emerging-exploit.rules

# Emerging Threats 
#
# This distribution may contain rules under two different licenses. 
#
#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
#  as follows:
#
#*************************************************************
#  Copyright (c) 2003-2019, Emerging Threats
#  All rights reserved.
#  
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
#  following conditions are met:
#  
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
#    from this software without specific prior written permission.
#  
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************
#
#
#
#

# This Ruleset is EmergingThreats Open optimized for suricata-4.0-enhanced.

#alert tcp $EXTERNAL_NET any -> $HOME_NET 2200 (msg:"ET EXPLOIT CA BrightStor ARCserve Mobile Backup LGSERVER.EXE Heap Corruption"; flow:established,to_server; content:"|4e 3d 2c 1b|"; depth:4; isdataat:2891,relative; reference:cve,2007-0449; reference:url,doc.emergingthreats.net/bin/view/Main/2003369; classtype:attempted-admin; sid:2003369; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"ET EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 00 00 03|"; distance:8; within:4; content:"|00 00 00 08|"; distance:0; within:4; content:"|00 00 00 00|"; distance:0; within:4; content:"|00 00 00 00|"; distance:4; within:4; content:"|00 00 00 00 00 00 00 00|"; distance:8; within:32; reference:url,www.milw0rm.com/exploits/3248; reference:url,doc.emergingthreats.net/bin/view/Main/2003370; classtype:attempted-dos; sid:2003370; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET EXPLOIT Computer Associates Mobile Backup Service LGSERVER.EXE Stack Overflow"; flow:established,to_server; content:"0000033000"; depth:10; isdataat:1000,relative; reference:url,www.milw0rm.com/exploits/3244; reference:url,doc.emergingthreats.net/bin/view/Main/2003378; classtype:attempted-admin; sid:2003378; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target Linux)"; flow: to_server,established; dsize: >512; content:"|45 6e 74 72 79 20 43 43 43 43 43 43 43 43 43 2f 43 43|"; offset: 0; depth: 20; threshold: type limit, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2000048; classtype:attempted-admin; sid:2000048; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target BSD)"; flow: to_server,established; dsize: >512; content:"|45 6e 74 72 79 20 61 61 61 61 61 61 61 61 61 61 61 61|"; offset: 0; depth: 18; threshold: type limit, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2000031; classtype:attempted-admin; sid:2000031; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target Solaris)"; flow: to_server,established; dsize: >512; content:"|41 72 67 75 6d 65 6e 74 20 62 62 62 62 62 62 62 62 62|"; offset: 0; depth: 18; threshold: type limit, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2000049; classtype:attempted-admin; sid:2000049; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET EXPLOIT Catalyst SSH protocol mismatch"; flow: to_server,established; content:"|61 25 61 25 61 25 61 25 61 25 61 25 61 25|"; reference:url,www.cisco.com/warp/public/707/catalyst-ssh-protocolmismatch-pub.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000007; classtype:attempted-dos; sid:2000007; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Cisco Telnet Buffer Overflow"; flow: to_server,established; content:"|3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 61 7e 20 25 25 25 25 25 58 58|"; threshold: type limit, track by_src, count 1, seconds 120; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000005; classtype:attempted-dos; sid:2000005; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET EXPLOIT UPnP DLink M-Search Overflow Attempt"; content:"M-SEARCH "; depth:9; nocase; isdataat:500,relative; pcre:"/M-SEARCH\s+[^\n]{500}/i"; reference:url,www.eeye.com/html/research/advisories/AD20060714.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003039; classtype:attempted-user; sid:2003039; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 427 (msg:"ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - udp"; content:"language"; content:"|65 7a 69 70 3a 2f 2f 62 6c 61 2f 62 6c 61 3f 53 4e 3d 62 6c 61 3f 50 4e 3d 62 6c 61 3f 55 4e 3d 62 6c 61|"; reference:bugtraq,27718; reference:url,aluigi.altervista.org/adv/ezipirla-adv.txt; reference:cve,CVE-2008-0767; reference:url,doc.emergingthreats.net/bin/view/Main/2007876; classtype:successful-dos; sid:2007876; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-1"; flow:established; content:"cwd"; depth:4; nocase; dsize:>74; pcre:"/(\/\.){70,}/i"; reference:url,milw0rm.com/exploits/6738; reference:cve,CVE-2008-4572; reference:bugtraq,31729; reference:url,doc.emergingthreats.net/bin/view/Main/2008776; classtype:web-application-attack; sid:2008776; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-2"; flow:established; content:"list"; depth:5; nocase; dsize:>74; pcre:"/[\w]{70,}/i"; reference:url,milw0rm.com/exploits/6738; reference:cve,CVE-2008-4572; reference:bugtraq,31729; reference:url,doc.emergingthreats.net/bin/view/Main/2008777; classtype:web-application-attack; sid:2008777; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1530 (msg:"ET EXPLOIT HP Open View Data Protector Buffer Overflow Attempt"; flow:established,to_server; content:"|B6 29 8C 23 FF FF FF|"; pcre:"/\xB6\x29\x8C\x23\xFF\xFF\xFF[\xF8-\xFF]/"; reference:url,dvlabs.tippingpoint.com/advisory/TPTI-09-15; reference:url,doc.emergingthreats.net/2010546; reference:cve,2007-2281; classtype:attempted-admin; sid:2010546; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"ET EXPLOIT HP-UX Printer LPD Command Insertion"; flow:established,to_server; content:"|02|msf28|30|"; depth:7; content:"|60|"; distance:0; within:20; reference:cve,2005-3277; reference:bugtraq,15136; reference:url,doc.emergingthreats.net/bin/view/Main/2002852; classtype:attempted-user; sid:2002852; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT IIS FTP Exploit - NLST Globbing Exploit"; flow:established,to_server; content:"NLST "; nocase; content:"|2a 2f 2e 2e 2f|"; reference:url,www.milw0rm.com/exploits/9541; reference:url,doc.emergingthreats.net/2009860; reference:cve,2009-3023; classtype:attempted-admin; sid:2009860; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid non-fragmented packet with fragment offset>0"; fragbits: !M; fragoffset: >0; reference:url,doc.emergingthreats.net/bin/view/Main/2001022; classtype:bad-unknown; sid:2001022; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid fragment - ACK reset"; fragbits: M; flags: !A,12; reference:url,doc.emergingthreats.net/bin/view/Main/2001023; classtype:bad-unknown; sid:2001023; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid fragment - illegal flags"; fragbits: M; flags: *FSR,12; reference:url,doc.emergingthreats.net/bin/view/Main/2001024; classtype:bad-unknown; sid:2001024; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libPNG - Possible integer overflow in allocation in png_handle_sPLT"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; content:"sPLT"; isdataat:80,relative; content:!"|00|"; distance: 0; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001195; classtype:misc-activity; sid:2001195; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Exploit"; flow: established; content:"|45 4D 46|"; content:"|EB 12 90 90 90 90 90 90|"; content:"|9e 5c 05 78|"; nocase; reference:url,www.k-otik.com/exploits/20041020.HOD-ms04032-emf-expl2.c.php; reference:url,doc.emergingthreats.net/bin/view/Main/2001369; classtype:shellcode-detect; sid:2001369; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MS04-032 Windows Metafile (.emf) Heap Overflow Portbind Attempt"; flow: established; content:"|45 4D 46|"; content:"|23 6A 75 4E|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001363; classtype:shellcode-detect; sid:2001363; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Connectback Attempt"; flow: established; content:"|45 4D 46|"; content:"|5E 79 72 63|"; content:"|48 4F 44 21|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001364; classtype:shellcode-detect; sid:2001364; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Bad EMF file"; flow: from_server,established; content:"|01 00 00 00|"; depth: 4; content:"|20 45 4d 46|"; offset: 40; depth: 44; byte_test:4, >, 256, 60, little; reference:url,www.sygate.com/alerts/SSR20041013-0001.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2001374; classtype:misc-activity; sid:2001374; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Exploit MS05-002 Malformed .ANI stack overflow attack"; flow: to_client,established; content:"RIFF"; content:"ACON"; distance: 8; content:"anih"; distance: 160; byte_test:4,>,36,0,relative,little; reference:url,doc.emergingthreats.net/bin/view/Main/2001668; classtype:misc-attack; sid:2001668; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT MS05-021 Exchange Link State - Possible Attack (1)"; flow: to_server,established; content:"X-LINK2STATE"; nocase; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001848; classtype:misc-activity; sid:2001848; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 691 (msg:"ET EXPLOIT MS05-021 Exchange Link State - Possible Attack (2)"; flow: to_server,established; content:"X-LSA-2"; nocase; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001849; classtype:misc-activity; sid:2001849; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET EXPLOIT MS Exchange Link State Routing Chunk (maybe MS05-021)"; flow: to_server, established; content:"X-LINK2STATE"; nocase; content:"CHUNK="; nocase; threshold: type limit, track by_src, count 1, seconds 60; flowbits:set,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001873; classtype:misc-activity; sid:2001873; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"ET EXPLOIT TCP Reset from MS Exchange after chunked data, probably crashed it (MS05-021)"; flags: R; flowbits:isset,msxlsa; flowbits: unset,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001874; classtype:misc-activity; sid:2001874; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT DOS Microsoft Windows SRV.SYS MAILSLOT "; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03|"; distance:21; content:"|01 00 00 00 00 00|"; distance:1; within:6; byte_test:2,=,17,0,little,relative; content:"|5C|MAILSLOT|5C|"; within:10; distance:2; reference:url,www.milw0rm.com/exploits/2057; reference:url,www.microsoft.com/technet/security/bulletin/MS06-035.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2003067; classtype:attempted-dos; sid:2003067; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MSSQL Hello Overflow Attempt"; flow:established,to_server; dsize:>400; content:"|12 01 00 34 00 00 00 00|"; offset:0; depth:8; reference:cve,2002-1123; reference:bugtraq,5411; reference:url,doc.emergingthreats.net/bin/view/Main/2002845; classtype:attempted-admin; sid:2002845; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL SQL Injection closing string plus line comment"; flow: to_server,established; content:"'|00|"; content:"-|00|-|00|"; reference:url,owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/bin/view/Main/2000488; classtype:attempted-user; sid:2000488; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL SQL Injection line comment"; flow: to_server,established; content:"-|00|-|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000373; classtype:attempted-user; sid:2000373; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL heap overflow attempt"; content:"|08 3A 31|"; depth: 3; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000377; classtype:attempted-admin; sid:2000377; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL DOS attempt (08)"; dsize: >1; content:"|08|"; depth: 1; content:!"|3A|"; offset: 1; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000378; classtype:attempted-dos; sid:2000378; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL DOS attempt (08) 1 byte"; dsize: 1; content:"|08|"; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000379; classtype:attempted-dos; sid:2000379; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL Spike buffer overflow"; content:"|12 01 00 34|"; depth: 4; reference:bugtraq,5411; reference:url,doc.emergingthreats.net/bin/view/Main/2000380; classtype:attempted-admin; sid:2000380; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_servicecontrol access"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|c|00|o|00|n|00|t|00|r|00|o|00|l|00|"; nocase; reference:url,doc.emergingthreats.net/2009999; classtype:attempted-user; sid:2009999; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_fileexist access"; flow:to_server,established; content:"x|00|p|00|_|00|f|00|i|00|l|00|e|00|e|00|x|00|i|00|s|00|t|00|"; nocase; reference:url,doc.emergingthreats.net/2010000; classtype:attempted-user; sid:2010000; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH Command Universal Exploit"; flow:established,to_server; content:"FLAGS BODY"; pcre:"/[0-9a-zA-Z]{200,}/R"; content:"|EB 06 90 90 8b 11 DC 64 90|"; distance:0; reference:url,www.milw0rm.com/exploits/5248; reference:bugtraq,28245; reference:url,doc.emergingthreats.net/bin/view/Main/2008063; reference:cve,2008-1358; classtype:successful-user; sid:2008063; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"ET EXPLOIT MySQL MaxDB Buffer Overflow"; flow: to_server,established; content:"GET"; content:"|31 c9 83 e9 af d9 ee|"; pcre:"/(GET).\/%.{1586,}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2001988; classtype:attempted-admin; sid:2001988; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET EXPLOIT Possible Novell Groupwise Internet Agent CREATE Verb Stack Overflow Attempt"; flow:established,to_server; content:"|41 30 30 31|"; depth:4; content:"CREATE "; within:10; isdataat:500,relative; content:!"|0A|"; within:500; reference:url,www.exploit-db.com/exploits/14379/; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-129/; reference:url,www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7006374&sliceId=2&docTypeID=DT_TID_1_1&dialogID=155271264&stateId=0 0 155267598; reference:url,doc.emergingthreats.net/2011235; classtype:attempted-admin; sid:2011235; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ET EXPLOIT SYS get_domain_index_metadata Privilege Escalation Attempt"; flow:established,to_server; content:"ODCIIndexMetadata"; nocase; content:"sys.dbms_export_extension.get_domain_index_metadata"; nocase; reference:bugtraq,17699; reference:url,doc.emergingthreats.net/bin/view/Main/2002886; classtype:attempted-admin; sid:2002886; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ET EXPLOIT SYS get_domain_index_tables Access"; flow:established,to_server; content:"sys.dbms_export_extension.get_domain_index_tables"; nocase; reference:bugtraq,17699; reference:url,doc.emergingthreats.net/bin/view/Main/2002887; classtype:attempted-admin; sid:2002887; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ET EXPLOIT SYS get_v2_domain_index_tables Privilege Escalation Attempt"; flow:established,to_server; content:"ODCIIndexUtilGetTableNames"; nocase; content:"sys.dbms_export_extension.get_v2_domain_index_tables"; nocase; reference:bugtraq,17699; reference:url,doc.emergingthreats.net/bin/view/Main/2002888; classtype:attempted-admin; sid:2002888; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS (msg:"ET EXPLOIT Possible Oracle Database Text Component ctxsys.drvxtabc.create_tables Remote SQL Injection Attempt"; flow:established,to_server; content:"ctxsys|2E|drvxtabc|2E|create|5F|tables"; nocase; content:"dbms|5F|sql|2E|execute"; nocase; distance:0; pcre:"/ctxsys\x2Edrvxtabc\x2Ecreate\x5Ftables.+(SELECT|DELETE|CREATE|INSERT|UPDATE|OUTFILE)/si"; reference:url,www.securityfocus.com/bid/36748; reference:cve,2009-1991; reference:url,doc.emergingthreats.net/2010375; classtype:attempted-admin; sid:2010375; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP .message file write"; flow:to_server,established; content:"STOR "; nocase; depth:5; content:".message|0d 0a|"; distance:0; pcre:"/[^a-zA-Z0-9]+\.message/"; flowbits:set,BE.ftp.message; reference:url,www.milw0rm.com/exploits/2856; reference:url,doc.emergingthreats.net/bin/view/Main/2003196; classtype:misc-attack; sid:2003196; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT ProFTPD .message file overflow attempt"; flowbits:isset,BE.ftp.message; flow:to_server,established; content:"CWD "; depth:4; nocase; flowbits:unset,BE.ftp.message; reference:url,www.milw0rm.com/exploits/2856; reference:url,doc.emergingthreats.net/bin/view/Main/2003197; classtype:misc-attack; sid:2003197; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Pwdump3e Session Established Reg-Entry port 139"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000565; classtype:suspicious-login; sid:2000565; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Pwdump3e Session Established Reg-Entry port 445"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000566; classtype:suspicious-login; sid:2000566; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Pwdump3e pwservice.exe Access port 445"; flow: to_server,established; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; reference:url,doc.emergingthreats.net/bin/view/Main/2000564; classtype:misc-attack; sid:2000564; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Pwdump3e pwservice.exe Access port 139"; flow: to_server,established; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; reference:url,doc.emergingthreats.net/bin/view/Main/2000567; classtype:misc-attack; sid:2000567; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT NTDump.exe Service Started port 139"; flow: to_server,established; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001053; classtype:misc-activity; sid:2001053; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT NTDump.exe Service Started port 445"; flow: to_server,established; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001544; classtype:misc-activity; sid:2001544; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT NTDump Session Established Reg-Entry port 139"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001052; classtype:misc-activity; sid:2001052; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT NTDump Session Established Reg-Entry port 445"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001543; classtype:misc-activity; sid:2001543; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Pwdump4 Session Established GetHash port 139"; flow: to_server,established; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001753; classtype:suspicious-login; sid:2001753; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Pwdump4 Session Established GetHash port 445"; flow: to_server,established; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001754; classtype:suspicious-login; sid:2001754; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Possible Vulnerable Server Response"; flow:established; dsize:12; content:"RFB 003.00"; depth:11; flowbits:noalert; flowbits:set,BSposs.vuln.vnc.svr; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:cve,2006-2369; reference:url,doc.emergingthreats.net/bin/view/Main/2002912; classtype:misc-activity; sid:2002912; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VNC Client response"; flowbits:isset,BSposs.vuln.vnc.svr; flow:established; dsize:12; content:"RFB 003.0"; depth:9; flowbits:noalert; flowbits:set,BSis.vnc.setup; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002913; classtype:misc-activity; sid:2002913; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server VNC Auth Offer"; flowbits:isset,BSis.vnc.setup; flow:established; dsize:20; content:"|00 00 00 02|"; depth:4; flowbits:noalert; flowbits:set,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002914; classtype:misc-activity; sid:2002914; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server VNC Auth Offer - No Challenge string"; flowbits:isset,BSis.vnc.setup; flow:established; dsize:2; content:"|01 02|"; depth:2; flowbits:noalert; flowbits:set,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002918; classtype:misc-activity; sid:2002918; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server Not Requiring Authentication"; flowbits:isset,BSis.vnc.setup; flow:established; content:"|01 01|"; depth:2; flowbits:set,BSvnc.auth.offered; flowbits:unset,BSis.vnc.setup; flowbits:unset,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:cve,2006-2369; reference:url,doc.emergingthreats.net/bin/view/Main/2002924; classtype:misc-activity; sid:2002924; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server Not Requiring Authentication (case 2)"; flowbits:isset,BSis.vnc.setup; dsize:4; flow:established; content:"|00 00 00 01|"; depth:4; flowbits:set,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:cve,2006-2369; reference:url,doc.emergingthreats.net/bin/view/Main/2002923; classtype:misc-activity; sid:2002923; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VNC Good Authentication Reply"; flowbits:isset,BSvnc.auth.offered; flow:established; dsize:2; content:"|02|"; flowbits:unset,BSvnc.auth.offered; flowbits:noalert; flowbits:set,BSvnc.auth.agreed; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002919; classtype:attempted-admin; sid:2002919; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VNC Authentication Reply"; flowbits:isset,BSvnc.auth.offered; flow:established; dsize:16; flowbits:unset,BSvnc.auth.offered; flowbits:noalert; flowbits:set,BSvnc.auth.agreed; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002915; classtype:attempted-admin; sid:2002915; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT RealVNC Authentication Bypass Attempt"; flowbits:isset,BSvnc.auth.offered; flow:established; dsize:1; content:"|01|"; depth:1; flowbits:set,BSvnc.null.auth.sent; reference:url,secunia.com/advisories/20107/; reference:url,archives.neohapsis.com/archives/fulldisclosure/2006-05/0356.html; reference:cve,2006-2369; reference:url,doc.emergingthreats.net/bin/view/Main/2002916; classtype:attempted-admin; sid:2002916; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT RealVNC Server Authentication Bypass Successful"; flowbits:isset,BSvnc.null.auth.sent; flow:established; dsize:4; content:"|00 00 00 00|"; depth:4; flowbits:unset,BSis.vnc.setup; flowbits:unset,BSvnc.auth.offered; reference:url,secunia.com/advisories/20107/; reference:url,archives.neohapsis.com/archives/fulldisclosure/2006-05/0356.html; reference:cve,2006-2369; reference:url,doc.emergingthreats.net/bin/view/Main/2002917; classtype:successful-admin; sid:2002917; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Multiple Authentication Failures"; flowbits:isset,BSvnc.auth.agreed; flow:established; dsize:<50; content:"|00 00 00 02|"; depth:4; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002921; classtype:attempted-admin; sid:2002921; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT SQL sp_configure - configuration change"; flow:to_server,established; content:"s|00|p|00|_|00|c|00|o|00|n|00|f|00|i|00|g|00|u|00|r|00|e|00|"; nocase; reference:url,msdn.microsoft.com/en-us/library/ms190693.aspx; reference:url,doc.emergingthreats.net/bin/view/Main/2008517; classtype:attempted-user; sid:2008517; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT SQL sp_configure attempt"; flow:to_server,established; content:"sp_configure"; nocase; reference:url,msdn.microsoft.com/en-us/library/ms190693.aspx; reference:url,doc.emergingthreats.net/bin/view/Main/2008518; classtype:attempted-user; sid:2008518; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 4000 (msg:"ET EXPLOIT SecurityGateway 1.0.1 Remote Buffer Overflow"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/SecurityGateway.dll"; nocase; distance:0; content:"logon"; nocase; distance:0; content:"&username"; nocase; distance:0; pcre:"/\x3d[^\x26]{720}/R"; reference:url,frsirt.com/english/advisories/2008/1717; reference:url,milw0rm.com/exploits/5718; reference:url,doc.emergingthreats.net/bin/view/Main/2008426; reference:cve,2008-4193; classtype:misc-attack; sid:2008426; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ShixxNote buffer-overflow + remote shell attempt"; flow: established,to_server; content:"|68 61 63 6b 75|"; offset: 126; depth: 5; content:"|68 61 63 6b 90 61 61 61 61|"; offset: 519; depth: 9; reference:url,aluigi.altervista.org/adv/shixxbof-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2001385; classtype:shellcode-detect; sid:2001385; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Solaris TTYPROMPT environment variable set"; flow: established,to_server; content:"|00 54 54 59 50 52 4F 4D 50 54|"; reference:url,online.securityfocus.com/archive/1/293844; reference:url,doc.emergingthreats.net/bin/view/Main/2001780; classtype:attempted-admin; sid:2001780; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Solaris telnet USER environment vuln Attack inbound"; flow:to_server,established; content: "|ff fa 27 00 00 55 53 45 52 01 2d 66|"; rawbytes; reference:url,riosec.com/solaris-telnet-0-day; reference:url,isc.sans.org/diary.html?n&storyid=2220; reference:url,doc.emergingthreats.net/bin/view/Main/2003411; reference:cve,2007-0882; classtype:attempted-user; sid:2003411; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"ET EXPLOIT Solaris telnet USER environment vuln Attack outbound"; flow:to_server,established; content: "|ff fa 27 00 00 55 53 45 52 01 2d 66|"; rawbytes; reference:url,riosec.com/solaris-telnet-0-day; reference:url,isc.sans.org/diary.html?n&storyid=2220; reference:url,doc.emergingthreats.net/bin/view/Main/2003412; reference:cve,2007-0882; classtype:attempted-user; sid:2003412; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; flow:established,to_server; content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|"; distance:0; reference:url,www.securityfocus.com/bid/38578; reference:url,seclists.org/fulldisclosure/2010/Mar/140; reference:url,doc.emergingthreats.net/2010877; classtype:attempted-user; sid:2010877; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible Sendmail SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; flow:established,to_server; content:"to|3A|"; depth:10; nocase; content:"+\"|7C|"; distance:0; reference:url,www.securityfocus.com/bid/38578; reference:url,seclists.org/fulldisclosure/2010/Mar/140; reference:url,doc.emergingthreats.net/2010941; classtype:attempted-user; sid:2010941; rev:1; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"ET EXPLOIT Squid NTLM Auth Overflow Exploit"; flow: to_server; content:"|4141 414a 4351 6b4a 4351 6b4a 4351 6b4a|"; offset: 96; reference:url,www.idefense.com/application/poi/display?id=107; reference:cve,CAN-2004-0541; reference:url,doc.emergingthreats.net/bin/view/Main/2000342; classtype:misc-attack; sid:2000342; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 2967:2968 (msg:"ET EXPLOIT Symantec Remote Management RTVScan Exploit"; flow:established,to_server; content:"|10|"; depth:2; content:"|00 24 00|"; distance:0; within:20; content:"|5c|"; distance:0; isdataat:380,relative; reference:cve,2006-3455; reference:url,research.eeye.com/html/advisories/published/AD20060612.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003250; classtype:attempted-admin; sid:2003250; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET EXPLOIT TFTP Invalid Mode in file Get"; content:"|01|"; depth:1; content:"|00|"; distance:1; content:"|00|"; distance:0; content:!"|00|binary|00|"; nocase; content:!"|00|netascii|00|"; nocase; content:!"|00|mail|00|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003198; classtype:non-standard-protocol; sid:2003198; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET EXPLOIT TFTP Invalid Mode in file Put"; content:"|02|"; depth:1; content:"|00|"; distance:1; content:"|00|"; distance:0; content:!"|00|binary|00|"; nocase; content:!"|00|netascii|00|"; nocase; content:!"|00|mail|00|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003199; classtype:non-standard-protocol; sid:2003199; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT TAC Attack Directory Traversal"; flow:established,to_server; uricontent:"/ISALogin.dll?"; nocase; pcre:"/Template=.*\.\./UGi"; reference:cve,2005-3040; reference:url,secunia.com/advisories/16854; reference:url,cirt.dk/advisories/cirt-37-advisory.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002406; classtype:attempted-recon; sid:2002406; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 14942 (msg:"ET EXPLOIT Trend Micro Web Interface Auth Bypass Vulnerable Cookie Attempt"; flow:established,to_server; content:"splx_2376_info"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=477; reference:url,www.trendmicro.com/download/product.asp?productid=20; reference:url,doc.emergingthreats.net/bin/view/Main/2003434; classtype:attempted-admin; sid:2003434; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT M3U File Request Flowbit Set"; flow:to_server,established; content:"GET "; depth:4; uricontent:".m3u"; flowbits:set,ET.m3u.download; flowbits:noalert; reference:url,doc.emergingthreats.net/2011241; classtype:not-suspicious; sid:2011241; rev:2; metadata:created_at 2010_07_30, updated_at 2019_08_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 10000 (msg:"ET EXPLOIT Possible BackupExec Metasploit Exploit (outbound)"; flow:established,to_server; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; reference:url,doc.emergingthreats.net/bin/view/Main/2002062; classtype:attempted-admin; sid:2002062; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $HOME_NET 10000 -> $EXTERNAL_NET any (msg:"ET EXPLOIT NDMP Notify Connect - Possible Backup Exec Remote Agent Recon"; flow:established,from_server; content:"|00 00 05 02|"; offset:16; depth:20; content: "|00 00 00 03|"; offset: 28; depth: 32; reference:url,www.ndmp.org/download/sdk_v4/draft-skardal-ndmp4-04.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2002068; classtype:attempted-recon; sid:2002068; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Backup Exec Windows Agent Remote File Access - Attempt"; flow:to_server,established; flowbits:isnotset,SID2002181; content:"|0000 0000 0000 0901 0000 0000 0000 0000 0000 0002 0000 0004 726f 6f74 b4b8 0f26 205c 4234 03fc aeee 8f91 3d6f|"; offset:8; depth:52; flowbits:set,SID2002181; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; reference:url,doc.emergingthreats.net/bin/view/Main/2002181; classtype:default-login-attempt; sid:2002181; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 10000 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Backup Exec Windows Agent Remote File Access - Vulnerable"; flow:from_server,established; flowbits:isset,SID2002181; content:"|0000 0001 0000 0901|"; offset:8; depth:16; content:"|0000 0000 0000 0000|"; distance:4; within:12; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; reference:url,doc.emergingthreats.net/bin/view/Main/2002182; classtype:misc-attack; sid:2002182; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT WMF Exploit"; flow:established; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference:url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; reference:url,doc.emergingthreats.net/bin/view/Main/2002734; classtype:attempted-user; sid:2002734; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT Xerox WorkCentre PJL Daemon Buffer Overflow Attempt"; flow:established,to_server; content:"ENTER LANGUAGE ="; depth:50; nocase; isdataat:55,relative; content:!"|0A|"; within:55; pcre:"/ENTER\x20LANGUAGE\x20\x3D.{55}/smi"; reference:url,www.securityfocus.com/bid/38010; reference:url,doc.emergingthreats.net/2010759; classtype:attempted-admin; sid:2010759; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET EXPLOIT Outgoing Electronic Mail for UNIX Expires Header Buffer Overflow Exploit"; flow:established; content:"Expires|3a|"; content:"|40 60 6e 63|"; distance:52; within:300; content:"|2d 70|"; distance:2; within:20; reference:url,www.frsirt.com/exploits/20050822.elmexploit.c.php; reference:url,www.instinct.org/elm/; reference:url,doc.emergingthreats.net/bin/view/Main/2002316; classtype:misc-attack; sid:2002316; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Incoming Electronic Mail for UNIX Expires Header Buffer Overflow Exploit"; flow:established; content:"Expires|3a|"; content:"|40 60 6e 63|"; distance:52; within:300; content:"|2d 70|"; distance:2; within:20; reference:url,www.frsirt.com/exploits/20050822.elmexploit.c.php; reference:url,www.instinct.org/elm/; reference:url,doc.emergingthreats.net/bin/view/Main/2002315; classtype:misc-attack; sid:2002315; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL SQL Injection running SQL statements line comment"; flow: to_server,established; content:"|3b 00|"; content:"-|00|-|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000372; classtype:attempted-user; sid:2000372; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 2775 (msg:"ET EXPLOIT Now SMS/MMS Gateway SMPP BOF Vulnerability"; flow:established,to_server; content:"|00 00 00 04|"; content:"|00 00 00 01|"; distance:1; pcre:"/[a-zA-Z0-9]{1000,}/i"; reference:bugtraq,27896; reference:url,aluigi.altervista.org/adv/nowsmsz-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007875; classtype:web-application-attack; sid:2007875; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Pwdump3e Password Hash Retrieval port 445"; flow: from_server,established; content:"|3a 00|5|00|0|00|0|3a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000563; classtype:misc-attack; sid:2000563; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET 139 -> any any (msg:"ET EXPLOIT Pwdump3e Password Hash Retrieval port 139"; flow: from_server,established; content:"|3a 00|5|00|0|00|0|3a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000568; classtype:misc-attack; sid:2000568; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT US-ASCII Obfuscated script"; flow:established,from_server; content:"US-ASCII"; nocase; pcre:"/\xbc[\xf3\xd3][\xe3\xc3][\xf2\xd2][\xe9\xc9][\xf0\xd0][\xf4\xd4]/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003400; classtype:web-application-attack; sid:2003400; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT US-ASCII Obfuscated VBScript download file"; flow:established,from_server; content:"US-ASCII"; nocase; pcre:"/\xae[\xef\xcf][\xf0\xd0][\xe5\xc5][\xee\xce]\xa0\xa2[\xe7\xc7][\xe5\xc5][\xf4\xd4]\xa2/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003401; classtype:web-application-attack; sid:2003401; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT US-ASCII Obfuscated VBScript execute command"; flow:established,from_server; content:"US-ASCII"; nocase; pcre:"/[\xf3\xd3][\xe8\xc8][\xe5\xc5][\xec\xcc][\xec\xcc][\xe5\xc5][\xf8\xd8][\xe5\xc5][\xe3\xc3][\xf5\xd5][\xf4\xd4][\xe5\xc5]/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003402; classtype:web-application-attack; sid:2003402; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT US-ASCII Obfuscated VBScript"; flow:established,from_server; content:"US-ASCII"; nocase; pcre:"/[\xf6\xd6][\xe2\xc2][\xf3\xd3][\xe3\xc3][\xf2\xd2][\xe9\xc9][\xf0\xd0][\xf4\xd4]/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003403; classtype:web-application-attack; sid:2003403; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http any $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Java runtime.exec() call"; flow:from_server,established; content:"|52 75 6e 74 69 6d 65 3b 01 00 04 65 78 65 63 01 00|"; reference:url,www.mullingsecurity.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002783; classtype:trojan-activity; sid:2002783; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Java private function call sun.misc.unsafe"; flow:from_server,established; content:"sun/misc/Unsafe"; reference:url,www.mullingsecurity.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002784; classtype:trojan-activity; sid:2002784; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT GsecDump executed"; flow:to_server,established; content:"|67 00 73 00 65 00 63 00 64 00 75 00 6d 00 70 00 2e 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-gsecdump.html; reference:url,doc.emergingthreats.net/2010783; classtype:suspicious-filename-detect; sid:2010783; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 50002 (msg:"ET EXPLOIT Possible Etrust Secure Transaction Platform Identification and Entitlements Server File Disclosure Attempt"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"<!DOCTYPE"; nocase; distance:0; content:"<!ENTITY"; nocase; distance:0; content:"<soapenv|3A|Envelope"; nocase; distance:0; content:"<ns1|3A|Username>"; nocase; distance:0; flowbits:set,ET.etrust.fieldis; metadata: former_category EXPLOIT; reference:url,shh.thathost.com/secadv/2009-06-15-entrust-ies.txt; reference:url,securitytracker.com/alerts/2010/Sep/1024391.html; classtype:misc-attack; sid:2011502; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible IIS FTP Exploit attempt - Large SITE command"; flow:established,to_server; content:"SITE "; nocase; isdataat:150,relative; content:!"|0d 0a|"; within:150; reference:url,www.milw0rm.com/exploits/9541; reference:url,doc.emergingthreats.net/2009828; reference:cve,2009-3023; classtype:attempted-admin; sid:2009828; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT GuppY error.php POST Arbitrary Remote Code Execution"; flow: to_server,established; content:"POST"; http_method; nocase; content:"/error.php?"; nocase; http_uri; content:"err="; nocase; http_uri; pcre:"/Cookie\:\ +REMOTE_ADDR=/i"; reference:bugtraq,15609; reference:url,doc.emergingthreats.net/bin/view/Main/2003332; classtype:web-application-attack; sid:2003332; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $EXTERNAL_NET any -> $HOME_NET 8004 (msg:"ET EXPLOIT Symantec Scan Engine Request Password Hash"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/xml.xml"; nocase; http_uri;  content:"<request"; nocase; http_client_body; content:"<key "; nocase; http_client_body; reference:cve,2006-0230; reference:bugtraq,17637; reference:url,doc.emergingthreats.net/bin/view/Main/2002896; classtype:attempted-recon; sid:2002896; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8800 (msg:"ET EXPLOIT Now SMS/MMS Gateway HTTP BOF Vulnerability"; flow:established,to_server; content:"GET "; depth:4; content:"Authorization|3a|"; distance:0; content:"Basic"; distance:0; pcre:"/Authorization\x3a\s*Basic\s*[a-zA-Z0-9]{255,}==/i"; reference:bugtraq,27896; reference:url,aluigi.altervista.org/adv/nowsmsz-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007874; classtype:web-application-attack; sid:2007874; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http any any -> $HOME_NET 8765 (msg:"ET EXPLOIT JDownloader Webinterface Source Code Disclosure"; flow:established,to_server; content:"|2f|index|2e|tmpl"; depth:80; nocase; pcre:"/\x2findex\x2etmpl(\x3a\x3a\x24DATA|\x2f|\x2e)\x0d\x0a/i"; reference:url,packetstormsecurity.org/files/view/96126/jdownloader-disclose.txt; classtype:attempted-recon; sid:2012055; rev:2; metadata:created_at 2010_12_15, updated_at 2010_12_15;)

#alert http $EXTERNAL_NET any -> $HOME_NET 8307 (msg:"ET EXPLOIT VMware 2 Web Server Directory Traversal"; flow:established,to_server; content:"|2f 2e 2e 2f 2e 2e 2f 2e 2e 2f|"; depth:60; reference:url,www.exploit-db.com/exploits/15617/; classtype:attempted-recon; sid:2012057; rev:2; metadata:created_at 2010_12_15, updated_at 2010_12_15;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT HP LaserJet PLJ Interface Directory Traversal"; flow:established,to_server; content:"|1b 25 2d|"; depth:3; content:"|20 28 29 20 50 4a 4c 20|"; distance:0; within:25; content:"FSDIRLIST|20|NAME="; nocase; content:"|22|0|3a 5c 2e 2e 5c 2e 2e 5c 2e 2e|"; distance:0; within:25; reference:url,www.exploit-db.com/exploits/15631/; reference:bugtraq,44882; reference:cve,2010-4107; classtype:misc-attack; sid:2012058; rev:1; metadata:created_at 2010_12_15, updated_at 2010_12_15;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 1"; content:"|45 53 44 44|"; depth:4; content:"|04|"; distance:2; within:1; content:"|FE FF|"; distance:0; within:50; content:"|FE FF|"; distance:0; within:50; content:"|FE|"; byte_test:1,>,11,0,relative; reference:url,www.exploit-db.com/exploits/15898/; reference:bid,45634; classtype:attempted-user; sid:2012154; rev:2; metadata:created_at 2011_01_06, updated_at 2011_01_06;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 2"; content:"|FE|"; byte_test:1,>,11,0,relative; content:"|45 53 44 44|"; depth:4; content:"|04|"; distance:2; within:1; content:"|FE FF|"; distance:0; within:50; content:"|FE FF|"; distance:0; within:50; reference:url,www.exploit-db.com/exploits/15898/; reference:bid,45634; classtype:attempted-user; sid:2012155; rev:2; metadata:created_at 2011_01_06, updated_at 2011_01_06;)

#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 2"; flow:to_server,established; content:"POST "; nocase; depth:5; uricontent:"/OvCgi/snmpviewer.exe"; nocase; content:"app="; nocase; content:"act="; nocase; isdataat:257,relative; content:!"|0A|"; within:257; pcre:"/act\x3D[^\x26\s\r\n]{257}/i"; reference:cve,CVE-2010-1552; reference:bugtraq,40068; classtype:attempted-admin; sid:2012683; rev:5; metadata:created_at 2010_09_25, updated_at 2019_08_22;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"GPL EXPLOIT xfs overflow attempt"; flow:to_server,established; dsize:>512; content:"B|00 02|"; depth:3; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:2101987; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $HOME_NET 749 -> $EXTERNAL_NET any (msg:"GPL EXPLOIT successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:2101900; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $HOME_NET 751 -> $EXTERNAL_NET any (msg:"GPL EXPLOIT successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:2101901; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"GPL EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101894; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"GPL EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101895; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"GPL EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101896; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"GPL EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101897; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"GPL EXPLOIT kadmind buffer overflow attempt 2"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101898; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"GPL EXPLOIT kadmind buffer overflow attempt 3"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101899; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT apache chunked encoding memory corruption exploit attempt"; flow:established,to_server; content:"|C0|PR|89 E1|PQRP|B8 3B 00 00 00 CD 80|"; reference:bugtraq,5033; reference:cve,2002-0392; classtype:web-application-activity; sid:2101808; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"GPL EXPLOIT LPD dvips remote command execution attempt"; flow:to_server,established; content:"psfile=|22 60|"; reference:bugtraq,3241; reference:cve,2001-1002; reference:nessus,11023; classtype:system-call-detect; sid:2101821; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"GPL EXPLOIT SSH server banner overflow"; flow:established,from_server; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s[^\n]{200}/ism"; reference:bugtraq,5287; reference:cve,2002-1059; classtype:misc-attack; sid:2101838; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"GPL EXPLOIT cachefsd buffer overflow attempt"; flow:to_server,established; dsize:>720; content:"|00 01 87 86 00 00 00 01 00 00 00 05|"; reference:bugtraq,4631; reference:cve,2002-0084; reference:nessus,10951; classtype:misc-attack; sid:2101751; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 445 (msg:"GPL EXPLOIT xp_cmdshell program execution 445"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2101759; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT cmd32.exe access"; flow:to_server,established; content:"cmd32.exe"; nocase; classtype:web-application-attack; sid:2101661; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT formmail arbitrary command execution attempt"; flow:to_server,established; content:"/formmail"; nocase; http_uri; content:"%0a"; nocase; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-attack; sid:2101610; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"GPL EXPLOIT ntpdx overflow attempt"; dsize:>128; reference:bugtraq,2540; reference:cve,2001-0414; classtype:attempted-admin; sid:2100312; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert http any any -> $HOME_NET any (msg:"ET EXPLOIT 2Wire Password Reset Vulnerability via GET"; flow:established,to_server; content:"/xslt?PAGE=H04_POST&THISPAGE=H04&NEXTPAGE="; http_uri; content:"&PASSWORD="; http_uri; distance:0; content:"&PASSWORD_CONF="; http_uri; distance:0; reference:url,www.seguridad.unam.mx/doc/?ap=articulo&id=196; reference:url,packetstormsecurity.org/files/view/102614/2wire-reset.rb.txt; classtype:attempted-admin; sid:2013165; rev:2; metadata:created_at 2011_07_01, updated_at 2011_07_01;)

#alert http any any -> $HOME_NET any (msg:"ET EXPLOIT 2Wire Password Reset Vulnerability via POST"; flow:established,to_server; content:"/xslt"; http_uri; content:"PAGE=H04_POST&THISPAGE=H04&NEXTPAGE="; http_client_body; content:"&PASSWORD="; http_client_body; distance:0; content:"&PASSWORD_CONF="; http_client_body; distance:0; reference:url,www.seguridad.unam.mx/doc/?ap=articulo&id=196; reference:url,packetstormsecurity.org/files/view/102614/2wire-reset.rb.txt; classtype:attempted-admin; sid:2013166; rev:2; metadata:created_at 2011_07_01, updated_at 2011_07_01;)

#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VSFTPD Backdoor User Login Smiley"; flow:established,to_server; content:"USER "; depth:5; content:"|3a 29|"; distance:0; classtype:attempted-admin; sid:2013188; rev:5; metadata:created_at 2011_07_05, updated_at 2011_07_05;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow Attempt"; flow:established,to_server; content:"/OvCgi/Toolbar.exe?"; http_uri; content:"/OvCgi/Toolbar.exe?"; isdataat:1024,relative; content:!"|0A|"; within:1024; reference:url,exploit-db.com/exploits/17536/; classtype:web-application-attack; sid:2013288; rev:3; metadata:created_at 2011_07_19, updated_at 2011_07_19;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 13364 (msg:"ET EXPLOIT RXS-3211 IP Camera Password Information Disclosure Attempt"; content:"|FF FF FF FF FF FF 00 06 FF F9|"; reference:bid,47976; classtype:attempted-admin; sid:2012866; rev:2; metadata:created_at 2011_05_26, updated_at 2011_05_26;)

#alert ssh $HOME_NET any -> any any (msg:"ET EXPLOIT FreeBSD OpenSSH 3.5p1 possible vulnerable server"; flow:established,from_server; content:"SSH-1.99-OpenSSH_3.5p1 FreeBSD-200"; reference:url,packetstormsecurity.org/files/view/102683/ssh_preauth_freebsd.txt; reference:url,seclists.org/2011/Jul/6; classtype:misc-activity; sid:2013167; rev:4; metadata:created_at 2011_07_01, updated_at 2011_07_01;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT Alternate Data streams ASP file access attempt"; flow:to_server,established; content:".asp|3A 3A 24|DATA"; nocase; http_uri; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q188806; classtype:web-application-attack; sid:2100975; rev:14; metadata:created_at 2010_09_23, updated_at 2020_04_20;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible BSNL Router DNS Change Attempt"; flow:to_server,established; content:"POST"; http_method; content:"/dnscfg.cgi"; http_uri; content:"dnsPrimary="; http_client_body; content:"&dnsSecondary="; http_client_body; content:"&dnsDynamic="; http_client_body; content:"&dnsRefresh="; http_client_body; reference:url,www.hackersbay.in/2011/02/pwning-routersbsnl.html; classtype:attempted-user; sid:2013918; rev:3; metadata:created_at 2011_11_17, updated_at 2011_11_17;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"GPL EXPLOIT Arkeia client backup system info probe"; flow:established,to_server; content:"ARKADMIN_GET_"; nocase; pcre:"/^(CLIENT|MACHINE)_INFO/Ri"; reference:bugtraq,12594; classtype:attempted-recon; sid:2103453; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP OpenView Network Node Manager OvJavaLocale Cookie Value Buffer Overflow Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/OvCgi/webappmon.exe"; http_uri; nocase; content:"ins=nowait"; nocase; http_uri; content:"cache="; nocase; content:"OvJavaLocale="; nocase; within:15; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.coresecurity.com/content/hp-nnm-ovjavalocale-buffer-overflow; reference:bugtraq,42154; reference:cve,2010-2709; classtype:web-application-attack; sid:2011328; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"GPL EXPLOIT CVS non-relative path access attempt"; flow:to_server,established; content:"Argument "; content:"Directory"; distance:0; pcre:"/^Argument\s+\//smi"; pcre:"/^Directory/smiR"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2102318; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"GPL EXPLOIT rexec username overflow attempt"; flow:to_server,established; content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|"; distance:0; classtype:attempted-admin; sid:2102113; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL EXPLOIT portmap proxy integer overflow attempt UDP"; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2102092; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|";  fast_pattern:32,4; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; distance:1; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2102090; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"GPL EXPLOIT rsyncd module list access"; flow:to_server,established; content:"|23|list"; depth:5; classtype:misc-activity; sid:2102047; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL EXPLOIT bootp hostname format string attempt"; content:"|01|"; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; within:8; distance:1; content:"%"; within:8; distance:1; reference:bugtraq,4701; reference:cve,2002-0702; reference:nessus,11312; classtype:misc-attack; sid:2102039; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache HEAD overflow attempt"; flow:to_server,established; content:"HEAD"; pcre:"/^HEAD[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102552; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache PUT overflow attempt"; flow:to_server,established; content:"PUT"; pcre:"/^PUT[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102553; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache POST overflow attempt"; flow:to_server,established; content:"POST"; pcre:"/^POST[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102554; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache TRACE overflow attempt"; flow:to_server,established; content:"TRACE"; pcre:"/^TRACE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102555; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache DELETE overflow attempt"; flow:to_server,established; content:"DELETE"; nocase; isdataat:432,relative; pcre:"/^DELETE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102556; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache LOCK overflow attempt"; flow:to_server,established; content:"LOCK"; pcre:"/^LOCK[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102557; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache MKCOL overflow attempt"; flow:to_server,established; content:"MKCOL"; pcre:"/^MKCOL[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102558; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache COPY overflow attempt"; flow:to_server,established; content:"COPY"; pcre:"/^COPY[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102559; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache MOVE overflow attempt"; flow:to_server,established; content:"MOVE"; pcre:"/^MOVE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102560; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT Computer Associates Brightstor ARCServe Backup Mediasvr.exe Remote Exploit"; flow:established,to_server; content:"|00 06 09 7e|"; offset:16; depth:4; content:"|00 00 00 bf 00 00 00 00 00 00 00 00|"; distance:4; within:12; reference:url,www.milw0rm.com/exploits/3604; reference:url,doc.emergingthreats.net/bin/view/Main/2003518; classtype:attempted-admin; sid:2003518; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT CA Brightstor ARCServe caloggerd DoS"; flow:established,to_server; content:"|00 06 09 82|"; offset:16; depth:4; content:"|00 00 00 01 00 00 00 00 00 00 00 00|"; within:12; reference:url,www.milw0rm.com/exploits/3939; reference:url,doc.emergingthreats.net/bin/view/Main/2003750; classtype:attempted-dos; sid:2003750; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT CA Brightstor ARCServe Mediasvr DoS"; flow:established,to_server; content:"|00 06 09 7e|"; offset:16; depth:4; content:"|00 00 00 7e 00 00 00 00 00 00 00 00|"; within:12; reference:url, www.milw0rm.com/exploits/3940; reference:url,doc.emergingthreats.net/bin/view/Main/2003751; classtype:attempted-dos; sid:2003751; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"ET EXPLOIT TrendMicro ServerProtect Exploit possible worma(little-endian DCERPC Request)"; flow:established,to_server; dsize:>1000; content:"|05|"; depth:1; content:"|10 00 00 00|"; distance:3; within:4; content:"|00 00 88 88 28 25 5b bd d1 11 9d 53 00 80 c8 3a 5c 2c 04 00 03 00|"; distance:14; within:22; content:"|1c 13 74 65|"; distance:500; reference:url,isc.sans.org/diary.html?storyid=3310; reference:url,doc.emergingthreats.net/bin/view/Main/2007584; classtype:misc-attack; sid:2007584; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT D-Link bsc_wlan.php Security Bypass"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/bsc_wlan.php"; nocase; http_uri; content:"ACTION_POST=final&"; nocase; http_client_body; content:"&f_ssid="; nocase; http_client_body; content:"&f_authentication=7&"; nocase; http_client_body; within:135; content:"f_cipher=2&"; nocase; http_client_body; content:"f_wep_len=&f_wep_format=&f_wep_def_key=&"; nocase; http_client_body; within:40; content:"&f_wep=&f_wpa_psk_type=1&f_wpa_psk="; nocase; http_client_body; content:"&f_radius_ip1=&f_radius_port1=&f_radius_secret1="; nocase; http_client_body; within:70; reference:url,packetstormsecurity.org/files/view/96100/dlinkwlan-bypass.txt; classtype:web-application-attack; sid:2012103; rev:5; metadata:created_at 2010_12_27, updated_at 2010_12_27;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Adobe Acrobat Reader Malicious URL Null Byte"; flow: to_server,established; content:".pdf|00|"; http_uri; reference:url,idefense.com/application/poi/display?id=126&type=vulnerabilities; reference:url,www.securiteam.com/windowsntfocus/5BP0D20DPW.html; reference:cve,2004-0629; reference:url,doc.emergingthreats.net/bin/view/Main/2001217; classtype:attempted-admin; sid:2001217; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WRT54g Authentication Bypass Attempt"; flow:established,to_server; content:"/Security.tri"; http_uri; nocase; content:"SecurityMode=0"; nocase; reference:url,secunia.com/advisories/21372/; reference:url,doc.emergingthreats.net/bin/view/Main/2003072; classtype:attempted-admin; sid:2003072; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> $HOME_NET 3389 (msg:"ET EXPLOIT Microsoft RDP Server targetParams Exploit Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|7f 65 82 01 94|"; distance:24; within:5; content:"|30 19|"; distance:9; within:2; byte_test:1,<,6,3,relative; reference:url,msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; classtype:attempted-admin; sid:2014383; rev:2; metadata:created_at 2012_03_13, updated_at 2012_03_13;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"ET EXPLOIT Arkeia full remote access without password or authentication"; flow:to_server,established; content:"|464F3A20596F75206861766520737563|"; content:"|6520636C69656E7420696E666F726D61|"; reference:url,metasploit.com/research/vulns/arkeia_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001742; classtype:attempted-admin; sid:2001742; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 1"; flow:to_server,established; content:"POST "; nocase; depth:5; uricontent:"/OvCgi/snmpviewer.exe"; nocase; content:"act="; nocase; content:"app="; nocase; isdataat:257,relative; content:!"|0A|"; within:257; pcre:"/app\x3D[^\x26\s\r\n]{257}/i"; reference:cve,CVE-2010-1552; reference:bugtraq,40068; classtype:attempted-admin; sid:2012682; rev:6; metadata:created_at 2010_09_25, updated_at 2019_08_22;)

alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT PWDump4 Password dumping exe copied to victim"; flow:to_server,established; content:"|4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 50 00 57 00 44 00 55 00 4D 00 50 00 34 00 2E 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-pwdump4.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008444; classtype:suspicious-filename-detect; sid:2008444; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT Pwdump6 Session Established test file created on victim"; flow:to_server,established; content:"|5c 00 74 00 65 00 73 00 74 00 2e 00 70 00 77 00 64|"; reference:url,xinn.org/Snort-pwdump6.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008445; classtype:suspicious-filename-detect; sid:2008445; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"ET EXPLOIT VLC web interface buffer overflow attempt"; flow:to_server,established; content:"|2F|requests|2F|status|2E|xml|3F|"; http_uri; nocase; content:"input|3D|smb|3A 2F|"; http_uri; nocase; pcre:"/\x2Frequests\x2Fstatus\x2Exml\x3F[^\x0A\x0D]*input\x3D[^\x0A\x0D\x26\x3B]{1000}/iU"; reference:url,milw0rm.org/exploits/9029; reference:url,doc.emergingthreats.net/2009511; classtype:web-application-attack; sid:2009511; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible VLC Media Player M3U File FTP URL Processing Stack Buffer Overflow Attempt"; flowbits:isset,ET.m3u.download; flow:established,to_client; content:"ftp|3A|//"; nocase; content:"PRAV"; within:10; isdataat:2000,relative; content:!"|0A|"; within:2000; reference:url,securitytracker.com/alerts/2010/Jul/1024172.html; reference:url,doc.emergingthreats.net/2011242; classtype:attempted-user; sid:2011242; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL EXPLOIT ttdbserv Solaris overflow"; dsize:>999; flow:to_server,established; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:2100571; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT BMP with invalid bfOffBits"; flow:established,to_client; content:"|0d 0a 0d 0a|BM"; fast_pattern; byte_test:4,>,14,0,relative; content:"|0000000000000000|"; distance:4; within:8; reference:url,www.microsoft.com/technet/security/Bulletin/ms06-005.mspx; reference:cve,2006-0006; reference:bugtraq,16633; reference:url,doc.emergingthreats.net/bin/view/Main/2002803; classtype:attempted-user; sid:2002803; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit nsswitch.conf Upload"; flow:established,to_server; content:"STOR "; content:"nsswitch.conf|0d 0a|"; distance:0; pcre:"/^\s*?STOR\s+[^\r\n]*?nsswitch\.conf\r$/mi"; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015514; rev:2; metadata:created_at 2012_07_23, updated_at 2012_07_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific config files upload"; flow:established,to_server; content:"STOR "; content:".conf|0d 0a|"; distance:0; fast_pattern; pcre:"/^\s*?STOR\s+[^\r\n]*?\x2f(tgt|trace|rbp(c|p))\.conf\r$/mi"; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015513; rev:3; metadata:created_at 2012_07_23, updated_at 2012_07_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific (CHMOD 777)"; flow:established,to_server; content:"SITE CHMOD 777 NONEXISTANT"; depth:26; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015515; rev:2; metadata:created_at 2012_07_23, updated_at 2012_07_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL EXPLOIT EXPLOIT statdx"; flow:to_server,established; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:2100600; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT sp_adduser database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:2100679; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:2100676; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; offset:32; nocase; reference:bugtraq,1204; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:2100695; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL EXPLOIT xp_cmdshell - program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2100687; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"GPL EXPLOIT login buffer non-evasive overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi"; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:2103274; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT ISAPI .ida access"; flow:to_server,established; content:".ida"; nocase; http_uri; pcre:"/\.ida$/iU"; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:2101242; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT formmail access"; flow:to_server,established; content:"/formmail"; nocase; http_uri; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-activity; sid:2100884; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP invalid identification payload attempt"; content:"|05|"; depth:1; offset:16; byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2102486; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102380; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP first payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102376; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP forth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102379; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102414; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102377; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102415; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL EXPLOIT bootp x86 linux overflow"; content:"A90|C0 A8 01 01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:2100319; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT tftp command attempt"; flow:to_server,established; content:"tftp%20"; nocase; classtype:web-application-attack; sid:2101340; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%1c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100982; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT ISAPI .ida attempt"; flow:to_server,established; content:".ida?"; nocase; http_uri; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-attack; sid:2101243; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT php.cgi access"; flow:to_server,established; content:"/php.cgi"; nocase; http_uri; reference:arachnids,232; reference:bugtraq,2250; reference:bugtraq,712; reference:cve,1999-0238; reference:cve,1999-058; reference:nessus,10178; classtype:attempted-recon; sid:2100824; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert ip any any -> any any (msg:"GPL EXPLOIT EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102464; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert ip any any -> any any (msg:"GPL EXPLOIT IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102462; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert ip any any -> any any (msg:"GPL EXPLOIT IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102463; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT administrators.pwd access"; flow:to_server,established; content:"/administrators.pwd"; nocase; http_uri; reference:bugtraq,1205; classtype:web-application-activity; sid:2100953; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT .cnf access"; flow:to_server,established; content:".cnf"; nocase; http_uri; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100977; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT .htr access"; flow:to_server,established; content:".htr"; nocase; http_uri; reference:bugtraq,1488; reference:cve,2000-0630; reference:nessus,10680; classtype:web-application-activity; sid:2100987; rev:16; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT /iisadmpwd/aexp2.htr access"; flow:to_server,established; content:"/iisadmpwd/aexp2.htr"; http_uri; reference:bugtraq,2110; reference:bugtraq,4236; reference:cve,1999-0407; reference:cve,2002-0421; reference:nessus,10371; classtype:web-application-activity; sid:2101487; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT /msadc/samples/ access"; flow:to_server,established; content:"/msadc/samples/"; http_uri; nocase; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:2101401; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT CodeRed v2 root.exe access"; flow:to_server,established; content:"/root.exe"; nocase; http_uri; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:2101256; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT ISAPI .idq access"; flow:to_server,established; content:".idq"; nocase; http_uri; reference:arachnids,553; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:2101245; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT ISAPI .idq attempt"; flow:to_server,established; content:".idq?"; nocase; http_uri; reference:arachnids,553; reference:bugtraq,1065; reference:bugtraq,968; reference:cve,2000-0071; reference:cve,2000-0126; reference:nessus,10115; classtype:web-application-attack; sid:2101244; rev:16; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT NTLM ASN.1 vulnerability scan attempt"; flow:to_server,established; content:"Authorization|3A| Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; http_header; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:attempted-dos; sid:2102386; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT fpcount access"; flow:to_server,established; content:"/fpcount.exe"; nocase; http_uri; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-activity; sid:2101013; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT iisadmpwd attempt"; flow:to_server,established; content:"/iisadmpwd/aexp"; nocase; http_uri; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-attack; sid:2101018; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT iissamples access"; flow:to_server,established; content:"/iissamples/"; nocase; http_uri; reference:nessus,11032; classtype:web-application-attack; sid:2101402; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT cmd? access"; flow:to_server,established; content:".cmd?&"; nocase; http_uri; classtype:web-application-attack; sid:2101003; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT Tomcat server exploit access"; flow:to_server,established; content:"/contextAdmin/contextAdmin.html"; nocase; http_uri; reference:bugtraq,1548; reference:cve,2000-0672; reference:nessus,10477; classtype:attempted-recon; sid:2101111; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"GPL EXPLOIT x86 Linux mountd overflow"; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:2100315; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT xp_filelist attempt"; flow:to_server,established; content:"xp_filelist"; nocase; classtype:web-application-attack; sid:2101059; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL EXPLOIT ttdbserv solaris overflow"; dsize:>999; flow:to_server,established; content:"|C0 22|?|FC A2 02| |09 C0|,|7F FF E2 22|?|F4|"; metadata: former_category EXPLOIT; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:2100570; rev:11; metadata:created_at 2010_09_23, updated_at 2017_06_29;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"GPL EXPLOIT AIX pdnsd overflow"; flow:to_server,established; dsize:>1000; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:2101261; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL EXPLOIT rsh bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,390; classtype:attempted-user; sid:2100607; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"GPL EXPLOIT Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:2100302; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"GPL EXPLOIT CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; reference:bugtraq,3517; reference:cve,2001-0803; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:2101398; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT .cmd executable file parsing attack"; flow:established,to_server; content:".cmd|22|"; nocase; http_uri; pcre:"/\.cmd\x22.*?\x26/Ui"; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:2103193; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability"; flow:established; content:"|21 00 21 03|"; pcre:"/[0-9a-zA-Z]{10}/R"; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; reference:bugtraq,27940; reference:url,doc.emergingthreats.net/bin/view/Main/2007933; classtype:misc-attack; sid:2007933; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL EXPLOIT ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101327; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT site/iisamples access"; flow:to_server,established; content:"/site/iisamples"; nocase; http_uri; reference:nessus,10370; classtype:web-application-activity; sid:2101046; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c0%af../"; http_raw_uri; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100981; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%9c../"; http_raw_uri; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100983; rev:19; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds"; flow:to_server,established; content:"/nds"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:!"|0d0a|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003145; classtype:web-application-attack; sid:2003145; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost"; flow:to_server,established; content:"/dhost"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:!"|0d0a|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003146; classtype:web-application-attack; sid:2003146; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds (linewrap)"; flow:to_server,established; content:"/nds"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:"|0d0a20|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003148; classtype:web-application-attack; sid:2003148; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost (linewrap)"; flow:to_server,established; content:"/dhost"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:"|0d0a20|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003147; classtype:web-application-attack; sid:2003147; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL EXPLOIT WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:2103199; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF Vulnerability"; flow:established; content:"|61 00 09 00 08 00 07 00 21 03|"; pcre:"/[0-9a-zA-Z]{10}/R"; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; reference:bugtraq,27940; reference:url,doc.emergingthreats.net/bin/view/Main/2007934; classtype:misc-attack; sid:2007934; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"GPL EXPLOIT Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows "; content:"Copyright |28|c|29| 20"; distance:0; content:"Microsoft Corp"; distance:0; reference:nessus,11633; classtype:successful-admin; sid:2102123; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Techique DUMP INTO executable)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"SELECT data FROM"; nocase; distance:0; content:"INTO DUMPFILE"; nocase; distance:0; content:"c|3a|/windows/system32/"; nocase; fast_pattern; content:".exe"; nocase; distance:0; pcre:"/SELECT data FROM [^\x20]+?\x20INTO DUMPFILE [\x27\x22]c\x3a\/windows\/system32\/[a-z0-9_-]+?\.exe[\x27\x22]/i"; reference:url,seclists.org/fulldisclosure/2012/Dec/att-13/; classtype:attempted-user; sid:2015995; rev:4; metadata:created_at 2012_12_05, updated_at 2012_12_05;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit -Java Atomic Exploit Downloaded"; flow:established,to_client; file_data; content:"PK"; within:2; content:"msf|2f|x|2f|"; distance:0; classtype:bad-unknown; sid:2016028; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2012_12_12, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit CVE-2013-0422 Landing Page"; flow:established,from_server; file_data; content:"<title>Loading, Please Wait...</title>"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{8}\.jar/"; classtype:attempted-user; sid:2016227; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_01_17, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - tcp"; flow:established,to_server; content:"|12 06 41 46 50 33 2e 31|"; pcre:"/[a-zA-Z0-9]{5}/i"; reference:bugtraq,27718; reference:url,aluigi.altervista.org/adv/ezipirla-adv.txt; reference:cve,CVE-2008-0759; reference:url,doc.emergingthreats.net/bin/view/Main/2007877; classtype:successful-dos; sid:2007877; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow"; content:"|44 53 52 65 71 75 65 73 74|"; pcre:"/[0-9a-zA-Z]{50}/R"; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; classtype:successful-dos; sid:2007937; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"ET EXPLOIT Siemens Gigaset SE361 WLAN Data Flood Denial of Service Vulnerability"; flow:to_server; content:"|90 90 90 90 90|"; depth:5; content:"|90 90 90 90 90|"; distance:0; content:"|90 90 90 90 90|"; distance:0; pcre:"/\x90{200}/"; reference:cve,CVE-2009-3322; reference:bugtraq,36366; reference:url,www.milw0rm.com/exploits/9646; reference:url,doc.emergingthreats.net/2009976; classtype:denial-of-service; sid:2009976; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET EXPLOIT MySQL Stack based buffer overrun Exploit Specific"; flow:to_server,established; content:"grant"; nocase; content:"file"; nocase; distance:0; content:"on"; distance:0; nocase; pcre:"/^\s+A{500}/R"; reference:url,seclists.org/fulldisclosure/2012/Dec/4; classtype:attempted-user; sid:2015975; rev:5; metadata:created_at 2012_12_03, updated_at 2012_12_03;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit js_property_spray sprayHeap"; flow:established,from_server; file_data; content:"sprayHeap"; nocase; pcre:"/^[\r\n\s]*?\x28[^\x29]*?shellcode/Ri"; reference:url,community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation; classtype:attempted-user; sid:2016519; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_03_04, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit mstime_malloc no-spray"; flow:established,from_server; file_data; content:"mstime_malloc"; nocase; pcre:"/^[\r\n\s]*?\x28[^\x29]*?shellcode/Ri"; reference:url,community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation; classtype:attempted-user; sid:2016824; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_05_06, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec In URI"; flow:to_server,established; content:"java.lang.Runtime@getRuntime().exec("; http_uri; nocase; classtype:attempted-user; sid:2016953; rev:3; metadata:created_at 2013_05_31, updated_at 2013_05_31;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL AllowStaticMethodAccess in client body"; flow:to_server,established; content:"memberAccess"; http_client_body; nocase; content:"allowStaticMethodAccess"; http_client_body; nocase; classtype:attempted-user; sid:2016954; rev:3; metadata:created_at 2013_05_31, updated_at 2013_05_31;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL AllowStaticMethodAccess in URI"; flow:to_server,established; content:"memberAccess"; http_uri; nocase; content:"allowStaticMethodAccess"; http_uri; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016956; rev:3; metadata:created_at 2013_05_31, updated_at 2013_05_31;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec in client body"; flow:to_server,established; content:"java.lang.Runtime@getRuntime().exec("; http_client_body; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016957; rev:3; metadata:created_at 2013_05_31, updated_at 2013_05_31;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java WriteFile in client_body"; flow:to_server,established; content:"java.io.FileOutputStream"; http_client_body; nocase; content:".write"; distance:0; nocase; http_client_body; content:"sun.misc.BASE64Decoder"; nocase; http_client_body; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016958; rev:3; metadata:created_at 2013_05_31, updated_at 2013_05_31;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java WriteFile in URI"; flow:to_server,established; content:"java.io.FileOutputStream"; http_uri; nocase; content:".write"; distance:0; nocase; http_uri; content:"sun.misc.BASE64Decoder"; nocase; http_uri; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016959; rev:3; metadata:created_at 2013_05_31, updated_at 2013_05_31;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit plugin-detect script access"; flow:established,to_client; file_data; content:"ScriptBridge.ScriptBridge"; content:"|00|h|00|t|00|t|00|p|00 3a 00 2f 00 2f 00|"; content:"|2f 00|v|00|w|00|.|00|p|00|h|00|p|00|?|00|i|00|="; distance:0; fast_pattern; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017006; rev:5; metadata:created_at 2013_06_11, updated_at 2013_06_11;)

alert udp any any -> $HOME_NET [623,664] (msg:"ET EXPLOIT IPMI Cipher 0 Authentication mode set"; content:"|07 06 10 00 00 00 00 00 00 00 00|"; offset:3; depth:11; content:"|00 00|"; distance:2; within:2; content:"|00 00 00 08 00 00 00 00 01 00 00 08 00 00 00 00 02 00 00 08 00 00 00 00|"; distance:6; within:24; reference:url,www.intel.com/content/dam/www/public/us/en/documents/product-briefs/second-gen-interface-spec-v2.pdf; reference:url,community.rapid7.com/community/metasploit/blog/2013/06/23/a-penetration-testers-guide-to-ipmi; classtype:attempted-admin; sid:2017094; rev:3; metadata:created_at 2013_07_03, updated_at 2013_07_03;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java ProcessBuilder URI"; flow:to_server,established; content:"java.lang.ProcessBuilder("; http_uri; nocase; classtype:attempted-user; sid:2017172; rev:4; metadata:created_at 2013_07_23, updated_at 2013_07_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java ProcessBuilder in client body"; flow:to_server,established; content:"java.lang.ProcessBuilder("; http_client_body; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2017173; rev:4; metadata:created_at 2013_07_23, updated_at 2013_07_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Wscript Shell Run Attempt - Likely Hostile"; flow:established,to_server; content:"WScript.Shell"; nocase; content:".Run"; nocase; within:100; pcre:"/[\r\n\s]+(?P<var1>([a-z]([a-z0-9_])*|_+([a-z0-9])([a-z0-9_])*))[\r\n\s]*\x3d[\r\n\s]*CreateObject\(\s*[\x22\x27]Wscript\.Shell[\x27\x22]\s*\).+?(?P=var1)\.run/si"; classtype:attempted-user; sid:2017205; rev:2; metadata:created_at 2013_07_26, updated_at 2013_07_26;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS  [25,587] (msg:"ET EXPLOIT Microsoft Outlook/Crypto API X.509 oid id-pe-authorityInfoAccessSyntax design bug allow blind HTTP requests attempt"; flow:to_server,established; content:"multipart/signed|3B|"; nocase; content:"application/pkcs7-signature|3B|"; nocase; distance:0; content:"|0A|QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB|0D|"; distance:0; reference:cve,2013-3870; reference:url,www.microsoft.com/technet/security/bulletin/MS13-068.mspx; reference:url,blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex; classtype:attempted-admin; sid:2017712; rev:10; metadata:created_at 2013_11_13, updated_at 2013_11_13;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT JavaX Toolkit Posting Plugin-Detect Data"; flow:established,to_server; content:"/post.php?referanceMod="; http_uri; nocase; content:"java"; http_uri; nocase; reference:url,github.com/MrXors/Javax/; classtype:attempted-user; sid:2017730; rev:4; metadata:created_at 2013_11_19, updated_at 2013_11_19;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Zollard PHP Exploit UA"; flow:established,to_server; content:"Zollard"; http_user_agent; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:trojan-activity; sid:2017798; rev:2; metadata:created_at 2013_12_04, updated_at 2013_12_04;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 1"; flow:established,to_server; content:"Jm9zX2ZsYXZvcj"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017896; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_12_23, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 2"; flow:established,to_server; content:"Zvc19mbGF2b3I9"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017897; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_12_23, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 3"; flow:established,to_server; content:"mb3NfZmxhdm9yP"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017898; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_12_23, updated_at 2016_07_01;)

alert tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service (Little Endian)"; flow:established,to_server; content:"MMcS"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017923; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)

alert tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service (Big Endian)"; flow:established,to_server; content:"ScMM"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017924; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)

alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass fw_sys_up.cgi"; flow:to_server,established; content:"GET"; http_method; nocase;  content:"/cgi-bin/fw_sys_up.cgi"; http_uri; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018156; rev:2; metadata:created_at 2014_02_18, updated_at 2014_02_18;)

alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass override.cgi"; flow:to_server,established; content:"GET";  http_method; nocase; content:"/cgi-bin/override.cgi"; http_uri; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018157; rev:2; metadata:created_at 2014_02_18, updated_at 2014_02_18;)

alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass share_editor.cgi"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/cgi-bin/share_editor.cgi"; http_uri; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018158; rev:2; metadata:created_at 2014_02_18, updated_at 2014_02_18;)

alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass switch_boot.cgi"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/cgi-bin/switch_boot.cgi"; http_uri; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018159; rev:3; metadata:created_at 2014_02_18, updated_at 2014_02_18;)

alert http $HOME_NET 8083 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Linksys Failed Upgrade BackDoor Access (Server Response)"; flow:from_server,established; file_data; content:"Utopia_Init|3a 20|SUCCEEDED"; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018160; rev:3; metadata:created_at 2014_02_18, updated_at 2014_02_18;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Possible BackupExec Metasploit Exploit (inbound)"; flow:established,to_server; content: "|09 01|"; offset:18; depth:2; content:"|00 03|"; distance:10; within:2; byte_jump:2,2,relative,big; content:"|00 00|"; within:2; byte_test:2,>,512,0,relative,big; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; reference:url,doc.emergingthreats.net/bin/view/Main/2002061; classtype:attempted-admin; sid:2002061; rev:5; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libPNG - Width exceeds limit"; flow:established,from_server; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; byte_test:4,>,0x80000000,8,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001191; classtype:misc-activity; sid:2001191; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT JamMail Jammail.pl Remote Command Execution Attempt"; flow: to_server,established; content:"/cgi-bin/jammail.pl?"; nocase; http_uri; fast_pattern:only; pcre:"/[\?&]mail=[^&]+?[\x3b\x2c\x7c\x27]/Ui"; reference:bugtraq,13937; reference:url,doc.emergingthreats.net/bin/view/Main/2001990; classtype:web-application-attack; sid:2001990; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 4"; flow:established,to_server; content:"/wsman/simple_auth.passwd"; http_uri; fast_pattern:5,20; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018588; rev:4; metadata:created_at 2014_06_20, updated_at 2014_06_20;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Technique)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"INSERT INTO"; nocase; distance:0; content:"#pragma namespace("; nocase; distance:0; content:"|5c 5c 5c|.|5c 5c 5c 5c|root|5c 5c 5c 5c|"; nocase; distance:0; content:"__EventFilter"; nocase; distance:0; content:" __InstanceModificationEvent"; nocase; distance:0; content:"TargetInstance"; nocase; distance:0; content:"Win32_LocalTime"; nocase; distance:0; content:"ActiveScriptEventConsumer"; nocase; distance:0; content:"JScript"; nocase; distance:0; content:"WScript.Shell"; nocase; distance:0; content:"WSH.run"; nocase; distance:0; content:".exe"; distance:0; content:"__FilterToConsumerBinding"; pcre:"/WSH\.run\x28\x5c+?[\x22\x27][a-z0-9_-]+?\.exe/"; reference:url,seclists.org/fulldisclosure/2012/Dec/att-13/; classtype:attempted-user; sid:2015996; rev:3; metadata:created_at 2012_12_05, updated_at 2012_12_05;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT libpng tRNS overflow attempt"; flow: established,to_client; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:!"PLTE"; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; reference:cve,CAN-2004-0597; reference:url,doc.emergingthreats.net/bin/view/Main/2001058; classtype:attempted-admin; sid:2001058; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware Tools Update OS Command Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"exec|3A|"; nocase; content:"args|3A|"; nocase; distance:0; content:"UpgradeTools_Task"; distance:0; reference:url,www.exploit-db.com/exploits/15717/; reference:cve,2010-4297; classtype:attempted-admin; sid:2012045; rev:5; metadata:created_at 2010_12_10, updated_at 2010_12_10;)

#alert http $EXTERNAL_NET any -> $HOME_NET 8899 (msg:"ET EXPLOIT Oracle Virtual Server Agent Command Injection Attempt"; flow: to_server,established; content:"POST"; http_method; content:"|0d 0a 0d 0a 3c 3f|xml|20|version"; nocase; content:"|3c|methodCall|3e|"; distance:0; content:"|3c|methodName|3e|"; distance:0; within:25; content:"|3c|params|3e|"; content:"|3c 2f|value|3e|"; distance:0; within:400; content:"|3c|param| 3e|"; distance:0; content:"|3c|value|3e|"; within:50; content:"|3c|string|3e|"; content:"|27|"; distance:0; within:50; content:"|3b|"; within:10; content:"|3b|"; content:"|27|"; distance:0; within:100; reference:url,exploit-db.com/exploits/15244/; classtype:attempted-user; sid:2012101; rev:3; metadata:created_at 2010_12_27, updated_at 2010_12_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Random Base CharCode JS Encoded String"; flow:from_server,established; file_data; content:"String.fromCharCode("; pcre:"/^(?=(?:(:?0x[a-f0-9]{2}|0+?\d{1,3})\s*?,\s*?)*?\d{1,3})(?=(?:(:?0x[a-f0-9]{2}|\d{1,3})\s*?,\s*?)*?0+?\d{1,3})(?=(?:(:?0+?\d{1,3}|\d{1,3})\s*?,\s*?)*?0x[a-f0-9]{2})(?:(:?0x[a-f0-9]{2}|0+?\d{1,3}|\d{1,3})\s*?,\s*?)+(:?0x[a-f0-9]{2}|0+?\d{1,3}|\d{1,3})\s*?\)/Rsi"; classtype:trojan-activity; sid:2019091; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2014_08_29, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit FireFox WebIDL Privileged Javascript Injection"; flow:from_server,established; file_data; content:".atob(String.fromCharCode("; pcre:"/^(?:90|0x5a|0+?132)\s*?,\s*?(?:71|0x47|0+?107)\s*?,\s*?(?:70|0x46|0+?106)\s*?,\s*?(?:48|0x30|0+?60)\s*?,\s*?(?:89|0x59|0+?131)\s*?,\s*?(?:84|0x54|0+?124)\s*?,\s*?(?:112|0x70|0+?160)/Rsi"; reference:url,www.exploit-db.com/exploits/34448/; classtype:trojan-activity; sid:2019085; rev:5; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2014_08_29, updated_at 2016_07_01;)

alert udp $HOME_NET 5351 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response Successful TCP Map to External Network"; dsize:16; content:"|82 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019491; rev:2; metadata:created_at 2014_10_22, updated_at 2014_10_22;)

alert udp $HOME_NET 5351 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response Successful UDP Map to External Network"; dsize:16; content:"|81 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019492; rev:2; metadata:created_at 2014_10_22, updated_at 2014_10_22;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Belkin N750 Buffer Overflow Attempt"; flow:established,to_server; content:"POST"; http_method; urilen:10; content:"/login.cgi"; http_uri; content:"GO=&jump="; http_client_body; depth:9; isdataat:1380,relative; reference:cve,CVE-2014-1635; reference:url,labs.integrity.pt/advisories/cve-2014-1635/; classtype:attempted-admin; sid:2019686; rev:3; metadata:created_at 2014_11_10, updated_at 2014_11_10;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct"; flow:to_client,established; file_data; content:"chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)"; reference:cve,2014-6332; classtype:attempted-user; sid:2019734; rev:3; metadata:created_at 2014_11_18, updated_at 2014_11_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct Hex Encode"; flow:to_client,established; file_data; content:"chrw|25|"; pcre:"/^(?:25)?282176\x25(?:25)?29\x25(?:25)?26chrw\x25(?:25)?2801/Rs"; reference:cve,2014-6332; classtype:attempted-user; sid:2019735; rev:3; metadata:created_at 2014_11_18, updated_at 2014_11_18;)

alert tcp any 2067 -> $EXTERNAL_NET any (msg:"ET EXPLOIT DLSw Information Disclosure CVE-2014-7992"; flow:established,from_server; content:"Cisco"; nocase; pcre:"/^(?: Systems|\.com\/techsupport)/Ri"; threshold:type both,count 1,seconds 60,track by_dst; reference:url,www.fishnetsecurity.com/6labs/blog/cisco-dlsw-leakage-allows-retrieval-packet-contents-remote-routers; reference:url,github.com/tatehansen/dlsw_exploit; reference:cve,2014-7992; classtype:trojan-activity; sid:2019778; rev:2; metadata:created_at 2014_11_24, updated_at 2014_11_24;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"ET EXPLOIT Zollard PHP Exploit Telnet Outbound"; flow:to_server,established; content:"/var/run/.zollard/"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:attempted-user; sid:2017800; rev:2; metadata:created_at 2013_12_04, updated_at 2013_12_04;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Zollard PHP Exploit Telnet Inbound"; flow:to_server,established; content:"/var/run/.zollard/"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:attempted-user; sid:2017799; rev:2; metadata:created_at 2013_12_04, updated_at 2013_12_04;)

alert tcp any any -> $HOME_NET 88 (msg:"ET EXPLOIT Possible PYKEK Priv Esc in-use"; flow:established,to_server; content:"|a4 11 18 0f|19700101000000Z|a5 11 18 0f|19700101000000Z|a6 11 18 0f|19700101000000Z"; content:"|a8 05 30 03 02 01 17|"; distance:8; within:7; threshold: type limit, track by_src, seconds 60, count 1; reference:url,github.com/bidord/pykek; reference:cve,CVE-2014-6324; classtype:attempted-admin; sid:2019897; rev:2; metadata:created_at 2014_12_09, updated_at 2014_12_09;)

alert tcp any any -> $HOME_NET 88 (msg:"ET EXPLOIT Possible GoldenPac Priv Esc in-use"; flow:established,to_server; content:"|a0 07 03 05 00 50 80 00 00|"; content:"|a8 05 30 03 02 01 17|"; distance:0; isdataat:!1,relative; threshold: type limit, track by_src, seconds 60, count 1; reference:url,code.google.com/p/impacket/source/browse/trunk/examples/goldenPac.py; reference:cve,CVE-2014-6324; classtype:attempted-admin; sid:2019922; rev:2; metadata:created_at 2014_12_11, updated_at 2019_09_28;)

alert http any any -> any [$HTTP_PORTS,7547] (msg:"ET EXPLOIT Possible Misfortune Cookie - SET"; flow:established,to_server; content:"Cookie|3a| C"; nocase; pcre:"/^[0-9][^=]/R"; flowbits:set,ET.Misfortune_Cookie; flowbits:noalert; reference:url,mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf; classtype:trojan-activity; sid:2020100; rev:2; metadata:created_at 2015_01_06, updated_at 2015_01_06;)

alert http any [$HTTP_PORTS,7547] -> any any (msg:"ET EXPLOIT Possible Misfortune Cookie RomPager Server banner"; flow:established,from_server; flowbits:isset,ET.Misfortune_Cookie; content:"Server|3a| RomPager"; nocase; http_header; reference:url,mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf; classtype:trojan-activity; sid:2020101; rev:2; metadata:created_at 2015_01_06, updated_at 2015_01_06;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,465,587] (msg:"ET EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt (HELO)"; flow:to_server,established; content:"HELO "; nocase; content:!"|0a|"; within:1024; pcre:"/^\s*?\d[\d\x2e]{255}/R"; reference:url,openwall.com/lists/oss-security/2015/01/27/9; classtype:attempted-admin; sid:2020325; rev:2; metadata:created_at 2015_01_28, updated_at 2015_01_28;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,465,587] (msg:"ET EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt (EHLO)"; flow:to_server,established; content:"EHLO "; nocase; content:!"|0a|"; within:1024; pcre:"/^\s*?\d[\d\x2e]{255}/R"; reference:url,openwall.com/lists/oss-security/2015/01/27/9; classtype:attempted-admin; sid:2020326; rev:4; metadata:created_at 2015_01_28, updated_at 2015_01_28;)

alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT PCMan FTP Server 2.0.7 Remote Command Execution"; flow:to_server,established; content:"|65 82 a5 7c|"; fast_pattern; content:"|90 90 90 90 90|"; distance:0; within:10; reference:url,exploit-db.com/exploits/36078; classtype:attempted-admin; sid:2020585; rev:2; metadata:created_at 2015_03_02, updated_at 2015_03_02;)

alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 19|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020661; rev:3; metadata:created_at 2015_03_10, updated_at 2015_03_10;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Browser Exploit Server Plugin Detect"; flow:from_server,established; file_data; content:"misc_addons_detect.hasSilverlight"; classtype:trojan-activity; sid:2017810; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_12_06, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 4"; flow:established,to_server; content:"POST"; http_method; content:"b3NfbmFtZT"; depth:10; http_client_body; pcre:"/^b3NfbmFtZT[A-Za-z0-9+/]{2}(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020751; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2015_03_25, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 5"; flow:established,to_server; content:"POST"; http_method; content:"Jm9zX3ZlbmRvcj"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020752; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2015_03_25, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 6"; flow:established,to_server; content:"POST"; http_method; content:"Zvc192ZW5kb3I9"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020753; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2015_03_25, updated_at 2016_07_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 7"; flow:established,to_server; content:"POST"; http_method; content:"mb3NfdmVuZG9yP"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020754; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2015_03_25, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Browser Exploit Server Plugin Detect 2"; flow:from_server,established; file_data; content:"var os_name|3b|"; content:"var os_vendor|3b|"; content:"var os_device|3b|"; content:"var os_flavor|3b|"; classtype:trojan-activity; sid:2020755; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2015_03_25, updated_at 2016_07_01;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL (Linux) Database Privilege Elevation (Exploit Specific)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"select |27|TYPE=TRIGGERS|27| into outfile|27|"; nocase; pcre:"/\s*?\/.+?\.TRG\x27\s*?LINES TERMINATED BY \x27\x5fntriggers=/Ri"; content:"CREATE DEFINER=|60|root|60|@|60|localhost|60|"; nocase; distance:0; pcre:"/\s+?trigger\s+?[^\x20]+?\s+?after\s+?insert\s+?on\s+?/Ri"; content:"UPDATE mysql.user"; nocase; fast_pattern:only; reference:cve,2012-5613; reference:url,seclists.org/fulldisclosure/2012/Dec/6; classtype:attempted-user; sid:2015992; rev:7; metadata:created_at 2012_12_05, updated_at 2012_12_05;)

#alert tcp $HOME_NET 50002 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Successful Etrust Secure Transaction Platform Identification and Entitlements Server File Disclosure Attempt"; flowbits:isset,ET.etrust.fieldis; flow:established,from_server; content:"<soap|3A|faultstring>Unknown user"; reference:url,shh.thathost.com/secadv/2009-06-15-entrust-ies.txt; reference:url,securitytracker.com/alerts/2010/Sep/1024391.html; classtype:misc-attack; sid:2011503; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Motorola SBG900 Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/goformFOO/AlFrame?"; http_uri; content:"/goformFOO/AlFrame?"; http_uri; distance:0; content:"Gateway.Wan.dnsAddress1="; http_uri; distance:0; reference:url,github.com/hkm/routerpwn.com/blob/master/index.html; classtype:attempted-admin; sid:2020861; rev:2; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 1"; flow:to_server,established; content:"GET"; http_method; content:"/start_apply.htm?"; http_uri; content:"wan_dns1="; http_uri; distance:0; content:"action_mode=apply"; http_uri; distance:0; reference:url,securityevaluators.com/knowledge/case_studies/routers/asus_rtn56u.php; classtype:attempted-admin; sid:2020862; rev:2; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 2"; flow:to_server,established; content:"GET"; http_method; content:"/start_apply.htm?"; http_uri; content:"wan_dns1_x="; http_uri; distance:0; reference:url,securityevaluators.com/knowledge/case_studies/routers/asus_rtn56u.php; classtype:attempted-admin; sid:2020863; rev:2; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT FritzBox RCE GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/cgi-bin/webcm?"; http_uri; fast_pattern; content:"getpage="; http_uri; distance:0; content:"|2e 2e|/html/menus/menu2.html"; http_raw_uri; content:"&var|3a|lang="; http_uri; reference:url,www.exploit-db.com/exploits/33136; classtype:attempted-admin; sid:2020868; rev:3; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear WNDR Router DNS Change POST Request"; flow:to_server,established; content:"POST"; http_method; urilen:26; content:"/apply.cgi?/BAS_update.htm"; http_uri; content:"submit_flag=ether"; http_client_body; depth:17; fast_pattern; content:"&ether_dnsaddr1="; http_client_body; distance:0; nocase; content:"&Apply=Apply"; http_client_body; distance:0; reference:url,www.s3cur1ty.de/node/640; classtype:attempted-admin; sid:2020859; rev:3; metadata:created_at 2015_04_07, updated_at 2015_04_07;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 3"; flow:to_server,established; content:"GET"; http_method; content:"/start_apply.htm?"; http_uri; fast_pattern; content:"dnsserver="; http_uri; distance:0; content:"&dnsserver2="; http_uri; distance:0; reference:url,securityevaluators.com/knowledge/case_studies/routers/asus_rtn56u.php; classtype:attempted-admin; sid:2020871; rev:2; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK Known Malicious Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/basic/uiViewIPAddr="; fast_pattern; http_uri; content:"&uiViewDns1Mark="; http_uri; distance:0; content:"&uiViewDns2Mark="; http_uri; distance:0; reference:url,pastebin.com/u0MRLmjp; classtype:attempted-admin; sid:2020872; rev:2; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-link DI604 Known Malicious Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/prim.htm?"; http_uri; depth:10; fast_pattern; nocase; content:"i00110004="; http_uri; distance:0; content:"&i00110005="; http_uri; distance:0; nocase; content:"&i00035007="; http_uri; distance:0; nocase; reference:url,www.gnucitizen.org/blog/router-hacking-challenge; classtype:attempted-admin; sid:2020873; rev:2; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Belkin G F5D7230-4 Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/setup_dns.stm?page=setup_dns"; http_uri; content:"&dns1_1="; http_uri; reference:url,www.gnucitizen.org/blog/holes-in-embedded-devices-authentication-bypass-pt-4; classtype:attempted-admin; sid:2020875; rev:2; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK TL-WR841N Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/userRpm/LanDhcpServerRpm.htm?"; http_uri; fast_pattern; content:"dhcpserver=1"; http_uri; content:"&dnsserver="; http_uri; content:"&Save="; http_uri; reference:url,www.exploit-db.com/exploits/34584; classtype:attempted-admin; sid:2020878; rev:2; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WRT54GL DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/Basic.tri?"; http_uri; fast_pattern; content:"&dns0_0="; http_uri; content:"&dns0_1="; http_uri; reference:url,sebug.net/paper/Exploits-Archives/2008-exploits/0803-exploits/linksys-bypass.txt; classtype:attempted-admin; sid:2020879; rev:2; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK TL-WR750N DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/userRpm/WanStaticIpCfgRpm.htm"; http_uri; fast_pattern; content:"&dnsserver="; http_uri; content:"&Save=Save"; http_uri; reference:url,www.xexexe.cz/2015/02/bruteforcing-tp-link-routers-with.html; classtype:attempted-admin; sid:2020880; rev:2; metadata:created_at 2015_04_08, updated_at 2015_04_08;)

alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M1"; content:"|01 00 00 01 00 01|"; depth:6; offset:2; pcre:"/^.{4}[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021572; rev:3; metadata:created_at 2015_08_01, updated_at 2015_08_01;)

alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M3"; content:"|00 00 00 01 00 01|"; depth:6; offset:2; pcre:"/^.{4}[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021574; rev:3; metadata:created_at 2015_08_01, updated_at 2015_08_01;)

alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M4"; content:"|00 00 00 01|"; depth:4; offset:2; content:"|00 01|"; distance:4; within:2; pcre:"/^[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021575; rev:4; metadata:created_at 2015_08_01, updated_at 2015_08_01;)

alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M2"; content:"|01 00 00 01|"; depth:4; offset:2; content:"|00 01|"; distance:4; within:2; pcre:"/^[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021573; rev:4; metadata:created_at 2015_08_01, updated_at 2015_08_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Firefox PDF.js Same-Origin-Bypass CVE-2015-4495 M1"; flow:established,from_server; file_data; content:"|76 69 65 77 2d 73 6f 75 72 63 65 3a|"; nocase; content:"|61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 6f 7a 2d 70 6c 61 79 70 72 65 76 69 65 77 2d 70 64 66 6a 73|"; fast_pattern:15,20; nocase; content:"|73 61 6e 64 62 6f 78 43 6f 6e 74 65 78 74|"; nocase; content:"return "; pcre:"/\We[\s\x22\x27,+]*?v[\s\x22\x27,+]*?a[\s\x22\x27,+]*?l\W/"; reference:cve,2015-4495; classtype:attempted-user; sid:2021601; rev:2; metadata:created_at 2015_08_10, updated_at 2015_08_10;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Firefox PDF.js Same-Origin-Bypass CVE-2015-4495 M2"; flow:established,from_server; file_data; content:"|77 69 6e 64 6f 77 73 5f 73 65 61 72 63 68 5f 61 6e 64 5f 75 70 6c 6f 61 64 5f 69 6e 5f 61 70 70 5f 64 61 74 61 5f 62 79 5f 64 69 73 6b|"; nocase; content:"|64 71 2e 61 77 61 69 74 41 6c 6c 28 63 61 6c 6c 62 61 63 6b 29|"; nocase; reference:url,nakedsecurity.sophos.com/2015/08/07/firefox-zero-day-hole-used-against-windows-and-linux-to-steal-passwords/; reference:cve,2015-4495; classtype:attempted-user; sid:2021606; rev:2; metadata:created_at 2015_08_11, updated_at 2015_08_11;)

alert http any any -> any 8081 (msg:"ET EXPLOIT Websense Content Gateway submit_net_debug.cgi cmd_param Param Buffer Overflow Attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/submit_net_debug.cgi"; nocase; http_uri; content:"cmd_param="; nocase; http_client_body; isdataat:500,relative; content:!"|0A|"; within:500; http_client_body; pcre:"/[\?\&]cmd_param=[^\&\r\n]{500}/Psi"; reference:cve,2015-5718; reference:url,seclists.org/fulldisclosure/2015/Aug/8; classtype:web-application-attack; sid:2021644; rev:3; metadata:created_at 2015_08_18, updated_at 2015_08_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)"; flow:from_server,established; file_data; content:"|3c 66 6f 72 6d 3e 3c 73 74 79 6c 65 3e 66 6f 72 6d 7b 2d 6d 73 2d 62 65 68 61 76 69 6f 72 3a 75 72 6c 28 22 63 22 29 3b 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 66 6f 72 6d 3e|"; nocase; fast_pattern:13,20; reference:cve,2015-2444; classtype:attempted-user; sid:2021713; rev:3; metadata:created_at 2015_08_25, updated_at 2015_08_25;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FireEye Appliance Unauthorized File Disclosure"; flow:established,to_server; content:"/NEI_ModuleDispatch.php"; http_uri; content:"module=NEI_AdvancedConfig"; distance:0; http_uri; content:"&function=HapiGetFileContents"; http_uri; fast_pattern:10,19; distance:0; pcre:"/(?:%2(?:52e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/))|e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))|\.(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))/Ii"; reference:url,www.exploit-db.com/exploits/38090/; classtype:trojan-activity; sid:2021756; rev:3; metadata:created_at 2015_09_09, updated_at 2015_09_09;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - ROP"; flow:established,from_server; file_data; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; content:"|98 2A 00 B0 B3 38 00 B0|"; fast_pattern; content:"|00 10 00 00 07 00 00 00 03 D0 00 D0 04 D0 00 D0 44 11 00 B0|"; distance:4; within:20; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021758; rev:2; metadata:created_at 2015_09_10, updated_at 2015_09_10;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - STSC"; flow:established,from_server; file_data; content:"stsc|00 00 00 00 C0 00 00 03|"; fast_pattern; content:!"|00 00 00 00|"; within:4; pcre:"/^(?P<addr1>.{4})(?P<addr2>.{4})(?P=addr2)(?P=addr1)/Rsi"; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021759; rev:2; metadata:created_at 2015_09_10, updated_at 2015_09_10;)

#alert tcp $EXTERNAL_NET 31337 -> $HOME_NET 64876 (msg:"ET EXPLOIT malformed Sack - Snort DoS-by-$um$id"; seq:0; ack:0; window:65535; dsize:0; reference:url,doc.emergingthreats.net/bin/view/Main/2002656; classtype:attempted-dos; sid:2002656; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Java Object Calling Common Collection Function"; flow:to_server,established; content:"rO0ABXNyA"; content:"jb21tb25zLmNvbGxlY3Rpb25z"; fast_pattern; distance:0; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022114; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Java Object Calling Common Collection Function"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"commons.collections"; nocase; distance:0; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022115; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Java Object Generated by ysoserial"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"java/io/Serializable"; nocase; distance:0; content:"ysoserial/payloads/util/Gadgets"; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022116; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Groovy Java Object Generated by ysoserial"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"org.codehaus.groovy.runtime.ConversionHandler"; nocase; distance:0; content:"ysoserial/payloads/util/Gadgets"; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022117; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Spring Java Object Generated by ysoserial"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"org.springframework.core.SerializableTypeWrapper"; nocase; distance:0; content:"ysoserial/payloads/util/Gadgets"; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022118; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)

alert tcp any any -> $HOME_NET 23 (msg:"ET EXPLOIT Juniper ScreenOS telnet Backdoor Default Password Attempt"; flow:established,to_server; content:"|3c 3c 3c 20 25 73 28 75 6e 3d 27 25 73 27 29 20 3d 20 25 75|"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:cve,2015-7755; reference:url,community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor; classtype:attempted-admin; sid:2022291; rev:1; metadata:created_at 2015_12_21, updated_at 2015_12_21;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Foxit PDF Reader Authentication Bypass Attempt"; flow:established,to_client; file_data; content:"%PDF-"; within:5; content:"Type/Action"; distance:0; nocase; content:"Launch"; nocase; within:40; content:"NewWindow true"; nocase; distance:0; pcre:"/Type\x2FAction.+Launch.+\x28\x2F[a-z]\x2F[a-z].+NewWindow\x20true/si"; reference:url,www.coresecurity.com/content/foxit-reader-vulnerabilities#lref.4; reference:cve,2009-0836; reference:url,doc.emergingthreats.net/2010878; classtype:attempted-user; sid:2010878; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Office Word 2007 sprmCMajority Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"|47 CA FF|"; content:"|3E C6 FF|"; distance:0; isdataat:84,relative; content:!"|0A|"; within:84; reference:url,www.exploit-db.com/moaub11-microsoft-office-word-sprmcmajority-buffer-overflow/; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-056.mspx; reference:bid,42136; reference:cve,2010-1900; classtype:attempted-user; sid:2011478; rev:6; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Windows Common Control Library Heap Buffer Overflow"; flow:established,from_server; content:"Content-Type|3a| image/svg|2b|xml"; nocase; file_data; content:"|3c|svg xmlns="; nocase; distance:0; content:"style|3d 22|fill|3a 20 23|ffffff|22|"; nocase; distance:0; content:"transform"; nocase; distance:0; pcre:"/^=\s*\x22\s*[^\s\x22\x28]{1000}/iR"; reference:bugtraq,43717; reference:url,www.microsoft.com/technet/security/bulletin/MS10-081.mspx; classtype:attempted-admin; sid:2012174; rev:9; metadata:created_at 2011_01_12, updated_at 2011_01_12;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Atomic Reference Exploit Attempt Metasploit Specific"; flow:established,from_server; file_data; content:"|3c|applet archive=|22|"; distance:0; content:".jar|22|"; distance:0; within:14; content:"code=|22|msf.x.Exploit.class|22|"; distance:0; fast_pattern:6,19; reference:cve,CVE-2012-0507; reference:url,www.metasploit.com/modules/exploit/multi/browser/java_atomicreferencearray; classtype:bad-unknown; sid:2014461; rev:8; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2012_04_04, updated_at 2016_07_01;)

alert ssh any $SSH_PORTS -> any any (msg:"ET EXPLOIT Possible CVE-2016-0777 Server Advertises Suspicious Roaming Support"; flow:established,to_client; content:"|14|"; offset:6; content:"resume@appgate.com"; distance:0; content:!"AppGateSSH_5.2"; reference:cve,2016-0777; reference:url,www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt; classtype:attempted-user; sid:2022369; rev:2; metadata:created_at 2016_01_14, updated_at 2016_01_14;)

alert tcp any any -> any $SSH_PORTS (msg:"ET EXPLOIT Possible CVE-2016-0777 Client Sent Roaming Resume Request"; flow:established,to_server; content:"|14|"; offset:6; content:"roaming@appgate.com"; distance:0; content:!"AppGateSSH_5.2"; reference:cve,2016-0777; reference:url,www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt; classtype:attempted-user; sid:2022370; rev:2; metadata:created_at 2016_01_14, updated_at 2016_01_14;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 03|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020630; rev:6; metadata:created_at 2015_03_06, updated_at 2015_03_06;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020668; rev:2; metadata:created_at 2015_03_10, updated_at 2015_03_10;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 28|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020664; rev:4; metadata:created_at 2015_03_10, updated_at 2015_03_10;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 14|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020660; rev:4; metadata:created_at 2015_03_10, updated_at 2015_03_10;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 06|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020631; rev:6; metadata:created_at 2015_03_06, updated_at 2015_03_06;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 17|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020669; rev:2; metadata:created_at 2015_03_10, updated_at 2015_03_10;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 29|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020665; rev:4; metadata:created_at 2015_03_10, updated_at 2015_03_10;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0E|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020633; rev:6; metadata:created_at 2015_03_06, updated_at 2015_03_06;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 08|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020632; rev:5; metadata:created_at 2015_03_06, updated_at 2015_03_06;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 11|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020659; rev:4; metadata:created_at 2015_03_10, updated_at 2015_03_10;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 27|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020663; rev:4; metadata:created_at 2015_03_10, updated_at 2015_03_10;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 2A|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020666; rev:4; metadata:created_at 2015_03_10, updated_at 2015_03_10;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 2B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020667; rev:4; metadata:created_at 2015_03_10, updated_at 2015_03_10;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 26|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020662; rev:5; metadata:created_at 2015_03_10, updated_at 2015_03_10;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 63|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,weakdh.org; classtype:bad-unknown; sid:2021124; rev:2; metadata:created_at 2015_05_20, updated_at 2015_05_20;)

#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 65|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,weakdh.org; classtype:bad-unknown; sid:2021125; rev:2; metadata:created_at 2015_05_20, updated_at 2015_05_20;)

#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Heap based buffer overrun Exploit Specific"; flow:to_server,established; byte_test:3,>,10000,0,little; content:"|00 03|"; offset:3; depth:2; pcre:"/^(USE|PASS|SELECT|UPDATE|INSERT|ASCII|SHOW|CREATE|DESCRIBE|DROP|ALTER)\s+?(.{1})\2{300}/Ri"; reference:url,archives.neohapsis.com/archives/fulldisclosure/2012-12/0006.html; classtype:attempted-user; sid:2015987; rev:3; metadata:created_at 2012_12_04, updated_at 2012_12_04;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102413; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 2200 (msg:"ET EXPLOIT Computer Associates BrightStor ARCserve Backup for Laptops LGServer.exe DoS"; flow:established,to_server; content:"|ff ff ff ff|"; offset:16; depth:4; reference:url,www.securityfocus.com/archive/1/archive/1/458650/100/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003379; classtype:attempted-dos; sid:2003379; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DCS-930L Remote Command Execution attempt"; flow:to_server,established; urilen:17; content:"POST"; nocase; http_method; content:"/setSystemCommand"; nocase; http_uri; content:"SystemCommand="; nocase; http_client_body; reference:url,www.exploit-db.com/exploits/39437/; classtype:web-application-attack; sid:2022518; rev:2; metadata:created_at 2016_02_12, updated_at 2016_02_12;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS16-009 IE MSHTML Form Element Type Confusion (CVE-2016-0061)"; flow:from_server,established; file_data; content:"opener"; nocase; fast_pattern; pcre:"/^\s*\[\s*[\x22\x27]\\u[a-f0-9]{4}\\u[a-f0-9]{4}/Rsi"; reference:cve,2016-0061; classtype:attempted-user; sid:2022524; rev:4; metadata:created_at 2016_02_16, updated_at 2016_02_16;)

alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible 2015-7547 Malformed Server response"; flow:from_server; content:"|00 01 00 00 00 00 00 00|"; offset:4; depth:8; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^[^\x00]+\x00\x00\x01/R"; reference:cve,2015-7547; classtype:attempted-user; sid:2022531; rev:1; metadata:created_at 2016_02_17, updated_at 2016_02_17;)

alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible 2015-7547 PoC Server Response"; flow:from_server; content:"|83 80 00 01 00 00 00 00 00 00|"; offset:2; depth:10; isdataat:2049; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; reference:cve,2015-7547; classtype:attempted-user; sid:2022542; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)

alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Long Response to A lookup"; flow:from_server; content:"|00 01|"; offset:4; depth:2; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^.{6}[^\x00]+/Rs"; content:"|00 00 01 00 01|"; within:5; reference:cve,2015-7547; classtype:attempted-user; sid:2022543; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)

alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Long Response to AAAA lookup"; flow:from_server; content:"|00 01|"; offset:4; depth:2; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^.{6}[^\x00]+/Rs"; content:"|00 00 1c 00 01|"; within:5; reference:cve,2015-7547; classtype:attempted-user; sid:2022544; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)

alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Malformed Server Response A/AAAA"; flow:from_server; content:"|00 01 00 00 00 00 00 00|"; offset:4; depth:10; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; reference:cve,2015-7547; classtype:attempted-user; sid:2022545; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET EXPLOIT Possible CVE-2015-7547 A/AAAA Record Lookup Possible Forced FallBack(fb set)"; flow:established,to_server; byte_test:2,<,513,0; byte_test:1,!&,128,4; byte_test:1,!&,64,4; byte_test:1,!&,32,4; byte_test:1,!&,16,4; byte_test:1,!&,8,4; content:"|00 01 00 00 00 00 00 00|"; offset:6; depth:8; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; flowbits:set,ET.CVE20157547.primer; flowbits:noalert; reference:cve,2015-7547; classtype:attempted-user; sid:2022546; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)

alert tcp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Large Response to A/AAAA query"; flow:established,from_server; flowbits:isset,ET.CVE20157547.primer; byte_test:2,>,2048,0; byte_test:1,&,128,4; byte_test:1,!&,64,4; byte_test:1,!&,32,4; byte_test:1,!&,16,4; byte_test:1,!&,8,4; content:"|00 01|"; offset:6; depth:2; reference:cve,2015-7547; classtype:attempted-user; sid:2022547; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js (Remote Debugger)"; flow:from_server,established; file_data; content:"/json/new/"; content:"javascript|3a|require"; distance:0; content:"child_process"; fast_pattern; distance:0; content:"spawnSync"; distance:0; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=773; classtype:trojan-activity; sid:2022693; rev:2; metadata:created_at 2016_03_31, updated_at 2016_03_31;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Quanta LTE Router Information Disclosure Exploit Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/data.ria?CfgType=get_homeCfg&file="; http_uri; fast_pattern; depth:35; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022698; rev:2; metadata:created_at 2016_04_05, updated_at 2016_04_05;)

alert udp $EXTERNAL_NET any -> $HOME_NET 39889 (msg:"ET EXPLOIT Quanta LTE Router UDP Backdoor Activation Attempt"; flow:to_server; content:"HELODBG"; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022699; rev:1; metadata:created_at 2016_04_05, updated_at 2016_04_05;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Quanta LTE Router RDE Exploit Attempt 1 (ping)"; flow:to_server,established; content:"POST"; http_method; content:"/webpost.cgi"; http_uri; content:"|7b 22 43 66 67 54 79 70 65 22 3a 22 70 69 6e 67 22 2c 22 63 6d 64 22 3a 22 70 69 6e 67 22 2c 22 75 72 6c 22 3a 22|"; http_client_body; fast_pattern; pcre:"/^[^\x22]*[\x24\x60]+/PRi"; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022700; rev:2; metadata:created_at 2016_04_05, updated_at 2016_04_05;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Quanta LTE Router RDE Exploit Attempt 2 (traceroute)"; flow:to_server,established; content:"POST"; http_method; content:"/webpost.cgi"; http_uri; content:"|7b 22 43 66 67 54 79 70 65 22 3a 22 74 72 61 63 65 72 74 22 2c 22 63 6d 64 22 3a 22 74 72 61 63 65 72 74 22 2c 22 75 72 6c 22 3a 22|"; http_client_body; fast_pattern; pcre:"/^[^\x22]*[\x24\x60]+/PRi"; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022701; rev:3; metadata:created_at 2016_04_05, updated_at 2016_04_05;)

alert tcp any any -> any 6129 (msg:"ET EXPLOIT Dameware DMRC Buffer Overflow Attempt (CVE-2016-2345)"; flow:established,to_server; content:"|44 9c 00 00|"; depth:4; content:"|90 90 90 90 90 90 90 90|"; distance:0; content:"|eb 06 ff ff 61 11 40 00 90 90 90 e9 6b fa ff ff|"; distance:0; reference:cve,2016-2345; reference:url,www.securifera.com/blog/2016/04/03/fun-with-remote-controllers-dameware-mini-remote-control-cve-2016-2345; classtype:attempted-admin; sid:2022712; rev:1; metadata:created_at 2016_04_06, updated_at 2016_04_06;)

alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT CVE-2016-1287 Public Exploit ShellCode"; content:"|60 c7 02 90 67 b9 09 8b 45 f8 8b 40 5c 8b 40 04 8b 40 08 8b 40 04 8b 00 85 c0 74 3b 50 8b 40 08 8b 40 04 8d 98 d8 00 00 00 58 81 3b d0 d4 00 e1 75 e4 83 7b 04 31 74 de 89 d8 2d 00 01 00 00 c7 40 04 03 01 00 00 c7 40 0c d0 00 00 00 c7 80 f8|"; reference:url,github.com/exodusintel/disclosures/blob/master/CVE_2016_1287_PoC; classtype:attempted-admin; sid:2022820; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Veritas backupexec_agent exploit"; flow:to_server,established; content:"|00 00 00 00 00 00 09 01|"; offset:12; depth:20; content: "|00 00 00 03|"; offset: 28; depth: 32; byte_jump: 4, 32; byte_test: 4,>,3000,0,relative; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,doc.emergingthreats.net/bin/view/Main/2002065; reference:cve,2004-1172; classtype:misc-attack; sid:2002065; rev:8; metadata:created_at 2010_07_30, updated_at 2016_06_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2209 Symantec PowerPoint Parsing Buffer Overflow M1"; flow:established,from_server; file_data; content:"|C8 6A CD E5 F1 2C B0 16 E6 F2 36 7B 41 2E 7F 4B C4 27 13 CF F3 1F FF 2B A8 2B 3A FE 09 77 BE CE 29 00 00 BA 0F 91 03 00 00|"; content:!"|00 00|"; distance:503; within:2; content:"|00 00 BA 0F 16 01 00 00|"; distance:913; within:8; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022923; rev:2; metadata:created_at 2016_06_29, updated_at 2016_06_29;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2209 Symantec PowerPoint Parsing Buffer Overflow M2"; flow:established,from_server; file_data; content:"|C8 6A CD E5 F1 2C B0 16 E6 F2 36 7B 41 2E 7F 4B C4 27 13 CF F3 1F FF 2B A8 2B 3A FE 09 77 BE CE 29 00 00 BA 0F A9 03 00 00|"; content:!"|00 00|"; distance:50; within:2; content:"|00 00 BA 0F 2E 01 00 00|"; distance:937; within:8; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022924; rev:2; metadata:created_at 2016_06_29, updated_at 2016_06_29;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow"; flow:established,from_server; file_data; content:"|4d 53 43 46|"; depth:4; byte_jump:4,8,little; isdataat:1; reference:cve,2016-2211; reference:cve,CVE-2014-9732; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022930; rev:2; metadata:created_at 2016_06_30, updated_at 2016_06_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M2"; flow:established,to_client; file_data; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022932; rev:2; metadata:created_at 2016_06_30, updated_at 2016_06_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M1"; flow:established,to_client; file_data; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022933; rev:2; metadata:created_at 2016_06_30, updated_at 2016_06_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toserver M3"; flow:established,to_server;  content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022935; rev:1; metadata:created_at 2016_06_30, updated_at 2016_06_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M4"; flow:established,to_client;  content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022936; rev:1; metadata:created_at 2016_06_30, updated_at 2016_06_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M3"; flow:established,to_client;  content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022937; rev:1; metadata:created_at 2016_06_30, updated_at 2016_06_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toserver M4"; flow:established,to_server;  content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022938; rev:1; metadata:created_at 2016_06_30, updated_at 2016_06_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Common Construct M1"; flow:established,from_server; file_data; content:"%u0008%u4141%u4141%u4141"; nocase; content:"redim"; nocase; content:"Preserve"; content:"2000"; distance:0; pcre:"/^\s*?\x29/Rs";  content:"%u400C%u0000%u0000%u0000"; nocase; reference:url,theori.io/research/cve-2016-0189; reference:cve,2016-0189; classtype:attempted-user; sid:2022971; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag CVE_2016_0189, signature_severity Major, created_at 2016_07_15, performance_impact Low, updated_at 2016_07_15;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Common Construct M2"; flow:established,from_server; file_data; content:"triggerBug"; nocase; content:"Dim "; nocase; distance:0; content:".resize"; nocase; pcre:"/^\s*\x28/Rs";  content:"Mid"; pcre:"/^\s*?\(x\s*,\s*1,\s*24000\s*\x29/Rs"; reference:url,theori.io/research/cve-2016-0189; reference:cve,2016-0189; classtype:attempted-user; sid:2022972; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_07_15, performance_impact Low, updated_at 2016_07_15;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"GPL EXPLOIT WEB-MISC JBoss RMI class download service directory listing attempt"; flow:to_server,established; content:"GET %. HTTP/1."; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2; classtype:web-application-attack; sid:2103461; rev:1; metadata:created_at 2016_08_04, updated_at 2016_08_04;)

alert udp any any -> any 161 (msg:"ET EXPLOIT Equation Group ExtraBacon Cisco ASA PMCHECK Disable"; content:"|bf a5 a5 a5 a5 b8 d8 a5 a5 a5 31 f8 bb a5|"; content:"|ac 31 fb b9 a5 b5 a5 a5 31 f9 ba a2 a5 a5 a5 31 fa cd 80 eb 14 bf|"; distance:2; within:22; content:"|31 c9 b1 04 fc f3 a4 e9 0c 00 00 00 5e eb ec e8 f8 ff ff ff 31 c0 40 c3|"; distance:4; within:24; reference:url,xorcatt.wordpress.com/2016/08/16/equationgroup-tool-leak-extrabacon-demo/; classtype:attempted-admin; sid:2023070; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2016_08_17, performance_impact Low, updated_at 2016_08_17;)

alert udp any any -> any 161 (msg:"ET EXPLOIT Equation Group ExtraBacon Cisco ASA AAAADMINAUTH Disable"; content:"|bf a5 a5 a5 a5 b8 d8 a5 a5 a5 31 f8 bb a5|"; content:"|ad 31 fb b9 a5 b5 a5 a5 31 f9 ba a2 a5 a5 a5 31 fa cd 80 eb 14 bf|"; distance:2; within:22; content:"|31 c9 b1 04 fc f3 a4 e9 0c 00 00 00 5e eb ec e8 f8 ff ff ff 31 c0 40 c3|"; distance:4; within:24; reference:url,xorcatt.wordpress.com/2016/08/16/equationgroup-tool-leak-extrabacon-demo/; classtype:attempted-admin; sid:2023071; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2016_08_17, performance_impact Low, updated_at 2016_08_17;)

alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET EXPLOIT CISCO FIREWALL SNMP Buffer Overflow Extrabacon (CVE-2016-6366)"; content:"|06 01 04 01 09 09 83 6B|"; pcre:"/^(?:\x01(?:(?:\x01(?:(?:\x04(?:(?:\x03(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b])?)?|\x04(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b])?)?|\x01(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a])?)?|\x02(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a])?)?))?|\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c])?|\x02(?:[\x01\x02\x03\x04])?|\x03(?:[\x01\x02])?))?|\x03(?:(?:\x03(?:\x01(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e])?)?)?|\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13])?|\x02(?:[\x01\x02])?))?|\x05(?:(?:\x02(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07])?)?|\x01(?:[\x01\x02\x03])?))?|\x02(?:(?:[\x01\x02]|\x03(?:\x01(?:[\x01\x02\x03])?)?))?|\x06(?:\x01(?:[\x01\x02\x03\x05\x06\x07\x08\x09\x0a\x0b])?)?|\x07(?:[\x01\x02])?|\x04))?|\x02(?:(?:\x02(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c])?|(?:\x01)?\x01))?)/Rsi"; content:"|81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10|"; within:160; fast_pattern; reference:cve,2016-6366; classtype:misc-attack; sid:2023086; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2016_08_25, performance_impact Low, updated_at 2016_08_25;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Challack Tool in use"; flow:no_stream,to_server; flags:R; dsize:1; content:"x"; threshold: type both, track by_dst, seconds 1, count 90; reference:url,www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf; reference:cve,2016-5696; classtype:misc-attack; sid:2023140; rev:2; metadata:affected_product Linux, attack_target Server, deployment Datacenter, signature_severity Major, created_at 2016_08_29, performance_impact Significant, updated_at 2016_08_29;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT RST Flood With Window"; flow:no_stream,to_server; flags:R; window:!0; threshold: type both, track by_dst, seconds 1, count 101; reference:url,www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf; reference:cve,2016-5696; classtype:misc-attack; sid:2023141; rev:2; metadata:affected_product Linux, attack_target Server, deployment Perimeter, signature_severity Major, created_at 2016_08_29, performance_impact Significant, updated_at 2016_08_29;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 (CVE 2016-3861) Set"; flow:established,from_server; file_data; content:"ftyp"; fast_pattern; offset:4; depth:4; content:"|00|"; distance:5; within:1; flowbits:set,ET.MP4Stagefright; flowbits:noalert; reference:cve,2016-3861; reference:url,googleprojectzero.blogspot.com.br/2016/09/return-to-libstagefright-exploiting.html; classtype:attempted-user; sid:2023184; rev:2; metadata:tag Android_Exploit, created_at 2016_09_12, updated_at 2016_09_12;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 (CVE 2016-3861) ROP"; flow:established,from_server; content:"ID3"; content:!"|FF|"; within:1; content:"|41 d8 41 d8 41 dc 41 d8 41 d8 41 dc|"; fast_pattern; within:800; pcre:"/^(\x41\xd8\x41\xd8\x41\xdc){2,}\x41\x00/R"; flowbits:isset,ET.MP4Stagefright; reference:cve,2016-3861; reference:url,googleprojectzero.blogspot.com.br/2016/09/return-to-libstagefright-exploiting.html; classtype:attempted-user; sid:2023185; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android_Exploit, signature_severity Major, created_at 2016_09_12, performance_impact Low, updated_at 2016_09_12;)

alert tcp any any -> $HOME_NET 3306 (msg:"ET EXPLOIT Possible MySQL CVE-2016-6662 Attempt"; flow:established,to_server; content:"|03|"; offset:4; content:"unhex"; nocase; distance:0; content:"67656e6572616c5f6c6f675f66696c65"; distance:0; nocase; content:"2e636e66"; nocase; content:"6e6d616c6c6f635f6c6962"; reference:cve,2016-6662; reference:url,legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html; classtype:attempted-admin; sid:2023201; rev:1; metadata:affected_product MySQL, attack_target Server, deployment Datacenter, created_at 2016_09_13, updated_at 2016_09_13;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2015-2419 As observed in Magnitude EK"; flow:established,from_server; file_data; content:"|5b 30 78 35 33 2c 20 30 78 35 35 2c 20 30 78 35 36 2c 20 30 78 65 38 2c 20 30 78 30 39 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 35 65 2c 20 30 78 35 64 2c 20 30 78 35 62 2c 20 30 78 38 62 2c 20 30 78 36 33 2c 20 30 78 30 63 2c 20 30 78 63 32 2c 20 30 78 30 63 2c 20 30 78 30 30 2c 20 30 78 39 30 5d|"; nocase; content:"|30 78 31 32 38 65 30 30 32 30|"; nocase; content:"|4a 53 4f 4e|"; nocase; content:"|73 74 72 69 6e 67 69 66 79|"; nocase; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2023253; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Magnitude_EK, signature_severity Major, created_at 2016_09_21, malware_family Magnitude, updated_at 2016_09_21;)

alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible Cisco IKEv1 Information Disclosure Vulnerability CVE-2016-6415"; dsize:>828; content:"|00 00 00 00 00 00 00 00 01 10|"; offset:8; depth:10; content:"|80 02 00|"; distance:30; byte_test:1,<,3,0,relative; byte_test:1,>,0,0,relative; content:"|80 04 00 01 00 06|"; distance:1; within:6; fast_pattern; byte_test:2,>,768,0,relative; reference:cve,2016-6415; classtype:attempted-user; sid:2023311; rev:1; metadata:affected_product Cisco_PIX, attack_target Networking_Equipment, deployment Datacenter, signature_severity Major, created_at 2016_09_29, performance_impact Low, updated_at 2016_09_29;)

alert udp any any -> $DNS_SERVERS 53 (msg:"ET EXPLOIT BIND9 msg->reserved Assertion DoS Packet Inbound (CVE-2016-2776)"; dsize:>512; content:"|00 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; content:"|00 00 01 00 01|"; distance:0; content:"|00 00 FA|"; distance:0; reference:cve,cve-2016-2776; reference:url,blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html; classtype:attempted-dos; sid:2023317; rev:3; metadata:affected_product BIND, attack_target Server, deployment Datacenter, signature_severity Major, created_at 2016_10_04, updated_at 2016_10_05;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DSL-2740R Remote DNS Change Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/Forms/dns_1?"; http_uri; fast_pattern; content:"Enable_DNSFollowing=1"; http_uri; distance:0; content:"dnsPrimary="; http_uri; distance:0; reference:url,www.exploit-db.com/exploits/35917; classtype:attempted-admin; sid:2023466; rev:3; metadata:created_at 2015_01_29, updated_at 2016_10_31;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT COMTREND ADSL Router CT-5367 Remote DNS Change Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/dnscfg.cgi?"; http_uri; fast_pattern; nocase; content:"dnsPrimary="; http_uri; content:"dnsDynamic="; http_uri; nocase; content:"dnsRefresh="; http_uri; nocase; reference:url,www.expku.com/remote/5853.html; classtype:attempted-admin; sid:2023467; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_31, updated_at 2016_10_31;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution"; flow:established,to_server; content:"POST"; http_method; content:"SOAPAction|3a|"; http_header; content:"http|3a|//purenetworks.com/HNAP1/"; fast_pattern; http_header; pcre:"/^SOAPAction\x3a\s+?[^\r\n]*?http\x3a\/\/purenetworks\.com\/HNAP1\/([^\x2f]+?[\x2f])?[^\x2f]/Hmi"; reference:url,devttys0.com/2015/04/hacking-the-d-link-dir-890l/; reference:cve,2016-6563; classtype:attempted-admin; sid:2020899; rev:4; metadata:created_at 2015_04_13, updated_at 2016_11_10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET EXPLOIT REDIS Attemted SSH Authorized Key Writing Attempt"; flow:established,to_server; content:"*"; depth:1; content:"config"; content:"set"; distance:0; content:"|0D 0A|dbfilename|0D 0A|"; distance:0; content:"|0D 0A|authorized_keys|0D 0A|"; distance:0; reference:url,antirez.com/news/96; classtype:attempted-admin; sid:2023511; rev:1; metadata:attack_target Client_Endpoint, deployment Datacenter, tag SCAN_Redis_SSH, signature_severity Major, created_at 2016_11_15, updated_at 2016_11_15;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET EXPLOIT REDIS Attempted SSH Key Upload"; flow:established,to_server; content:"*"; depth:1; content:"|0D 0A|set|0D 0A|"; content:"ssh-rsa "; distance:0; reference:url,antirez.com/news/96; classtype:attempted-admin; sid:2023512; rev:1; metadata:attack_target Client_Endpoint, deployment Datacenter, tag SCAN_Redis_SSH, signature_severity Major, created_at 2016_11_15, updated_at 2016_11_15;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Firefox 0-day used against TOR browser Nov 29 2016 M1"; flow:established,from_server; file_data; content:"|66 69 6e 64 50 6f 70 52 65 74|"; nocase; content:"|66 69 6e 64 53 74 61 63 6b 50 69 76 6f 74|"; nocase; content:"|56 69 72 74 75 61 6c 41 6c 6c 6f 63|"; nocase; content:"|72 6f 70 43 68 61 69 6e|"; nocase; content:"|6b 65 72 6e 65 6c 33 32 2e 64 6c 6c|"; nocase; reference:url,arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/; classtype:attempted-admin; sid:2023559; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Firefox, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2016_11_30, performance_impact Low, updated_at 2016_11_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Firefox 0-day used against TOR browser Nov 29 2016 M2"; flow:established,from_server; file_data; content:"|72 6f 70 43 68 61 69 6e 28 72 6f 70 42 61 73 65 2c 76 74 61 62 6c 65 5f 6f 66 66 73 65 74 2c 31 30 2c 72 6f 70 41 72 72 42 75 66 29 3b|"; nocase; reference:url,arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/; classtype:attempted-admin; sid:2023560; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Firefox, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2016_11_30, performance_impact Low, updated_at 2016_11_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30"; flow:established,from_server; file_data; content:"|43 6f 6c 6c 65 63 74 47 61 72 62 61 67 65|"; nocase; content:"|73 70 72 61 79 48 65 61 70|"; nocase; content:"|73 65 74 41 64 64 72 65 73 73|"; nocase; content:"|30 78 63 36 62 65 63|"; nocase; content:"|30 78 46 46 46 46 30 30 30 30|"; nocase; classtype:attempted-admin; sid:2023568; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_11_30, updated_at 2016_11_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30"; flow:established,from_server; file_data; content:"|77 72 69 74 65 4e 28 72 6f 70 61 64 64 72 20 2b 20 69 20 2a 20 34 2c 20 72 6f 70 5b 69 5d 2c 20 34 29 3b|"; classtype:attempted-admin; sid:2023569; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major, created_at 2016_11_30, updated_at 2016_11_30;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear R7000 Command Injection Exploit"; flow:established,to_server; content:"/cgi-bin/"; http_uri; depth:9; content:"$IFS"; http_uri; fast_pattern; distance:0; content:"|3b|"; http_uri; reference:url,www.kb.cert.org/vuls/id/582384; classtype:attempted-user; sid:2023628; rev:2; metadata:affected_product Netgear_Router, attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2016_12_12, performance_impact Low, updated_at 2016_12_12;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2016-10033 PHPMailer RCE Attempt"; flow:to_server,established; content:"POST"; http_method; content:"Content-Type|3a 20|multipart/form-data|3b|"; http_header; content:"<?php"; http_client_body; fast_pattern; content:"|5c 22 20|"; http_client_body; content:"-X"; http_client_body; content:".php"; http_client_body; content:"@"; http_client_body; reference:url,legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html; reference:url,github.com/opsxcq/exploit-CVE-2016-10033; classtype:attempted-user; sid:2023686; rev:2; metadata:affected_product PHPMailer, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2016_12_27, performance_impact Low, updated_at 2016_12_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) Observed in SunDown EK 1"; flow:established,to_client; file_data; content:"0x1DA2F5"; fast_pattern; nocase; content:"0x1DA2CB"; nocase; distance:0; content:"getPrototypeOf"; nocase; content:".__proto__"; nocase; content:"Symbol.species"; reference:cve,2016-7200; reference:url,malware.dontneedcoffee.com/2017/01/CVE-2016-7200-7201.html; classtype:attempted-user; sid:2023700; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Critical, created_at 2017_01_06, updated_at 2017_01_06;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) Observed in SunDown EK 2"; flow:established,to_client; file_data; content:"rop.length"; fast_pattern; nocase; content:"Write64"; nocase; distance:0; pcre:"/^\s*\x28\s*retPtrAddr\.add\s*\x28\s*i\s*\*\s*8\s*\x29\s*,\s*rop\s*\x5b/Rsi"; reference:cve,2016-7200; reference:url,malware.dontneedcoffee.com/2017/01/CVE-2016-7200-7201.html; classtype:attempted-user; sid:2023701; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Critical, created_at 2017_01_06, updated_at 2017_01_06;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) B642"; flow:established,from_server; file_data; content:"RyaWdnZXJGaWxsRnJvbVByb3RvdHlwZXNCdW"; classtype:trojan-activity; sid:2023703; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Critical, created_at 2017_01_06, updated_at 2017_01_06;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) B643"; flow:established,from_server; file_data; content:"UcmlnZ2VyRmlsbEZyb21Qcm90b3R5cGVzQnVn"; classtype:trojan-activity; sid:2023704; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Critical, created_at 2017_01_06, updated_at 2017_01_06;)

alert udp $HOME_NET 5351 -> [!224.0.0.1,$EXTERNAL_NET] any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response to External Network"; dsize:12; content:"|80 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019490; rev:3; metadata:created_at 2014_10_22, updated_at 2017_01_06;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) Observed in SunDown EK 3"; flow:established,from_server; file_data; content:"|66 75 6e 63 74 69 6f 6e 20 54 72 69 67 67 65 72 46 69 6c 6c 46 72 6f 6d 50 72 6f 74 6f 74 79 70 65 73 42 75 67 28 6c 6f 2c 20 68 69 29|"; nocase; content:"|63 68 61 6b 72 61 42 61 73 65 2e 61 64 64|"; nocase; content:"|73 68 63 6f 64 65 41 64 64 72 2e 61 6e 64|"; nocase; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2023699; rev:3; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Critical, created_at 2017_01_06, updated_at 2017_01_06;)

#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Ticketbleed Client Hello (CVE-2016-9244)"; flow:established,from_client; content:"|16 03|"; depth:2; content:"|01|"; distance:3; within:1; content:"|03 03|"; distance:3; within:2; byte_test:1,<,32,32,relative; byte_test:1,>,1,32,relative; flowbits:set,ET.ticketbleed; flowbits:noalert; reference:cve,2016-9244; reference:url,filippo.io/Ticketbleed; classtype:misc-attack; sid:2023896; rev:3; metadata:affected_product HTTP_Server, attack_target Server, deployment Datacenter, signature_severity Major, created_at 2017_02_10, performance_impact Moderate, updated_at 2017_02_13;)

#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Ticketbleed Server Hello (CVE-2016-9244)"; flow:established,to_client; content:"|16 03|"; depth:2; content:"|02|"; distance:3; within:1; content:"|03 03|"; distance:3; within:2; content:"|20|"; distance:32; within:1; flowbits:isset,ET.ticketbleed; reference:url,filippo.io/Ticketbleed; reference:cve,2016-9244; classtype:misc-attack; sid:2023897; rev:3; metadata:affected_product HTTP_Server, attack_target Server, deployment Datacenter, signature_severity Major, created_at 2017_02_10, performance_impact Moderate, updated_at 2017_02_13;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK DNS Change GET Request (DNSChanger EK)"; flow:to_server,established; content:"GET"; http_method; content:"/userRpm/"; http_uri; depth:9; fast_pattern; content:"&dnsserver="; http_uri; threshold:type both,track by_dst,count 3, seconds 90; reference:url,www.xexexe.cz/2015/02/bruteforcing-tp-link-routers-with.html; classtype:attempted-admin; sid:2023995; rev:1; metadata:affected_product Linux, attack_target Networking_Equipment, deployment Internet, signature_severity Major, created_at 2017_02_17, performance_impact Moderate, updated_at 2017_02_17;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 2381 (msg:"ET EXPLOIT HP Smart Storage Administrator Remote Command Injection"; flow:to_server,established; content:"echo -n|20|"; pcre:"/^\s*(?:f0VMR|9FTE|\/RUxG)/R"; metadata: former_category EXPLOIT; reference:cve,2016-8523; classtype:attempted-user; sid:2024063; rev:2; metadata:affected_product HP_Smart_Storage_Administrator, attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2017_03_15, performance_impact Low, updated_at 2017_03_15;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-LINK DIR-615 Cross-Site Request Forgery (CVE-2017-7398)"; flow:from_server,established; file_data; content:"/form2WlanBasicSetup.cgi"; fast_pattern; nocase; content:"method"; nocase; distance:0; pcre:"/^\s*=\s*[\x27\x22]\s*POST/Rsi"; content:"ssid"; nocase; content:"save"; nocase; content:"Apply"; nocase; distance:0; metadata: former_category EXPLOIT; reference:cve,CVE-2017-7398; classtype:attempted-user; sid:2024181; rev:2; metadata:affected_product D_Link_DIR_615, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_05, performance_impact Low, updated_at 2017_04_05;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link Archer C2 and Archer C20i Remote Code Execution"; flow:to_server,established; content:"POST"; http_method; content:"/cgi?"; http_uri; nocase; content:"/mainFrame.htm"; http_header; content:"IPPING"; nocase; http_client_body; content:"X_TP_ConnName=ewan_ipoe_s"; fast_pattern; http_client_body; metadata: former_category EXPLOIT; reference:url,github.com/reverse-shell/routersploit/blob/master/routersploit/modules/exploits/tplink/archer_c2_c20i_rce.py; classtype:attempted-recon; sid:2024191; rev:2; metadata:affected_product TPLINK, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_07, performance_impact Low, updated_at 2017_04_07;)

alert tcp any any -> $HOME_NET 23 (msg:"ET EXPLOIT Cisco Catalyst Remote Code Execution (CVE-2017-3881)"; flow:to_server,established; content:"|ff fa 24 00 03|CISCO_KITS"; content:"|3a|"; distance:2; within:1; isdataat:160,relative; content:!"|3a|"; within:160; metadata: former_category EXPLOIT; reference:url,artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/; classtype:attempted-user; sid:2024194; rev:1; metadata:affected_product CISCO_Catalyst, attack_target IoT, deployment Datacenter, signature_severity Critical, created_at 2017_04_10, performance_impact Low, updated_at 2017_04_10;)

alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALROMANCE MS17-010"; flow:from_server,established; content:"|FF|SMB|25 05 00 00 80|"; offset:4; depth:9; content:"LSbfLScnLSepLSlfLSmf"; distance:0; fast_pattern; content:"LSrfLSsrLSscLSblLSss"; within:20; content:"LSshLStrLStcLSopLScd"; within:20; flowbits:set,ETPRO.ETERNALROMANCE; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024208; rev:1; metadata:attack_target SMB_Server, deployment Internal, signature_severity Critical, created_at 2017_04_17, updated_at 2017_04_17;)

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Successful ETERNALROMANCE MS17-010 - Windows Executable Observed"; flow:to_server,established; flowbits:isset,ETPRO.ETERNALROMANCE; content:"|FF|SMB|26 00 00 00 00|"; offset:4; depth:9; content:"|4d 5a|"; distance:0; content:"This program cannot be run"; nocase; distance:0; fast_pattern:6,20; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024207; rev:2; metadata:attack_target SMB_Server, deployment Internal, signature_severity Critical, created_at 2017_04_17, updated_at 2017_04_17;)

alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible DOUBLEPULSAR Beacon Response"; flow:from_server,established; content:"|00 00 00 23 ff|SMB2|02 00 00 c0 98 07 c0 00 00|"; depth:18; content:"|00 00 00 08 ff fe 00 08|"; distance:8; within:8; fast_pattern; pcre:"/^[\x50-\x59]/R"; content:"|00 00 00|"; distance:1; within:3; isdataat:!1,relative; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024216; rev:1; metadata:attack_target SMB_Server, deployment Internal, signature_severity Critical, created_at 2017_04_17, updated_at 2019_09_28;)

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ECLIPSEDWING RPCTOUCH MS08-067"; flow:to_server,established;  content:"|ff|SMB|2f 00 00 00 00|"; offset:4; depth:9; content:"NTLMSSP|00 03 00 00 00 01 00 01 00|"; distance:0; fast_pattern; content:"|00 00 00 00 49 00 00 00|"; distance:4; within:8; content:"|00 00 00 00 48 00 00 00|"; within:8; content:"|00 00 00 00 48 00 00 00|"; within:8; content:"|00 00 00 00 48 00 00 00|"; within:8; content:"|00 00 00 00 49 00 00 00|"; within:8; content:"|00 00 00 00 00 00 00 00 00|"; distance:4; within:9; isdataat:!1,relative; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024214; rev:1; metadata:attack_target SMB_Server, deployment Internal, signature_severity Critical, created_at 2017_04_17, updated_at 2019_09_28;)

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ECLIPSEDWING MS08-067"; flow:to_server,established; content:"|ff|SMB|2f 00 00 00 00|"; offset:4; depth:9; content:"|00 00 00 00 ff ff ff ff 08 00|"; distance:30; within:10; content:"|2e 00 00 00 00 00 00 00 2e 00 00 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; within:12; fast_pattern; content:"|2e 00 00 00 00 00 00 00 2e 00 00 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; within:12; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; distance:0; isdataat:800,relative; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024215; rev:1; metadata:attack_target SMB_Server, deployment Internal, signature_severity Critical, created_at 2017_04_17, updated_at 2017_04_17;)

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALCHAMPION MS17-010 Sync Request (set)"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18 03 c0 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:4; depth:24; content:"|00 00 00 00 ff ff ff ff 00 00|"; distance:17; within:10; content:"|5c 00 50 00 49 00 50 00 45 00 5c 00 4c 00 41 00 4e 00 4d 00 41 00 4e 00 00 00|"; distance:13; within:26; content:"|82 00|zb12g12DWrLehig24"; within:19; fast_pattern; flowbits:set,ET.ETERNALCHAMPIONsync; flowbits:noalert; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024212; rev:2; metadata:attack_target SMB_Server, deployment Internal, signature_severity Critical, created_at 2017_04_17, updated_at 2017_04_17;)

alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALCHAMPION MS17-010 Sync Response"; flow:from_server,established; flowbits:isset,ET.ETERNALCHAMPIONsync; content:"|ff|SMB|25 00 00 00 00 98 03 c0 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:4; depth:24; fast_pattern:4,20; content:"|7c 00|"; distance:32; within:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:100; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:100; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:100; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; isdataat:!1,relative; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024213; rev:2; metadata:attack_target SMB_Server, deployment Internal, signature_severity Critical, created_at 2017_04_17, updated_at 2019_09_28;)

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALROMANCE MS17-010 Heap Spray"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18|"; offset:4; depth:10; content:"|07 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 08|"; fast_pattern; within:16; content:"|00 08|"; distance:2; within:2; content:"|0e 00 00 40 00|"; distance:2; within:5; content:"|00 00 00 00 00 00 01 00 00 00 00 00 00 00 00|"; distance:2; within:15; content:"|00 00 00 00 00 00 00 00 00|"; isdataat:!1,relative; threshold: type threshold, track by_src, count 20, seconds 1; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024219; rev:1; metadata:attack_target SMB_Server, deployment Internal, signature_severity Critical, created_at 2017_04_17, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible EXPLODINGCAN IIS5.0/6.0 Exploit Attempt"; flow:to_server,established; urilen:1; content:"PROPFIND"; http_method; content:"Content-Length|3a 20|0|0d 0a|Host|3a 20|"; http_header; depth:25; content:"|0d 0a|If|3a 20|<http"; fast_pattern; http_header; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024222; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Critical, created_at 2017_04_18, updated_at 2017_04_18;)

alert http any any -> $HOME_NET 8082 (msg:"ET EXPLOIT BlueCoat CAS v1.3.7.1 Report Email Command Injection attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/report-email/send"; nocase; http_uri; content:"/dev-report-overview.html"; nocase; http_client_body; content:"|3B|"; http_client_body; distance:0; pcre:"/\/dev-report-overview\.html[^\"]*?\x3b/Pi"; metadata: former_category EXPLOIT; reference:cve,2016-9091; reference:url,www.exploit-db.com/exploits/41785/; reference:url,bto.bluecoat.com/security-advisory/sa138; classtype:web-application-attack; sid:2024234; rev:2; metadata:affected_product HTTP_Server, attack_target Web_Server, deployment Internal, signature_severity Major, created_at 2017_04_21, performance_impact Moderate, updated_at 2017_04_21;)

alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound"; flow:to_server; content:"|84 00 00|"; byte_test:1,<,9,0,relative; byte_jump:1,0,relative,post_offset -4; content:"|00 00 00|"; within:3; byte_test:1,<,8,0,relative; metadata: former_category EXPLOIT; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022506; rev:3; metadata:created_at 2016_02_11, updated_at 2017_05_02;)

alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound 2"; flow:to_server; content:"|84 20|"; depth:2; offset:16; byte_test:2,<,9,12,relative; metadata: former_category EXPLOIT; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022515; rev:2; metadata:created_at 2016_02_12, updated_at 2017_05_02;)

alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound 3"; flow:to_server; content:"|84 10|"; depth:2; offset:16; byte_test:2,<,9,12,relative; metadata: former_category EXPLOIT; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022516; rev:2; metadata:created_at 2016_02_12, updated_at 2017_05_02;)

#alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT Foofus.net Password dumping dll injection"; flow:to_server,established; content:"|6c 00 73 00 72 00 65 00 6d 00 6f 00 72 00 61|"; metadata: former_category EXPLOIT; reference:url,xinn.org/Snort-fgdump.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008476; classtype:suspicious-filename-detect; sid:2008476; rev:4; metadata:created_at 2010_07_30, updated_at 2017_05_08;)

alert http any any -> $HOME_NET [16992,16993,623,664] (msg:"ET EXPLOIT Intel AMT Login Attempt Detected (CVE 2017-5689)"; flow:to_server,established; content:"Authorization|3a 20|Digest"; http_header; content:"username=|22|"; http_header; content:"response="; http_header; fast_pattern; pcre:"/^\s*\x22{2}/HR"; metadata: former_category EXPLOIT; reference:url,mjg59.dreamwidth.org/48429.html; reference:url,www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability; reference:cve,2017-5689; classtype:attempted-admin; sid:2024287; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Major, created_at 2017_05_10, performance_impact Moderate, updated_at 2017_05_10;)

alert tcp any any -> $HOME_NET 1556 (msg:"ET EXPLOIT NB8-01 - Unauthed RCE via bprd"; flow:established,to_server; content:"ack="; depth:4; content:"extension=bprd"; distance:0; fast_pattern; pcre:"/^.*?[\x24\x60]/R"; metadata: former_category EXPLOIT; reference:url,seclists.org/fulldisclosure/2017/May/27; classtype:web-application-attack; sid:2024308; rev:1; metadata:attack_target Server, deployment Internal, signature_severity Major, created_at 2017_05_17, performance_impact Moderate, updated_at 2017_05_17;)

alert tcp any any -> $HOME_NET 1556 (msg:"ET EXPLOIT NB8-02 - Possible Unauthed RCE via nbbsdtar"; flow:established,to_server; content:"ack="; depth:4; content:"extension=bprd"; distance:0; fast_pattern; content:"/bin/"; distance:0; metadata: former_category EXPLOIT; reference:url,seclists.org/fulldisclosure/2017/May/27; classtype:web-application-attack; sid:2024309; rev:1; metadata:attack_target Server, deployment Internal, signature_severity Major, created_at 2017_05_17, performance_impact Moderate, updated_at 2017_05_17;)

alert tcp any any -> $HOME_NET 1556 (msg:"ET EXPLOIT NB8-04 - Possible Unauthed RCE via whitelist bypass"; flow:established,to_server; content:"ack="; depth:4; content:"extension=bprd"; distance:0; fast_pattern; content:"BPCD_WHITELIST_PATH"; distance:0; metadata: former_category EXPLOIT; reference:url,seclists.org/fulldisclosure/2017/May/27; classtype:web-application-attack; sid:2024310; rev:1; metadata:attack_target Server, deployment Internal, signature_severity Major, created_at 2017_05_17, performance_impact Moderate, updated_at 2017_05_17;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (.so file write to share) (CVE-2017-7494)"; flow:to_server,established; content:"SMB|2d 00|"; offset:5; depth:5; content:"|00 00|"; distance:1; within:2; content:"|12 00|"; distance:40; within:2; content:"|2e|so|00|"; fast_pattern; distance:16; metadata: former_category EXPLOIT; reference:cve,2017-7494; reference:url,github.com/rapid7/metasploit-framework/pull/8450; classtype:attempted-admin; sid:2024335; rev:1; metadata:attack_target SMB_Server, deployment Datacenter, signature_severity Critical, created_at 2017_05_25, performance_impact Low, updated_at 2017_05_25;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (NT Create AndX .so) (CVE-2017-7494)"; flow:to_server,established; content:"SMB|a2 00|"; offset:5; depth:5; content:"|00 00|"; distance:1; within:2; content:"|2e|so|00|"; fast_pattern; distance:16; metadata: former_category EXPLOIT; reference:cve,2017-7494; reference:url,github.com/rapid7/metasploit-framework/pull/8450; classtype:attempted-admin; sid:2024336; rev:1; metadata:attack_target SMB_Server, deployment Datacenter, signature_severity Critical, created_at 2017_05_25, performance_impact Low, updated_at 2017_05_25;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible $MFT NTFS Device Access in HTTP Response"; flow:from_server,established; content:"file://"; content:"/$MFT/"; distance:0; fast_pattern; content:"src"; pcre:"/^\s*=\s*[^>]*file\x3a[^>]*\/\x24MFT\//Ris"; metadata: former_category EXPLOIT; reference:url,www.securitytracker.com/id/1038575; classtype:trojan-activity; sid:2024337; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_30, performance_impact Moderate, updated_at 2017_05_30;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability M2 (NT Create AndX .so) (CVE-2017-7494)"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|05 00|"; distance:8; within:2; content:"|00 2e 00 73 00 6f 00|"; distance:0; fast_pattern; isdataat:!1,relative; metadata: former_category EXPLOIT; reference:cve,2017-7494; classtype:attempted-admin; sid:2024384; rev:1; metadata:affected_product Linux, attack_target Server, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2017_06_16, performance_impact Moderate, updated_at 2019_09_28;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible SharePoint XSS (CVE-2017-8514) Inbound"; flow:to_server,established; content:"FollowSite="; http_uri; nocase; fast_pattern; content:"SiteName="; http_uri; nocase; content:"-confirm"; http_uri; nocase; distance:0; metadata: former_category EXPLOIT; reference:url,respectxss.blogspot.fr/2017/06/a-look-at-cve-2017-8514-sharepoints.html; classtype:attempted-user; sid:2024412; rev:2; metadata:affected_product HTTP_Server, attack_target Server, deployment Internal, signature_severity Major, created_at 2017_06_19, performance_impact Moderate, updated_at 2017_06_19;)

alert tcp any any -> $HOME_NET 9100 (msg:"ET EXPLOIT HP Printer Attempted Path Traversal via PJL"; flow:to_server,established; content:"@PJL FS"; depth:7;  content:"NAME="; distance:0; pcre:"/^\s*[\x22\x27][^\x22\x27]{0,128}\x2e\x2e/Ri"; metadata: former_category EXPLOIT; reference:url,www.tenable.com/blog/rooting-a-printer-from-security-bulletin-to-remote-code-execution; reference:cve,2017-2741; classtype:attempted-admin; sid:2024404; rev:2; metadata:attack_target IoT, deployment Internal, signature_severity Major, created_at 2017_06_16, performance_impact Moderate, updated_at 2017_06_20;)

alert tcp $HOME_NET any -> $HOME_NET 42 (msg:"ET EXPLOIT Possible WINS Server Remote Memory Corruption Vulnerability"; flow:to_server,established; dsize:48; content:"|00 00 78 00|"; offset:4; depth:4; content:"|00 00 00 05|"; offset:16; depth:4; fast_pattern; threshold: type both, count 3, seconds 1, track by_src; metadata: former_category EXPLOIT; reference:url,blog.fortinet.com/2017/06/14/wins-server-remote-memory-corruption-vulnerability-in-microsoft-windows-server; classtype:attempted-user; sid:2024435; rev:1; metadata:affected_product Windows_DNS_server, attack_target DNS_Server, deployment Datacenter, signature_severity Major, created_at 2017_06_29, performance_impact Low, updated_at 2017_06_29;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (CVE-2009-3103)"; flow:to_server,established; content:"|FF 53 4d 42 72|"; offset:4; depth:5; content:"|00 26|"; distance:7; within:2; metadata: former_category NETBIOS; reference:url,www.exploit-db.com/exploits/14674/; reference:url,www.microsoft.com/technet/security/bulletin/ms09-050.mspx; reference:cve,2009-3103; classtype:attempted-user; sid:2012063; rev:3; metadata:created_at 2010_12_16, updated_at 2017_06_27;)

alert tcp any any -> any 445 (msg:"ET EXPLOIT ETERNALBLUE Exploit M2 MS17-010"; flow:established,to_server; content:"|8000a80000000000000000000000000000000000ffff000000000000ffff0000000000000000000000000000000000000000000000f1dfff000000000000000020f0dfff00f1dfffffffffff600004100000000080efdfff|"; metadata: former_category CURRENT_EVENTS; reference:cve,CVE-2017-0143; classtype:attempted-admin; sid:2024297; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_16, performance_impact Low, updated_at 2017_07_06;)

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE Exploit M3 MS17-010"; flow:to_server,established; content:"|ff|SMB|32 00 00 00 00 18 07 c0|"; offset:4; depth:12; content:"|00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"; distance:2; within:16; fast_pattern; content:"|0f 0c 00 00 10 01 00 00 00 00 00 00 00 f2 00 00 00 00 00 0c 00 42 00 00 10 4e 00 01 00 0e 00 0d 10 00|"; distance:2; within:34; isdataat:1000,relative; threshold: type both, track by_src, count 10, seconds 1; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024430; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, deployment Internal, signature_severity Critical, created_at 2017_06_27, updated_at 2017_07_06;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-0199 HTA Inbound"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; content:"Content-Type|3a 20|application/hta|0d 0a|"; http_header; file_data; content:"|7b 5c 72 74|"; distance:1; content:"|7b 5c|"; distance:0; content:"|7b 5c|"; distance:0;  metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024192; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, cve 2017_0199, signature_severity Major, created_at 2017_04_10, performance_impact Low, updated_at 2017_08_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-0199 HTA Inbound M2"; flow:established,from_server; content:"Content-Type|3a 20|application/hta|0d 0a|"; http_header; file_data; content:"|2e 65 78 70 61 6e 64 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 74 72 69 6e 67 73 28 22 25 41 50 50 44 41 54 41 25 22 29 20|"; content:"|4d 65 6e 75 5c 50 72 6f 67 72 61 6d 73 5c 53 74 61 72 74 75 70 5c|";  metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024193; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, cve 2017_0199, signature_severity Major, created_at 2017_04_10, performance_impact Low, updated_at 2017_08_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host Remote Command Execution attempt"; flow:to_server,established; content:"GET"; nocase; http_method; urilen:7; content:"/status"; http_uri; fast_pattern; content:"Host|3a|"; nocase; http_header; content:"|3b|"; http_header; within:50; distance:0; pcre:"/^Host\x3a[^\n]{0,50}?\x3b/Hmi"; metadata: former_category EXPLOIT; reference:url,cxsecurity.com/issue/WLB-2017080038; classtype:web-application-attack; sid:2024548; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_08_14, performance_impact Moderate, updated_at 2017_08_14;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (ProcessBuilder)"; flow:to_server,established; content:"java.lang.ProcessBuilder"; nocase; http_client_body; fast_pattern; content:"<command"; nocase; distance:0; http_client_body; pcre:"/^[\s>]/RPs"; metadata: former_category EXPLOIT; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024663; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Perimeter, signature_severity Critical, created_at 2017_09_06, performance_impact Low, updated_at 2017_09_06;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (Runtime.Exec)"; flow:to_server,established; content:"java.lang.Runtime"; nocase; http_client_body; fast_pattern; content:".exec"; distance:0; http_client_body; content:"<command"; nocase; distance:0; http_client_body; pcre:"/^[\s>]/RPs"; metadata: former_category EXPLOIT; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024664; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Perimeter, signature_severity Critical, created_at 2017_09_06, performance_impact Low, updated_at 2017_09_06;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 1"; flow:to_server,established; content:"POST"; http_method; content:"eXNvc2VyaWFsL"; http_client_body; metadata: former_category EXPLOIT; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024668; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2017_09_07, updated_at 2017_09_07;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 2"; flow:to_server,established; content:"POST"; http_method; content:"lzb3NlcmlhbC"; http_client_body; metadata: former_category EXPLOIT; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024669; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2017_09_07, updated_at 2017_09_07;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 3"; flow:to_server,established; content:"POST"; http_method; content:"5c29zZXJpYWwv"; http_client_body; metadata: former_category EXPLOIT; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024670; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2017_09_07, updated_at 2017_09_07;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin (B64) 4"; flow:to_server,established; content:"POST"; http_method; content:"|79 76 36 36 76|"; http_client_body; content:"/struts2-rest-showcase/orders/3"; http_uri; metadata: former_category EXPLOIT; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024671; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2017_09_07, updated_at 2017_09_07;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin (B64) 5"; flow:to_server,established; content:"POST"; http_method; content:"|72 2b 75 72|"; http_client_body; content:"/struts2-rest-showcase/orders/3"; http_uri; metadata: former_category EXPLOIT; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024672; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2017_09_07, updated_at 2017_09_07;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin (B64) 6"; flow:to_server,established; content:"POST"; http_method; content:"|4b 2f 72 71 2b|"; http_client_body; content:"/struts2-rest-showcase/orders/3"; http_uri; metadata: former_category EXPLOIT; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024673; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2017_09_07, updated_at 2017_09_07;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin (Runtime.Exec)"; flow:to_server,established; content:"POST"; http_method; content:"java.lang.Runtime"; nocase; http_client_body; fast_pattern; content:"/struts2-rest-showcase/orders/3"; http_uri; metadata: former_category EXPLOIT; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024674; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2017_09_07, updated_at 2017_09_07;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin (ProcessBuilder)"; flow:to_server,established; content:"POST"; http_method; content:"java.lang.ProcessBuilder"; nocase; http_client_body; fast_pattern; content:"/struts2-rest-showcase/orders/3"; http_uri; metadata: former_category EXPLOIT; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024675; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2017_09_07, updated_at 2017_09_07;)

#alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT [PTsecurity] DoublePulsar Backdoor installation communication"; flow: to_server, established; content:"|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test:2,!=,0x0000,52,relative,little; pcre: "/^.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/R"; metadata: former_category EXPLOIT; reference:url,github.com/ptresearch/AttackDetection; classtype:attempted-admin; sid:2024766; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Server, deployment Internet, signature_severity Major, created_at 2017_09_25, performance_impact Low, updated_at 2017_09_28;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2017-12629 RCE Exploit Attempt (HTTP POST)"; flow:to_server,established; content:"POST"; http_method; content:"newcollection/config"; http_uri; content:"Content-Type|3a 20|application/json"; http_header; content:"|22|add-listener|22|"; http_client_body; content:"|22|event|22 3a 22|postCommit|22|"; http_client_body; content:"|22|class|22|"; http_client_body; content:"RunExecutableListener|22 2c|"; fast_pattern; http_client_body; content:"|22|exe|22|"; http_client_body; content:"|22|dir|22|"; http_client_body; content:"|22|args|22|"; http_client_body; metadata: former_category EXPLOIT; reference:url,www.exploit-db.com/exploits/43009/; classtype:web-application-attack; sid:2024884; rev:2; metadata:affected_product Apache_Solr, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_10_20, updated_at 2017_10_20;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2017-12629 XXE Exploit Attempt (URI)"; flow:to_server,established; content:"?q=|7b 21|xmlparser"; http_uri; content:"|3d 27 3c 21|DOCTYPE"; nocase; distance:0; http_uri; fast_pattern; pcre:"/^(?:(?!\x0d\x0a).)+\x22(?:https?|file):\x2f\x2f/UR"; flowbits:set,ET.CVE-2017-12629; metadata: former_category EXPLOIT; reference:url,www.exploit-db.com/exploits/43009/; classtype:web-application-attack; sid:2024885; rev:2; metadata:affected_product Apache_Solr, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_10_20, updated_at 2017_10_20;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2017-12629 RCE Exploit Attempt (HTTP GET 1)"; flow:to_server,established; content:"GET"; http_method; content:"newcollection/config"; http_uri; content:"|22|add-listener|22 3a|"; http_uri; distance:0; content:"|22|event|22 3a 22|postCommit|22|"; http_uri; distance:0; content:"|22|class|22|"; distance:0; http_uri; content:"RunExecutableListener|22 2c 22|exe|22|"; distance:0; fast_pattern; http_uri; content:"|22|dir|22|"; http_uri; content:"|22|args|22|"; http_uri; flowbits:isset,ET.CVE-2017-12629; metadata: former_category EXPLOIT; reference:url,www.exploit-db.com/exploits/43009/; classtype:web-application-attack; sid:2024886; rev:2; metadata:affected_product Apache_Solr, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_10_20, updated_at 2017_10_20;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2017-12629 RCE Exploit Attempt (HTTP GET 2)"; flow:to_server,established; content:"GET"; http_method; content:"?q="; http_uri; content:"update?"; distance:0; http_uri; content:"stream.body="; http_uri; content:"commit="; http_uri; content:"overwrite="; http_uri; flowbits:isset,ET.CVE-2017-12629; metadata: former_category EXPLOIT; reference:url,www.exploit-db.com/exploits/43009/; classtype:web-application-attack; sid:2024887; rev:2; metadata:affected_product Apache_Solr, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_10_20, updated_at 2017_10_20;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link 850L Password Extract Attempt"; flow:to_server,established; urilen:11; content:"POST"; http_method; content:"/hedwig.cgi"; http_uri; fast_pattern; content:"DEVICE.ACCOUNT"; http_client_body; metadata: former_category EXPLOIT; reference:url,blogs.securiteam.com/index.php/archives/3364; classtype:attempted-recon; sid:2024913; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2017_10_25, updated_at 2017_10_25;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Vacron NVR Remote Command Execution"; flow:to_server,established; content:"/board.cgi?cmd="; depth:15; http_uri; metadata: former_category EXPLOIT; reference:url,blogs.securiteam.com/index.php/archives/3445; classtype:attempted-recon; sid:2024915; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_25, updated_at 2017_10_25;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear DGN Remote Command Execution"; flow:to_server,established; content:"/setup.cgi?next_file="; nocase; http_uri; content:"&todo=syscmd&cmd="; nocase; distance:0; http_uri; content:"currentsetting.htm"; nocase; fast_pattern; http_uri; metadata: former_category EXPLOIT; reference:url,seclists.org/bugtraq/2013/Jun/8; classtype:attempted-recon; sid:2024916; rev:1; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_25, updated_at 2017_10_25;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT AVTECH Unauthenticated Command Injection in DVR Devices"; flow:to_server,established; content:"/Search.cgi?action=cgi_query"; nocase; fast_pattern; http_uri; content:"&username="; nocase; distance:0; http_uri; content:"&password="; nocase; distance:0; http_uri; metadata: former_category EXPLOIT; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2024917; rev:1; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_25, updated_at 2017_10_25;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT AVTECH Authenticated Command Injection in CloudSetup.cgi"; flow:to_server,established; content:"/cgi-bin/supervisor/CloudSetup.cgi?exefile="; nocase; depth:43; fast_pattern; http_uri; metadata: former_category EXPLOIT; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2024918; rev:1; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_25, updated_at 2017_10_25;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT AVTECH Authenticated Command Injection in adcommand.cgi"; urilen:33; flow:to_server,established; content:"POST"; http_method; content:"/cgi-bin/supervisor/adcommand.cgi"; nocase; fast_pattern; http_uri; content:"DoShellCmd"; nocase; http_client_body; metadata: former_category EXPLOIT; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2024919; rev:1; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_25, updated_at 2017_10_25;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT AVTECH Authenticated Command Injection in PwdGrp.cgi"; flow:to_server,established; content:"/cgi-bin/supervisor/PwdGrp.cgi?action="; nocase; depth:38; fast_pattern; http_uri; metadata: former_category EXPLOIT; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2024920; rev:1; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_25, updated_at 2017_10_25;)

alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ET.ETERNALBLUE; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024218; rev:2; metadata:attack_target SMB_Server, deployment Internal, signature_severity Critical, created_at 2017_04_17, updated_at 2017_11_27;)

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)"; flow:to_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:set,ET.ETERNALBLUE; flowbits:noalert; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024220; rev:2; metadata:attack_target SMB_Server, deployment Internal, signature_severity Critical, created_at 2017_04_17, updated_at 2017_11_27;)

alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Exim4 UAF Attempt (BDAT with non-printable chars)"; flow:established,to_server; content:"BDAT"; depth:5; pcre:"/^\s*\d*[^\x20-\x7e\r\n\t]/R"; metadata: former_category EXPLOIT; reference:url,lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html; classtype:attempted-admin; sid:2025063; rev:3; metadata:attack_target SMTP_Server, deployment Internal, deployment Datacenter, signature_severity Major, created_at 2017_11_27, performance_impact Moderate, updated_at 2017_11_28;)

alert http any any -> any any (msg:"ET EXPLOIT Netgear passwordrecovered.cgi attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/passwordrecovered.cgi?id="; nocase; http_uri; metadata: former_category CURRENT_EVENTS; reference:url,www.securityfocus.com/archive/1/530743/30/0/threaded; reference:url,www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2017-003/?fid=8911; reference:cve,2017-5521; classtype:attempted-admin; sid:2017969; rev:4; metadata:created_at 2014_01_14, updated_at 2017_11_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ZyXELs ZynOS Configuration Download Attempt (Contains Passwords)"; flow:established,to_server; urilen:6; content:"/rom-0"; http_uri; nocase; metadata: former_category CURRENT_EVENTS; reference:url,www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf; classtype:attempted-admin; sid:2018232; rev:3; metadata:created_at 2014_03_07, updated_at 2017_11_28;)

alert tcp any any -> $HOME_NET [23,2323] (msg:"ET EXPLOIT Actiontec C1000A backdoor account M1"; flow:established,to_server; content:"QwestM0dem"; fast_pattern; metadata: former_category EXPLOIT; metadata: former_category EXPLOIT; classtype:attempted-admin; sid:2025080; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_11_28, malware_family Mirai, performance_impact Low, updated_at 2017_11_29;)

alert tcp any any -> $HOME_NET [23,2323] (msg:"ET EXPLOIT Actiontec C1000A backdoor account M2"; flow:established,to_server; content:"CenturyL1nk"; fast_pattern; metadata: former_category EXPLOIT; classtype:attempted-admin; sid:2024980; rev:3; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Critical, created_at 2017_11_13, malware_family Mirai, performance_impact Low, updated_at 2017_11_29;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Likely Struts S2-053-CVE-2017-12611 Exploit Attempt M1"; flow:established,to_server; content:"="; http_uri; content:"%"; http_uri; distance:0; content:"{"; http_uri; distance:0; content:"ProcessBuilder"; http_uri; nocase; distance:0; fast_pattern; content:"java"; nocase; http_uri; content:"lang"; http_uri; nocase; pcre:"/=\s*\x25\s*\{\s*.+?\bProcessBuilder\b/Ui"; metadata: former_category EXPLOIT; classtype:attempted-admin; sid:2024814; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_10_06, updated_at 2017_10_06;)

alert http any any -> $HOME_NET 52869 (msg:"ET EXPLOIT Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361"; flow:established,to_server; urilen:12; content:"POST"; http_method; content:"/picdesc.xml"; http_uri; content:"SOAPAction|3a 20|urn|3a|schemas-upnp-org|3a|service|3a|WANIPConnection|3a|"; http_header; metadata: former_category EXPLOIT; reference:url,blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/; reference:cve,CVE-2014-8361; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb; reference:url,www.exploit-db.com/exploits/37169/; classtype:attempted-user; sid:2025132; rev:2; metadata:attack_target IoT, created_at 2017_12_05, updated_at 2017_12_05;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_enumerrorlogs access"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|e|00|r|00|r|00|o|00|r|00|l|00|o|00|g|00|s|00|"; nocase; metadata: former_category ATTACK_RESPONSE; reference:url,doc.emergingthreats.net/2010001; classtype:attempted-user; sid:2010001; rev:4; metadata:created_at 2010_07_30, updated_at 2018_01_09;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_readerrorlogs access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|a|00|d|00|e|00|r|00|r|00|o|00|r|00|l|00|o|00|g|00|s|00|"; nocase; metadata: former_category ATTACK_RESPONSE; reference:url,doc.emergingthreats.net/2010002; classtype:attempted-user; sid:2010002; rev:5; metadata:created_at 2010_07_30, updated_at 2018_01_09;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_enumdsn access"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|d|00|s|00|n|00|"; nocase; metadata: former_category ATTACK_RESPONSE; reference:url,doc.emergingthreats.net/2010003; classtype:attempted-user; sid:2010003; rev:5; metadata:created_at 2010_07_30, updated_at 2018_01_09;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MeltDown PoC Download In Progress"; flow:established,from_server; flowbits:isset,ET.http.binary; file_data; content:"|57 53 41 50 41 51|"; content:"|0F AE F0|"; distance:50; within:53; content:"|0F AE|"; distance:15; within:12; pcre:"/^[\x30-\x3f\x7D]/Rs"; content:"|0F AE F0 0F 31|"; distance:45; within:25; content:"|0F AE F0 0F 31|"; distance:17; within:12; metadata: former_category EXPLOIT; reference:cve,2017-5754; classtype:attempted-admin; sid:2025195; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_10, malware_family MeltDown_Exploit, performance_impact Low, updated_at 2018_02_06;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Spectre PoC Download In Progress"; flow:established,from_server; flowbits:isset,ET.http.binary; file_data; content:"|E7 03 00 00|"; content:"|48 0F AE|"; distance:17; within:9; pcre:"/^[\x30-\x3f\x7D]/Rs"; content:"|48 0F AE 3D|"; distance:41; within:10; content:"|48 98|"; distance:64; within:22; content:"|0F 01 F9|"; distance:50; within:9; content:"|0F 01 F9|"; distance:30; within:9; metadata: former_category EXPLOIT; reference:cve,2017-5753; reference:cve,2017-5715; classtype:attempted-admin; sid:2025196; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_10, malware_family Spectre_Exploit, performance_impact Low, updated_at 2018_02_02;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MikroTik RouterOS Chimay Red Remote Code Execution Probe"; flow:to_server,established; content:"POST"; http_method; urilen:8; content:"/jsproxy"; http_uri; fast_pattern; content:"Content-Length|3a 20|"; http_header; depth:16; metadata: former_category EXPLOIT; reference:url,www.exploit-db.com/exploits/44284/; reference:url,www.exploit-db.com/exploits/44283/; classtype:attempted-admin; sid:2025426; rev:2; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Minor, created_at 2018_03_13, performance_impact Moderate, updated_at 2018_03_13;)

alert tcp any any -> $HOME_NET 25 (msg:"ET EXPLOIT [PT Security] Exim <4.90.1 Base64 Overflow RCE (CVE-2018-6789)"; flow: established,to_server,only_stream; content:"|0D 0A|AUTH"; pcre:"/AUTH\s+\S+\s+(?:[a-zA-Z0-9\+\/=]{4})*+[a-zA-Z0-9\+\/=]{3}\s/"; metadata: former_category EXPLOIT; reference:cve,2018-6789; reference:url,devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/; reference:url,github.com/ptresearch/AttackDetection/blob/master/CVE-2018-6789/cve-2018-6789.rules; classtype:attempted-admin; sid:2025427; rev:1; metadata:attack_target SMTP_Server, deployment Perimeter, signature_severity Minor, created_at 2018_03_13, performance_impact Moderate, updated_at 2018_03_13;)

alert tcp any any -> $HOME_NET 4786 (msg:"ET EXPLOIT Possible CVE-2018-0171 Exploit (PoC based)"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 07|"; depth:12; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; distance:12; within:36; content:"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"; distance:4; within:44; metadata: former_category EXPLOIT; reference:cve,2018-0171; reference:url,embedi.com/blog/cisco-smart-install-remote-code-execution/; classtype:attempted-admin; sid:2025472; rev:1; metadata:affected_product Cisco_ASA, attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2018_04_06, updated_at 2018_04_06;)

alert tcp any any -> any 4786 (msg:"ET EXPLOIT Cisco Smart Install Exploitation Tool - Update Ios and Execute"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 02 00 00 01 c4|"; depth:16; content:"://"; distance:0; metadata: former_category EXPLOIT; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; reference:url,github.com/Sab0tag3d/SIET; classtype:bad-unknown; sid:2025520; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_04_20, updated_at 2018_04_20;)

alert tcp any any -> any 4786 (msg:"ET EXPLOIT Cisco Smart Install Exploitation Tool - ChangeConfig"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 03 00 00 01 28|"; depth:16; content:"://"; distance:0; metadata: former_category EXPLOIT; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; reference:url,github.com/Sab0tag3d/SIET; classtype:bad-unknown; sid:2025521; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_04_20, updated_at 2018_04_20;)

alert tcp any any -> any 4786 (msg:"ET EXPLOIT Cisco Smart Install Exploitation Tool - GetConfig"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 08 00 00 04 08|"; depth:16; content:"copy|20|"; distance:0; metadata: former_category EXPLOIT; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; reference:url,github.com/Sab0tag3d/SIET; classtype:bad-unknown; sid:2025522; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_04_20, updated_at 2018_04_20;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT HackingTrio UA (Hello, World)"; flow:established,to_server; content:"POST"; http_method; content:"Hello, World"; http_user_agent; fast_pattern; isdataat:!1,relative; metadata: former_category EXPLOIT; reference:cve,2018-10561; reference:cve,2018-10562; reference:url,github.com/f3d0x0/GPON; classtype:attempted-admin; sid:2025576; rev:2; metadata:attack_target IoT, deployment Perimeter, tag GPON, signature_severity Major, created_at 2018_05_11, performance_impact Low, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT phpLDAPadmin LDAP Injection"; flow:to_server,established; content:"!(()&&!|7c|*|7c|*|7c|"; nocase; http_uri; metadata: former_category EXPLOIT; classtype:web-application-attack; sid:2025733; rev:2; metadata:affected_product PHP, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_06_22, performance_impact Low, updated_at 2018_07_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link Technologies TL-WA850RE Wi-Fi Range Extender - Command Execution"; flow:to_server,established; content:"/wps.setup.json"; fast_pattern; nocase; http_uri; content:"operation=write"; http_client_body; content:"option=connect"; http_client_body; content:"wps_setup_pin="; http_client_body; content:"%2Fbin%2Fsh"; http_client_body; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44912/; classtype:web-application-attack; sid:2025735; rev:2; metadata:affected_product TPLINK, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2018_06_22, performance_impact Low, updated_at 2018_07_18;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT phpMyAdmin 4.8.1 - Local File Inclusion"; flow:to_server,established; content:"db_sql.php"; http_uri; nocase; content:"|2e 2e 2f|"; http_raw_uri; metadata: former_category EXPLOIT; classtype:web-application-attack; sid:2025734; rev:2; metadata:affected_product PHP, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_06_22, performance_impact Low, updated_at 2018_07_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ecessa WANWorx WVR-30 Cross-Site Request Forgery"; flow:from_server,established; file_data; content:"method"; nocase; content:"POST"; content:"user_username"; content:"user_passwd"; content:"checked"; content:"savecrtcfg"; fast_pattern; metadata: former_category EXPLOIT; classtype:web-application-attack; sid:2025737; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_06_25, updated_at 2018_07_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Intex Router N-150 Cross-Site Request Forgery"; flow:from_server,established; file_data; content:"method"; nocase; content:"POST"; content:"PPW"; content:"submit"; content:"SSID"; content:"isp"; content:"WAN"; content:"wirelesspassword"; fast_pattern; content:"name"; content:"value"; metadata: former_category EXPLOIT; classtype:web-application-attack; sid:2025739; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_06_25, performance_impact Low, updated_at 2018_07_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT AsusWRT RT-AC750GF Cross-Site Request Forgery"; flow:from_server,established; file_data; content:"<form action=|22|http://router.asus.com/findasus.cgi|22 20|method=|22|POST|22|>"; nocase; content:"name=|22|action_mode|22 20|value=|22|refresh_networkmap|22|"; nocase; distance:0; content:"start_apply.htm?productid="; nocase; distance:0; content:"&current_page=Advanced_System_Content.asp";  nocase; distance:0; content:"&next_page=Advanced_System_Content.asp"; nocase; distance:0; fast_pattern; content:"&action_mode=apply"; nocase; distance:0; content:"&http_username="; nocase; distance:0; content:"&http_passwd="; nocase; distance:0; content:"&sshd_enable="; nocase; distance:0; metadata: former_category EXPLOIT; reference:url,www.exploit-db.com/exploits/44937/; classtype:web-application-attack; sid:2025736; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2018_06_25, updated_at 2018_07_18;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (WiFi Password Change)"; flow:established,to_server; content:"/cgi?2"; http_uri; isdataat:!1,relative; content:"/mainFrame.htm"; http_header; content:"LAN_WLAN"; fast_pattern; http_client_body; content:"IEEE11iAuthenticationMode"; http_client_body; content:"IEEE11iEncryptionModes"; http_client_body; content:"X_TP_PreSharedKey="; http_client_body; content:"X_TP_GroupKeyUpdateInterval"; http_client_body; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44781/; classtype:web-application-attack; sid:2025755; rev:2; metadata:affected_product TPLINK, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2018_06_26, updated_at 2019_09_28;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (DMZ enable and Disable)"; flow:established,to_server; content:"/cgi?2"; http_uri; isdataat:!1,relative; content:"/mainFrame.htm"; http_header; content:"DMZ_HOST_CFG"; fast_pattern; http_client_body; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025751; rev:2; metadata:affected_product TPLINK, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2018_06_26, updated_at 2019_09_28;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (Enable Guest Network)"; flow:established,to_server; content:"/cgi?2&2&2&2&2"; http_uri; content:"/mainFrame.htm"; http_header; content:"LAN_WLAN_MULTISSID"; fast_pattern; http_client_body; content:"multiSSIDEnable"; http_client_body; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025752; rev:2; metadata:affected_product TPLINK, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2018_06_26, updated_at 2018_07_18;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (Reboot Router)"; flow:established,to_server; content:"/cgi?7"; http_uri; content:"mainFrame.htm"; http_header; content:"ACT_REBOOT"; http_client_body; fast_pattern; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025754; rev:2; metadata:affected_product TPLINK, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2018_06_26, updated_at 2018_07_18;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (Add Port Forwarding)"; flow:established,to_server; content:"/cgi?3"; http_uri; isdataat:!1,relative; content:"/mainFrame.htm"; http_header; content:"IP_CONN_PORTTRIGGERING"; http_client_body; content:"openProtocol"; http_client_body; content:"openPort="; http_client_body; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025750; rev:2; metadata:affected_product TPLINK, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2018_06_26, updated_at 2019_09_28;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (GET conf.bin)"; flow:established,to_server; content:"/cgi/conf.bin"; http_uri; content:"/mainFrame.htm"; http_header; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025753; rev:2; metadata:affected_product TPLINK, attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2018_06_26, updated_at 2018_07_18;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DSL-2750B - OS Command Injection"; flow:established,to_server; content:"/login.cgi?cli="; http_uri; pcre:"/^[ a-zA-Z0-9+_]*[\x27\x3b]/URi"; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44760/; classtype:attempted-user; sid:2025756; rev:2; metadata:attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2018_06_27, performance_impact Low, updated_at 2018_07_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Exec Backdoor"; flow:established,to_server; content:"X-Auth-Token|3a| AuroraSdnToken"; http_header; content:"|7b 22|action|22 3a 20 22|exec|22 2c 20 22|name|22 3a 20 22|"; fast_pattern; http_client_body; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44951/; classtype:attempted-user; sid:2025761; rev:2; metadata:attack_target Networking_Equipment, deployment Datacenter, signature_severity Major, created_at 2018_06_28, updated_at 2018_07_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Install Backdoor"; flow:established,to_server; content:"X-Auth-Token|3a| AuroraSdnToken"; http_header; content:"|7b 22|action|22 3a 20 22|install|22 2c 20 22|name|22 3a 20 22|"; fast_pattern; http_client_body; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44951/; classtype:attempted-user; sid:2025762; rev:2; metadata:attack_target Networking_Equipment, deployment Datacenter, signature_severity Major, created_at 2018_06_28, updated_at 2018_07_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Upload Backdoor"; flow:established,to_server; content:"/upload"; http_uri; isdataat:!1,relative; content:"X-Auth-Token|3a| AuroraSdnToken"; http_header; content:"!<arch>|0a|debian-binary"; http_client_body; fast_pattern; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44951/; classtype:attempted-user; sid:2025763; rev:2; metadata:attack_target Networking_Equipment, deployment Datacenter, signature_severity Major, created_at 2018_06_28, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Cisco Adaptive Security Appliance - Path Traversal"; flow:established,to_server; content:"../"; http_raw_uri; content:"+CSCOE+/files/file_list.json?path=+CSCOE+"; fast_pattern; http_uri; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44956/; reference:cve,2018-0296; classtype:attempted-user; sid:2025764; rev:1; metadata:affected_product Cisco_ASA, attack_target Networking_Equipment, deployment Datacenter, signature_severity Major, created_at 2018_06_29, performance_impact Low, updated_at 2018_07_18;)

alert udp any 67 -> any 68 (msg:"ET EXPLOIT DynoRoot DHCP - Client Command Injection"; content:"|02|"; depth:1; content:"|35 01 05 fc|"; distance:0; content:"|2f|bin|2f|sh"; fast_pattern; distance:0; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44652/; reference:cve,2018-1111; classtype:attempted-admin; sid:2025765; rev:2; metadata:attack_target Networking_Equipment, deployment Datacenter, signature_severity Critical, created_at 2018_06_29, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"ET EXPLOIT CloudMe Sync Buffer Overflow"; flow:established,to_server; content:"|fe e7 d1 61 a8 98 03 69 10 06 e7 6f 6f 0a c4 61 5a ea c8 68 e1 52 d6 68 a2 7c fa 68 ff fd ff ff|"; fast_pattern; distance:0; content:"|92 70 b4 6e 47 27 d5 68 ff ff ff ff bc 48 f9 68|"; distance:0; content:"|3c 06 f8 68 72 a4 f9 68 c0 ff ff ff 92 70 b4 6e|"; distance:0; content:"|ab 57 f0 61 a3 ef b5 6e  d1 14 dc 61 0c ed b4 64 45 62 ba 61|"; distance:0; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; distance:0; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44784/; reference:cve,2018-6892; classtype:attempted-admin; sid:2025766; rev:2; metadata:attack_target Server, deployment Perimeter, signature_severity Major, created_at 2018_06_29, performance_impact Low, updated_at 2018_07_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware NSX SD-WAN Command Injection"; flow:established,to_server; content:"/scripts/ajaxPortal.lua"; http_uri; fast_pattern; content:"destination="; http_client_body; content:"source="; http_client_body; content:"test="; http_client_body; content:"&requestTimeout="; http_client_body; content:"auth_token="; http_client_body; content:"cmd=run_diagnostic"; http_client_body; pcre:"/destination=[^&]*\x24\x28/Pi"; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44959/; reference:cve,2018-6961; classtype:attempted-user; sid:2025767; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2018_07_02, performance_impact Low, updated_at 2018_07_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware NSX SD-WAN Command Injection 2"; flow:established,to_server; content:"/scripts/ajaxPortal.lua"; http_uri; fast_pattern; content:"name="; http_client_body; content:"source="; http_client_body; content:"test="; http_client_body; content:"&requestTimeout="; http_client_body; content:"auth_token="; http_client_body; content:"cmd=run_diagnostic"; http_client_body; pcre:"/name=[^&]*\x24\x28/Pi"; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44959/; reference:cve,2018-6961; classtype:attempted-user; sid:2025768; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2018_07_02, performance_impact Low, updated_at 2018_07_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Geutebruck Remote Command Execution"; flow:established,to_server; content:"/uapi-cgi/viewer/simple_loglistjs.cgi?"; http_uri; fast_pattern; content:"/bin/sh"; http_uri; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44957/; reference:cve,2018-7520; classtype:attempted-user; sid:2025769; rev:1; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2018_07_02, performance_impact Low, updated_at 2018_07_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI SQL Injection"; flow:established,to_server; content:"/nagiosim.php?mode=resolve&host=|27|"; http_uri; metadata: former_category EXPLOIT; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025772; rev:1; metadata:attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2018_07_02, updated_at 2018_07_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Remote Code Execution"; flow:established,to_server; content:"/ajaxhelper.php?cmd=getxicoreajax"; http_uri; fast_pattern; content:"&opts=%7b%22func%22%3a%22get_hoststatus_table%22%7d"; http_raw_uri; metadata: former_category EXPLOIT; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025774; rev:1; metadata:attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2018_07_02, updated_at 2018_07_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Remote Code Execution 2"; flow:established,to_server; content:"/graphApi.php?host="; fast_pattern; http_uri; content:"%3bsudo%20../profile/getprofile.sh%20%23"; http_raw_uri; metadata: former_category EXPLOIT; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025773; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2018_07_02, updated_at 2018_07_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Remote Code Execution 3"; flow:established,to_server; content:"/index.php?cmd=submitcommand&command="; http_uri;  content:"&command_data=$("; http_uri; fast_pattern; metadata: former_category EXPLOIT; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025776; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2018_07_03, updated_at 2018_07_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI SQL Injection 2"; flow:established,to_server; content:"/admin/helpedit.php"; http_uri; fast_pattern; content:"selInfoKey1="; http_client_body; pcre:"/^[^&]+\x2527(?:UNION|SELECT)/PRi"; metadata: former_category EXPLOIT; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025775; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2018_07_03, updated_at 2018_07_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Set DB User Root"; flow:established,to_server; content:"/admin/settings.php"; http_uri; content:"txtRootPath="; http_client_body; content:"&txtBasePath="; http_client_body; content:"&selProtocol="; http_client_body; content:"&txtTempdir="; http_client_body; content:"&selLanguage="; http_client_body; content:"&txtEncoding="; http_client_body; content:"&txtDBserver="; http_client_body; content:"&txtDBport="; http_client_body; content:"&txtDBname="; http_client_body; content:"&txtDBuser=root"; fast_pattern; http_client_body; content:"&txtDBpass="; http_client_body; metadata: former_category EXPLOIT; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025777; rev:1; metadata:attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2018_07_03, updated_at 2018_07_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Adding Administrative User"; flow:established,to_server; content:"/api/v1/system/user"; http_uri; content:"username="; http_client_body; content:"&password="; http_client_body; content:"&name="; http_client_body; content:"&email="; http_client_body; content:"&auth_level=admin&force_pw_change=0"; fast_pattern; http_client_body; metadata: former_category EXPLOIT; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025778; rev:1; metadata:attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2018_07_03, updated_at 2018_07_18;)

alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FTPShell client Stack Buffer Overflow"; flow:established,from_server; content:"220|20 22|"; isdataat:400,relative; content:!"|00|"; within:400; content:!"|22|"; within:400; content:!"|0b|"; within:400; content:!"|0a|"; within:400; content:!"|0d|"; within:400; content:"|ed 2e 45 22 20|"; fast_pattern; distance:400; metadata: former_category EXPLOIT; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-7573; reference:url,exploit-db.com/exploits/44968/; classtype:attempted-user; sid:2025779; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_03, performance_impact Low, updated_at 2018_07_18;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ModSecurity 3.0.0 Cross-Site Scripting"; flow:established,from_server; file_data; content:"onError"; content:"prompt"; fast_pattern; content:"img"; pcre:"/^\s*((?!>).)+?\s*src\s*=\s*[\x22\x27]\s*[^\x27\x28]+?[\x22\x27]\s*onError\s*=\s*prompt\s*\x28\s*[^)]*?(?:document|s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Rsi"; metadata: former_category EXPLOIT; reference:cve,2018-13065; reference:url,exploit-db.com/exploits/44970/; classtype:attempted-user; sid:2025781; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Critical, created_at 2018_07_03, performance_impact Moderate, updated_at 2018_07_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT ADB Broadband Authorization Bypass"; flow:established,to_server; content:"/ui/dboard/settings/management/"; http_uri; fast_pattern; content:"/management//"; http_raw_uri; metadata: former_category EXPLOIT; reference:cve,2018-13109; reference:url,exploit-db.com/exploits/44982/; classtype:web-application-attack; sid:2025785; rev:1; metadata:attack_target IoT, deployment Datacenter, signature_severity Critical, created_at 2018_07_05, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET EXPLOIT Oracle Weblogic Server Deserialization Remote Command Execution"; flow:established,to_server; content:"java.rmi.registry.Registry"; fast_pattern; content:"java.lang.reflect.Proxy"; content:"java.rmi.server.RemoteObjectInvocationHandler"; content:"UnicastRef"; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44553/; reference:cve,2018-2628; classtype:attempted-user; sid:2025788; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_05, performance_impact Low, updated_at 2018_07_18;)

alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Exim Internet Mailer Remote Code Execution"; flow:established,to_server; content:"JHtydW57L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3Av"; metadata: former_category EXPLOIT; reference:cve,2018-6789; reference:url,exploit-db.com/exploits/44571/; classtype:attempted-user; sid:2025793; rev:2; metadata:attack_target SMTP_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_09, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 9000 (msg:"ET EXPLOIT xdebug OS Command Execution "; flow:established,to_server; content:"eval -i 1 --|0d 0a|ZmlsZV9wdXRfY29udGVudH"; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44568/; classtype:attempted-user; sid:2025794; rev:2; metadata:attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2018_07_09, performance_impact Low, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT bin bash base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"vYmluL2Jhc2"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025806; rev:2; metadata:attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"vKjw/cGhwI"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025809; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"MeW84UDNCb2ND"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025812; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"c3lzdGVtKCIgcGhw"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025795; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"N5c3RlbSgiIHBoc"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025796; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"zeXN0ZW0oIiBwaH"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025797; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 4"; flow:established,to_server; content:"c3lzdGVtKCJwaH"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025798; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 5"; flow:established,to_server; content:"N5c3RlbSgicGhw"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025799; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 6"; flow:established,to_server; content:"zeXN0ZW0oInBoc"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025800; rev:2; metadata:created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT file_put_contents php base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"ZmlsZV9wdXRfY29udGVudH"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025801; rev:2; metadata:affected_product Web_Server_Applications, affected_product PHP, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT file_put_contents php base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"ZpbGVfcHV0X2NvbnRlbnRz"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025802; rev:2; metadata:affected_product Web_Server_Applications, affected_product PHP, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT file_put_contents php base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"maWxlX3B1dF9jb250ZW50c"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025803; rev:2; metadata:affected_product Web_Server_Applications, affected_product PHP, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT bin bash base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"L2Jpbi9iYXNo"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025804; rev:2; metadata:attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT bin bash base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"9iaW4vYmFza"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025805; rev:2; metadata:attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"Lyo8P3BocC"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025807; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"8qPD9waHAg"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025808; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"THlvOFAzQm9jQ"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025810; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"x5bzhQM0JvY0"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025811; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 4"; flow:established,to_server; content:"OHFQRDl3YUhBZ"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025813; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 5"; flow:established,to_server; content:"hxUEQ5d2FIQW"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025814; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 6"; flow:established,to_server; content:"4cVBEOXdhSEFn"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025815; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 7"; flow:established,to_server; content:"dktqdy9jR2h3S"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025816; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 8"; flow:established,to_server; content:"ZLancvY0dod0"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025817; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 9"; flow:established,to_server; content:"2S2p3L2NHaHdJ"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025818; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, created_at 2018_07_09, updated_at 2018_07_18;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DIR601 2.02 Credential Disclosure"; flow:established,to_server; content:"/my_cgi.cgi"; http_uri; content:"request=no_auth"; http_client_body; content:"request=load_settings"; http_client_body; content:"table_name=admin_user"; fast_pattern; http_client_body; content:"table_name=user_user"; http_client_body; content:"table_name=wireless_settings"; http_client_body; content:"table_name=wireless_security"; http_client_body; content:"table_name=wireless_wpa_settings"; http_client_body; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/45002/; classtype:attempted-recon; sid:2025823; rev:2; metadata:attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2018_07_10, performance_impact Low, updated_at 2018_07_18;)

alert udp any any -> $HOME_NET 4070 (msg:"ET EXPLOIT HID VertX and Edge door controllers command_blink_on Remote Command Execution"; content:"command_blink_on|3b|"; fast_pattern; content:"|60|"; within:44; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44992/; classtype:attempted-user; sid:2025821; rev:2; metadata:attack_target IoT, deployment Datacenter, created_at 2018_07_10, updated_at 2018_07_18;)

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray"; flow:to_server,established; content:"|ff|SMB|33 00 00 00 00 18 07 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"; offset:4; depth:30; fast_pattern:10,20; content:"|00 09 00 00 00 10|"; distance:1; within:6; content:"|00 00 00 00 00 00 00 10|"; within:8; content:"|00 00 00 10|"; distance:4; within:4; pcre:"/^[a-zA-Z0-9+/]{1000,}/R"; threshold: type both, track by_src, count 3, seconds 30; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024217; rev:3; metadata:attack_target SMB_Server, deployment Internal, signature_severity Critical, created_at 2017_04_17, updated_at 2017_05_13;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT IBM QRadar SIEM Unauthenticated Remote Code Execution"; flow:established,to_server; content:"/ForensicsAnalysisServlet/?"; http_uri; fast_pattern; content:"[pcap]=$("; http_uri; content:"/bin/bash"; http_uri; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/45005/; classtype:attempted-user; sid:2025826; rev:1; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2018_07_11, performance_impact Low, updated_at 2018_07_18;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution"; flow:established,to_server; content:"/init.do?"; http_uri; content:"java.util"; http_uri; content:"Runtime.getRuntime().exec"; fast_pattern; http_uri; content:"cmd"; http_uri; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/44292/; reference:cve,2018-2380; classtype:attempted-user; sid:2025835; rev:2; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_07_12, performance_impact Low, updated_at 2018_07_18;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Adobe Coldfusion BlazeDS Java Object Deserialization Remote Code Execution"; flow:established,to_server; content:"/amf"; http_uri; content:"sun.rmi.server.UnicastRef"; http_client_body; content:"|f9 6a 76 7b 7c de 68 4f 76 d8 aa 3d 00 00 01 5b b0 4c 1d 81 80 01 00|"; fast_pattern; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/43993/; reference:cve,2017-3066; classtype:attempted-user; sid:2025836; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2018_07_13, performance_impact Low, updated_at 2018_07_18;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution Unix"; flow:established,to_server; content:"/CoordinatorPortType"; http_uri; content:"<soapenv:"; http_client_body; content:"java.lang.ProcessBuilder"; http_client_body; content:"<string>/bin/sh"; http_client_body; content:"<string>-c</string>"; http_client_body; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/43924/; classtype:attempted-user; sid:2025837; rev:1; metadata:attack_target Server, deployment Datacenter, created_at 2018_07_13, updated_at 2018_07_18;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution Windows"; flow:established,to_server;content:"/CoordinatorPortType"; http_uri; content:"<soapenv:"; http_client_body; content:"java.lang.ProcessBuilder"; http_client_body; content:"<string>cmd</string>"; http_client_body; content:"<string>/c</string>"; http_client_body; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/43924/; classtype:attempted-user; sid:2025838; rev:1; metadata:attack_target Server, deployment Datacenter, created_at 2018_07_13, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution Linux"; flow:established,to_server; content:"jsonrpc"; content:"method"; content:"miner_file"; content:".bash"; content:"5c5c7837665c5c7834355c5c7834635c5c783436"; fast_pattern; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/45044/; reference:cve,2018-1000049; classtype:attempted-user; sid:2025861; rev:1; metadata:attack_target Server, deployment Datacenter, created_at 2018_07_17, updated_at 2018_07_18;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution Windows"; flow:established,to_server; content:"jsonrpc"; content:"method"; content:"miner_file"; content:".bat"; content:"706f7765727368656c6c2e657865"; fast_pattern; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/45044/; reference:cve,2018-1000049; classtype:attempted-user; sid:2025862; rev:2; metadata:attack_target Server, deployment Datacenter, created_at 2018_07_17, updated_at 2018_07_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MVPower DVR Shell UCE MSF Check"; flow:to_server,established; content:"/shell?echo+"; http_uri; depth:12; fast_pattern; http_header_names; content:!"Referer"; metadata: former_category EXPLOIT; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/; classtype:attempted-admin; sid:2025882; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2018_07_23, malware_family Mirai, updated_at 2018_07_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MVPower DVR Shell UCE"; flow:to_server,established; content:"/shell?"; http_uri; depth:7; fast_pattern; http_header_names; content:!"Referer"; metadata: former_category EXPLOIT; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/; classtype:attempted-admin; sid:2025883; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2018_07_23, malware_family Mirai, updated_at 2018_07_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Multiple CCTV-DVR Vendors RCE"; flow:to_server,established; content:"/language/Swedish${IFS}&&"; http_uri; depth:25; fast_pattern; http_header_names; content:!"Referer"; metadata: former_category EXPLOIT; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/; classtype:attempted-admin; sid:2025884; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2018_07_23, malware_family Mirai, updated_at 2018_07_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"ET EXPLOIT Remote Command Execution via Android Debug Bridge"; flow:from_server,established; content:"CNXN|00 00 00 01 00 10 00 00 07 00 00 00 32 02 00 00 BC B1 A7 B1|host|3a 3a|"; distance:40; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/open-adb-ports-being-exploited-to-spread-possible-satori-variant-in-android-devices/; classtype:trojan-activity; sid:2025887; rev:1; metadata:created_at 2018_07_24, updated_at 2018_07_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"ET EXPLOIT Remote Command Execution via Android Debug Bridge 2"; flow:from_server,established; content:"OPENX|02 00 00 00 00 00 00 F2 17 4A 00 00 B0 AF BA B1|shell|3a|>/sdcard/Download/f|20|&&|20|cd|20|/sdcard/Download/|3b 20|>/dev/f|20|&&|20|cd|20|/dev/|3b 20|>/data/local/tmp/f|20|&&|20|cd|20|/data/local/tmp/|3b 20|busybox|20|wget|20|http|3a|//"; fast_pattern; metadata: former_category EXPLOIT; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/open-adb-ports-being-exploited-to-spread-possible-satori-variant-in-android-devices/; classtype:trojan-activity; sid:2025888; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_07_24, updated_at 2018_07_24;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Oracle WebLogic Unrestricted File Upload (CVE-2018-2894)"; flow:to_server,established; content:"POST"; http_method; content:"/ws_utc/resources/setting/keystore"; http_uri; fast_pattern; content:"ks_filename="; http_client_body; metadata: former_category EXPLOIT; reference:url,github.com/LandGrey/CVE-2018-2894/blob/master/CVE-2018-2894.py; reference:cve,2018-2894; classtype:attempted-admin; sid:2025907; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2018_07_25, updated_at 2018_07_25;)

alert tcp-pkt any 445 -> $HOME_NET any (msg:"ET EXPLOIT SMB Null Pointer Dereference PoC Inbound (CVE-2018-0833)"; flow:from_server,established; content:"|FD 53 4D 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41|"; offset:4; metadata: former_category EXPLOIT; reference:url,krbtgt.pw/smbv3-null-pointer-dereference-vulnerability/; reference:cve,2018-0833; classtype:attempted-admin; sid:2025983; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Minor, created_at 2018_08_08, updated_at 2018_08_08;)

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (MSF style)"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18 01 28|"; offset:4; depth:12; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:2; within:10; content:"|23 00 00 00 07 00 5c 50 49 50 45 5c 00|"; fast_pattern; isdataat:!1,relative; threshold: type limit, track by_src, count 1, seconds 30; metadata: former_category EXPLOIT; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025649; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, tag Metasploit, tag ETERNALBLUE, signature_severity Major, created_at 2018_07_11, updated_at 2019_09_28;)

alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010"; flow:from_server,established; content:"|ff|SMB|25 05 02 00 c0 98 01|"; offset:4; depth:11; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:3; within:10; content:"|00 00 00|"; distance:8; within:3; isdataat:!1,relative; threshold: type limit, track by_src, count 1, seconds 30; metadata: former_category EXPLOIT; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025650; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, tag Metasploit, tag ETERNALBLUE, signature_severity Major, created_at 2018_07_11, updated_at 2019_09_28;)

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (Generic Flags)"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00|"; offset:4; depth:9; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:5; within:10; content:"|23 00 00 00 07 00 5c 50 49 50 45 5c 00|"; fast_pattern; isdataat:!1,relative; threshold: type limit, track by_src, count 1, seconds 30; metadata: former_category EXPLOIT; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025992; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_08_15, malware_family ETERNALBLUE, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec In URI M2"; flow:to_server,established; content:"java.lang.Runtime|25|40getRuntime().exec("; http_uri; nocase; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2026024; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2018_08_23, updated_at 2018_08_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts RCE CVE-2018-11776 POC M1"; flow:to_server,established; content:"memberAccess"; http_uri; content:"allowStaticMethodAccess"; http_uri; distance:0; content:"java.lang.Runtime|25|40getRuntime().exec("; http_uri; nocase; fast_pattern; distance:0; content:".getInputStream()"; http_uri; content:"java.io.InputStreamReader("; http_uri; content:"java.io.BufferedReader("; http_uri; content:".read("; http_uri; content:"org.apache.struts2.ServletActionContext"; http_uri; content:"getResponse().getWriter()"; http_uri; metadata: former_category EXPLOIT; reference:url,github.com/jas502n/St2-057/blob/master/README.md; reference:cve,2018-11776; classtype:attempted-user; sid:2026025; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2018_08_23, updated_at 2018_08_23;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts RCE CVE-2018-11776 POC M2"; flow:to_server,established; content:"memberAccess"; http_uri; content:"allowStaticMethodAccess"; http_uri; distance:0; content:"java.lang.Runtime@getRuntime().exec("; http_uri; nocase; fast_pattern; distance:0; content:".getInputStream"; http_uri; content:"java.io.InputStreamReader"; http_uri; content:"java.io.BufferedReader"; http_uri; content:".read"; http_uri; content:"@org.apache.struts2.ServletActionContext@getResponse"; http_uri; metadata: former_category EXPLOIT; reference:url,github.com/jas502n/St2-057/blob/master/README.md; reference:cve,2018-11776; classtype:attempted-user; sid:2026026; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2018_08_23, updated_at 2018_08_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Root Command Injection (Unix)"; flow:established,to_server; content:"X-Auth-Token|3a| AuroraSdnToken"; http_header; fast_pattern; content:"|7b 22|action|22 3a 22|uninstall|22 2c 22|name|22 3a 22|--pre-invoke="; http_client_body; content:"|5c 5c|x73|5c 5c|x68|5c 5c|x20|5c 5c|x2d|5c 5c|x63"; metadata: former_category EXPLOIT; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb; classtype:attempted-admin; sid:2026028; rev:1; metadata:attack_target Client_Endpoint, deployment Datacenter, signature_severity Major, created_at 2018_08_24, updated_at 2018_08_24;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Root Command Injection (Linux)"; flow:established,to_server; content:"X-Auth-Token|3a| AuroraSdnToken"; http_header; fast_pattern; content:"|7b 22|action|22 3a 22|uninstall|22 2c 22|name|22 3a 22|--pre-invoke="; http_client_body; content:".deb"; http_client_body; content:"/var/lib/sdn/uploads"; http_client_body; metadata: former_category EXPLOIT; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb; classtype:attempted-admin; sid:2026029; rev:1; metadata:attack_target Client_Endpoint, deployment Datacenter, signature_severity Major, created_at 2018_08_24, updated_at 2018_08_24;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Upload Backdoor 2"; flow:established,to_server; content:"/upload"; http_uri; isdataat:!1,relative; content:"X-Auth-Token|3a| AuroraSdnToken"; http_header; fast_pattern; content:".deb|0d 0a|"; http_header; content:"|7f|ELF"; http_client_body; depth:4; metadata: former_category SCAN; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb; classtype:attempted-admin; sid:2026030; rev:2; metadata:attack_target Client_Endpoint, deployment Datacenter, signature_severity Major, created_at 2018_08_24, updated_at 2019_09_28;)

alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript invalidcheck escape attempt (SMTP)"; flow:to_server,established; file_data; content:"legal"; content:"restore"; distance:0; content:"currentdevice"; content:"putdeviceprops"; pcre:"/legal[^x7B]*\x7B[^\x7D]*restore/smi"; metadata: former_category EXPLOIT; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026084; rev:2; metadata:attack_target SMTP_Server, deployment Datacenter, signature_severity Major, created_at 2018_09_05, updated_at 2018_09_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript invalidcheck escape attempt"; flow:to_client,established; file_data; content:"legal"; content:"restore"; distance:0; content:"currentdevice"; content:"putdeviceprops"; pcre:"/legal[^x7B]*\x7B[^\x7D]*restore/smi"; metadata: former_category EXPLOIT; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026085; rev:1; metadata:attack_target Client_Endpoint, deployment Datacenter, signature_severity Informational, created_at 2018_09_05, updated_at 2018_09_05;)

alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript illegal read undefinedfilename attempt (SMTP)"; flow:to_server,established; file_data; content:"undefinedfilename"; fast_pattern; content:"errordict"; content:"invalidfileaccess"; content:"typecheck"; pcre:"/errordict\s+\x2Finvalidfileaccess/smi"; metadata: former_category EXPLOIT; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026086; rev:2; metadata:attack_target SMTP_Server, deployment Datacenter, signature_severity Informational, created_at 2018_09_05, updated_at 2018_09_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript illegal read undefinedfilename attempt"; flow:to_client,established; file_data; content:"undefinedfilename"; fast_pattern; content:"errordict"; content:"invalidfileaccess"; content:"typecheck"; pcre:"/errordict\s+\x2Finvalidfileaccess/smi"; metadata: former_category EXPLOIT; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026087; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2018_09_05, updated_at 2018_09_05;)

alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript illegal delete bindnow attempt (SMTP)"; flow:to_server,established; file_data; content:"unlink("; fast_pattern; content:"|2E|bindnow"; content:"stopped"; distance:0; pcre:"/\x2Ebindnow[^\x7D]*\x7D\s*stopped/smi"; metadata: former_category EXPLOIT; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026088; rev:2; metadata:attack_target SMTP_Server, deployment Datacenter, signature_severity Informational, created_at 2018_09_05, updated_at 2018_09_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript illegal delete bindnow attempt"; flow:to_client,established; file_data; content:"unlink("; fast_pattern; content:"|2E|bindnow"; content:"stopped"; distance:0; pcre:"/\x2Ebindnow[^\x7D]+\x7D\s*stopped/smi"; metadata: former_category EXPLOIT; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026089; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2018_09_05, updated_at 2018_09_05;)

alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript setpattern type confusion attempt (SMTP)"; flow:to_server,established; file_data; content:"16#"; content:"setpattern"; distance:0; pcre:"/16#[^s]\d+\s*\x3E\x3E\s*setpattern/smi"; metadata: former_category EXPLOIT; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026090; rev:2; metadata:attack_target SMTP_Server, deployment Datacenter, signature_severity Informational, created_at 2018_09_05, updated_at 2018_09_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript setpattern type confusion attempt"; flow:to_client,established; file_data; content:"16#"; content:"setpattern"; distance:0; pcre:"/16#[^s]\d+\s*\x3E\x3E\s*setpattern/smi"; metadata: former_category EXPLOIT; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026091; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2018_09_05, updated_at 2018_09_05;)

alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript LockDistillerParams type confusion attempt (SMTP)"; flow:to_server,established; file_data; content:"LockDistillerParams"; content:"16#"; distance:0; pcre:"/16#[^s]\d+\s*\x3E\x3E\s*setpattern/smi"; metadata: former_category EXPLOIT; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026092; rev:2; metadata:attack_target SMTP_Server, deployment Datacenter, signature_severity Informational, created_at 2018_09_05, updated_at 2018_09_05;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript LockDistillerParams type confusion attempt"; flow:to_client,established; file_data; content:"LockDistillerParams"; content:"16#"; distance:0; pcre:"/16#[^s]\d+\s*\x3E\x3E\s*setpattern/smi"; metadata: former_category EXPLOIT; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026093; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2018_09_05, updated_at 2018_09_05;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts memberAccess and getWriter inbound OGNL injection remote code execution attempt"; flow:to_server,established; content:"|23|_memberAccess"; fast_pattern; http_uri; content:".getWriter"; nocase; http_uri; metadata: former_category EXPLOIT; reference:cve,2018-11776; classtype:attempted-admin; sid:2026094; rev:2; metadata:affected_product Apache_Struts2, attack_target Server, deployment Datacenter, signature_severity Informational, created_at 2018_09_05, updated_at 2018_09_05;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts memberAccess and opensymphony inbound OGNL injection remote code execution attempt"; flow:to_server,established; content:"|23|_memberAccess"; fast_pattern; http_uri; content:"com|2E|opensymphony"; nocase; http_uri; metadata: former_category EXPLOIT; reference:cve,2018-11776; classtype:attempted-admin; sid:2026095; rev:2; metadata:affected_product Apache_Struts2, attack_target Server, deployment Datacenter, signature_severity Informational, created_at 2018_09_05, updated_at 2018_09_05;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts getWriter and opensymphony inbound OGNL injection remote code execution attempt"; flow:to_server,established; content:"|2E|getWriter"; fast_pattern; http_uri; content:"symphony|2E|"; nocase; http_uri; metadata: former_category EXPLOIT; reference:cve,2018-11776; classtype:attempted-admin; sid:2026096; rev:2; metadata:affected_product Apache_Struts2, attack_target Server, deployment Datacenter, signature_severity Informational, created_at 2018_09_05, updated_at 2018_09_05;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT SonicWall Global Management System - XMLRPC set_time_zone Command Injection (CVE-2018-9866)"; flow:established,to_server; content:"<methodName>set_time_"; http_client_body; fast_pattern; content:"<string>|22 60|"; http_client_body; distance:0; metadata: former_category EXPLOIT; reference:url,exploit-db.com/exploits/45124/; reference:cve,2018-9866; classtype:attempted-user; sid:2026023; rev:3; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2018_08_23, performance_impact Low, updated_at 2018_09_10;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Vacron NVR Remote Command Execution M2"; flow:to_server,established; content:"/board.cgi"; http_uri; fast_pattern; content:"cmd="; http_client_body; depth:4; pcre:"/[^&]*(?:\x60|\x24)/RP"; metadata: former_category EXPLOIT; reference:url,blogs.securiteam.com/index.php/archives/3445; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026103; rev:2; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Minor, created_at 2018_09_10, updated_at 2018_09_10;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT EnGenius EnShare IoT Gigabit Cloud Service RCE"; flow:to_server,established; content:"/usbinteract.cgi"; http_uri; content:"action=7&path="; fast_pattern; http_client_body; depth:14; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026104; rev:2; metadata:created_at 2018_09_10, updated_at 2018_09_10;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Zyxel Command Injection RCE (CVE-2017-6884)"; flow:to_server,established; content:"/cgi-bin/luci/"; http_uri; content:"stok="; http_uri; content:"/nslookup?nslookup_button=nslookup_button&"; http_uri; fast_pattern; metadata: former_category EXPLOIT; reference:cve,2017-6884; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026105; rev:2; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Minor, created_at 2018_09_10, updated_at 2018_09_10;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NetGain Enterprise Manager 7.2.562 Ping Command Injection"; flow:to_server,established; content:"/exec.jsp"; http_uri; content:"command=cmd"; http_client_body; fast_pattern; content:"ping&argument="; http_client_body; distance:0; metadata: former_category EXPLOIT; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026106; rev:2; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Minor, created_at 2018_09_10, updated_at 2018_09_10;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NUUO OS Command Injection"; flow:to_server,established; content:"/handle_iscsi.php"; http_uri; content:"act=discover&address="; http_client_body; fast_pattern;  pcre:"/[^&]*(?:\x60|\x24)/RP"; metadata: former_category EXPLOIT; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026107; rev:2; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Minor, created_at 2018_09_10, updated_at 2018_09_10;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NUUO OS Command Injection M2"; flow:to_server,established; content:"/cgi_system?cmd=saveconfig"; http_uri; content:"bfolder="; http_client_body; pcre:"/(?:\x60|\x24)/P"; metadata: former_category EXPLOIT; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026108; rev:2; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2018_09_10, updated_at 2018_09_10;)

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Mikrotik Winbox RCE Attempt (CVE-2018-14847)"; flow:established,to_server; content:"|680100664d320500ff010600ff09050700ff090701000021352f2f2f2f2f2e2f2e2e2f2f2f2f2f2f2e2f2e2e2f2f2f2f2f2f2e2f2e2e2f666c6173682f72772f73746f72652f757365722e6461740200ff88020000000000080000000100ff8802000200000002000000|"; offset:0; metadata: former_category EXPLOIT; reference:url,github.com/mrmtwoj/0day-mikrotik; reference:url,www.helpnetsecurity.com/2018/08/03/mikrotik-cryptojacking-campaign; reference:cve,2018-14847; classtype:attempted-admin; sid:2025972; rev:3; metadata:affected_product Linux, attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2018_08_06, updated_at 2018_09_11;)

alert icmp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible CVE-2018-4407 - Apple ICMP DoS PoC"; itype:12; icode:0; content:"AAAAAAAA"; fast_pattern; metadata: former_category EXPLOIT; reference:url,lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407; reference:url,twitter.com/ihackbanme/status/1057811965945376768; classtype:attempted-user; sid:2026567; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Internal, signature_severity Major, created_at 2018_11_01, updated_at 2018_11_01;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Cisco RV320 RCE Attempt (CVE-2019-1652)"; flow:established,to_server; content:"POST"; http_method; content:"/certificate_handle2.htm?type="; http_uri; content:"page=self_generator.htm&totalRules="; http_client_body; depth:35; fast_pattern; content:"|25 32 37 25 32 34 25 32 38|"; http_client_body; distance:0; metadata: former_category EXPLOIT; reference:url,seclists.org/fulldisclosure/2019/Jan/54; classtype:trojan-activity; sid:2026860; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, cve 2019_1652, signature_severity Major, created_at 2019_01_29, performance_impact Low, updated_at 2019_01_29;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 44818 (msg:"ET EXPLOIT Possible MicroLogix 1100 PCCC DoS Condition (CVE-2017-7924)"; flow:to_server,established; content:"|4b 02 20 67 24 01|"; content:"|a2|"; distance:0; content:"|05 47|"; distance:1; within:2; metadata: former_category EXPLOIT; reference:cve,2017-7924; reference:url,rapid7.com/db/modules/auxiliary/dos/scada/allen_bradley_pccc; classtype:attempted-dos; sid:2026917; rev:1; metadata:deployment Perimeter, signature_severity Major, created_at 2019_02_18, performance_impact Moderate, updated_at 2019_02_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nuuo NVR RCE Attempt (CVE-2018-15716)"; flow:established,to_server; content:"GET"; http_method; content:"_handle.php?cmd=getupgradinginfo"; http_uri; fast_pattern; isdataat:!1,relative; metadata: former_category EXPLOIT; classtype:attempted-admin; sid:2026982; rev:1; metadata:deployment Perimeter, cve 2018_15716, signature_severity Major, created_at 2019_02_26, performance_impact Low, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561)"; flow:established,to_server; content:"POST"; http_method; content:"?images/"; http_uri; content:"XWebPageName=diag&diag"; http_client_body; depth:22; fast_pattern; pcre:"/(?:\/GponForm\/diag_FORM\?images\/|\.html\?images\/)/Ui"; metadata: former_category EXPLOIT; reference:url,www.vpnmentor.com/blog/critical-vulnerability-gpon-router/; classtype:attempted-admin; sid:2027063; rev:1; metadata:attack_target IoT, deployment Perimeter, cve 2018_10561, signature_severity Major, created_at 2019_03_06, performance_impact Low, updated_at 2019_03_06;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2018-8174 Common Construct B64 M2"; flow:from_server,established; file_data; content:"|68546147567362474e765a4756425a475279554746795957|"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2027070; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_03_11, performance_impact Moderate, updated_at 2019_03_11;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2018-8174 Common Construct B64 M1"; flow:from_server,established; file_data; content:"|4b464e6f5a5778735932396b5a55466b5a484a5159584a6862|"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2027069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_03_11, performance_impact Moderate, updated_at 2019_03_11;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2018-8174 Common Construct B64 M3"; flow:from_server,established; file_data; content:"|6f5532686c6247786a6232526c5157526b636c4268636d4674|"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2027071; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_03_11, performance_impact Moderate, updated_at 2019_03_11;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible WePresent WIPG1000 OS Command Injection"; flow:established,to_server; content:"GET"; http_method; content:"/cgi-bin/rdfs.cgi"; http_uri; depth:17; isdataat:!1,relative; fast_pattern; content:"Client="; http_client_body; depth:7; content:"|3b|"; http_client_body; distance:0; content:"&Download="; http_client_body; distance:0; metadata: former_category EXPLOIT; classtype:attempted-admin; sid:2027090; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_03_18, performance_impact Low, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible WePresent WIPG1000 File Inclusion"; flow:established,to_server; content:"GET"; http_method; content:"/cgi-bin/login.cgi"; http_uri; depth:18; isdataat:!1,relative; content:"&src=|2e 2e 2f 2e 2e 2f 2e 2e 2f|"; fast_pattern; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2027091; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_03_18, performance_impact Low, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ZyXEL P660HN-T v1 RCE"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/ViewLog.asp"; http_uri; depth:20; isdataat:!1,relative; content:"remote_submit_Flag="; http_client_body; depth:19; content:"&remote_host="; http_client_body; distance:0; content:"&remoteSubmit=Save"; http_client_body; distance:0; isdataat:!1,relative; fast_pattern; metadata: former_category EXPLOIT; reference:url,seclists.org/fulldisclosure/2017/Jan/40; classtype:attempted-user; sid:2027092; rev:1; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_03_18, performance_impact Low, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6077)"; flow:established,to_server; content:"POST"; http_method; content:"/ping.cgi"; http_uri; depth:9; isdataat:!1,relative; content:"DIAG_diag.htm|0d 0a|"; http_header; fast_pattern; content:"&ping_IPAddr="; http_client_body; content:"|3b|"; http_client_body; distance:0; metadata: former_category EXPLOIT; reference:url,www.exploit-db.com/exploits/41394; reference:cve,2017-6077; classtype:attempted-user; sid:2027093; rev:1; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_03_18, performance_impact Low, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6334)"; flow:established,to_server; content:"POST"; http_method; content:"/dnslookup.cgi"; http_uri; depth:14; isdataat:!1,relative; content:"DIAG_diag.htm|0d 0a|"; http_header; fast_pattern; content:"host_name="; http_client_body; depth:10; content:"|3b|"; http_client_body; distance:0; metadata: former_category EXPLOIT; reference:url,www.exploit-db.com/exploits/41394; reference:cve,2017-6334; classtype:attempted-user; sid:2027094; rev:1; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_03_18, performance_impact Low, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Linksys WAP54Gv3 Remote Debug Root Shell Exploitation Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/debug.cgi"; http_uri; depth:10; isdataat:!1,relative; content:"data1=|3b|"; http_client_body; depth:7; fast_pattern; content:"&command="; http_client_body; distance:0; metadata: former_category EXPLOIT; reference:url,seclists.org/bugtraq/2010/Jun/93; classtype:attempted-user; sid:2027095; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2019_03_18, performance_impact Low, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Linksys WRT100/110 RCE Attempt (CVE-2013-3568)"; flow:established,to_server; content:"POST"; http_method; content:"/ping.cgi"; http_uri; depth:9; isdataat:!1,relative; content:"pingstr="; http_client_body; depth:8; fast_pattern; content:"|3b|"; http_client_body; distance:0; within:25; metadata: former_category EXPLOIT; reference:cve,2013-3568; reference:url,www.exploit-db.com/exploits/28484; classtype:attempted-user; sid:2027097; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_03_19, performance_impact Low, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ZTE ZXV10 H108L Router Root RCE Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/getpage.gch?pid="; http_uri; depth:17; content:"&Host=|3b|"; http_uri; distance:0; fast_pattern; content:"&DataBlockSize="; http_uri; distance:0; metadata: former_category EXPLOIT; reference:url,github.com/stasinopoulos/ZTExploit/blob/master/ZTExploit_Source/ztexploit.py; classtype:attempted-user; sid:2027098; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_03_19, performance_impact Low, updated_at 2019_03_19;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Linksys E1500/E2500 apply.cgi RCE Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/apply.cgi"; http_uri; depth:10; content:"submit_button="; http_client_body; depth:14; content:"&submit_type=start_ping"; http_client_body; distance:0; fast_pattern; content:"&ping_size="; http_client_body; distance:0; content:"|3b|"; http_client_body; distance:0; within:30; metadata: former_category EXPLOIT; reference:url,www.exploit-db.com/exploits/24936; classtype:attempted-user; sid:2027099; rev:1; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_03_19, performance_impact Low, updated_at 2019_03_19;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Linksys E-Series Device RCE Attempt"; flow:to_server,established; content:"POST"; http_method; content:".cgi"; http_uri; content:"ttcp_ip="; http_client_body; content:"-h"; http_client_body; distance:0; content:"&ttcp_num="; http_client_body; fast_pattern; metadata: former_category EXPLOIT; reference:url,www.exploit-db.com/exploits/31683/; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026102; rev:3; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Informational, created_at 2018_09_10, malware_family Mirai, updated_at 2019_03_25;)

alert http any any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound"; flow:to_server,established; content:"POST"; http_method; content:".cgi"; http_uri; content:"ttcp_ip="; http_client_body; content:"-h"; http_client_body; distance:0; content:"&ttcp_num="; http_client_body; fast_pattern; metadata: former_category EXPLOIT; reference:url,www.exploit-db.com/exploits/31683/; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2027153; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_04_04, performance_impact Low, updated_at 2019_04_04;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Unk.IoT IPCamera Exploit Attempt Inbound"; flow:established,to_server; content:"POST"; http_method; content:"/sysTimeCfgEx"; http_uri; fast_pattern; isdataat:!1,relative; content:"systemdate="; http_client_body; depth:11; nocase; content:"&systemtime="; http_client_body; nocase; content:"&dwTimeZone"; http_client_body; nocase; content:"&updatemode="; http_client_body; nocase; content:"&ntpHost="; http_client_body; nocase; content:"&ntpPort="; http_client_body; nocase; content:"&timezonecon="; http_client_body; nocase; http_header_names; content:!"Referer"; metadata: former_category EXPLOIT; reference:url,twitter.com/zom3y3/status/1115481065701830657/photo/1; classtype:trojan-activity; sid:2027194; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_04_12, malware_family Mirai, performance_impact Moderate, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT WinRAR WinAce Containing CVE-2018-20250 Inbound - Path Traversal leading to RCE"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"**ACE**"; offset:7; depth:7; fast_pattern; content:"|00|"; distance:0; pcre:"/^(?:(\S\:\\){2,}|\S\:\\\S\:\S\:|S\:\\\\\\([0-9]{1,3}\.){3}[0-9]{1,3}|\S\:\\\\\\([a-z0-9\-]{1,30}\.){1,8}[a-z]{1,8})/R"; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2027310; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, cve 2018_20250, tag WinRAR, tag ACE, signature_severity Major, created_at 2019_05_01, performance_impact Moderate, updated_at 2019_05_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linksys Smart WiFi Information Disclosure Attempt Inbound"; flow:established,to_server; content:"POST"; http_method; content:"/JNAP/"; http_uri; depth:6; content:"X-JNAP-Action|3a 20|http|3a 2f 2f|"; http_header; fast_pattern; pcre:"/^(?:www\.)?(cisco|linksys)\.com\/jnap\//HRi"; content:"|7b 7d|"; http_client_body; depth:2; metadata: former_category EXPLOIT; reference:url,raw.githubusercontent.com/zeropwn/Linksys-Smart-WiFi-Information-Disclosure/master/nss.py; classtype:attempted-recon; sid:2027357; rev:2; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2019_05_16, performance_impact Low, updated_at 2019_05_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CyberArk Enterprise Password Vault XXE Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/PasswordVault/auth/saml/"; http_uri; fast_pattern; isdataat:!1,relative; content:"SAMLResponse=PCFET0NUWVBFIHIgWwo8IUVMRU1F"; http_client_body; depth:41; metadata: former_category EXPLOIT; reference:url,www.exploit-db.com/exploits/46828; classtype:attempted-admin; sid:2027358; rev:2; metadata:deployment Perimeter, signature_severity Major, created_at 2019_05_16, performance_impact Low, updated_at 2019_09_28;)

alert tcp any any -> any 3389 (msg:"ET EXPLOIT [NCC GROUP] Possible Bluekeep Inbound RDP Exploitation Attempt (CVE-2019-0708)"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|02 f0|"; distance:2; within:2; content:"|00 05 00 14 7c 00 01|"; within:512; content:"|03 c0|"; distance:3; within:384; content:"MS_T120|00|"; distance:6; within:372; nocase; fast_pattern; threshold: type limit, track by_src, count 2, seconds 600; metadata: former_category EXPLOIT; reference:cve,2019,0708; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Signatures/suricata/2019_05_rdp_cve_2019_0708.txt; classtype:attempted-admin; sid:2027369; rev:3; metadata:attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, signature_severity Major, created_at 2019_05_21, malware_family Bluekeep, updated_at 2019_05_21;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Eir D1000 Remote Command Injection Attempt Inbound"; flow:established,to_server; content:"POST"; http_method; content:"/UD/act?1"; http_uri; depth:9; nocase; content:"<u|3a|GetSecurityKeys|20|"; http_client_body; fast_pattern; metadata: former_category EXPLOIT; reference:url,www.exploit-db.com/exploits/40740; classtype:attempted-admin; sid:2027375; rev:1; metadata:affected_product Eir_D1000_Modem, attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2019_05_23, performance_impact Low, updated_at 2019_05_23;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Eir D1000 Remote Command Injection Attempt Outbound"; flow:established,to_server; content:"POST"; http_method; content:"/UD/act?1"; http_uri; depth:9; nocase; content:"<u|3a|GetSecurityKeys|20|"; http_client_body; fast_pattern; metadata: former_category EXPLOIT; reference:url,www.exploit-db.com/exploits/40740; classtype:attempted-admin; sid:2027376; rev:1; metadata:affected_product Eir_D1000_Modem, attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2019_05_23, performance_impact Low, updated_at 2019_05_23;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Attempted Remote Command Injection Outbound (CVE-2019-3929)"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/file_transfer.cgi"; http_uri; isdataat:!1,relative; content:"file_transfer="; http_client_body; depth:14; content:"&dir=|27|Pa_Note"; http_client_body; distance:0; fast_pattern; metadata: former_category EXPLOIT; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027450; rev:1; metadata:attack_target IoT, deployment Perimeter, cve 2019_3929, signature_severity Major, created_at 2019_06_11, performance_impact Low, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Attempted Remote Command Injection Inbound (CVE-2019-3929)"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/file_transfer.cgi"; http_uri; isdataat:!1,relative; content:"file_transfer="; http_client_body; depth:14; content:"&dir=|27|Pa_Note"; http_client_body; distance:0; fast_pattern; metadata: former_category EXPLOIT; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027451; rev:1; metadata:attack_target IoT, deployment Perimeter, cve 2019_3929, signature_severity Major, created_at 2019_06_11, performance_impact Low, updated_at 2019_09_28;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Attempted Remote Command Injection Outbound (CVE-2018-7841)"; flow:established,to_server; content:"POST"; http_method; content:"/track_import_export.php"; http_uri; fast_pattern; isdataat:!1,relative; content:"op="; http_client_body; depth:3; content:"&object_id=|60|"; http_client_body; distance:0; within:100; metadata: former_category EXPLOIT; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027454; rev:1; metadata:deployment Perimeter, cve 2018_7841, signature_severity Major, created_at 2019_06_11, performance_impact Low, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Attempted Remote Command Injection Inbound (CVE-2018-7841)"; flow:established,to_server; content:"POST"; http_method; content:"/track_import_export.php"; http_uri; fast_pattern; isdataat:!1,relative; content:"op="; http_client_body; depth:3; content:"&object_id=|60|"; http_client_body; distance:0; within:100; metadata: former_category EXPLOIT; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027455; rev:1; metadata:deployment Perimeter, cve 2018_7841, signature_severity Major, created_at 2019_06_11, performance_impact Low, updated_at 2019_09_28;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Dell KACE Attempted Remote Command Injection Outbound"; flow:established,to_server; content:"POST"; http_method; content:"/krashrpt.php"; http_uri; fast_pattern; isdataat:!1,relative; content:"kuid=|60|"; http_client_body; depth:6; metadata: former_category EXPLOIT; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-11138; classtype:attempted-admin; sid:2027456; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_06_11, performance_impact Low, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Dell KACE Attempted Remote Command Injection Inbound"; flow:established,to_server; content:"POST"; http_method; content:"/krashrpt.php"; http_uri; fast_pattern; isdataat:!1,relative; content:"kuid=|60|"; http_client_body; depth:6; metadata: former_category EXPLOIT; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-11138; classtype:attempted-admin; sid:2027457; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_06_11, performance_impact Low, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible OpenDreamBox Attempted Remote Command Injection Inbound"; flow:established,to_server; content:"POST"; http_method; content:"/webadmin/script?command="; http_uri; fast_pattern; metadata: former_category EXPLOIT; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-14135; classtype:attempted-admin; sid:2027453; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_06_11, performance_impact Low, updated_at 2019_06_11;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible OpenDreamBox Attempted Remote Command Injection Outbound"; flow:established,to_server; content:"POST"; http_method; content:"/webadmin/script?command="; http_uri; fast_pattern; metadata: former_category EXPLOIT; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-14135; classtype:attempted-admin; sid:2027452; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_06_11, performance_impact Low, updated_at 2019_06_11;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Geutebruck Attempted Remote Command Injection Inbound"; flow:established,to_server; content:"POST"; http_method; content:"/testaction.cgi"; http_uri; isdataat:!1,relative; content:"ip|3a 20|eth0|20|1.1.1.1|3b|"; http_header; fast_pattern; metadata: former_category EXPLOIT; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-5173; classtype:attempted-admin; sid:2027459; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_06_11, performance_impact Low, updated_at 2019_09_28;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Geutebruck Attempted Remote Command Injection Outbound"; flow:established,to_server; content:"POST"; http_method; content:"/testaction.cgi"; http_uri; isdataat:!1,relative; content:"ip|3a 20|eth0|20|1.1.1.1|3b|"; http_header; fast_pattern; metadata: former_category EXPLOIT; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-5173; classtype:attempted-admin; sid:2027458; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_06_11, performance_impact Low, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Hootoo TripMate Attempted Remote Command Injection Inbound"; flow:established,to_server; content:"POST"; http_method; content:"/protocol.csp?function="; http_uri; depth:23; fast_pattern; content:"&mac=|7c|"; http_uri; distance:0; metadata: former_category EXPLOIT; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-20841; classtype:attempted-admin; sid:2027461; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_06_11, performance_impact Low, updated_at 2019_06_11;)

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Hootoo TripMate Attempted Remote Command Injection Outbound"; flow:established,to_server; content:"POST"; http_method; content:"/protocol.csp?function="; http_uri; depth:23; fast_pattern; content:"&mac=|7c|"; http_uri; distance:0; metadata: former_category EXPLOIT; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-20841; classtype:attempted-admin; sid:2027460; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_06_11, performance_impact Low, updated_at 2019_06_11;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear ReadyNAS Surveillance Unauthenticated Remote Command Execution"; flow:to_server,established; content:"/upgrade_handle.php?cmd=writeuploaddir&uploaddir=|25|27"; depth:52; http_uri; metadata: former_category EXPLOIT; reference:url,blogs.securiteam.com/index.php/archives/3409; reference:cve,CVE-2017-18377; classtype:attempted-recon; sid:2024914; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2017_10_25, updated_at 2017_10_25;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Belkin Wemo Enabled Crock-Pot Unauthenticated Command Injection Inbound (CVE-2019-12780)"; flow:established,to_server; content:"POST"; http_method; content:"/upnp/control/basicevent1"; http_uri; depth:25; isdataat:!1,relative; content:"SOAPAction|3a 20|"; http_header; content:"urn|3a|Belkin|3a|service|3a|basicevent|3a|1|23|SetSmartDevInfo"; http_header; distance:0; within:48; fast_pattern; content:"|3c|SmartDevURL|3e 60|"; http_client_body; metadata: former_category EXPLOIT; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027486; rev:1; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_06_18, performance_impact Low, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Belkin Wemo Enabled Crock-Pot Unauthenticated Command Injection Outbound (CVE-2019-12780)"; flow:established,to_server; content:"POST"; http_method; content:"/upnp/control/basicevent1"; http_uri; depth:25; isdataat:!1,relative; content:"SOAPAction|3a 20|"; http_header; content:"urn|3a|Belkin|3a|service|3a|basicevent|3a|1|23|SetSmartDevInfo"; http_header; distance:0; within:48; content:"|3c|SmartDevURL|3e 60|"; http_client_body; metadata: former_category EXPLOIT; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027487; rev:1; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_06_18, performance_impact Low, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT MiCasaVerde VeraLite - Remote Code Execution Outbound (CVE-2016-6255)"; flow:established,to_server; content:"POST"; http_method; content:"/upnp/control/hag"; http_uri; depth:17; isdataat:!1,relative; fast_pattern; content:"SOAPAction|3a 20|"; http_header; content:"urn|3a|schemas-micasaverde-org|3a|service|3a|HomeAutomationGateway|3a|1|23|RunLua"; http_header; distance:0; within:67; content:"|3c|Code|3e|os|2e|execute|28 60|"; http_client_body; metadata: former_category EXPLOIT; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027488; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_06_18, malware_family Mirai, performance_impact Low, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MiCasaVerde VeraLite - Remote Code Execution Inbound (CVE-2016-6255)"; flow:established,to_server; content:"POST"; http_method; content:"/upnp/control/hag"; http_uri; depth:17; isdataat:!1,relative; fast_pattern; content:"SOAPAction|3a 20|"; http_header; content:"urn|3a|schemas-micasaverde-org|3a|service|3a|HomeAutomationGateway|3a|1|23|RunLua"; http_header; distance:0; within:67; content:"|3c|Code|3e|os|2e|execute|28 60|"; http_client_body; metadata: former_category EXPLOIT; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027489; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_06_18, malware_family Mirai, performance_impact Low, updated_at 2019_09_28;)

alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Possible Exim 4.87-4.91 RCE Attempt Inbound (CVE-2019-10149)"; flow:established,to_server; content:"RCPT|20|TO"; content:"|24 7b|run|7b|"; distance:0; within:12; fast_pattern; content:"|7d 7d 40|"; distance:0; metadata: former_category EXPLOIT; reference:url,www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt; classtype:attempted-admin; sid:2027442; rev:3; metadata:attack_target SMTP_Server, deployment Perimeter, cve 2019_10149, signature_severity Major, created_at 2019_06_07, performance_impact Low, updated_at 2019_06_21;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FCM-MB40 Attempted Remote Command Execution as Root"; flow:established,to_server; content:"GET"; http_method; content:"/cgi-bin/camctrl_save_profile.cgi"; http_uri; depth:33; fast_pattern; content:"num="; http_uri; distance:0; content:"name="; http_uri; distance:0; content:"a|20|-e|20|s|2f 5e|"; http_uri; distance:0; content:"|20 2e 2e|/cgi-bin/ddns.cgi|20|"; http_uri; distance:0; content:"&save=profile"; http_uri; distance:0; metadata: former_category EXPLOIT; reference:url,xor.cat/2019/06/19/fortinet-forticam-vulns/; classtype:attempted-admin; sid:2027513; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_06_24, performance_impact Low, updated_at 2019_06_24;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin Vulnerability (CVE-2017-9805)"; flow:to_server,established; content:"GET"; http_method; content:"/struts2"; http_uri; http_content_type; content:"|25 7b 28 23|"; isdataat:500,relative; content:"cmd.exe"; fast_pattern; content:"@java.lang.System@getProperty(|27|os.name|27|)"; metadata: former_category EXPLOIT; reference:cve,2017-9805; reference:url,forums.juniper.net/t5/Threat-Research/Anatomy-of-the-Bulehero-Cryptomining-Botnet/ba-p/458787; classtype:attempted-user; sid:2027516; rev:1; metadata:affected_product Apache_Struts2, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_06_26, performance_impact Moderate, updated_at 2019_06_26;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Tomcat File Upload Payload Request (CVE-2017-12615)"; flow:to_server,established; content:"GET"; http_method; content:".jsp?wiew="; http_uri; fast_pattern; content:"&os="; http_uri; distance:0; content:"&address="; http_uri; distance:0; metadata: former_category EXPLOIT; reference:cve,2017-12615; reference:url,forums.juniper.net/t5/Threat-Research/Anatomy-of-the-Bulehero-Cryptomining-Botnet/ba-p/458787; classtype:attempted-user; sid:2027517; rev:1; metadata:deployment Perimeter, signature_severity Major, created_at 2019_06_26, performance_impact Moderate, updated_at 2019_06_26;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ThinkPHP Attempted Bypass and Payload Retrieval"; flow:to_server,established; content:"GET"; http_method; content:"/public/hydra.php?xcmd=cmd.exe"; http_uri; metadata: former_category EXPLOIT; reference:url,forums.juniper.net/t5/Threat-Research/Anatomy-of-the-Bulehero-Cryptomining-Botnet/ba-p/458787; classtype:attempted-user; sid:2027518; rev:1; metadata:attack_target Server, deployment Perimeter, signature_severity Major, created_at 2019_06_26, performance_impact Moderate, updated_at 2019_06_26;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Zoom Client Auto-Join (CVE-2019-13450)"; flow:established,to_client; file_data; content:"localhost|3a|19421/launch?action=join&confno="; metadata: former_category EXPLOIT; reference:url,medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5; reference:cve,2019-13450; classtype:attempted-user; sid:2027696; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_07_10, performance_impact Moderate, updated_at 2019_07_10;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT IE Scripting Engine Memory Corruption Vulnerability (CVE-2019-0752)"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<script language=|22|"; content:"VBScript"; within:8; nocase; content:"|2e|scrollLeft"; distance:0; content:"|26|h4003|09 27 20|VT_BYREF|20 7c 20|VT_I4"; distance:0; fast_pattern; content:"|28 28 28 28 5c 2e 2e 5c|"; distance:0; content:"Powershell"; within:10; nocase; content:"|26|h40|2c 20 22 23 3e 24|"; distance:0; within:400; metadata: former_category EXPLOIT; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/slub-gets-rid-of-github-intensifies-slack-use; reference:url,www.zerodayinitiative.com/blog/2019/5/21/rce-without-native-code-exploitation-of-a-write-what-where-in-internet-explorer; reference:cve,CVE-2019-0752; classtype:attempted-admin; sid:2027721; rev:1; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_07_17, performance_impact Low, updated_at 2019_07_17;)

alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Palo Alto SSL VPN sslmgr Format String Vulnerability (Inbound)"; flow:to_server,established; content:"POST"; http_method; content:"/sslmgr"; isdataat:!1,relative; nocase; http_uri; content:"scep-profile-name=%"; depth:19; http_client_body; fast_pattern; pcre:"/^[0-9]+/PR"; metadata: former_category EXPLOIT; reference:url,blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html; classtype:attempted-admin; sid:2027723; rev:2; metadata:attack_target Server, deployment Perimeter, signature_severity Major, created_at 2019_07_18, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible WebShell GIF Upload"; flow:established,to_server; content:"POST"; http_method; content:"GIF89a"; http_client_body; depth:6; content:"<%eval|20|request|28 22|"; http_client_body; distance:0; fast_pattern; metadata: former_category EXPLOIT; classtype:attempted-admin; sid:2027736; rev:1; metadata:attack_target Web_Server, deployment Perimeter, tag WebShell, signature_severity Major, created_at 2019_07_22, performance_impact Low, updated_at 2019_07_22;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible WebShell JPEG Upload"; flow:established,to_server; content:"POST"; http_method; content:"|FF D8 FF E0|"; http_client_body; depth:4; content:"JFIF"; http_client_body; distance:2; within:4; content:"<%eval|20|request|28 22|"; http_client_body; distance:0; fast_pattern; metadata: former_category EXPLOIT; classtype:attempted-admin; sid:2027737; rev:1; metadata:attack_target Web_Server, deployment Perimeter, tag WebShell, signature_severity Major, created_at 2019_07_22, performance_impact Low, updated_at 2019_07_22;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound"; flow:established,to_server; content:"POST"; http_method; content:"SOAPAction|3a 20|urn|3a|schemas-upnp-org|3a|service|3a|WANIPConnection|3a|"; http_header; fast_pattern; content:"|3c|u|3a|AddPortMapping"; http_client_body; content:"|3c|NewRemoteHost|3e|"; http_client_body; distance:0; content:"|3c|NewInternalClient"; http_client_body; distance:0; content:"|3c 2f|NewInternalClient|3e|"; http_client_body; distance:0; content:"NewEnabled|3e|1"; http_client_body; distance:0; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2027339; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_05_08, performance_impact Low, updated_at 2019_07_26;)

#alert tcp any any -> any any (msg:"ET EXPLOIT Possible VXWORKS Urgent11 RCE Attempt - Urgent Flag"; flags:U+; metadata: former_category EXPLOIT; reference:url,armis.com/urgent11; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; classtype:attempted-admin; sid:2027768; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_07_31, updated_at 2019_07_31;)

#alert tcp any any -> any any (msg:"ET EXPLOIT Possible VXWORKS Urgent11 RCE Attempt - Illegal Urgent Flag"; flags:SUF+; metadata: former_category EXPLOIT; reference:url,armis.com/urgent11; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; classtype:attempted-admin; sid:2027770; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_08_01, updated_at 2019_08_01;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Inbound Flash Exploit (CVE-2018-15982)"; flow:established,from_server; content:"200"; http_stat_code; http_content_type; content:"application|2f|x-shockwave-flash"; file_data; content:"FWS"; depth:3; content:"cmd.exe|20 2f|c"; distance:0; nocase; fast_pattern; metadata: former_category EXPLOIT; reference:url,www.malware-traffic-analysis.net/2019/08/01/index.html; classtype:attempted-user; sid:2027789; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_08_02, performance_impact Low, updated_at 2019_08_02;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Inbound Flash Exploit with Stack-Based wininet"; flow:established,from_server; content:"200"; http_stat_code; http_content_type; content:"application|2f|x-shockwave-flash"; file_data; content:"FWS"; depth:3; content:"hnet|00|hwini"; fast_pattern; distance:0; nocase; within:1000; content:".exe|00|"; pcre:"/^.{1,10}(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/R"; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2027790; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, deployment Perimeter, tag Exploit, signature_severity Major, created_at 2019_08_02, performance_impact Low, updated_at 2019_08_02;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Inbound (CVE-2019-6277)"; flow:to_server,established; content:"GET"; http_method; content:"/cgi-bin/|3b|wget"; http_uri; depth:14; fast_pattern; content:"|7c|sh"; http_uri; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category EXPLOIT; reference:url,www.exploit-db.com/exploits/41598; reference:cve,CVE-2016-6277; classtype:attempted-admin; sid:2027881; rev:2; metadata:affected_product Netgear_Router, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_08_13, malware_family Mirai, performance_impact Low, updated_at 2019_09_28;)

alert http $HOME_NET any -> any any (msg:"ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Outbound (CVE-2019-6277)"; flow:to_server,established; content:"GET"; http_method; content:"/cgi-bin/|3b|wget"; http_uri; depth:14; fast_pattern; content:"|7c|sh"; http_uri; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category EXPLOIT; reference:url,www.exploit-db.com/exploits/41598; reference:cve,CVE-2016-6277; classtype:attempted-admin; sid:2027882; rev:2; metadata:affected_product Netgear_Router, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_08_13, malware_family Mirai, performance_impact Low, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FortiOS SSL VPN - Pre-Auth Messages Payload Buffer Overflow (CVE-2018-13381)"; flow:established,to_server; content:"&msg=%26%23%3c"; http_client_body; fast_pattern; nocase; pcre:"/(?:\%3C){1000}/RPi"; http_start; content:"POST /message HTTP/1.1"; metadata: former_category EXPLOIT; reference:cve,CVE-2018-13381; reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027884; rev:2; metadata:affected_product Fortigate, attack_target Networking_Equipment, deployment Perimeter, deployment SSLDecrypt, signature_severity Major, created_at 2019_08_14, performance_impact Low, updated_at 2019_08_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FortiOS SSL VPN - Remote Code Execution (CVE-2018-13383)"; flow:established,to_client; content:"200"; http_stat_code; content:"|3c|a href=|22|javascript:void|28|0|29 3b|AAA"; http_server_body; depth:33; fast_pattern; pcre:"/A{1000}/RQ"; content:"python -c"; http_server_body; distance:0; content:"socket"; http_server_body; distance:0; metadata: former_category EXPLOIT; reference:cve,CVE-2018-13383; reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027891; rev:2; metadata:affected_product Fortigate, attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2019_08_14, performance_impact Low, updated_at 2019_08_15;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FortiOS SSL VPN - Information Disclosure (CVE-2018-13379)"; flow:established,to_server; content:"GET"; http_method; content:"/remote/fgt_lang?lang=/../"; http_uri; depth:35; isdataat:30,relative; fast_pattern; metadata: former_category EXPLOIT; reference:cve,CVE-2018-13379; reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027883; rev:2; metadata:affected_product Fortigate, attack_target Networking_Equipment, deployment Perimeter, deployment SSLDecrypt, signature_severity Major, created_at 2019_08_14, performance_impact Low, updated_at 2019_08_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FortiOS SSL VPN - Improper Authorization Vulnerability (CVE-2018-13382)"; flow:established,to_server; content:"POST"; http_method; content:"/remote/logincheck"; http_uri; depth:18; fast_pattern; isdataat:!1,relative; content:"ajax=1"; http_client_body; content:"&username="; http_client_body; content:"&credential="; http_client_body; content:"&magic="; http_client_body; metadata: former_category EXPLOIT; reference:cve,CVE-2018-13382; reference:url,github.com/milo2012/CVE-2018-13382/blob/master/CVE-2018-13382.py; reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027885; rev:2; metadata:affected_product Fortigate, attack_target Networking_Equipment, deployment Perimeter, deployment SSLDecrypt, signature_severity Critical, created_at 2019_08_14, performance_impact Low, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 1"; flow:established; file_data; content:"bdd1f04b-858b-11d1-b16a-00c0f0283628"; nocase; content:"0M8R4KGxGu"; metadata: former_category CURRENT_EVENTS; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017409; rev:3; metadata:created_at 2013_09_03, updated_at 2013_09_03;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 2"; flow:established; file_data; content:"996BF5E0-8044-4650-ADEB-0B013914E99C"; nocase; content:"0M8R4KGxGu"; metadata: former_category CURRENT_EVENTS; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017410; rev:3; metadata:created_at 2013_09_03, updated_at 2013_09_03;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 3"; flow:established; file_data; content:"C74190B6-8589-11d1-B16A-00C0F0283628"; nocase; content:"0M8R4KGxGu"; metadata: former_category CURRENT_EVENTS; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017411; rev:3; metadata:created_at 2013_09_03, updated_at 2013_09_03;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct (Reversed)"; flow:established,from_server; file_data; content:"(wrhc&)6712(wrhc&)10"; metadata: former_category CURRENT_EVENTS; reference:cve,2014-6332; classtype:attempted-user; sid:2019806; rev:3; metadata:created_at 2014_11_25, updated_at 2014_11_25;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct DECC"; flow:established,from_server; file_data; content:"99,104,114,119,40,48,49,41,38,99,104,114,119,40,50,49,55,54,41,38,99,104,114,119,40,48,49,41,38,99,104,114,119,40,48,48,41"; metadata: former_category CURRENT_EVENTS; reference:cve,2014-6332; classtype:attempted-user; sid:2019796; rev:3; metadata:created_at 2014_11_24, updated_at 2014_11_24;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct DECCS"; flow:established,from_server; file_data; content:"99, 104, 114, 119, 40, 48, 49, 41, 38, 99, 104, 114, 119, 40, 50, 49, 55, 54, 41, 38, 99, 104, 114, 119, 40, 48, 49, 41, 38, 99, 104, 114, 119, 40, 48, 48, 41"; metadata: former_category CURRENT_EVENTS; reference:cve,2014-6332; classtype:attempted-user; sid:2019797; rev:3; metadata:created_at 2014_11_24, updated_at 2014_11_24;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEX"; flow:established,from_server; file_data; content:"63687277283031292663687277283231373629266368727728303129266368727728303029"; metadata: former_category CURRENT_EVENTS; reference:cve,2014-6332; classtype:attempted-user; sid:2019793; rev:3; metadata:created_at 2014_11_24, updated_at 2014_11_24;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEXC"; flow:established,from_server; file_data; content:"63,68,72,77,28,30,31,29,26,63,68,72,77,28,32,31,37,36,29,26,63,68,72,77,28,30,31,29,26,63,68,72,77,28,30,30,29"; metadata: former_category CURRENT_EVENTS; reference:cve,2014-6332; classtype:attempted-user; sid:2019794; rev:3; metadata:created_at 2014_11_24, updated_at 2014_11_24;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEXCS"; flow:established,from_server; file_data; content:"63, 68, 72, 77, 28, 30, 31, 29, 26, 63, 68, 72, 77, 28, 32, 31, 37, 36, 29, 26, 63, 68, 72, 77, 28, 30, 31, 29, 26, 63, 68, 72, 77, 28, 30, 30, 29"; metadata: former_category CURRENT_EVENTS; reference:cve,2014-6332; classtype:attempted-user; sid:2019795; rev:3; metadata:created_at 2014_11_24, updated_at 2014_11_24;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct URLENCODE"; flow:established,from_server; file_data; content:"%63%68%72%77%28%30%31%29%26%63%68%72%77%28%32%31%37%36%29%26%63%68%72%77%28%30%31%29%26%63%68%72%77%28%30%30%29"; metadata: former_category CURRENT_EVENTS; reference:cve,2014-6332; classtype:attempted-user; sid:2019792; rev:3; metadata:created_at 2014_11_24, updated_at 2014_11_24;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Java CVE-2013-1488 java.sql.Drivers Service Object in JAR"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"META-INF/services/java.sql.Drivers"; fast_pattern:14,20; content:"META-INF/services/java.lang.Object"; metadata: former_category CURRENT_EVENTS; reference:cve,2013-1488; reference:url,www.contextis.com/research/blog/java-pwn2own/; reference:url,www.rapid7.com/db/modules/exploit/multi/browser/java_jre17_driver_manager; classtype:attempted-user; sid:2017557; rev:4; metadata:created_at 2013_10_03, updated_at 2013_10_03;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2465/2463"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image/MultiPixelPacked"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2017773; rev:3; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2471/2472/2473"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image/SinglePixelPacked"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2017772; rev:3; metadata:created_at 2013_11_25, updated_at 2013_11_25;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; content:"Content-Type|3a 20|application/hta|0d 0a|"; http_header; fast_pattern:9,20; nocase;  metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2024197; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, cve 2017_0199, signature_severity Major, created_at 2017_04_11, performance_impact Low, updated_at 2017_08_07;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Access To mm-forms-community upload dir (Inbound)"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; http_uri; fast_pattern:20,20; metadata: former_category CURRENT_EVENTS; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015727; rev:3; metadata:created_at 2012_09_21, updated_at 2012_09_21;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Access To mm-forms-community upload dir (Outbound)"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; http_uri; fast_pattern:20,20; metadata: former_category CURRENT_EVENTS; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015726; rev:3; metadata:created_at 2012_09_21, updated_at 2012_09_21;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT CVE-2012-4792 EIP in URI M1"; flow:established,to_server; content:"/%E0%B4%8C%E1%88%92"; http_raw_uri; fast_pattern; content:"MSIE 8.0|3b|"; http_header; metadata: former_category CURRENT_EVENTS; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016137; rev:3; metadata:created_at 2012_12_31, updated_at 2012_12_31;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT CVE-2012-4792 EIP in URI M2"; flow:established,to_server; content:"/%E0%B4%8C%E1%82%AB"; http_raw_uri; fast_pattern; content:"MSIE 8.0|3b|"; http_header; metadata: former_category CURRENT_EVENTS; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016170; rev:4; metadata:created_at 2013_01_08, updated_at 2013_01_08;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit CVE-2012-4792 EIP in URI IE 8"; flow:established,to_server;  content:"/%E0%AC%B0%E0%B0%8C"; http_raw_uri; fast_pattern; content:"MSIE 8.0|3b|"; http_header; metadata: former_category CURRENT_EVENTS; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016136; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2012_12_31, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 1"; flow:from_client,established; content:"XGxpc3RvdmVycmlkZWNvdW50"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"MQ"; within:2; content:!"MV"; within:2; content:!"MT"; within:2; content:!"MH"; within:2; content:!"MF"; within:2; content:!"ME"; within:2; content:!"OQ"; within:2; content:!"OX"; within:2; content:!"MA"; within:2; content:!"MS"; within:2; content:!"MX"; within:2; metadata: former_category CURRENT_EVENTS; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018314; rev:9; metadata:created_at 2014_03_24, updated_at 2014_03_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 2"; flow:from_client,established; content:"xsaXN0b3ZlcnJpZGVjb3Vud"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"DE"; within:2; content:!"DF"; within:2; content:!"Dk"; within:2; content:!"Dl"; within:2; content:!"DA"; within:2; content:!"DB"; within:2; content:!"DV"; within:2; metadata: former_category CURRENT_EVENTS; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018308; rev:8; metadata:created_at 2014_03_24, updated_at 2014_03_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 3"; flow:from_client,established; content:"cbGlzdG92ZXJyaWRlY291bn"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"Qx"; within:2; content:!"Q5"; within:2; content:!"Qw"; within:2; metadata: former_category CURRENT_EVENTS; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018309; rev:6; metadata:created_at 2014_03_24, updated_at 2014_03_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 4"; flow:from_client,established; content:"x1LTU1N"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){5}/Rs"; metadata: former_category CURRENT_EVENTS; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018310; rev:6; metadata:created_at 2014_03_24, updated_at 2014_03_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 5"; flow:from_client,established; content:"XHUtNTU0"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){7}/Rs"; metadata: former_category CURRENT_EVENTS; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018311; rev:5; metadata:created_at 2014_03_24, updated_at 2014_03_24;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 6"; flow:from_client,established; content:"cdS01NT"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){7}/Rs"; metadata: former_category CURRENT_EVENTS; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018312; rev:5; metadata:created_at 2014_03_24, updated_at 2014_03_24;)

alert tcp $HOME_NET !$HTTP_PORTS -> any any (msg:"ET EXPLOIT Malformed HeartBeat Response"; flow:established,from_server; flowbits:isset,ET.MalformedTLSHB; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,200,3; threshold:type limit,track by_src,count 1,seconds 120; metadata: former_category CURRENT_EVENTS; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018373; rev:4; metadata:created_at 2014_04_08, updated_at 2014_04_08;)

alert tcp any any -> $HOME_NET !$HTTP_PORTS (msg:"ET EXPLOIT Malformed HeartBeat Request"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_extract:2,3,record_len; byte_test:2,>,2,3; byte_test:2,>,record_len,6; threshold:type limit,track by_src,count 1,seconds 120; flowbits:set,ET.MalformedTLSHB; metadata: former_category CURRENT_EVENTS; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018372; rev:3; metadata:created_at 2014_04_08, updated_at 2014_04_08;)

alert tcp any any -> $HOME_NET !$HTTP_PORTS (msg:"ET EXPLOIT Malformed HeartBeat Request method 2"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_test:2,>,2,3; byte_test:2,>,200,6; threshold:type limit,track by_src,count 1,seconds 120; flowbits:set,ET.MalformedTLSHB; flowbits:noalert; metadata: former_category CURRENT_EVENTS; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018374; rev:3; metadata:created_at 2014_04_08, updated_at 2014_04_08;)

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT TLS HeartBeat Request (Server Initiated) fb set"; flow:established,from_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isnotset,ET.HB.Response.SI; flowbits:set,ET.HB.Request.SI; flowbits:noalert; metadata: former_category CURRENT_EVENTS; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018375; rev:4; metadata:created_at 2014_04_09, updated_at 2014_04_09;)

alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT TLS HeartBeat Request (Client Initiated) fb set"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isnotset,ET.HB.Response.CI; flowbits:set,ET.HB.Request.CI; flowbits:noalert; metadata: former_category CURRENT_EVENTS; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018376; rev:5; metadata:created_at 2014_04_09, updated_at 2014_04_09;)

alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)"; flow:established,to_client; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isset,ET.HB.Request.CI; flowbits:isnotset,ET.HB.Response.CI; flowbits:set,ET.HB.Response.CI; flowbits:unset,ET.HB.Request.CI; byte_test:2,>,150,3; threshold:type limit,track by_src,count 1,seconds 120; metadata: former_category CURRENT_EVENTS; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018377; rev:4; metadata:created_at 2014_04_09, updated_at 2014_04_09;)

alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client)"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isset,ET.HB.Request.SI; flowbits:isnotset,ET.HB.Response.SI; flowbits:set,ET.HB.Response.SI; flowbits:unset,ET.HB.Request.SI; byte_test:2,>,150,3; threshold:type limit,track by_src,count 1,seconds 120; metadata: former_category CURRENT_EVENTS; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018378; rev:6; metadata:created_at 2014_04_09, updated_at 2014_04_09;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET EXPLOIT Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Client)"; flow:established,from_client; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,150,3; byte_test:2,<,17000,3; threshold:type limit,track by_src,count 1,seconds 120; metadata: former_category CURRENT_EVENTS; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018383; rev:9; metadata:created_at 2014_04_11, updated_at 2014_04_11;)

alert tcp any any -> $HOME_NET [443,636,989,990,992,993,994,995,5061,25] (msg:"ET EXPLOIT Possible TLS HeartBleed Unencrypted Request Method 4 (Inbound to Common SSL Port)"; flow:established,to_server; content:"|18 03|"; byte_test:1,<,4,0,relative; content:"|00 03 01|"; distance:1; within:3; byte_test:2,>,150,0,relative; isdataat:!18,relative; threshold:type limit,track by_src,count 1,seconds 120; metadata: former_category CURRENT_EVENTS; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018388; rev:3; metadata:created_at 2014_04_14, updated_at 2014_04_14;)

alert tcp any any -> $HOME_NET [443,636,989,990,992,993,994,995,5061,25] (msg:"ET EXPLOIT Possible TLS HeartBleed Unencrypted Request Method 3 (Inbound to Common SSL Port)"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,0,relative; content:!"|00 03|"; distance:1; within:2; byte_extract:2,1,rec_len,relative; content:"|01|"; within:1; byte_test:2,>,150,0,relative; byte_test:2,>,rec_len,0,relative; threshold:type limit,track by_src,count 1,seconds 120; metadata: former_category CURRENT_EVENTS; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018389; rev:4; metadata:created_at 2014_04_14, updated_at 2014_04_14;)

alert tcp $HOME_NET [443,465,993,995,25] -> $EXTERNAL_NET any (msg:"ET EXPLOIT SSL excessive fatal alerts (possible POODLE attack against server)"; flow:from_server,established; ssl_version:sslv3; content:"|15 03 00 00|"; depth:4; byte_jump:2,3,post_offset -1; isdataat:!2,relative; threshold:type both, track by_src, count 50, seconds 300; metadata: former_category CURRENT_EVENTS; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:attempted-recon; sid:2019418; rev:6; metadata:created_at 2014_10_15, updated_at 2014_10_15;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Metasploit Java CVE-2013-2465 Class Name Sub Algo"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:".classPK"; content:"$"; distance:-21; within:1; content:".classPK"; distance:0; content:"$"; distance:-21; within:1; pcre:"/\b(?P<xps>[a-zA-Z]{7})\.classPK.+?\b(?P=xps)\$[a-zA-Z]{12}\.classPK.+?\b(?P=xps)\$[a-zA-Z]{12}\.classPK/s"; metadata: former_category CURRENT_EVENTS; reference:cve,2013-2465; reference:url,seclists.org/fulldisclosure/2013/Aug/134; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/java_storeimagearray.rb; classtype:attempted-user; sid:2017568; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_10_08, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla 3.2.1 SQL injection attempt"; flow:established,to_server; content:"weblinks-categories?"; nocase; fast_pattern; http_uri; content:"id="; nocase; distance:0; http_uri; content:"select password"; nocase; http_uri; distance:0; metadata: former_category CURRENT_EVENTS; reference:url,www.exploit-db.com/exploits/31459/; classtype:web-application-attack; sid:2018288; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2014_03_17, updated_at 2016_07_01;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla 3.2.1 SQL injection attempt 2"; flow:established,to_server; content:"weblinks-categories?"; nocase; fast_pattern; http_uri; content:"id="; nocase; distance:0; http_uri; pcre:"/id\=[^\r\n]*?(?:select|delete|union|update|insert)/Ui"; metadata: former_category CURRENT_EVENTS; reference:url,www.exploit-db.com/exploits/31459/; classtype:web-application-attack; sid:2018289; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2014_03_17, updated_at 2016_07_01;)

alert tcp $HOME_NET [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Server)"; flow:established,to_client; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,150,3; byte_test:2,<,17000,3; threshold:type limit,track by_dst,count 1,seconds 120; metadata: former_category CURRENT_EVENTS; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018382; rev:9; metadata:created_at 2014_04_11, updated_at 2014_04_11;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Pulse Secure SSL VPN - Arbitrary File Read (CVE-2019-11510)"; flow:established,to_server; content:"GET"; http_method; content:"/dana-na/../dana/html5acc/guacamole/../"; http_uri; depth:39; fast_pattern; isdataat:10,relative; reference:url,packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html; reference:cve,CVE-2019-11510; classtype:trojan-activity; sid:2027904; rev:2; metadata:created_at 2019_08_22, updated_at 2019_08_22;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link Router DNS Changer Exploit Attempt"; flow:established,to_server; content:"/dnscfg.cgi?dnsPrimary="; http_uri; fast_pattern; content:"&dnsSecondary="; http_uri; distance:0; content:"&dnsDynamic=0&dnsRefresh=1"; distance:0; http_uri; isdataat:!1,relative; metadata: former_category EXPLOIT; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027906; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_08_23, performance_impact Moderate, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT ARG-W4 ASDL Router DNS Changer Exploit Attempt"; flow:established,to_server; content:"/form2dns.cgi?dnsmode=1&dns1="; http_uri; content:"&dns2="; http_uri; distance:0; content:"&dns3="; distance:0; http_uri; content:"&submit.htm?dns.htm=send&save=apply"; http_uri; fast_pattern; isdataat:!1,relative; distance:0; metadata: former_category EXPLOIT; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027907; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2019_08_23, performance_impact Moderate, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT DSLink 260E Router DNS Changer Exploit Attempt"; flow:established,to_server; content:"/action?dns_status=1&dns_poll_timeout="; http_uri; fast_pattern; content:"&id="; http_uri; distance:0; content:"&dns_serv_ip_1="; http_uri; distance:0; content:"&dns_serv_ip_2="; http_uri; distance:0; content:"&dns_serv_ip_3="; http_uri; distance:0; content:"&dns_serv_ip_4="; http_uri; distance:0; content:"&priority=1&cmdadd=add"; http_uri; distance:0; isdataat:!1,relative; metadata: former_category EXPLOIT; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027908; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_08_23, performance_impact Moderate, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Secutech Router DNS Changer Exploit Attempt"; flow:established,to_server; content:"/wan_dns.asp?go=wan_dns.asp&reboottag=&dsen=1&dnsen=on&ds1="; http_uri; fast_pattern; content:"&ds2="; http_uri; distance:0; metadata: former_category EXPLOIT; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027909; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_08_23, performance_impact Moderate, updated_at 2019_08_23;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TOTOLINK Router DNS Changer Exploit Attempt"; flow:established,to_server; content:"/boafrm/formbasetcpipsetup?dnsmode=dnsmanual&dns1="; http_uri; fast_pattern; content:"&dns2="; http_uri; distance:0; content:"&dns3="; http_uri; distance:0; content:"&dnsrefresh=1"; http_uri; distance:0; isdataat:!1,relative; metadata: former_category EXPLOIT; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027910; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_08_23, performance_impact Moderate, updated_at 2019_09_28;)

alert tls any any -> any any (msg:"ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846) M2"; flow:established,to_server; ssl_state:client_hello; tls_sni; content:"|5c 00|"; fast_pattern; metadata: former_category EXPLOIT; reference:cve,2019-15846; reference:url,exim.org/static/doc/security/CVE-2019-15846.txt; classtype:attempted-admin; sid:2027960; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_09_06, updated_at 2019_09_06;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HiSilicon DVR - Application Credential Disclosure (CVE-2018-9995)"; flow:established,to_server; content:"GET"; http_method; content:"/device.rsp?opt=user&cmd=list"; http_uri; depth:29; fast_pattern; content:"uid=admin"; http_cookie; nocase; metadata: former_category EXPLOIT; reference:url,github.com/ezelf/CVE-2018-9995_dvr_credentials; reference:cve,2018-9995; classtype:attempted-admin; sid:2027971; rev:2; metadata:affected_product DVR, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_09_09, updated_at 2019_09_09;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HiSilicon DVR - Buffer Overflow in Builtin Web Server"; flow:established,to_server; urilen:>200; http_start; content:"GET|20 01 10 8f e2 11 ff|"; depth:10; fast_pattern; content:"aaaaaaaa"; distance:0; metadata: former_category EXPLOIT; reference:url,github.com/tothi/pwn-hisilicon-dvr/blob/master/pwn_hisilicon_dvr.py; classtype:attempted-admin; sid:2027972; rev:2; metadata:affected_product DVR, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_09_09, updated_at 2019_09_09;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound"; flow:established,to_server; content:"xc3511"; fast_pattern; metadata: former_category EXPLOIT; reference:url,github.com/tothi/pwn-hisilicon-dvr; classtype:default-login-attempt; sid:2027973; rev:2; metadata:affected_product DVR, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_09_09, updated_at 2019_09_09;)

alert tcp $EXTERNAL_NET any -> $HOME_NET [554,9527] (msg:"ET EXPLOIT HiSilicon DVR - Default Application Backdoor Password"; flow:established,to_server; content:"I0TO5Wv9"; fast_pattern; metadata: former_category EXPLOIT; reference:url,github.com/tothi/pwn-hisilicon-dvr; classtype:default-login-attempt; sid:2027974; rev:2; metadata:affected_product DVR, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_09_09, performance_impact Low, updated_at 2019_09_09;)

alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846)"; flow:established,to_server; content:"|16|"; depth:1; content:"|01|"; distance:4; within:1; content:"|5c 00|"; fast_pattern; distance:0; pcre:"/[\x20-\x7e]{5,}\x5c\x00[\x20-\x7e]{5,}/"; metadata: former_category EXPLOIT; reference:cve,2019-15846; reference:url,exim.org/static/doc/security/CVE-2019-15846.txt; classtype:attempted-admin; sid:2027959; rev:2; metadata:created_at 2019_09_06, performance_impact Significant, updated_at 2019_09_10;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT DLink DNS 320 Remote Code Execution (CVE-2019-16057)"; flow:established,to_server; content:"GET"; http_method; content:"/cgi-bin/login_mgr.cgi"; http_uri; fast_pattern; content:"cmd|3d|login"; http_uri; distance:0; content:"&port="; http_uri; distance:0; pcre:"/^\d{2,5}+(?!\&|\d)/RU"; metadata: former_category EXPLOIT; reference:cve,2019-16057; reference:url,blog.cystack.net/d-link-dns-320-rce/; classtype:attempted-admin; sid:2028603; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2019_09_18, performance_impact Low, updated_at 2019_09_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT vBulletin 5.x Unauthenticated Remote Code Execution (CVE-2019-16759) M1"; flow:established,to_server; content:"POST"; http_method; content:"routestring"; http_client_body; fast_pattern; content:"ajax"; http_client_body; distance:0; within:100; content:"render"; http_client_body; within:9; content:"widget_php"; http_client_body; within:13; content:"widgetConfig"; http_client_body; nocase; content:"code"; http_client_body; within:7; content:"echo"; http_client_body; distance:0; nocase; content:"shell_exec"; http_client_body; nocase; within:13; metadata: former_category EXPLOIT; reference:url,seclists.org/fulldisclosure/2019/Sep/31; classtype:attempted-admin; sid:2028621; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Perimeter, deployment SSLDecrypt, signature_severity Major, created_at 2019_09_25, performance_impact Low, updated_at 2019_09_25;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WAP54G debug.cgi Shell Access as Gemtek"; flow:established,to_server; content:"Authorization|3a| Basic R2VtdGVrOmdlbXRla3N3ZA==|0d 0a|"; http_header; content:"/debug.cgi"; http_uri; reference:url,seclists.org/fulldisclosure/2010/Jun/176; reference:url,doc.emergingthreats.net/2011669; classtype:attempted-admin; sid:2011669; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_26;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK Password Change GET Request (DNSChanger EK)"; flow:to_server,established; content:"GET"; http_method; content:"/router/UserPassSet.cgi?"; http_uri; depth:24; fast_pattern; content:"new_user_name="; http_uri; content:"password1="; http_uri; threshold:type limit,track by_dst,count 3, seconds 90; reference:url,www.xexexe.cz/2015/02/bruteforcing-tp-link-routers-with.html; classtype:attempted-admin; sid:2023996; rev:3; metadata:affected_product Linux, attack_target Networking_Equipment, deployment Internal, signature_severity Major, created_at 2017_02_17, performance_impact Moderate, updated_at 2019_09_26;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Likely Struts S2-053-CVE-2017-12611 Exploit Attempt M2"; flow:established,to_server; content:"="; http_uri; content:"%"; http_uri; distance:0; content:"{"; http_uri; distance:0; content:"getRunTime"; http_uri; nocase; distance:0; fast_pattern; content:"exec"; nocase; http_uri; pcre:"/=\s*\x25\s*\{\s*(?=.+?\bgetRunTime\b).+?\bexec\b/Ui"; metadata: former_category EXPLOIT; classtype:attempted-admin; sid:2024815; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_10_06, updated_at 2019_09_26;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Unknown Exploit Pack URL Detected"; flow:to_server,established; content:"/imgurl"; nocase; http_uri; content:".php"; nocase; http_uri; content:"hl="; nocase; http_uri; classtype:bad-unknown; sid:2012324; rev:5; metadata:created_at 2011_02_21, updated_at 2019_09_27;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Belkin Wireless G Router DNS Change POST Request"; flow:to_server,established; content:"POST"; http_method; urilen:22; content:"/cgi-bin/setup_dns.exe"; http_uri; content:"getpage=|2e 2e|/html/setup/dns.htm"; http_client_body; depth:29; fast_pattern:9,20; content:"resolver|3a|settings/nameserver1="; http_client_body; distance:0; reference:url,www.exploit-db.com/exploits/3605; classtype:attempted-admin; sid:2020857; rev:5; metadata:created_at 2015_04_07, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) B641"; flow:established,from_server; file_data; content:"VHJpZ2dlckZpbGxGcm9tUHJvdG90eXBlc0J1Z"; classtype:trojan-activity; sid:2023702; rev:3; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Critical, created_at 2017_01_06, updated_at 2019_09_27;)

alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Possible EXIM DoS (CVE-2019-16928)"; flow:established,to_server; content:"EHLO "; depth:5; isdataat:5000,relative; content:!"|0a|"; within:500; metadata: former_category EXPLOIT; reference:cve,2019-16928; reference:url,bugs.exim.org/show_bug.cgi?id=2449; reference:url,git.exim.org/exim.git/patch/478effbfd9c3cc5a627fc671d4bf94d13670d65f; classtype:attempted-admin; sid:2028636; rev:3; metadata:attack_target SMTP_Server, deployment Perimeter, deployment Internal, signature_severity Critical, created_at 2019_09_30, updated_at 2019_10_01;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL EXPLOIT rsh froot"; flow:to_server,established; content:"-froot|00|"; fast_pattern; reference:arachnids,387; classtype:attempted-admin; sid:2100604; rev:7; metadata:created_at 2010_09_23, updated_at 2019_10_07;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Exim/Dovecot Possible MAIL FROM Command Execution"; flow:to_server,established; content:"${IFS}"; fast_pattern; content:"mail from|3a|"; nocase; pcre:"/^[^\r\n]*?\x60[^\x60]*?\$\{IFS\}/R"; reference:url,redteam-pentesting.de/de/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution; classtype:attempted-admin; sid:2016835; rev:3; metadata:created_at 2013_05_08, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit Specific"; flow:established,to_client; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"IHDR"; distance:0; content:"tEXt"; distance:13; content:"db.php?j="; distance:0; content:"msnmusax.ninn"; fast_pattern; classtype:attempted-user; sid:2017008; rev:6; metadata:created_at 2013_06_11, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible 2012-1533 altjvm RCE via JNLP command injection"; flow:established,from_server; file_data; content:"<jnlp"; nocase; content:"initial-heap-size"; nocase; content:"max-heap-size"; content:"-XXaltjvm"; nocase; fast_pattern; reference:cve,2012-1533; classtype:trojan-activity; sid:2017013; rev:3; metadata:created_at 2013_06_13, updated_at 2019_10_07;)

#alert http $HOME_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SolusVM WHMCS CURL Multi-part Boundary Issue"; flow:established,to_server; content:"POST"; http_method; content:"/rootpassword.php?"; http_uri; fast_pattern; content:"name=action"; content:"name=action"; distance:0; content:"name=action"; distance:0; metadata: former_category EXPLOIT; reference:url,localhost.re/p/solusvm-whmcs-module-316-vulnerability; classtype:trojan-activity; sid:2017063; rev:4; metadata:created_at 2013_06_24, updated_at 2019_10_07;)

alert http $HOME_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SolusVM 1.13.03 Access to solusvmc-node setuid bin"; flow:established,to_server; content:"solusvmc-node"; fast_pattern; pcre:"/\bsolusvmc-node\b/"; classtype:trojan-activity; sid:2017061; rev:4; metadata:created_at 2013_06_24, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit plugin-detect script access"; flow:established,from_client; content:"/vw.php?i="; http_uri; fast_pattern; pcre:"/\/vw\.php\?i=[a-fA-F0-9]+?\-[a-fA-F0-9]+?$/U"; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017007; rev:7; metadata:created_at 2013_06_11, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit CVE-2013-3205 Exploit Specific"; flow:established,to_client; file_data; content:"function putPayload("; nocase; fast_pattern; classtype:attempted-user; sid:2017510; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_09_23, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Adobe PDF CVE-2013-0640"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".keep.previous"; nocase; fast_pattern; content:".resolveNode"; nocase; pcre:"/^[\r\n\s]*?\\?\(.+?\\?\)\.keep\.previous[\r\n\s]*?=[\r\n\s]*?[\x22\x27]contentArea/Rsi"; reference:url,www.exploit-db.com/exploits/29881/; classtype:attempted-user; sid:2017790; rev:3; metadata:created_at 2013_11_29, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 1"; flow:established,to_server; content:"/PSBlock"; http_uri; fast_pattern; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018585; rev:5; metadata:created_at 2014_06_20, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 2"; flow:established,to_server; content:"/PSStore"; http_uri; fast_pattern; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018586; rev:6; metadata:created_at 2014_06_20, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 3"; flow:established,to_server; content:"/PMConfig.dat"; fast_pattern; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018587; rev:5; metadata:created_at 2014_06_20, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Zollard PHP Exploit UA Outbound"; flow:established,to_server; content:"Zollard"; nocase; fast_pattern; http_user_agent;  reference:cve,2012-1823; reference:url,blogs.cisco.com/security/the-internet-of-everything-including-malware/; classtype:trojan-activity; sid:2017825; rev:4; metadata:created_at 2013_12_09, updated_at 2019_10_07;)

alert tcp any 873 -> any any (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys successful exfiltration"; flow:from_server,established; content:"ssh-rsa"; fast_pattern; flowbits:isset,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019089; rev:3; metadata:created_at 2014_08_29, updated_at 2019_10_07;)

alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys successful upload"; flow:to_server,established; content:"ssh-rsa"; fast_pattern; flowbits:isset,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019090; rev:3; metadata:created_at 2014_08_29, updated_at 2019_10_07;)

alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi access attempt"; flow:to_server,established; dsize:4; content:"cmi|0a|"; fast_pattern; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019087; rev:5; metadata:created_at 2014_08_29, updated_at 2019_10_07;)

alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys access attempt"; flow:to_server,established; content:"cmi/var/ssh/root/authorized_keys"; fast_pattern; flowbits:set,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019088; rev:4; metadata:created_at 2014_08_29, updated_at 2019_10_07;)

alert udp any 67 -> any 68 (msg:"ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK"; content:"|02 01|"; depth:2; content:"|28 29 20 7b|"; fast_pattern; reference:url,access.redhat.com/articles/1200223; reference:cve,2014-6271; classtype:attempted-admin; sid:2019237; rev:5; metadata:created_at 2014_09_25, updated_at 2019_10_07;)

alert udp any any -> $HOME_NET [5060,5061] (msg:"ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy"; flow:to_server; content:"|28 29 20 7b|"; fast_pattern; reference:url,github.com/zaf/sipshock; classtype:attempted-admin; sid:2019289; rev:4; metadata:created_at 2014_09_26, updated_at 2019_10_07;)

alert tcp any any -> $HOME_NET [5060,5061] (msg:"ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern; reference:url,github.com/zaf/sipshock; classtype:attempted-admin; sid:2019290; rev:3; metadata:created_at 2014_09_26, updated_at 2019_10_07;)

alert tcp any any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible Qmail CVE-2014-6271 Mail From attempt"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern; pcre:"/^mail\s*?from\s*?\x3a\s*?[^\r\n]*?\x28\x29\x20\x7b/mi"; reference:url,marc.info/?l=qmail&m=141183309314366&w=2; classtype:attempted-admin; sid:2019293; rev:3; metadata:created_at 2014_09_29, updated_at 2019_10_07;)

alert udp any any -> $HOME_NET 1194 (msg:"ET EXPLOIT Possible OpenVPN CVE-2014-6271 attempt"; flow:to_server; content:"|20|"; depth:1; content:"|28 29 20 7b|"; fast_pattern; reference:url,news.ycombinator.com/item?id=8385332; classtype:attempted-admin; sid:2019322; rev:3; metadata:created_at 2014_09_30, updated_at 2019_10_07;)

alert tcp any any -> $HOME_NET 1194 (msg:"ET EXPLOIT Possible OpenVPN CVE-2014-6271 attempt"; flow:to_server,established; content:"|20|"; depth:1; content:"|28 29 20 7b|"; fast_pattern; reference:url,news.ycombinator.com/item?id=8385332; classtype:attempted-admin; sid:2019323; rev:3; metadata:created_at 2014_09_30, updated_at 2019_10_07;)

alert tcp any any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible Pure-FTPd CVE-2014-6271 attempt"; flow:to_server,established; content:"|28 29 20 7b 20|"; fast_pattern; reference:url,gist.github.com/jedisct1/88c62ee34e6fa92c31dc; reference:cve,2014-6271; classtype:attempted-admin; sid:2019335; rev:2; metadata:created_at 2014_10_01, updated_at 2019_10_07;)

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6271 malicious DNS response"; byte_test:1,&,128,2; content:"|28 29 20 7b|"; fast_pattern; reference:cve,2014-6271; reference:url,packetstormsecurity.com/files/128650; classtype:attempted-admin; sid:2019402; rev:2; metadata:created_at 2014_10_15, updated_at 2019_10_07;)

alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DNS"; byte_test:1,&,128,4; content:"|28 29 20 7b|"; fast_pattern; reference:cve,2014-6271; reference:url,packetstormsecurity.com/files/128650; classtype:attempted-admin; sid:2019403; rev:2; metadata:created_at 2014_10_15, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 1"; flow:established,to_server; content:"name["; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])name\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019422; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 2"; flow:established,to_server; content:"name%5b"; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])name\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019423; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 3"; flow:established,to_server; content:"nam%65["; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])nam\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019424; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 4"; flow:established,to_server; content:"nam%65%5b"; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])nam\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019425; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 5"; flow:established,to_server; content:"na%6de["; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6de\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019426; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 6"; flow:established,to_server; content:"na%6de%5b"; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6de\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019427; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 7"; flow:established,to_server; content:"na%6d%65["; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6d\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019428; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 8"; flow:established,to_server; content:"na%6d%65%5b"; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6d\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019429; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 9"; flow:established,to_server; content:"n%61me["; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61me\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019430; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 10"; flow:established,to_server; content:"n%61me%5b"; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61me\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019431; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 11"; flow:established,to_server; content:"n%61m%65["; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61m\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019432; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 12"; flow:established,to_server; content:"n%61m%65%5b"; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61m\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019433; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 13"; flow:established,to_server; content:"n%61%6de["; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6de\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019434; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 14"; flow:established,to_server; content:"n%61%6de%5b"; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6de\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019435; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 15"; flow:established,to_server; content:"n%61%6d%65["; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6d\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019436; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 16"; flow:established,to_server; content:"n%61%6d%65%5b"; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6d\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019437; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 17"; flow:established,to_server; content:"%6eame["; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eame\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019438; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 18"; flow:established,to_server; content:"%6eame%5b"; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eame\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019439; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 19"; flow:established,to_server; content:"%6eam%65["; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eam\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019440; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 20"; flow:established,to_server; content:"%6eam%65%5b"; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eam\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019441; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 21"; flow:established,to_server; content:"%6ea%6de["; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6de\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019442; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 22"; flow:established,to_server; content:"%6ea%6de%5b"; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6de\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019443; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 23"; flow:established,to_server; content:"%6ea%6d%65["; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6d\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019444; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 24"; flow:established,to_server; content:"%6ea%6d%65%5b"; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6d\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019445; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 25"; flow:established,to_server; content:"%6e%61me["; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61me\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019446; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 26"; flow:established,to_server; content:"%6e%61me%5b"; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61me\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019447; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 27"; flow:established,to_server; content:"%6e%61m%65["; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61m\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019448; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 28"; flow:established,to_server; content:"%6e%61m%65%5b"; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61m\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019449; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 29"; flow:established,to_server; content:"%6e%61%6de["; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6de\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019450; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 30"; flow:established,to_server; content:"%6e%61%6de%5b"; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6de\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019451; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 31"; flow:established,to_server; content:"%6e%61%6d%65["; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6d\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019452; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 32"; flow:established,to_server; content:"%6e%61%6d%65%5b"; nocase; fast_pattern; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6d\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019453; rev:3; metadata:created_at 2014_10_16, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1599)"; flow:established,to_server; content:"GET"; http_method; content:"/cgi-bin/rtpd.cgi?"; http_uri; fast_pattern; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-admin; sid:2019801; rev:3; metadata:created_at 2014_11_25, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1600)"; flow:established,to_server; urilen:17; content:"GET"; http_method; content:"/upnp/asf-mp4.asf"; http_uri; fast_pattern; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-admin; sid:2019802; rev:3; metadata:created_at 2014_11_25, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1601)"; flow:established,to_server; urilen:12; content:"GET"; http_method; content:"/md/lums.cgi"; http_uri; fast_pattern; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-admin; sid:2019803; rev:3; metadata:created_at 2014_11_25, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Function Name"; flow:to_client,established; file_data; content:"function"; pcre:"/^(?:\x25(?:25)*?20|\s)*?runmumaa\W/Rs"; content:"runmumaa"; fast_pattern; reference:cve,2014-6332; classtype:attempted-user; sid:2019733; rev:6; metadata:created_at 2014_11_18, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible dlink-DSL2640B DNS Change Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/ddnsmngr.cmd?action=apply"; http_uri; fast_pattern; content:"dnsPrimary="; http_uri; content:"&dnsSecondary="; http_uri; content:"&dnsDynamic="; http_uri; content:"&dnsRefresh="; http_uri; reference:url,packetstormsecurity.com/files/130418/dlink-DSL2640B.txt; classtype:attempted-user; sid:2020485; rev:3; metadata:created_at 2015_02_19, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ShuttleTech 915WM DNS Change Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/dnscfg.cgi?"; http_uri; fast_pattern; content:"dnsPrimary="; http_uri; content:"&dnsSecondary="; http_uri; content:"&dnsDynamic="; http_uri; content:"&dnsRefresh="; http_uri; reference:url,packetstormsecurity.com/files/130418/dlink-DSL2640B.txt; classtype:attempted-user; sid:2020486; rev:3; metadata:created_at 2015_02_19, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Generic ADSL Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"dnsPrimary="; http_uri; fast_pattern; content:"&dnsSecondary="; http_uri; content:"&dnsDynamic="; http_uri; content:"&dnsRefresh="; http_uri; reference:url,packetstormsecurity.com/files/130418/dlink-DSL2640B.txt; classtype:attempted-user; sid:2020487; rev:3; metadata:created_at 2015_02_19, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Generic ADSL Router DNS Change POST Request"; flow:to_server,established; content:"POST"; http_method; content:"dnsPrimary="; http_client_body; fast_pattern; content:"dnsSecondary="; http_client_body; content:"dnsDynamic="; http_client_body; content:"dnsRefresh="; http_client_body; reference:url,www.hackersbay.in/2011/02/pwning-routersbsnl.html; classtype:attempted-user; sid:2020488; rev:3; metadata:created_at 2015_02_19, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link and TRENDnet ncc2 Service Vulnerability (ping.ccp) 2015-1187"; flow:to_server,established; content:"POST"; http_method; urilen:9; content:"/ping.ccp"; http_uri; fast_pattern; content:"ccp_act=ping_v6&ping_addr="; http_client_body; depth:26; pcre:"/ping_addr=[\d.]*[^\d.]/P"; reference:url,github.com/darkarnium/secpub/tree/master/Multivendor/ncc2; classtype:attempted-admin; sid:2020590; rev:3; metadata:created_at 2015_03_03, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link and TRENDnet ncc2 Service Vulnerability (fwupdate.cpp) 2015-1187"; flow:to_server,established; content:"POST"; http_method; urilen:14; content:"/fwupgrade.ccp"; http_uri; fast_pattern; content:"|0d 0a|fwupgrade"; http_client_body; content:"|0d 0a|resolv.conf"; nocase; http_client_body; reference:url,github.com/darkarnium/secpub/tree/master/Multivendor/ncc2; classtype:attempted-admin; sid:2020603; rev:3; metadata:created_at 2015_03_03, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Seagate Business NAS Unauthenticated Remote Command Execution"; flow:to_server,established; content:"POST"; http_method; content:"/index.php/mv_system/get_general_setup?_=1413463189043"; http_uri; fast_pattern; content:"set_general"; http_client_body; reference:url,beyondbinary.io/advisory/seagate-nas-rce; classtype:attempted-admin; sid:2020583; rev:4; metadata:created_at 2015_03_02, updated_at 2019_10_07;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT FritzBox RCE POST Request"; flow:to_server,established; content:"POST"; http_method; urilen:14; content:"/cgi-bin/webcm"; http_uri; fast_pattern; content:"getpage="; http_client_body; depth:10; content:"errorpage="; http_client_body; distance:0; content:"/html/index.html&login|3a|command"; http_client_body; distance:0; reference:url,www.exploit-db.com/exploits/33136; classtype:attempted-admin; sid:2020867; rev:4; metadata:created_at 2015_04_08, updated_at 2019_10_07;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear DGN1000B Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/setup.cgi?todo=wan_dns1="; http_uri; fast_pattern; reference:url,www.rapid7.com/db/modules/exploit/linux/http/netgear_dgn1000b_setup_exec; classtype:attempted-admin; sid:2020874; rev:4; metadata:created_at 2015_04_08, updated_at 2019_10_07;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Tenda ADSL2/2+ Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/apply.cgi?wan_primary_dns="; http_uri; fast_pattern; content:"&wan_secondary_dns="; http_uri; reference:url,malwr.com/analysis/MGY1ZDFhYjE1MzQ4NDAwM2EyZTI5YmY3MWZjMWE5OGM; classtype:attempted-admin; sid:2020876; rev:3; metadata:created_at 2015_04_08, updated_at 2019_10_07;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Known Malicious Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/router/add_dhcp_segment.cgi?"; http_uri; fast_pattern; content:"is_router_as_dns=1"; http_uri; content:"&dns1="; http_uri; content:"submitbutton="; http_uri; reference:url,wepawet.cs.ucsb.edu/view.php?hash=5e14985415814ed1e107c0583a27a1a2&t=1384961238&type=js; classtype:attempted-admin; sid:2020877; rev:3; metadata:created_at 2015_04_08, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 302"; flow:from_server,established; content:"302"; http_stat_code; content:"Found"; http_stat_msg; content:"Location|3a 20|file|3a 2f 2f|"; http_header; fast_pattern; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020916; rev:3; metadata:created_at 2015_04_15, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 301"; flow:from_server,established; content:"301"; http_stat_code; content:"Location|3a 20|file|3a 2f 2f|"; http_header; fast_pattern; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020917; rev:3; metadata:created_at 2015_04_15, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 307"; flow:from_server,established; content:"307"; http_stat_code; content:"Location|3a 20|file|3a 2f 2f|"; http_header; fast_pattern; reference:url,blog.cylance.com/redirect-to-smb; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/resurrection-of-the-living-dead-the-redirect-to-smb-vulnerability/; classtype:attempted-user; sid:2020976; rev:3; metadata:created_at 2015_04_23, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 303"; flow:from_server,established; content:"303"; http_stat_code; content:"Location|3a 20|file|3a 2f 2f|"; http_header; fast_pattern; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020977; rev:3; metadata:created_at 2015_04_23, updated_at 2019_10_07;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT WNR2000v4 HTTP POST RCE Attempt Via Timestamp Discovery"; flow:to_server,established; content:"POST"; http_method; content:"/apply_noauth.cgi"; http_uri; fast_pattern; content:"timestamp="; http_client_body; threshold: type both, track by_dst, count 10, seconds 60; reference:url,seclists.org/fulldisclosure/2015/Apr/72; classtype:attempted-admin; sid:2021018; rev:3; metadata:created_at 2015_04_27, updated_at 2019_10_07;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT AirLive RCI HTTP Request"; flow:to_server,established; content:"GET"; http_method; content:"/cgi_test.cgi?write_"; http_uri; fast_pattern; pcre:"/\?write_(?:m(?:ac|sn)|hdv|pid|tan)&[^&]*\x3b/Ui"; reference:url,packetstormsecurity.com/files/132585/CORE-2015-0012.txt; classtype:attempted-admin; sid:2021408; rev:3; metadata:created_at 2015_07_13, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - Shell"; flow:established,from_server; file_data; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; content:"/system/bin/sh"; fast_pattern; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021757; rev:3; metadata:created_at 2015_09_10, updated_at 2019_10_07;)

alert tcp any any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible Postfix CVE-2014-6271 attempt"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern; pcre:"/^[a-z-]+\s*?\x3a\s*?[^\r\n]*?\x28\x29\x20\x7b.*\x3b.*\x7d\s*\x3b(?!=[\r\n])/mi"; reference:url,exploit-db.com/exploits/34896/; reference:cve,2014-6271; classtype:attempted-admin; sid:2019389; rev:5; metadata:created_at 2014_10_10, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla RCE (JDatabaseDriverMysqli)"; flow:established,to_server; content:"JDatabaseDriverMysqli"; fast_pattern; pcre:"/^User-Agent\x3a[^\r\n]*JDatabaseDriverMysqli/Hmi"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2022261; rev:3; metadata:created_at 2015_12_14, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla RCE M2 (Serialized PHP in UA)"; flow:established,to_server; content:"O|3a|"; http_header; fast_pattern; pcre:"/^User-Agent\x3a[^\r\n]*\bO\x3a\d+\x3a[^\r\n]*?\{[^\r\n]*?\}/Hmi"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2022263; rev:3; metadata:created_at 2015_12_15, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla RCE M3 (Serialized PHP in XFF)"; flow:established,to_server; content:"O|3a|"; http_header; fast_pattern; pcre:"/^X-Forwarded-For\x3a[^\r\n]*\bO\x3a\d+\x3a[^\r\n]*?\{[^\r\n]*?\}/Hmi"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2022268; rev:3; metadata:created_at 2015_12_15, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js HTTP RCE Exploit Inbound (openUrlInDefaultBrowser)"; flow:from_server,established; file_data; content:"XMLHttpRequest"; nocase; content:"|3a|49155/api/openUrlInDefaultBrowser?"; fast_pattern; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:2022352; rev:3; metadata:created_at 2016_01_12, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js HTTP RCE Exploit Inbound (showSB)"; flow:from_server,established; file_data; content:"XMLHttpRequest"; nocase; content:"|3a|49155/api/showSB?url="; fast_pattern; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:2022353; rev:3; metadata:created_at 2016_01_13, updated_at 2019_10_07;)

alert http any any -> $HOME_NET 8080 (msg:"ET EXPLOIT Linksys Router Unauthenticated Remote Code Execution"; flow:to_server,established; content:"POST"; http_method; content:".cgi"; http_uri; nocase; content:"%74%74%63%70%5f%69%70%3d%2d%68%20%60"; http_client_body; fast_pattern; content:"Authorization|3a 20|Basic"; http_header; reference:url,sans.org/reading-room/whitepapers/malicious/analyzing-backdoor-bot-mips-platform-35902; classtype:attempted-user; sid:2022758; rev:3; metadata:created_at 2016_04_25, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct M2"; flow:established,from_server; file_data; content:"redim"; nocase; fast_pattern; content:"Preserve"; nocase; content:"VBScript"; nocase; content:"chrw"; content:"32767"; distance:0; content:"chrw"; content:"2176"; distance:0; classtype:attempted-admin; sid:2022797; rev:3; metadata:created_at 2016_05_06, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT LastPass RCE Attempt"; flow:from_server,established; file_data; content:"getBoundingClientRect"; nocase; content:"MouseEvent"; fast_pattern; content:"dispatchEvent"; nocase; pcre:"/^\s*\x28\s*new\s*MouseEvent\s*\x28\s*[\x22\x27]\s*click/Rsi"; content:"addEventListener"; nocase; pcre:"/^\s*\x28\s*[\x22\x27]\s*message/Rsi"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=884; classtype:trojan-activity; sid:2022989; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_07_28, performance_impact Low, updated_at 2019_10_07;)

alert tcp any any -> $HOME_NET 3306 (msg:"ET EXPLOIT Possible MySQL cnf overwrite CVE-2016-6662 Attempt"; flow:established,to_server; content:"|03|"; offset:4; content:"global_log_dir"; nocase; distance:0; content:".cnf"; nocase; distance:0; content:"nmalloc_lib"; fast_pattern; reference:cve,2016-6662; reference:url,legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html; classtype:attempted-admin; sid:2023202; rev:2; metadata:affected_product MySQL, attack_target Server, deployment Datacenter, created_at 2016_09_13, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS Pegasus Safari Exploit (CVE-2016-4657)"; flow:established,from_server; file_data; content:"+="; pcre:"/^\s*?\x27try\s*?{}\s*?catch\x28e\x29\s*?{}\x3b/Rsi"; content:"Object"; pcre:"/^(?:\.|\[\s*?[\x22\x27])defineProperties\s*?\x28/Rsi"; content:"defineProperties"; fast_pattern; reference:cve,2016-4657; reference:url,blog.lookout.com/blog/2016/11/02/trident-pegasus-technical-details/; classtype:attempted-admin; sid:2023484; rev:3; metadata:affected_product iOS, affected_product Safari, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_11_07, performance_impact Low, updated_at 2019_10_07;)

alert http any any -> any [5555,7547] (msg:"ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE "; flow:to_server,established; content:"urn|3a|dslforum-org|3a|service|3a|Time|3a|1#SetNTPServers"; nocase; http_header; fast_pattern; reference:url,devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/; reference:md5,a19d5b596992407796a33c5e15489934; classtype:trojan-activity; sid:2023548; rev:4; metadata:affected_product Eir_D1000_Modem, attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2016_11_28, updated_at 2019_10_07;)

alert http any any -> any [5555,7547] (msg:"ET EXPLOIT Eir D1000 Modem CWMP Exploit Retrieving Wifi Key"; flow:to_server,established; content:"urn|3a|dslforum-org|3a|service|3a|Time|3a|1#SetNTPServers"; nocase; http_header; fast_pattern; content:"|3c 75 3a 47 65 74 53 65 63 75 72 69 74 79 4b 65 79 73|"; http_client_body; reference:url,devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/; reference:md5,a19d5b596992407796a33c5e15489934; classtype:trojan-activity; sid:2023549; rev:4; metadata:affected_product Eir_D1000_Modem, attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2016_11_28, performance_impact Low, updated_at 2019_10_07;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 8880 (msg:"ET EXPLOIT IBM WebSphere - RCE Java Deserialization"; flow:to_server,established; content:"SOAPAction|3a 20||22|urn:AdminService|22|"; content:"<objectname xsi|3a|type=|22|ns1|3a|javax.management.ObjectName|22|>"; content:"vcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbn"; fast_pattern; metadata: former_category EXPLOIT; reference:cve,2015-7450; classtype:attempted-user; sid:2024062; rev:3; metadata:affected_product IBM_Websphere, attack_target Server, deployment Perimeter, signature_severity Major, created_at 2017_03_15, performance_impact Low, updated_at 2019_10_07;)

alert udp any any -> $HOME_NET 50000  (msg:"ET EXPLOIT Win32/Industroyer DDOS Siemens SIPROTEC (CVE-2015-5374)"; dsize:18; content:"|11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E|"; fast_pattern; metadata: former_category EXPLOIT; reference:url,www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf; classtype:attempted-dos; sid:2024376; rev:2; metadata:attack_target Client_and_Server, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2017_06_12, performance_impact Low, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Oracle Identity Manager Attempt to Logon with default account"; flow:to_server,established; content:"=OIMINTERNAL"; fast_pattern; http_client_body; metadata: former_category EXPLOIT; reference:cve,CVE-2017-10151; reference:url,oracle.com/technetwork/security-advisory/alert-cve-2017-10151-4016513.html; classtype:attempted-admin; sid:2024941; rev:3; metadata:affected_product Oracle_Identity_Manager, attack_target Web_Server, deployment Datacenter, signature_severity Critical, created_at 2017_11_01, performance_impact Low, updated_at 2019_10_07;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SolusVM 1.13.03 SQL injection"; flow:established,to_server; content:"POST"; http_method; content:"/centralbackup.php?"; http_uri; fast_pattern; content:"_v="; content:"deleteid="; classtype:trojan-activity; sid:2017060; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2013_06_24, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Belkin N600DB Wireless Router Request Forgery Attempt"; flow:to_server,established; content:"/proxy.cgi?chk&url="; http_uri; fast_pattern; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025223; rev:2; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2018_01_19, performance_impact Low, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Generic ADSL Router DNS Change Request"; flow:to_server,established; content:"dnsPrimary="; http_uri; fast_pattern; content:"dnsSecondary="; http_uri; content:"Enable_DNSFollowing=1"; http_uri; metadata: former_category EXPLOIT; classtype:attempted-user; sid:2025222; rev:3; metadata:affected_product D_Link_DSL_2640R, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2018_01_19, performance_impact Low, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT QNAP Shellshock CVE-2014-6271"; flow:established,to_server; content:"authLogin.cgi"; http_uri; content:"|28 29 20 7b|"; http_header; fast_pattern; metadata: former_category CURRENT_EVENTS; reference:url,www.fireeye.com/blog/threat-research/2014/10/the-shellshock-aftershock-for-nas-administrators.html; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; reference:cve,2014-6271; classtype:attempted-admin; sid:2019904; rev:4; metadata:created_at 2014_12_10, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT QNAP Shellshock script retrieval"; flow:established,from_server; file_data; content:"|2f|share|2f|MD0_DATA|2f|optware|2f|.xpl|2f|"; fast_pattern; content:"unset HISTFIE"; metadata: former_category CURRENT_EVENTS; reference:url,www.fireeye.com/blog/threat-research/2014/10/the-shellshock-aftershock-for-nas-administrators.html; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; reference:cve,2014-6271; classtype:attempted-admin; sid:2019905; rev:4; metadata:created_at 2014_12_10, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Javadoc API Redirect CVE-2013-1571"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?//"; http_header; fast_pattern; pcre:"/^Referer\x3a\x20[^\r\n]+\/((index|toc)\.html?)?\?\/\//Hmi"; metadata: former_category CURRENT_EVENTS; reference:cve,2013-1571; classtype:bad-unknown; sid:2017037; rev:4; metadata:created_at 2013_06_20, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible CVE-2012-1533 altjvm (jvm.dll) Requested Over WebDAV"; flow:established,to_server; content:"/jvm.dll"; http_uri; fast_pattern; pcre:"/\/jvm\.dll$/U"; metadata: former_category CURRENT_EVENTS; reference:cve,2012-1533; classtype:trojan-activity; sid:2017012; rev:6; metadata:created_at 2013_06_13, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Exodus Intel IE HTML+TIME EIP Control Technique"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern; content:"CollectGarbage"; nocase; content:"try"; distance:0; nocase; content:".values"; distance:0; nocase; pcre:"/^[\r\n\s\+]*?=.+?\}[\r\n\s]*?catch/Rsi"; metadata: former_category CURRENT_EVENTS; reference:cve,2012-4792; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; classtype:attempted-user; sid:2016138; rev:6; metadata:created_at 2013_01_03, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Lexmark Printer RDYMSG Cross Site Scripting Attempt"; flow:established,to_server; content:"pjl_ready_message="; http_uri; nocase; fast_pattern; pcre:"/pjl\x5Fready\x5Fmessage\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,packetstormsecurity.org/files/view/97265/lexmark-xss.txt; classtype:web-application-attack; sid:2012193; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_01_15, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT echo command attempt"; flow:to_server,established; content:"/bin/echo"; nocase; fast_pattern; classtype:web-application-attack; sid:2101334; rev:11; metadata:created_at 2010_09_23, updated_at 2019_10_07;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK TL-WR340G Router DNS Change GET Request"; flow:to_server,established; content:"GET"; http_method; content:"/userRpm/WanDynamicIpCfgRpm.htm?"; http_uri; depth:32; content:"&dnsserver="; http_uri; content:"&Save=Save"; http_uri; fast_pattern; reference:url,www.exploit-db.com/exploits/34583; classtype:attempted-admin; sid:2020856; rev:4; metadata:created_at 2015_04_07, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT vBulletin 5.x Unauthenticated Remote Code Execution (CVE-2019-16759) M2"; flow:established,to_server; content:"POST"; http_method; content:"routestring"; http_uri; fast_pattern; content:"ajax"; http_uri; distance:0; within:7; content:"render"; http_uri; within:9; content:"widget_php"; http_uri; within:13; content:"widgetConfig"; http_client_body; nocase; content:"code"; http_client_body; within:7; content:"echo"; http_client_body; distance:0; nocase; content:"shell_exec"; http_client_body; nocase; within:13; metadata: former_category EXPLOIT; reference:url,seclists.org/fulldisclosure/2019/Sep/31; reference:url,unit42.paloaltonetworks.com/exploits-in-the-wild-for-vbulletin-pre-auth-rce-vulnerability-cve-2019-16759/; classtype:attempted-admin; sid:2028825; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Perimeter, deployment SSLDecrypt, signature_severity Major, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT vBulletin 5.x Unauthenticated Remote Code Execution (CVE-2019-16759) M3"; flow:established,to_server; content:"GET"; http_method; content:"?routestring"; http_uri; fast_pattern; content:"ajax"; http_uri; distance:0; within:7; content:"render"; http_uri; within:9; content:"widget_php"; http_uri; within:13; content:"&widgetConfig"; http_uri; nocase; content:"code"; http_uri; within:7; content:"echo"; http_uri; distance:0; nocase; content:"shell_exec"; http_uri; nocase; within:13; metadata: former_category EXPLOIT; reference:url,seclists.org/fulldisclosure/2019/Sep/31; reference:url,unit42.paloaltonetworks.com/exploits-in-the-wild-for-vbulletin-pre-auth-rce-vulnerability-cve-2019-16759/; classtype:attempted-admin; sid:2028826; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Perimeter, deployment SSLDecrypt, signature_severity Major, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT VMware VeloCloud Authorization Bypass (CVE-2019-5533)"; flow:established,to_server; content:"|7b 22|jsonrpc|22 3a 22|"; http_client_body; depth:12; content:"/getEnterpriseUser|22|"; http_client_body; distance:0; fast_pattern; content:",|22|params|22 3a 7b 22|id|22 3a|"; http_client_body; distance:0; pcre:"/^(?P<num_value>\d+)\x7d,\x22id\x22\x3a(?P=num_value)/PR"; content:"POST"; http_method; metadata: former_category EXPLOIT; reference:cve,2019-5533; classtype:attempted-admin; sid:2028928; rev:2; metadata:deployment Perimeter, signature_severity Major, created_at 2019_10_31, performance_impact Low, updated_at 2019_10_31;)

alert http any any -> any any (msg:"ET EXPLOIT Possible rConfig 3.9.2 Remote Code Execution PoC (CVE-2019-16662)"; flow:established,to_server; content:"GET"; http_method; content:"/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname="; http_uri; fast_pattern; content:"exec"; distance:0; http_uri; metadata: former_category EXPLOIT; reference:url,packetstormsecurity.com/files/154999/rConfig-3.9.2-Remote-Code-Execution.html; reference:cve,2019-16662; classtype:attempted-admin; sid:2028933; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Perimeter, signature_severity Major, created_at 2019_11_04, updated_at 2019_11_04;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Observed Orange LiveBox Router Information Leakage Attempt (CVE-2018-20377)"; flow:established,to_server; http_request_line; content:"GET|20|"; depth:4; content:"/get_getnetworkconf.cgi|20|HTTP/1.1"; distance:0; fast_pattern; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category EXPLOIT; reference:url,badpackets.net/over-19000-orange-livebox-adsl-modems-are-leaking-their-wifi-credentials; reference:cve,2018-20377; classtype:trojan-activity; sid:2029091; rev:2; metadata:affected_product Router, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_12_03, updated_at 2019_12_03;)

alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Yachtcontrol Webservers RCE CVE-2019-17270 (Inbound)"; flow:established,to_server; content:"GET"; http_method; content:"/pages/sytemcall.php?command=|7c|"; http_uri; depth:30; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-17270; classtype:attempted-admin; sid:2029153; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2019_12_16, updated_at 2019_12_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Yachtcontrol Webservers RCE CVE-2019-17270 (Outbound)"; flow:established,to_server; content:"GET"; http_method; content:"/pages/sytemcall.php?command=|7c|"; http_uri; depth:30; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-17270; classtype:attempted-admin; sid:2029152; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_12_16, updated_at 2019_12_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Technicolor TD5130v2/TD5336 Router RCE CVE-2019-118396/CVE-2017-14127 (Outbound)"; flow:established,to_server; content:"/mnt_ping.cgi?isSubmit=1&addrType=3&pingAddr=|3b|"; http_uri; depth:46; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-18396; reference:cve,2017-14127; classtype:attempted-admin; sid:2029154; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_12_16, updated_at 2019_12_16;)

alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Technicolor TD5130v2/TD5336 Router RCE CVE-2019-118396/CVE-2017-14127 (Inbound)"; flow:established,to_server; content:"GET"; http_method; content:"/mnt_ping.cgi?isSubmit=1&addrType=3&pingAddr=|3b|"; http_uri; depth:46; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-18396; reference:cve,2017-14127; classtype:attempted-admin; sid:2029155; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2019_12_16, updated_at 2019_12_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible AVCON6 Video Conferencing System RCE (Outbound)"; flow:established,to_server; content:"POST"; http_method; content:"/login.action?redirect:${%23a%3d(new%20java.lang.%22"; http_uri; depth:52; fast_pattern; content:"http"; distance:0; http_uri; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029156; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_12_16, updated_at 2019_12_16;)

alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible AVCON6 Video Conferencing System RCE (Inbound)"; flow:established,to_server; content:"POST"; http_method; content:"/login.action?redirect:${%23a%3d(new%20java.lang.%22"; http_uri; depth:52; fast_pattern; content:"http"; distance:0; http_uri; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029157; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2019_12_16, updated_at 2019_12_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Outbound)"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|7c|"; http_uri; depth:106; fast_pattern; metadata: former_category EXPLOIT; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-16072; classtype:attempted-admin; sid:2029158; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_12_16, updated_at 2019_12_16;)

alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Inbound)"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|7c|"; http_uri; depth:106; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-16072; classtype:attempted-admin; sid:2029159; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2019_12_16, updated_at 2019_12_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Sar2HTML plotting tool for Linux servers v3.2.1 (Outbound)"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?plot=|3b|"; http_uri; depth:17; fast_pattern; content:"http"; distance:0; http_uri; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029160; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_12_16, updated_at 2019_12_16;)

alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Sar2HTML plotting tool for Linux servers v3.2.1 (Inbound)"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?plot=|3b|"; http_uri; depth:17; fast_pattern; content:"http"; distance:0; http_uri; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029161; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2019_12_16, updated_at 2019_12_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Citrix NetScaler SD-WAN 9.1.2.26.561201 Devices CVE-2017-6316 (Outbound)"; flow:established,to_server; urilen:13; content:"POST"; http_method; content:"/global_data/"; http_uri; fast_pattern; content:"`"; http_cookie; content:"http"; http_cookie; distance:0; metadata: former_category EXPLOIT; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-6316; classtype:attempted-admin; sid:2029164; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_12_16, updated_at 2019_12_16;)

alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Citrix NetScaler SD-WAN 9.1.2.26.561201 Devices CVE-2017-6316 (Inbound)"; flow:established,to_server; urilen:13; content:"POST"; http_method; content:"/global_data/"; http_uri; fast_pattern; content:"`"; http_cookie; content:"http"; http_cookie; distance:0; metadata: former_category EXPLOIT; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-6316; classtype:attempted-admin; sid:2029165; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2019_12_16, updated_at 2019_12_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Thomson Reuters Velocity Analytics Vhayu Analytic Servers 6.94 build 2995 CVE-2013-5912 (Outbound)"; flow:established,to_server; content:"GET"; http_method; content:"/VhttpdMgr?action=importFile&fileName="; http_uri; depth:38; fast_pattern; content:"http"; http_uri; distance:0; metadata: former_category EXPLOIT; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2013-5192; classtype:attempted-admin; sid:2029166; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_12_16, updated_at 2019_12_16;)

alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Thomson Reuters Velocity Analytics Vhayu Analytic Servers 6.94 build 2995 CVE-2013-5912 (Inbound)"; flow:established,to_server; content:"GET"; http_method; content:"/VhttpdMgr?action=importFile&fileName="; http_uri; depth:38; fast_pattern; content:"http"; http_uri; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2013-5192; classtype:attempted-admin; sid:2029167; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2019_12_16, updated_at 2019_12_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT ACTi ASOC 2200 Web Configurators versions <2.6 RCE (Outbound)"; flow:established,to_server; content:"GET"; http_method; content:"/cgi-bin/test?iperf=|3b|"; http_uri; depth:21; fast_pattern; content:"http"; http_uri; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029168; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_12_16, updated_at 2019_12_16;)

alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT ACTi ASOC 2200 Web Configurators versions <2.6 RCE (Inbound)"; flow:established,to_server; content:"GET"; http_method; content:"/cgi-bin/test?iperf=|3b|"; http_uri; depth:21; fast_pattern; content:"http"; http_uri; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029169; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2019_12_16, updated_at 2019_12_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT 3Com Office Connect Remote Code Execution (Outbound)"; flow:established,to_server; content:"GET"; http_method; content:"/utility.cgi?testType=1&IP="; http_uri; depth:27; fast_pattern; content:"http"; http_uri; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029170; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_12_16, updated_at 2019_12_16;)

alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT 3Com Office Connect Remote Code Execution (Inbound)"; flow:established,to_server; content:"GET"; http_method; content:"/utility.cgi?testType=1&IP="; http_uri; depth:27; fast_pattern; content:"http"; http_uri; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029171; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2019_12_16, updated_at 2019_12_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Barracuda Spam Firewall 3.3.x RCE 2006-4000 (Outbound)"; flow:established,to_server; content:"GET"; http_method; content:"/cgi-bin/preview_email.cgi?file=/mail/mlog/|7c|"; http_uri; depth:44; fast_pattern; content:"http"; http_uri; distance:0; metadata: former_category EXPLOIT; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2006-4000; classtype:attempted-admin; sid:2029172; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_12_16, updated_at 2019_12_16;)

alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Barracuda Spam Firewall 3.3.x RCE 2006-4000 (Inbound)"; flow:established,to_server; content:"GET"; http_method; content:"/cgi-bin/preview_email.cgi?file=/mail/mlog/|7c|"; http_uri; depth:44; fast_pattern; content:"http"; http_uri; distance:0; metadata: former_category EXPLOIT; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2006-4000; classtype:attempted-admin; sid:2029173; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2019_12_16, updated_at 2019_12_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT CCBill Online Payment Systems RCE (Outbound)"; flow:established,to_server; content:"GET"; http_method; content:"/ccbill/whereami.cgi?g="; http_uri; within:40; fast_pattern; content:"http"; http_uri; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029174; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_12_16, updated_at 2019_12_16;)

alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT CCBill Online Payment Systems RCE (Inbound)"; flow:established,to_server; content:"GET"; http_method; content:"/ccbill/whereami.cgi?g="; http_uri; within:40; fast_pattern; content:"http"; http_uri; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029175; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2019_12_16, updated_at 2019_12_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT NetGain Systems Enterprise Manager CVE-2017-16602 (Outbound)"; flow:established,to_server; content:"POST"; http_method; content:"/u/jsp/tools/exec.jsp?command=cmd+%2Fc+ping&argument="; http_uri; depth:53; fast_pattern; content:"http"; distance:0; http_uri; metadata: former_category EXPLOIT; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-16602; classtype:attempted-admin; sid:2029162; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_12_16, updated_at 2019_12_16;)

alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT NetGain Systems Enterprise Manager CVE-2017-16602 (Inbound)"; flow:established,to_server; content:"POST"; http_method; content:"/u/jsp/tools/exec.jsp?command=cmd+%2Fc+ping&argument="; http_uri; depth:53; fast_pattern; content:"http"; distance:0; http_uri; metadata: former_category EXPLOIT; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-16602; classtype:attempted-admin; sid:2029163; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2019_12_16, updated_at 2019_12_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK Archer C5 v4 (CVE-2019-7405)"; flow:established,to_server; content:"/cgi/setPwd?pwd="; http_uri; isdataat:14; content:"Referer|3a 20|tplinkwifi.net|0d 0a|"; http_header; fast_pattern; metadata: former_category EXPLOIT; reference:cve,2019-7405; reference:url,securityintelligence.com/posts/tp-link-archer-router-vulnerability-voids-admin-password-can-allow-remote-takeover/; classtype:attempted-admin; sid:2029181; rev:2; metadata:affected_product Router, attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2019_12_17, performance_impact Low, updated_at 2019_12_17;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Inbound (CVE-2019-7256)"; flow:established,to_server; content:"/card_scan_decoder.php?No="; depth:26; http_uri; metadata: former_category EXPLOIT; reference:cve,2019-7256; reference:url,packetstormsecurity.com/files/155256/Linear-eMerge-E3-1.00-06-card_scan_decoder.php-Command-Injection.html; classtype:attempted-admin; sid:2029207; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2019_12_30, updated_at 2019_12_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Outbound (CVE-2019-7256)"; flow:established,to_server; content:"/card_scan_decoder.php?No="; depth:26; http_uri; reference:cve,2019-7256; reference:url,packetstormsecurity.com/files/155256/Linear-eMerge-E3-1.00-06-card_scan_decoder.php-Command-Injection.html; classtype:attempted-admin; sid:2029213; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_12_31, updated_at 2019_12_31;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound"; flow:established,to_server; content:"/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd="; depth:49; http_uri; metadata: former_category EXPLOIT; reference:url,www.exploit-db.com/exploits/25978; classtype:attempted-admin; sid:2029215; rev:1; metadata:affected_product Netgear_Router, attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_12_31, updated_at 2019_12_31;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781)"; flow:established,to_server; content:"/vpns/"; http_uri; fast_pattern; content:"/../"; http_raw_uri; metadata: former_category EXPLOIT; reference:url,support.citrix.com/article/CTX267679; reference:cve,2019-19781; classtype:attempted-admin; sid:2029206; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, deployment SSLDecrypt, signature_severity Major, created_at 2019_12_30, updated_at 2020_01_21;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft SQL RCE Attempt (CVE-2020-0618)"; flow:established,to_server; urilen:37; content:"POST"; http_method; content:"/ReportServer/pages/ReportViewer.aspx"; http_uri; content:"NavigationCorrector|24|PageState|3d|NeedsCorrection|26|NavigationCorrector|24|ViewState|3d|"; depth:76; fast_pattern; http_client_body; content:"|26 5f 5f|VIEWSTATE|3d|"; distance:0; isdataat:!1,relative; http_client_body; http_header_names; content:!"Referer|0d 0a|"; metadata: former_category ATTACK_RESPONSE; reference:url,github.com/euphrat1ca/CVE-2020-0618; classtype:web-application-attack; sid:2029476; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_02_18, updated_at 2020_02_18;)

alert http $EXTERNAL_NET any -> $HOME_NET 9080 (msg:"ET EXPLOIT Possible LG SuperSign EZ CMS 2.5 RCE (CVE-2018-17173)"; flow:established,to_server; content:"GET"; http_method; content:"/qsrserver/device/getThumbnail?sourceUri=|22|"; depth:42; fast_pattern; http_uri; content:"|3b|"; http_uri; distance:0; within:40; content:"&targetUri="; http_uri; distance:0; content:"&scaleType="; http_uri; distance:0; metadata: former_category EXPLOIT; reference:url,www.exploit-db.com/exploits/45448; reference:cve,2018-17173; classtype:attempted-admin; sid:2027089; rev:3; metadata:attack_target IoT, deployment Perimeter, signature_severity Major, created_at 2019_03_18, performance_impact Low, updated_at 2020_02_19;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WRT54GL Router DNS Change POST Request"; flow:to_server,established; content:"POST"; http_method; urilen:10; content:"/apply.cgi"; http_uri; isdataat:!1,relative; content:"submit_button=index"; http_client_body; depth:19; content:"&action=Apply"; http_client_body; distance:0; nocase; content:"&lan_dns0="; http_client_body; distance:0; fast_pattern; reference:url,www.s3cur1ty.de/node/640; classtype:attempted-admin; sid:2020858; rev:3; metadata:created_at 2015_04_07, updated_at 2020_02_21;)

alert tcp any any -> $HOME_NET 8009 (msg:"ET EXPLOIT [401TRG] GhostCat LFI Attempt Inbound (CVE-2020-1938)"; flow:established,to_server; content:"|12 34|"; depth:2; content:"|00 08|HTTP/1.1|00|"; distance:0; content:"javax.servlet.include.path_info|00|"; nocase; distance:0; content:"javax.servlet.include.request_uri|00|"; content:"javax.servlet.include.servlet_path|00|"; metadata: former_category EXPLOIT; reference:cve,2020-1938; reference:url,www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487; classtype:attempted-admin; sid:2029533; rev:2; metadata:affected_product Apache_Tomcat, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2020_02_25, updated_at 2020_02_25;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Unknown Router Remote DNS Change Attempt"; flow:established,to_server; urilen:10; content:"POST"; http_method; content:"/setup.htm"; http_uri; nocase; content:"wan_proto=dhcp"; nocase; http_client_body; content:"dhcps_dns_1="; http_client_body; nocase; fast_pattern; content:"dhcps_mode=enabled"; http_client_body; nocase; content:"lan_proto=enable"; http_client_body; nocase; http_header_names; content:!"Cookie|0d 0a|"; content:!"Authorization|0d 0a|"; classtype:attempted-admin; sid:2023468; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_31, updated_at 2020_02_28;)

alert http any any -> $HOME_NET 5984 (msg:"ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12635)"; flow:established,to_server,only_stream; content:"PUT"; http_method; content:"/_users/"; http_uri; content:"_admin"; http_client_body; fast_pattern; metadata: former_category EXPLOIT; reference:cve,2017-12635; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/; classtype:attempted-admin; sid:2025435; rev:3; metadata:attack_target Server, deployment Datacenter, signature_severity Major, created_at 2018_03_19, malware_family CoinMiner, updated_at 2020_03_04;)

alert http any any -> $HOME_NET 5984 (msg:"ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12636)"; flow: established,to_server,only_stream; urilen:26; content:"PUT"; http_method; content:"/_config/query_servers/cmd"; http_uri; pcre:"/^\s*[\x22\x27]/P"; content:"Authorization|3a 20|Basic"; http_header; metadata: former_category EXPLOIT; reference:cve,2017-12636; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/; classtype:attempted-admin; sid:2025432; rev:3; metadata:deployment Datacenter, signature_severity Major, created_at 2018_03_13, performance_impact Moderate, updated_at 2020_03_04;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NETGEAR WNR2000v5 hidden_lang_avi Stack Overflow (CVE-2016-10174)"; flow:to_server,established; content:"/lang_check.html"; http_uri; content:"timestamp="; http_uri; content:"&hidden_lang_avi="; http_client_body; isdataat:36,relative; content:!"|00|"; within:36; http_client_body; content:!"|25|"; within:36; http_client_body; content:!"|26|"; within:36; http_client_body; metadata: former_category EXPLOIT; classtype:attempted-admin; sid:2024121; rev:5; metadata:affected_product Netgear_Router, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_30, performance_impact Low, updated_at 2020_03_05;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Equation Group EGREGIOUSBLUNDER Fortigate Exploit Attempt"; flow:established,to_server; urilen:6; content:"POST"; http_method; content:"/index"; http_uri; http_start; content:"Content-length|3a 20|0|0d 0a|Cookie|3a 20|APSCOOKIE=Era=0&Payload="; fast_pattern; pcre:"/^[A-Za-z0-9+/]{0,4}?[^\x20-\x7e]/R"; http_header_names; content:"|0d 0a|Host|0d 0a|Content-length|0d 0a|"; depth:24; content:!"User-Agent|0d 0a|"; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; classtype:attempted-admin; sid:2023075; rev:3; metadata:affected_product Fortigate, attack_target Server, deployment Datacenter, signature_severity Major, created_at 2016_08_17, performance_impact Low, updated_at 2020_03_05;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FireEye Detection Evasion %temp% attempt - Inbound"; flow:to_server,established; content:"%"; http_raw_uri; content:"temp%"; nocase; http_raw_uri; fast_pattern; within:7; pcre:"/\%(?:25)?temp\%/Ii"; reference:url,labs.bluefrostsecurity.de/advisories/bfs-sa-2016-001/; classtype:misc-attack; sid:2022554; rev:4; metadata:created_at 2016_02_22, updated_at 2020_03_05;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Potential Internet Explorer Use After Free CVE-2013-3163 Exploit URI Struct 1"; flow:established,to_server; content:"/vid.aspx?id="; http_uri; nocase; fast_pattern; pcre:"/^[a-zA-Z0-9]+$/URi"; http_header_names; content:!"Cookie|0d 0a|"; metadata: former_category CURRENT_EVENTS; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017131; rev:6; metadata:created_at 2013_07_11, updated_at 2020_03_09;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type SYMBOL"; flow:established,to_server; content:"POST"; http_method; content:"|20|type="; http_client_body; nocase; fast_pattern; content:"symbol"; distance:0; nocase; http_client_body; pcre:"/<[^>]*\stype\s*=\s*[\x22\x27]symbol[\x22\x27]/Pi"; http_content_type; pcre:"/^(?:application\/(?:x-)?|text\/)xml/"; metadata: former_category CURRENT_EVENTS; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-activity; sid:2016176; rev:5; metadata:created_at 2013_01_09, updated_at 2020_03_09;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type YAML"; flow:established,to_server; content:"POST"; http_method; content:" type="; http_client_body; nocase; fast_pattern; content:"yaml"; distance:0; nocase; http_client_body; pcre:"/<[^>]*\stype\s*=\s*[\x22\x27]yaml[\x22\x27]/Pi"; http_content_type; pcre:"/^(?:application\/(?:x-)?|text\/)xml/"; metadata: former_category CURRENT_EVENTS; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-attack; sid:2016175; rev:5; metadata:created_at 2013_01_09, updated_at 2020_03_09;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M1"; flow:established,to_server; content:"GET"; http_method; content:"/adv,/cgi-bin/weblogin.cgi?username="; http_uri; depth:36; fast_pattern; content:"|27 3b|"; http_uri; within:20; metadata: former_category EXPLOIT; reference:cve,2020-9054; reference:url,www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml; reference:url,www.kb.cert.org/vuls/id/498544/; classtype:attempted-admin; sid:2029616; rev:2; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2020_03_12, updated_at 2020_03_12;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M2"; flow:established,to_server; content:"POST"; http_method; content:"/adv,/cgi-bin/weblogin.cgi"; http_uri; depth:26; fast_pattern; content:"username="; http_client_body; depth:9; content:"|27 3b|"; http_client_body; within:20; metadata: former_category EXPLOIT; reference:cve,2020-9054; reference:url,www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml; reference:url,www.kb.cert.org/vuls/id/498544/; classtype:attempted-admin; sid:2029617; rev:2; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2020_03_12, updated_at 2020_03_12;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zoho ManageEngine Desktop Central RCE Inbound (CVE-2020-10189)"; flow:established,to_server; content:"POST"; http_method; content:"/mdm/client/v1/mdmLogUploader?udid=si|5c|..|5c|..|5c|..|5c|webapps|5c|DesktopCentral|5c|_chart&filename="; http_uri; depth:86; fast_pattern; content:"|ac ed 00 05 73 72 00 17 6a 61 76 61 2e 75 74 69 6c 2e 50 72 69 6f 72 69 74 79 51 75 65 75 65 94|"; http_client_body; depth:32; metadata: former_category EXPLOIT; reference:url,twitter.com/steventseeley/status/1235635108498948096; reference:cve,2020-10189; reference:url,www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html; classtype:attempted-admin; sid:2029618; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, deployment SSLDecrypt, signature_severity Major, created_at 2020_03_12, performance_impact Low, updated_at 2020_03_12;)

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WRT54G Version 3.1 Command Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"Authorization|3a 20|Basic|20|"; http_header; content:"/apply.cgi"; http_uri; depth:10; content:"change_action=gozila_cgi"; http_client_body; fast_pattern; content:"submit_type=language"; http_client_body; content:"&ui_language="; http_client_body; pcre:"/^[(?:\x60|%60)(?:\x27|%27)]/PR"; metadata: former_category EXPLOIT; reference:url,nstarke.github.io/0034-linksys-wrt54g-v3.1-writeup.html; classtype:attempted-admin; sid:2029734; rev:2; metadata:created_at 2020_03_24, updated_at 2020_03_24;)

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M2"; flow:established,to_server; content:"/vpns/"; http_uri; fast_pattern; content:"|0d 0a|NSC_USER|3a 20|"; http_header; nocase; content:"|0d 0a|NSC_NONCE|3a 20|"; http_header; nocase; content:"/../"; http_header; reference:url,support.citrix.com/article/CTX267679; reference:cve,2019-19781; classtype:attempted-admin; sid:2029255; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Perimeter, signature_severity Critical, created_at 2020_01_13, updated_at 2020_03_25;)

alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Telerik UI CVE-2019-18935 File Upload Attempt M1"; flow:to_server,established; content:"POST"; http_method; content:"/Telerik.Web.UI.WebResource.axd"; http_uri; fast_pattern; content:"type=rau"; nocase; http_uri; distance:0; content:"rauPostData"; nocase; http_client_body; metadata: former_category EXPLOIT; reference:url,github.com/noperator/CVE-2019-18935; reference:cve,2019-18935; classtype:web-application-attack; sid:2029761; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Minor, created_at 2020_03_30, updated_at 2020_03_30;)

alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Telerik UI CVE-2019-18935 File Upload Attempt M2"; content:"GET"; http_method; content:"/Telerik.Web.UI.WebResource.axd?dp="; fast_pattern; http_uri; metadata: former_category EXPLOIT; reference:url,www.exploit-db.com/exploits/43874; classtype:web-application-attack; sid:2029762; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Minor, created_at 2020_03_30, updated_at 2020_03_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M1"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/mainfunction.cgi?action=login&keyPath="; http_uri; depth:47; fast_pattern; content:"&loginUser="; http_uri; distance:0; content:"&loginPwd="; http_uri; distance:0; metadata: former_category EXPLOIT; reference:cve,2020-8515; reference:url,www.exploit-db.com/exploits/48268; classtype:attempted-admin; sid:2029804; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2020_04_03, updated_at 2020_04_03;)

alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M1"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/mainfunction.cgi?action=login&keyPath="; http_uri; depth:47; fast_pattern; content:"&loginUser="; http_uri; distance:0; content:"&loginPwd="; http_uri; distance:0; metadata: former_category EXPLOIT; reference:cve,2020-8515; reference:url,www.exploit-db.com/exploits/48268; classtype:attempted-admin; sid:2029805; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, deployment Perimeter, signature_severity Minor, created_at 2020_04_03, updated_at 2020_04_03;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M2"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/mainfunction.cgi"; http_uri; isdataat:!1,relative; content:"action=login&keyPath="; http_client_body; fast_pattern; content:"&loginUser="; http_client_body; distance:0; content:"&loginPwd="; http_client_body; distance:0; metadata: former_category EXPLOIT; reference:cve,2020-8515; reference:url,www.exploit-db.com/exploits/48268; classtype:attempted-admin; sid:2029806; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2020_04_03, updated_at 2020_04_03;)

alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M2"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/mainfunction.cgi"; http_uri; isdataat:!1,relative; content:"action=login&keyPath="; http_client_body; fast_pattern; content:"&loginUser="; http_client_body; distance:0; content:"&loginPwd="; http_client_body; distance:0; metadata: former_category EXPLOIT; reference:cve,2020-8515; reference:url,www.exploit-db.com/exploits/48268; classtype:attempted-admin; sid:2029807; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, deployment Perimeter, signature_severity Minor, created_at 2020_04_03, updated_at 2020_04_03;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Netlink GPON Remote Code Execution Attempt (Inbound)"; flow:established,to_server; content:"POST"; http_method; content:"/boaform/admin/formPing"; http_uri; depth:23; isdataat:!1,relative; fast_pattern; content:"target_addr=|3b|"; depth:13; http_client_body; metadata: former_category EXPLOIT; reference:url,blog.netlab.360.com/multiple-fiber-routers-are-being-compromised-by-botnets-using-0-day-en/; reference:url,www.exploit-db.com/exploits/48225; classtype:attempted-admin; sid:2029976; rev:2; metadata:affected_product Router, attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2020_04_20, performance_impact Low, updated_at 2020_04_20;)