snort-rules-default 2.9.2-3ubuntu1 / etc / snort / rules / web-cgi.rules

# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules").  The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
# Reserved.  All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights).  In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.
#
#
# $Id: web-cgi.rules,v 1.77.2.7.2.6 2005/07/22 19:19:54 mwatchinski Exp $
#--------------
# WEB-CGI RULES
#--------------
#

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI HyperSeek hsx.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/hsx.cgi"; content:"../../"; content:"%00"; distance:1; reference:bugtraq,2314; reference:cve,2001-0253; reference:nessus,10602; classtype:web-application-attack; sid:803; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI HyperSeek hsx.cgi access"; flow:to_server,established; uricontent:"/hsx.cgi"; reference:bugtraq,2314; reference:cve,2001-0253; reference:nessus,10602; classtype:web-application-activity; sid:1607; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SWSoft ASPSeek Overflow attempt"; flow:to_server,established; uricontent:"/s.cgi"; nocase; content:"tmpl="; reference:bugtraq,2492; reference:cve,2001-0476; classtype:web-application-attack; sid:804; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspeed access"; flow:to_server,established; uricontent:"/wsisa.dll/WService="; nocase; content:"WSMadmin"; nocase; reference:arachnids,467; reference:bugtraq,969; reference:cve,2000-0127; reference:nessus,10304; classtype:attempted-user; sid:805; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI yabb directory traversal attempt"; flow:to_server,established; uricontent:"/YaBB"; nocase; content:"../"; reference:arachnids,462; reference:bugtraq,1668; reference:cve,2000-0853; classtype:attempted-recon; sid:806; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI yabb access"; flow:to_server,established; uricontent:"/YaBB"; nocase; reference:arachnids,462; reference:bugtraq,1668; reference:cve,2000-0853; classtype:attempted-recon; sid:1637; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /wwwboard/passwd.txt access"; flow:to_server,established; uricontent:"/wwwboard/passwd.txt"; nocase; reference:arachnids,463; reference:bugtraq,649; reference:cve,1999-0953; reference:cve,1999-0954; reference:nessus,10321; classtype:attempted-recon; sid:807; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webdriver access"; flow:to_server,established; uricontent:"/webdriver"; nocase; reference:arachnids,473; reference:bugtraq,2166; reference:nessus,10592; classtype:attempted-recon; sid:808; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI whois_raw.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/whois_raw.cgi?"; content:"|0A|"; reference:arachnids,466; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; classtype:web-application-attack; sid:809; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI whois_raw.cgi access"; flow:to_server,established; uricontent:"/whois_raw.cgi"; reference:arachnids,466; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; classtype:attempted-recon; sid:810; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI websitepro path access"; flow:to_server,established; content:" /HTTP/1."; nocase; reference:arachnids,468; reference:bugtraq,932; reference:cve,2000-0066; classtype:attempted-recon; sid:811; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webplus version access"; flow:to_server,established; uricontent:"/webplus?about"; nocase; reference:arachnids,470; reference:bugtraq,1102; reference:cve,2000-0282; classtype:attempted-recon; sid:812; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webplus directory traversal"; flow:to_server,established; uricontent:"/webplus?script"; nocase; content:"../"; reference:arachnids,471; reference:bugtraq,1102; reference:cve,2000-0282; classtype:web-application-attack; sid:813; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI websendmail access"; flow:to_server,established; uricontent:"/websendmail"; nocase; reference:arachnids,469; reference:bugtraq,2077; reference:cve,1999-0196; reference:nessus,10301; classtype:attempted-recon; sid:815; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcforum.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/dcforum.cgi"; content:"forum=../.."; reference:bugtraq,2611; reference:cve,2001-0436; reference:cve,2001-0437; classtype:web-application-attack; sid:1571; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcforum.cgi access"; flow:to_server,established; uricontent:"/dcforum.cgi"; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:818; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcboard.cgi invalid user addition attempt"; flow:to_server,established; uricontent:"/dcboard.cgi"; content:"command=register"; content:"%7cadmin"; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:web-application-attack; sid:817; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcboard.cgi access"; flow:to_server,established; uricontent:"/dcboard.cgi"; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:1410; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mmstdod.cgi access"; flow:to_server,established; uricontent:"/mmstdod.cgi"; nocase; reference:bugtraq,2063; reference:cve,2001-0021; reference:nessus,10566; classtype:attempted-recon; sid:819; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI anaconda directory transversal attempt"; flow:to_server,established; uricontent:"/apexec.pl"; content:"template=../"; nocase; reference:bugtraq,2338; reference:bugtraq,2388; reference:cve,2000-0975; reference:cve,2001-0308; classtype:web-application-attack; sid:820; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI imagemap.exe overflow attempt"; flow:to_server,established; uricontent:"/imagemap.exe?"; nocase; reference:arachnids,412; reference:bugtraq,739; reference:cve,1999-0951; reference:nessus,10122; classtype:web-application-attack; sid:821; rev:12;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI imagemap.exe access"; flow:to_server,established; uricontent:"/imagemap.exe"; nocase; reference:arachnids,412; reference:bugtraq,739; reference:cve,1999-0951; reference:nessus,10122; classtype:web-application-activity; sid:1700; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cvsweb.cgi access"; flow:to_server,established; uricontent:"/cvsweb.cgi"; nocase; reference:bugtraq,1469; reference:cve,2000-0670; reference:nessus,10465; classtype:attempted-recon; sid:823; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI php.cgi access"; flow:to_server,established; uricontent:"/php.cgi"; nocase; reference:arachnids,232; reference:bugtraq,2250; reference:bugtraq,712; reference:cve,1999-0238; reference:cve,1999-058; reference:nessus,10178; classtype:attempted-recon; sid:824; rev:13;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI glimpse access"; flow:to_server,established; uricontent:"/glimpse"; nocase; reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon; sid:825; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htmlscript attempt"; flow:to_server,established; uricontent:"/htmlscript?../.."; nocase; reference:bugtraq,2001; reference:cve,1999-0264; reference:nessus,10106; classtype:web-application-attack; sid:1608; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htmlscript access"; flow:to_server,established; uricontent:"/htmlscript"; nocase; reference:bugtraq,2001; reference:cve,1999-0264; reference:nessus,10106; classtype:attempted-recon; sid:826; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI info2www access"; flow:to_server,established; uricontent:"/info2www"; nocase; reference:bugtraq,1995; reference:cve,1999-0266; reference:nessus,10127; classtype:attempted-recon; sid:827; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI maillist.pl access"; flow:to_server,established; uricontent:"/maillist.pl"; nocase; classtype:attempted-recon; sid:828; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nph-test-cgi access"; flow:to_server,established; uricontent:"/nph-test-cgi"; nocase; reference:arachnids,224; reference:bugtraq,686; reference:cve,1999-0045; reference:nessus,10165; classtype:attempted-recon; sid:829; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI NPH-publish access"; flow:to_server,established; uricontent:"/nph-maillist.pl"; nocase; reference:bugtraq,2563; reference:cve,2001-0400; classtype:attempted-recon; sid:1451; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI NPH-publish access"; flow:to_server,established; uricontent:"/nph-publish"; nocase; reference:cve,1999-1177; reference:nessus,10164; classtype:attempted-recon; sid:830; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rguest.exe access"; flow:to_server,established; uricontent:"/rguest.exe"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,1999-0467; classtype:attempted-recon; sid:833; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rwwwshell.pl access"; flow:to_server,established; uricontent:"/rwwwshell.pl"; nocase; reference:url,www.itsecurity.com/papers/p37.htm; classtype:attempted-recon; sid:834; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test-cgi attempt"; flow:to_server,established; uricontent:"/test-cgi/*?*"; nocase; reference:arachnids,218; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:web-application-attack; sid:1644; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test-cgi access"; flow:to_server,established; uricontent:"/test-cgi"; nocase; reference:arachnids,218; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:attempted-recon; sid:835; rev:9;)
# testcgi is *one* of many scripts to look for.  this *ALSO* triggers on testcgi.exe.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI testcgi access"; flow:to_server,established; uricontent:"/testcgi"; nocase; reference:bugtraq,7214; reference:nessus,11610; classtype:web-application-activity; sid:1645; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test.cgi access"; flow:to_server,established; uricontent:"/test.cgi"; nocase; classtype:web-application-activity; sid:1646; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI textcounter.pl access"; flow:to_server,established; uricontent:"/textcounter.pl"; nocase; reference:bugtraq,2265; reference:cve,1999-1479; reference:nessus,11451; classtype:attempted-recon; sid:836; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI uploader.exe access"; flow:to_server,established; uricontent:"/uploader.exe"; nocase; reference:bugtraq,1611; reference:cve,1999-0177; reference:cve,2000-0769; reference:nessus,10291; classtype:attempted-recon; sid:837; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webgais access"; flow:to_server,established; uricontent:"/webgais"; nocase; reference:arachnids,472; reference:bugtraq,2058; reference:cve,1999-0176; reference:nessus,10300; classtype:attempted-recon; sid:838; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI finger access"; flow:to_server,established; uricontent:"/finger"; nocase; reference:arachnids,221; reference:cve,1999-0612; reference:nessus,10071; classtype:attempted-recon; sid:839; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perlshop.cgi access"; flow:to_server,established; uricontent:"/perlshop.cgi"; nocase; reference:cve,1999-1374; classtype:attempted-recon; sid:840; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pfdisplay.cgi access"; flow:to_server,established; uricontent:"/pfdispaly.cgi"; nocase; reference:bugtraq,64; reference:cve,1999-0270; reference:nessus,10174; classtype:attempted-recon; sid:841; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI aglimpse access"; flow:to_server,established; uricontent:"/aglimpse"; nocase; reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon; sid:842; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI anform2 access"; flow:to_server,established; uricontent:"/AnForm2"; nocase; reference:arachnids,225; reference:bugtraq,719; reference:cve,1999-0066; classtype:attempted-recon; sid:843; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI args.bat access"; flow:to_server,established; uricontent:"/args.bat"; nocase; reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon; sid:844; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI args.cmd access"; flow:to_server,established; uricontent:"/args.cmd"; nocase; reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon; sid:1452; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AT-admin.cgi access"; flow:to_server,established; uricontent:"/AT-admin.cgi"; nocase; reference:cve,1999-1072; classtype:attempted-recon; sid:845; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AT-generated.cgi access"; flow:to_server,established; uricontent:"/AT-generated.cgi"; nocase; reference:cve,1999-1072; classtype:attempted-recon; sid:1453; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bnbform.cgi access"; flow:to_server,established; uricontent:"/bnbform.cgi"; nocase; reference:bugtraq,2147; reference:cve,1999-0937; classtype:attempted-recon; sid:846; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campas access"; flow:to_server,established; uricontent:"/campas"; nocase; reference:bugtraq,1975; reference:cve,1999-0146; reference:nessus,10035; classtype:attempted-recon; sid:847; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view-source directory traversal"; flow:to_server,established; uricontent:"/view-source"; nocase; content:"../"; nocase; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:web-application-attack; sid:848; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view-source access"; flow:to_server,established; uricontent:"/view-source"; nocase; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:attempted-recon; sid:849; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wais.pl access"; flow:to_server,established; uricontent:"/wais.pl"; nocase; classtype:attempted-recon; sid:850; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wwwwais access"; flow:to_server,established; uricontent:"/wwwwais"; nocase; reference:cve,2001-0223; reference:nessus,10597; classtype:attempted-recon; sid:1454; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI files.pl access"; flow:to_server,established; uricontent:"/files.pl"; nocase; reference:cve,1999-1081; classtype:attempted-recon; sid:851; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wguest.exe access"; flow:to_server,established; uricontent:"/wguest.exe"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,1999-0467; classtype:attempted-recon; sid:852; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wrap access"; flow:to_server,established; uricontent:"/wrap"; reference:arachnids,234; reference:bugtraq,373; reference:cve,1999-0149; reference:nessus,10317; classtype:attempted-recon; sid:853; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI classifieds.cgi access"; flow:to_server,established; uricontent:"/classifieds.cgi"; nocase; reference:bugtraq,2020; reference:cve,1999-0934; classtype:attempted-recon; sid:854; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI environ.cgi access"; flow:to_server,established; uricontent:"/environ.cgi"; nocase; classtype:attempted-recon; sid:856; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey access"; flow:to_server,established; uricontent:"/faxsurvey"; nocase; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-activity; sid:857; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI filemail access"; flow:to_server,established; uricontent:"/filemail.pl"; nocase; reference:cve,1999-1154; classtype:attempted-recon; sid:858; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI man.sh access"; flow:to_server,established; uricontent:"/man.sh"; nocase; reference:bugtraq,2276; reference:cve,1999-1179; classtype:attempted-recon; sid:859; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI snork.bat access"; flow:to_server,established; uricontent:"/snork.bat"; nocase; reference:arachnids,220; reference:bugtraq,1053; reference:cve,2000-0169; classtype:attempted-recon; sid:860; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3-msql access"; flow:to_server,established; uricontent:"/w3-msql/"; nocase; reference:arachnids,210; reference:bugtraq,591; reference:bugtraq,898; reference:cve,1999-0276; reference:cve,1999-0753; reference:cve,2000-0012; reference:nessus,10296; classtype:attempted-recon; sid:861; rev:12;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI day5datacopier.cgi access"; flow:to_server,established; uricontent:"/day5datacopier.cgi"; nocase; reference:cve,1999-1232; classtype:attempted-recon; sid:863; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI day5datanotifier.cgi access"; flow:to_server,established; uricontent:"/day5datanotifier.cgi"; nocase; reference:cve,1999-1232; classtype:attempted-recon; sid:864; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI post-query access"; flow:to_server,established; uricontent:"/post-query"; nocase; reference:bugtraq,6752; reference:cve,2001-0291; classtype:attempted-recon; sid:866; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI visadmin.exe access"; flow:to_server,established; uricontent:"/visadmin.exe"; nocase; reference:bugtraq,1808; reference:cve,1999-0970; reference:cve,1999-1970; reference:nessus,10295; classtype:attempted-recon; sid:867; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dumpenv.pl access"; flow:to_server,established; uricontent:"/dumpenv.pl"; nocase; reference:cve,1999-1178; reference:nessus,10060; classtype:attempted-recon; sid:869; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar_admin.pl arbitrary command execution attempt"; flow:to_server,established; uricontent:"/calendar_admin.pl?config=|7C|"; reference:cve,2000-0432; classtype:web-application-attack; sid:1536; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar_admin.pl access"; flow:to_server,established; uricontent:"/calendar_admin.pl"; reference:cve,2000-0432; classtype:web-application-activity; sid:1537; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calender_admin.pl access"; flow:to_server,established; uricontent:"/calender_admin.pl"; nocase; reference:cve,2000-0432; classtype:attempted-recon; sid:1456; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar-admin.pl access"; flow:to_server,established; uricontent:"/calendar-admin.pl"; nocase; reference:bugtraq,1215; classtype:web-application-activity; sid:1701; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar.pl access"; flow:to_server,established; uricontent:"calendar"; nocase; pcre:"/calendar(|[-_]admin)\.pl/Ui"; reference:bugtraq,1215; reference:cve,2000-0432; classtype:attempted-recon; sid:1455; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar access"; flow:to_server,established; uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI user_update_admin.pl access"; flow:to_server,established; uricontent:"/user_update_admin.pl"; nocase; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1457; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI user_update_passwd.pl access"; flow:to_server,established; uricontent:"/user_update_passwd.pl"; nocase; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1458; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI snorkerz.cmd access"; flow:to_server,established; uricontent:"/snorkerz.cmd"; nocase; classtype:attempted-recon; sid:870; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI survey.cgi access"; flow:to_server,established; uricontent:"/survey.cgi"; nocase; reference:bugtraq,1817; reference:cve,1999-0936; classtype:attempted-recon; sid:871; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI scriptalias access"; flow:to_server,established; uricontent:"///"; reference:arachnids,227; reference:bugtraq,2300; reference:cve,1999-0236; classtype:attempted-recon; sid:873; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI win-c-sample.exe access"; flow:to_server,established; uricontent:"/win-c-sample.exe"; nocase; reference:arachnids,231; reference:bugtraq,2078; reference:cve,1999-0178; reference:nessus,10008; classtype:attempted-recon; sid:875; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3tvars.pm access"; flow:to_server,established; uricontent:"/w3tvars.pm"; nocase; classtype:attempted-recon; sid:878; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI admin.pl access"; flow:to_server,established; uricontent:"/admin.pl"; nocase; reference:bugtraq,3839; reference:url,online.securityfocus.com/archive/1/249355; classtype:attempted-recon; sid:879; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI LWGate access"; flow:to_server,established; uricontent:"/LWGate"; nocase; reference:url,www.netspace.org/~dwb/lwgate/lwgate-history.html; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:880; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI archie access"; flow:to_server,established; uricontent:"/archie"; nocase; classtype:attempted-recon; sid:881; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI flexform access"; flow:to_server,established; uricontent:"/flexform"; nocase; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:883; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI formmail arbitrary command execution attempt"; flow:to_server,established; uricontent:"/formmail"; nocase; content:"%0a"; nocase; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-attack; sid:1610; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI formmail access"; flow:to_server,established; uricontent:"/formmail"; nocase; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-activity; sid:884; rev:14;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf arbitrary command execution attempt"; flow:to_server,established; uricontent:"/phf"; nocase; content:"QALIAS"; nocase; content:"%0a"; reference:arachnids,128; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-attack; sid:1762; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf access"; flow:to_server,established; uricontent:"/phf"; nocase; reference:arachnids,128; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-activity; sid:886; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI www-sql access"; flow:to_server,established; uricontent:"/www-sql"; nocase; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2; classtype:attempted-recon; sid:887; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wwwadmin.pl access"; flow:to_server,established; uricontent:"/wwwadmin.pl"; nocase; classtype:attempted-recon; sid:888; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ppdscgi.exe access"; flow:to_server,established; uricontent:"/ppdscgi.exe"; nocase; reference:bugtraq,491; reference:nessus,10187; reference:url,online.securityfocus.com/archive/1/16878; classtype:attempted-recon; sid:889; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sendform.cgi access"; flow:to_server,established; uricontent:"/sendform.cgi"; nocase; reference:bugtraq,5286; reference:cve,2002-0710; reference:url,www.scn.org/help/sendform.txt; classtype:attempted-recon; sid:890; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI upload.pl access"; flow:to_server,established; uricontent:"/upload.pl"; nocase; classtype:attempted-recon; sid:891; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AnyForm2 access"; flow:to_server,established; uricontent:"/AnyForm2"; nocase; reference:bugtraq,719; reference:cve,1999-0066; reference:nessus,10277; classtype:attempted-recon; sid:892; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI MachineInfo access"; flow:to_server,established; uricontent:"/MachineInfo"; nocase; reference:cve,1999-1067; classtype:attempted-recon; sid:893; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hist.sh attempt"; flow:to_server,established; uricontent:"/bb-hist.sh?HISTFILE=../.."; nocase; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:web-application-attack; sid:1531; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hist.sh access"; flow:to_server,established; uricontent:"/bb-hist.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:894; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-histlog.sh access"; flow:to_server,established; uricontent:"/bb-histlog.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:1459; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-histsvc.sh access"; flow:to_server,established; uricontent:"/bb-histsvc.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1460; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hostscv.sh attempt"; flow:to_server,established; uricontent:"/bb-hostsvc.sh?HOSTSVC?../.."; nocase; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-attack; sid:1532; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hostscv.sh access"; flow:to_server,established; uricontent:"/bb-hostsvc.sh"; nocase; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-activity; sid:1533; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-rep.sh access"; flow:to_server,established; uricontent:"/bb-rep.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1461; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-replog.sh access"; flow:to_server,established; uricontent:"/bb-replog.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1462; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI redirect access"; flow:to_server,established; uricontent:"/redirect"; nocase; reference:bugtraq,1179; reference:cve,2000-0382; classtype:attempted-recon; sid:895; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wayboard attempt"; flow:to_server,established; uricontent:"/way-board/way-board.cgi"; content:"db="; content:"../.."; nocase; reference:bugtraq,2370; reference:cve,2001-0214; classtype:web-application-attack; sid:1397; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI way-board access"; flow:to_server,established; uricontent:"/way-board"; nocase; reference:bugtraq,2370; reference:cve,2001-0214; reference:nessus,10610; classtype:web-application-activity; sid:896; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pals-cgi arbitrary file access attempt"; flow:to_server,established; uricontent:"/pals-cgi"; nocase; content:"documentName="; reference:bugtraq,2372; reference:cve,2001-0217; reference:nessus,10611; classtype:web-application-attack; sid:1222; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pals-cgi access"; flow:to_server,established; uricontent:"/pals-cgi"; nocase; reference:bugtraq,2372; reference:cve,2001-0216; reference:cve,2001-0217; reference:nessus,10611; classtype:attempted-recon; sid:897; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI commerce.cgi arbitrary file access attempt"; flow:to_server,established; uricontent:"/commerce.cgi"; content:"page="; content:"/../"; nocase; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:1572; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI commerce.cgi access"; flow:to_server,established; uricontent:"/commerce.cgi"; nocase; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:898; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Amaya templates sendtemp.pl directory traversal attempt"; flow:to_server,established; uricontent:"/sendtemp.pl"; nocase; content:"templ="; nocase; reference:bugtraq,2504; reference:cve,2001-0272; classtype:web-application-attack; sid:899; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Amaya templates sendtemp.pl access"; flow:to_server,established; uricontent:"/sendtemp.pl"; nocase; reference:bugtraq,2504; reference:cve,2001-0272; classtype:web-application-activity; sid:1702; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspirs.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/webspirs.cgi"; nocase; content:"../../"; nocase; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:web-application-attack; sid:900; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspirs.cgi access"; flow:to_server,established; uricontent:"/webspirs.cgi"; nocase; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:attempted-recon; sid:901; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI tstisapi.dll access"; flow:to_server,established; uricontent:"tstisapi.dll"; nocase; reference:bugtraq,2381; reference:cve,2001-0302; classtype:attempted-recon; sid:902; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sendmessage.cgi access"; flow:to_server,established; uricontent:"/sendmessage.cgi"; nocase; reference:bugtraq,3673; reference:cve,2001-1100; classtype:attempted-recon; sid:1308; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI lastlines.cgi access"; flow:to_server,established; uricontent:"/lastlines.cgi"; nocase; reference:bugtraq,3754; reference:bugtraq,3755; reference:cve,2001-1205; reference:cve,2001-1206; classtype:attempted-recon; sid:1392; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI zml.cgi attempt"; flow:to_server,established; uricontent:"/zml.cgi"; content:"file=../"; reference:bugtraq,3759; reference:cve,2001-1209; classtype:web-application-activity; sid:1395; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI zml.cgi access"; flow:to_server,established; uricontent:"/zml.cgi"; reference:bugtraq,3759; reference:cve,2001-1209; classtype:web-application-activity; sid:1396; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AHG search.cgi access"; flow:to_server,established; uricontent:"/publisher/search.cgi"; nocase; content:"template="; nocase; reference:bugtraq,3985; classtype:web-application-activity; sid:1405; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI agora.cgi attempt"; flow:to_server,established; uricontent:"/store/agora.cgi?cart_id=<SCRIPT>"; nocase; reference:bugtraq,3702; reference:bugtraq,3976; reference:cve,2001-1199; reference:cve,2002-0215; reference:nessus,10836; classtype:web-application-attack; sid:1534; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI agora.cgi access"; flow:to_server,established; uricontent:"/store/agora.cgi"; nocase; reference:bugtraq,3702; reference:bugtraq,3976; reference:cve,2001-1199; reference:cve,2002-0215; reference:nessus,10836; classtype:web-application-activity; sid:1406; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rksh access"; flow:to_server,established; uricontent:"/rksh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:877; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bash access"; flow:to_server,established; uricontent:"/bash"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:web-application-activity; sid:885; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perl.exe command attempt"; flow:to_server,established; uricontent:"/perl.exe?"; nocase; reference:arachnids,219; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1648; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perl.exe access"; flow:to_server,established; uricontent:"/perl.exe"; nocase; reference:arachnids,219; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:832; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perl command attempt"; flow:to_server,established; uricontent:"/perl?"; nocase; reference:arachnids,219; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1649; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI zsh access"; flow:to_server,established; uricontent:"/zsh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1309; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csh access"; flow:to_server,established; uricontent:"/csh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:862; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI tcsh access"; flow:to_server,established; uricontent:"/tcsh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:872; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rsh access"; flow:to_server,established; uricontent:"/rsh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:868; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ksh access"; flow:to_server,established; uricontent:"/ksh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:865; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI auktion.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/auktion.cgi"; nocase; content:"menue=../../"; nocase; reference:bugtraq,2367; reference:cve,2001-0212; reference:nessus,10638; classtype:web-application-attack; sid:1703; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI auktion.cgi access"; flow:to_server,established; uricontent:"/auktion.cgi"; nocase; reference:bugtraq,2367; reference:cve,2001-0212; reference:nessus,10638; classtype:web-application-activity; sid:1465; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgiforum.pl attempt"; flow:to_server,established; uricontent:"/cgiforum.pl?thesection=../.."; nocase; reference:bugtraq,1963; reference:cve,2000-1171; reference:nessus,10552; classtype:web-application-attack; sid:1573; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgiforum.pl access"; flow:to_server,established; uricontent:"/cgiforum.pl"; nocase; reference:bugtraq,1963; reference:cve,2000-1171; reference:nessus,10552; classtype:web-application-activity; sid:1466; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI directorypro.cgi attempt"; flow:to_server,established; uricontent:"/directorypro.cgi"; content:"show="; content:"../.."; distance:1; nocase; reference:bugtraq,2793; reference:cve,2001-0780; classtype:web-application-attack; sid:1574; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI directorypro.cgi access"; flow:to_server,established; uricontent:"/directorypro.cgi"; nocase; reference:bugtraq,2793; reference:cve,2001-0780; classtype:web-application-activity; sid:1467; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Web Shopper shopper.cgi attempt"; flow:to_server,established; uricontent:"/shopper.cgi"; nocase; content:"newpage=../"; nocase; reference:bugtraq,1776; reference:cve,2000-0922; classtype:web-application-attack; sid:1468; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Web Shopper shopper.cgi access"; flow:to_server,established; uricontent:"/shopper.cgi"; nocase; reference:bugtraq,1776; reference:cve,2000-0922; classtype:attempted-recon; sid:1469; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI listrec.pl access"; flow:to_server,established; uricontent:"/listrec.pl"; nocase; reference:bugtraq,3328; reference:cve,2001-0997; classtype:attempted-recon; sid:1470; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailnews.cgi access"; flow:to_server,established; uricontent:"/mailnews.cgi"; nocase; reference:bugtraq,2391; reference:cve,2001-0271; reference:nessus,10641; classtype:attempted-recon; sid:1471; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI book.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/book.cgi"; nocase; content:"current=|7C|"; nocase; reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721; classtype:web-application-attack; sid:1879; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI book.cgi access"; flow:to_server,established; uricontent:"/book.cgi"; nocase; reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721; classtype:web-application-activity; sid:1472; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI newsdesk.cgi access"; flow:to_server,established; uricontent:"/newsdesk.cgi"; nocase; reference:bugtraq,2172; reference:cve,2001-0232; classtype:attempted-recon; sid:1473; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cal_make.pl directory traversal attempt"; flow:to_server,established; uricontent:"/cal_make.pl"; nocase; content:"p0=../../"; nocase; reference:bugtraq,2663; reference:cve,2001-0463; reference:nessus,10664; classtype:web-application-attack; sid:1704; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cal_make.pl access"; flow:to_server,established; uricontent:"/cal_make.pl"; nocase; reference:bugtraq,2663; reference:cve,2001-0463; reference:nessus,10664; classtype:web-application-activity; sid:1474; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailit.pl access"; flow:to_server,established; uricontent:"/mailit.pl"; nocase; reference:nessus,10417; classtype:attempted-recon; sid:1475; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sdbsearch.cgi access"; flow:to_server,established; uricontent:"/sdbsearch.cgi"; nocase; reference:bugtraq,1658; reference:cve,2001-1130; reference:nessus,10503; reference:nessus,10720; classtype:attempted-recon; sid:1476; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI swc access"; flow:to_server,established; uricontent:"/swc"; nocase; reference:nessus,10493; classtype:attempted-recon; sid:1478; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ttawebtop.cgi arbitrary file attempt"; flow:to_server,established; uricontent:"/ttawebtop.cgi"; nocase; content:"pg=../"; nocase; reference:bugtraq,2890; reference:cve,2001-0805; reference:nessus,10696; classtype:web-application-attack; sid:1479; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ttawebtop.cgi access"; flow:to_server,established; uricontent:"/ttawebtop.cgi"; nocase; reference:bugtraq,2890; reference:cve,2001-0805; reference:nessus,10696; classtype:attempted-recon; sid:1480; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI upload.cgi access"; flow:to_server,established; uricontent:"/upload.cgi"; nocase; reference:nessus,10290; classtype:attempted-recon; sid:1481; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view_source access"; flow:to_server,established; uricontent:"/view_source"; nocase; reference:bugtraq,2251; reference:cve,1999-0174; reference:nessus,10294; classtype:attempted-recon; sid:1482; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ustorekeeper.pl directory traversal attempt"; flow:to_server,established; uricontent:"/ustorekeeper.pl"; nocase; content:"file=../../"; nocase; reference:bugtraq,2536; reference:cve,2001-0466; reference:nessus,10645; classtype:web-application-attack; sid:1730; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ustorekeeper.pl access"; flow:to_server,established; uricontent:"/ustorekeeper.pl"; nocase; reference:cve,2001-0466; reference:nessus,10645; classtype:web-application-activity; sid:1483; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI icat access"; flow:to_server,established; uricontent:"/icat"; reference:cve,1999-1069; classtype:web-application-activity; sid:1606; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Bugzilla doeditvotes.cgi access"; flow:to_server,established; uricontent:"/doeditvotes.cgi"; reference:bugtraq,3800; reference:cve,2002-0011; classtype:web-application-activity; sid:1617; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htsearch arbitrary configuration file attempt"; flow:to_server,established; uricontent:"/htsearch?-c"; nocase; reference:cve,2000-0208; classtype:web-application-attack; sid:1600; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htsearch arbitrary file read attempt"; flow:to_server,established; uricontent:"/htsearch?exclude=`"; nocase; reference:bugtraq,1026; reference:cve,2000-0208; reference:nessus,10105; classtype:web-application-attack; sid:1601; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htsearch access"; flow:to_server,established; uricontent:"/htsearch"; nocase; reference:bugtraq,1026; reference:cve,2000-0208; reference:nessus,10105; classtype:web-application-activity; sid:1602; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI a1stats a1disp3.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/a1disp3.cgi?/../../"; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-attack; sid:1501; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI a1stats a1disp3.cgi access"; flow:to_server,established; uricontent:"/a1disp3.cgi"; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-activity; sid:1502; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI a1stats access"; flow:to_server,established; uricontent:"/a1stats/"; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-activity; sid:1731; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI admentor admin.asp access"; flow:to_server,established; uricontent:"/admentor/admin/admin.asp"; reference:bugtraq,4152; reference:cve,2002-0308; reference:nessus,10880; reference:url,www.securiteam.com/windowsntfocus/5DP0N1F6AW.html; classtype:web-application-activity; sid:1503; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alchemy http server PRN arbitrary command execution attempt"; flow:to_server,established; uricontent:"/PRN/../../"; reference:bugtraq,3599; reference:cve,2001-0871; classtype:web-application-activity; sid:1505; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alchemy http server NUL arbitrary command execution attempt"; flow:to_server,established; uricontent:"/NUL/../../"; reference:bugtraq,3599; reference:cve,2001-0871; classtype:web-application-activity; sid:1506; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alibaba.pl arbitrary command execution attempt"; flow:to_server,established; uricontent:"/alibaba.pl|7C|"; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10013; classtype:web-application-attack; sid:1507; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alibaba.pl access"; flow:to_server,established; uricontent:"/alibaba.pl"; reference:bugtraq,770; reference:cve ,CAN-1999-0885; reference:nessus,10013; classtype:web-application-activity; sid:1508; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AltaVista Intranet Search directory traversal attempt"; flow:to_server,established; uricontent:"/query?mss=.."; reference:bugtraq,896; reference:cve,2000-0039; reference:nessus,10015; classtype:web-application-attack; sid:1509; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/test.bat|7C|"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1510; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test.bat access"; flow:to_server,established; uricontent:"/test.bat"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1511; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI input.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/input.bat|7C|"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1512; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI input.bat access"; flow:to_server,established; uricontent:"/input.bat"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1513; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI input2.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/input2.bat|7C|"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1514; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI input2.bat access"; flow:to_server,established; uricontent:"/input2.bat"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1515; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI envout.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/envout.bat|7C|"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1516; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI envout.bat access"; flow:to_server,established; uricontent:"/envout.bat"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1517; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI echo.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/echo.bat"; content:"&"; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-attack; sid:1705; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI echo.bat access"; flow:to_server,established; uricontent:"/echo.bat"; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-activity; sid:1706; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI hello.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/hello.bat"; content:"&"; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-attack; sid:1707; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI hello.bat access"; flow:to_server,established; uricontent:"/hello.bat"; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-activity; sid:1708; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI tst.bat access"; flow:to_server,established; uricontent:"/tst.bat"; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10014; classtype:web-application-activity; sid:1650; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-bin/ls access"; flow:to_server,established; uricontent:"/cgi-bin/ls"; nocase; reference:bugtraq,936; reference:cve,2000-0079; classtype:web-application-activity; sid:1539; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgimail access"; flow:to_server,established; uricontent:"/cgimail"; nocase; reference:bugtraq,1623; reference:cve,2000-0726; reference:nessus,11721; classtype:web-application-activity; sid:1542; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgiwrap access"; flow:to_server,established; uricontent:"/cgiwrap"; nocase; reference:bugtraq,1238; reference:bugtraq,3084; reference:bugtraq,777; reference:cve,1999-1530; reference:cve,2000-0431; reference:cve,2001-0987; reference:nessus,10041; classtype:web-application-activity; sid:1543; rev:12;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csSearch.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/csSearch.cgi"; content:"setup="; content:"`"; content:"`"; distance:1; reference:bugtraq,4368; reference:cve,2002-0495; reference:nessus,10924; classtype:web-application-attack; sid:1547; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csSearch.cgi access"; flow:to_server,established; uricontent:"/csSearch.cgi"; reference:bugtraq,4368; reference:cve,2002-0495; reference:nessus,10924; classtype:web-application-activity; sid:1548; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cart/cart.cgi access"; flow:to_server,established; uricontent:"/cart/cart.cgi"; reference:bugtraq,1115; reference:cve,2000-0252; classtype:web-application-activity; sid:1553; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dbman db.cgi access"; flow:to_server,established; uricontent:"/dbman/db.cgi"; reference:bugtraq,1178; reference:cve,2000-0381; reference:nessus,10403; classtype:web-application-activity; sid:1554; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI DCShop access"; flow:to_server,established; uricontent:"/dcshop"; nocase; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1555; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI DCShop orders.txt access"; flow:to_server,established; uricontent:"/orders/orders.txt"; nocase; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1556; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI DCShop auth_user_file.txt access"; flow:to_server,established; uricontent:"/auth_data/auth_user_file.txt"; nocase; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1557; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI eshop.pl arbitrary commane execution attempt"; flow:to_server,established; uricontent:"/eshop.pl?seite=|3B|"; nocase; reference:bugtraq,3340; reference:cve,2001-1014; classtype:web-application-attack; sid:1565; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI eshop.pl access"; flow:to_server,established; uricontent:"/eshop.pl"; nocase; reference:bugtraq,3340; reference:cve,2001-1014; classtype:web-application-activity; sid:1566; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI loadpage.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/loadpage.cgi"; content:"file=../"; nocase; reference:bugtraq,2109; reference:cve,2000-1092; classtype:web-application-attack; sid:1569; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI loadpage.cgi access"; flow:to_server,established; uricontent:"/loadpage.cgi"; nocase; reference:bugtraq,2109; reference:cve,2000-1092; classtype:web-application-activity; sid:1570; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faqmanager.cgi arbitrary file access attempt"; flow:to_server,established; uricontent:"/faqmanager.cgi?toc="; uricontent:"|00|"; nocase; reference:bugtraq,3810; reference:nessus,10837; classtype:web-application-attack; sid:1590; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faqmanager.cgi access"; flow:to_server,established; uricontent:"/faqmanager.cgi"; nocase; reference:bugtraq,3810; reference:nessus,10837; classtype:web-application-activity; sid:1591; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /fcgi-bin/echo.exe access"; flow:to_server,established; uricontent:"/fcgi-bin/echo.exe"; nocase; reference:nessus,10838; classtype:web-application-activity; sid:1592; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI FormHandler.cgi directory traversal attempt attempt"; flow:to_server,established; uricontent:"/FormHandler.cgi"; nocase; content:"reply_message_attach="; nocase; content:"/../"; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-attack; sid:1628; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI FormHandler.cgi external site redirection attempt"; flow:to_server,established; uricontent:"/FormHandler.cgi"; nocase; content:"redirect=http"; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-attack; sid:1593; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI FormHandler.cgi access"; flow:to_server,established; uricontent:"/FormHandler.cgi"; nocase; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-activity; sid:1594; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI guestbook.cgi access"; flow:to_server,established; uricontent:"/guestbook.cgi"; nocase; reference:cve,1999-0237; reference:nessus,10098; classtype:web-application-activity; sid:1597; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Home Free search.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/search.cgi"; content:"letter=../.."; nocase; reference:bugtraq,921; reference:cve,2000-0054; classtype:web-application-attack; sid:1598; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI search.cgi access"; flow:to_server,established; uricontent:"/search.cgi"; nocase; reference:bugtraq,921; reference:cve,2000-0054; classtype:web-application-activity; sid:1599; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI environ.pl access"; flow:to_server,established; uricontent:"/environ.pl"; nocase; classtype:web-application-activity; sid:1651; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campus attempt"; flow:to_server,established; uricontent:"/campus?|0A|"; nocase; reference:bugtraq,1975; reference:cve,1999-0146; reference:nessus,10035; classtype:web-application-attack; sid:1652; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campus access"; flow:to_server,established; uricontent:"/campus"; nocase; reference:bugtraq,1975; reference:cve,1999-0146; reference:nessus,10035; classtype:web-application-activity; sid:1653; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cart32.exe access"; flow:to_server,established; uricontent:"/cart32.exe"; nocase; reference:bugtraq,1153; classtype:web-application-activity; sid:1654; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pfdispaly.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/pfdispaly.cgi?'"; nocase; reference:cve,1999-0270; reference:nessus,10174; classtype:web-application-attack; sid:1655; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pfdispaly.cgi access"; flow:to_server,established; uricontent:"/pfdispaly.cgi"; nocase; reference:cve,1999-0270; reference:nessus,10174; classtype:web-application-activity; sid:1656; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pagelog.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/pagelog.cgi"; nocase; content:"name=../"; nocase; reference:bugtraq,1864; reference:cve,2000-0940; reference:nessus,10591; classtype:web-application-activity; sid:1657; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pagelog.cgi access"; flow:to_server,established; uricontent:"/pagelog.cgi"; nocase; reference:bugtraq,1864; reference:cve,2000-0940; reference:nessus,10591; classtype:web-application-activity; sid:1658; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ad.cgi access"; flow:to_server,established; uricontent:"/ad.cgi"; nocase; reference:bugtraq,2103; reference:cve,2001-0025; reference:nessus,11464; classtype:web-application-activity; sid:1709; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bbs_forum.cgi access"; flow:to_server,established; uricontent:"/bbs_forum.cgi"; nocase; reference:bugtraq,2177; reference:cve,2001-0123; reference:url,www.cgisecurity.com/advisory/3.1.txt; classtype:web-application-activity; sid:1710; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bsguest.cgi access"; flow:to_server,established; uricontent:"/bsguest.cgi"; nocase; reference:bugtraq,2159; reference:cve,2001-0099; classtype:web-application-activity; sid:1711; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bslist.cgi access"; flow:to_server,established; uricontent:"/bslist.cgi"; nocase; reference:bugtraq,2160; reference:cve,2001-0100; classtype:web-application-activity; sid:1712; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgforum.cgi access"; flow:to_server,established; uricontent:"/cgforum.cgi"; nocase; reference:bugtraq,1951; reference:cve,2000-1132; classtype:web-application-activity; sid:1713; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI newdesk access"; flow:to_server,established; uricontent:"/newdesk"; nocase; classtype:web-application-activity; sid:1714; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI register.cgi access"; flow:to_server,established; uricontent:"/register.cgi"; nocase; reference:bugtraq,2157; reference:cve,2001-0076; classtype:web-application-activity; sid:1715; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI gbook.cgi access"; flow:to_server,established; uricontent:"/gbook.cgi"; nocase; reference:bugtraq,1940; reference:cve,2000-1131; classtype:web-application-activity; sid:1716; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI simplestguest.cgi access"; flow:to_server,established; uricontent:"/simplestguest.cgi"; nocase; reference:bugtraq,2106; reference:cve,2001-0022; classtype:web-application-activity; sid:1717; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI statsconfig.pl access"; flow:to_server,established; uricontent:"/statsconfig.pl"; nocase; reference:bugtraq,2211; reference:cve,2001-0113; classtype:web-application-activity; sid:1718; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI talkback.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/talkbalk.cgi"; nocase; content:"article=../../"; nocase; reference:bugtraq,2547; reference:cve,2001-0420; classtype:web-application-attack; sid:1719; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI talkback.cgi access"; flow:to_server,established; uricontent:"/talkbalk.cgi"; nocase; reference:bugtraq,2547; reference:cve,2001-0420; classtype:web-application-activity; sid:1720; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI adcycle access"; flow:to_server,established; uricontent:"/adcycle"; nocase; reference:bugtraq,3741; reference:cve,2001-1226; classtype:web-application-activity; sid:1721; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI MachineInfo access"; flow:to_server,established; uricontent:"/MachineInfo"; nocase; reference:cve,1999-1067; classtype:web-application-activity; sid:1722; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI emumail.cgi NULL attempt"; flow:to_server,established; uricontent:"/emumail.cgi"; content:"type="; nocase; content:"%00"; reference:bugtraq,5824; reference:cve,2002-1526; classtype:web-application-activity; sid:1723; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI emumail.cgi access"; flow:to_server,established; uricontent:"/emumail.cgi"; nocase; reference:bugtraq,5824; reference:cve,2002-1526; classtype:web-application-activity; sid:1724; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI document.d2w access"; flow:to_server,established; uricontent:"/document.d2w"; reference:bugtraq,2017; reference:cve,2000-1110; classtype:web-application-activity; sid:1642; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI db2www access"; flow:to_server,established; uricontent:"/db2www"; reference:cve,2000-0677; classtype:web-application-activity; sid:1643; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-bin/ access"; flow:to_server,established; uricontent:"/cgi-bin/"; content:"/cgi-bin/ HTTP"; nocase; classtype:web-application-attack; sid:1668; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-dos/ access"; flow:to_server,established; uricontent:"/cgi-dos/"; content:"/cgi-dos/ HTTP"; nocase; classtype:web-application-attack; sid:1669; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI technote main.cgi file directory traversal attempt"; flow:to_server,established; uricontent:"/technote/main.cgi"; nocase; content:"filename="; nocase; content:"../../"; reference:bugtraq,2156; reference:cve,2001-0075; reference:nessus,10584; classtype:web-application-attack; sid:1051; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI technote print.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/technote/print.cgi"; nocase; content:"board="; nocase; content:"../../"; content:"%00"; reference:bugtraq,2156; reference:cve,2001-0075; reference:nessus,10584; classtype:web-application-attack; sid:1052; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ads.cgi command execution attempt"; flow:to_server,established; uricontent:"/ads.cgi"; nocase; content:"file="; nocase; content:"../../"; content:"|7C|"; reference:bugtraq,2103; reference:cve,2001-0025; reference:nessus,11464; classtype:web-application-attack; sid:1053; rev:12;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI eXtropia webstore directory traversal"; flow:to_server,established; uricontent:"/web_store.cgi"; content:"page=../"; reference:bugtraq,1774; reference:cve,2000-1005; reference:nessus,10532; classtype:web-application-attack; sid:1088; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI eXtropia webstore access"; flow:to_server,established; uricontent:"/web_store.cgi"; reference:bugtraq,1774; reference:cve,2000-1005; reference:nessus,10532; classtype:web-application-activity; sid:1611; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI shopping cart directory traversal"; flow:to_server,established; uricontent:"/shop.cgi"; content:"page=../"; reference:bugtraq,1777; reference:cve,2000-0921; classtype:web-application-attack; sid:1089; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Allaire Pro Web Shell attempt"; flow:to_server,established; uricontent:"/authenticate.cgi?PASSWORD"; content:"config.ini"; classtype:web-application-attack; sid:1090; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Armada Style Master Index directory traversal"; flow:to_server,established; uricontent:"/search.cgi?keys"; content:"catigory=../"; reference:bugtraq,1772; reference:cve,2000-0924; reference:nessus,10562; reference:url,www.synnergy.net/downloads/advisories/SLA-2000-16.masterindex.txt; classtype:web-application-attack; sid:1092; rev:12;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cached_feed.cgi moreover shopping cart directory traversal"; flow:to_server,established; uricontent:"/cached_feed.cgi"; content:"../"; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-attack; sid:1093; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cached_feed.cgi moreover shopping cart access"; flow:to_server,established; uricontent:"/cached_feed.cgi"; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-activity; sid:2051; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Talentsoft Web+ exploit attempt"; flow:to_server,established; uricontent:"/webplus.cgi?Script=/webplus/webping/webping.wml"; reference:bugtraq,1725; classtype:web-application-attack; sid:1097; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Poll-it access"; flow:to_server,established; uricontent:"/pollit/Poll_It_SSI_v2.0.cgi"; nocase; reference:bugtraq,1431; reference:cve,2000-0590; reference:nessus,10459; classtype:web-application-activity; sid:1106; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI count.cgi access"; flow:to_server,established; uricontent:"/count.cgi"; nocase; reference:bugtraq,128; reference:cve,1999-0021; reference:nessus,10049; classtype:web-application-activity; sid:1149; rev:12;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webdist.cgi arbitrary command attempt"; flow:to_server,established; uricontent:"/webdist.cgi"; nocase; content:"distloc=|3B|"; nocase; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-attack; sid:1865; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webdist.cgi access"; flow:to_server,established; uricontent:"/webdist.cgi"; nocase; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-activity; sid:1163; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bigconf.cgi access"; flow:to_server,established; uricontent:"/bigconf.cgi"; nocase; reference:bugtraq,778; reference:cve,1999-1550; reference:nessus,10027; classtype:web-application-activity; sid:1172; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-bin/jj access"; flow:to_server,established; uricontent:"/cgi-bin/jj"; nocase; reference:bugtraq,2002; reference:cve,1999-0260; reference:nessus,10131; classtype:web-application-activity; sid:1174; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bizdbsearch attempt"; flow:to_server,established; uricontent:"/bizdb1-search.cgi"; nocase; content:"mail"; nocase; reference:bugtraq,1104; reference:cve,2000-0287; reference:nessus,10383; classtype:web-application-attack; sid:1185; rev:12;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bizdbsearch access"; flow:to_server,established; uricontent:"/bizdb1-search.cgi"; nocase; reference:bugtraq,1104; reference:cve,2000-0287; reference:nessus,10383; classtype:web-application-activity; sid:1535; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sojourn.cgi File attempt"; flow:to_server,established; uricontent:"/sojourn.cgi?cat="; content:"%00"; nocase; reference:bugtraq,1052; reference:cve,2000-0180; reference:nessus,10349; classtype:web-application-attack; sid:1194; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sojourn.cgi access"; flow:to_server,established; uricontent:"/sojourn.cgi"; nocase; reference:bugtraq,1052; reference:cve,2000-0180; reference:nessus,10349; classtype:web-application-activity; sid:1195; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SGI InfoSearch fname attempt"; flow:to_server,established; uricontent:"/infosrch.cgi?"; content:"fname="; nocase; reference:arachnids,290; reference:bugtraq,1031; reference:cve,2000-0207; classtype:web-application-attack; sid:1196; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SGI InfoSearch fname access"; flow:to_server,established; uricontent:"/infosrch.cgi"; reference:arachnids,290; reference:bugtraq,1031; reference:cve,2000-0207; classtype:web-application-activity; sid:1727; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ax-admin.cgi access"; flow:to_server,established; uricontent:"/ax-admin.cgi"; classtype:web-application-activity; sid:1204; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI axs.cgi access"; flow:to_server,established; uricontent:"/axs.cgi"; classtype:web-application-activity; sid:1205; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cachemgr.cgi access"; flow:to_server,established; uricontent:"/cachemgr.cgi"; reference:bugtraq,2059; reference:cve,1999-0710; reference:nessus,10034; classtype:web-application-activity; sid:1206; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI responder.cgi access"; flow:to_server,established; uricontent:"/responder.cgi"; reference:bugtraq,3155; classtype:web-application-activity; sid:1208; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI web-map.cgi access"; flow:to_server,established; uricontent:"/web-map.cgi"; classtype:web-application-activity; sid:1211; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ministats admin access"; flow:to_server,established; uricontent:"/ministats/admin.cgi"; nocase; classtype:web-application-activity; sid:1215; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dfire.cgi access"; flow:to_server,established; uricontent:"/dfire.cgi"; nocase; reference:bugtraq,564; reference:cve,1999-0913; classtype:web-application-activity; sid:1219; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI txt2html.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/txt2html.cgi"; nocase; content:"/../../../../"; classtype:web-application-attack; sid:1305; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI txt2html.cgi access"; flow:to_server,established; uricontent:"/txt2html.cgi"; nocase; classtype:web-application-activity; sid:1304; rev:7;)
# do we really need two of these?
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI store.cgi product directory traversal attempt"; flow:to_server,established; uricontent:"/store.cgi"; nocase; content:"product="; content:"../.."; reference:bugtraq,2385; reference:cve,2001-0305; classtype:web-application-attack; sid:1306; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI store.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/store.cgi"; nocase; content:"../"; reference:bugtraq,2385; reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-attack; sid:1488; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI store.cgi access"; flow:to_server,established; uricontent:"/store.cgi"; nocase; reference:bugtraq,2385; reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-activity; sid:1307; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SIX webboard generate.cgi attempt"; flow:to_server,established; uricontent:"/generate.cgi"; content:"content=../"; reference:bugtraq,3175; reference:cve,2001-1115; reference:nessus,10725; classtype:web-application-attack; sid:1494; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SIX webboard generate.cgi access"; flow:to_server,established; uricontent:"/generate.cgi"; reference:bugtraq,3175; reference:cve,2001-1115; classtype:web-application-activity; sid:1495; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI spin_client.cgi access"; flow:to_server,established; uricontent:"/spin_client.cgi"; reference:nessus,10393; classtype:web-application-activity; sid:1496; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csPassword.cgi access"; flow:to_server,established; uricontent:"/csPassword.cgi"; reference:bugtraq,4885; reference:bugtraq,4886; reference:bugtraq,4887; reference:bugtraq,4889; reference:cve,2002-0917; reference:cve,2002-0918; classtype:web-application-activity; sid:1787; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csPassword password.cgi.tmp access"; flow:to_server,established; uricontent:"/password.cgi.tmp"; reference:bugtraq,4889; reference:cve,2002-0920; classtype:web-application-activity; sid:1788; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Nortel Contivity cgiproc DOS attempt"; flow:to_server,established; uricontent:"/cgiproc?Nocfile="; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-attack; sid:1763; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Nortel Contivity cgiproc DOS attempt"; flow:to_server,established; uricontent:"/cgiproc?|24|"; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-attack; sid:1764; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Nortel Contivity cgiproc access"; flow:to_server,established; uricontent:"/cgiproc"; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-activity; sid:1765; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Oracle reports CGI access"; flow:to_server,established; uricontent:"/rwcgi60"; content:"setauth="; reference:bugtraq,4848; reference:cve,2002-0947; classtype:web-application-activity; sid:1805; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alienform.cgi directory traversal attempt"; flow:established,to_server; uricontent:"/alienform.cgi"; content:".|7C|./.|7C|."; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-attack; sid:1822; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AlienForm af.cgi directory traversal attempt"; flow:established,to_server; uricontent:"/af.cgi"; content:".|7C|./.|7C|."; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-attack; sid:1823; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alienform.cgi access"; flow:established,to_server; uricontent:"/alienform.cgi"; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-activity; sid:1824; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AlienForm af.cgi access"; flow:established,to_server; uricontent:"/af.cgi"; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-activity; sid:1825; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-CGI story.pl arbitrary file read attempt"; flow:to_server,established; uricontent:"/story.pl"; content:"next=../"; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:1868; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-CGI story.pl access"; flow:to_server,established; uricontent:"/story.pl"; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:1869; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI siteUserMod.cgi access"; flow:to_server,established; uricontent:"/.cobalt/siteUserMod/siteUserMod.cgi"; reference:bugtraq,951; reference:cve,2000-0117; reference:nessus,10253; classtype:web-application-activity; sid:1870; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgicso access"; flow:to_server,established; uricontent:"/cgicso"; reference:bugtraq,6141; reference:nessus,10779; reference:nessus,10780; classtype:web-application-activity; sid:1875; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nph-publish.cgi access"; flow:to_server,established; uricontent:"/nph-publish.cgi"; reference:cve,1999-1177; reference:nessus,10164; classtype:web-application-activity; sid:1876; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI printenv access"; flow:to_server,established; uricontent:"/printenv"; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10188; reference:nessus,10503; classtype:web-application-activity; sid:1877; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sdbsearch.cgi access"; flow:to_server,established; uricontent:"/sdbsearch.cgi"; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10503; classtype:web-application-activity; sid:1878; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rpc-nlog.pl access"; flow:to_server,established; uricontent:"/rpc-nlog.pl"; reference:cve,1999-1278; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=91470326629357&w=2; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=91471400632145&w=2; classtype:web-application-activity; sid:1931; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rpc-smb.pl access"; flow:to_server,established; uricontent:"/rpc-smb.pl"; reference:cve,1999-1278; classtype:web-application-activity; sid:1932; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cart.cgi access"; flow:to_server,established; uricontent:"/cart.cgi"; reference:bugtraq,1115; reference:cve,2000-0252; reference:nessus,10368; classtype:web-application-activity; sid:1933; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI vpasswd.cgi access"; flow:to_server,established; uricontent:"/vpasswd.cgi"; reference:bugtraq,6038; reference:nessus,11165; classtype:web-application-activity; sid:1994; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alya.cgi access"; flow:to_server,established; uricontent:"/alya.cgi"; reference:nessus,11118; classtype:web-application-activity; sid:1995; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI viralator.cgi access"; flow:to_server,established; uricontent:"/viralator.cgi"; reference:bugtraq,3495; reference:cve,2001-0849; reference:nessus,11107; classtype:web-application-activity; sid:1996; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI smartsearch.cgi access"; flow:to_server,established; uricontent:"/smartsearch.cgi"; reference:bugtraq,7133; classtype:web-application-activity; sid:2001; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mrtg.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/mrtg.cgi"; content:"cfg=/../"; reference:bugtraq,4017; reference:cve,2002-0232; reference:nessus,11001; classtype:web-application-attack; sid:1862; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI overflow.cgi access"; flow:to_server,established; uricontent:"/overflow.cgi"; reference:bugtraq,6326; reference:cve,2002-1361; reference:nessus,11190; reference:url,www.cert.org/advisories/CA-2002-35.html; classtype:web-application-activity; sid:2052; rev:5;)

# NOTES: this signature looks for someone accessing the web application
# "way-board.cgi".  This application allows attackers to view arbitrary
# files that are readable with the privilages of the web server.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI way-board.cgi access"; flow:to_server,established; uricontent:"/way-board.cgi"; nocase; reference:nessus,10610; classtype:web-application-activity; sid:1850; rev:3;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI process_bug.cgi access"; flow:to_server,established; uricontent:"/process_bug.cgi"; nocase; reference:bugtraq,3272; reference:cve,2002-0008; classtype:web-application-activity; sid:2053; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI enter_bug.cgi arbitrary command attempt"; flow:to_server,established; uricontent:"/enter_bug.cgi"; nocase; content:"who="; content:"|3B|"; distance:0; reference:bugtraq,3272; reference:cve,2002-0008; classtype:web-application-attack; sid:2054; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI enter_bug.cgi access"; flow:to_server,established; uricontent:"/enter_bug.cgi"; nocase; reference:bugtraq,3272; reference:cve,2002-0008; classtype:web-application-activity; sid:2055; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI parse_xml.cgi access"; flow:to_server,established; uricontent:"/parse_xml.cgi"; nocase; reference:bugtraq,6960; reference:cve,2003-0054; classtype:web-application-activity; sid:2085; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 1220 (msg:"WEB-CGI streaming server parse_xml.cgi access"; flow:to_server,established; content:"/parse_xml.cgi"; nocase; reference:bugtraq,6960; reference:cve,2003-0054; classtype:web-application-activity; sid:2086; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI album.pl access"; flow:to_server,established; content:"/album.pl"; nocase; reference:bugtraq,7444; reference:nessus,11581; classtype:web-application-activity; sid:2115; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI chipcfg.cgi access"; flow:to_server,established; uricontent:"/chipcfg.cgi"; nocase; reference:bugtraq,2767; reference:cve,2001-1341; reference:url,archives.neohapsis.com/archives/bugtraq/2001-05/0233.html; classtype:web-application-activity; sid:2116; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ikonboard.cgi access"; flow:to_server,established; uricontent:"/ikonboard.cgi"; nocase; reference:bugtraq,7361; reference:nessus,11605; classtype:web-application-activity; sid:2127; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI swsrv.cgi access"; flow:to_server,established; uricontent:"/swsrv.cgi"; nocase; reference:bugtraq,7510; reference:cve,2003-0217; reference:nessus,11608; classtype:web-application-activity; sid:2128; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI CSMailto.cgi access"; flow:to_server,established; uricontent:"/CSMailto.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,6265; reference:cve,2002-0749; reference:nessus,11748; classtype:web-application-activity; sid:2194; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alert.cgi access"; flow:to_server,established; uricontent:"/alert.cgi"; nocase; reference:bugtraq,4211; reference:bugtraq,4579; reference:cve,2002-0346; reference:nessus,11748; classtype:web-application-activity; sid:2195; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI catgy.cgi access"; flow:to_server,established; uricontent:"/alert.cgi"; nocase; reference:bugtraq,3714; reference:bugtraq,4579; reference:cve,2001-1212; reference:nessus,11748; classtype:web-application-activity; sid:2196; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cvsview2.cgi access"; flow:to_server,established; uricontent:"/cvsview2.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2197; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cvslog.cgi access"; flow:to_server,established; uricontent:"/cvslog.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2198; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI multidiff.cgi access"; flow:to_server,established; uricontent:"/multidiff.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2199; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dnewsweb.cgi access"; flow:to_server,established; uricontent:"/dnewsweb.cgi"; nocase; reference:bugtraq,1172; reference:bugtraq,4579; reference:cve,2000-0423; reference:nessus,11748; classtype:web-application-activity; sid:2200; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI download.cgi access"; flow:to_server,established; uricontent:"/download.cgi"; nocase; reference:bugtraq,4579; reference:cve,1999-1377; reference:nessus,11748; classtype:web-application-activity; sid:2201; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI edit_action.cgi access"; flow:to_server,established; uricontent:"/edit_action.cgi"; nocase; reference:bugtraq,3698; reference:bugtraq,4579; reference:cve,2001-1196; reference:nessus,11748; classtype:web-application-activity; sid:2202; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI everythingform.cgi access"; flow:to_server,established; uricontent:"/everythingform.cgi"; nocase; reference:bugtraq,2101; reference:bugtraq,4579; reference:cve,2001-0023; reference:nessus,11748; classtype:web-application-activity; sid:2203; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ezadmin.cgi access"; flow:to_server,established; uricontent:"/ezadmin.cgi"; nocase; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2204; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ezboard.cgi access"; flow:to_server,established; uricontent:"/ezboard.cgi"; nocase; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2205; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ezman.cgi access"; flow:to_server,established; uricontent:"/ezman.cgi"; nocase; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2206; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI fileseek.cgi access"; flow:to_server,established; uricontent:"/fileseek.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,6784; reference:cve,2002-0611; reference:nessus,11748; classtype:web-application-activity; sid:2207; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI fom.cgi access"; flow:to_server,established; uricontent:"/fom.cgi"; nocase; reference:bugtraq,4579; reference:cve,2002-0230; reference:nessus,11748; classtype:web-application-activity; sid:2208; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI getdoc.cgi access"; flow:to_server,established; uricontent:"/getdoc.cgi"; nocase; reference:bugtraq,4579; reference:cve,2000-0288; reference:nessus,11748; classtype:web-application-activity; sid:2209; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI global.cgi access"; flow:to_server,established; uricontent:"/global.cgi"; nocase; reference:bugtraq,4579; reference:cve,2000-0952; reference:nessus,11748; classtype:web-application-activity; sid:2210; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI guestserver.cgi access"; flow:to_server,established; uricontent:"/guestserver.cgi"; nocase; reference:bugtraq,4579; reference:cve,2001-0180; reference:nessus,11748; classtype:web-application-activity; sid:2211; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI imageFolio.cgi access"; flow:to_server,established; uricontent:"/imageFolio.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,6265; reference:cve,2002-1334; reference:nessus,11748; classtype:web-application-activity; sid:2212; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailfile.cgi access"; flow:to_server,established; uricontent:"/mailfile.cgi"; nocase; reference:bugtraq,1807; reference:bugtraq,4579; reference:cve,2000-0977; reference:nessus,11748; classtype:web-application-activity; sid:2213; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailview.cgi access"; flow:to_server,established; uricontent:"/mailview.cgi"; nocase; reference:bugtraq,1335; reference:bugtraq,4579; reference:cve,2000-0526; reference:nessus,11748; classtype:web-application-activity; sid:2214; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nsManager.cgi access"; flow:to_server,established; uricontent:"/nsManager.cgi"; nocase; reference:bugtraq,1710; reference:bugtraq,4579; reference:cve,2000-1023; reference:nessus,11748; classtype:web-application-activity; sid:2215; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI readmail.cgi access"; flow:to_server,established; uricontent:"/readmail.cgi"; nocase; reference:bugtraq,3427; reference:bugtraq,4579; reference:cve,2001-1283; reference:nessus,11748; classtype:web-application-activity; sid:2216; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI printmail.cgi access"; flow:to_server,established; uricontent:"/printmail.cgi"; nocase; reference:bugtraq,3427; reference:bugtraq,4579; reference:cve,2001-1283; reference:nessus,11748; classtype:web-application-activity; sid:2217; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI service.cgi access"; flow:to_server,established; uricontent:"/service.cgi"; nocase; reference:bugtraq,4211; reference:bugtraq,4579; reference:cve,2002-0346; reference:nessus,11748; classtype:web-application-activity; sid:2218; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI setpasswd.cgi access"; flow:to_server,established; uricontent:"/setpasswd.cgi"; nocase; reference:bugtraq,2212; reference:bugtraq,4579; reference:cve,2001-0133; reference:nessus,11748; classtype:web-application-activity; sid:2219; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI simplestmail.cgi access"; flow:to_server,established; uricontent:"/simplestmail.cgi"; nocase; reference:bugtraq,2106; reference:bugtraq,4579; reference:cve,2001-0022; reference:nessus,11748; classtype:web-application-activity; sid:2220; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ws_mail.cgi access"; flow:to_server,established; uricontent:"/ws_mail.cgi"; nocase; reference:bugtraq,2861; reference:bugtraq,4579; reference:cve,2001-1343; reference:nessus,11748; classtype:web-application-activity; sid:2221; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nph-exploitscanget.cgi access"; flow:to_server,established; uricontent:"/nph-exploitscanget.cgi"; nocase; reference:bugtraq,7910; reference:bugtraq,7911; reference:bugtraq,7913; reference:cve,2003-0434; reference:nessus,11740; classtype:web-application-activity; sid:2222; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csNews.cgi access"; flow:to_server,established; uricontent:"/csNews.cgi"; nocase; reference:bugtraq,4994; reference:cve,2002-0923; reference:nessus,11726; classtype:web-application-activity; sid:2223; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI psunami.cgi access"; flow:to_server,established; uricontent:"/psunami.cgi"; nocase; reference:bugtraq,6607; reference:nessus,11750; classtype:web-application-activity; sid:2224; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI gozila.cgi access"; flow:to_server,established; uricontent:"/gozila.cgi"; nocase; reference:bugtraq,6086; reference:cve,2002-1236; reference:nessus,11773; classtype:web-application-activity; sid:2225; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI quickstore.cgi access"; flow:to_server,established; uricontent:"/quickstore.cgi"; nocase; reference:bugtraq,9282; reference:nessus,11975; classtype:web-application-activity; sid:2323; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view_broadcast.cgi access"; flow:to_server,established; uricontent:"/view_broadcast.cgi"; nocase; reference:bugtraq,8257; reference:cve,2003-0422; classtype:web-application-activity; sid:2387; rev:4;)
# when we get por lists... merge this with 2387...
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 1220 (msg:"WEB-CGI streaming server view_broadcast.cgi access"; flow:to_server,established; uricontent:"/view_broadcast.cgi"; nocase; reference:bugtraq,8257; reference:cve,2003-0422; classtype:web-application-activity; sid:2388; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI CCBill whereami.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/whereami.cgi?g="; nocase; reference:bugtraq,8095; reference:url,secunia.com/advisories/9191/; classtype:web-application-attack; sid:2396; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI CCBill whereami.cgi access"; flow:to_server,established; uricontent:"/whereami.cgi"; nocase; reference:bugtraq,8095; reference:url,secunia.com/advisories/9191/; classtype:web-application-activity; sid:2397; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 3000 (msg:"WEB-CGI MDaemon form2raw.cgi overflow attempt"; flow:to_server,established; uricontent:"/form2raw.cgi"; nocase; pcre:"/\Wfrom=[^\x3b&\n]{100}/si"; reference:bugtraq,9317; reference:url,secunia.com/advisories/10512/; classtype:web-application-attack; sid:2433; rev:3;)
# the prevous rule looks for the attack, but we still want to catch the
# scanners.  if we had port lists, this rule would be HTTP_PORTS and 3000
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI MDaemon form2raw.cgi access"; flow:to_server,established; content:"/form2raw.cgi"; nocase; reference:bugtraq,9317; reference:url,secunia.com/advisories/10512/; classtype:web-application-activity; sid:2434; rev:3;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Emumail init.emu access"; flow:to_server,established; uricontent:"/init.emu"; nocase; reference:bugtraq,9861; reference:nessus,12095; classtype:web-application-activity; sid:2567; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Emumail emumail.fcgi access"; flow:to_server,established; uricontent:"/emumail.fcgi"; nocase; reference:bugtraq,9861; reference:nessus,12095; classtype:web-application-activity; sid:2568; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pgpmail.pl access"; flow:to_server,established; uricontent:"/pgpmail.pl"; reference:bugtraq,3605; reference:cve,2001-0937; reference:nessus,11070; classtype:web-application-activity; sid:2670; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI processit access"; flow:to_server,established; uricontent:"/processit.pl"; nocase; reference:nessus,10649; classtype:web-application-activity; sid:2668; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI WhatsUpGold instancename overflow attempt"; flow:to_server,established; uricontent:"/_maincfgret.cgi"; nocase; pcre:"/instancename=[^&\x3b\r\n]{513}/smi"; reference:bugtraq,11043; reference:cve,2004-0798; classtype:web-application-attack; sid:2663; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ibillpm.pl access"; flow:to_server,established; uricontent:"/ibillpm.pl"; nocase; reference:bugtraq,3476; reference:nessus,11083; classtype:web-application-activity; sid:2669; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI NetScreen SA 5000 delhomepage.cgi access"; flow:to_server,established; uricontent:"/delhomepage.cgi"; reference:bugtraq,9791; classtype:web-application-activity; sid:3062; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailman directory traversal attempt"; flow:to_server,established; uricontent:"/mailman/"; uricontent:".../"; reference:cve,2005-0202; classtype:web-application-attack; sid:3131; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI awstats.pl command execution attempt"; flow:to_server,established; uricontent:"/awstats.pl?"; nocase; uricontent:"update="; pcre:"/update=[^\r\n\x26]+/Ui"; uricontent:"logfile="; nocase; pcre:"/awstats.pl?[^\r\n]*logfile=\x7C/Ui"; reference:bugtraq,12572; classtype:web-application-attack; sid:3464; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Ipswitch WhatsUp Gold dos attempt"; flow:to_server,established; uricontent:"/prn"; nocase; pcre:"/\/prn\.(asp|cgi|html?)/Ui"; reference:bugtraq,11110; reference:cve,2004-0799; reference:url,www.idefense.com/application/poi/display?id=142&type=vulnerabilities; reference:url,www.ipswitch.com/Support/WhatsUp/patch-upgrades.html; reference:url,www.secunia.com/advisories/12578/; classtype:attempted-dos; sid:3469; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI awstats access"; flow:to_server,established; uricontent:"/awstats.pl"; nocase; reference:bugtraq,12572; classtype:web-application-activity; sid:3463; rev:1;)