/etc/snort/rules/community-web-misc.rules is in snort-rules-default 2.9.6.0-0ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 | # Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# These rules are licensed under the GNU General Public License.
# Please see the file LICENSE in this directory for more details.
# $Id: community-web-misc.rules,v 1.45 2007/04/20 13:28:50 akirk Exp $
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Test Script Access"; flow:to_server,established; uricontent:"/test"; nocase; pcre:"/test\.(pl|php|cgi|asp|jsp)/Ui"; classtype:web-application-activity; sid:100000121; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "COMMUNITY WEB-MISC mod_jrun overflow attempt"; flow:to_server,established; content:"|3A|"; pcre:"/^.*\x3a[^\n]{1000}/sm"; reference:bugtraq,11245; reference:cve,2004-0646; classtype:web-application-attack; sid:100000122; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Cisco IOS HTTP Router Management Service Infinite Loop DoS"; flow:to_server,established; uricontent:"?/ "; reference:bugtraq,10014; reference:url,www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml; classtype:successful-dos; sid:100000129; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS"; flow:to_server,established; uricontent:"/Filelist.html"; nocase; reference:bugtraq,12778; classtype:attempted-dos; sid:100000130; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS - Floppy Access"; flow:to_server,established; uricontent:"/A|3A|"; nocase; pcre:"/A\x3A[^\r\n]?\.[^\r\n]?[\r\n]/Ui"; reference:bugtraq,12778; classtype:attempted-dos; sid:100000131; rev:1;)
# Following rule submitted by Alexandru Ionica <gremlin@networked.ro>, and revised by Jason Haar <Jason.Haar@trimble.co.nz>
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY WEB-MISC Proxy Server Access"; flow:established,from_server; content:"Proxy-Connection"; nocase; content:"Via"; nocase; content:"HTTP"; nocase; content: !"ERR_ACCESS_DENIED"; nocase; classtype:misc-activity; sid:100000132; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-DoS Xeneo Server Question Mark GET Request"; flow:to_server,established; pcre:"/GET \/\?{250,}/i"; reference:bugtraq,7398; reference:url,www.northernsolutions.com/support/index.php?view=support&cmd=releasenotes&productid=1; classtype:attempted-dos; sid:100000133; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"COMMUNITY WEB-MISC MaxDB Web Tool Remote Stack Overflow"; flow:to_server,established; content:"GET"; nocase; depth:3; content:"/%"; distance:0; pcre:"/^GET\s+\/\%[^\r\n]{215,}/smi"; reference:cve,2005-0684; reference:url,www.idefense.com/application/poi/display?id=234&type=vulnerabilities; classtype:attempted-admin; sid:100000140; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jsp directory traversal attempt"; flow:to_server,established; content:".jsp"; pcre:"/.jsp\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000141; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jpg directory traversal attempt"; flow:to_server,established; content:".jpg"; pcre:"/.jpg\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000142; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .gif directory traversal attempt"; flow:to_server,established; content:".gif"; pcre:"/.gif\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000143; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .wav directory traversal attempt"; flow:to_server,established; content:".wav"; pcre:"/.wav\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252;classtype:attempted-recon; sid:100000144; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .css directory traversal attempt"; flow:to_server,established; content:".css"; pcre:"/.css\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000145; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .htm directory traversal attempt"; flow:to_server,established; content:".htm"; pcre:"/.htm\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000146; rev:1;)
#Rules submitted by rmkml
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8000 (msg:"COMMUNITY WEB-MISC Barracuda img.pl attempt"; flow:to_server,established; uricontent:"/cgi-bin/img.pl?f=.."; reference:bugtraq,14712; reference:bugtraq,14710; reference:cve,2005-2848; classtype:web-application-attack; sid:100000148; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"COMMUNITY WEB-MISC Jboss % attempt"; flow:to_server,established; content:"GET %"; reference:bugtraq,13985; reference:cve,2005-2006; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17403; classtype:attempted-recon; sid:100000149; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC HTTP Transfer-Content Request Smuggling attempt"; flow:to_server,established; content:"Transfer-Encoding|3A|"; content:"chunked"; content:"Content-Length|3A|"; nocase; reference:bugtraq,13873; reference:bugtraq,14106; reference:cve,2005-2088; reference:cve,2005-2089; reference:cve,2005-2090; reference:cve,2005-2091; reference:cve,2005-2092; reference:cve,2005-2093; reference:cve,2005-2094; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17738; reference:nessus,18337; classtype:attempted-admin; sid:100000150; rev:1;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Linksys apply.cgi overflow attempt"; flow:to_server,established; uricontent:"/apply.cgi"; content:"Content-Length|3A|"; pcre:"/Content-Length\x3A\s*[^\r\n]{1000,}/smi"; reference:bugtraq,14822; reference:cve,2005-2799; reference:nessus,20096; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19389; classtype:web-application-attack; sid:100000177; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Hasbani-WindWeb GET DoS attempt"; flow:to_server,established; uricontent:"..\:..\:..\:.."; reference:bugtraq,15225; reference:nessus,20097; classtype:attempted-dos; sid:100000178; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 898 (msg:"COMMUNITY WEB-MISC SMC TRACE access"; flow:to_server,established; content:"TRACE"; depth:5; reference:url,www.kb.cert.org/vuls/id/867593; classtype:attempted-recon; sid:100000179; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"COMMUNITY WEB-MISC JBoss JMXInvokerServlet access"; flow:to_server,established; uricontent:"/invoker/JMXInvokerServlet"; reference:url,online.securityfocus.com/archive/1/415707; classtype:misc-activity; sid:100000184; rev:1;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"COMMUNITY WEB-MISC apache directory list attempt"; flow:to_client,established; content:"HTTP/1.1 200 OK"; depth:15; content:"Index of /"; nocase; within:200; reference:bugtraq,3009; reference:cve,2001-0731; classtype:web-application-activity; sid:100000185; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 41080 (msg:"COMMUNITY WEB-MISC Symantec Brightmail Antispam default login attempt"; flow:to_server,established; uricontent:"/brightmail/viewLogin.do"; nocase; uricontent:"user|3D|admin"; nocase; uricontent:"pass|3D|symantec"; nocase; reference:nessus,19598; reference:url,securityresponse.symantec.com/avcenter/security/Content/2005.05.31a.html; classtype:web-application-attack; sid:100000200; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC FtpLocate flsearch.pl possible command execution attempt"; flow:to_server,established; uricontent:"/flsearch.pl"; nocase; uricontent:"cmd|3D|exec_flsearch"; nocase; reference:bugtraq,14367; reference:cve,2005-2420; reference:nessus,19300; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=18305; classtype:web-application-attack; sid:100000209; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC generic cmd pipe after = attempt"; flow:to_server,established; uricontent:"|3D 7C|"; nocase; classtype:web-application-attack; sid:100000210; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Trend Micro ServerProtect isaNVWRequest.dll access"; flow:to_server,established; content:"POST"; nocase; depth:4; uricontent:"/ControlManager/cgi-bin/VA/isaNVWRequest.dll"; nocase; reference:cve,2005-1929; reference:url,www.idefense.com/application/poi/display?id=353&type=vulnerabilities; classtype:web-application-attack; sid:100000216; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC man2web cmd exec attempt"; flow:to_server,established; uricontent:"/man2web"; nocase; uricontent:"|2D|P"; reference:cve,2005-2812; reference:bugtraq,14747; reference:nessus,19591; classtype:web-application-attack; sid:100000217; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ASPSurvey Login_Validate.asp Password param access"; flow:to_server,established; uricontent:"/Login_Validate.asp"; nocase; uricontent:"Password|3D|"; nocase; reference:cve,2006-0192; classtype:web-application-activity; sid:100000225; rev:1;)
#Rule to detect use of Google's translation feature to bypass content monitor submitted by David Bianco
alert tcp any any -> any $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Proxy Bypass Via Google Translation Same To And From Language"; flow:established, to_server; uricontent:"/translate?"; pcre:"/translate\?.*langpair=([a-zA-Z]+)(%7C|\|)\1\&/Ui"; classtype: policy-violation; reference:url,www.boingboing.net/2006/02/22/argonne_national_lab.html; sid:100000237; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DeviceSelection.asp sRedirectUrl parameter access"; flow:to_server,established; uricontent:"DeviceSelection.asp"; nocase; uricontent:"sRedirectUrl="; nocase; pcre:"/sRedirectUrl=(https?|ftp)/Ui"; reference:bugtraq,17964; classtype:web-application-attack; sid:100000302; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DeviceSelection.asp sCancelURL parameter access"; flow:to_server,established; uricontent:"DeviceSelection.asp"; nocase; uricontent:"sCancelURL="; nocase; pcre:"/sCancelURL=(https?|ftp)/Ui"; reference:bugtraq,17964; classtype:web-application-attack; sid:100000303; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21700 (msg:"COMMUNITY WEB-MISC 3Com Network Supervisor directory traversal"; flow:to_server,established; content:"GET"; nocase; pcre:"/GET[^\r\n]*?\x2e\x2e(\x2f|\x5c)[^\r\n]*?HTTP[^\r\n]*?\r\n/msi"; reference:bugtraq,14715; reference:cve,2005-2020; classtype:web-application-attack; sid:100000313; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MediaWiki parser script insertion attempt"; flow:to_server,established; content:"POST"; nocase; content:"|7B 7B 7B|"; pcre:"/\x7B\x7B\x7B[^\r\n]*\x3C[^\r\n]*\x7C[^\r\n]*\x3E[^\r\n]*\x7D\x7D\x7D/"; reference:cve,2006-2611; classtype:attempted-user; sid:100000314; rev:1;)
#Rules for detecting HTTP PUT requests, successful or not, submitted by David Bianco; enable only after reading the rule documentation for these two SIDs
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC HTTP PUT Request"; flow:to_server,established; content:"PUT "; depth:4; flowbits:set,http.put; flowbits:noalert; classtype:misc-activity; reference:url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html; sid:100000315; rev:1;)
#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"COMMUNITY WEB-MISC HTTP PUT Request Successful"; flow:from_server,established; flowbits:isset,http.put; content:"HTTP/"; nocase; depth:5; content:"200"; within:7; classtype:web-application-attack; reference:url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html; sid:100000316; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBazar classified_right.php remote file include"; flow:to_server,established; uricontent:"/classified_right.php"; nocase; uricontent:"language_dir="; nocase; pcre:"/language_dir=(https?|ftp)/Ui"; reference:bugtraq,18052; classtype:web-application-attack; sid:100000317; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBazar admin.php unauthorized administrative access"; flow:to_server,established; uricontent:"/admin/admin.php"; nocase; uricontent:"action=edit_member&value=1"; nocase; reference:bugtraq,18053; reference:cve,2006-2527; classtype:web-application-attack; sid:100000318; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ActualScripts direct.php remote file include"; flow:to_server,established; uricontent:"/direct.php"; nocase; uricontent:"rf="; nocase; pcre:"/rf=(https?|ftp)/Ui"; reference:bugtraq,17597; classtype:web-application-attack; sid:100000319; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews functions.php remote file include"; flow:to_server,established; uricontent:"/functions.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000320; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews help.php remote file include"; flow:to_server,established; uricontent:"/help.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000321; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews mail.php remote file include"; flow:to_server,established; uricontent:"/mail.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000322; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews news.php remote file include"; flow:to_server,established; uricontent:"/news.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000323; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews template.php remote file include"; flow:to_server,established; uricontent:"/template.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000324; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_cats.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_cats.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000325; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_edit.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_edit.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000326; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_import.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_import.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000327; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_templates.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_templates.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000328; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Invision Power Board class_post.php remote file include"; flow:to_server,established; uricontent:"/classes/post/class_post.php"; nocase; uricontent:"post_icon="; nocase; pcre:"/post_icon=(https?|ftp)/Ui"; reference:bugtraq,18040; classtype:web-application-attack; sid:100000329; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Invision Power Board moderate.php remote file include"; flow:to_server,established; uricontent:"/action_public/moderate.php"; nocase; uricontent:"df="; nocase; pcre:"/df=(https?|ftp)/Ui"; reference:bugtraq,18040; classtype:web-application-attack; sid:100000330; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ZixForum settings.asp access"; flow:to_server,established; uricontent:"/settings.asp"; nocase; uricontent:"layid="; nocase; reference:bugtraq,18043; classtype:web-application-attack; sid:100000331; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Artmedic Newsletter log.php access"; flow:to_server,established; uricontent:"/log.php"; nocase; uricontent:"email="; nocase; reference:bugtraq,18047; classtype:web-application-attack; sid:100000332; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Artmedic Newsletter log.php access"; flow:to_server,established; uricontent:"/log.php"; nocase; uricontent:"logfile="; nocase; reference:bugtraq,18047; classtype:web-application-attack; sid:100000333; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CaLogic Calendars reconfig.php remote file include"; flow:to_server,established; uricontent:"/reconfig.php"; nocase; uricontent:"CLPath="; nocase; pcre:"/CLPath=(https?|ftp)/Ui"; reference:bugtraq,18076; classtype:web-application-attack; sid:100000334; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CaLogic Calendars srxclr.php remote file include"; flow:to_server,established; uricontent:"/srxclr.php"; nocase; uricontent:"CLPath="; nocase; pcre:"/CLPath=(https?|ftp)/Ui"; reference:bugtraq,18076; classtype:web-application-attack; sid:100000335; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpMyDirectory footer.php remote file include"; flow:to_server,established; uricontent:"/footer.php"; nocase; uricontent:"ROOT_PATH="; nocase; pcre:"/ROOT_PATH=(https?|ftp)/Ui"; reference:cve,2006-2521; classtype:web-application-attack; sid:100000336; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpMyDirectory defaults_setup.php remote file include"; flow:to_server,established; uricontent:"/defaults_setup.php"; nocase; uricontent:"ROOT_PATH="; nocase; pcre:"/ROOT_PATH=(https?|ftp)/Ui"; reference:cve,2006-2521; classtype:web-application-attack; sid:100000337; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpMyDirectory header.php remote file include"; flow:to_server,established; uricontent:"/header.php"; nocase; uricontent:"ROOT_PATH="; nocase; pcre:"/ROOT_PATH=(https?|ftp)/Ui"; reference:cve,2006-2521; classtype:web-application-attack; sid:100000338; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC V-Webmail core.php remote file include"; flow:to_server,established; uricontent:"/includes/mailaccess/pop3/core.php"; nocase; uricontent:"CONFIG[pear_dir]="; nocase; pcre:"/CONFIG[pear_dir]=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20297/; classtype:web-application-attack; sid:100000339; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC V-Webmail pop3.php remote file include"; flow:to_server,established; uricontent:"/includes/mailaccess/pop3.php"; nocase; uricontent:"CONFIG[pear_dir]="; nocase; pcre:"/CONFIG[pear_dir]=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20297/; classtype:web-application-attack; sid:100000340; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DoceboLMS help.php remote file include"; flow:to_server,established; uricontent:"/modules/credits/help.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18110; classtype:web-application-attack; sid:100000341; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DoceboLMS business.php remote file include"; flow:to_server,established; uricontent:"/modules/credits/business.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18110; classtype:web-application-attack; sid:100000342; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DoceboLMS credits.php remote file include"; flow:to_server,established; uricontent:"/modules/credits/credits.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18110; classtype:web-application-attack; sid:100000343; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC SocketMail index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"site_path="; nocase; pcre:"/site_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20273/; classtype:web-application-attack; sid:100000344; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC SocketMail inc-common.php remote file include"; flow:to_server,established; uricontent:"/inc-common.php"; nocase; uricontent:"site_path="; nocase; pcre:"/site_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20273/; classtype:web-application-attack; sid:100000345; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Plume CMS prepend.php remote file include"; flow:to_server,established; uricontent:"/manager/frontinc/prepend.php"; nocase; uricontent:"_PX_config[manager_path]="; nocase; pcre:"/_PX_config[manager_path]=(https?|ftp)/Ui"; reference:bugtraq,16662; classtype:web-application-attack; sid:100000346; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ezupload Pro form.php remote file include"; flow:to_server,established; uricontent:"/form.php"; nocase; uricontent:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; reference:bugtraq,18135; classtype:web-application-attack; sid:100000347; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ezupload Pro customize.php remote file include"; flow:to_server,established; uricontent:"/customize.php"; nocase; uricontent:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; reference:bugtraq,18135; classtype:web-application-attack; sid:100000348; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ezupload Pro initialize.php remote file include"; flow:to_server,established; uricontent:"/initialize.php"; nocase; uricontent:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; reference:bugtraq,18135; classtype:web-application-attack; sid:100000349; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC UBBThreads ubbt.inc.php remote file include"; flow:to_server,established; uricontent:"/ubbt.inc.php"; nocase; uricontent:"GLOBALS[thispath]="; nocase; pcre:"/GLOBALS[thispath]=(https?|ftp)/Ui"; reference:url,www.nukedx.com/?viewdoc=40; classtype:web-application-attack; sid:100000350; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC UBBThreads config[cookieprefix] remote file include"; flow:to_server,established; uricontent:"/includepollresults.php?config[cookieprefix]"; nocase; uricontent:"w3t_language="; nocase; pcre:"/w3t_language=(https?|ftp)/Ui"; reference:url,www.nukedx.com/?viewdoc=40; classtype:web-application-attack; sid:100000351; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Blend Portal blend_common.php remote file include"; flow:to_server,established; uricontent:"/blend_data/blend_common.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18153; reference:url,www.nukedx.com/?viewdoc=41; classtype:web-application-attack; sid:100000352; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC tinyBB footers.php remote file include"; flow:to_server,established; uricontent:"/footers.php"; nocase; uricontent:"tinybb_footers="; nocase; pcre:"/tinybb_footers=(https?|ftp)/Ui"; reference:bugtraq,18147; classtype:web-application-attack; sid:100000353; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBB-Amod lang_activity.php remote file include"; flow:to_server,established; uricontent:"/lang_activity.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18155; classtype:web-application-attack; sid:100000354; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC eSyndiCat cron.php remote file include"; flow:to_server,established; uricontent:"/admin/cron.php"; nocase; uricontent:"path_to_config="; nocase; pcre:"/path_to_config=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20218/; classtype:web-application-attack; sid:100000355; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BASE base_qry_common.php remote file include"; flow:to_server,established; uricontent:"/base_qry_common.php"; nocase; uricontent:"BASE_path="; nocase; pcre:"/BASE_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000356; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BASE base_stat_common.php remote file include"; flow:to_server,established; uricontent:"/base_stat_common.php"; nocase; uricontent:"BASE_path="; nocase; pcre:"/BASE_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000357; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BASE base_include.inc.php remote file include"; flow:to_server,established; uricontent:"/base_include.inc.php"; nocase; uricontent:"BASE_path="; nocase; pcre:"/BASE_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000358; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS drucken.php remote file include"; flow:to_server,established; uricontent:"/drucken.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000359; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS drucken2.php remote file include"; flow:to_server,established; uricontent:"/drucken2.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000360; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS email_an_benutzer.php remote file include"; flow:to_server,established; uricontent:"/email_an_benutzer.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000361; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS rechnung.php remote file include"; flow:to_server,established; uricontent:"/rechnung.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000362; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS search.php remote file include"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000363; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS admin.php remote file include"; flow:to_server,established; uricontent:"/admin.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000364; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke index.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/index.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000365; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_ug_auth.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_ug_auth.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000366; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_board.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_board.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000367; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_disallow.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_disallow.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000368; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_forumauth.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_forumauth.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000369; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_groups.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_groups.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000370; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_ranks.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_ranks.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000371; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_styles.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_styles.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000372; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_user_ban.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_user_ban.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000373; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_words.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_words.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000374; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_avatar.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_avatar.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000375; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_db_utilities.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_db_utilities.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000376; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_forum_prune.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_forum_prune.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000377; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_forums.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_forums.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000378; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_mass_email.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_mass_email.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000379; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_smilies.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_smilies.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000380; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_users.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_users.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000382; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC OsTicket open_form.php remote file include"; flow:to_server,established; uricontent:"/open_form.php"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=(https?|ftp)/Ui"; reference:bugtraq,18190; classtype:web-application-attack; sid:100000383; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ottoman index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"default_path="; nocase; pcre:"/default_path=(https?|ftp)/Ui"; reference:bugtraq,18208; classtype:web-application-attack; sid:100000384; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ottoman error.php remote file include"; flow:to_server,established; uricontent:"/error.php"; nocase; uricontent:"default_path="; nocase; pcre:"/default_path=(https?|ftp)/Ui"; reference:bugtraq,18208; classtype:web-application-attack; sid:100000385; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ottoman main_class.php remote file include"; flow:to_server,established; uricontent:"/classes/main_class.php"; nocase; uricontent:"default_path="; nocase; pcre:"/default_path=(https?|ftp)/Ui"; reference:bugtraq,18208; classtype:web-application-attack; sid:100000386; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia index.php remote file include"; flow:to_server,established; uricontent:"/orid/index.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000387; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia topman.php remote file include"; flow:to_server,established; uricontent:"/orid/topman.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000388; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia approb.php remote file include"; flow:to_server,established; uricontent:"/orid/approb.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000389; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia vacadmb.php remote file include"; flow:to_server,established; uricontent:"/orid/vacadmb.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000390; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia vacadma.php remote file include"; flow:to_server,established; uricontent:"/orid/vacadma.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000391; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia vacadm.php remote file include"; flow:to_server,established; uricontent:"/orid/vacadm.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000392; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia start.php remote file include"; flow:to_server,established; uricontent:"/orid/start.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000393; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia search.php remote file include"; flow:to_server,established; uricontent:"/orid/search.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000394; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia posts.php remote file include"; flow:to_server,established; uricontent:"/orid/posts.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000395; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia options.php remote file include"; flow:to_server,established; uricontent:"/orid/options.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000396; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia login.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/login.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000397; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia frchart.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/frchart.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000398; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia flbchart.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/flbchart.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000399; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia fileman.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/fileman.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000400; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia faq.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/faq.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000401; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia event.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/event.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000402; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia directory.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/directory.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000403; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia articles.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/articles.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000404; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia artedit.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/artedit.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000405; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia approb.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/approb.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000406; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia calday.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/calday.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000407; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC AssoCIateD cache_mngt.php remote file include"; flow:to_server,established; uricontent:"/cache_mngt.php"; nocase; uricontent:"root_path="; nocase; pcre:"/root_path=(https?|ftp)/Ui"; reference:bugtraq,18220; classtype:web-application-attack; sid:100000408; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC AssoCIateD gallery_functions.php remote file include"; flow:to_server,established; uricontent:"/gallery_functions.php"; nocase; uricontent:"root_path="; nocase; pcre:"/root_path=(https?|ftp)/Ui"; reference:bugtraq,18220; classtype:web-application-attack; sid:100000409; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/image_resize/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000410; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/simple_user/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000411; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/stats/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000412; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/import_export/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000413; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO community.inc.php remote file include"; flow:to_server,established; uricontent:"/include/pages/community.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000414; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Bytehoard server.php remote file include"; flow:to_server,established; uricontent:"/includes/webdav/server.php"; nocase; uricontent:"bhconfig[bhfilepath]="; nocase; pcre:"/bhconfig[bhfilepath]=(https?|ftp)/Ui"; reference:bugtraq,18234; classtype:web-application-attack; sid:100000415; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MyBloggie admin.php remote file include"; flow:to_server,established; uricontent:"/admin.php"; nocase; uricontent:"mybloggie_root_path="; nocase; pcre:"/mybloggie_root_path=(https?|ftp)/Ui"; reference:bugtraq,18241; classtype:web-application-attack; sid:100000416; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MyBloggie scode.php remote file include"; flow:to_server,established; uricontent:"/scode.php"; nocase; uricontent:"mybloggie_root_path="; nocase; pcre:"/mybloggie_root_path=(https?|ftp)/Ui"; reference:bugtraq,18241; classtype:web-application-attack; sid:100000417; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ashwebstudio Ashnews ashheadlines.php remote file include"; flow:to_server,established; uricontent:"/ashheadlines.php"; nocase; uricontent:"pathtoashnews="; nocase; pcre:"/pathtoashnews=(https?|ftp)/Ui"; reference:bugtraq,18248; classtype:web-application-attack; sid:100000418; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ashwebstudio Ashnews ashnews.php remote file include"; flow:to_server,established; uricontent:"/ashnews.php"; nocase; uricontent:"pathtoashnews="; nocase; pcre:"/pathtoashnews=(https?|ftp)/Ui"; reference:bugtraq,18248; classtype:web-application-attack; sid:100000419; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Informium common-menu.php remote file include"; flow:to_server,established; uricontent:"/admin/common-menu.php"; nocase; uricontent:"CONF[local_path]="; nocase; pcre:"/CONF[local_path]=(https?|ftp)/Ui"; reference:bugtraq,18249; classtype:web-application-attack; sid:100000420; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Igloo wiki.php remote file include"; flow:to_server,established; uricontent:"/wiki.php"; nocase; uricontent:"c_node[class_path]="; nocase; pcre:"/c_node[class_path]=(https?|ftp)/Ui"; reference:bugtraq,18250; classtype:web-application-attack; sid:100000421; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBB template.php remote file include"; flow:to_server,established; uricontent:"/template.php"; nocase; uricontent:"page="; nocase; pcre:"/page=(https?|ftp)/Ui"; reference:bugtraq,18255; classtype:web-application-attack; sid:100000422; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotWidget CMS index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"file_path="; nocase; pcre:"/file_path=(https?|ftp)/Ui"; reference:bugtraq,18258; classtype:web-application-attack; sid:100000423; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotWidget CMS feedback.php remote file include"; flow:to_server,established; uricontent:"/feedback.php"; nocase; uricontent:"file_path="; nocase; pcre:"/file_path=(https?|ftp)/Ui"; reference:bugtraq,18258; classtype:web-application-attack; sid:100000424; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotWidget CMS printfriendly.php remote file include"; flow:to_server,established; uricontent:"/printfriendly.php"; nocase; uricontent:"file_path="; nocase; pcre:"/file_path=(https?|ftp)/Ui"; reference:bugtraq,18258; classtype:web-application-attack; sid:100000425; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotClear prepend.php remote file include"; flow:to_server,established; uricontent:"/prepend.php"; nocase; uricontent:"blog_dc_path="; nocase; pcre:"/blog_dc_path=(https?|ftp)/Ui"; reference:bugtraq,18259; classtype:web-application-attack; sid:100000426; rev:2;)
# JBoss Rules from Jon Hart <jhart@spoofed.org>
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC JBoss jmx-console html adaptor access"; flow:to_server,established; uricontent:"/jmx-console/HtmlAdaptor"; reference:url,jboss.org/wiki/Wiki.jsp?page=JMXConsole; classtype:misc-activity; sid:100000427; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"COMMUNITY WEB-MISC JBoss RMI class download service directory listing attempt"; flow:to_server,established; content:"GET %. HTTP/1."; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2; classtype:web-application-attack; sid:100000428; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC JBoss web-console access"; flow:to_server,established; uricontent:"/web-console"; reference:url,www.jboss.org/wiki/Wiki.jsp?page=WebConsole; classtype:misc-activity; sid:100000429; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_Faq.class.php remote file include"; flow:to_server,established; uricontent:"/applications/faq/Bs_Faq.class.php"; nocase; uricontent:"APP[path][applications]="; nocase; pcre:"/APP\[path\]\[applications\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000430; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes fileBrowserInner.php remote file include"; flow:to_server,established; uricontent:"/applications/filebrowser/fileBrowserInner.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000431; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes file.php remote file include"; flow:to_server,established; uricontent:"/applications/filemanager/file.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000432; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes viewer.php remote file include"; flow:to_server,established; uricontent:"/applications/filemanager/viewer.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000433; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_ImageArchive.class.php remote file include"; flow:to_server,established; uricontent:"/applications/imagearchive/Bs_ImageArchive.class.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000434; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_Ml_User.class.php remote file include"; flow:to_server,established; uricontent:"/applications/mailinglist/Bs_Ml_User.class.php"; nocase; uricontent:"GLOBALS[APP][path][core]="; nocase; pcre:"/GLOBALS\[APP\]\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000435; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_Wse_Profile.class.php remote file include"; flow:to_server,established; uricontent:"/applications/websearchengine/Bs_Wse_Profile.class.php"; nocase; uricontent:"APP[path][plugins]="; nocase; pcre:"/APP\[path\]\[plugins\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000436; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CS-Cart class.cs_phpmailer.php remote file include"; flow:to_server,established; uricontent:"/class.cs_phpmailer.php"; nocase; uricontent:"classes_dir="; nocase; pcre:"/classes_dir=(https?|ftp)/Ui"; reference:bugtraq,18263; classtype:web-application-attack; sid:100000437; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Claroline mambo.inc.php remote file include"; flow:to_server,established; uricontent:"/auth/extauth/drivers/mambo.inc.php"; nocase; uricontent:"includepath="; nocase; pcre:"/includepath=(https?|ftp)/Ui"; reference:bugtraq,18265; classtype:web-application-attack; sid:100000438; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Claroline postnuke.inc.php remote file include"; flow:to_server,established; uricontent:"/auth/extauth/drivers/postnuke.inc.php"; nocase; uricontent:"includepath="; nocase; pcre:"/includepath=(https?|ftp)/Ui"; reference:bugtraq,18265; classtype:web-application-attack; sid:100000439; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CyBoards common.php remote file include"; flow:to_server,established; uricontent:"/include/common.php"; nocase; uricontent:"script_path="; nocase; pcre:"/script_path=(https?|ftp)/Ui"; reference:bugtraq,18272; classtype:web-application-attack; sid:100000440; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Wikiwig wk_lang.php remote file include"; flow:to_server,established; uricontent:"/wk_lang.php"; nocase; uricontent:"WK[wkpath]="; nocase; pcre:"/WK\[wkpath\]=(https?|ftp)/Ui"; reference:bugtraq,18291; classtype:web-application-attack; sid:100000441; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MiraksGalerie pcltar.lib.php remote file include"; flow:to_server,established; uricontent:"/pcltar.lib.php"; nocase; uricontent:"g_pcltar_lib_dir="; nocase; pcre:"/g_pcltar_lib_dir=(https?|ftp)/Ui"; reference:bugtraq,18313; classtype:web-application-attack; sid:100000442; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MiraksGalerie galimage.lib.php remote file include"; flow:to_server,established; uricontent:"/galimage.lib.php"; nocase; uricontent:"listconfigfile[0]="; nocase; pcre:"/listconfigfile\[0\]=(https?|ftp)/Ui"; reference:bugtraq,18313; classtype:web-application-attack; sid:100000443; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MiraksGalerie galsecurity.lib.php remote file include"; flow:to_server,established; uricontent:"/galsecurity.lib.php"; nocase; uricontent:"listconfigfile[0]="; nocase; pcre:"/listconfigfile\[0\]=(https?|ftp)/Ui"; reference:bugtraq,18313; classtype:web-application-attack; sid:100000444; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC OfficeFlow default.asp xss attempt"; flow:to_server,established; uricontent:"/default.asp"; nocase; uricontent:"sqlType="; nocase; pcre:"/sqlType(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18367; classtype:web-application-attack; sid:100000448; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC OfficeFlow files.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"/files.asp"; nocase; uricontent:"Project="; nocase; pcre:"/Project(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18367; classtype:web-application-attack; sid:100000449; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VanillaSoft Helpdesk default.asp xss attempt"; flow:to_server,established; uricontent:"/default.asp"; nocase; uricontent:"username="; nocase; pcre:"/username(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18368; classtype:web-application-attack; sid:100000450; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt"; flow:to_server,established; uricontent:"/album.asp"; nocase; uricontent:"cat="; nocase; pcre:"/cat(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000451; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt"; flow:to_server,established; uricontent:"/album.asp"; nocase; uricontent:"albumid="; nocase; pcre:"/albumid(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000452; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt"; flow:to_server,established; uricontent:"/edtalbum.asp"; nocase; uricontent:"apage="; nocase; pcre:"/apage(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000453; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt"; flow:to_server,established; uricontent:"/edtalbum.asp"; nocase; uricontent:"New Category="; nocase; pcre:"/New Category(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000454; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Axent Forum viewposts.cfm xss attempt"; flow:to_server,established; uricontent:"/viewposts.cfm"; nocase; uricontent:"startrow="; nocase; pcre:"/startrow(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18473; classtype:web-application-attack; sid:100000455; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC SSPwiz index.cfm xss attempt"; flow:to_server,established; uricontent:"/index.cfm"; nocase; uricontent:"message="; nocase; pcre:"/message(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18482; classtype:web-application-attack; sid:100000456; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ASP Stats pages.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"/pages.asp"; nocase; uricontent:"order="; nocase; pcre:"/order(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18512; classtype:web-application-attack; sid:100000457; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DPVision Tradingeye Shop details.cfm xss attempt"; flow:to_server,established; uricontent:"/details.cfm"; nocase; uricontent:"image="; nocase; pcre:"/image(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18526; classtype:web-application-attack; sid:100000458; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC WeBBoA yeni_host.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"host/yeni_host.asp"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18564; classtype:web-application-attack; sid:100000459; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC AZureus index.tmpl xss attempt"; flow:to_server,established; uricontent:"/index.tmpl"; nocase; uricontent:"search="; nocase; pcre:"/search(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18596; classtype:web-application-attack; sid:100000460; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt"; flow:to_server,established; uricontent:"/openwebmail-read.pl"; nocase; uricontent:"To="; nocase; pcre:"/To(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18598; classtype:web-application-attack; sid:100000461; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt"; flow:to_server,established; uricontent:"/openwebmail-read.pl"; nocase; uricontent:"From="; nocase; pcre:"/From(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18598; classtype:web-application-attack; sid:100000462; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO gbrowse.php SQL injection attempt"; flow:to_server,established; uricontent:"/gbrowse.php"; nocase; uricontent:"cat_id="; nocase; pcre:"/cat_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000694; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO rating.php SQL injection attempt"; flow:to_server,established; uricontent:"/rating.php"; nocase; uricontent:"card_id="; nocase; pcre:"/card_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000695; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO create.php SQL injection attempt"; flow:to_server,established; uricontent:"/create.php"; nocase; uricontent:"card_id="; nocase; pcre:"/card_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000696; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO search.php SQL injection attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"event_id="; nocase; pcre:"/event_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000697; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BXCP index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"where="; nocase; pcre:"/where(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18765; classtype:web-application-attack; sid:100000698; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Vincent Leclercq News diver.php xss attempt"; flow:to_server,established; uricontent:"/divers.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18775; classtype:web-application-attack; sid:100000699; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Vincent Leclercq News diver.php xss attempt"; flow:to_server,established; uricontent:"/divers.php"; nocase; uricontent:"disable="; nocase; pcre:"/disable(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18775; classtype:web-application-attack; sid:100000700; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC WordPress index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"paged="; nocase; pcre:"/paged(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18779; classtype:web-application-attack; sid:100000701; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Webvizyon SayfalaAltList.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"/SayfalaAltList.asp"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18899; classtype:web-application-attack; sid:100000702; rev:1;)
# Rules submitted by rmkml
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 10000 (msg:"COMMUNITY WEB-MISC Webmin null char attempt"; flow:to_server,established; uricontent:"miniserv.pl"; nocase; uricontent:"|00|"; reference:bugtraq,19820; reference:nessus,22300; classtype:web-application-attack; sid:100000890; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 20000 (msg:"COMMUNITY WEB-MISC Usermin null char attempt"; flow:to_server,established; uricontent:"miniserv.pl"; nocase; uricontent:"|00|"; reference:bugtraq,19820; reference:nessus,22300; classtype:web-application-attack; sid:100000891; rev:1;)
# Rule submitted by Avinash Shenoi (Cenzic Inc. CIA Research Team)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog blog-category-description xss attempt"; flow:to_server; content:"blog-category-description"; nocase; pcre:"/blog-category-description(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000895; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog blog-entry-title xss attempt"; flow:to_server; content:"blog-entry-title"; nocase; pcre:"/blog-entry-title(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000896; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog rss-enclosure-url xss attempt"; flow:to_server; content:"rss-enclosure-url"; nocase; pcre:"/rss-enclosure-url(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000897; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog technorati-tags xss attempt"; flow:to_server; content:"technorati-tags"; nocase; pcre:"/technorati-tags(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000898; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog blog-category-name xss attempt"; flow:to_server; content:"blog-category-name"; nocase; pcre:"/blog-category-name(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000899; rev:1;)
|