/etc/snort/gen-msg.map is in snort-rules-default 2.9.6.0-0ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 | # $Id$
# GENERATORS -> msg map
# Format: generatorid || alertid || MSG
1 || 1 || snort general alert
2 || 1 || tag: Tagged Packet
3 || 1 || snort dynamic alert
100 || 1 || spp_portscan: Portscan Detected
100 || 2 || spp_portscan: Portscan Status
100 || 3 || spp_portscan: Portscan Ended
101 || 1 || spp_minfrag: minfrag alert
102 || 1 || http_decode: Unicode Attack
102 || 2 || http_decode: CGI NULL Byte Attack
102 || 3 || http_decode: large method attempted
102 || 4 || http_decode: missing uri
102 || 5 || http_decode: double encoding detected
102 || 6 || http_decode: illegal hex values detected
102 || 7 || http_decode: overlong character detected
103 || 1 || spp_defrag: Fragmentation Overflow Detected
103 || 2 || spp_defrag: Stale Fragments Discarded
104 || 1 || spp_anomsensor: SPADE Anomaly Threshold Exceeded
104 || 2 || spp_anomsensor: SPADE Anomaly Threshold Adjusted
105 || 1 || spp_bo: Back Orifice Traffic Detected
105 || 2 || spp_bo: Back Orifice Client Traffic Detected
105 || 3 || spp_bo: Back Orifice Server Traffic Detected
105 || 4 || spp_bo: Back Orifice Snort Buffer Attack
106 || 1 || spp_rpc_decode: Fragmented RPC Records
106 || 2 || spp_rpc_decode: Multiple Records in one packet
106 || 3 || spp_rpc_decode: Large RPC Record Fragment
106 || 4 || spp_rpc_decode: Incomplete RPC segment
106 || 5 || spp_rpc_decode: Zero-length RPC Fragment
110 || 1 || spp_unidecode: CGI NULL Attack
110 || 2 || spp_unidecode: Directory Traversal
110 || 3 || spp_unidecode: Unknown Mapping
110 || 4 || spp_unidecode: Invalid Mapping
111 || 1 || spp_stream4: Stealth Activity Detected
111 || 2 || spp_stream4: Evasive Reset Packet
111 || 3 || spp_stream4: Retransmission
111 || 4 || spp_stream4: Window Violation
111 || 5 || spp_stream4: Data on SYN Packet
111 || 6 || spp_stream4: Full XMAS Stealth Scan
111 || 7 || spp_stream4: SAPU Stealth Scan
111 || 8 || spp_stream4: FIN Stealth Scan
111 || 9 || spp_stream4: NULL Stealth Scan
111 || 10 || spp_stream4: NMAP XMAS Stealth Scan
111 || 11 || spp_stream4: VECNA Stealth Scan
111 || 12 || spp_stream4: NMAP Fingerprint Stateful Detection
111 || 13 || spp_stream4: SYN FIN Stealth Scan
111 || 14 || spp_stream4: TCP forward overlap detected
111 || 15 || spp_stream4: TTL Evasion attempt
111 || 16 || spp_stream4: Evasive retransmitted data attempt
111 || 17 || spp_stream4: Evasive retransmitted data with the data split attempt
111 || 18 || spp_stream4: Multiple acked
111 || 19 || spp_stream4: Shifting to Emergency Session Mode
111 || 20 || spp_stream4: Shifting to Suspend Mode
111 || 21 || spp_stream4: TCP Timestamp option has value of zero
111 || 22 || spp_stream4: Too many overlapping TCP packets
111 || 23 || spp_stream4: Packet in established TCP stream missing ACK
111 || 24 || spp_stream4: Evasive FIN Packet
111 || 25 || spp_stream4: SYN on established
112 || 1 || spp_arpspoof: Directed ARP Request
112 || 2 || spp_arpspoof: Etherframe ARP Mismatch SRC
112 || 3 || spp_arpspoof: Etherframe ARP Mismatch DST
112 || 4 || spp_arpspoof: ARP Cache Overwrite Attack
113 || 1 || spp_frag2: Oversized Frag
113 || 2 || spp_frag2: Teardrop/Fragmentation Overlap Attack
113 || 3 || spp_frag2: TTL evasion detected
113 || 4 || spp_frag2: overlap detected
113 || 5 || spp_frag2: Duplicate first fragments
113 || 6 || spp_frag2: memcap exceeded
113 || 7 || spp_frag2: Out of order fragments
113 || 8 || spp_frag2: IP Options on Fragmented Packet
113 || 9 || spp_frag2: Shifting to Emegency Session Mode
113 || 10 || spp_frag2: Shifting to Suspend Mode
114 || 1 || spp_fnord: Possible Mutated GENERIC NOP Sled detected
114 || 2 || spp_fnord: Possible Mutated IA32 NOP Sled detected
114 || 3 || spp_fnord: Possible Mutated HPPA NOP Sled detected
114 || 4 || spp_fnord: Possible Mutated SPARC NOP Sled detected
115 || 1 || spp_asn1: Indefinite ASN.1 length encoding
115 || 2 || spp_asn1: Invalid ASN.1 length encoding
115 || 3 || spp_asn1: ASN.1 oversized item, possible overflow
115 || 4 || spp_asn1: ASN.1 spec violation, possible overflow
115 || 5 || spp_asn1: ASN.1 Attack: Datum length > packet length
116 || 1 || snort_decoder: WARNING: Not IPv4 datagram
116 || 2 || snort_decoder: WARNING: hlen < IP_HEADER_LEN
116 || 3 || snort_decoder: WARNING: IP dgm len < IP Hdr len
116 || 4 || snort_decoder: WARNING: Bad IPv4 Options
116 || 5 || snort_decoder: WARNING: Truncated IPv4 Options
116 || 6 || snort_decoder: WARNING: IP dgm len > captured len
116 || 45 || snort_decoder: WARNING: TCP packet len is smaller than 20 bytes
116 || 46 || snort_decoder: WARNING: TCP Data Offset is less than 5
116 || 47 || snort_decoder: WARNING: TCP Data Offset is longer than payload
116 || 54 || snort_decoder: WARNING: Tcp Options found with bad lengths
116 || 55 || snort_decoder: WARNING: Truncated Tcp Options
116 || 56 || snort_decoder: WARNING: T/TCP Detected
116 || 57 || snort_decoder: WARNING: Obsolete TCP options
116 || 58 || snort_decoder: WARNING: Experimental TCP options
116 || 59 || snort_decoder: WARNING: TCP Window Scale Option Scale Invalid (> 14)
116 || 95 || snort_decoder: WARNING: Truncated UDP Header
116 || 96 || snort_decoder: WARNING: Invalid UDP header, length field < 8
116 || 97 || snort_decoder: WARNING: Short UDP packet, length field > payload length
116 || 98 || snort_decoder: WARNING: Long UDP packet, length field < payload length
116 || 105 || snort_decoder: WARNING: ICMP Header Truncated
116 || 106 || snort_decoder: WARNING: ICMP Timestamp Header Truncated
116 || 107 || snort_decoder: WARNING: ICMP Address Header Truncated
116 || 108 || snort_decoder: WARNING: Unknown Datagram decoding problem
116 || 109 || snort_decoder: WARNING: Truncated ARP Packet
116 || 110 || snort_decoder: WARNING: Truncated EAP Header
116 || 111 || snort_decoder: WARNING: EAP Key Truncated
116 || 112 || snort_decoder: WARNING: EAP Header Truncated
116 || 120 || snort_decoder: WARNING: Bad PPPOE frame detected
116 || 130 || snort_decoder: WARNING: Bad VLAN Frame
116 || 131 || snort_decoder: WARNING: Bad LLC header
116 || 132 || snort_decoder: WARNING: Bad Extra LLC Info
116 || 133 || snort_decoder: WARNING: Bad 802.11 LLC header
116 || 134 || snort_decoder: WARNING: Bad 802.11 Extra LLC Info
116 || 140 || snort_decoder: WARNING: Bad Token Ring Header
116 || 141 || snort_decoder: WARNING: Bad Token Ring ETHLLC Header
116 || 142 || snort_decoder: WARNING: Bad Token Ring MRLEN Header
116 || 143 || snort_decoder: WARNING: Bad Token Ring MR Header
116 || 150 || snort_decoder: WARNING: Bad Traffic Loopback IP
116 || 151 || snort_decoder: WARNING: Bad Traffic Same Src/Dst IP
116 || 160 || snort_decoder: WARNING: GRE header length > payload length
116 || 161 || snort_decoder: WARNING: Multiple encapsulations in packet
116 || 162 || snort_decoder: WARNING: Invalid GRE version
116 || 163 || snort_decoder: WARNING: Invalid GRE v.0 header
116 || 164 || snort_decoder: WARNING: Invalid GRE v.1 PPTP header
116 || 165 || snort_decoder: WARNING: GRE Trans header length > payload length
116 || 170 || snort_decoder: WARNING: Bad MPLS Frame
116 || 171 || snort_decoder: WARNING: MPLS Label 0 Appears in Nonbottom Header
116 || 172 || snort_decoder: WARNING: MPLS Label 1 Appears in Bottom Header
116 || 173 || snort_decoder: WARNING: MPLS Label 2 Appears in Nonbottom Header
116 || 174 || snort_decoder: WARNING: Bad use of label 3
116 || 175 || snort_decoder: WARNING: MPLS Label 4, 5,.. or 15 Appears in Header
116 || 176 || snort_decoder: WARNING: Too Many MPLS headers
116 || 250 || snort_decoder: WARNING: ICMP Original IP Header Truncated
116 || 251 || snort_decoder: WARNING: ICMP Original IP Header Not IPv4
116 || 252 || snort_decoder: WARNING: ICMP Original Datagram Length < Original IP Header Length
116 || 253 || snort_decoder: WARNING: ICMP Original IP Payload < 64 bits
116 || 254 || snort_decoder: WARNING: ICMP Original IP Payload > 576 bytes
116 || 255 || snort_decoder: WARNING: ICMP Original IP Fragmented and Offset Not 0
116 || 270 || snort_decoder: WARNING: IPV6 packet exceeded TTL limit
116 || 271 || snort_decoder: WARNING: IPv6 header claims to not be IPv6
116 || 272 || snort_decoder: WARNING: IPV6 truncated extension header
116 || 273 || snort_decoder: WARNING: IPV6 truncated header
116 || 274 || snort_decoder: WARNING: IPV6 dgm len < IPV6 Hdr len
116 || 275 || snort_decoder: WARNING: IPV6 dgm len > captured len
116 || 276 || snort_decoder: WARNING: IPv6 packet with destination address ::0
116 || 277 || snort_decoder: WARNING: IPv6 packet with multicast source address
116 || 278 || snort_decoder: WARNING: IPv6 packet with reserved multicast destination address
116 || 279 || snort_decoder: WARNING: IPv6 header includes an undefined option type
116 || 280 || snort_decoder: WARNING: IPv6 address includes an unassigned multicast scope value
116 || 281 || snort_decoder: WARNING: IPv6 header includes an invalid value for the "next header" field
116 || 282 || snort_decoder: WARNING: IPv6 header includes a routing extension header followed by a hop-by-hop header
116 || 283 || snort_decoder: WARNING: IPv6 header includes two routing extension headers
116 || 285 || snort_decoder: WARNING: ICMPv6 packet of type 2 (message too big) with MTU field < 1280
116 || 286 || snort_decoder: WARNING: ICMPv6 packet of type 1 (destination unreachable) with non-RFC 2463 code
116 || 287 || snort_decoder: WARNING: ICMPv6 router solicitation packet with a code not equal to 0
116 || 288 || snort_decoder: WARNING: ICMPv6 router advertisement packet with a code not equal to 0
116 || 289 || snort_decoder: WARNING: ICMPv6 router solicitation packet with the reserved field not equal to 0
116 || 290 || snort_decoder: WARNING: ICMPv6 router advertisement packet with the reachable time field set > 1 hour
116 || 291 || snort_decoder: WARNING: IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux Kernel attack
116 || 292 || snort_decoder: WARNING: IPv6 header has destination options followed by a routing header
116 || 293 || snort_decoder: WARNING: Two or more IP (v4 and/or v6) encapsulation layers present
116 || 294 || snort_decoder: WARNING: truncated Encapsulated Security Payload (ESP) header
116 || 295 || snort_decoder: WARNING: IPv6 header includes an option which is too big for the containing header.
116 || 296 || snort_decoder: WARNING: IPv6 packet includes out-of-order extension headers
116 || 297 || snort_decoder: WARNING: Two or more GTP encapsulation layers are present
116 || 298 || snort_decoder: WARNING: GTP header length is invalid
116 || 400 || snort_decoder: WARNING: XMAS Attack Detected
116 || 401 || snort_decoder: WARNING: Nmap XMAS Attack Detected
116 || 402 || snort_decoder: WARNING: DOS NAPTHA Vulnerability Detected
116 || 403 || snort_decoder: WARNING: Bad Traffic SYN to multicast address
116 || 404 || snort_decoder: WARNING: IPV4 packet with zero TTL
116 || 405 || snort_decoder: WARNING: IPV4 packet with bad frag bits (Both MF and DF set)
116 || 406 || snort_decoder: WARNING: Invalid IPv6 UDP packet, checksum zero
116 || 407 || snort_decoder: WARNING: IPV4 packet frag offset + length exceed maximum
116 || 408 || snort_decoder: WARNING: IPV4 packet from 'current net' source address
116 || 409 || snort_decoder: WARNING: IPV4 packet to 'current net' dest address
116 || 410 || snort_decoder: WARNING: IPV4 packet from multicast source address
116 || 411 || snort_decoder: WARNING: IPV4 packet from reserved source address
116 || 412 || snort_decoder: WARNING: IPV4 packet to reserved dest address
116 || 413 || snort_decoder: WARNING: IPV4 packet from broadcast source address
116 || 414 || snort_decoder: WARNING: IPV4 packet to broadcast dest address
116 || 415 || snort_decoder: WARNING: ICMP4 packet to multicast dest address
116 || 416 || snort_decoder: WARNING: ICMP4 packet to broadcast dest address
116 || 417 || snort_decoder: WARNING: ICMP4 source quence
116 || 418 || snort_decoder: WARNING: ICMP4 type other
116 || 419 || snort_decoder: WARNING: TCP urgent pointer exceeds payload length or no payload
116 || 420 || snort_decoder: WARNING: TCP SYN with FIN
116 || 421 || snort_decoder: WARNING: TCP SYN with RST
116 || 422 || snort_decoder: WARNING: TCP PDU missing ack for established session
116 || 423 || snort_decoder: WARNING: TCP has no SYN, ACK, or RST
116 || 424 || snort_decoder: WARNING: truncated eth header
116 || 425 || snort_decoder: WARNING: truncated IP4 header
116 || 426 || snort_decoder: WARNING: truncated ICMP4 header
116 || 427 || snort_decoder: WARNING: truncated ICMP6 header
116 || 428 || snort_decoder: WARNING: IPV4 packet below TTL limit
116 || 429 || snort_decoder: WARNING: IPV6 packet has zero hop limit
116 || 430 || snort_decoder: WARNING: IPV4 packet both DF and offset set
116 || 431 || snort_decoder: WARNING: ICMP6 type not decoded
116 || 432 || snort_decoder: WARNING: ICMP6 packet to multicast address
116 || 433 || snort_decoder: WARNING: DDOS shaft synflood
116 || 434 || snort_decoder: WARNING: ICMP PING NMAP
116 || 435 || snort_decoder: WARNING: ICMP icmpenum v1.1.1
116 || 436 || snort_decoder: WARNING: ICMP redirect host
116 || 437 || snort_decoder: WARNING: ICMP redirect net
116 || 438 || snort_decoder: WARNING: ICMP traceroute ipopts
116 || 439 || snort_decoder: WARNING: ICMP Source Quench
116 || 440 || snort_decoder: WARNING: Broadscan Smurf Scanner
116 || 441 || snort_decoder: WARNING: ICMP Destination Unreachable Communication Administratively Prohibited
116 || 442 || snort_decoder: WARNING: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited
116 || 443 || snort_decoder: WARNING: ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited
116 || 444 || snort_decoder: WARNING: MISC IP option set
116 || 445 || snort_decoder: WARNING: MISC Large UDP Packet
116 || 446 || snort_decoder: WARNING: BAD-TRAFFIC TCP port 0 traffic
116 || 447 || snort_decoder: WARNING: BAD-TRAFFIC UDP port 0 traffic
116 || 448 || snort_decoder: WARNING: BAD-TRAFFIC IP reserved bit set
116 || 449 || snort_decoder: WARNING: BAD-TRAFFIC Unassigned/Reserved IP protocol
116 || 450 || snort_decoder: WARNING: BAD-TRAFFIC Bad IP protocol
116 || 451 || snort_decoder: WARNING: ICMP PATH MTU denial of service attempt
116 || 452 || snort_decoder: WARNING: BAD-TRAFFIC linux ICMP header dos attempt
116 || 453 || snort_decoder: WARNING: IPV6 ISATAP spoof
116 || 454 || snort_decoder: WARNING: PGM NAK overflow
116 || 455 || snort_decoder: WARNING: IGMP options dos
116 || 456 || snort_decoder: WARNING: too many IPV6 extension headers
116 || 457 || snort_decoder: WARNING: ICMPv6 packet of type 1 (destination unreachable) with non-RFC 4443 code
116 || 458 || snort_decoder: WARNING: bogus fragmentation packet. Possible BSD attack
116 || 459 || snort_decoder: WARNING: zero length fragment
116 || 460 || snort_decoder: WARNING: ICMPv6 node info query/response packet with a code greater than 2
116 || 461 || snort_decoder: WARNING: Deprecated IPv6 Type 0 Routing Header
116 || 462 || snort_decoder: WARNING: ERSpan Header version mismatch
116 || 463 || snort_decoder: WARNING: captured < ERSpan Type2 Header Length
116 || 464 || snort_decoder: WARNING: captured < ERSpan Type3 Header Length
117 || 1 || spp_portscan2: Portscan detected
118 || 1 || spp_conversation: Bad IP protocol
119 || 1 || http_inspect: ASCII ENCODING
119 || 2 || http_inspect: DOUBLE DECODING ATTACK
119 || 3 || http_inspect: U ENCODING
119 || 4 || http_inspect: BARE BYTE UNICODE ENCODING
119 || 5 || http_inspect: BASE36 ENCODING
119 || 6 || http_inspect: UTF-8 ENCODING
119 || 7 || http_inspect: IIS UNICODE CODEPOINT ENCODING
119 || 8 || http_inspect: MULTI_SLASH ENCODING
119 || 9 || http_inspect: IIS BACKSLASH EVASION
119 || 10 || http_inspect: SELF DIRECTORY TRAVERSAL
119 || 11 || http_inspect: DIRECTORY TRAVERSAL
119 || 12 || http_inspect: APACHE WHITESPACE (TAB)
119 || 13 || http_inspect: NON-RFC HTTP DELIMITER
119 || 14 || http_inspect: NON-RFC DEFINED CHAR
119 || 15 || http_inspect: OVERSIZE REQUEST-URI DIRECTORY
119 || 16 || http_inspect: OVERSIZE CHUNK ENCODING
119 || 17 || http_inspect: UNAUTHORIZED PROXY USE DETECTED
119 || 18 || http_inspect: WEBROOT DIRECTORY TRAVERSAL
119 || 19 || http_inspect: LONG HEADER
119 || 20 || http_inspect: MAX HEADERS
119 || 21 || http_inspect: MULTIPLE CONTENT LENGTH HEADER FIELDS
119 || 22 || http_inspect: CHUNK SIZE MISMATCH DETECTED
119 || 23 || http_inspect: INVALID IP IN TRUE-CLIENT-IP/XFF HEADER
119 || 24 || http_inspect: MULTIPLE HOST HEADERS DETECTED
119 || 25 || http_inspect: HOSTNAME EXCEEDS 255 CHARACTERS
119 || 26 || http_inspect: HEADER PARSING SPACE SATURATION
119 || 27 || http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS
119 || 28 || http_inspect: POST W/O CONTENT-LENGTH OR CHUNKS
119 || 29 || http_inspect: MULTIPLE TRUE IPS IN A SESSION
119 || 30 || http_inspect: BOTH TRUE_CLIENT_IP AND XFF HDRS PRESENT
119 || 31 || http_inspect: UNKNOWN METHOD
119 || 32 || http_inspect: SIMPLE REQUEST
119 || 33 || http_inspect: UNESCAPED SPACE IN HTTP URI
119 || 34 || http_inspect: TOO MANY PIPELINED REQUESTS
120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT
120 || 2 || http_inspect: INVALID STATUS CODE IN HTTP RESPONSE
120 || 3 || http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
120 || 4 || http_inspect: HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
120 || 5 || http_inspect: HTTP RESPONSE HAS UTF-7 CHARSET
120 || 6 || http_inspect: HTTP RESPONSE GZIP DECOMPRESSION FAILED
120 || 7 || http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS
120 || 8 || http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
120 || 9 || http_inspect: JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
120 || 10 || http_inspect: JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
120 || 11 || http_inspect: MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA
121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded
121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded
121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded
121 || 4 || flow-portscan: Sliding Scale Talker Limit Exceeded
122 || 1 || portscan: TCP Portscan
122 || 2 || portscan: TCP Decoy Portscan
122 || 3 || portscan: TCP Portsweep
122 || 4 || portscan: TCP Distributed Portscan
122 || 5 || portscan: TCP Filtered Portscan
122 || 6 || portscan: TCP Filtered Decoy Portscan
122 || 7 || portscan: TCP Filtered Portsweep
122 || 8 || portscan: TCP Filtered Distributed Portscan
122 || 9 || portscan: IP Protocol Scan
122 || 10 || portscan: IP Decoy Protocol Scan
122 || 11 || portscan: IP Protocol Sweep
122 || 12 || portscan: IP Distributed Protocol Scan
122 || 13 || portscan: IP Filtered Protocol Scan
122 || 14 || portscan: IP Filtered Decoy Protocol Scan
122 || 15 || portscan: IP Filtered Protocol Sweep
122 || 16 || portscan: IP Filtered Distributed Protocol Scan
122 || 17 || portscan: UDP Portscan
122 || 18 || portscan: UDP Decoy Portscan
122 || 19 || portscan: UDP Portsweep
122 || 20 || portscan: UDP Distributed Portscan
122 || 21 || portscan: UDP Filtered Portscan
122 || 22 || portscan: UDP Filtered Decoy Portscan
122 || 23 || portscan: UDP Filtered Portsweep
122 || 24 || portscan: UDP Filtered Distributed Portscan
122 || 25 || portscan: ICMP Sweep
122 || 26 || portscan: ICMP Filtered Sweep
122 || 27 || portscan: Open Port
123 || 1 || frag3: IP Options on fragmented packet
123 || 2 || frag3: Teardrop attack
123 || 3 || frag3: Short fragment, possible DoS attempt
123 || 4 || frag3: Fragment packet ends after defragmented packet
123 || 5 || frag3: Zero-byte fragment
123 || 6 || frag3: Bad fragment size, packet size is negative
123 || 7 || frag3: Bad fragment size, packet size is greater than 65536
123 || 8 || frag3: Fragmentation overlap
123 || 9 || frag3: IPv6 BSD mbufs remote kernel buffer overflow
123 || 10 || frag3: Bogus fragmentation packet. Possible BSD attack
123 || 11 || frag3: TTL value less than configured minimum, not using for reassembly
123 || 12 || frag3: Number of overlapping fragments exceed configured limit
123 || 13 || frag3: Fragments smaller than configured min_fragment_length
124 || 1 || smtp: Attempted command buffer overflow
124 || 2 || smtp: Attempted data header buffer overflow
124 || 3 || smtp: Attempted response buffer overflow
124 || 4 || smtp: Attempted specific command buffer overflow
124 || 5 || smtp: Unknown command
124 || 6 || smtp: Illegal command
124 || 7 || smtp: Attempted header name buffer overflow
124 || 8 || smtp: Attempted X-Link2State command buffer overflow
124 || 9 || smtp: No memory available for decoding. Max Mime Mem exceeded.
124 || 10 || smtp: Base64 Decoding failed
124 || 11 || smtp: Quoted-Printable Decoding failed
124 || 12 || smtp: Non-Encoded MIME attachment Extraction failed
124 || 13 || smtp: Unix-to-Unix Decoding failed
124 || 14 || smtp: Cyrus SASL authentication attack
125 || 1 || ftp_pp: Telnet command on FTP command channel
125 || 2 || ftp_pp: Invalid FTP command
125 || 3 || ftp_pp: FTP parameter length overflow
125 || 4 || ftp_pp: FTP malformed parameter
125 || 5 || ftp_pp: Possible string format attempt in FTP command/parameter
125 || 6 || ftp_pp: FTP response length overflow
125 || 7 || ftp_pp: FTP command channel encrypted
125 || 8 || ftp_pp: FTP bounce attack
125 || 9 || ftp_pp: Evasive Telnet command on FTP command channel
126 || 1 || telnet_pp: Telnet consecutive AYT overflow
126 || 2 || telnet_pp: Telnet data encrypted
126 || 3 || telnet_pp: Subnegotiation Begin without matching Subnegotiation End
128 || 1 || ssh: Gobbles exploit
128 || 2 || ssh: SSH1 CRC32 exploit
128 || 3 || ssh: Server version string overflow
128 || 4 || ssh: Protocol mismatch
128 || 5 || ssh: Bad message direction
128 || 6 || ssh: Payload size incorrect for the given payload
128 || 7 || ssh: Failed to detect SSH version string
129 || 1 || stream5: SYN on established session
129 || 2 || stream5: Data on SYN packet
129 || 3 || stream5: Data sent on stream not accepting data
129 || 4 || stream5: TCP Timestamp is outside of PAWS window
129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0
129 || 6 || stream5: Window size (after scaling) larger than policy allows
129 || 7 || stream5: Limit on number of overlapping TCP packets reached
129 || 8 || stream5: Data sent on stream after TCP Reset
129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address
129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address
129 || 11 || stream5: TCP Data with no TCP Flags set
129 || 12 || stream5: TCP Small Segment Threshold Exceeded
129 || 13 || stream5: TCP 4-way handshake detected
129 || 14 || stream5: TCP Timestamp is missing
129 || 15 || stream5: Reset outside window
129 || 16 || stream5: FIN number is greater than prior FIN
129 || 17 || stream5: ACK number is greater than prior FIN
129 || 18 || stream5: Data sent on stream after TCP Reset received
129 || 19 || stream5: TCP window closed before receiving data
129 || 20 || stream5: TCP session without 3-way handshake
130 || 1 || dcerpc: Maximum memory usage reached
131 || 1 || dns: Obsolete DNS RData Type
131 || 2 || dns: Experimental DNS RData Type
131 || 3 || dns: Client RData TXT Overflow
133 || 1 || dcerpc2: Memory cap exceeded
133 || 2 || dcerpc2: SMB - Bad NetBIOS Session Service session type
133 || 3 || dcerpc2: SMB - Bad SMB message type
133 || 4 || dcerpc2: SMB - Bad SMB Id (not "\xffSMB" for SMB1 or not "\xfeSMB" for SMB2)
133 || 5 || dcerpc2: SMB - Bad word count or structure size for command
133 || 6 || dcerpc2: SMB - Bad byte count for command
133 || 7 || dcerpc2: SMB - Bad format type for command
133 || 8 || dcerpc2: SMB - Bad AndX or data offset in command
133 || 9 || dcerpc2: SMB - Zero total data count in command
133 || 10 || dcerpc2: SMB - NetBIOS data length less than SMB header length
133 || 11 || dcerpc2: SMB - Remaining NetBIOS data length less than command length
133 || 12 || dcerpc2: SMB - Remaining NetBIOS data length less than command byte count
133 || 13 || dcerpc2: SMB - Remaining NetBIOS data length less than command data size
133 || 14 || dcerpc2: SMB - Remaining total data count less than this command data size
133 || 15 || dcerpc2: SMB - Total data sent greater than command total data expected
133 || 16 || dcerpc2: SMB - Byte count less than command data size
133 || 17 || dcerpc2: SMB - Invalid command data size for byte count
133 || 18 || dcerpc2: SMB - Excessive Tree Connect requests with pending Tree Connect responses
133 || 19 || dcerpc2: SMB - Excessive Read requests with pending Read responses
133 || 20 || dcerpc2: SMB - Excessive command chaining
133 || 21 || dcerpc2: SMB - Multiple chained login requests
133 || 22 || dcerpc2: SMB - Multiple chained tree connect requests
133 || 23 || dcerpc2: SMB - Chained/Compounded login followed by logoff
133 || 24 || dcerpc2: SMB - Chained/Compounded tree connect followed by tree disconnect
133 || 25 || dcerpc2: SMB - Chained/Compounded open pipe followed by close pipe
133 || 26 || dcerpc2: SMB - Invalid share access
133 || 27 || dcerpc2: Connection-oriented DCE/RPC - Invalid major version
133 || 28 || dcerpc2: Connection-oriented DCE/RPC - Invalid minor version
133 || 29 || dcerpc2: Connection-oriented DCE/RPC - Invalid pdu type
133 || 30 || dcerpc2: Connection-oriented DCE/RPC - Fragment length less than header size
133 || 31 || dcerpc2: Connection-oriented DCE/RPC - Remaining fragment length less than size needed
133 || 32 || dcerpc2: Connection-oriented DCE/RPC - No context items specified
133 || 33 || dcerpc2: Connection-oriented DCE/RPC - No transfer syntaxes specified
133 || 34 || dcerpc2: Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client
133 || 35 || dcerpc2: Connection-oriented DCE/RPC - Fragment length greater than maximum negotiated fragment transmit size
133 || 36 || dcerpc2: Connection-oriented DCE/RPC - Alter Context byte order different from Bind
133 || 37 || dcerpc2: Connection-oriented DCE/RPC - Call id of non first/last fragment different from call id established for fragmented request
133 || 38 || dcerpc2: Connection-oriented DCE/RPC - Opnum of non first/last fragment different from opnum established for fragmented request
133 || 39 || dcerpc2: Connection-oriented DCE/RPC - Context id of non first/last fragment different from context id established for fragmented request
133 || 40 || dcerpc2: Connectionless DCE/RPC - Invalid major version
133 || 41 || dcerpc2: Connectionless DCE/RPC - Invalid pdu type
133 || 42 || dcerpc2: Connectionless DCE/RPC - Data length less than header size
133 || 43 || dcerpc2: Connectionless DCE/RPC - Bad sequence number
#133 || 44 || dcerpc2: SMB - Invalid SMB version 1 seen
#133 || 45 || dcerpc2: SMB - Invalid SMB version 2 seen
#133 || 46 || dcerpc2: SMB - Invalid user, tree connect, file binding
#133 || 47 || dcerpc2: SMB - Excessive command compounding
133 || 48 || dcerpc2: SMB - Zero data count
133 || 49 || dcerpc2: SMB - Data count mismatch
133 || 50 || dcerpc2: SMB - Maximum number of outstanding requests exceeded
133 || 51 || dcerpc2: SMB - Outstanding requests with the same MID
133 || 52 || dcerpc2: SMB - Deprecated dialect negotiated
133 || 53 || dcerpc2: SMB - Deprecated command used
133 || 54 || dcerpc2: SMB - Unusual command used
133 || 55 || dcerpc2: SMB - Invalid setup count
133 || 56 || dcerpc2: SMB - Client attempted multiple dialect negotiations on session
133 || 57 || dcerpc2: SMB - Client attempted to create or set a file's attributes to readonly/hidden/system
134 || 1 || ppm: rule tree disabled
134 || 2 || ppm: rule tree enabled
134 || 3 || ppm: packet aborted
135 || 1 || internal: syn received
135 || 2 || internal: session established
135 || 3 || internal: session cleared
136 || 1 || reputation: Packet is blacklisted
136 || 2 || reputation: Packet is whitelisted
137 || 1 || ssp_ssl: Invalid Client HELLO after Server HELLO Detected
137 || 2 || ssp_ssl: Invalid Server HELLO without Client HELLO Detected
138 || 2 || sensitive_data: sensitive data - Credit card numbers
138 || 3 || sensitive_data: sensitive data - U.S. social security numbers with dashes
138 || 4 || sensitive_data: sensitive data - U.S. social security numbers without dashes
138 || 5 || sensitive_data: sensitive data - eMail addresses
138 || 6 || sensitive_data: sensitive data - U.S. phone numbers
139 || 1 || sensitive_data: sensitive data global threshold exceeded
140 || 1 || sip: Maximum sessions reached
140 || 2 || sip: Empty request URI
140 || 3 || sip: URI is too long
140 || 4 || sip: Empty call-Id
140 || 5 || sip: Call-Id is too long
140 || 6 || sip: CSeq number is too large or negative
140 || 7 || sip: Request name in CSeq is too long
140 || 8 || sip: Empty From header
140 || 9 || sip: From header is too long
140 || 10 || sip: Empty To header
140 || 11 || sip: To header is too long
140 || 12 || sip: Empty Via header
140 || 13 || sip: Via header is too long
140 || 14 || sip: Empty Contact
140 || 15 || sip: Contact is too long
140 || 16 || sip: Content length is too large or negative
140 || 17 || sip: Multiple SIP messages in a packet
140 || 18 || sip: Content length mismatch
140 || 19 || sip: Request name is invalid
140 || 20 || sip: Invite replay attack
140 || 21 || sip: Illegal session information modification
140 || 22 || sip: Response status code is not a 3 digit number
140 || 23 || sip: Empty Content type
140 || 24 || sip: SIP version other than 2.0, 1.0, and 1.1 are invalid
140 || 25 || sip: Mismatch in Method of request and the CSEQ header
140 || 26 || sip: The method is unknown
140 || 27 || sip: Maximum dialogs in a session reached
141 || 1 || imap: Unknown IMAP4 command
141 || 2 || imap: Unknown IMAP4 response
141 || 3 || imap: No memory available for decoding. Memcap exceeded.
141 || 4 || imap: Base64 Decoding failed
141 || 5 || imap: Quoted-Printable Decoding failed
141 || 6 || imap: Non-Encoded MIME attachment Extraction failed
141 || 7 || imap: Unix-to-Unix Decoding failed
142 || 1 || pop: Unknown POP3 command
142 || 2 || pop: Unknown POP3 response
142 || 3 || pop: No memory available for decoding. Memcap exceeded.
142 || 4 || pop: Base64 Decoding failed
142 || 5 || pop: Quoted-Printable Decoding failed
142 || 6 || pop: Non-Encoded MIME attachment Extraction failed
142 || 7 || pop: Unix-to-Unix Decoding failed
143 || 1 || gtp: Message length is invalid
143 || 2 || gtp: Information element length is invalid
143 || 3 || gtp: Information elements are out of order
144 || 1 || modbus: Length in Modbus MBAP header does not match the length needed for the given Modbus function.
144 || 2 || modbus: Modbus protocol ID is non-zero.
144 || 3 || modbus: Reserved Modbus function code in use.
145 || 1 || dnp3: DNP3 Link-Layer Frame contains bad CRC.
145 || 2 || dnp3: DNP3 Link-Layer Frame was dropped.
145 || 3 || dnp3: DNP3 Transport-Layer Segment was dropped during reassembly.
145 || 4 || dnp3: DNP3 Reassembly Buffer was cleared without reassembling a complete message.
145 || 5 || dnp3: DNP3 Link-Layer Frame uses a reserved address.
145 || 6 || dnp3: DNP3 Application-Layer Fragment uses a reserved function code.
|