/etc/snort/rules/web-misc.rules is in snort-rules-default 2.9.2-3ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 | # Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules"). The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
# Reserved. All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights). In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.
#
#
# $Id: web-misc.rules,v 1.118.2.8.2.6 2005/07/22 19:19:54 mwatchinski Exp $
#---------------
# WEB-MISC RULES
#---------------
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv2 Client_Hello with pad Challenge Length overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; byte_test:2,<,768,4; flowbits:set,sslv2.client_hello.request; byte_test:2,>,32,10; classtype:attempted-admin; sid:2657; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv2 Client_Hello Challenge Length overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; byte_test:2,<,768,3; flowbits:set,sslv2.client_hello.request; byte_test:2,>,32,9; classtype:attempted-admin; sid:2656; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting attempt"; flow:to_server,established; content:"<SCRIPT>"; nocase; classtype:web-application-attack; sid:1497; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting HTML Image tag set to javascript attempt"; flow:to_server,established; content:"img src=javascript"; nocase; reference:bugtraq,4858; reference:cve,2002-0902; classtype:web-application-attack; sid:1667; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco IOS HTTP configuration attempt"; flow:to_server,established; uricontent:"/level/"; uricontent:"/exec/"; reference:bugtraq,2936; reference:cve,2001-0537; classtype:web-application-attack; sid:1250; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise DOS"; flow:to_server,established; content:"REVLOG / "; depth:9; reference:bugtraq,2294; reference:cve,2001-0251; classtype:web-application-attack; sid:1047; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise directory listing attempt"; flow:to_server,established; content:"INDEX "; depth:6; reference:bugtraq,2285; reference:cve,2001-0250; classtype:web-application-attack; sid:1048; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC iPlanet GETPROPERTIES attempt"; flow:to_server,established; content:"GETPROPERTIES"; depth:13; reference:bugtraq,2732; reference:cve,2001-0746; classtype:web-application-attack; sid:1050; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat view source attempt"; flow:to_server,established; uricontent:"%252ejsp"; reference:bugtraq,2527; reference:cve,2001-0590; classtype:web-application-attack; sid:1056; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ftp attempt"; flow:to_server,established; content:"ftp.exe"; nocase; classtype:web-application-activity; sid:1057; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn"; nocase; classtype:web-application-attack; sid:1058; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_filelist attempt"; flow:to_server,established; content:"xp_filelist"; nocase; classtype:web-application-attack; sid:1059; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia"; nocase; classtype:web-application-attack; sid:1060; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell"; nocase; classtype:web-application-attack; sid:1061; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC nc.exe attempt"; flow:to_server,established; content:"nc.exe"; nocase; classtype:web-application-activity; sid:1062; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC wsh attempt"; flow:to_server,established; content:"wsh.exe"; nocase; classtype:web-application-activity; sid:1064; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC rcmd attempt"; flow:to_server,established; uricontent:"rcmd.exe"; nocase; classtype:web-application-activity; sid:1065; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC telnet attempt"; flow:to_server,established; content:"telnet.exe"; nocase; classtype:web-application-activity; sid:1066; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC net attempt"; flow:to_server,established; content:"net.exe"; nocase; classtype:web-application-activity; sid:1067; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC tftp attempt"; flow:to_server,established; content:"tftp.exe"; nocase; classtype:web-application-activity; sid:1068; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_regread attempt"; flow:to_server,established; content:"xp_regread"; nocase; classtype:web-application-activity; sid:1069; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_regwrite attempt"; flow:to_server,established; content:"xp_regwrite"; nocase; classtype:web-application-activity; sid:1977; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_regdeletekey attempt"; flow:to_server,established; content:"xp_regdeletekey"; nocase; classtype:web-application-activity; sid:1978; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebDAV search access"; flow:to_server,established; content:"SEARCH "; depth:8; nocase; reference:arachnids,474; reference:bugtraq,1756; reference:cve,2000-0951; classtype:web-application-activity; sid:1070; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .htpasswd access"; flow:to_server,established; content:".htpasswd"; nocase; classtype:web-application-attack; sid:1071; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Lotus Domino directory traversal"; flow:to_server,established; uricontent:".nsf/"; uricontent:"../"; nocase; reference:bugtraq,2173; reference:cve,2001-0009; reference:nessus,12248; classtype:web-application-attack; sid:1072; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webhits.exe access"; flow:to_server,established; uricontent:"/scripts/samples/search/webhits.exe"; nocase; reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1073; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC queryhit.htm access"; flow:to_server,established; uricontent:"/samples/search/queryhit.htm"; nocase; reference:nessus,10370; classtype:web-application-activity; sid:1077; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC counter.exe access"; flow:to_server,established; uricontent:"/counter.exe"; nocase; reference:bugtraq,267; reference:cve,1999-1030; classtype:web-application-activity; sid:1078; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebDAV propfind access"; flow:to_server,established; content:"propfind"; nocase; pcre:"/<a\x3a\s*propfind.*?xmlns\x3a\s*a=[\x21\x22]?DAV[\x21\x22]?>/iR"; reference:bugtraq,1656; reference:cve,2000-0869; classtype:web-application-activity; sid:1079; rev:13;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC unify eWave ServletExec upload"; flow:to_server,established; uricontent:"/servlet/com.unify.servletexec.UploadServlet"; nocase; reference:bugtraq,1868; reference:bugtraq,1876; reference:cve,2000-1024; reference:cve,2000-1025; reference:nessus,10570; classtype:web-application-attack; sid:1080; rev:15;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Servers suite DOS"; flow:to_server,established; uricontent:"/dsgw/bin/search?context="; nocase; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-attack; sid:1081; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC amazon 1-click cookie theft"; flow:to_server,established; content:"ref%3Cscript%20language%3D%22Javascript"; nocase; reference:bugtraq,1194; reference:cve,2000-0439; classtype:web-application-attack; sid:1082; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC unify eWave ServletExec DOS"; flow:to_server,established; uricontent:"/servlet/ServletExec"; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-activity; sid:1083; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Allaire JRUN DOS attempt"; flow:to_server,established; uricontent:"servlet/......."; nocase; reference:bugtraq,2337; reference:cve,2000-1049; classtype:web-application-attack; sid:1084; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ICQ Webfront HTTP DOS"; flow:to_server,established; uricontent:"??????????"; reference:bugtraq,1463; reference:cve,2000-1078; classtype:web-application-attack; sid:1091; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Talentsoft Web+ Source Code view access"; flow:to_server,established; uricontent:"/webplus.exe?script=test.wml"; reference:bugtraq,1722; reference:url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html; classtype:web-application-attack; sid:1095; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Talentsoft Web+ internal IP Address access"; flow:to_server,established; uricontent:"/webplus.exe?about"; reference:bugtraq,1720; reference:url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html; classtype:web-application-activity; sid:1096; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SmartWin CyberOffice Shopping Cart access"; flow:to_server,established; uricontent:"_private/shopping_cart.mdb"; reference:bugtraq,1734; reference:cve,2000-0925; classtype:web-application-attack; sid:1098; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cybercop scan"; flow:to_server,established; uricontent:"/cybercop"; nocase; reference:arachnids,374; classtype:web-application-activity; sid:1099; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC L3retriever HTTP Probe"; flow:to_server,established; content:"User-Agent|3A| Java1.2.1|0D 0A|"; reference:arachnids,310; classtype:web-application-activity; sid:1100; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Webtrends HTTP probe"; flow:to_server,established; content:"User-Agent|3A| Webtrends Security Analyzer|0D 0A|"; reference:arachnids,309; classtype:web-application-activity; sid:1101; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC nessus 1.X 404 probe"; flow:to_server,established; uricontent:"/nessus_is_probing_you_"; depth:32; reference:arachnids,301; classtype:web-application-attack; sid:1102; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC nessus 2.x 404 probe"; flow:to_server,established; uricontent:"/NessusTest"; nocase; reference:nessus,10386; classtype:attempted-recon; sid:2585; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape admin passwd"; flow:to_server,established; uricontent:"/admin-serv/config/admpw"; nocase; reference:bugtraq,1579; reference:nessus,10468; classtype:web-application-attack; sid:1103; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC BigBrother access"; flow:to_server,established; uricontent:"/bb-hostsvc.sh?HOSTSVC"; nocase; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:attempted-recon; sid:1105; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ftp.pl attempt"; flow:to_server,established; uricontent:"/ftp.pl?dir=../.."; nocase; reference:bugtraq,1471; reference:cve,2000-0674; reference:nessus,10467; classtype:web-application-attack; sid:1612; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ftp.pl access"; flow:to_server,established; uricontent:"/ftp.pl"; nocase; reference:bugtraq,1471; reference:cve,2000-0674; reference:nessus,10467; classtype:web-application-activity; sid:1107; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat server snoop access"; flow:to_server,established; uricontent:"/jsp/snp/"; uricontent:".snp"; reference:bugtraq,1532; reference:cve,2000-0760; classtype:attempted-recon; sid:1108; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ROXEN directory list attempt"; flow:to_server,established; uricontent:"/%00"; reference:bugtraq,1510; reference:cve,2000-0671; classtype:attempted-recon; sid:1109; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache source.asp file access"; flow:to_server,established; uricontent:"/site/eg/source.asp"; nocase; reference:bugtraq,1457; reference:cve,2000-0628; reference:nessus,10480; classtype:attempted-recon; sid:1110; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat server exploit access"; flow:to_server,established; uricontent:"/contextAdmin/contextAdmin.html"; nocase; reference:bugtraq,1548; reference:cve,2000-0672; reference:nessus,10477; classtype:attempted-recon; sid:1111; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content:"..|5C|"; reference:arachnids,298; classtype:attempted-recon; sid:1112; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ICQ webserver DOS"; flow:to_server,established; uricontent:".html/......"; nocase; reference:cve,1999-0474; reference:url,www.securiteam.com/exploits/2ZUQ1QAQOG.html; classtype:attempted-dos; sid:1115; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Lotus DelDoc attempt"; flow:to_server,established; uricontent:"?DeleteDocument"; nocase; classtype:attempted-recon; sid:1116; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Lotus EditDoc attempt"; flow:to_server,established; uricontent:"?EditDocument"; nocase; reference:url,www.securiteam.com/exploits/5NP080A1RE.html; classtype:attempted-recon; sid:1117; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ls%20-l"; flow:to_server,established; content:"ls%20-l"; nocase; classtype:attempted-recon; sid:1118; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mlog.phtml access"; flow:to_server,established; uricontent:"/mlog.phtml"; nocase; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1119; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mylog.phtml access"; flow:to_server,established; uricontent:"/mylog.phtml"; nocase; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1120; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /etc/passwd"; flow:to_server,established; content:"/etc/passwd"; nocase; classtype:attempted-recon; sid:1122; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ?PageServices access"; flow:to_server,established; uricontent:"?PageServices"; nocase; reference:bugtraq,1063; reference:bugtraq,7621; reference:cve,1999-0269; classtype:attempted-recon; sid:1123; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Ecommerce check.txt access"; flow:to_server,established; uricontent:"/config/check.txt"; nocase; classtype:attempted-recon; sid:1124; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webcart access"; flow:to_server,established; uricontent:"/webcart/"; nocase; reference:cve,1999-0610; reference:nessus,10298; classtype:attempted-recon; sid:1125; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC AuthChangeUrl access"; flow:to_server,established; uricontent:"_AuthChangeUrl?"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:attempted-recon; sid:1126; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC convert.bas access"; flow:to_server,established; uricontent:"/scripts/convert.bas"; nocase; reference:bugtraq,2025; reference:cve,1999-0175; classtype:attempted-recon; sid:1127; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cpshost.dll access"; flow:to_server,established; uricontent:"/scripts/cpshost.dll"; nocase; reference:bugtraq,1811; reference:bugtraq,4002; reference:cve,1999-0360; classtype:attempted-recon; sid:1128; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .htaccess access"; flow:to_server,established; uricontent:".htaccess"; nocase; classtype:attempted-recon; sid:1129; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .wwwacl access"; flow:to_server,established; uricontent:".wwwacl"; nocase; classtype:attempted-recon; sid:1130; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .wwwacl access"; flow:to_server,established; uricontent:".www_acl"; nocase; classtype:attempted-recon; sid:1131; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cd.."; flow:to_server,established; content:"cd.."; nocase; classtype:attempted-recon; sid:1136; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC guestbook.pl access"; flow:to_server,established; uricontent:"/guestbook.pl"; nocase; reference:arachnids,228; reference:bugtraq,776; reference:cve,1999-0237; reference:cve,1999-1053; reference:nessus,10099; classtype:attempted-recon; sid:1140; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC handler attempt"; flow:to_server,established; uricontent:"/handler"; uricontent:"|7C|"; nocase; reference:arachnids,235; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; classtype:web-application-attack; sid:1613; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC handler access"; flow:to_server,established; uricontent:"/handler"; nocase; reference:arachnids,235; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; classtype:web-application-activity; sid:1141; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /.... access"; flow:to_server,established; content:"/...."; classtype:attempted-recon; sid:1142; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ///cgi-bin access"; flow:to_server,established; uricontent:"///cgi-bin"; nocase; reference:nessus,11032; classtype:attempted-recon; sid:1143; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /cgi-bin/// access"; flow:to_server,established; uricontent:"/cgi-bin///"; nocase; reference:nessus,11032; classtype:attempted-recon; sid:1144; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /~root access"; flow:to_server,established; uricontent:"/~root"; nocase; classtype:attempted-recon; sid:1145; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /~ftp access"; flow:to_server,established; uricontent:"/~ftp"; nocase; classtype:attempted-recon; sid:1662; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Ecommerce import.txt access"; flow:to_server,established; uricontent:"/config/import.txt"; nocase; classtype:attempted-recon; sid:1146; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cat%20 access"; flow:to_server,established; content:"cat%20"; nocase; reference:bugtraq,374; reference:cve,1999-0039; classtype:attempted-recon; sid:1147; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Ecommerce import.txt access"; flow:to_server,established; uricontent:"/orders/import.txt"; nocase; classtype:attempted-recon; sid:1148; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino catalog.nsf access"; flow:to_server,established; uricontent:"/catalog.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1150; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino domcfg.nsf access"; flow:to_server,established; uricontent:"/domcfg.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1151; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino domlog.nsf access"; flow:to_server,established; uricontent:"/domlog.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1152; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino log.nsf access"; flow:to_server,established; uricontent:"/log.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1153; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino names.nsf access"; flow:to_server,established; uricontent:"/names.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1154; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino mab.nsf access"; flow:to_server,established; uricontent:"/mab.nsf"; nocase; reference:bugtraq,4022; reference:nessus,10953; classtype:attempted-recon; sid:1575; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino cersvr.nsf access"; flow:to_server,established; uricontent:"/cersvr.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1576; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino setup.nsf access"; flow:to_server,established; uricontent:"/setup.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1577; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino statrep.nsf access"; flow:to_server,established; uricontent:"/statrep.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1578; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino webadmin.nsf access"; flow:to_server,established; uricontent:"/webadmin.nsf"; nocase; reference:bugtraq,9900; reference:bugtraq,9901; reference:nessus,10629; classtype:attempted-recon; sid:1579; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino events4.nsf access"; flow:to_server,established; uricontent:"/events4.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1580; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino ntsync4.nsf access"; flow:to_server,established; uricontent:"/ntsync4.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1581; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino collect4.nsf access"; flow:to_server,established; uricontent:"/collect4.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1582; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino mailw46.nsf access"; flow:to_server,established; uricontent:"/mailw46.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1583; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino bookmark.nsf access"; flow:to_server,established; uricontent:"/bookmark.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1584; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino agentrunner.nsf access"; flow:to_server,established; uricontent:"/agentrunner.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1585; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino mail.box access"; flow:to_server,established; uricontent:"/mail.box"; nocase; reference:bugtraq,881; reference:nessus,10629; classtype:attempted-recon; sid:1586; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Ecommerce checks.txt access"; flow:to_server,established; uricontent:"/orders/checks.txt"; nocase; reference:bugtraq,2281; classtype:attempted-recon; sid:1155; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache directory disclosure attempt"; flow:to_server,established; content:"////////"; reference:bugtraq,2503; classtype:attempted-dos; sid:1156; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape PublishingXpert access"; flow:to_server,established; uricontent:"/PSUser/PSCOErrPage.htm"; nocase; reference:cve,2000-1196; reference:nessus,10364; classtype:web-application-activity; sid:1157; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC windmail.exe access"; flow:to_server,established; uricontent:"/windmail.exe"; nocase; reference:arachnids,465; reference:bugtraq,1073; reference:cve,2000-0242; reference:nessus,10365; classtype:attempted-recon; sid:1158; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webplus access"; flow:to_server,established; uricontent:"/webplus?script"; nocase; reference:bugtraq,1174; reference:bugtraq,1720; reference:bugtraq,1722; reference:bugtraq,1725; reference:cve,2000-1005; classtype:attempted-recon; sid:1159; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape dir index wp"; flow:to_server,established; uricontent:"?wp-"; nocase; reference:arachnids,270; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1160; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cart 32 AdminPwd access"; flow:to_server,established; uricontent:"/c32web.exe/ChangeAdminPassword"; nocase; reference:bugtraq,1153; reference:cve,2000-0429; classtype:attempted-recon; sid:1162; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC shopping cart access"; flow:to_server,established; uricontent:"/quikstore.cfg"; nocase; reference:bugtraq,1983; reference:bugtraq,2049; reference:cve,1999-0607; reference:cve,2000-1188; classtype:attempted-recon; sid:1164; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Novell Groupwise gwweb.exe attempt"; flow:to_server,established; uricontent:"/GWWEB.EXE?HELP="; nocase; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1614; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Novell Groupwise gwweb.exe access"; flow:to_server,established; content:"/GWWEB.EXE"; nocase; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1165; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ws_ftp.ini access"; flow:to_server,established; uricontent:"/ws_ftp.ini"; nocase; reference:bugtraq,547; reference:cve,1999-1078; classtype:attempted-recon; sid:1166; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC rpm_query access"; flow:to_server,established; uricontent:"/rpm_query"; nocase; reference:bugtraq,1036; reference:cve,2000-0192; reference:nessus,10340; classtype:attempted-recon; sid:1167; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mall log order access"; flow:to_server,established; uricontent:"/mall_log_files/order.log"; nocase; reference:bugtraq,2266; reference:cve,1999-0606; classtype:attempted-recon; sid:1168; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC architext_query.pl access"; flow:to_server,established; uricontent:"/ews/architext_query.pl"; nocase; reference:bugtraq,2248; reference:cve,1999-0279; reference:nessus,10064; reference:url,www2.fedcirc.gov/alerts/advisories/1998/txt/fedcirc.98.03.txt; classtype:attempted-recon; sid:1173; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC wwwboard.pl access"; flow:to_server,established; uricontent:"/wwwboard.pl"; nocase; reference:bugtraq,1795; reference:bugtraq,649; reference:cve,1999-0930; reference:cve,1999-0954; classtype:attempted-recon; sid:1175; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-verify-link"; nocase; reference:bugtraq,1063; classtype:attempted-recon; sid:1177; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC get32.exe access"; flow:to_server,established; uricontent:"/get32.exe"; nocase; reference:arachnids,258; reference:bugtraq,1485; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10011; classtype:attempted-recon; sid:1180; rev:13;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Annex Terminal DOS attempt"; flow:to_server,established; uricontent:"/ping?query="; reference:arachnids,260; reference:cve,1999-1070; reference:nessus,10017; classtype:attempted-dos; sid:1181; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cgitest.exe attempt"; flow:to_server,established; uricontent:"/cgitest.exe|0D 0A|user"; nocase; reference:arachnids,265; reference:bugtraq,1313; reference:bugtraq,3885; reference:cve,2000-0521; reference:cve,2002-0128; reference:nessus,10040; reference:nessus,10623; classtype:web-application-attack; sid:1182; rev:17;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cgitest.exe access"; flow:to_server,established; uricontent:"/cgitest.exe"; nocase; reference:arachnids,265; reference:bugtraq,1313; reference:bugtraq,3885; reference:cve,2000-0521; reference:cve,2002-0128; reference:nessus,10040; reference:nessus,10623; reference:nessus,11131; classtype:web-application-activity; sid:1587; rev:13;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-cs-dump"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; reference:nessus,10352; classtype:attempted-recon; sid:1183; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-ver-info"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1184; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-ver-diff"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1186; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SalesLogix Eviewer web command attempt"; flow:to_server,established; uricontent:"/slxweb.dll/admin?command="; nocase; reference:bugtraq,1078; reference:bugtraq,1089; reference:cve,2000-0278; reference:cve,2000-0289; classtype:web-application-attack; sid:1187; rev:12;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SalesLogix Eviewer access"; flow:to_server,established; uricontent:"/slxweb.dll"; nocase; reference:bugtraq,1078; reference:bugtraq,1089; reference:cve,2000-0278; reference:cve,2000-0289; classtype:web-application-activity; sid:1588; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-start-ver"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1188; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-stop-ver"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1189; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-uncheckout"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1190; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-html-rend"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1191; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Trend Micro OfficeScan attempt"; flow:to_server,established; uricontent:"/officescan/cgi/jdkRqNotify.exe?"; nocase; uricontent:"domain="; nocase; uricontent:"event="; nocase; reference:bugtraq,1057; classtype:attempted-recon; sid:1381; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Trend Micro OfficeScan access"; flow:to_server,established; uricontent:"/officescan/cgi/jdkRqNotify.exe"; nocase; reference:bugtraq,1057; classtype:attempted-recon; sid:1192; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC oracle web arbitrary command execution attempt"; flow:to_server,established; uricontent:"/ows-bin/"; nocase; uricontent:"?&"; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-attack; sid:1193; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC oracle web application server access"; flow:to_server,established; uricontent:"/ows-bin/"; nocase; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-activity; sid:1880; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-usr-prop"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:web-application-attack; sid:1198; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC search.vts access"; flow:to_server,established; uricontent:"/search.vts"; reference:bugtraq,162; classtype:attempted-recon; sid:1202; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC htgrep attempt"; flow:to_server,established; uricontent:"/htgrep"; content:"hdr=/"; reference:cve,2000-0832; classtype:web-application-attack; sid:1615; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC htgrep access"; flow:to_server,established; uricontent:"/htgrep"; reference:cve,2000-0832; classtype:web-application-activity; sid:1207; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .nsconfig access"; flow:to_server,established; uricontent:"/.nsconfig"; reference:url,www.osvdb.org/5709; classtype:attempted-recon; sid:1209; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Admin_files access"; flow:to_server,established; uricontent:"/admin_files"; nocase; classtype:attempted-recon; sid:1212; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC backup access"; flow:to_server,established; uricontent:"/backup"; nocase; classtype:attempted-recon; sid:1213; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC intranet access"; flow:to_server,established; uricontent:"/intranet/"; nocase; reference:nessus,11626; classtype:attempted-recon; sid:1214; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC filemail access"; flow:to_server,established; uricontent:"/filemail"; nocase; reference:cve,1999-1154; reference:cve,1999-1155; reference:url,www.securityfocus.com/archive/1/11175; classtype:attempted-recon; sid:1216; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC plusmail access"; flow:to_server,established; uricontent:"/plusmail"; nocase; reference:bugtraq,2653; reference:cve,2000-0074; reference:nessus,10181; classtype:attempted-recon; sid:1217; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC adminlogin access"; flow:to_server,established; uricontent:"/adminlogin"; nocase; reference:bugtraq,1164; reference:bugtraq,1175; reference:nessus,11748; classtype:attempted-recon; sid:1218; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ultraboard access"; flow:to_server,established; uricontent:"/ultraboard"; nocase; reference:bugtraq,1164; reference:bugtraq,1175; reference:nessus,11748; classtype:attempted-recon; sid:1220; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC musicat empower attempt"; flow:to_server,established; uricontent:"/empower?DB="; nocase; reference:bugtraq,2374; reference:cve,2001-0224; reference:nessus,10609; classtype:web-application-attack; sid:1589; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC musicat empower access"; flow:to_server,established; uricontent:"/empower"; nocase; reference:bugtraq,2374; reference:cve,2001-0224; reference:nessus,10609; classtype:web-application-activity; sid:1221; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ROADS search.pl attempt"; flow:to_server,established; uricontent:"/ROADS/cgi-bin/search.pl"; content:"form="; nocase; reference:bugtraq,2371; reference:cve,2001-0215; reference:nessus,10627; classtype:attempted-recon; sid:1224; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VirusWall FtpSave access"; flow:to_server,established; uricontent:"/FtpSave.dll"; nocase; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1230; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VirusWall FtpSaveCSP access"; flow:to_server,established; uricontent:"/FtpSaveCSP.dll"; nocase; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1234; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VirusWall FtpSaveCVP access"; flow:to_server,established; uricontent:"/FtpSaveCVP.dll"; nocase; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1235; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC weblogic/tomcat .jsp view source attempt"; flow:to_server,established; uricontent:".jsp"; nocase; pcre:!"/^\w+\s+[^\n\s\?]*\.jsp/smi"; reference:bugtraq,2527; classtype:web-application-attack; sid:1054; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SWEditServlet directory traversal attempt"; flow:to_server,established; uricontent:"/SWEditServlet"; content:"template=../../../"; reference:bugtraq,2868; reference:cve,2001-0555; classtype:attempted-user; sid:1241; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SWEditServlet access"; flow:to_server,established; uricontent:"/SWEditServlet"; reference:bugtraq,2868; classtype:attempted-recon; sid:1259; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1139; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC HP OpenView Manager DOS"; flow:to_server,established; uricontent:"/OvCgi/OpenView5.exe?Context=Snmp&Action=Snmp&Host=&Oid="; nocase; reference:bugtraq,2845; reference:cve,2001-0552; classtype:misc-activity; sid:1258; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC long basic authorization string"; flow:to_server,established; content:"Authorization|3A|"; pcre:"/^Authorization\x3a\s*Basic\s[^\n]{512}/smi"; reference:bugtraq,3230; reference:cve,2001-1067; classtype:attempted-dos; sid:1260; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sml3com access"; flow:to_server,established; uricontent:"/graphics/sml3com"; reference:bugtraq,2721; reference:cve,2001-0740; classtype:web-application-activity; sid:1291; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC carbo.dll access"; flow:to_server,established; uricontent:"/carbo.dll"; content:"icatcommand="; nocase; reference:bugtraq,2126; reference:cve,1999-1069; classtype:attempted-recon; sid:1001; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC console.exe access"; flow:to_server,established; uricontent:"/cgi-bin/console.exe"; nocase; reference:bugtraq,3375; reference:cve,2001-1252; classtype:attempted-recon; sid:1302; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cs.exe access"; flow:to_server,established; uricontent:"/cgi-bin/cs.exe"; nocase; reference:bugtraq,3375; reference:cve,2001-1252; classtype:attempted-recon; sid:1303; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content:"../"; reference:arachnids,297; classtype:attempted-recon; sid:1113; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sadmind worm access"; flow:to_server,established; content:"GET x HTTP/1.0"; depth:15; reference:url,www.cert.org/advisories/CA-2001-11.html; classtype:attempted-recon; sid:1375; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC jrun directory browse attempt"; flow:to_server,established; uricontent:"/?.jsp"; reference:bugtraq,3592; classtype:web-application-attack; sid:1376; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mod-plsql administration access"; flow:to_server,established; uricontent:"/admin_/"; reference:bugtraq,3726; reference:bugtraq,3727; reference:cve,2001-1216; reference:cve,2001-1217; reference:nessus,10849; classtype:web-application-activity; sid:1385; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC viewcode.jse access"; flow:to_server,established; uricontent:"/viewcode.jse"; reference:bugtraq,3715; classtype:web-application-activity; sid:1389; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Phorecast remote code execution attempt"; flow:to_server,established; content:"includedir="; reference:bugtraq,3388; reference:cve,2001-1049; classtype:web-application-attack; sid:1391; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC viewcode access"; flow:to_server,established; uricontent:"/viewcode"; reference:cve,1999-0737; reference:nessus,10576; reference:nessus,12048; classtype:web-application-attack; sid:1403; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC showcode access"; flow:to_server,established; uricontent:"/showcode"; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,10007; classtype:web-application-attack; sid:1404; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .history access"; flow:to_server,established; uricontent:"/.history"; classtype:web-application-attack; sid:1433; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .bash_history access"; flow:to_server,established; uricontent:"/.bash_history"; reference:bugtraq,337; reference:cve,1999-0408; classtype:web-application-attack; sid:1434; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /~nobody access"; flow:to_server,established; uricontent:"/~nobody"; reference:nessus,10484; classtype:web-application-attack; sid:1489; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC RBS ISP /newuser directory traversal attempt"; flow:to_server,established; uricontent:"/newuser?Image=../.."; reference:bugtraq,1704; reference:cve,2000-1036; reference:nessus,10521; classtype:web-application-attack; sid:1492; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC RBS ISP /newuser access"; flow:to_server,established; uricontent:"/newuser"; reference:bugtraq,1704; reference:cve,2000-1036; reference:nessus,10521; classtype:web-application-activity; sid:1493; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC *%0a.pl access"; flow:to_server,established; uricontent:"/*|0A|.pl"; nocase; reference:nessus,11007; reference:url,www.securityfocus.com/archive/1/149482; classtype:web-application-attack; sid:1663; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mkplog.exe access"; flow:to_server,established; uricontent:"/mkplog.exe"; nocase; classtype:web-application-activity; sid:1664; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC PCCS mysql database admin tool access"; flow:to_server,established; content:"pccsmysqladm/incs/dbconnect.inc"; depth:36; nocase; reference:arachnids,300; reference:bugtraq,1557; reference:cve,2000-0707; reference:nessus,10783; classtype:web-application-attack; sid:509; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .DS_Store access"; flow:to_server,established; uricontent:"/.DS_Store"; reference:url,www.macintouch.com/mosxreaderreports46.html; classtype:web-application-activity; sid:1769; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .FBCIndex access"; flow:to_server,established; uricontent:"/.FBCIndex"; reference:url,www.securiteam.com/securitynews/5LP0O005FS.html; classtype:web-application-activity; sid:1770; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ExAir access"; flow:to_server,established; uricontent:"/exair/search/"; reference:bugtraq,193; reference:cve,1999-0449; reference:nessus,10002; reference:nessus,10003; reference:nessus,10004; classtype:web-application-activity; sid:1500; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache ?M=D directory list attempt"; flow:to_server,established; uricontent:"/?M=D"; reference:bugtraq,3009; reference:cve,2001-0731; classtype:web-application-activity; sid:1519; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC server-info access"; flow:to_server,established; uricontent:"/server-info"; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1520; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC server-status access"; flow:to_server,established; uricontent:"/server-status"; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1521; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ans.pl attempt"; flow:to_server,established; uricontent:"/ans.pl?p=../../"; reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-attack; sid:1522; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ans.pl access"; flow:to_server,established; uricontent:"/ans.pl"; reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-activity; sid:1523; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC AxisStorpoint CD attempt"; flow:to_server,established; uricontent:"/cd/../config/html/cnf_gi.htm"; reference:bugtraq,1025; reference:cve,2000-0191; reference:nessus,10023; classtype:web-application-attack; sid:1524; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Axis Storpoint CD access"; flow:to_server,established; uricontent:"/config/html/cnf_gi.htm"; reference:bugtraq,1025; reference:cve,2000-0191; reference:nessus,10023; classtype:web-application-activity; sid:1525; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC basilix sendmail.inc access"; flow:to_server,established; uricontent:"/inc/sendmail.inc"; reference:bugtraq,2198; reference:cve,2001-1044; reference:nessus,10601; classtype:web-application-activity; sid:1526; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC basilix mysql.class access"; flow:to_server,established; uricontent:"/class/mysql.class"; reference:bugtraq,2198; reference:cve,2001-1044; reference:nessus,10601; classtype:web-application-activity; sid:1527; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC BBoard access"; flow:to_server,established; uricontent:"/servlet/sunexamples.BBoardServlet"; reference:bugtraq,1459; reference:cve,2000-0629; reference:nessus,10507; classtype:web-application-activity; sid:1528; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco Catalyst command execution attempt"; flow:to_server,established; uricontent:"/exec/show/config/cr"; nocase; reference:bugtraq,1846; reference:cve,2000-0945; reference:nessus,10545; classtype:web-application-activity; sid:1544; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco /%% DOS attempt"; flow:to_server,established; uricontent:"/%%"; reference:bugtraq,1154; reference:cve,2000-0380; classtype:web-application-attack; sid:1546; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /CVS/Entries access"; flow:to_server,established; uricontent:"/CVS/Entries"; reference:nessus,10922; reference:nessus,11032; classtype:web-application-activity; sid:1551; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cvsweb version access"; flow:to_server,established; uricontent:"/cvsweb/version"; reference:cve,2000-0670; classtype:web-application-activity; sid:1552; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /doc/packages access"; flow:to_server,established; uricontent:"/doc/packages"; nocase; reference:bugtraq,1707; reference:cve,2000-1016; reference:nessus,10518; reference:nessus,11032; classtype:web-application-activity; sid:1559; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /doc/ access"; flow:to_server,established; uricontent:"/doc/"; nocase; reference:bugtraq,318; reference:cve,1999-0678; classtype:web-application-activity; sid:1560; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC login.htm attempt"; flow:to_server,established; uricontent:"/login.htm?password="; nocase; reference:bugtraq,665; reference:cve,1999-1533; classtype:web-application-activity; sid:1563; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC login.htm access"; flow:to_server,established; uricontent:"/login.htm"; nocase; reference:bugtraq,665; reference:cve,1999-1533; classtype:web-application-activity; sid:1564; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC DELETE attempt"; flow:to_server,established; content:"DELETE "; depth:7; nocase; reference:nessus,10498; classtype:web-application-activity; sid:1603; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /home/ftp access"; flow:to_server,established; uricontent:"/home/ftp"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1670; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /home/www access"; flow:to_server,established; uricontent:"/home/www"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1671; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC global.inc access"; flow:to_server,established; uricontent:"/global.inc"; nocase; reference:bugtraq,4612; reference:cve,2002-0614; classtype:web-application-attack; sid:1738; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SecureSite authentication bypass attempt"; flow:to_server,established; content:"secure_site, ok"; nocase; reference:bugtraq,4621; classtype:web-application-attack; sid:1744; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC b2 arbitrary command execution attempt"; flow:to_server,established; uricontent:"/b2/b2-include/"; content:"b2inc"; content:"http|3A|//"; reference:bugtraq,4673; reference:cve,2002-0734; reference:cve,2002-1466; reference:nessus,11667; classtype:web-application-attack; sid:1757; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC search.dll directory listing attempt"; flow:to_server,established; uricontent:"/search.dll"; content:"query=%00"; reference:bugtraq,1684; reference:cve,2000-0835; reference:nessus,10514; classtype:web-application-attack; sid:1766; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC search.dll access"; flow:to_server,established; uricontent:"/search.dll"; reference:bugtraq,1684; reference:cve,2000-0835; reference:nessus,10514; classtype:web-application-activity; sid:1767; rev:6;)
# The following signatures are for non-standard ports. When ports lists work,
# then these will be converted to use HTTP_PORTS & HTTP_SERVERS
alert tcp $EXTERNAL_NET any -> $HOME_NET 8181 (msg:"WEB-MISC PIX firewall manager directory traversal attempt"; flow:to_server,established; content:"/../../"; reference:bugtraq,691; reference:cve,1999-0158; reference:nessus,10819; classtype:web-application-attack; sid:1498; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4080 (msg:"WEB-MISC iChat directory traversal attempt"; flow:to_server,established; content:"/../../"; reference:cve,1999-0897; classtype:web-application-activity; sid:1604; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-MISC Delegate whois overflow attempt"; flow:to_server,established; content:"whois|3A|//"; nocase; reference:cve,2000-0165; classtype:web-application-activity; sid:1558; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"WEB-MISC nstelemetry.adp access"; flow:to_server,established; content:"/nstelemetry.adp"; reference:nessus,10753; classtype:web-application-activity; sid:1518; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"WEB-MISC Netscape Unixware overflow"; flow:to_server,established; content:"|EB|_|9A FF FF FF FF 07 FF C3|^1|C0 89|F|9D|"; reference:arachnids,180; reference:bugtraq,908; reference:cve,1999-0744; classtype:attempted-recon; sid:1132; rev:8;)
# uricontent would be nice, but we can't be sure we are running http decoding
# on 2301. oh for rna integration...
alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"WEB-MISC Compaq Insight directory traversal"; flow:to_server,established; content:"../"; reference:arachnids,244; reference:bugtraq,282; reference:cve,1999-0771; classtype:web-application-attack; sid:1199; rev:11;)
# when we get real ports list, we will merge these sigs. so for now, keep the
# message the same.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VirusWall catinfo access"; flow:to_server,established; uricontent:"/catinfo"; nocase; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1231; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1812 (msg:"WEB-MISC VirusWall catinfo access"; flow:to_server,established; content:"/catinfo"; nocase; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1232; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"CCCCCCC|3A| AAAAAAAAAAAAAAAAAAA"; nocase; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; classtype:web-application-attack; sid:1809; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Chunked-Encoding transfer attempt"; flow:to_server,established; content:"Transfer-Encoding|3A|"; nocase; content:"chunked"; distance:0; nocase; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; classtype:web-application-attack; sid:1807; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC CISCO VoIP DOS ATTEMPT"; flow:to_server,established; uricontent:"/StreamingStatistics"; reference:bugtraq,4794; reference:cve,2002-0882; reference:nessus,11013; classtype:misc-attack; sid:1814; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC IBM Net.Commerce orderdspc.d2w access"; flow:established,to_server; uricontent:"/ncommerce3/ExecMacro/orderdspc.d2w"; reference:bugtraq,2350; reference:cve,2001-0319; reference:nessus,11020; classtype:web-application-activity; sid:1820; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WEB-INF access"; flow:established,to_server; uricontent:"/WEB-INF"; nocase; reference:bugtraq,1830; reference:bugtraq,5119; reference:cve,2000-1050; reference:cve,2001-0179; reference:nessus,11037; classtype:web-application-activity; sid:1826; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat servlet mapping cross site scripting attempt"; flow:established,to_server; uricontent:"/servlet/"; uricontent:"/org.apache."; reference:bugtraq,5193; reference:cve,2002-0682; reference:nessus,11041; classtype:web-application-attack; sid:1827; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC iPlanet Search directory traversal attempt"; flow:established,to_server; uricontent:"/search"; content:"NS-query-pat="; content:"../../"; reference:bugtraq,5191; reference:cve,2002-1042; reference:nessus,11043; classtype:web-application-attack; sid:1828; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat TroubleShooter servlet access"; flow:established,to_server; uricontent:"/examples/servlet/TroubleShooter"; reference:bugtraq,4575; reference:nessus,11046; classtype:web-application-activity; sid:1829; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat SnoopServlet servlet access"; flow:established,to_server; uricontent:"/examples/servlet/SnoopServlet"; reference:bugtraq,4575; reference:nessus,11046; classtype:web-application-activity; sid:1830; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC jigsaw dos attempt"; flow:established,to_server; uricontent:"/servlet/con"; reference:nessus,11047; classtype:web-application-attack; sid:1831; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Macromedia SiteSpring cross site scripting attempt"; flow:established,to_server; uricontent:"/error/500error.jsp"; nocase; uricontent:"et="; uricontent:"<script"; nocase; reference:bugtraq,5249; reference:cve,2002-1027; classtype:web-application-attack; sid:1835; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mailman cross site scripting attempt"; flow:established,to_server; uricontent:"/mailman/"; nocase; uricontent:"?"; uricontent:"info="; uricontent:"<script"; nocase; reference:bugtraq,5298; reference:cve,2002-0855; classtype:web-application-attack; sid:1839; rev:4;)
# NOTES: this signature looks for access to common webalizer output directories.
# Webalizer is a http server log reporting program. By allowing anyone on the
# internet to view the web access logs, attackers can gain information about
# your customers that probably should not be made public. webalizer had cross
# site scripting bugs prior to version 2.01-09.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webalizer access"; flow:established,to_server; uricontent:"/webalizer/"; nocase; reference:bugtraq,3473; reference:cve,2001-0835; reference:nessus,10816; classtype:web-application-activity; sid:1847; rev:9;)
# NOTES: this signature looks for someone accessing the directory webcart-lite.
# webcart-lite allows users to access world readable plain text customer
# information databases. To correct this issue, users should make the
# data directories and databases not world readable, move the files outside of
# WEBROOT if possible, and verify that a compromise of customer information has
# not occured.
# SIMILAR RULES: sid:1125
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webcart-lite access"; flow:to_server,established; uricontent:"/webcart-lite/"; nocase; reference:cve,1999-0610; reference:nessus,10298; classtype:web-application-activity; sid:1848; rev:5;)
# NOTES: this signature looks for someone accessing the web application
# "webfind.exe". This application has a buffer overflow in the keywords
# argument. An attacker can use this vulnerability to execute arbitrary
# code on the web server.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webfind.exe access"; flow:to_server,established; uricontent:"/webfind.exe"; nocase; reference:bugtraq,1487; reference:cve,2000-0622; reference:nessus,10475; classtype:web-application-activity; sid:1849; rev:7;)
# NOTES: this signature looks for someone accessing the file "active.log" via
# a web server. By allowing anyone on the internet to view the web access
# logs, attackers can gain information about your customers that probably
# should not be made public.
#
# This logfile is made available from the WebActive webserver. This webserver
# is no longer maintained and should be replaced with an actively maintained
# webserver. If converting to another webserver is not possible, remove read
# access to this file.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC active.log access"; flow:to_server,established; uricontent:"/active.log"; nocase; reference:bugtraq,1497; reference:cve,2000-0642; reference:nessus,10470; classtype:web-application-activity; sid:1851; rev:6;)
# NOTES: this signature looks for someone accessing the file "robots.txt" via
# web server. This file is used to make web spider agents (including search
# engines) more efficient. robots.txt is often used to inform a web spider
# which directories that the spider should ignore because the content may be
# dynamic or restricted. An attacker can use this information to gain insite
# into directories that may have been deemed sensitive.
#
# Verify that the robots.txt does not include any sensitive information.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robot.txt access"; flow:to_server,established; uricontent:"/robot.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1857; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8181 (msg:"WEB-MISC CISCO PIX Firewall Manager directory traversal attempt"; flow:to_server,established; content:"/pixfir~1/how_to_login.html"; reference:bugtraq,691; reference:cve,1999-0158; reference:nessus,10819; classtype:misc-attack; sid:1858; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"WEB-MISC Sun JavaServer default password login attempt"; flow:to_server,established; content:"/servlet/admin"; content:"ae9f86d6beaa3f9ecb9a5b7e072a4138"; reference:cve,1999-0508; reference:nessus,10995; classtype:default-login-attempt; sid:1859; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-MISC Linksys router default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; pcre:"/^Authorization\x3a\s*Basic\s+OmFkbWlu/smi"; reference:nessus,10999; classtype:default-login-attempt; sid:1860; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-MISC Linksys router default username and password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; pcre:"/^Authorization\x3a\s*Basic\s+YWRtaW46YWRtaW4/smi"; reference:nessus,10999; classtype:default-login-attempt; sid:1861; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC NetGear router default password login attempt admin/password"; flow:to_server,established; content:"Authorization|3A|"; nocase; pcre:"/^Authorization\x3a\s*Basic\s+YWRtaW46cGFzc3dvcmQ/smi"; reference:nessus,11737; classtype:default-login-attempt; sid:2230; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle XSQLConfig.xml access"; flow:to_server,established; uricontent:"/XSQLConfig.xml"; reference:bugtraq,4290; reference:cve,2002-0568; reference:nessus,10855; classtype:web-application-activity; sid:1871; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle Dynamic Monitoring Services dms access"; flow:to_server,established; uricontent:"/dms0"; reference:nessus,10848; classtype:web-application-activity; sid:1872; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC globals.jsa access"; flow:to_server,established; uricontent:"/globals.jsa"; reference:bugtraq,4034; reference:cve,2002-0562; reference:nessus,10850; classtype:web-application-activity; sid:1873; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle Java Process Manager access"; flow:to_server,established; uricontent:"/oprocmgr-status"; reference:nessus,10851; classtype:web-application-activity; sid:1874; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC bad HTTP/1.1 request, Potentially worm attack"; flow:to_server,established; content:"GET / HTTP/1.1|0D 0A 0D 0A|"; depth:18; reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html; classtype:web-application-activity; sid:1881; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC whisker HEAD with large datagram"; flow:to_server,established,no_stream; dsize:>512; content:"HEAD"; depth:4; nocase; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1171; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC whisker space splice attack"; flow:to_server,established; dsize:1; content:" "; reference:arachnids,296; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1104; rev:11;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC whisker tab splice attack"; flow:to_server,established; dsize:<5; content:"|09|"; reference:arachnids,415; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1087; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache chunked encoding memory corruption exploit attempt"; flow:established,to_server; content:"|C0|PR|89 E1|PQRP|B8 3B 00 00 00 CD 80|"; reference:bugtraq,5033; reference:cve,2002-0392; classtype:web-application-activity; sid:1808; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /Carello/add.exe access"; flow:to_server,established; uricontent:"/Carello/add.exe"; nocase; reference:bugtraq,1245; reference:cve,2000-0396; reference:nessus,11776; classtype:web-application-activity; sid:1943; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /ecscripts/ecware.exe access"; flow:to_server,established; uricontent:"/ecscripts/ecware.exe"; nocase; reference:bugtraq,6066; classtype:web-application-activity; sid:1944; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ion-p access"; flow:to_server,established; uricontent:"/ion-p"; nocase; reference:bugtraq,6091; reference:cve,2002-1559; classtype:web-application-activity; sid:1969; rev:3;)
# uricontent would be nice, but we can't be sure we are running http decoding
# on 8888. oh for rna integration...
alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC SiteScope Service access"; flow:to_server,established; content:"/SiteScope/cgi/go.exe/SiteScope"; reference:nessus,10778; classtype:web-application-activity; sid:1499; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC answerbook2 admin attempt"; flow:to_server,established; content:"/cgi-bin/admin/admin"; reference:bugtraq,5383; reference:cve,2000-0696; classtype:web-application-activity; sid:1946; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC answerbook2 arbitrary command execution attempt"; flow:to_server,established; content:"/ab2/"; content:"|3B|"; distance:1; reference:bugtraq,1556; reference:cve,2000-0697; classtype:web-application-attack; sid:1947; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC perl post attempt"; flow:to_server,established; content:"POST"; depth:4; uricontent:"/perl/"; reference:bugtraq,5520; reference:cve,2002-1436; reference:nessus,11158; classtype:web-application-attack; sid:1979; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC TRACE attempt"; flow:to_server,established; content:"TRACE"; depth:5; reference:bugtraq,9561; reference:nessus,11213; reference:url,www.whitehatsec.com/press_releases/WH-PR-20030120.pdf; classtype:web-application-attack; sid:2056; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC helpout.exe access"; flow:to_server,established; uricontent:"/helpout.exe"; reference:bugtraq,6002; reference:cve,2002-1169; reference:nessus,11162; classtype:web-application-activity; sid:2057; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC MsmMask.exe attempt"; flow:to_server,established; uricontent:"/MsmMask.exe"; content:"mask="; reference:nessus,11163; classtype:web-application-attack; sid:2058; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC MsmMask.exe access"; flow:to_server,established; uricontent:"/MsmMask.exe"; reference:nessus,11163; classtype:web-application-activity; sid:2059; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC DB4Web access"; flow:to_server,established; uricontent:"/DB4Web/"; reference:nessus,11180; classtype:web-application-activity; sid:2060; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Tomcat null byte directory listing attempt"; flow:to_server,established; uricontent:"|00|.jsp"; reference:bugtraq,2518; reference:bugtraq,6721; reference:cve,2003-0042; classtype:web-application-attack; sid:2061; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC iPlanet .perf access"; flow:to_server,established; uricontent:"/.perf"; reference:nessus,11220; classtype:web-application-activity; sid:2062; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Demarc SQL injection attempt"; flow:to_server,established; uricontent:"/dm/demarc"; content:"s_key="; content:"'"; distance:0; content:"'"; distance:1; content:"'"; distance:0; reference:bugtraq,4520; reference:cve,2002-0539; classtype:web-application-activity; sid:2063; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .csp script source download attempt"; flow:to_server,established; uricontent:".csp"; content:".csp"; content:"."; within:1; reference:bugtraq,6841; classtype:web-application-attack; sid:2064; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .csp script source download attempt"; flow:to_server,established; uricontent:".csp."; classtype:web-application-attack; sid:2065; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .pl script source download attempt"; flow:to_server,established; uricontent:".pl"; content:".pl"; content:"."; within:1; reference:bugtraq,6841; classtype:web-application-attack; sid:2066; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .exe script source download attempt"; flow:to_server,established; uricontent:".exe"; content:".exe"; content:"."; within:1; reference:bugtraq,6841; classtype:web-application-attack; sid:2067; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC BitKeeper arbitrary command attempt"; flow:to_server,established; uricontent:"/diffs/"; content:"'"; content:"|3B|"; distance:0; content:"'"; distance:1; reference:bugtraq,6588; classtype:web-application-attack; sid:2068; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC chip.ini access"; flow:to_server,established; uricontent:"/chip.ini"; reference:bugtraq,2755; reference:bugtraq,2775; reference:cve,2001-0749; reference:cve,2001-0771; classtype:web-application-activity; sid:2069; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC post32.exe arbitrary command attempt"; flow:to_server,established; uricontent:"/post32.exe|7C|"; reference:bugtraq,1485; classtype:web-application-attack; sid:2070; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC post32.exe access"; flow:to_server,established; uricontent:"/post32.exe"; reference:bugtraq,1485; classtype:web-application-activity; sid:2071; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC lyris.pl access"; flow:to_server,established; uricontent:"/lyris.pl"; reference:bugtraq,1584; reference:cve,2000-0758; classtype:web-application-activity; sid:2072; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC globals.pl access"; flow:to_server,established; uricontent:"/globals.pl"; reference:bugtraq,2671; reference:cve,2001-0330; classtype:web-application-activity; sid:2073; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC philboard.mdb access"; flow:to_server,established; uricontent:"/philboard.mdb"; reference:nessus,11682; classtype:web-application-activity; sid:2135; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC philboard_admin.asp authentication bypass attempt"; flow:to_server,established; uricontent:"/philboard_admin.asp"; content:"Cookie"; nocase; content:"philboard_admin=True"; distance:0; reference:bugtraq,7739; reference:nessus,11675; classtype:web-application-attack; sid:2136; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC philboard_admin.asp access"; flow:to_server,established; uricontent:"/philboard_admin.asp"; reference:bugtraq,7739; reference:nessus,11675; classtype:web-application-activity; sid:2137; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC logicworks.ini access"; flow:to_server,established; uricontent:"/logicworks.ini"; reference:bugtraq,6996; reference:nessus,11639; classtype:web-application-activity; sid:2138; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC /*.shtml access"; flow:to_server,established; uricontent:"/*.shtml"; reference:bugtraq,1517; reference:cve,2000-0683; reference:nessus,11604; classtype:web-application-activity; sid:2139; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC mod_gzip_status access"; flow:to_server,established; uricontent:"/mod_gzip_status"; reference:nessus,11685; classtype:web-application-activity; sid:2156; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC register.dll access"; flow:to_server,established; uricontent:"/register.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2231; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ContentFilter.dll access"; flow:to_server,established; uricontent:"/ContentFilter.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2232; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SFNofitication.dll access"; flow:to_server,established; uricontent:"/SFNofitication.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2233; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC TOP10.dll access"; flow:to_server,established; uricontent:"/TOP10.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2234; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SpamExcp.dll access"; flow:to_server,established; uricontent:"/SpamExcp.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2235; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC spamrule.dll access"; flow:to_server,established; uricontent:"/spamrule.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2236; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cgiWebupdate.exe access"; flow:to_server,established; uricontent:"/cgiWebupdate.exe"; nocase; reference:bugtraq,3216; reference:cve,2001-1150; reference:nessus,11722; classtype:web-application-activity; sid:2237; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebLogic ConsoleHelp view source attempt"; flow:to_server,established; uricontent:"/ConsoleHelp/"; nocase; uricontent:".jsp"; nocase; reference:bugtraq,1518; reference:cve,2000-0682; reference:nessus,11724; classtype:web-application-attack; sid:2238; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC redirect.exe access"; flow:to_server,established; uricontent:"/redirect.exe"; nocase; reference:bugtraq,1256; reference:cve,2000-0401; classtype:web-application-activity; sid:2239; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC changepw.exe access"; flow:to_server,established; uricontent:"/changepw.exe"; nocase; reference:bugtraq,1256; reference:cve,2000-0401; classtype:web-application-activity; sid:2240; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cwmail.exe access"; flow:to_server,established; uricontent:"/cwmail.exe"; nocase; reference:bugtraq,4093; reference:cve,2002-0273; reference:nessus,11727; classtype:web-application-activity; sid:2241; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ddicgi.exe access"; flow:to_server,established; uricontent:"/ddicgi.exe"; nocase; reference:bugtraq,1657; reference:cve,2000-0826; reference:nessus,11728; classtype:web-application-activity; sid:2242; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ndcgi.exe access"; flow:to_server,established; uricontent:"/ndcgi.exe"; nocase; reference:bugtraq,3583; reference:cve,2001-0922; reference:nessus,11730; classtype:web-application-activity; sid:2243; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VsSetCookie.exe access"; flow:to_server,established; uricontent:"/VsSetCookie.exe"; nocase; reference:bugtraq,3784; reference:cve,2002-0236; reference:nessus,11731; classtype:web-application-activity; sid:2244; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Webnews.exe access"; flow:to_server,established; uricontent:"/Webnews.exe"; nocase; reference:bugtraq,4124; reference:cve,2002-0290; reference:nessus,11732; classtype:web-application-activity; sid:2245; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webadmin.dll access"; flow:to_server,established; uricontent:"/webadmin.dll"; nocase; reference:bugtraq,7438; reference:bugtraq,7439; reference:bugtraq,8024; reference:cve,2003-0471; reference:nessus,11771; classtype:web-application-activity; sid:2246; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC oracle portal demo access"; flow:to_server,established; uricontent:"/pls/portal/PORTAL_DEMO"; nocase; reference:nessus,11918; classtype:web-application-activity; sid:2276; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC PeopleSoft PeopleBooks psdoccgi access"; flow:to_server,established; uricontent:"/psdoccgi"; nocase; reference:bugtraq,9037; reference:bugtraq,9038; reference:cve,2003-0626; reference:cve,2003-0627; classtype:web-application-activity; sid:2277; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC client negative Content-Length attempt"; flow:to_server,established; content:"Content-Length|3A|"; nocase; pcre:"/^Content-Length\x3a\s*-\d+/smi"; reference:bugtraq,9098; reference:bugtraq,9476; reference:bugtraq,9576; reference:cve,2004-0095; classtype:misc-attack; sid:2278; rev:8;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-MISC server negative Content-Length attempt"; flow:from_server,established; content:"Content-Length|3A|"; nocase; pcre:"/^Content-Length\x3a\s*-\d+/smi"; reference:cve,2004-0492; reference:url,www.guninski.com/modproxy1.html; classtype:attempted-admin; sid:2580; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC bsml.pl access"; flow:to_server,established; uricontent:"/bsml.pl"; nocase; reference:bugtraq,9311; reference:nessus,11973; classtype:web-application-activity; sid:2327; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ISAPISkeleton.dll access"; flow:to_server,established; uricontent:"/ISAPISkeleton.dll"; nocase; reference:bugtraq,9516; classtype:web-application-activity; sid:2369; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC BugPort config.conf file access"; flow:to_server,established; uricontent:"/config.conf"; nocase; reference:bugtraq,9542; classtype:attempted-recon; sid:2370; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Sample_showcode.html access"; flow:to_server,established; uricontent:"/Sample_showcode.html"; nocase; content:"fname"; reference:bugtraq,9555; classtype:web-application-activity; sid:2371; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC schema overflow attempt"; flow:to_server,established; uricontent:"|3A|//"; pcre:"/^[^\/]{14,}?\x3a\/\//U"; reference:bugtraq,9581; reference:cve,2004-0039; reference:nessus,12084; classtype:attempted-admin; sid:2381; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"WEB-MISC Compaq web-based management agent denial of service attempt"; flow:to_server,established; content:"<!"; depth:75; content:">"; within:50; reference:bugtraq,8014; classtype:web-application-attack; sid:2394; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC InteractiveQuery.jsp access"; flow:to_server,established; uricontent:"/InteractiveQuery.jsp"; nocase; reference:bugtraq,8938; reference:cve,2003-0624; classtype:web-application-activity; sid:2395; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC edittag.pl access"; flow:to_server,established; uricontent:"/edittag.pl"; nocase; reference:bugtraq,6675; classtype:web-application-activity; sid:2400; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC util.pl access"; flow:to_server,established; uricontent:"/util.pl"; nocase; reference:bugtraq,9748; classtype:web-application-activity; sid:2407; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Invision Power Board search.pl access"; flow:to_server,established; uricontent:"/search.pl"; content:"st="; nocase; reference:bugtraq,9766; classtype:web-application-activity; sid:2408; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 554 (msg:"WEB-MISC Real Server DESCRIBE buffer overflow attempt"; flow:to_server,established; content:"DESCRIBE"; nocase; content:"../"; distance:1; pcre:"/^DESCRIBE\s[^\n]{300}/smi"; reference:bugtraq,8476; reference:url,www.service.real.com/help/faq/security/rootexploit091103.html; classtype:web-application-attack; sid:2411; rev:5;)
# YES, the contents are logically backwards as to how the contents are seen on
# the wire. snort picks up the first of the longest pattern. login=0 happens
# MUCH less than Cookie. so we do this for speed.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC NetObserve authentication bypass attempt"; flow:to_server,established; content:"login=0"; nocase; content:"Cookie|3A|"; nocase; pcre:"/^Cookie\x3a[^\n]*?login=0/smi"; reference:bugtraq,9319; classtype:web-application-attack; sid:2441; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8000:8001 (msg:"WEB-MISC Quicktime User-Agent buffer overflow attempt"; flow:to_server,established; content:"User-Agent|3A|"; nocase; pcre:"/^User-Agent\x3a[^\n]{244,255}/smi"; reference:bugtraq,9735; reference:cve,2004-0169; classtype:web-application-attack; sid:2442; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC source.jsp access"; flow:to_server,established; uricontent:"/source.jsp"; nocase; reference:nessus,12119; classtype:web-application-activity; sid:2484; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ServletManager access"; flow:to_server,established; uricontent:"/servlet/ServletManager"; nocase; reference:bugtraq,3697; reference:cve,2001-1195; reference:nessus,12122; classtype:web-application-activity; sid:2447; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC setinfo.hts access"; flow:to_server,established; uricontent:"/setinfo.hts"; nocase; reference:bugtraq,9973; reference:nessus,12120; classtype:web-application-activity; sid:2448; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2505; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2520; rev:10;)
alert tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any (msg:"WEB-MISC SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2521; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2522; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2515; rev:13;)
# one of these days, we will have port lists...
alert tcp $EXTERNAL_NET any -> $HOME_NET 81 (msg:"WEB-MISC McAfee ePO file upload attempt"; flow:to_server,established; content:"/spipe/repl_file"; nocase; content:"Command=BEGIN"; nocase; reference:bugtraq,10200; reference:cve,2004-0038; classtype:attempted-admin; sid:2562; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cPanel resetpass access"; flow:to_server,established; uricontent:"/resetpass"; nocase; reference:bugtraq,9848; classtype:web-application-activity; sid:2569; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Invalid HTTP Version String"; flow:to_server,established; content:"HTTP/"; depth:300; nocase; isdataat:6,relative; content:!"|0A|"; within:5; reference:bugtraq,9809; reference:nessus,11593; classtype:non-standard-protocol; sid:2570; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Crystal Reports crystalimagehandler.aspx access"; flow:to_server,established; uricontent:"/crystalimagehandler.aspx"; nocase; reference:cve,2004-0204; reference:url,www.microsoft.com/security/bulletins/200406_crystal.mspx; classtype:web-application-activity; sid:2581; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Crystal Reports crystalImageHandler.aspx directory traversal attempt"; flow:to_server,established; uricontent:"/crystalimagehandler.aspx"; nocase; content:"dynamicimage=../"; nocase; reference:bugtraq,10260; reference:cve,2004-0204; reference:nessus,12271; reference:url,www.microsoft.com/security/bulletins/200406_crystal.mspx; classtype:web-application-attack; sid:2582; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Samba SWAT Authorization overflow attempt"; flow:to_server,established; content:"Authorization|3A| Basic"; nocase; pcre:"/^Authorization\x3a Basic\s+=/smi"; reference:bugtraq,10780; classtype:web-application-attack; sid:2597; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 901 (msg:"WEB-MISC Samba SWAT Authorization port 901 overflow attempt"; flow:to_server,established; content:"Authorization|3A| Basic"; nocase; pcre:"/^Authorization\x3a Basic\s+=/smi"; reference:bugtraq,10780; classtype:web-application-attack; sid:2598; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv2 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2658; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC TLSv1 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2661; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv2 Client_Hello with pad request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; content:"|00 02|"; depth:2; offset:6; flowbits:set,sslv2.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2659; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sresult.exe access"; flow:to_server,established; uricontent:"/sresult.exe"; nocase; reference:bugtraq,10837; reference:nessus,14186; classtype:web-application-activity; sid:2672; rev:1;)
alert tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any (msg:"WEB-MISC SSLv2 Server_Hello request"; flow:from_server,established; flowbits:isset,sslv2.client_hello.request; content:"|04|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2660; rev:4;)
alert tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any (msg:"WEB-MISC TLSv1 Server_Hello request"; flow:to_client,established; flowbits:isset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,tlsv1.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2662; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle iSQLPlus username overflow attempt"; flow:to_server,established; uricontent:"/isqlplus"; nocase; pcre:"/username=[^&\x3b\r\n]{255}/si"; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2702; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle iSQLPlus login.uix username overflow attempt"; flow:to_server,established; uricontent:"/login.uix"; nocase; pcre:"/username=[^&\x3b\r\n]{250}/smi"; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2703; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle 10g iSQLPlus login.unix connectID overflow attempt"; flow:to_server,established; uricontent:"/login.uix"; nocase; pcre:"/connectID=[^&\x3b\r\n]{255}/smi"; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2704; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle iSQLPlus sid overflow attempt"; flow:to_server,established; uricontent:"/isqlplus"; nocase; pcre:"/sid=[^&\x3b\r\n]{255}/si"; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2701; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .htgroup access"; flow:to_server,established; uricontent:".htgroup"; nocase; classtype:web-application-activity; sid:1374; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC TLS1 Client_Hello with pad via SSLv2 handshake request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tls1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; content:"|03 01|"; depth:2; offset:4; flowbits:set,tls1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3060; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC TLSv1 Client_Hello via SSLv2 handshake request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|03 01|"; depth:2; offset:3; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3059; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC 3Com 3CRADSL72 ADSL 11g Wireless Router app_sta.stm access attempt"; flow:to_server,established; uricontent:"/app_sta.stm"; nocase; reference:bugtraq,11408; classtype:web-application-activity; sid:3086; rev:1;)
|