafficCondition>
  181.                <Action LogEvent="0" PacketProcess="DROP"/>
  182.             </IdsSignature>
  183.             <IdsSignature Id="0000000000000000001100080000000F" Name=" BACKDOOR Doly 2.0 access" Enable="1" Severity="10" Description=" BACKDOOR Doly 2.0 access" HostType="PASSIVE">
  184.                <IdsTrafficCondition>rule tcp, saddr=$LOCALHOST, source=(6789),  msg="E20019 BACKDOOR Doly 2.0 access", content="\x57\x74\x7a\x75\x70\x20\x55\x73\x65"C(0,32), tcp_flag&ack</IdsTrafficCondition>
  185.                <Action LogEvent="0" PacketProcess="DROP"/>
  186.             </IdsSignature>
  187.             <IdsSignature Id="00000000000000000011000800000010" Name=" BACKDOOR Infector 1.6" Enable="1" Severity="10" Description="BACKDOOR Infector 1.6 Server to Client" HostType="PASSIVE">
  188.                <IdsTrafficCondition>rule tcp, saddr=$LOCALHOST, source=(146), dest=(1000-1300),  msg="E20020 BACKDOOR Infector 1.6 Server to Client", content="\x57\x48\x41\x54\x49\x53\x49\x54"C, tcp_flag&ack </IdsTrafficCondition>
  189.                <Action LogEvent="0" PacketProcess="DROP"/>
  190.             </IdsSignature>
  191.             <IdsSignature Id="00000000000000000011000800000011" Name="BACKDOOR Infector 1.6" Enable="1" Severity="10" Description="BACKDOOR Infector 1.6 Client to Server" HostType="PASSIVE">
  192.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, source=(1000-1300), dest=(146),  msg="E20021 BACKDOOR Infector 1.6 Client to Server Connection Request", content="\x46\x43\x20"C, tcp_flag&ack</IdsTrafficCondition>
  193.                <Action LogEvent="0" PacketProcess="DROP"/>
  194.             </IdsSignature>
  195.             <IdsSignature Id="00000000000000000011000800000012" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 System Info Client Request">
  196.                <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20022 BACKDOOR DeepThroat 3.1 System Info Client Request", content="13"C</IdsTrafficCondition>
  197.                <Action LogEvent="0" PacketProcess="DROP"/>
  198.             </IdsSignature>
  199.             <IdsSignature Id="00000000000000000011000800000013" Name="DeepThroat 3.1" Enable="1" Severity="10" Description="DeepThroat 3.1 Server FTP Port Change Client Request">
  200.                <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20023 BACKDOOR DeepThroat 3.1 Server FTP Port Change Client Request", content="21"C</IdsTrafficCondition>
  201.                <Action LogEvent="0" PacketProcess="DROP"/>
  202.             </IdsSignature>
  203.             <IdsSignature Id="00000000000000000011000800000014" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 FTP Status Client Request">
  204.                <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20024 BACKDOOR DeepThroat 3.1 FTP Status Client Request", content="09"C</IdsTrafficCondition>
  205.                <Action LogEvent="0" PacketProcess="DROP"/>
  206.             </IdsSignature>
  207.             <IdsSignature Id="00000000000000000011000800000015" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 E-Mail Info From Server">
  208.                <IdsTrafficCondition>rule udp, saddr=$LOCALHOST, source=(2140), dest=(60000), msg="E20025 BACKDOOR DeepThroat 3.1 E-Mail Info From Server", content="Retreaving"C</IdsTrafficCondition>
  209.                <Action LogEvent="0" PacketProcess="DROP"/>
  210.             </IdsSignature>
  211.             <IdsSignature Id="00000000000000000011000800000016" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 E-Mail Info Client Request">
  212.                <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20026 BACKDOOR DeepThroat 3.1 E-Mail Info Client Request", content="12"C</IdsTrafficCondition>
  213.                <Action LogEvent="0" PacketProcess="DROP"/>
  214.             </IdsSignature>
  215.             <IdsSignature Id="00000000000000000011000800000017" Name=" BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description=" BACKDOOR DeepThroat 3.1 Server Status From Server">
  216.                <IdsTrafficCondition>rule udp, saddr=$LOCALHOST, source=(2140), dest=(60000), msg="E20027 BACKDOOR DeepThroat 3.1 Server Status From Server", content="Host"C</IdsTrafficCondition>
  217.                <Action LogEvent="0" PacketProcess="DROP"/>
  218.             </IdsSignature>
  219.             <IdsSignature Id="00000000000000000011000800000018" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Server Status Client Request">
  220.                <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20028 BACKDOOR DeepThroat 3.1 Server Status Client Request", content="10"C</IdsTrafficCondition>
  221.                <Action LogEvent="0" PacketProcess="DROP"/>
  222.             </IdsSignature>
  223.             <IdsSignature Id="00000000000000000011000800000019" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Drive Info From Server">
  224.                <IdsTrafficCondition>rule udp, saddr=$LOCALHOST, source=(2140), dest=(60000), msg="E20029 BACKDOOR DeepThroat 3.1 Drive Info From Server", content="C - "C</IdsTrafficCondition>
  225.                <Action LogEvent="0" PacketProcess="DROP"/>
  226.             </IdsSignature>
  227.             <IdsSignature Id="0000000000000000001100080000001A" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 System Info From Server">
  228.                <IdsTrafficCondition>rule udp, saddr=$LOCALHOST, source=(2140), dest=(60000), msg="E20030 BACKDOOR DeepThroat 3.1 System Info From Server", content="Comp Name"C</IdsTrafficCondition>
  229.                <Action LogEvent="0" PacketProcess="DROP"/>
  230.             </IdsSignature>
  231.             <IdsSignature Id="0000000000000000001100080000001B" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Drive Info Client Request">
  232.                <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20031 BACKDOOR DeepThroat 3.1 Drive Info Client Request", content="130"C</IdsTrafficCondition>
  233.                <Action LogEvent="0" PacketProcess="DROP"/>
  234.             </IdsSignature>
  235.             <IdsSignature Id="0000000000000000001100080000001C" Name=" BACKDOOR HackAttack 1.20" Enable="1" Severity="10" Description=" BACKDOOR HackAttack 1.20 Connect" HostType="PASSIVE">
  236.                <IdsTrafficCondition>rule tcp, saddr=$LOCALHOST,  source=(31785), msg="E20041 BACKDOOR HackAttack 1.20 Connect", tcp_flag&ack, content="host"C</IdsTrafficCondition>
  237.                <Action LogEvent="0" PacketProcess="DROP"/>
  238.             </IdsSignature>
  239.             <IdsSignature Id="0000000000000000001100080000001D" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request">
  240.                <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20042 BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request", content= "40"C</IdsTrafficCondition>
  241.                <Action LogEvent="0" PacketProcess="DROP"/>
  242.             </IdsSignature>
  243.             <IdsSignature Id="0000000000000000001100080000001E" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request">
  244.                <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140),  msg="E20043 BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request", content="20"C</IdsTrafficCondition>
  245.                <Action LogEvent="0" PacketProcess="DROP"/>
  246.             </IdsSignature>
  247.             <IdsSignature Id="0000000000000000001100080000001F" Name="BACKDOOR ADMw0rm" Enable="1" Severity="10" Description="BACKDOOR ADMw0rm ftp retrieval">
  248.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST,  dest=(21), msg="E20044 BACKDOOR ADMw0rm ftp retrieval",tcp_flag&ack, content="USERw0rm\x0D\x0A"C</IdsTrafficCondition>
  249.                <Action LogEvent="0" PacketProcess="DROP"/>
  250.             </IdsSignature>
  251.             <IdsSignature Id="00000000000000000011000800000020" Name="BACKDOOR GirlFriendaccess" Enable="1" Severity="10" Description="BACKDOOR GirlFriendaccess" HostType="PASSIVE">
  252.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, source=(0-79,81-65535), dest=(21554), msg="E20045 BACKDOOR GirlFriendaccess", tcp_flag&ack, content="Girl"C</IdsTrafficCondition>
  253.                <Action LogEvent="0" PacketProcess="DROP"/>
  254.             </IdsSignature>
  255.             <IdsSignature Id="00000000000000000011000800000021" Name="BACKDOOR NetSphere access" Enable="1" Severity="10" Description="BACKDOOR NetSphere access" HostType="PASSIVE">
  256.                <IdsTrafficCondition>rule tcp, saddr=$LOCALHOST,  source=(30100),  msg="E20046 BACKDOOR NetSphere access", tcp_flag&ack, content="NetSphere"C</IdsTrafficCondition>
  257.                <Action LogEvent="0" PacketProcess="DROP"/>
  258.             </IdsSignature>
            <!-- Outbound from local 6969 carrying the string "GateCrasher" (case-insensitive). -->
            <IdsSignature Id="00000000000000000011000800000022" Name="BACKDOOR GateCrasher" Enable="1" Severity="10" Description="BACKDOOR GateCrasher" HostType="PASSIVE">
               <IdsTrafficCondition>rule tcp, saddr=$LOCALHOST,  source=(6969),   msg="E20047 BACKDOOR GateCrasher", tcp_flag&ack, content="GateCrasher"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <!-- Outbound from local 5401-5402; the content is the literal drive prefix c:\
                 (\x3A is ':' and the doubled backslash is a single escaped '\'). -->
            <IdsSignature Id="00000000000000000011000800000023" Name="BACKDOOR BackConstruction 2.1 Connection" Enable="1" Severity="10" Description="BACKDOOR BackConstruction 2.1 Connection" HostType="PASSIVE">
               <IdsTrafficCondition>rule tcp, saddr=$LOCALHOST,  source=(5401-5402),  msg="E20052 BACKDOOR BackConstruction 2.1 Connection", tcp_flag&ack, content="c\x3A\\"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <!-- Outbound from local 23476. "pINg" carries the C flag, so any "ping" in any case
                 leaving that port is dropped. -->
            <IdsSignature Id="00000000000000000011000800000024" Name="BACKDOOR DonaldDick 1.53" Enable="1" Severity="10" Description="BACKDOOR DonaldDick 1.53 Traffic">
               <IdsTrafficCondition>rule tcp, saddr=$LOCALHOST,  source=(23476),  msg="E20053 BACKDOOR DonaldDick 1.53 Traffic", tcp_flag&ack, content="pINg"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <!-- NOTE(review): outbound from local 30100-30102 with "NetSphere"; a strict superset
                 of E20046 above (port 30100 only), which can be retired. -->
            <IdsSignature Id="00000000000000000011000800000025" Name="BACKDOOR NetSphere 1.31.337 access" Enable="1" Severity="10" Description="BACKDOOR NetSphere 1.31.337 access">
               <IdsTrafficCondition>rule tcp, saddr=$LOCALHOST,  source=(30100-30102),  msg="E20055 BACKDOOR NetSphere 1.31.337 access", tcp_flag&ack, content="NetSphere"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
  275.             <IdsSignature Id="00000000000000000011000800000026" Name=" DeepThroat 3.1" Enable="1" Severity="10" Description=" DeepThroat 3.1 Visible Window List Client Request">
  276.                <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20056 BACKDOOR DeepThroat 3.1 Visible Window List Client Request", content="37"C</IdsTrafficCondition>
  277.                <Action LogEvent="0" PacketProcess="DROP"/>
  278.             </IdsSignature>
            <!-- Inbound to local 666: client request ("FTPON", case-insensitive) to open the
                 BackConstruction FTP service. -->
            <IdsSignature Id="00000000000000000011000800000027" Name="BACKDOOR BackConstruction 2.1" Enable="1" Severity="10" Description="BACKDOOR BackConstruction 2.1 Client FTP Open Request">
               <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST,  dest=(666),  msg="E20057 BACKDOOR BackConstruction 2.1 Client FTP Open Request", tcp_flag&ack, content="FTPON"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <!-- Outbound from local 666: the server's acknowledgement. NOTE(review): a stray space
                 precedes the closing tag (no other condition in the file has one); presumably the
                 parser trims it, confirm. -->
            <IdsSignature Id="00000000000000000011000800000028" Name="BACKDOOR BackConstruction 2.1" Enable="1" Severity="10" Description="BACKDOOR BackConstruction 2.1 Server FTP Open Reply">
               <IdsTrafficCondition>rule tcp, saddr=$LOCALHOST,  source=(666),  msg="E20058 BACKDOOR BackConstruction 2.1 Server FTP Open Reply", tcp_flag&ack, content="FTP Port open"C </IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <!-- NOTE(review): direction looks inconsistent. Every other rule in this group pairs
                 saddr=$LOCALHOST with source=(port) (outbound) or daddr=$LOCALHOST with dest=(port)
                 (inbound); this one pairs saddr=$LOCALHOST with dest=(5032), i.e. traffic leaving
                 this host for a remote port 5032. Confirm which side NetMetro's 5032 is on and
                 rewrite as either daddr=$LOCALHOST, dest=(5032) or saddr=$LOCALHOST, source=(5032).
                 The content \x2D\x2D is just two hyphens with no range suffix, so once the port
                 test passes almost any segment with that substring is dropped. -->
            <IdsSignature Id="00000000000000000011000800000029" Name="BACKDOOR NetMetro File List" Enable="1" Severity="10" Description="BACKDOOR NetMetro File List">
               <IdsTrafficCondition>rule tcp, saddr=$LOCALHOST,   dest=(5032),  msg="E20059 BACKDOOR NetMetro File List", tcp_flag&ack, content="\x2D\x2D"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <!-- Inbound, remote 3344 -> local 3345, case-insensitive "activate". Both Matrix rules
                 key on the UDP port pair plus one word; no range suffix is applied. -->
            <IdsSignature Id="0000000000000000001100080000002B" Name="BACKDOOR Matrix 2.0 Client connect" Enable="1" Severity="10" Description="BACKDOOR Matrix 2.0 Client connect">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(3344), dest=(3345),  msg="E20061 BACKDOOR Matrix 2.0 Client connect", content="activate"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <!-- Inbound, remote 3345 -> local 3344, case-insensitive "logged in". -->
            <IdsSignature Id="0000000000000000001100080000002C" Name="BACKDOOR Matrix 2.0 Server access" Enable="1" Severity="10" Description="BACKDOOR Matrix 2.0 Server access">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(3345), dest=(3344),  msg="E20062 BACKDOOR Matrix 2.0 Server access", content="logged in"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <!-- NOTE(review): the only rule in this file that combines flags as tcp_flag&syn|ack.
                 Whether that requires SYN and ACK together or parses as (tcp_flag&syn)|ack depends
                 on the engine's operator precedence; confirm against the rule grammar. Outbound
                 from local 5714 with the two-byte \xB4\xB4 content. -->
            <IdsSignature Id="0000000000000000001100080000002D" Name="BACKDOOR WinCrash 1.0 Server Active" Enable="1" Severity="10" Description="BACKDOOR WinCrash 1.0 Server Active">
               <IdsTrafficCondition>rule tcp, saddr=$LOCALHOST,  source=(5714),  msg="E20063 BACKDOOR WinCrash 1.0 Server Active" , tcp_flag&syn|ack, content="\xB4\xB4"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <!-- NOTE(review): no content test at all; any UDP datagram from remote 2140 to local
                 60000 is dropped on the port pair alone. This is the reverse of the 60000 -> 2140
                 direction used by the DeepThroat client-request rules. -->
            <IdsSignature Id="0000000000000000001100080000002E" Name="BACKDOOR DeepThroat 3.1 Server Active on Network" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Server Active on Network">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(2140), dest=(60000), msg="E20064 BACKDOOR DeepThroat 3.1 Server Active on Network"</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <!-- Inbound, remote 60000 -> local 2140; matched on the status text rather than a numeric
                 opcode, so this one is far less prone to accidental matches than its siblings. -->
            <IdsSignature Id="0000000000000000001100080000002F" Name="BACKDOOR DeepThroat 3.1 Keylogger on Server ON" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Keylogger on Server ON">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20065 BACKDOOR DeepThroat 3.1 Keylogger on Server ON", content="KeyLogger Is Enabled On port"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
  311.             <IdsSignature Id="00000000000000000011000800000030" Name="DeepThroat 3.1 Show Picture Client Request" Enable="1" Severity="10" Description="DeepThroat 3.1 Show Picture Client Request">
  312.                <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20066 BACKDOOR DeepThroat 3.1 Show Picture Client Request", content="22"C</IdsTrafficCondition>
  313.                <Action LogEvent="0" PacketProcess="DROP"/>
  314.             </IdsSignature>
            <!-- DeepThroat 3.1 client requests, remote 60000 -> local 2140. Each rule drops the
                 datagram when its two- or three-digit opcode appears anywhere in the payload
                 (C flag, no range suffix); the only thing keeping these specific is the port pair. -->
            <IdsSignature Id="00000000000000000011000800000031" Name="BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20067 BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request", content="32"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="00000000000000000011000800000032" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20068 BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request", content="33"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="00000000000000000011000800000033" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20069 BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request", content="34"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="00000000000000000011000800000034" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20070 BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request", content="110"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="00000000000000000011000800000035" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20071 BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request", content="35"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="00000000000000000011000800000036" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20072 BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request", content="70"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="00000000000000000011000800000037" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20073 BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request", content="71"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="00000000000000000011000800000038" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20074 BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request", content="31"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="00000000000000000011000800000039" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Resolution Change Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20075 BACKDOOR DeepThroat 3.1 Resolution Change Client Request", content="125"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <!-- NOTE(review): same Description and msg as E20074 above but a different opcode
                 ("04" versus "31"); one of the two labels is presumably wrong. Confirm which
                 DeepThroat command "04" actually is. -->
            <IdsSignature Id="0000000000000000001100080000003A" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20076 BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request", content="04"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="0000000000000000001100080000003B" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Keylogger on Server OFF">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20077 BACKDOOR DeepThroat 3.1 Keylogger on Server OFF", content="KeyLogger Shut Down"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="0000000000000000001100080000003C" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Send to URL Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20078 BACKDOOR DeepThroat 3.1 Send to URL Client Request", content="12"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="0000000000000000001100080000003D" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 FTP Server Port Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20079 BACKDOOR DeepThroat 3.1 FTP Server Port Client Request", content="21"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="0000000000000000001100080000003E" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Process List Client request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20080 BACKDOOR DeepThroat 3.1 Process List Client request", content="64"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="0000000000000000001100080000003F" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Close Port Scan Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20081 BACKDOOR DeepThroat 3.1 Close Port Scan Client Request", content="121"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="00000000000000000011000800000040" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Registry Add Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20082 BACKDOOR DeepThroat 3.1 Registry Add Client Request", content="89"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <!-- Inbound to the finger port 79 with ACK set. The (0,15) suffix bounds where "ypi0ca"
                 may occur; the same range form appears on E20204, E20205 and E23006 and is the
                 only anchoring mechanism used in this file. -->
            <IdsSignature Id="00000000000000000011000800000041" Name="BACKDOOR CDK" Enable="1" Severity="10" Description="BACKDOOR CDK">
               <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST,  dest=(79), msg="E20085 BACKDOOR CDK", content= "ypi0ca"(0,15), tcp_flag&ack</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <!-- DeepThroat 3.1 client requests continued (remote 60000 -> local 2140); unanchored,
                 case-insensitive opcode strings as in the earlier part of the family. -->
            <IdsSignature Id="00000000000000000011000800000042" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Monitor on/off Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20086 BACKDOOR DeepThroat 3.1 Monitor on/off Client Request", content="07"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="00000000000000000011000800000043" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="11" Description="BACKDOOR DeepThroat 3.1 Delete File Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20087 BACKDOOR DeepThroat 3.1 Delete File Client Request", content="41"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="00000000000000000011000800000044" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Kill Window Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20088 BACKDOOR DeepThroat 3.1 Kill Window Client Request", content="38"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="00000000000000000011000800000045" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Disable Window Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20089 BACKDOOR DeepThroat 3.1 Disable Window Client Request", content="23"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="00000000000000000011000800000046" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Enable Window Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20090 BACKDOOR DeepThroat 3.1 Enable Window Client Request", content="24"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="00000000000000000011000800000047" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Change Window Title Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20091 BACKDOOR DeepThroat 3.1 Change Window Title Client Request", content="60"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="00000000000000000011000800000048" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Hide Window Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20092 BACKDOOR DeepThroat 3.1 Hide Window Client Request", content="26"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="00000000000000000011000800000049" Name="BACKDOOR DeepThroat 3.1 Show Window Client Request" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Show Window Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20093 BACKDOOR DeepThroat 3.1 Show Window Client Request", content="25"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="0000000000000000001100080000004A" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Send Text to Window Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20094 BACKDOOR DeepThroat 3.1 Send Text to Window Client Request", content="63"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <!-- NOTE(review): described as a server response, yet written in the client -> server
                 port direction (remote 60000 -> local 2140) used by the request rules. A reply from
                 a DeepThroat server would travel 2140 -> 60000, the pair E20064 uses for "Server
                 Active". Confirm the intended direction. -->
            <IdsSignature Id="0000000000000000001100080000004B" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Server Response">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20095 BACKDOOR DeepThroat 3.1 Server Response", content="Ahhhh My Mouth Is Open"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="0000000000000000001100080000004C" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20096 BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request", content="30"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="0000000000000000001100080000004D" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 All Window List Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20098 BACKDOOR DeepThroat 3.1 All Window List Client Request", content="370"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="0000000000000000001100080000004E" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Play Sound Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20099 BACKDOOR DeepThroat 3.1 Play Sound Client Request", content="36"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="0000000000000000001100080000004F" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Run Program Normal Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20100 BACKDOOR DeepThroat 3.1 Run Program Normal Client Request", content="14"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="00000000000000000011000800000050" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20101 BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request", content="15"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="00000000000000000011000800000051" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Get NET File Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20102 BACKDOOR DeepThroat 3.1 Get NET File Client Request", content="100"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="00000000000000000011000800000052" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Find File Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20103 BACKDOOR DeepThroat 3.1 Find File Client Request", content="117"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <!-- NOTE(review): same Description and msg as E20103 above with a different opcode
                 ("118" versus "117"); confirm which Find File variant each one represents so the
                 two log entries can be told apart. -->
            <IdsSignature Id="00000000000000000011000800000053" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 Find File Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20104 BACKDOOR DeepThroat 3.1 Find File Client Request", content="118"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="00000000000000000011000800000054" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 HUP Modem Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20105 BACKDOOR DeepThroat 3.1 HUP Modem Client Request", content="199"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="00000000000000000011000800000055" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 CD ROM Open Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20106 BACKDOOR DeepThroat 3.1 CD ROM Open Client Request", content="02"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <IdsSignature Id="00000000000000000011000800000056" Name="BACKDOOR DeepThroat 3.1" Enable="1" Severity="10" Description="BACKDOOR DeepThroat 3.1 CD ROM Close Client Request">
               <IdsTrafficCondition>rule udp, daddr=$LOCALHOST, source=(60000), dest=(2140), msg="E20107 BACKDOOR DeepThroat 3.1 CD ROM Close Client Request", content="03"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <!-- Outbound from local 555 with "phAse" (case-insensitive) and ACK set. -->
            <IdsSignature Id="00000000000000000011000800000057" Name="BACKDOOR PhaseZero Server" Enable="1" Severity="10" Description="BACKDOOR PhaseZero Server Active on Network">
               <IdsTrafficCondition>rule tcp, saddr=$LOCALHOST,  source=(555),  msg="E20108 BACKDOOR PhaseZero Server Active on Network", tcp_flag&ack, content="phAse"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <!-- Inbound on any port: with no dest= clause the 23-byte content bounded by the (8,23)
                 range suffix is the whole of what makes this rule specific. -->
            <IdsSignature Id="00000000000000000011000800000062" Name="BACKDOOR NetBus Pro 2.1" Enable="1" Severity="10" Description="BACKDOOR NetBus Pro 2.1">
               <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, msg= "E20204 BACKDOOR NetBus Pro 2.1 connection attempt", tcp_flag&ack, content="\x05\x00\x41\x0c\x69\x1f\x5d\x12\x61\x82\xa4\x70\xaa\x7d\xa8\x7e\x86\xba\x6e\x91\x20\xd0\xb1"C(8,23)</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <!-- Outbound from this host on any port. The hex content decodes to CRLF "[RPL]002" CRLF,
                 bounded by the (0,12) range suffix. -->
            <IdsSignature Id="00000000000000000011000800000063" Name="SubSeven 2.2 server response" Enable="1" Severity="10" Description="SubSeven 2.2 server response">
               <IdsTrafficCondition>rule tcp, saddr=$LOCALHOST, msg= "E20205 BACKDOOR SubSeven 2.2 server response", tcp_flag&ack, content="\x0d\x0a\x5b\x52\x50\x4c\x5d\x30\x30\x32\x0d\x0a"C(0,12)</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
  479.          </IdsSignatureGroup>
  480.          <IdsSignatureGroup Id="00000000000000000011000400000000" Name="IDS-DoS" Enable="1" Severity="1" Description="DoS IDS Signature Group" ApplicationGroupLink="APP_OTHER">
            <!-- Inbound to RealServer port 7070 with ACK set; \xff\xf4\xff\xfd\x06 is the Telnet
                 "IAC IP, IAC DO TIMING-MARK" sequence (RFC 854 codes 255 244 255 253 6). -->
            <IdsSignature Id="00000000000000000011000400000001" Name="DoS Real Audio Server" Enable="1" Severity="10" Description="DoS Real Audio Server">
               <IdsTrafficCondition>rule tcp,daddr=$LOCALHOST,dest=(7070),msg="E23001 DoS Real Audio Server",tcp_flag&ack,content="\xff\xf4\xff\xfd\x06"C</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <!-- Inbound to 7070. No C flag on the content, so the path is matched case-sensitively;
                 a request using different casing in the path would not be caught. -->
            <IdsSignature Id="00000000000000000011000400000002" Name="DoS Real Server template.html" Enable="1" Severity="10" Description="DoS Real Server template.html">
               <IdsTrafficCondition>rule tcp,daddr=$LOCALHOST,dest=(7070),msg="E23002 DoS Real Server template.html",tcp_flag&ack,content="/viewsource/template.html?"</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <!-- Same check as E23002 on the 8080 listener. -->
            <IdsSignature Id="00000000000000000011000400000003" Name="DoS Real Server template.html" Enable="1" Severity="10" Description="DoS Real Server template.html">
               <IdsTrafficCondition>rule tcp,daddr=$LOCALHOST,dest=(8080),msg="E23003 DoS Real Server template.html",tcp_flag&ack,content="/viewsource/template.html?"</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
  493.             <IdsSignature Id="00000000000000000011000400000005" Name=" DoS ath0" Enable="1" Severity="10" Description=" DoS ath0">
  494.                <IdsTrafficCondition>rule icmp,daddr=$LOCALHOST,msg="E23005 DoS ath0",content="+++ath0",type=8</IdsTrafficCondition>
  495.                <Action LogEvent="0" PacketProcess="DROP"/>
  496.             </IdsSignature>
            <!-- Inbound UDP to the discard port 9; the hex content is "NAMENAME", bounded by the
                 (25,50) range suffix. -->
            <IdsSignature Id="00000000000000000011000400000006" Name="DoS Ascend Route" Enable="1" Severity="10" Description="DoS Ascend Route">
               <IdsTrafficCondition>rule udp,daddr=$LOCALHOST,dest=(9),msg="E23006 DoS Ascend Route",content="\x4e\x41\x4d\x45\x4e\x41\x4d\x45"C(25,50)</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
            <!-- Length-only rule: any TCP segment to local 617 with ACK set and tot_len >= 1445 is
                 dropped; no payload content is inspected. -->
            <IdsSignature Id="00000000000000000011000400000007" Name="DoS arkiea backup" Enable="1" Severity="10" Description="DoS arkiea backup">
               <IdsTrafficCondition>rule tcp,daddr=$LOCALHOST,dest=(617),tot_len>=1445,msg="E23007 DoS arkiea backup",tcp_flag&ack</IdsTrafficCondition>
               <Action LogEvent="0" PacketProcess="DROP"/>
            </IdsSignature>
  505.             <IdsSignature Id="00000000000000000011000400000009" Name="DDOS tfn2k icmp possible communication" Enable="1" Severity="10" Description="DDOS tfn2k icmp possible communication">
  506.                <IdsTrafficCondition>rule icmp,daddr=$LOCALHOST,msg="E21001 DDOS tfn2k icmp possible communication",type=0,content="AAAAAAAAAA"C</IdsTrafficCondition>
  507.                <Action LogEvent="0" PacketProcess="DROP"/>
  508.             </IdsSignature>
  509.             <IdsSignature Id="0000000000000000001100040000000A" Name="DDOS Trin00:DaemontoMaster(PONGdetected)" Enable="1" Severity="10" Description="DDOS Trin00:DaemontoMaster(PONGdetected)">
  510.                <IdsTrafficCondition>rule udp, daddr=$LOCALHOST,msg="E21002 DDOS Trin00:DaemontoMaster(PONGdetected)",content="PONG"C</IdsTrafficCondition>
  511.                <Action LogEvent="0" PacketProcess="DROP"/>
  512.             </IdsSignature>
  513.             <IdsSignature Id="0000000000000000001100040000000B" Name="DDOS Stacheldraht server-response-gag" Enable="1" Severity="10" Description="DDOS Stacheldraht server-response-gag">
  514.                <IdsTrafficCondition>rule icmp,saddr=$LOCALHOST,msg="E21004 DDOS Stacheldraht server-response-gag",content="\x73\x69\x63\x6B\x65\x6E"C,type=0</IdsTrafficCondition>
  515.                <Action LogEvent="0" PacketProcess="DROP"/>
  516.             </IdsSignature>
  517.             <IdsSignature Id="0000000000000000001100040000000C" Name="DDOS Stacheldraht server-response" Enable="1" Severity="10" Description="DDOS Stacheldraht server-response">
  518.                <IdsTrafficCondition>rule icmp,saddr=$LOCALHOST,msg="E21005 DDOS Stacheldraht server-response",content="\x66\x69\x63\x6B\x65\x6E"C,type=0</IdsTrafficCondition>
  519.                <Action LogEvent="0" PacketProcess="DROP"/>
  520.             </IdsSignature>
  521.             <IdsSignature Id="0000000000000000001100040000000D" Name="DDOS Stacheldraht client-spoofworks" Enable="1" Severity="10" Description="DDOS Stacheldraht client-spoofworks">
  522.                <IdsTrafficCondition>rule icmp,daddr=$LOCALHOST,msg="E21006 DDOS Stacheldraht client-spoofworks",type=0,content="\x73\x70\x6F\x6F\x66\x77\x6F\x72\x6B\x73"C</IdsTrafficCondition>
  523.                <Action LogEvent="0" PacketProcess="DROP"/>
  524.             </IdsSignature>
  525.             <IdsSignature Id="0000000000000000001100040000000F" Name="DDOS Stacheldraht client-check" Enable="1" Severity="10" Description="DDOS Stacheldraht client-check">
  526.                <IdsTrafficCondition>rule icmp,daddr=$LOCALHOST,msg="E21008 DDOS Stacheldraht client-check",content="\x73\x6B\x69\x6C\x6C\x7A"C,type=0</IdsTrafficCondition>
  527.                <Action LogEvent="0" PacketProcess="DROP"/>
  528.             </IdsSignature>
  529.             <IdsSignature Id="00000000000000000011000400000010" Name="DDOS shaft client to handler" Enable="1" Severity="10" Description="DDOS shaft client to handler">
                      <!-- shaft client-to-handler: TCP segment with ACK set, to local port 20432, from any source port (source=(0) presumably means any).
                           There is no content match, so every ACK segment to 20432 is dropped; expect false positives if that port is legitimately used. -->
  530.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST,source=(0),dest=(20432),msg="E21009 DDOS shaft client to handler",tcp_flag&ack</IdsTrafficCondition>
  531.                <Action LogEvent="0" PacketProcess="DROP"/>
  532.             </IdsSignature>
  533.             <IdsSignature Id="00000000000000000011000400000011" Name="DDOS Trin00:DaemontoMaster(messagedetected)" Enable="1" Severity="10" Description="DDOS Trin00:DaemontoMaster(messagedetected)">
                      <!-- Trin00 daemon-to-master: UDP to local port 31335 containing "l44". -->
  534.                <IdsTrafficCondition>rule udp, daddr=$LOCALHOST,source=(0),dest=(31335),msg="E21010 DDOS Trin00:DaemontoMaster(messagedetected)",content="l44"C</IdsTrafficCondition>
  535.                <Action LogEvent="0" PacketProcess="DROP"/>
  536.             </IdsSignature>
  537.             <IdsSignature Id="00000000000000000011000400000012" Name="DDOS Trin00:DaemontoMaster(*HELLO*detected)" Enable="1" Severity="10" Description="DDOS Trin00:DaemontoMaster(*HELLO*detected)">
                      <!-- Trin00 daemon-to-master registration: UDP to local port 31335 containing "*HELLO*". -->
  538.                <IdsTrafficCondition>rule udp, daddr=$LOCALHOST,source=(0),dest=(31335),msg="E21011 DDOS Trin00:DaemontoMaster(*HELLO*detected)",content="*HELLO*"C</IdsTrafficCondition>
  539.                <Action LogEvent="0" PacketProcess="DROP"/>
  540.             </IdsSignature>
  541.             <IdsSignature Id="00000000000000000011000400000013" Name="DDOS Trin00:Attacker to Master default startup password" Enable="1" Severity="10" Description="DDOS Trin00:Attacker to Master default startup password">
                      <!-- Trin00 attacker-to-master: TCP ACK segment to local port 27665 carrying the default startup password "betaalmostdone".
                           A match means a control connection to a master on this host, i.e. the local host is likely already compromised. -->
  542.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST,source=(0),dest=(27665),msg="E21012 DDOS Trin00:Attacker to Master default startup password",tcp_flag&ack,content="betaalmostdone"C</IdsTrafficCondition>
  543.                <Action LogEvent="0" PacketProcess="DROP"/>
  544.             </IdsSignature>
  545.             <IdsSignature Id="00000000000000000011000400000014" Name="DDOS Trin00 Attacker to Master default password" Enable="1" Severity="10" Description="DDOS Trin00 Attacker to Master default password">
                      <!-- Trin00 attacker-to-master: TCP ACK segment to local port 27665 carrying the default password "gOrave". -->
  546.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST,source=(0),dest=(27665),msg="E21013 DDOS Trin00 Attacker to Master default password",tcp_flag&ack,content="gOrave"C</IdsTrafficCondition>
  547.                <Action LogEvent="0" PacketProcess="DROP"/>
  548.             </IdsSignature>
  549.             <IdsSignature Id="00000000000000000011000400000015" Name="DDOS Trin00 Attacker to Master default mdie password" Enable="1" Severity="10" Description="DDOS Trin00 Attacker to Master default mdie password">
                      <!-- Trin00 attacker-to-master: TCP ACK segment to local port 27665 carrying the default "mdie" password "killme". -->
  550.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST,source=(0),dest=(27665),msg="E21014 DDOS Trin00 Attacker to Master default mdie password",tcp_flag&ack,content="killme"C</IdsTrafficCondition>
  551.                <Action LogEvent="0" PacketProcess="DROP"/>
  552.             </IdsSignature>
  553.             <IdsSignature Id="00000000000000000011000400000016" Name="DDOS Stacheldraht client-check-gag" Enable="1" Severity="10" Description="DDOS Stacheldraht client-check-gag">
                      <!-- Stacheldraht client check (gag): inbound ICMP type 0 to this host containing "gesundheit!"
                           (\x67\x65\x73\x75\x6E\x64\x68\x65\x69\x74\x21).
                           NOTE(review): unlike the sibling Stacheldraht rules this content literal has no trailing C flag; if C controls case
                           handling, this rule matches differently from its siblings. Confirm whether that is intended. -->
  554.                <IdsTrafficCondition>rule icmp, daddr=$LOCALHOST,msg="E21015 DDOS Stacheldraht client-check-gag",content="\x67\x65\x73\x75\x6E\x64\x68\x65\x69\x74\x21",type=0</IdsTrafficCondition>
  555.                <Action LogEvent="0" PacketProcess="DROP"/>
  556.             </IdsSignature>
  557.             <IdsSignature Id="00000000000000000011000400000017" Name="DDOS Trin00:MastertoDaemon(defaultpassdetected!)" Enable="1" Severity="10" Description="DDOS Trin00:MastertoDaemon(defaultpassdetected!)">
                      <!-- Trin00 master-to-daemon: UDP to local port 27444 containing the default daemon password "l44adsl". -->
  558.                <IdsTrafficCondition>rule udp, daddr=$LOCALHOST,source=(0),dest=(27444),msg="E21016 DDOS Trin00:MastertoDaemon(defaultpassdetected!)",content="l44adsl"C</IdsTrafficCondition>
  559.                <Action LogEvent="0" PacketProcess="DROP"/>
  560.             </IdsSignature>
  561.             <IdsSignature Id="00000000000000000011000400000018" Name="DDOS TFN server response" Enable="1" Severity="10" Description="DDOS TFN server response">
                      <!-- TFN server response: inbound ICMP type 0 to this host containing "shell bound to port"
                           (\x73\x68\x65\x6C\x6C\x20\x62\x6F\x75\x6E\x64\x20\x74\x6F\x20\x70\x6F\x72\x74). No trailing C flag on this literal. -->
  562.                <IdsTrafficCondition>rule icmp, daddr=$LOCALHOST,msg="E21017 DDOS TFN server response",content="\x73\x68\x65\x6C\x6C\x20\x62\x6F\x75\x6E\x64\x20\x74\x6F\x20\x70\x6F\x72\x74",type=0</IdsTrafficCondition>
  563.                <Action LogEvent="0" PacketProcess="DROP"/>
  564.             </IdsSignature>
  565.             <IdsSignature Id="00000000000000000011000400000019" Name="DDOS shaft handler to agent" Enable="1" Severity="10" Description="DDOS shaft handler to agent">
                      <!-- shaft handler-to-agent: UDP to local port 18753 containing "alive tijgu". -->
  566.                <IdsTrafficCondition>rule udp, daddr=$LOCALHOST,source=(0),dest=(18753),msg="E21018 DDOS shaft handler to agent",content="alive tijgu"C</IdsTrafficCondition>
  567.                <Action LogEvent="0" PacketProcess="DROP"/>
  568.             </IdsSignature>
  569.             <IdsSignature Id="0000000000000000001100040000001A" Name="DDOS shaft agent to handler" Enable="1" Severity="10" Description="DDOS shaft agent to handler">
                      <!-- shaft agent-to-handler: UDP to local port 20433 containing "alive". A short literal on a fixed port;
                           the port is the main discriminator here. -->
  570.                <IdsTrafficCondition>rule udp, daddr=$LOCALHOST,source=(0),dest=(20433),msg="E21019 DDOS shaft agent to handler",content="alive"C</IdsTrafficCondition>
  571.                <Action LogEvent="0" PacketProcess="DROP"/>
  572.             </IdsSignature>
  573.             <IdsSignature Id="0000000000000000001100040000001B" Name="DDOS shaft synflood outgoing" Enable="1" Severity="10" Description="DDOS shaft synflood outgoing">
                      <!-- shaft SYN flood, outbound: TCP SYN sent from this host with source port 1024 to any destination port (dest=(0) presumably any).
                           Outbound direction means a hit points at the local host as a flood source. Only source port 1024 is covered,
                           so this is a narrow fingerprint rather than a general SYN-flood detector. -->
  574.                <IdsTrafficCondition>rule tcp,saddr=$LOCALHOST,source=(1024),dest=(0),msg="E21020 DDOS shaft synflood outgoing",tcp_flag&syn</IdsTrafficCondition>
  575.                <Action LogEvent="0" PacketProcess="DROP"/>
  576.             </IdsSignature>
  577.             <IdsSignature Id="0000000000000000001100040000001C" Name="DDOS shaft synflood incoming" Enable="1" Severity="10" Description="DDOS shaft synflood incoming">
                      <!-- shaft SYN flood, inbound: TCP SYN to this host from source port 1024, any destination port.
                           Mirror of the outgoing rule; legitimate clients using ephemeral port 1024 would also be dropped. -->
  578.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST,source=(1024),dest=(0),msg="E21021 DDOS shaft synflood incoming",tcp_flag&syn</IdsTrafficCondition>
  579.                <Action LogEvent="0" PacketProcess="DROP"/>
  580.             </IdsSignature>
  581.             <IdsSignature Id="0000000000000000001100040000001D" Name="DDOS mstream agent to handler" Enable="1" Severity="10" Description="DDOS mstream agent to handler">
                      <!-- mstream agent-to-handler: UDP to local port 6838 containing "newserver". -->
  582.                <IdsTrafficCondition>rule udp, daddr=$LOCALHOST,source=(0),dest=(6838),msg="E21022 DDOS mstream agent to handler",content="newserver"C</IdsTrafficCondition>
  583.                <Action LogEvent="0" PacketProcess="DROP"/>
  584.             </IdsSignature>
  585.             <IdsSignature Id="0000000000000000001100040000001E" Name="DDOS mstream handler to agent" Enable="1" Severity="10" Description="DDOS mstream handler to agent">
                      <!-- mstream handler-to-agent: UDP to local port 10498 containing "stream/". -->
  586.                <IdsTrafficCondition>rule udp, daddr=$LOCALHOST,source=(0),dest=(10498),msg="E21023 DDOS mstream handler to agent",content="stream/"C</IdsTrafficCondition>
  587.                <Action LogEvent="0" PacketProcess="DROP"/>
  588.             </IdsSignature>
  589.             <IdsSignature Id="0000000000000000001100040000001F" Name="DDOS mstream handler ping to agent" Enable="1" Severity="10" Description="DDOS mstream handler ping to agent">
                      <!-- mstream handler ping: UDP to local port 10498 containing "ping". Shares the port with the "stream/" and "pong" rules. -->
  590.                <IdsTrafficCondition>rule udp, daddr=$LOCALHOST,source=(0),dest=(10498),msg="E21024 DDOS mstream handler ping to agent",content="ping"C</IdsTrafficCondition>
  591.                <Action LogEvent="0" PacketProcess="DROP"/>
  592.             </IdsSignature>
  593.             <IdsSignature Id="00000000000000000011000400000020" Name="DDOS mstream agent pong to handler" Enable="1" Severity="10" Description="DDOS mstream agent pong to handler">
                      <!-- mstream agent pong: UDP to local port 10498 containing "pong". -->
  594.                <IdsTrafficCondition>rule udp, daddr=$LOCALHOST,source=(0),dest=(10498),msg="E21025 DDOS mstream agent pong to handler",content="pong"C</IdsTrafficCondition>
  595.                <Action LogEvent="0" PacketProcess="DROP"/>
  596.             </IdsSignature>
  597.             <IdsSignature Id="00000000000000000011000400000021" Name="DDOS mstream client to handler" Enable="1" Severity="10" Description="DDOS mstream client to handler">
                      <!-- mstream client-to-handler: TCP ACK segment to local port 12754 containing the single character ">".
                           A one-byte content match is weak on its own; the port carries most of the signal, so expect noise if 12754 is reused.
                           Name is shared with Id ...23 (port 15104); only the Id distinguishes them. -->
  598.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST,source=(0),dest=(12754),msg="E21026 DDOS mstream client to handler",content=">"C,tcp_flag&ack</IdsTrafficCondition>
  599.                <Action LogEvent="0" PacketProcess="DROP"/>
  600.             </IdsSignature>
  601.             <IdsSignature Id="00000000000000000011000400000022" Name="DDOS mstream handler to client" Enable="1" Severity="10" Description="DDOS mstream handler to client">
                      <!-- mstream handler-to-client: outbound TCP ACK segment from local port 12754 containing ">".
                           Outbound direction means a hit indicates a handler running on this host. Name is shared with Id ...24. -->
  602.                <IdsTrafficCondition>rule tcp,saddr=$LOCALHOST,source=(12754),dest=(0),msg="E21027 DDOS mstream handler to client",content=">"C,tcp_flag&ack</IdsTrafficCondition>
  603.                <Action LogEvent="0" PacketProcess="DROP"/>
  604.             </IdsSignature>
  605.             <IdsSignature Id="00000000000000000011000400000023" Name="DDOS mstream client to handler" Enable="1" Severity="10" Description="DDOS mstream client to handler">
                      <!-- mstream client-to-handler (alternate port): any TCP SYN to local port 15104, no content match.
                           Every connection attempt to 15104 is dropped, whatever the sender. Name duplicates Id ...21. -->
  606.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST,source=(0),dest=(15104),msg="E21028 DDOS mstream client to handler",tcp_flag&syn</IdsTrafficCondition>
  607.                <Action LogEvent="0" PacketProcess="DROP"/>
  608.             </IdsSignature>
  609.             <IdsSignature Id="00000000000000000011000400000024" Name="DDOS mstream handler to client" Enable="1" Severity="10" Description="DDOS mstream handler to client">
                      <!-- mstream handler-to-client (alternate port): outbound TCP ACK segment from local port 15104 containing ">".
                           Name duplicates Id ...22. -->
  610.                <IdsTrafficCondition>rule tcp,saddr=$LOCALHOST,source=(15104),dest=(0),msg="E21029 DDOS mstream handler to client",content=">"C,tcp_flag&ack</IdsTrafficCondition>
  611.                <Action LogEvent="0" PacketProcess="DROP"/>
  612.             </IdsSignature>
  613.          </IdsSignatureGroup>
  614.          <IdsSignatureGroup Id="00000000000000000011000700000000" Name="IDS-MSSQL" Enable="1" Severity="1" Description="Microsoft SQL Server IDS Signature" ApplicationGroupLink="APP_OTHER">
                   <!-- Microsoft SQL Server signatures. Every rule is inbound TCP with ACK and PSH set, to port 1433 (TDS) or 139 (named pipes
                        over NetBIOS), and the group is marked HostType="PASSIVE" per signature.
                        The group links to APP_OTHER, whose Executable is "*" (see ApplicationGroupZone), so these rules are evaluated
                        for every process rather than being scoped to sqlservr.exe.
                        The xp_* patterns are written with a \x00 after each ASCII byte, i.e. the UTF-16LE form of the procedure name.
                        NOTE(review): the trailing (N,M) qualifier after each content literal differs between the 1433 rules (8,0) and the
                        139 rules (32,0) or (32,32); it is presumably an offset/depth pair, but confirm against the rule syntax reference.
                        NOTE(review): the xp_* rules match on the procedure name alone, so legitimate administrative calls to those procedures
                        would also be dropped; the two shellcode byte-pattern rules (Ids ...13 and ...14) are the higher-confidence indicators.
                        Names repeat across the 1433 and 139 variants (e.g. Ids ...02 and ...1C); only the Id is unique.
                        NOTE(review): LogEvent="0" on every action appears to suppress event logging, so drops here leave no audit trail; confirm. -->
  615.             <IdsSignature Id="00000000000000000011000700000002" Name="MS-SQL - xp_displayparamstmt possible buffer overflow" Enable="1" Severity="10" Description="MS-SQL - xp_displayparamstmt possible buffer overflow" HostType="PASSIVE">
  616.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(1433), msg="D42001 MS-SQL - xp_displayparamstmt possible buffer overflow", content="x\x00p\x00_\x00d\x00i\x00s\x00p\x00l\x00a\x00y\x00p\x00a\x00r\x00a\x00m\x00s\x00t\x00m\x00t"(8,0), tcp_flag&ack|psh</IdsTrafficCondition>
  617.                <Action LogEvent="0" PacketProcess="DROP"/>
  618.             </IdsSignature>
  619.             <IdsSignature Id="00000000000000000011000700000003" Name="MS-SQL - xp_setsqlsecurity possible buffer overflow" Enable="1" Severity="10" Description="MS-SQL - xp_setsqlsecurity possible buffer overflow" HostType="PASSIVE">
  620.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(1433), msg="D42002 MS-SQL - xp_setsqlsecurity possible buffer overflow", content="x\x00p\x00_\x00s\x00e\x00t\x00s\x00q\x00l\x00s\x00e\x00c\x00u\x00r\x00i\x00t\x00y"(8,0), tcp_flag&ack|psh</IdsTrafficCondition>
  621.                <Action LogEvent="0" PacketProcess="DROP"/>
  622.             </IdsSignature>
  623.             <IdsSignature Id="00000000000000000011000700000009" Name="MS-SQL PIPES xp_cmdshell - program execution" Enable="1" Severity="10" Description="MS-SQL PIPES xp_cmdshell - program execution" HostType="PASSIVE">
                      <!-- xp_cmdshell over named pipes (port 139). Uses the (32,32) qualifier, unlike the (32,0) used by the other 139 rules. -->
  624.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(139), msg="D42008 MS-SQL PIPES xp_cmdshell - program execution", content="x\x00p\x00_\x00c\x00m\x00d\x00s\x00h\x00e\x00l\x00l\x00"(32,32), tcp_flag&ack|psh</IdsTrafficCondition>
  625.                <Action LogEvent="0" PacketProcess="DROP"/>
  626.             </IdsSignature>
  627.             <IdsSignature Id="0000000000000000001100070000000A" Name="MS-SQL - xp_enumresultset possible buffer overflow" Enable="1" Severity="10" Description="MS-SQL - xp_enumresultset possible buffer overflow" HostType="PASSIVE">
  628.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(1433), msg="D42009 MS-SQL - xp_enumresultset possible buffer overflow", content="x\x00p\x00_\x00e\x00n\x00u\x00m\x00r\x00e\x00s\x00u\x00l\x00t\x00s\x00e\x00t"(8,0), tcp_flag&ack|psh</IdsTrafficCondition>
  629.                <Action LogEvent="0" PacketProcess="DROP"/>
  630.             </IdsSignature>
  631.             <IdsSignature Id="0000000000000000001100070000000E" Name="MS-SQL xp_reg* - registry access" Enable="1" Severity="10" Description="MS-SQL xp_reg* - registry access" HostType="PASSIVE">
                      <!-- Prefix match on "xp_reg" (UTF-16LE), so it covers every xp_reg* procedure on port 1433. -->
  632.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(1433), msg="D42013 MS-SQL xp_reg* - registry access", content="x\x00p\x00_\x00r\x00e\x00g\x00"(8,0), tcp_flag&ack|psh</IdsTrafficCondition>
  633.                <Action LogEvent="0" PacketProcess="DROP"/>
  634.             </IdsSignature>
  635.             <IdsSignature Id="0000000000000000001100070000000F" Name="MS-SQL xp_cmdshell - program execution" Enable="1" Severity="10" Description="MS-SQL xp_cmdshell - program execution" HostType="PASSIVE">
  636.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(1433), msg="D42014 MS-SQL xp_cmdshell - program execution", content="x\x00p\x00_\x00c\x00m\x00d\x00s\x00h\x00e\x00l\x00l\x00"(8,0), tcp_flag&ack|psh</IdsTrafficCondition>
  637.                <Action LogEvent="0" PacketProcess="DROP"/>
  638.             </IdsSignature>
  639.             <IdsSignature Id="00000000000000000011000700000011" Name="MS-SQL PIPES xp_reg* - registry access" Enable="1" Severity="10" Description="MS-SQL PIPES xp_reg* - registry access" HostType="PASSIVE">
  640.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(139), msg="D42016 MS-SQL PIPES xp_reg* - registry access", content="x\x00p\x00_\x00r\x00e\x00g\x00"(32,32), tcp_flag&ack|psh</IdsTrafficCondition>
  641.                <Action LogEvent="0" PacketProcess="DROP"/>
  642.             </IdsSignature>
  643.             <IdsSignature Id="00000000000000000011000700000012" Name="MS-SQL - xp_printstatements possible buffer overflow" Enable="1" Severity="10" Description="MS-SQL - xp_printstatements possible buffer overflow" HostType="PASSIVE">
  644.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(139), msg="D42017 MS-SQL - xp_printstatements possible buffer overflow", content="x\x00p\x00_\x00p\x00r\x00i\x00n\x00t\x00s\x00t\x00a\x00t\x00e\x00m\x00e\x00n\x00t\x00s"(32,0), tcp_flag&ack|psh</IdsTrafficCondition>
  645.                <Action LogEvent="0" PacketProcess="DROP"/>
  646.             </IdsSignature>
  647.             <IdsSignature Id="00000000000000000011000700000013" Name="MS-SQL Buffer overflow shellcode ACTIVE ATTACK" Enable="1" Severity="10" Description="MS-SQL Buffer overflow shellcode ACTIVE ATTACK" HostType="PASSIVE">
                      <!-- Raw byte pattern (not a procedure name) on either 139 or 1433; a match is a strong exploitation indicator. -->
  648.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(139,1433), msg="D42018 MS-SQL Buffer overflow shellcode ACTIVE ATTACK", content="\x39\x20\xd0\x00\x92\x01\xc2\x00\x52\x00\x55\x00\x39\x20\xec\x00"C, tcp_flag&ack|psh</IdsTrafficCondition>
  649.                <Action LogEvent="0" PacketProcess="DROP"/>
  650.             </IdsSignature>
  651.             <IdsSignature Id="00000000000000000011000700000014" Name="MS-SQL Buffer overflow shellcode ACTIVE ATTACK" Enable="1" Severity="10" Description="MS-SQL Buffer overflow shellcode ACTIVE ATTACK" HostType="PASSIVE">
                      <!-- Second raw byte pattern for the same condition; same Name as Id ...13, distinguished only by Id and msg code. -->
  652.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(139,1433), msg="D42019 MS-SQL Buffer overflow shellcode ACTIVE ATTACK", content="\x48\x00\x25\x00\x78\x00\x77\x00\x90\x00\x90\x00\x90\x00\x90\x00\x90\x00\x33\x00\xc0\x00\x50\x00\x68\x00\x2e\x00"C, tcp_flag&ack|psh</IdsTrafficCondition>
  653.                <Action LogEvent="0" PacketProcess="DROP"/>
  654.             </IdsSignature>
  655.             <IdsSignature Id="00000000000000000011000700000015" Name="MS-SQL - xp_sprintf possible buffer overflow" Enable="1" Severity="10" Description="MS-SQL - xp_sprintf possible buffer overflow" HostType="PASSIVE">
  656.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(139), msg="D42020 MS-SQL - xp_sprintf possible buffer overflow", content="x\x00p\x00_\x00s\x00p\x00r\x00i\x00n\x00t\x00f"(32,0), tcp_flag&ack|psh</IdsTrafficCondition>
  657.                <Action LogEvent="0" PacketProcess="DROP"/>
  658.             </IdsSignature>
  659.             <IdsSignature Id="00000000000000000011000700000016" Name="MS-SQL - xp_showcolv possible buffer overflow" Enable="1" Severity="10" Description="MS-SQL - xp_showcolv possible buffer overflow" HostType="PASSIVE">
  660.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(139), msg="D42021 MS-SQL - xp_showcolv possible buffer overflow", content="x\x00p\x00_\x00s\x00h\x00o\x00w\x00c\x00o\x00l\x00v"(32,0), tcp_flag&ack|psh</IdsTrafficCondition>
  661.                <Action LogEvent="0" PacketProcess="DROP"/>
  662.             </IdsSignature>
  663.             <IdsSignature Id="00000000000000000011000700000017" Name="MS-SQL - xp_peekqueue possible buffer overflow" Enable="1" Severity="10" Description="MS-SQL - xp_peekqueue possible buffer overflow" HostType="PASSIVE">
  664.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(139), msg="D42022 MS-SQL - xp_peekqueue possible buffer overflow", content="x\x00p\x00_\x00p\x00e\x00e\x00k\x00q\x00u\x00e\x00u\x00e"(32,0), tcp_flag&ack|psh</IdsTrafficCondition>
  665.                <Action LogEvent="0" PacketProcess="DROP"/>
  666.             </IdsSignature>
  667.             <IdsSignature Id="00000000000000000011000700000018" Name="MS-SQL - xp_proxiedmetadata possible buffer overflow" Enable="1" Severity="10" Description="MS-SQL - xp_proxiedmetadata possible buffer overflow" HostType="PASSIVE">
  668.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(139), msg="D42023 MS-SQL - xp_proxiedmetadata possible buffer overflow", content="x\x00p\x00_\x00p\x00r\x00o\x00x\x00i\x00e\x00d\x00m\x00e\x00t\x00a\x00d\x00a\x00t\x00a"(32,0), tcp_flag&ack|psh</IdsTrafficCondition>
  669.                <Action LogEvent="0" PacketProcess="DROP"/>
  670.             </IdsSignature>
  671.             <IdsSignature Id="00000000000000000011000700000019" Name="MS-SQL - xp_printstatements possible buffer overflow" Enable="1" Severity="10" Description="MS-SQL - xp_printstatements possible buffer overflow" HostType="PASSIVE">
  672.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(1433), msg="D42024 MS-SQL - xp_printstatements possible buffer overflow", content="x\x00p\x00_\x00p\x00r\x00i\x00n\x00t\x00s\x00t\x00a\x00t\x00e\x00m\x00e\x00n\x00t\x00s"(8,0), tcp_flag&ack|psh</IdsTrafficCondition>
  673.                <Action LogEvent="0" PacketProcess="DROP"/>
  674.             </IdsSignature>
  675.             <IdsSignature Id="0000000000000000001100070000001A" Name="MS-SQL - xp_updatecolvbm possible buffer overflow" Enable="1" Severity="10" Description="MS-SQL - xp_updatecolvbm possible buffer overflow" HostType="PASSIVE">
  676.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(139), msg="D42025 MS-SQL - xp_updatecolvbm possible buffer overflow", content="x\x00p\x00_\x00u\x00p\x00d\x00a\x00t\x00e\x00c\x00o\x00l\x00v\x00b\x00m"(32,0), tcp_flag&ack|psh</IdsTrafficCondition>
  677.                <Action LogEvent="0" PacketProcess="DROP"/>
  678.             </IdsSignature>
  679.             <IdsSignature Id="0000000000000000001100070000001B" Name="MS-SQL - xp_updatecolvbm possible buffer overflow" Enable="1" Severity="10" Description="MS-SQL - xp_updatecolvbm possible buffer overflow" HostType="PASSIVE">
  680.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(1433), msg="D42026 MS-SQL - xp_updatecolvbm possible buffer overflow", content="x\x00p\x00_\x00u\x00p\x00d\x00a\x00t\x00e\x00c\x00o\x00l\x00v\x00b\x00m"(8,0), tcp_flag&ack|psh</IdsTrafficCondition>
  681.                <Action LogEvent="0" PacketProcess="DROP"/>
  682.             </IdsSignature>
  683.             <IdsSignature Id="0000000000000000001100070000001C" Name="MS-SQL - xp_displayparamstmt possible buffer overflow" Enable="1" Severity="10" Description="MS-SQL - xp_displayparamstmt possible buffer overflow" HostType="PASSIVE">
  684.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(139), msg="D42027 MS-SQL - xp_displayparamstmt possible buffer overflow", content="x\x00p\x00_\x00d\x00i\x00s\x00p\x00l\x00a\x00y\x00p\x00a\x00r\x00a\x00m\x00s\x00t\x00m\x00t"(32,0), tcp_flag&ack|psh</IdsTrafficCondition>
  685.                <Action LogEvent="0" PacketProcess="DROP"/>
  686.             </IdsSignature>
  687.             <IdsSignature Id="0000000000000000001100070000001D" Name="MS-SQL - xp_setsqlsecurity possible buffer overflow" Enable="1" Severity="10" Description="MS-SQL - xp_setsqlsecurity possible buffer overflow" HostType="PASSIVE">
  688.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(139), msg="D42028 MS-SQL - xp_setsqlsecurity possible buffer overflow", content="x\x00p\x00_\x00s\x00e\x00t\x00s\x00q\x00l\x00s\x00e\x00c\x00u\x00r\x00i\x00t\x00y"(32,0), tcp_flag&ack|psh</IdsTrafficCondition>
  689.                <Action LogEvent="0" PacketProcess="DROP"/>
  690.             </IdsSignature>
  691.             <IdsSignature Id="0000000000000000001100070000001E" Name="MS-SQL - xp_sprintf possible buffer overflow" Enable="1" Severity="10" Description="MS-SQL - xp_sprintf possible buffer overflow" HostType="PASSIVE">
  692.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(1433), msg="D42029 MS-SQL - xp_sprintf possible buffer overflow", content="x\x00p\x00_\x00s\x00p\x00r\x00i\x00n\x00t\x00f"(8,0), tcp_flag&ack|psh</IdsTrafficCondition>
  693.                <Action LogEvent="0" PacketProcess="DROP"/>
  694.             </IdsSignature>
  695.             <IdsSignature Id="0000000000000000001100070000001F" Name="MS-SQL - xp_showcolv possible buffer overflow" Enable="1" Severity="10" Description="MS-SQL - xp_showcolv possible buffer overflow" HostType="PASSIVE">
  696.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(1433), msg="D42030 MS-SQL - xp_showcolv possible buffer overflow", content="x\x00p\x00_\x00s\x00h\x00o\x00w\x00c\x00o\x00l\x00v"(8,0), tcp_flag&ack|psh</IdsTrafficCondition>
  697.                <Action LogEvent="0" PacketProcess="DROP"/>
  698.             </IdsSignature>
  699.             <IdsSignature Id="00000000000000000011000700000020" Name="MS-SQL - xp_peekqueue possible buffer overflow" Enable="1" Severity="10" Description="MS-SQL - xp_peekqueue possible buffer overflow" HostType="PASSIVE">
  700.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(1433), msg="D42031 MS-SQL - xp_peekqueue possible buffer overflow", content="x\x00p\x00_\x00p\x00e\x00e\x00k\x00q\x00u\x00e\x00u\x00e"(8,0), tcp_flag&ack|psh</IdsTrafficCondition>
  701.                <Action LogEvent="0" PacketProcess="DROP"/>
  702.             </IdsSignature>
  703.             <IdsSignature Id="00000000000000000011000700000021" Name="MS-SQL - xp_proxiedmetadata possible buffer overflow" Enable="1" Severity="10" Description="MS-SQL - xp_proxiedmetadata possible buffer overflow" HostType="PASSIVE">
  704.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(1433), msg="D42032 MS-SQL - xp_proxiedmetadata possible buffer overflow", content="x\x00p\x00_\x00p\x00r\x00o\x00x\x00i\x00e\x00d\x00m\x00e\x00t\x00a\x00d\x00a\x00t\x00a"(8,0), tcp_flag&ack|psh</IdsTrafficCondition>
  705.                <Action LogEvent="0" PacketProcess="DROP"/>
  706.             </IdsSignature>
  707.             <IdsSignature Id="00000000000000000011000700000022" Name="MS-SQL - xp_enumresultset possible buffer overflow" Enable="1" Severity="10" Description="MS-SQL - xp_enumresultset possible buffer overflow" HostType="PASSIVE">
                      <!-- msg code jumps from D42032 to D42034; D42033 is not present in this group. -->
  708.                <IdsTrafficCondition>rule tcp, daddr=$LOCALHOST, dest=(139), msg="D42034 MS-SQL - xp_enumresultset possible buffer overflow", content="x\x00p\x00_\x00e\x00n\x00u\x00m\x00r\x00e\x00s\x00u\x00l\x00t\x00s\x00e\x00t"(32,0), tcp_flag&ack|psh</IdsTrafficCondition>
  709.                <Action LogEvent="0" PacketProcess="DROP"/>
  710.             </IdsSignature>
  711.          </IdsSignatureGroup>
  712.      <IdsSignatureGroup Id="00000000000000000011000100000000" Name="Mics_group" Enable="1" Severity="1" Description="Mics_group" ApplicationGroupLink="APP_OTHER">
                   <!-- Empty placeholder group with no signatures; linked to the catch-all APP_OTHER application group.
                        NOTE(review): "Mics_group" reads like a typo for "Misc", but the Name may be referenced elsewhere, so it is left unchanged.
                        The opening tag is indented one level shallower than its sibling groups. -->
  713.          </IdsSignatureGroup>
  714.       </IdsSignatureGroupZone>
  715.       <ApplicationGroupZone>
                <!-- Maps each ApplicationGroupLink used by the signature groups to the executables it applies to.
                     APP_OTHER uses the wildcard "*", so any signature group linked to it is evaluated for every process and is not
                     application-scoped. All three groups carry the placeholder Description "App_Descript_1".
                     NOTE(review): the executables are given by image name only (no path), so matching presumably does not distinguish
                     a process of the same name in another directory; confirm whether the engine checks the full path. -->
  716.          <ApplicationGroup Name="APP_OTHER" Description="App_Descript_1">
  717.             <Executable Enable="1">*</Executable>
  718.          </ApplicationGroup>
  719.          <ApplicationGroup Name="APP_IIS_WEB" Description="App_Descript_1">
  720.             <Executable Enable="1">inetinfo.exe</Executable>
  721.          </ApplicationGroup>
                <!-- Indented inconsistently with its siblings; whitespace between elements is not significant here. -->
  722.     <ApplicationGroup Name="APP_SVCHOST" Description="App_Descript_1">
  723.             <Executable Enable="1">svchost.exe</Executable>
  724.          </ApplicationGroup>
  725.       </ApplicationGroupZone>
  726.       <MacroZone>
                <!-- Address macros available to rules. Only "any" (0.0.0.0/0) is defined here.
                     NOTE(review): every rule above references $LOCALHOST, which is not defined in this zone; presumably the engine
                     supplies it as a built-in. Confirm, since an undefined macro would silently change what the rules match. -->
  727.          <Macro Name="any" Type="NONE" Enable="1" Content="(0.0.0.0/0)" Description="var any=(0.0.0.0/0)"/>
  728.       </MacroZone>
  729.    </IdsGlobal>
  730. </IdsSignatureLib>
  731.