# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2019, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-4.0-enhanced.
# --- Service fingerprinting (THC Amap) and Cisco Torch TFTP probes ---
# Amap TCP service scan: the probe payload carries the literal "service:thc://" marker, matched
# once within the first 105 bytes and again within 40 bytes of that hit. The rule keys on a
# tool-specific string, so a rebuilt or renamed probe will not match.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Amap TCP Service Scan Detected"; flow:to_server; flags:PA; content:"service|3A|thc|3A 2F 2F|"; depth:105; content:"service|3A|thc"; within:40; reference:url,freeworld.thc.org/thc-amap/; reference:url,doc.emergingthreats.net/2010371; classtype:attempted-recon; sid:2010371; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# Amap UDP probe: fixed "THCTHC..." marker followed by three spaces; dsize:<135 bounds the payload size.
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Amap UDP Service Scan Detected"; dsize:<135; content:"THCTHCTHCTHCTHC|20 20 20|"; reference:url,freeworld.thc.org/thc-amap/; reference:url,doc.emergingthreats.net/2010372; classtype:attempted-recon; sid:2010372; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# Cisco Torch TFTP scan: offset:2 skips the 2-byte TFTP opcode; the hex content decodes to the
# filename "Rand0mSTRING", a NUL, and the transfer mode "netascii" that the tool requests.
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET SCAN Cisco Torch TFTP Scan"; content:"|52 61 6E 64 30 6D 53 54 52 49 4E 47 00 6E 65 74 61 73 63 69 69|"; offset:2; depth:21; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008414; classtype:attempted-recon; sid:2008414; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# --- FTP credential guessing and FTP scanner fingerprints ---
# Five "USER root" (or "USER administrator") attempts from one source within 60 seconds.
# threshold type "threshold" fires on every 5th match, so a sustained brute force keeps alerting.
# The username is matched with nocase within 15/25 bytes of "USER ", so "rootadmin" also counts.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN Multiple FTP Root Login Attempts from Single Source - Possible Brute Force Attempt"; flow:established,to_server; content:"USER "; nocase; depth:5; content:"root"; within:15; nocase; threshold: type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2010642; classtype:attempted-recon; sid:2010642; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN Multiple FTP Administrator Login Attempts from Single Source - Possible Brute Force Attempt"; flow:established,to_server; content:"USER "; nocase; depth:5; content:"administrator"; within:25; nocase; threshold: type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2010643; classtype:attempted-recon; sid:2010643; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# Grim's Ping: matches the tool's fixed FTP PASS string (source/destination are "any", so it also
# fires for internal-to-internal traffic).
# NOTE(review): the content "[email protected]" looks like an e-mail-obfuscation artifact of the
# web copy this file was taken from, not the tool's real password string; as written the rule only
# matches the literal text "[email protected]". Restore the content from the upstream ET rule text
# before loading this signature.
alert tcp any any -> any 21 (msg:"ET SCAN Grim's Ping ftp scanning tool"; flow:to_server,established; content:"PASS "; content:"[email protected]"; within:18; reference:url,archives.neohapsis.com/archives/snort/2002-04/0448.html; reference:url,grimsping.cjb.net; reference:url,doc.emergingthreats.net/2007802; classtype:network-scan; sid:2007802; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# --- ICMP tool pings, MS02-039 noise generator, Modbus and MySQL probes ---
# IPTools ping: ICMP echo request whose first 64 payload bytes are all 0xA7.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP PING IPTools"; itype: 8; icode: 0; content:"|A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7|"; depth: 64; reference:url,www.ks-soft.net/ip-tools.eng; reference:url,www.ks-soft.net/ip-tools.eng/index.htm; reference:url,doc.emergingthreats.net/2000575; classtype:misc-activity; sid:2000575; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# NNG: crafted UDP/1434 packets carrying "nng Snort (Snort)" at offset 90, meant to bury a sensor in
# MS02-039 false positives; thresholded at 4 per destination per 15 s. When this fires, review the
# surrounding UDP/1434 alerts individually instead of dismissing them as noise.
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"ET SCAN NNG MS02-039 Exploit False Positive Generator - May Conceal A Genuine Attack"; content:"nng Snort (Snort)"; offset:90; threshold:type threshold, track by_dst, count 4, seconds 15; reference:url,packetstormsecurity.nl/filedesc/nng-4.13r-public.rar.html; reference:url,doc.emergingthreats.net/2008560; classtype:misc-activity; sid:2008560; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# Modbus/TCP scanning (disabled by default): 100 requests beginning with 00 00 00 00 00 02 from one
# source within 10 s, alerting once per window. Enable only where Modbus/TCP (502) is expected.
#alert tcp any any -> any 502 (msg:"ET SCAN Modbus Scanning detected"; content:"|00 00 00 00 00 02|"; flow:established,to_server; depth:6; threshold: type both, track by_src, count 100, seconds 10; reference:url,code.google.com/p/modscan/; reference:url,www.rtaautomation.com/modbustcp/; reference:url,doc.emergingthreats.net/2009286; classtype:bad-unknown; sid:2009286; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# MySQL brute-force root login: byte 3 must be 0x01 (presumably the packet sequence number of the
# client login packet); "root|00|" is then looked for at distance 5 (4.0 wire format) or distance
# 32 (4.1 wire format). threshold type "both" alerts once per source per 60 s once 5 matches are seen.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL 4.0 brute force root login attempt"; flow:to_server,established; content:"|01|"; offset:3; depth:4; content:"root|00|"; nocase; distance:5; within:5; threshold:type both,track by_src,count 5,seconds 60; reference:url,www.redferni.uklinux.net/mysql/MySQL-323.html; reference:url,doc.emergingthreats.net/2001906; classtype:protocol-command-decode; sid:2001906; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL 4.1 brute force root login attempt"; flow:to_server,established; content:"|01|"; offset:3; depth:4; content:"root|00|"; nocase; distance:32; within:5; threshold:type both,track by_src,count 5,seconds 60; reference:url,www.redferni.uklinux.net/mysql/MySQL-Protocol.html; reference:url,doc.emergingthreats.net/2002842; classtype:protocol-command-decode; sid:2002842; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# Server-side indicator: the MySQL server's own "Host '...' is not allowed to connect" error
# message. Direction is $HOME_NET 3306 -> any, so it also fires when an internal host trips the
# server's host allow-list; the offending client is the alert's destination address.
alert tcp $HOME_NET 3306 -> any any (msg:"ET SCAN Non-Allowed Host Tried to Connect to MySQL Server"; flow:from_server,established; content:"|6A 04|Host|20 27|"; depth:70; content:"|27 20|is not allowed to connect to this MySQL server"; distance:0; reference:url,www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html; reference:url,doc.emergingthreats.net/2010493; classtype:attempted-recon; sid:2010493; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# --- Nmap scan-type heuristics and NBTStat enumeration (all disabled by default) ---
# The Nmap rules key on zero-length packets with particular flag combinations, TCP window sizes
# (2048/1024/3072), the DF/MF fragment bits or ip_proto 21, and alert at most once per destination
# per minute. Nothing in these patterns is specific to Nmap, which is presumably why they ship
# commented out; baseline before enabling any of them.
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 2048"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000537; classtype:attempted-recon; sid:2000537; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sO"; dsize:0; ip_proto:21; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000536; classtype:attempted-recon; sid:2000536; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000538; classtype:attempted-recon; sid:2000538; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (2)"; fragbits:!D; dsize:0; flags:A,12; window:3072; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000540; classtype:attempted-recon; sid:2000540; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -f -sF"; fragbits:!M; dsize:0; flags:F,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000543; classtype:attempted-recon; sid:2000543; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -f -sN"; fragbits:!M; dsize:0; flags:0,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000544; classtype:attempted-recon; sid:2000544; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -f -sX"; fragbits:!M; dsize:0; flags:FPU,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000546; classtype:attempted-recon; sid:2000546; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# NBTStat: the hex content is a 0x20-length NetBIOS name, the wildcard "*" first-level encoded as
# "CK" plus thirty "A"s, a NUL terminator, and the NBSTAT record type 0x0021. Both rules watch
# responses leaving $HOME_NET/137 toward external hosts (10 per destination in 60 s, or any single one).
#alert udp $HOME_NET 137 -> $EXTERNAL_NET any (msg:"ET SCAN Multiple NBTStat Query Responses to External Destination, Possible Automated Windows Network Enumeration"; content:"|20 43 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21|"; depth:55; threshold: type threshold, track by_dst, count 10, seconds 60; reference:url,technet.microsoft.com/en-us/library/cc940106.aspx; reference:url,doc.emergingthreats.net/2009767; classtype:attempted-recon; sid:2009767; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $HOME_NET 137 -> $EXTERNAL_NET any (msg:"ET SCAN NBTStat Query Response to External Destination, Possible Windows Network Enumeration"; content:"|20 43 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21|"; depth:55; reference:url,technet.microsoft.com/en-us/library/cc940106.aspx; reference:url,doc.emergingthreats.net/2009768; classtype:attempted-recon; sid:2009768; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# --- FTP crawler probe, SIP/VoIP scanners, external UPnP discovery ---
# PRO Search Crawler identifying itself in the FTP PASS; classtype not-suspicious, informational.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN PRO Search Crawler Probe"; flow:to_server,established; content:"PASS "; nocase; depth:5; content:"crawler"; nocase; within:30; pcre:"/^PASS\s+PRO(-|\s)*search\s+Crawler/smi"; reference:url,sourceforge.net/project/showfiles.php?group_id=149797; reference:url,doc.emergingthreats.net/2008179; classtype:not-suspicious; sid:2008179; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# Sipvicious and the "sundayddr" variant: matched on the From display name / User-Agent string the
# tool sends; threshold type "limit" caps alerts at one per source per 10 s or 60 s. A renamed or
# rebuilt scanner will not hit these strings.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious Scan"; content:"From|3A 20 22|sipvicious"; threshold: type limit, count 1, seconds 10, track by_src; reference:url,blog.sipvicious.org; reference:url,doc.emergingthreats.net/2008578; classtype:attempted-recon; sid:2008578; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Modified Sipvicious User-Agent Detected (sundayddr)"; content:"|0d 0a|User-Agent|3A| sundayddr"; threshold: type limit, count 1, seconds 60, track by_src; reference:url,honeynet.org.au/?q=sunday_scanner; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011766; classtype:attempted-recon; sid:2011766; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# sipsak and SIVuS: fixed tool identifiers in the SIP URI, searched from a minimum offset.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipsak SIP scan"; content:"sip|3a|sipsak@"; offset:90; reference:url,sipsak.org/; reference:url,doc.emergingthreats.net/2008598; classtype:attempted-recon; sid:2008598; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sivus VOIP Vulnerability Scanner SIP Scan"; content:"SIVuS_VoIP_Scanner <sip|3a|SIVuS"; offset:130; threshold:type threshold, track by_src, count 3, seconds 10; reference:url,www.security-database.com/toolswatch/SiVus-VoIP-Security-Scanner-1-09.html; reference:url,www.vopsecurity.org/; reference:url,doc.emergingthreats.net/2008609; classtype:attempted-recon; sid:2008609; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# NOTE(review): "sip|3a|[email protected]" looks like an e-mail-obfuscation artifact of the web copy
# rather than the scanner's real SIP address; as written the rule matches only that literal text.
# Restore the content from the upstream ET rule before loading.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sivus VOIP Vulnerability Scanner SIP Components Scan"; content:"sip|3a|[email protected]"; offset:110; reference:url,www.security-database.com/toolswatch/SiVus-VoIP-Security-Scanner-1-09.html; reference:url,www.vopsecurity.org/; reference:url,doc.emergingthreats.net/2008610; classtype:attempted-recon; sid:2008610; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# SSDP discovery arriving from outside toward internal hosts (UPnP should not be reachable externally).
# NOTE(review): the SSDP discovery method is "M-SEARCH" with a hyphen (UPnP Device Architecture);
# this rule's content is "MSEARCH" with depth:18, which would not match a spec-conformant request.
# Confirm against the upstream rule text; if it is a typo, the fix is "M-SEARCH * HTTP/1.1" with
# depth:19 and a rev bump so the change is tracked.
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET SCAN External to Internal UPnP Request udp port 1900"; content:"MSEARCH * HTTP/1.1"; depth:18; content:"MAN|3a| ssdp|3a|"; nocase; distance:0; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008094; classtype:attempted-recon; sid:2008094; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# smap and the Voiper fuzzer: fixed URI/header tokens within a bounded window of the packet.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Smap VOIP Device Scan"; content:"<sip|3a|smap@"; offset:80; depth:40; reference:url,www.go2linux.org/smap-find-voip-enabled-devices; reference:url,doc.emergingthreats.net/2008526; classtype:attempted-recon; sid:2008526; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Toolkit Torturer Scan"; content:"interesting-Method"; content:"sip|3a|1_unusual.URI"; content:"to-be!sure"; offset:20; depth:60; reference:url,sourceforge.net/projects/voiper; reference:url,doc.emergingthreats.net/2008568; classtype:attempted-recon; sid:2008568; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Fuzzing Scan"; content:"sip|3a|tester@"; content:"Via|3a| SIP/2.0"; offset:20; depth:60; threshold: type threshold, track by_dst, count 5, seconds 15; reference:url,sourceforge.net/projects/voiper; reference:url,doc.emergingthreats.net/2008577; classtype:attempted-recon; sid:2008577; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# --- Web-scan error-rate heuristics, SIP REGISTER abuse, DCERPC mgmt BIND, scanner banners ---
# Disabled by default: 30+ HTTP 400/404 (35+ 403) responses in 60 s. The flow is server->client and
# tracking is by_dst, so the counter is per client IP. Noisy on busy sites; tune the counts and
# consider excluding known crawlers before enabling.
#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Unusually Fast 400 Error Messages (Bad Request), Possible Web Application Scan"; flow:from_server,established; content:"HTTP/1.1 400"; depth:13; threshold: type threshold, track by_dst, count 30, seconds 60; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec10.html; reference:url,support.microsoft.com/kb/247249; reference:url,doc.emergingthreats.net/2009884; classtype:attempted-recon; sid:2009884; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Unusually Fast 404 Error Messages (Page Not Found), Possible Web Application Scan/Directory Guessing Attack"; flow:from_server,established; content:"HTTP/1.1 404"; depth:13; threshold: type threshold, track by_dst, count 30, seconds 60; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec10.html; reference:url,en.wikipedia.org/wiki/HTTP_404; reference:url,doc.emergingthreats.net/2009885; classtype:attempted-recon; sid:2009885; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# ProxyReconBot (disabled): a POST whose request target ends in ":25 HTTP/", i.e. an attempt to use
# the web server as a proxy to an SMTP port.
#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN ProxyReconBot POST method to Mail"; flow:established,to_server; content:"POST "; depth:5; content:"|3A|25 HTTP/"; within:200; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2003870; classtype:misc-attack; sid:2003870; rev:7; metadata:created_at 2010_07_30, updated_at 2017_04_21;)
# SIP REGISTER carrying a User-Agent of "Hacker" (hackingvoip.com erase_registrations/add_registrations tools).
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SIP erase_registrations/add registrations attempt"; content:"REGISTER "; depth:9; content:"User-Agent|3a| Hacker"; reference:url,www.hackingvoip.com/sec_tools.html; reference:url,doc.emergingthreats.net/2008640; classtype:attempted-recon; sid:2008640; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Unusually Fast 403 Error Messages, Possible Web Application Scan"; flow:from_server,established; content:"HTTP/1.1 403"; depth:13; threshold: type threshold, track by_dst, count 35, seconds 60; reference:url,www.checkupdown.com/status/E403.html; reference:url,doc.emergingthreats.net/2009749; classtype:attempted-recon; sid:2009749; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# DCERPC BIND to the RPC management interface: "|05|" is the RPC version byte and the 16-byte hex
# content is the little-endian encoding of the mgmt interface UUID afa8bd80-7d8a-11c9-bef4-08002b102989.
# An unauthenticated inq_if_ids call against it enumerates every interface the endpoint exposes.
alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,1024:2048] (msg:"ET SCAN DCERPC rpcmgmt ifids Unauthenticated BIND"; flow:established,to_server; content:"|05|"; content:"|80 bd a8 af 8a 7d c9 11 be f4 08 00 2b 10 29 89|"; distance:31; reference:url,www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf; reference:url,www.blackhat.com/presentations/win-usa-04/bh-win-04-seki-up2.pdf; reference:url,seclists.org/fulldisclosure/2003/Aug/0432.html; reference:url,doc.emergingthreats.net/2009832; classtype:attempted-recon; sid:2009832; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# Scanner/proxy banners in HTTP requests (Acunetix, RatProxy), rate-limited to one alert per source
# per minute. These strings are set by the tool operator and trivially changed, so the absence of an
# alert says nothing about whether a scan took place.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Acunetix Version 6 (Free Edition) Scan Detected"; flow:to_server,established; content:"(Acunetix Web Vulnerability Scanner"; nocase; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.acunetix.com/; reference:url,doc.emergingthreats.net/2009646; classtype:attempted-recon; sid:2009646; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN RatProxy in-use"; flow:established,to_server; content:"X-Ratproxy-Loop|3A| "; threshold: type limit, track by_src,count 1, seconds 60; classtype:attempted-recon; sid:2011975; rev:2; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
# SIPp load generator (20 hits per destination in 15 s), the hackingvoip sipscan canary, and the
# "sipsscuser" Sipvicious variant, each keyed on fixed From/URI strings.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipp SIP Stress Test Detected"; content:"sip|3a|sipp@"; content:"Subject|3a| Performance Test"; offset:90; depth:90; threshold: type threshold, track by_dst, count 20, seconds 15; reference:url,sourceforge.net/projects/sipp/; reference:url,doc.emergingthreats.net/2008579; classtype:attempted-recon; sid:2008579; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN sipscan probe"; content:"sip|3a|thisisthecanary@"; content:"sip|3a|test@"; offset:30; depth:70; reference:url,www.hackingvoip.com/sec_tools.html; reference:url,doc.emergingthreats.net/2008641; classtype:attempted-recon; sid:2008641; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Modified Sipvicious Sundayddr Scanner (sipsscuser)"; content:"From|3A 20 22|sipsscuser|22|"; threshold: type limit, count 1, seconds 60, track by_src; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,honeynet.org.au/?q=sunday_scanner; classtype:attempted-recon; sid:2012204; rev:3; metadata:created_at 2011_01_20, updated_at 2011_01_20;)
# --- SQL injection tool user-agents, GPL ICMP/SSH/UDP scanner fingerprints, Nessus FTP plugins ---
# Havij: the ") Havij" User-Agent tail. Inbound is an external tool aimed at $HOME_NET; outbound
# ($HOME_NET -> $EXTERNAL_NET) means an internal host is running the tool, which warrants follow-up
# with the asset owner regardless of whether the target is yours.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Havij SQL Injection Tool User-Agent Inbound"; flow:established,to_server; content:"|29| Havij|0d 0a|Connection|3a| "; http_header; reference:url,itsecteam.com/en/projects/project1.htm; classtype:web-application-attack; sid:2012606; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_03_30, updated_at 2020_04_19;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Havij SQL Injection Tool User-Agent Outbound"; flow:established,to_server; content:"|29| Havij|0d 0a|Connection|3a| "; http_header; reference:url,itsecteam.com/en/projects/project1.htm; classtype:web-application-attack; sid:2011924; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_11_12, updated_at 2020_04_20;)
# SolarWinds IP scanner: "SolarWinds.Net" in the ICMP echo payload.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net"; nocase; classtype:network-scan; sid:2101918; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# sqlmap: one specific four-column "UNION ALL SELECT NULL, ..." payload plus "-- AND" in the URI,
# 4 hits per destination in 20 s (detection_filter). Only this payload shape is covered; tamper
# scripts, a different column count or a non-default union character will not match.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible SQLMAP Scan"; flow:established,to_server; content:"UNION ALL SELECT NULL, NULL, NULL, NULL"; http_uri; content:"-- AND"; http_uri; detection_filter:track by_dst, count 4, seconds 20; reference:url,sqlmap.sourceforge.net; reference:url,www.darknet.org.uk/2011/04/sqlmap-0-9-released-automatic-blind-sql-injection-tool/; classtype:attempted-recon; sid:2012754; rev:2; metadata:created_at 2011_04_29, updated_at 2020_04_20;)
# GPL ICMP echo-request fingerprints (Broadscan, ISS Pinger, CyberKit, Delphi-Piette, Nmap, Sniffer
# Pro/NetXRay, icmpenum, superscan, webtrends), matched on payload bytes or payload size. The
# Broadscan, "PING NMAP" and icmpenum rules are disabled, presumably because a zero-length or
# zero-id/zero-seq echo request is not distinctive enough on its own.
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Broadscan Smurf Scanner"; dsize:4; icmp_id:0; icmp_seq:0; itype:8; classtype:attempted-recon; sid:2100478; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:2100465; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; depth:32; reference:arachnids,154; classtype:misc-activity; sid:2100483; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN PING Delphi-Piette Windows"; itype:8; content:"Pinging from Del"; depth:32; reference:arachnids,155; classtype:misc-activity; sid:2100372; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:2100469; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN PING Sniffer Pro/NetXRay network scan"; itype:8; content:"Cinco Network, Inc."; depth:32; classtype:misc-activity; sid:2100484; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN icmpenum v1.1.1"; dsize:0; icmp_id:666 ; icmp_seq:0; id:666; itype:8; reference:arachnids,450; classtype:attempted-recon; sid:2100471; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN superscan echo"; dsize:8; itype:8; content:"|00 00 00 00 00 00 00 00|"; classtype:attempted-recon; sid:2100474; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN webtrends scanner"; icode:0; itype:8; content:"|00 00 00 00|EEEEEEEEEEEE"; reference:arachnids,307; classtype:attempted-recon; sid:2100476; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# SSH client announcing itself as "Version_Mapper"; Webtrends UDP "help/quite" probe (disabled).
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; nocase; classtype:network-scan; sid:2101638; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Webtrends Scanner UDP Probe"; content:"|0A|help|0A|quite|0A|"; classtype:attempted-recon; sid:2100637; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# Nessus FTP plugins: the anonymous-login check's "pass nessus@" (source is "any", so internal
# Nessus scanners fire it too) and the writable-directory check's "MKD" with "Nessus" in the name.
alert ftp any any -> $HOME_NET any (msg:"ET SCAN Nessus FTP Scan detected (ftp_anonymous.nasl)"; flow:to_server,established; content:"pass nessus@"; depth:12; nocase; reference:url,www.nessus.org/plugins/index.php?view=single&id=10079; reference:url,osvdb.org/show/osvdb/69; classtype:attempted-recon; sid:2013263; rev:3; metadata:created_at 2011_07_13, updated_at 2011_07_13;)
alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nessus FTP Scan detected (ftp_writeable_directories.nasl)"; flow:to_server,established; content:"MKD"; nocase; depth:3; content:"Nessus"; nocase; reference:url,www.nessus.org/plugins/index.php?view=single&id=19782; reference:url,osvdb.org/show/osvdb/76; classtype:attempted-recon; sid:2013264; rev:2; metadata:created_at 2011_07_13, updated_at 2011_07_13;)
# --- Finger probes (GPL, disabled), web scanner/DoS signatures, loopback and spoofed-IP checks ---
# The finger (79/tcp) rules match single characters or short tokens ("version", ".", "/", "0", "@",
# "root", "search", a NUL, "a b c d e f") anywhere in the request. They ship disabled; the patterns
# are weak and only worth enabling where a finger daemon is actually exposed.
#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Version Query"; flow:to_server,established; content:"version"; classtype:attempted-recon; sid:2101541; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# muieblackcat (disabled): a double-slash "GET //" request with a fixed header block and "Connection: Close".
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Potential muieblackcat scanner double-URI and HTTP library"; flow:established,to_server; content:"GET //"; depth:6; fast_pattern; content:"HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Accept-Language|3a| en-us|0d 0a|Accept-Encoding|3a| gzip, deflate|0d 0a|Host|3a| "; http_header; content:"|0d 0a|Connection|3a| Close|0d 0a 0d 0a|"; http_header; distance:0; metadata: former_category SCAN; classtype:attempted-recon; sid:2013116; rev:5; metadata:created_at 2011_06_24, updated_at 2011_06_24;)
# Kingcope's killapache.pl, the Apache byterange DoS (CVE-2011-3192): the tool's exact overlapping
# "Range: bytes=0-,5-0,5-1,..." header. A request with the ranges reordered or renumbered would not
# match, so this catches the published script rather than the technique.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Kingcope KillApache.pl Apache mod_deflate DoS attempt"; flow:established,to_server; content:"Range|3a|bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14"; http_header; reference:url,seclists.org/fulldisclosure/2011/Aug/175; classtype:attempted-dos; sid:2013472; rev:4; metadata:created_at 2011_08_26, updated_at 2020_04_20;)
# Loopback-addressed traffic on the wire and packets with identical source/destination IP (the
# "Land" attack, CVE-1999-0016). Both disabled; these are normally enforced with ingress/egress
# filtering at the border rather than alerted on by the IDS.
#alert ip any any <> 127.0.0.0/8 any (msg:"GPL SCAN loopback traffic"; reference:url,rr.sans.org/firewall/egress.php; classtype:bad-unknown; sid:2100528; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip any any -> any any (msg:"GPL SCAN same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:2100527; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# Nmap NSE sql-injection script: its " OR sqlspider" marker in the normalized URI of a GET.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN NMAP SQL Spider Scan"; flow:established,to_server; content:"GET"; http_method; content:" OR sqlspider"; http_uri; reference:url,nmap.org/nsedoc/scripts/sql-injection.html; classtype:web-application-attack; sid:2013778; rev:2; metadata:created_at 2011_10_19, updated_at 2020_04_20;)
# Paros proxy: "Paros/" anchored to the User-Agent header by the pcre.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Paros Proxy Scanner Detected"; flow:to_server,established; content:"Paros/"; http_header; fast_pattern; pcre:"/^User-Agent\x3a[^\n]+Paros\//H"; reference:url,www.parosproxy.org; reference:url,doc.emergingthreats.net/2008187; classtype:attempted-recon; sid:2008187; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_20;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger . query"; flow:to_server,established; content:"."; reference:arachnids,130; reference:cve,1999-0198; reference:nessus,10072; classtype:attempted-recon; sid:2100333; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger / execution attempt"; flow:to_server,established; content:"/"; pcre:"/^\x2f/smi"; reference:cve,1999-0612; reference:cve,2000-0915; classtype:attempted-recon; sid:2103151; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger 0 Query"; flow:to_server,established; content:"0"; reference:arachnids,131; reference:arachnids,378; reference:cve,1999-0197; reference:nessus,10069; classtype:attempted-recon; sid:2100332; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Account Enumeration Attempt"; flow:to_server,established; content:"a b c d e f"; nocase; reference:nessus,10788; classtype:attempted-recon; sid:2100321; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN cybercop query"; flow:to_server,established; content:"|0A| "; depth:10; reference:arachnids,132; reference:cve,1999-0612; classtype:attempted-recon; sid:2100331; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN cybercop redirection"; dsize:11; flow:to_server,established; content:"@localhost|0A|"; reference:arachnids,11; classtype:attempted-recon; sid:2100329; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Null Request"; flow:to_server,established; content:"|00|"; reference:arachnids,377; classtype:attempted-recon; sid:2100324; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Probe 0 Attempt"; flow:to_server,established; content:"0"; reference:arachnids,378; classtype:attempted-recon; sid:2100325; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Redirection Attempt"; flow:to_server,established; content:"@"; reference:arachnids,251; reference:cve,1999-0105; reference:nessus,10073; classtype:attempted-recon; sid:2100330; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Root Query"; flow:to_server,established; content:"root"; reference:arachnids,376; classtype:attempted-recon; sid:2100323; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Search Query"; flow:to_server,established; content:"search"; reference:arachnids,375; reference:cve,1999-0259; classtype:attempted-recon; sid:2100322; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# "adm" FTP scanner: fixed "PASS ddd@" followed by a newline.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL SCAN adm scan"; flow:to_server,established; content:"PASS ddd@|0A|"; reference:arachnids,332; classtype:suspicious-login; sid:2100353; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# SQLiX: "myVAR=1234" and a "Windows 98" User-Agent fragment located relative to each other in the headers.
# NOTE(review): the first condition is content:"GET"; http_header; — in Suricata the http_header
# buffer holds the header fields without the request line, so this likely never matches the method
# and only hits if "GET" appears inside some header value. http_method is the usual buffer for the
# method; verify the rule actually fires against a captured SQLiX request before relying on it.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLix SQL Injection Vector Scan"; flow:established,to_server; content:"GET"; http_header; content:"myVAR=1234"; http_header; content:"Windows 98"; http_header; distance:36; within:120; reference:url,www.owasp.org/index.php/Category%3aOWASP_SQLiX_Project; reference:url,doc.emergingthreats.net/2008654; classtype:attempted-recon; sid:2008654; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2020_04_20;)
#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Gootkit Scanner User-Agent Inbound"; flow:established,to_server; content:"Gootkit auto-rooter scanner"; http_header; metadata: former_category SCAN; classtype:web-application-attack; sid:2014022; rev:2; metadata:created_at 2011_12_12, updated_at 2020_04_20;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Tomcat Auth Brute Force attempt (manager)"; flow:to_server,established; content:"Authorization|3a| Basic bWFuYWdlcjp"; fast_pattern:15,17; http_header; threshold: type threshold, track by_src, count 5, seconds 30; reference:url,doc.emergingthreats.net/2008455; classtype:web-application-attack; sid:2008455; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Tomcat Auth Brute Force attempt (tomcat)"; flow:to_server,established; content:"Authorization|3a| Basic dG9tY2F0"; fast_pattern:15,14; http_header; threshold: type threshold, track by_src, count 5, seconds 30; reference:url,doc.emergingthreats.net/2008454; classtype:web-application-attack; sid:2008454; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Tomcat Auth Brute Force attempt (admin)"; flow:to_server,established; content:"Authorization|3a| Basic YWRtaW46"; fast_pattern:15,14; http_header; threshold: type threshold, track by_src, count 5, seconds 30; reference:url,doc.emergingthreats.net/2008453; classtype:web-application-attack; sid:2008453; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL SCAN nessus 2.x 404 probe"; flow:to_server,established; content:"/NessusTest"; http_uri; nocase; reference:nessus,10386; classtype:attempted-recon; sid:2102585; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET 4569 (msg:"ET SCAN Enumiax Inter-Asterisk Exchange Protocol Username Scan"; content:"|00 00|"; content:"|06 0D 06 01 30 13 02 07 08|"; distance:40; within:10; reference:url,sourceforge.net/projects/enumiax/; reference:url,doc.emergingthreats.net/2008606; classtype:attempted-recon; sid:2008606; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Port Unreachable Response to Xprobe2 OS Fingerprint Scan"; itype:3; dsize:>69; content:"securityfocus"; content:"securityfocus"; distance:50; within:15; reference:url,xprobe.sourceforge.net/; reference:url,doc.emergingthreats.net/2009298; classtype:attempted-recon; sid:2009298; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible jBroFuzz Fuzzer Detected"; flow:to_server,established; content:"Host|3a| localhost"; fast_pattern; http_header; content:"User-Agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| en-GB|3b| rv|3b|1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"; http_header; threshold: type threshold, track by_src, count 3, seconds 6; reference:url,www.owasp.org/index.php/Category%3aOWASP_JBroFuzz; reference:url,doc.emergingthreats.net/2009476; classtype:attempted-recon; sid:2009476; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Vega Web Application Scan"; flow:established,to_server; content:"Vega/"; http_header; pcre:"/User-Agent\x3A[^\r\n]+Vega\x2F/H"; threshold: type limit, track by_src, count 5, seconds 40; reference:url,www.subgraph.com/products.html; reference:url,www.darknet.org.uk/2011/07/vega-open-source-cross-platform-web-application-security-assessment-platform/; classtype:attempted-recon; sid:2013249; rev:3; metadata:created_at 2011_07_11, updated_at 2011_07_11;)
#alert tcp [184.154.42.194,50.116.22.209,69.64.43.135,69.64.43.137,69.64.43.142,216.17.107.104,216.17.102.194,216.17.106.90,216.17.107.174,64.6.100.124,46.17.98.214] any -> $HOME_NET any (msg:"ET SCAN critical.io Scan"; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,critical.io/; classtype:network-scan; sid:2014893; rev:5; metadata:created_at 2012_06_14, updated_at 2012_06_14;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN HTExploit Method"; flow:established,to_server; dsize:>6; content:"POTATO "; depth:7; reference:url,www.mkit.com.ar/labs/htexploit/download.php; classtype:trojan-activity; sid:2015552; rev:2; metadata:created_at 2012_07_31, updated_at 2012_07_31;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN NULL"; flow:stateless; ack:0; flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:2100623; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN XMAS"; flow:stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:2100625; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,149; classtype:attempted-recon; sid:2100626; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,150; classtype:attempted-recon; sid:2100627; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap TCP"; ack:0; flags:A,12; flow:stateless; reference:arachnids,28; classtype:attempted-recon; sid:2100628; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:2101228; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap fingerprint attempt"; flags:SFPU; flow:stateless; reference:arachnids,05; classtype:attempted-recon; sid:2100629; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL SCAN sensepost.exe command shell attempt"; flow:to_server,established; content:"/sensepost.exe"; http_uri; nocase; reference:nessus,11003; classtype:web-application-activity; sid:2100989; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"GPL SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:2100613; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN SYN FIN"; flow:stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:2100624; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN rusers query UDP"; content:"|00 01 86 A2|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:cve,1999-0626; classtype:attempted-recon; sid:2100612; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SCAN ssh-research-scanner"; flow:to_server,established; content:"|00 00 00|`|00 00 00 00 00 00 00 00 01 00 00 00|"; classtype:attempted-recon; sid:2100617; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN NetGear router default password login attempt admin/password"; flow:to_server,established; content:"Authorization|3A|"; http_header; nocase; content:"YWRtaW46cGFzc3dvcmQ"; distance:0; http_header; pcre:"/^Authorization\x3a\s*Basic\s+YWRtaW46cGFzc3dvcmQ/Hi"; reference:nessus,11737; classtype:default-login-attempt; sid:2102230; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:2101133; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:2101139; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL SCAN cybercop scan"; flow:to_server,established; content:"/cybercop"; http_uri; nocase; reference:arachnids,374; classtype:web-application-activity; sid:2101099; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"GPL SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; reference:arachnids,146; classtype:attempted-recon; sid:2100619; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ZmEu Scanner User-Agent Inbound"; flow:established,to_server; content:"ZmEu"; http_user_agent; depth:4; classtype:trojan-activity; sid:2012936; rev:3; metadata:created_at 2011_06_06, updated_at 2011_06_06;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomcat admin-blank login credentials"; flow:to_server,established; content:"/manager/html"; nocase; http_uri; content:"|0d 0a|Authorization|3a| Basic YWRtaW46|0d 0a|"; http_header; flowbits:set,ET.Tomcat.login.attempt; reference:url,tomcat.apache.org; reference:url,doc.emergingthreats.net/2009218; classtype:attempted-admin; sid:2009218; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Absinthe SQL Injection Tool HTTP Header Detected"; flow:established,to_server; content:"Absinthe"; nocase; http_user_agent; depth:8; reference:url,0x90.org/releases/absinthe; reference:url,doc.emergingthreats.net/2009555; classtype:attempted-recon; sid:2009555; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nessus User Agent"; flow: established,to_server; content:"Nessus"; nocase; depth:40; http_user_agent; threshold: type limit, track by_src,count 1, seconds 60; reference:url,www.nessus.org; reference:url,doc.emergingthreats.net/2002664; classtype:attempted-recon; sid:2002664; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"; flow:to_server,established; content:"Mozilla/5.0 (compatible|3b| Nmap Scripting Engine"; nocase; http_user_agent; depth:46; reference:url,doc.emergingthreats.net/2009358; classtype:web-application-attack; sid:2009358; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Brutus Scan Outbound"; flow:established,to_server; content:"Brutus/AET"; http_user_agent; classtype:attempted-recon; sid:2015702; rev:3; metadata:created_at 2012_09_17, updated_at 2012_09_17;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ZmEu exploit scanner"; flow:established,to_server; content:"Made by ZmEu"; http_user_agent; depth:12; threshold: type limit, track by_src, seconds 180, count 1; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2010715; classtype:web-application-attack; sid:2010715; rev:9; metadata:created_at 2010_07_30, updated_at 2018_02_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Suspicious User-Agent inbound (bot)"; flow:to_server,established; content:"bot/"; nocase; http_user_agent; depth:4; threshold: type limit, count 3, seconds 300, track by_src; metadata: former_category HUNTING; reference:url,doc.emergingthreats.net/bin/view/Main/2008228; classtype:trojan-activity; sid:2008228; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious User-Agent Detected (friendly-scanner)"; content:"|0d 0a|User-Agent|3A| friendly-scanner"; threshold: type limit, track by_src, count 5, seconds 120; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011716; classtype:attempted-recon; sid:2011716; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN FHScan core User-Agent Detect"; flow:to_server,established; content:"FHScan Core 1."; http_user_agent; reference:url,www.tarasco.org/security/FHScan_Fast_HTTP_Vulnerability_Scanner/index.html; classtype:attempted-recon; sid:2014541; rev:5; metadata:created_at 2012_04_12, updated_at 2012_04_12;)
#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible SQLMAP Scan"; flow:established,to_server; content:" AND "; http_uri; content:"AND ("; http_uri; pcre:"/\x20AND\x20[0-9]{6}\x3D[0-9]{4}/U"; detection_filter:track by_dst, count 4, seconds 20; reference:url,sqlmap.sourceforge.net; reference:url,www.darknet.org.uk/2011/04/sqlmap-0-9-released-automatic-blind-sql-injection-tool/; classtype:attempted-recon; sid:2012755; rev:4; metadata:created_at 2011_04_29, updated_at 2011_04_29;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL MySQL Remote FAST Account Password Cracking"; flow:to_server,established; content:"|11|"; offset:3; depth:4; threshold:type both,track by_src,count 100,seconds 1; reference:url,www.securityfocus.com/archive/1/524927/30/0/threaded; classtype:protocol-command-decode; sid:2015986; rev:5; metadata:created_at 2012_12_04, updated_at 2012_12_04;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN GET with HTML tag in start of URI seen with PHPMyAdmin scanning"; flow:established,to_server; content:"<title>"; http_uri; depth:7; content:"GET"; http_method; classtype:web-application-attack; sid:2016222; rev:2; metadata:created_at 2013_01_16, updated_at 2013_01_16;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Cisco Torch IOS HTTP Scan"; flow:to_server,established; content:"Cisco-torch"; http_user_agent; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008415; classtype:attempted-recon; sid:2008415; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Core-Project Scanning Bot UA Detected"; flow:established,to_server; content:"core-project/1.0"; http_user_agent; classtype:web-application-activity; sid:2008529; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:arachnids,449; classtype:attempted-recon; sid:2100467; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Apache mod_deflate DoS via many multiple byte Range values"; flow:established,to_server; content:"Range|3a|"; nocase; content:"bytes="; nocase; distance:0; isdataat:10,relative; content:","; within:11; isdataat:10,relative; content:","; within:11; isdataat:10,relative; content:","; within:11; isdataat:70,relative; content:!"|0d 0a|"; within:12; pcre:"/Range\x3a\s?bytes=[-0-9,\x20]{100}/iH"; reference:url,seclists.org/fulldisclosure/2011/Aug/175; classtype:attempted-dos; sid:2013473; rev:5; metadata:created_at 2011_08_26, updated_at 2011_08_26;)
#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Arachni Web Scan"; flow:established,to_server; content:"/Arachni-"; http_uri; threshold: type limit, track by_src, seconds 60, count 1; reference:url,www.arachni-scanner.com/; classtype:attempted-recon; sid:2017142; rev:2; metadata:created_at 2013_07_12, updated_at 2013_07_12;)
#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP GET invalid method case"; flow:established,to_server; content:"get "; depth:4; nocase; content:!"GET "; depth:4; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011031; classtype:bad-unknown; sid:2011031; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP POST invalid method case"; flow:established,to_server; content:"post "; depth:5; nocase; content:!"POST "; depth:5; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011032; classtype:bad-unknown; sid:2011032; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP HEAD invalid method case"; flow:established,to_server; content:"head "; depth:5; nocase; content:!"HEAD "; depth:5; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011033; classtype:bad-unknown; sid:2011033; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> any any (msg:"ET SCAN NETWORK Outgoing Masscan detected"; flow:established,to_server; content:"masscan/"; depth:8; http_user_agent; reference:url,blog.erratasec.com/2013/10/that-dlink-bug-masscan.html; reference:url,blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html; classtype:network-scan; sid:2017615; rev:4; metadata:created_at 2013_10_18, updated_at 2013_10_18;)
alert http any any -> $HOME_NET any (msg:"ET SCAN NETWORK Incoming Masscan detected"; flow:established,to_server; content:"masscan/"; depth:8; http_user_agent; reference:url,blog.erratasec.com/2013/10/that-dlink-bug-masscan.html; reference:url,blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html; classtype:network-scan; sid:2017616; rev:4; metadata:created_at 2013_10_18, updated_at 2013_10_18;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Httprint Web Server Fingerprint Scan"; flow:established,to_server; content:"GET"; http_method; content:"/antidisestablishmentarianism"; http_uri; reference:url,www.net-square.com/httprint/; reference:url,www.net-square.com/httprint/httprint_paper.html; reference:url,doc.emergingthreats.net/2008416; classtype:attempted-recon; sid:2008416; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nikto Web App Scan in Progress"; flow:to_server,established; content:"(Nikto"; http_user_agent; threshold: type both, count 5, seconds 60, track by_src; reference:url,www.cirt.net/code/nikto.shtml; reference:url,doc.emergingthreats.net/2002677; classtype:web-application-attack; sid:2002677; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 1024"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009582; classtype:attempted-recon; sid:2009582; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 3072"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:3072; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009583; classtype:attempted-recon; sid:2009583; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 4096"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:4096; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009584; classtype:attempted-recon; sid:2009584; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN NMAP SIP Version Detect OPTIONS Scan"; flow:established,to_server; content:"OPTIONS sip|3A|nm SIP/"; depth:19; classtype:attempted-recon; sid:2018317; rev:1; metadata:created_at 2014_03_25, updated_at 2014_03_25;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5060:5061 (msg:"ET SCAN NMAP SIP Version Detection Script Activity"; content:"Via|3A| SIP/2.0/TCP nm"; content:"From|3A| <sip|3A|nm@nm"; within:150; fast_pattern; classtype:attempted-recon; sid:2018318; rev:1; metadata:created_at 2014_03_25, updated_at 2014_03_25;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN IBM NSA User Agent"; flow:established,to_server; content:"Network-Services-Auditor"; http_user_agent; threshold: type limit, track by_src,count 1, seconds 60; reference:url,ftp.inf.utfsm.cl/pub/Docs/IBM/Tivoli/pdfs/sg246021.pdf; reference:url,doc.emergingthreats.net/2003171; classtype:attempted-recon; sid:2003171; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -f -sV"; fragbits:!M; dsize:0; flags:S,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000545; classtype:attempted-recon; sid:2000545; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Chroot-apache0day Unknown Web Scanner User Agent"; flow:established,to_server; content:"chroot-apach0day"; nocase; http_user_agent; depth:16; reference:url,isc.sans.edu/forums/diary/Interesting+HTTP+User+Agent+chroot-apach0day+/18453; classtype:attempted-recon; sid:2018800; rev:4; metadata:created_at 2014_07_29, updated_at 2014_07_29;)
#alert tcp 188.95.234.6 any -> $HOME_NET [22,443] (msg:"ET SCAN Non-Malicious SSH/SSL Scanner on the run"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,pki.net.in.tum.de/node/21; reference:url,isc.sans.edu/diary/SSH%2bscans%2bfrom%2b188.95.234.6/15532; classtype:network-scan; sid:2016763; rev:7; metadata:created_at 2013_04_17, updated_at 2013_04_17;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN SQLNinja MSSQL Version Scan"; flow:to_server,established; content:"?param=a"; content:"if%20not%28substring%28%28select%20%40%40version"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009038; classtype:attempted-recon; sid:2009038; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap NSE)"; flow:to_server,established; content:"Nmap NSE"; http_user_agent; reference:url,doc.emergingthreats.net/2009359; classtype:web-application-attack; sid:2009359; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Pavuk User Agent Detected - Website Mirroring Tool for Off-line Analysis"; flow:established,to_server; content:"pavuk"; http_user_agent; nocase; reference:url,pavuk.sourceforge.net/about.html; reference:url,doc.emergingthreats.net/2009827; classtype:attempted-recon; sid:2009827; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Default Mysqloit User Agent Detected - Mysql Injection Takover Tool"; flow:established,to_server; content:"Mysqloit"; http_user_agent; reference:url,code.google.com/p/mysqloit/; classtype:attempted-recon; sid:2009882; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible Mysqloit Operating System Fingerprint/SQL Injection Test Scan Detected"; flow:established,to_server; content:"+UNION+select+'BENCHMARK(10000000,SHA1(1))"; http_uri; reference:url,code.google.com/p/mysqloit/; reference:url,doc.emergingthreats.net/2009883; classtype:attempted-recon; sid:2009883; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN SQL Injection Attempt (Agent uil2pn)"; flow:to_server,established; content:"uil2pn"; http_user_agent; reference:url,www.prevx.com/filenames/89385984947861762-X1/UIL2PN.EXE.html; reference:url,doc.emergingthreats.net/2010215; classtype:web-application-attack; sid:2010215; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN pangolin SQL injection tool"; flow:established,to_server; content:"pangolin"; http_user_agent; reference:url,www.lifedork.net/pangolin-best-sql-injection-tool.html; classtype:web-application-activity; sid:2010343; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Springenwerk XSS Scanner User-Agent Detected"; flow:to_server,established; content:"Springenwerk"; http_user_agent; threshold: type limit, count 1, seconds 60, track by_src; reference:url,springenwerk.org/; reference:url,doc.emergingthreats.net/2010508; classtype:attempted-recon; sid:2010508; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Skipfish Web Application Scan Detected (2)"; flow:established,to_server; content:"GET"; http_method; content:".old"; http_uri; content:"Mozilla/5.0 SF/"; http_user_agent; content:"Range|3A| bytes=0-199999"; http_header; reference:url,isc.sans.org/diary.html?storyid=8467; reference:url,code.google.com/p/skipfish/; reference:url,doc.emergingthreats.net/2010956; classtype:attempted-recon; sid:2010956; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN crimscanner User-Agent detected"; flow:established,to_server; content:"GET"; http_method; content:"crimscanner/"; nocase; http_user_agent; reference:url,doc.emergingthreats.net/2010954; classtype:network-scan; sid:2010954; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# DavTest's opening request: a PROPFIND (raw payload, depth:9 => must start the segment) whose body is the
# tool's fixed "allprop" XML document. Raw tcp content, so no HTTP normalisation is applied here.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible DavTest WebDav Vulnerability Scanner Initial Check Detected"; flow:established,to_server; content:"PROPFIND "; depth:9; content:"D|3A|propfind xmlns|3A|D=|22|DAV|3A 22|><D|3A|allprop/></D|3A|propfind>"; distance:0; reference:url,www.darknet.org.uk/2010/04/davtest-webdav-vulerability-scanning-scanner-tool/; reference:url,code.google.com/p/davtest/; reference:url,doc.emergingthreats.net/2011088; classtype:attempted-recon; sid:2011088; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# Direction is $HTTP_SERVERS -> $EXTERNAL_NET: one of our web servers is itself fetching w3af's RFI test page,
# which suggests an injected include was actually executed server-side rather than merely attempted.
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET SCAN w3af Scan Remote File Include Retrieval"; flow:established,to_server; content:"/w3af/remoteFileInclude.html"; http_uri; nocase; content:"Host|3A| w3af.sourceforge.net"; http_header; nocase; reference:url,w3af.sourceforge.net; classtype:web-application-activity; sid:2011389; rev:5; metadata:affected_product Any, attack_target Server, deployment Datacenter, tag Remote_File_Include, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)
# wafw00f (waffit) WAF fingerprint probe: a GET for the deliberately malformed path "/<invalid>hello.html".
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible WafWoof Web Application Firewall Detection Scan"; flow:established,to_server; content:"GET"; http_method; content:"/<invalid>hello.html"; http_uri; reference:url,code.google.com/p/waffit/; reference:url,doc.emergingthreats.net/2011720; classtype:attempted-recon; sid:2011720; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# "(internal dummy connection)" is presumably the User-Agent Apache httpd uses for its own loopback wake-up
# requests; seeing it arrive from $EXTERNAL_NET means it was spoofed. No threshold, so a noisy source alerts per request.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Internal Dummy Connection User-Agent Inbound"; flow:established,to_server; content:"(internal dummy connection)"; http_user_agent; classtype:trojan-activity; sid:2012937; rev:3; metadata:created_at 2011_06_06, updated_at 2011_06_06;)
# Same pattern as the w3af rule above: an internal host fetching Nikto's RFI marker file from cirt.net
# (Host header anchored with a trailing CRLF) indicates an include was followed, not just sent.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Nikto Scan Remote File Include Retrieval"; flow:established,to_server; content:"/rfiinc.txt"; http_uri; content:"Host|3A| cirt.net|0d 0a|"; http_header; nocase; reference:url,cirt.net/nikto2; classtype:web-application-activity; sid:2011390; rev:4; metadata:affected_product Any, attack_target Server, deployment Datacenter, tag Remote_File_Include, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)
# Disabled by default: flags:SF / flags:SR match exactly those two bits, on any/any with no threshold,
# so enabling them on a busy link will be noisy. Left commented as shipped.
#alert tcp any any -> any any (msg:"ET SCAN Malformed Packet SYN FIN"; flags:SF; classtype:bad-unknown; sid:2011367; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
#alert tcp any any -> any any (msg:"ET SCAN Malformed Packet SYN RST"; flags:SR; classtype:bad-unknown; sid:2011368; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
# Slowloris-style POST: a fixed "Content-length: 5235" header together with the absence of any User-Agent
# header. Rate-limited to one alert per source per 300 s; a client that sets a User-Agent will not match.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Simple Slowloris Flooder"; flow:established,to_server; content:"POST"; http_method; content:"Content-length|3A| 5235|0D 0A|"; http_header; content:!"User-Agent|3a|"; http_header; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.imperva.com/docs/HII_Denial_of_Service_Attacks-Trends_Techniques_and_Technologies.pdf; classtype:web-application-attack; sid:2016033; rev:4; metadata:created_at 2012_12_13, updated_at 2012_12_13;)
# Acunetix advertises itself in the Accept header ("Accept: acunetix"); limited to one alert per source per minute.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Acunetix Accept HTTP Header detected scan in progress"; flow:established,to_server; content:"Accept|3a 20|acunetix"; http_header; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.acunetix.com/; classtype:attempted-recon; sid:2019963; rev:2; metadata:created_at 2014_12_17, updated_at 2014_12_17;)
# H.323 (tcp/1720) scanner fingerprint: the 12-byte pattern 40 04 followed by "cisco" encoded as UTF-16BE
# (00 63 00 69 00 73 00 63 00 6f). offset:55 with depth:12 equal to the content length pins it to exactly offset 55.
alert tcp any any -> $HOME_NET 1720 (msg:"ET SCAN H.323 Scanning device"; flow:established,to_server; content:"|40 04 00 63 00 69 00 73 00 63 00 6f|"; fast_pattern; offset:55; depth:12; threshold: type limit, track by_src, count 1, seconds 60; reference:url,videonationsltd.co.uk/2014/11/h-323-cisco-spam-calls/; classtype:network-scan; sid:2020853; rev:2; metadata:created_at 2015_04_07, updated_at 2015_04_07;)
# ICMP echo request (itype 8 / icode 0) whose payload carries the "=XXXXXXXX" filler some scanners use.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP =XXXXXXXX Likely Precursor to Scan"; itype:8; icode:0; content:"=XXXXXXXX"; reference:url,doc.emergingthreats.net/2010686; classtype:network-scan; sid:2010686; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# libssh-based clients: "libssh" must appear within 20 bytes of the "SSH-" banner prefix. Raw content on the
# ssh app-layer; 5 connections from one source in 30 s (type both => one alert per window once reached).
alert ssh $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; threshold: type both, count 5, seconds 30, track by_src; reference:url,doc.emergingthreats.net/2006546; classtype:attempted-admin; sid:2006546; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# FTP server replies beginning "530 " followed by Login/User/Failed/Not. Note track by_dst: on a from_server
# rule the destination is the client, so the count is per attacking host (compare the MySQL rule further down).
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt response"; flow:from_server,established; dsize:<100; content:"530 "; depth:4; pcre:"/530\s+(Login|User|Failed|Not)/smi"; threshold: type threshold, track by_dst, count 5, seconds 300; reference:url,doc.emergingthreats.net/2002383; classtype:unsuccessful-user; sid:2002383; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# Nmap ssl-heartbleed probe: TLS record type 0x18 (heartbeat), major version 3 with minor < 4, heartbeat
# type 0x01 (request) at offset 5, record length > 2, declared payload length > 200, and Nmap's own padding
# string. fast_pattern:2,19 selects the "Nmap ssl-heartbleed" part of the last content for the MPM.
alert tcp any any -> $HOME_NET any (msg:"ET SCAN Nmap NSE Heartbleed Request"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_test:2,>,2,3; byte_test:2,>,200,6; content:"|40 00|Nmap ssl-heartbleed"; fast_pattern:2,19; classtype:attempted-recon; sid:2021023; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)
# Server side of the same probe: a heartbeat record longer than 200 bytes that echoes Nmap's padding string,
# i.e. the server leaked memory back. Worth a higher classtype than attempted-recon in practice.
alert tcp $HOME_NET any -> any any (msg:"ET SCAN Nmap NSE Heartbleed Response"; flow:established,from_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,200,3; content:"|40 00|Nmap ssl-heartbleed"; fast_pattern:2,19; classtype:attempted-recon; sid:2021024; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)
# Disabled: a lowercase "options" method (case-insensitive match that is not the exact uppercase OPTIONS).
#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP OPTIONS invalid method case"; flow:established,to_server; content:"options"; http_method; nocase; content:!"OPTIONS"; http_method; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011034; classtype:bad-unknown; sid:2011034; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# SYN-rate heuristics. "flags:S,12" matches a bare SYN while ignoring the two reserved/ECN bits, so
# ECN-negotiating SYNs (CWR/ECE set) still count. "type both" alerts once per window after the count
# is reached; these fire on connection attempts only, before any handshake completes.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; sid:2001219; rev:20; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5820 (msg:"ET SCAN Potential VNC Scan 5800-5820"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2002910; classtype:attempted-recon; sid:2002910; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5900:5920 (msg:"ET SCAN Potential VNC Scan 5900-5920"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2002911; classtype:attempted-recon; sid:2002911; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# Mail-protocol variants use a higher count (30) since legitimate clients reconnect often.
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET SCAN Rapid POP3 Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 120; reference:url,doc.emergingthreats.net/2002992; classtype:misc-activity; sid:2002992; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"ET SCAN Rapid POP3S Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 120; reference:url,doc.emergingthreats.net/2002993; classtype:misc-activity; sid:2002993; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET SCAN Rapid IMAP Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/2002994; classtype:misc-activity; sid:2002994; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/2002995; classtype:misc-activity; sid:2002995; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# Outbound counterpart of the SSH rule. Uses "type threshold" (alerts on every 5th SYN) rather than
# "type both", so an internal host scanning port 22 keeps alerting throughout the window.
alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"ET SCAN Potential SSH Scan OUTBOUND"; flow:to_server; flags:S,12; threshold: type threshold, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2003068; classtype:attempted-recon; sid:2003068; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# Arachni: the pcre (H = header buffer) requires the User-Agent to END with a one-digit-per-component
# version "Arachni/vX.Y.Z". A two-digit component (e.g. 1.5.10) or trailing text would not match.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Arachni Scanner Web Scan"; flow:established,to_server; content:"Arachni/"; http_header; pcre:"/User-Agent\x3a[^\r\n]+Arachni\/v?\d\.\d\.\d$/iH"; threshold: type limit, track by_src, count 1, seconds 300; reference:url,arachni-scanner.com; reference:url,github.com/Zapotek/arachni; classtype:attempted-recon; sid:2014869; rev:5; metadata:created_at 2012_06_07, updated_at 2012_06_07;)
# JBoss invoker servlet probe: POST to a URI starting "/invoker/" (depth:9 on http_uri) containing "servlet/",
# with a Java-serialized Content-Type and a MarshalledValue object in the body — the classic deserialization entry point.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible Scanning for Vulnerable JBoss"; flow:established,to_server; content:"POST"; http_method; content:"/invoker/"; http_uri; depth:9; content:"servlet/"; http_uri; content:"Content-Type|3a 20|application/x-java-serialized-object|3b 0d 0a|"; http_header; content:"org.jboss.invocation.MarshalledValue"; http_client_body; reference:url,blog.imperva.com/2015/12/zero-day-attack-strikes-again-java-zero-day-vulnerability-cve-2015-4852-tracked-by-imperva.html; classtype:web-application-attack; sid:2022240; rev:2; metadata:created_at 2015_12_08, updated_at 2015_12_08;)
# WordPress XML-RPC brute-force (response side). Depends on flowbit ET.XMLRPC.PHP being set by a request
# rule that is not in this section. NOTE(review): on a from_server rule track by_src keys on the web server,
# so failures from many distinct clients are pooled; by_dst would count per attacker.
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET SCAN Possible WordPress xmlrpc.php BruteForce in Progress - Response"; flow:established,from_server; flowbits:isset,ET.XMLRPC.PHP; file_data; content:"<name>faultCode</name>"; content:"<int>403</int>"; content:"<string>Incorrect username or password.</string>"; threshold:type both, track by_src, count 5, seconds 120; reference:url,isc.sans.edu/diary/+WordPress+brute+force+attack+via+wp.getUsersBlogs/18427; classtype:attempted-admin; sid:2018755; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2014_07_23, updated_at 2016_07_01;)
# MySQL command packet: byte 3 = sequence id 0, byte 4 = 0x03 (COM_QUERY), then "select unhex(...) into
# dumpfile '" — writing attacker-supplied bytes to disk (typically a UDF library). Not flow:established.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN MySQL Malicious Scanning 3"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"select unhex("; fast_pattern; distance:0; content:"into dumpfile|20 27|"; distance:0; metadata: former_category CURRENT_EVENTS; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022581; rev:1; metadata:created_at 2016_03_01, updated_at 2016_03_01;)
# Disabled. NOTE(review): it combines flow:established with flags:S; a bare SYN precedes establishment,
# so this is unlikely to ever match as written. Drop the flow keyword if it is ever re-enabled.
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"ET SCAN Possible SSL Brute Force attack or Site Crawl"; flow: established,to_server; flags: S; threshold: type threshold, track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2001553; classtype:attempted-dos; sid:2001553; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# Disabled telnet / port-3127 SYN-rate rules, same shape as the enabled ones above.
#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET SCAN Behavioral Unusually fast inbound Telnet Connections, Potential Scan or Brute Force"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,www.rapid7.com/nexpose-faq-answer2.htm; reference:url,doc.emergingthreats.net/2001904; classtype:misc-activity; sid:2001904; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 3127 (msg:"ET SCAN Behavioral Unusual Port 3127 traffic, Potential Scan or Backdoor"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 10 , seconds 60; reference:url,doc.emergingthreats.net/2002973; classtype:misc-activity; sid:2002973; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"ET SCAN Behavioral Unusually fast outbound Telnet Connections, Potential Scan or Brute Force"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,www.rapid7.com/nexpose-faq-answer2.htm; reference:url,doc.emergingthreats.net/2008230; classtype:misc-activity; sid:2008230; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# Unauthenticated Redis abuse: RESP array ("*") carrying CONFIG SET dir <...>/.ssh, the first step of writing
# an authorized_keys file via SAVE. isdataat:!5,relative => fewer than 5 bytes follow "/.ssh", i.e. the path ends there.
alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET SCAN Redis SSH Key Overwrite Probing"; flow:to_server,established; content:"*"; depth:1; content:"config"; content:"set"; distance:0; content:"dir"; distance:0; content:"/.ssh"; distance:0; isdataat:!5,relative; reference:url,antirez.com/news/96; classtype:misc-attack; sid:2023510; rev:2; metadata:attack_target Client_Endpoint, deployment Datacenter, tag SCAN_Redis_SSH, signature_severity Minor, created_at 2016_07_07, performance_impact Low, updated_at 2016_11_15;)
# RDP connection request on any $HOME_NET port other than 3389: TPKT header 03 00 00, X.224 Connection
# Request (0xe0) at offset 5, and the "Cookie: mstshash=" username cookie. Catches RDP hidden on odd ports.
alert tcp $EXTERNAL_NET any -> $HOME_NET !3389 (msg:"ET SCAN MS Terminal Server Traffic on Non-standard Port"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash="; fast_pattern; classtype:attempted-recon; sid:2023753; rev:2; metadata:affected_product Microsoft_Terminal_Server_RDP, attack_target Server, deployment Perimeter, signature_severity Major, created_at 2017_01_23, performance_impact Low, updated_at 2017_02_23;)
# ICMP echo request with the fixed payload string emitted by a published Delphi ping snippet.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP Delphi Likely Precursor to Scan"; itype:8; icode:0; content:"Pinging from Delphi code written"; metadata: former_category SCAN; reference:url,www.koders.com/delphi/fid942A4EAF946B244BD3CD9BC83FEAAC35BA1F38AB.aspx; reference:url,doc.emergingthreats.net/2010681; classtype:misc-activity; sid:2010681; rev:3; metadata:created_at 2010_07_30, updated_at 2017_05_11;)
# MySQL ERR packet from the server: 0xff marker at offset 4, error code 0x0415 little-endian = 1045
# (access denied), then '#' and SQLSTATE "28000". dsize/byte_test bound the packet length.
# NOTE(review): track by_src keys on the server here, so 5 failures from ANY mix of clients in 120 s
# alert; the FTP rule above uses by_dst to count per client. Consider aligning them.
alert tcp $HOME_NET 3306 -> $EXTERNAL_NET any (msg:"ET SCAN Multiple MySQL Login Failures Possible Brute Force Attempt"; flow:from_server,established; dsize:<251; byte_test:1,<,0xfb,0,little; content:"|ff 15 04 23 32 38 30 30 30|"; offset:4; threshold: type threshold, track by_src, count 5, seconds 120; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2010494; classtype:attempted-recon; sid:2010494; rev:4; metadata:created_at 2010_07_30, updated_at 2017_05_11;)
# Worm/lateral-movement SYN-rate rules. Source is $HOME_NET and destination is "any", so they cover
# both internal-to-internal and outbound SYNs to the SMB/RPC and MSSQL ports. flags:S,12 ignores ECN bits.
alert tcp $HOME_NET any -> any 445 (msg:"ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2001569; classtype:misc-activity; sid:2001569; rev:15; metadata:created_at 2010_07_30, updated_at 2017_05_11;)
alert tcp $HOME_NET any -> any 139 (msg:"ET SCAN Behavioral Unusual Port 139 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2001579; classtype:misc-activity; sid:2001579; rev:15; metadata:created_at 2010_07_30, updated_at 2017_05_11;)
# Port 137 is normally UDP (NetBIOS name service); this rule is tcp-only, so it sees TCP SYNs to 137 only.
alert tcp $HOME_NET any -> any 137 (msg:"ET SCAN Behavioral Unusual Port 137 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2001580; classtype:misc-activity; sid:2001580; rev:15; metadata:created_at 2010_07_30, updated_at 2017_05_11;)
alert tcp $HOME_NET any -> any 135 (msg:"ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2001581; classtype:misc-activity; sid:2001581; rev:15; metadata:created_at 2010_07_30, updated_at 2017_05_11;)
# Port 1434 is likewise normally UDP (SQL Browser); tcp-only here.
alert tcp $HOME_NET any -> any 1434 (msg:"ET SCAN Behavioral Unusual Port 1434 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 40 , seconds 60; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2001582; classtype:misc-activity; sid:2001582; rev:15; metadata:created_at 2010_07_30, updated_at 2017_05_11;)
alert tcp $HOME_NET any -> any 1433 (msg:"ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 40 , seconds 60; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2001583; classtype:misc-activity; sid:2001583; rev:16; metadata:created_at 2010_07_30, updated_at 2017_05_11;)
# Inbound RDP SYN rate: 20 connection attempts from one external source within 6 minutes.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Inbound)"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2001972; classtype:network-scan; sid:2001972; rev:20; metadata:created_at 2010_07_30, updated_at 2017_05_11;)
# User-Agent keyword heuristics (former HUNTING category). Two case-insensitive substrings with distance:0,
# so the second must appear somewhere AFTER the first within the first 200 bytes of the UA buffer.
# Expect false positives from legitimate products whose names contain these words.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Suspicious User-Agent Containing SQL Inject/ion Likely SQL Injection Scanner"; flow:established,to_server; content:"SQL"; nocase; depth:200; http_user_agent; content:"Inject"; nocase; distance:0; http_user_agent; metadata: former_category HUNTING; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2010087; classtype:attempted-recon; sid:2010087; rev:7; metadata:affected_product Web_Server_Applications, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, deployment Datacenter, tag SQL_Injection, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_05_11;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Suspicious User-Agent Containing Web Scan/er Likely Web Scanner"; flow:established,to_server; content:"web"; nocase; depth:200; http_user_agent; content:"scan"; nocase; distance:0; http_user_agent; metadata: former_category HUNTING; reference:url,doc.emergingthreats.net/2010088; classtype:attempted-recon; sid:2010088; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_05_11;)
# Unlike the two above, this one has no depth limit on the first content.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Suspicious User-Agent Containing Security Scan/ner Likely Scan"; flow:established,to_server; content:"security"; nocase; http_user_agent; content:"scan"; nocase; distance:0; http_user_agent; metadata: former_category HUNTING; reference:url,doc.emergingthreats.net/2010089; classtype:attempted-recon; sid:2010089; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_05_11;)
# ICMP echo request carrying the literal payload "@hello ???".
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP @hello request Likely Precursor to Scan"; itype:8; icode:0; content:"@hello ???"; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2010641; classtype:misc-activity; sid:2010641; rev:3; metadata:created_at 2010_07_30, updated_at 2017_05_11;)
# Outbound counterpart of the RDP rule (same 20/360 s threshold); the reference is the Morto RDP worm.
alert tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Outbound)"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; metadata: former_category SCAN; reference:url,threatpost.com/en_us/blogs/new-worm-morto-using-rdp-infect-windows-pcs-082811; classtype:misc-activity; sid:2013479; rev:5; metadata:created_at 2011_08_29, updated_at 2017_05_11;)
# Nmap in the User-Agent, from $HOME_NET to anywhere. The leading |20| (space) means "Nmap" must be a
# non-initial token of the UA; a User-Agent that BEGINS with "Nmap" will not match. No threshold.
alert http $HOME_NET any -> any any (msg:"ET SCAN Possible Nmap User-Agent Observed"; flow:to_server,established; content:"|20|Nmap"; http_user_agent; fast_pattern; metadata: former_category SCAN; classtype:web-application-attack; sid:2024364; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, signature_severity Informational, created_at 2017_06_08, performance_impact Low, updated_at 2017_06_13;)
# struts-pwn (CVE-2017-9805 PoC) announces itself in the first 10 bytes of the User-Agent.
# NOTE(review): this rule carries two "metadata:" options that disagree (signature_severity Critical in
# the first, Minor in the second, and deployment Perimeter vs Datacenter). Keep one authoritative block.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN struts-pwn User-Agent"; flow:established,to_server; content:"struts-pwn"; depth:10; http_user_agent; fast_pattern;metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Perimeter, signature_severity Critical; metadata: former_category SCAN; reference:url,github.com/mazen160/struts-pwn_CVE-2017-9805/blob/master/struts-pwn.py; reference:cve,2017-9805; reference:url,paladion.net/paladion-cyber-labs-discovers-a-new-ransomware/; classtype:attempted-user; sid:2024843; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Minor, created_at 2017_10_16, performance_impact Moderate, updated_at 2017_10_16;)
# Scanner self-identification via User-Agent. No threshold on OpenVAS, so every request alerts.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN OpenVAS User-Agent Inbound"; flow:established,to_server; content:"OpenVAS"; http_user_agent; reference:url,openvas.org; classtype:attempted-recon; sid:2012726; rev:5; metadata:created_at 2011_04_26, updated_at 2011_04_26;)
# depth:9 == len("DirBuster"), so the UA must START with the tool name. No threshold; see also the
# DirBuster canary-path rule later in this section.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN DirBuster Web App Scan in Progress"; flow:to_server,established; content:"DirBuster"; depth:9; http_user_agent; reference:url,owasp.org; reference:url,doc.emergingthreats.net/2008186; classtype:web-application-attack; sid:2008186; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# sqlmap's default UA prefix (depth:6 anchors it to the start). Case-sensitive; sqlmap --random-agent evades it.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Sqlmap SQL Injection Scan"; flow:to_server,established; content:"sqlmap"; depth:6; http_user_agent; threshold: type limit, count 2, seconds 40, track by_src; reference:url,sqlmap.sourceforge.net; reference:url,doc.emergingthreats.net/2008538; classtype:attempted-recon; sid:2008538; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
# Upper-case "PUTTY" (the real client's banner is mixed-case "PuTTY_Release_...").
# NOTE(review): ssh_proto is the protocol-version buffer ("2.0") in Suricata, not the software-version
# buffer; confirm on the target engine version that "PUTTY" is actually reachable in this buffer,
# otherwise this should use the software/banner buffer.
alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN SSH BruteForce Tool with fake PUTTY version"; flow:established,to_server; ssh_proto; content:"PUTTY"; threshold: type limit, track by_src, count 1, seconds 30; metadata: former_category SCAN; classtype:network-scan; sid:2019876; rev:6; metadata:created_at 2014_12_05, updated_at 2017_12_01;)
# Database-port SYN rules. These use plain "flags:S" (no ",12"), unlike the rules earlier in this section,
# so a SYN with either ECN bit set does NOT match here. "type limit" = at most one alert per source per minute.
alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg:"ET SCAN Suspicious inbound to PostgreSQL port 5432"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; metadata: former_category HUNTING; reference:url,doc.emergingthreats.net/2010939; classtype:bad-unknown; sid:2010939; rev:3; metadata:created_at 2010_07_30, updated_at 2018_03_27;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4333 (msg:"ET SCAN Suspicious inbound to mSQL port 4333"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; metadata: former_category HUNTING; reference:url,doc.emergingthreats.net/2010938; classtype:bad-unknown; sid:2010938; rev:3; metadata:created_at 2010_07_30, updated_at 2018_03_27;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN Suspicious inbound to mySQL port 3306"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; metadata: former_category HUNTING; reference:url,doc.emergingthreats.net/2010937; classtype:bad-unknown; sid:2010937; rev:3; metadata:created_at 2010_07_30, updated_at 2018_03_27;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg:"ET SCAN Suspicious inbound to Oracle SQL port 1521"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; metadata: former_category HUNTING; reference:url,doc.emergingthreats.net/2010936; classtype:bad-unknown; sid:2010936; rev:3; metadata:created_at 2010_07_30, updated_at 2018_03_27;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"ET SCAN Suspicious inbound to MSSQL port 1433"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; metadata: former_category HUNTING; reference:url,doc.emergingthreats.net/2010935; classtype:bad-unknown; sid:2010935; rev:3; metadata:created_at 2010_07_30, updated_at 2018_03_27;)
# Research scanner UA, exact prefix (depth:19). No flow keyword, so direction is enforced only by the
# rule header; informational severity.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NYU Internet Census UA Inbound"; content:"NYU Internet Census"; http_user_agent; depth:19; metadata: former_category SCAN; reference:url,scan.lol; classtype:network-scan; sid:2025461; rev:2; metadata:deployment Perimeter, deployment Datacenter, signature_severity Informational, created_at 2018_04_03, updated_at 2018_04_03;)
# Morfeus PHP scanner UA prefix (case-insensitive, depth:7 == len("Morfeus")).
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN PHP Attack Tool Morfeus F Scanner"; flow:established,to_server; content:"Morfeus"; nocase; http_user_agent; depth:7; metadata: former_category WEB_SERVER; reference:url,www.webmasterworld.com/search_engine_spiders/3227720.htm; reference:url,doc.emergingthreats.net/2003466; classtype:web-application-attack; sid:2003466; rev:15; metadata:created_at 2010_07_30, updated_at 2018_04_17;)
# HP VAN SDN controller: request for the hpws config endpoint (isdataat:!1,relative => the URI ends
# exactly there) presenting the hard-coded "AuroraSdnToken" X-Auth-Token from the public exploit.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN HP Enterprise VAN SDN Controller"; flow:established,to_server; content:"/sdn/ui/app/rs/hpws/config"; http_uri; isdataat:!1,relative; content:"X-Auth-Token|3a| AuroraSdnToken"; http_header; fast_pattern; metadata: former_category SCAN; reference:url,exploit-db.com/exploits/44951/; classtype:attempted-recon; sid:2025760; rev:1; metadata:attack_target Networking_Equipment, deployment Datacenter, signature_severity Major, created_at 2018_06_28, updated_at 2019_09_28;)
# ntopng session-ID guessing (CVE-2018-12520): 255 requests to network_load.lua with session= and user=
# cookies against one server within 10 s. The count presumably mirrors the small session-id keyspace
# described in the reference — verify against the exploit before tuning it.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ntop-ng Authentication Bypass via Session ID Guessing"; flow:established,to_server; content:"/lua/network_load.lua"; http_uri; fast_pattern; content:"session="; http_cookie; content:"user="; http_cookie; threshold: type threshold, track by_dst, count 255, seconds 10; metadata: former_category SCAN; reference:cve,2018-12520; reference:url,exploit-db.com/exploits/44973/; classtype:attempted-recon; sid:2025780; rev:2; metadata:attack_target Server, deployment Datacenter, signature_severity Critical, created_at 2018_07_03, performance_impact Low, updated_at 2018_07_18;)
# HID VertX/Edge controller discovery datagram on udp/4070: short packet (<45 bytes) containing "discover;013;".
# Source is "any", so internal discovery tools will also trigger it.
alert udp any any -> $HOME_NET 4070 (msg:"ET SCAN HID VertX and Edge door controllers discover"; dsize:<45; content:"discover|3b|013|3b|"; metadata: former_category SCAN; reference:url,exploit-db.com/exploits/44992/; classtype:attempted-recon; sid:2025822; rev:2; metadata:attack_target IoT, deployment Datacenter, created_at 2018_07_10, updated_at 2018_07_18;)
# Unauthenticated config read (CVE-2018-15534). Source "any": alerts on internal requests as well.
alert http any any -> $HOME_NET any (msg:"ET SCAN Geutebrueck re_porter 7.8.974.20 Information Disclosure"; flow:established,to_server; content:"GET"; http_method; content:"/statistics/gscsetup.xml"; http_uri; metadata: former_category SCAN; reference:cve,2018-15534; reference:url,exploit-db.com/exploits/45240/; classtype:attempted-recon; sid:2026008; rev:1; metadata:attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2018_08_22, performance_impact Low, updated_at 2018_08_22;)
# Hikvision config download; the auth parameter "YWRtaW46MTEK" base64-decodes to "admin:11\n", the
# fixed value used by the public exploit. A variant with a different encoded credential would not match.
alert http any any -> $HOME_NET any (msg:"ET SCAN Hikvision IP Camera 5.4.0 Information Disclosure"; flow:established,to_server; content:"GET"; http_method; content:"/System/configurationFile?auth=YWRtaW46MTEK"; http_uri; metadata: former_category SCAN; reference:url,exploit-db.com/exploits/45231/; classtype:attempted-recon; sid:2026015; rev:1; metadata:attack_target IoT, deployment Datacenter, signature_severity Major, created_at 2018_08_22, performance_impact Low, updated_at 2018_08_22;)
# PHP eval-probe campaign: POST to a .php URI with a body parameter set to die('Hello, Peppa!').
# NOTE(review): the affected_product metadata names Windows, which does not fit a PHP code-execution
# probe; the metadata looks copied from the SMTP rule below it.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Hello Peppa! Scan Activity"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"=die(|27|Hello, Peppa!|27|"; http_client_body; fast_pattern; metadata: former_category SCAN; reference:url,isc.sans.edu/diary/rss/23860; classtype:attempted-recon; sid:2026464; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_10, malware_family Hello_Peppa, performance_impact Moderate, updated_at 2018_10_10;)
# SMTP session opening with the literal "HELO *.*" (depth:11 == length of the whole string incl. CRLF).
alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN StarDotStar HELO, suspected AUTH LOGIN botnet"; flow:established,to_server; content:"HELO|20 2a 2e 2a 0d 0a|"; depth:11; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2026463; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_09, updated_at 2018_10_12;)
# DirBuster's canary request path used to detect wildcard/catch-all responses; one alert per source per minute.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN DirBuster Scan in Progress"; flow:established,to_server; content:"/thereIsNoWayThat-You-CanBeThere"; nocase; http_uri; threshold: type limit, track by_src,count 1, seconds 60; reference:url,www.owasp.org/index.php/Category%3aOWASP_DirBuster_Project; classtype:attempted-recon; sid:2011914; rev:2; metadata:created_at 2010_11_09, updated_at 2019_09_26;)
# Metasploit WMAP quirk: a GET that nevertheless carries "Content-Type: text/plain" and "Content-Length: 0"
# back-to-back. Matched as raw header bytes incl. CRLFs, so header ordering and spacing must be exact.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Metasploit WMAP GET len 0 and type"; flow:established,to_server; content:"GET"; http_method; content:"|0d 0a|Content-Type|3A| text/plain|0d 0a|Content-Length|3A| 0|0d 0a|"; http_header; threshold: type limit, track by_src,count 1,seconds 60; classtype:attempted-recon; sid:2011974; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_11_24, updated_at 2019_09_26;)
# Unknown scanner that sends a custom "Goatzapszu:" request header. No reference, no threshold.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Goatzapszu Header from unknown Scanning Tool"; flow:established,to_server; content:"Goatzapszu|3a|"; nocase; http_header; classtype:attempted-recon; sid:2012077; rev:3; metadata:created_at 2010_12_18, updated_at 2019_09_26;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL SCAN nessus 1.X 404 probe"; flow:to_server,established; content:"/nessus_is_probing_you_"; http_uri; reference:arachnids,301; classtype:web-application-attack; sid:2101102; rev:11; metadata:created_at 2010_09_23, updated_at 2019_09_26;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Medusa User-Agent"; flow: established,to_server; content:"User-Agent|3A| Teh Forest Lobster"; fast_pattern:10,20; nocase; http_header; threshold: type limit, track by_src,count 1, seconds 60; reference:url,www.foofus.net/~jmk/medusa/medusa.html; classtype:attempted-recon; sid:2011887; rev:3; metadata:created_at 2010_10_31, updated_at 2019_09_26;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN DotDotPwn User-Agent"; flow:established,to_server; content:"User-Agent|3A| DotDotPwn"; nocase; http_header; threshold:type limit, track by_src,count 1, seconds 60; reference:url,dotdotpwn.sectester.net; classtype:attempted-recon; sid:2011915; rev:3; metadata:created_at 2010_11_09, updated_at 2019_09_26;)
alert tcp $HOME_NET any -> $HOME_NET 2555 (msg:"ET SCAN Internal to Internal UPnP Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/^[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//Ri"; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008092; classtype:attempted-recon; sid:2008092; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2555 (msg:"ET SCAN External to Internal UPnP Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/^[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//Ri"; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008093; classtype:attempted-recon; sid:2008093; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN DEBUG Method Request with Command"; flow:established,to_server; content:"DEBUG "; depth:6; content:"|0d 0a|Command|3a| "; distance:0; reference:url,doc.emergingthreats.net/2008312; classtype:attempted-recon; sid:2008312; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible Fast-Track Tool Spidering User-Agent Detected"; flow:established,to_server; content:"|0d 0a|User-Agent|3A| pymills-spider/"; reference:url,www.offensive-security.com/metasploit-unleashed/Fast-Track-Modes; reference:url,doc.emergingthreats.net/2011721; classtype:attempted-recon; sid:2011721; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLBrute SQL Scan Detected"; flow:to_server,established; content:"AND not exists (select * from master..sysdatabases)"; offset:60; depth:60; reference:url,www.justinclarke.com/archives/2006/03/sqlbrute.html; reference:url,www.darknet.org.uk/2007/06/sqlbrute-sql-injection-brute-force-tool/; reference:url,doc.emergingthreats.net/2009477; classtype:attempted-recon; sid:2009477; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
# SQLNinja probe family (sibling 2009039 appears further down). Each rule keys
# on the literal "?param=a" marker followed (distance:2) by a URL-encoded MSSQL
# fragment. No http_uri/http_header modifier is used, so the match is against
# the request as a whole rather than a normalised buffer.
# 2009040 alerts only once 20 matching requests from one source are seen in
# 10 s (threshold type threshold, track by_src); the other four alert on every
# matching request.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL User Scan"; content:"?param=a"; flow:to_server,established; content:"if%20ascii%28substring%28%28select%20system%5Fuser"; distance:2; threshold: type threshold, track by_src, count 20, seconds 10; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009040; classtype:attempted-recon; sid:2009040; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL Database User Rights Scan"; flow:to_server,established; content:"?param=a"; content:"if%20is%5Fsrvrolemember%28%27sysadmin"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009041; classtype:attempted-recon; sid:2009041; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL Authentication Mode Scan"; flow:to_server,established; content:"?param=a"; content:"if%20not%28%28select%20serverproperty%28%27IsIntegratedSecurityOnly"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009042; classtype:attempted-recon; sid:2009042; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
# 2009043 / 2009044 are classtype attempted-admin rather than attempted-recon:
# a hit means the tool has moved from enumeration to re-enabling and invoking
# xp_cmdshell, so they deserve a higher triage priority than the three above.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja Attempt To Recreate xp_cmdshell Using sp_configure"; flow:to_server,established; content:"?param=a"; content:"exec%20master%2E%2Esp%5Fconfigure%20%27show%20advanced%20options"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009043; classtype:attempted-admin; sid:2009043; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja Attempt To Create xp_cmdshell Session"; flow:to_server,established; content:"?param=a"; content:"exec%20master%2E%2Exp%5Fcmdshell%20%27cmd%20%2FC%20%25TEMP"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009044; classtype:attempted-admin; sid:2009044; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
# Web-application scanner markers.
# 2008605: "Session Stomper" in a fixed window (offset:100, depth:25).
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Stompy Web Application Session Scan"; flow:to_server,established; content:"Session Stomper"; offset:100; depth:25; reference:url,www.darknet.org.uk/2007/03/stompy-the-web-application-session-analyzer-tool/; reference:url,doc.emergingthreats.net/2008605; classtype:attempted-recon; sid:2008605; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
# 2011027: a request whose first 10 bytes are the bogus method "ARGENTINA " —
# w3af's check for servers that accept arbitrary methods.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN w3af Scan In Progress ARGENTINA Req Method"; flow:to_server,established; content:"ARGENTINA "; depth:10; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2011027; classtype:attempted-recon; sid:2011027; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
# 2010960: User-Agent header beginning "WhatWeb/".
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN WhatWeb Web Application Fingerprint Scanner Default User-Agent Detected"; flow:established,to_server; content:"|0d 0a|User-Agent|3A| WhatWeb/"; reference:url,www.morningstarsecurity.com/research/whatweb; reference:url,doc.emergingthreats.net/2010960; classtype:attempted-recon; sid:2010960; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
# 2008417: Wapiti — a GET whose query string carries a "?http://www.google."
# URL (nocase, within 100 bytes of the request line) from a Python-httplib2
# client. Both conditions are required, which keeps the rule from firing on
# ordinary redirect-style parameters.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Wapiti Web Server Vulnerability Scan"; flow:to_server,established; content:"GET /"; depth:5; content:"?http|3A|//www.google."; within:100; nocase; content:"|0d 0a|User-Agent|3A 20|Python-httplib2"; distance:0; reference:url,wapiti.sourceforge.net/; reference:url,doc.emergingthreats.net/2008417; classtype:attempted-recon; sid:2008417; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
# 2011808 / 2011809: Inspathx (path-disclosure finder). The first keys on its
# default User-Agent; the second requires all three of "varhttp:/", "wwwhttp:/"
# and "htmlhttp:/" in the URI (nocase). Both are limited to one alert per
# source per 30 s (threshold type limit), so counts in alert data understate
# the real request volume.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Inspathx Path Disclosure Scanner User-Agent Detected"; flow:established,to_server; content:"User-Agent|3A| inspath [path disclosure finder"; http_header; threshold:type limit, count 1, seconds 30, track by_src; reference:url,code.google.com/p/inspathx/; reference:url,www.darknet.org.uk/2010/09/inspathx-tool-for-finding-path-disclosure-vulnerabilities/; classtype:attempted-recon; sid:2011808; rev:4; metadata:created_at 2010_10_12, updated_at 2019_09_27;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Inspathx Path Disclosure Scan"; flow:established,to_server; content:"GET"; http_method; content:"varhttp|3A|/"; http_uri; nocase; content:"wwwhttp|3A|/"; http_uri; nocase; content:"htmlhttp|3A|/"; http_uri; nocase; threshold:type limit, count 1, seconds 30, track by_src; reference:url,code.google.com/p/inspathx/; reference:url,www.darknet.org.uk/2010/09/inspathx-tool-for-finding-path-disclosure-vulnerabilities/; classtype:attempted-recon; sid:2011809; rev:6; metadata:created_at 2010_10_12, updated_at 2019_09_27;)
# User-Agent based scanner detections.
# 2003924: "WHCC" within 50 bytes of a User-Agent header, confirmed by pcre.
# Note the classtype is trojan-activity, unlike the attempted-recon rules
# around it, so it will be routed differently by classtype-based alerting.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN WebHack Control Center User-Agent Inbound (WHCC/)"; flow:to_server,established; content:"User-Agent|3a| "; nocase; content:"WHCC"; fast_pattern; nocase; distance:0; within:50; pcre:"/User-Agent\:[^\n]+WHCC/i"; reference:url,www.governmentsecurity.org/forum/index.php?showtopic=5112&pid=28561&mode=threaded&start=; reference:url,doc.emergingthreats.net/2003924; classtype:trojan-activity; sid:2003924; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
# 2011029: " Netsparker)" in the normalised User-Agent; one alert per source
# per 60 s.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Netsparker Default User-Agent"; flow:to_server,established; content:" Netsparker)"; http_user_agent; threshold:type limit,track by_src,count 1,seconds 60; reference:url,www.mavitunasecurity.com/communityedition/; classtype:attempted-recon; sid:2011029; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
# 2010953: Skipfish's "Mozilla/5.0 SF" User-Agent; at most 10 alerts per
# source per 60 s.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Skipfish Web Application Scan Detected"; flow:established,to_server; content:"Mozilla/5.0 SF"; http_user_agent; threshold:type limit, count 10, seconds 60, track by_src; reference:url,isc.sans.org/diary.html?storyid=8467; reference:url,code.google.com/p/skipfish/; reference:url,doc.emergingthreats.net/2010953; classtype:attempted-recon; sid:2010953; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
# 2008362: "bsqlbf" anywhere in the User-Agent (nocase); tagged SQL_Injection
# with classtype web-application-activity.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN bsqlbf Brute Force SQL Injection"; flow:established,to_server; content:"bsqlbf"; http_user_agent; nocase; reference:url,code.google.com/p/bsqlbf-v2/; reference:url,doc.emergingthreats.net/2008362; classtype:web-application-activity; sid:2008362; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;)
# 2009039: the SQLNinja xp_cmdshell probe; same "?param=a" + distance:2
# structure as 2009040-2009044 above, still attempted-recon.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL XPCmdShell Scan"; flow:to_server,established; content:"?param=a"; content:"exec%20master%2E%2Exp%5Fcmdshell"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; classtype:attempted-recon; sid:2009039; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
# 2009158: "webshag" in the User-Agent (case-sensitive, no threshold).
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN WebShag Web Application Scan Detected"; flow:to_server,established; content:"webshag"; http_user_agent; reference:url,www.scrt.ch/pages_en/outils.html; classtype:attempted-recon; sid:2009158; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
# 2011028: HZZP header fuzzing — a GET where some header line's value is
# exactly "C:/WINDOWS/system32/calc.exe" (optionally wrapped in "test."/".test";
# the pcre anchors the whole header line with /Hm). Destination is "any any",
# so it also fires on traffic that is not bound for $HOME_NET.
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN HZZP Scan in Progress calc in Headers"; flow:to_server,established; content:"GET"; http_method; content:"C|3a|/WINDOWS/system32/calc.exe"; http_header; content:"|0d 0a|"; within:9; http_header; pcre:"/^.+\x3a\s(test.)?C\:\/WINDOWS\/system32\/calc\.exe(.test)?\r$/Hm"; reference:url,www.krakowlabs.com/dev.html; reference:url,doc.emergingthreats.net/2011028; classtype:attempted-recon; sid:2011028; rev:8; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
# 2003869: an HTTP CONNECT whose target ends in ":25" (|3A|25 = ":25"), i.e.
# an open-proxy check aimed at SMTP relay. classtype misc-attack; a hit on an
# internal web server suggests it is being tested as a relay, not scanned.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ProxyReconBot CONNECT method to Mail"; flow:established,to_server; content:"CONNECT "; depth:8; content:"|3A|25 HTTP/"; within:200; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2003869; classtype:misc-attack; sid:2003869; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
# 2008571: Acunetix v6 canary URI; alerts once 2 requests hit the same
# destination within 5 s (threshold type threshold, track by_dst).
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Acunetix Version 6 Crawl/Scan Detected"; flow:to_server,established; content:"/acunetix-wvs-test-for-some-inexistent-file"; http_uri; threshold: type threshold, track by_dst, count 2, seconds 5; reference:url,www.acunetix.com/; reference:url,doc.emergingthreats.net/2008571; classtype:attempted-recon; sid:2008571; rev:7; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
# 2011030: "/Netsparker-" in the URI; one alert per source per 60 s.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Netsparker Scan in Progress"; flow:to_server,established; content:"/Netsparker-"; http_uri; threshold:type limit,track by_src,count 1,seconds 60; reference:url,www.mavitunasecurity.com/communityedition/; reference:url,doc.emergingthreats.net/2011030; classtype:attempted-recon; sid:2011030; rev:7; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
# 2008627: Httprecon's combined probe — all three URI fragments
# ("/etc/passwd?format=", the alert('xss') tag, "traversal=") must be present
# in one GET, which makes this very specific to that tool.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Httprecon Web Server Fingerprint Scan"; flow:to_server,established; content:"GET"; http_method; content:"/etc/passwd?format="; http_uri; content:"><script>alert('xss')"; http_uri; content:"traversal="; http_uri; reference:url,www.computec.ch/projekte/httprecon/; reference:url,doc.emergingthreats.net/2008627; classtype:attempted-recon; sid:2008627; rev:10; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
# 2008617 / 2008629: Wikto's canary file names ("SensePostNotThere" markers);
# a request for either is a near-certain scanner indicator.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Wikto Scan"; flow:to_server,established; content:"GET"; http_method; content:"/.adSensePostNotThereNoNobook"; http_uri; reference:url,www.sensepost.com/research/wikto/WiktoDoc1-51.htm; reference:url,doc.emergingthreats.net/2008617; classtype:attempted-recon; sid:2008617; rev:8; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Wikto Backend Data Miner Scan"; flow:to_server,established; content:"GET"; http_method; content:"/actSensePostNotThereNoNotive"; http_uri; reference:url,www.sensepost.com/research/wikto/WiktoDoc1-51.htm; reference:url,doc.emergingthreats.net/2008629; classtype:attempted-recon; sid:2008629; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
# 2009479: Asp-Audit's CSS-expression XSS marker in the URI (literal
# alert('asp-audit')); the marker, not the XSS vector, is what is detected.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Asp-Audit Web Scan Detected"; flow:to_server,established; content:"GET"; http_method; content:"STYLE=x|3a|e/**/xpression(alert('asp-audit'))>"; http_uri; reference:url,www.hacker-soft.net/Soft/Soft_2895.htm; reference:url,wiki.remote-exploit.org/backtrack/wiki/asp-audit; reference:url,doc.emergingthreats.net/2009479; classtype:attempted-recon; sid:2009479; rev:11; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
# 2008628: "/ServiceDefinition" in the URI together with a User-Agent that
# starts with "Python-urllib/" (depth:14). The UA prefix is common to many
# scripts, so the URI content is the discriminating part.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN WSFuzzer Web Application Fuzzing"; flow:to_server,established; content:"/ServiceDefinition"; http_uri; fast_pattern; content:"Python-urllib/"; depth:14; http_user_agent; reference:url,www.owasp.org/index.php/Category%3aOWASP_WSFuzzer_Project; reference:url,doc.emergingthreats.net/2008628; classtype:attempted-recon; sid:2008628; rev:9; metadata:created_at 2010_07_30, updated_at 2019_10_07;)
# 2013779: a User-Agent header line that ends in "PTX" (pcre /Hm anchors the
# line end with \r$), the XSpider marker.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Positive Technologies XSpider Security Scanner User-Agent (PTX)"; flow:to_server,established; content:"PTX|0d 0a|"; http_header; fast_pattern; pcre:"/^User-Agent\x3a[^\n]+PTX\r$/Hm"; reference:url,www.securitylab.ru/forum/forum16/topic26800/; classtype:attempted-recon; sid:2013779; rev:5; metadata:created_at 2011_10_19, updated_at 2019_10_07;)
# 2015484: "w3af.sf.net" in the User-Agent header line (case-insensitive).
# Pairs with 2007757 below, which covers the "w3af.sourceforge.net" form.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN w3af User-Agent 2"; flow:established,to_server; content:"w3af.sf.net"; http_header; fast_pattern; pcre:"/^User-Agent\x3a[^\r\n]+?w3af\.sf\.net/Hmi"; classtype:attempted-recon; sid:2015484; rev:3; metadata:created_at 2012_07_17, updated_at 2019_10_07;)
# Non-HTTP and protocol-level scan indicators.
# 2015754: UTF-16LE "nessus" ("n|00|e|00|s|00|s|00|u|00|s") in UDP to the
# NetBIOS/SMB ports. Stateless (no flow keyword), so it matches single datagrams.
alert udp $EXTERNAL_NET any -> $HOME_NET [137,138,139,445] (msg:"ET SCAN Nessus Netbios Scanning"; content:"n|00|e|00|s|00|s|00|u|00|s"; fast_pattern; reference:url,www.tenable.com/products/nessus/nessus-product-overview; classtype:attempted-recon; sid:2015754; rev:3; metadata:created_at 2012_10_01, updated_at 2019_10_07;)
# 2015940: a request for "/sftp-config.json" — an editor config file that,
# per the referenced advisory, can expose SFTP/FTP credentials if left in the
# web root. A 200 response to such a request is what actually matters; this
# rule fires on the request alone.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SFTP/FTP Password Exposure via sftp-config.json"; flow:to_server,established; content:"/sftp-config.json"; fast_pattern; http_uri; reference:url,blog.sucuri.net/2012/11/psa-sftpftp-password-exposure-via-sftp-config-json.html; classtype:attempted-recon; sid:2015940; rev:3; metadata:created_at 2012_11_26, updated_at 2019_10_07;)
# 2017161 / 2017162: SIP "User-Agent: sipcli/" on 5060 over TCP and UDP
# respectively; one alert per source per 60 s for each.
alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SipCLI VOIP Scan - TCP"; flow:established,to_server; content:"|0D 0A|User-Agent|3A 20|sipcli/"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.yasinkaplan.com/SipCli/; classtype:attempted-recon; sid:2017161; rev:2; metadata:created_at 2013_07_17, updated_at 2019_10_07;)
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SipCLI VOIP Scan"; content:"|0D 0A|User-Agent|3A 20|sipcli/"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.yasinkaplan.com/SipCli/; classtype:attempted-recon; sid:2017162; rev:3; metadata:created_at 2013_07_17, updated_at 2019_10_07;)
# 2017950: FOCA's canary URI, additionally requiring that Referer, Accept and
# Connection headers are all absent (negated content:! matches) — a bare
# request shape that browsers do not produce.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN FOCA uri"; flow:established,to_server; content:"GET"; http_method; content:"/*F0C4~1*/foca.aspx?aspxerrorpath=/"; http_uri; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; content:!"Connection|3a 20|"; http_header; reference:url,blog.bannasties.com/2013/08/vulnerability-scans/; classtype:attempted-recon; sid:2017950; rev:4; metadata:created_at 2014_01_09, updated_at 2019_10_07;)
# 2018489: Nmap's UDP OS-detection probe — exactly 300 bytes (dsize:300) of
# 'C' between ports >= 10000, matched as a 255-byte run (depth:255) followed by
# a 45-byte run (within:45). The port ranges mean it ignores probes aimed at
# low ports.
alert udp $EXTERNAL_NET 10000: -> $HOME_NET 10000: (msg:"ET SCAN NMAP OS Detection Probe"; dsize:300; content:"CCCCCCCCCCCCCCCCCCCC"; fast_pattern; content:"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"; depth:255; content:"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"; within:45; classtype:attempted-recon; sid:2018489; rev:4; metadata:created_at 2014_05_20, updated_at 2019_10_07;)
# 2018754: helper rule only. It sets the flowbit ET.XMLRPC.PHP on any request
# for /xmlrpc.php and uses flowbits:noalert, so it never produces an alert by
# itself; a consumer rule (not in this section) must check the flowbit. Its
# classtype/severity metadata therefore never reach an alert stream.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible WordPress xmlrpc.php wp.getUsersBlogs Flowbit Set"; flow:established,to_server; content:"/xmlrpc.php"; http_uri; nocase; fast_pattern; flowbits:set,ET.XMLRPC.PHP; flowbits:noalert; reference:url,isc.sans.edu/diary/+WordPress+brute+force+attack+via+wp.getUsersBlogs/18427; classtype:attempted-admin; sid:2018754; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2014_07_23, updated_at 2019_10_07;)
# 2009481: Grendel-Scan's "/random<word>.<ext>" probes (extension list in the
# pcre); alerts once 20 such requests reach one destination within 40 s.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Grendel-Scan Web Application Security Scan Detected"; flow:to_server,established; content:"GET"; http_method; content:"/random"; nocase; http_uri; fast_pattern; pcre:"/\x2Frandom\w+?\x2E(?:c(?:f[cm]|gi)|ht(?:ml?|r)|(?:ws|x)dl|a(?:sp|xd)|p(?:hp3|l)|bat|swf|vbs|do)/Ui"; threshold: type threshold, track by_dst, count 20, seconds 40; reference:url,www.grendel-scan.com; reference:url,doc.emergingthreats.net/2009481; classtype:attempted-recon; sid:2009481; rev:9; metadata:created_at 2010_07_30, updated_at 2019_10_07;)
# 2021058: the only outbound rule in this section ($HOME_NET -> $EXTERNAL_NET):
# an internal host running the Xenu link checker. Often benign web-team
# activity; consider suppressing for known hosts rather than disabling.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Xenu Link Sleuth Scanner Outbound"; flow:to_server,established; content:"GET"; http_method; content:"Xenu Link Sleuth"; http_user_agent; fast_pattern; classtype:attempted-recon; sid:2021058; rev:4; metadata:created_at 2015_05_05, updated_at 2019_10_07;)
# 2022243: the hex content decodes to "User-Agent: commix" (the commix
# command-injection scanner's default UA); one alert per source per 60 s.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN COMMIX Command injection scan attempt"; flow:to_server,established; content:"|55 73 65 72 2d 41 67 65 6e 74 3a 20 63 6f 6d 6d 69 78|"; fast_pattern; http_header; threshold: type limit, count 1, seconds 60, track by_src; reference:url,github.com/stasinopoulos/commix/blob/master/README.md; classtype:web-application-activity; sid:2022243; rev:3; metadata:created_at 2015_12_11, updated_at 2019_10_07;)
# 2022579 / 2022580: MySQL (3306) statements seen in a client-to-server packet.
# Bytes 3-4 "|00 03|" look like the MySQL sequence byte followed by COM_QUERY
# (0x03); confirm against the protocol before tuning. Only flow:to_server is
# set (no "established"), unlike the HTTP rules here. A hit on 2022579 means
# someone is trying to GRANT to root@% — treat as attempted privilege
# escalation on the database, not merely a scan.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN MySQL Malicious Scanning 1"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"GRANT ALTER, ALTER ROUTINE"; distance:0; nocase; within:30; content:"TO root@% WITH"; fast_pattern; metadata: former_category CURRENT_EVENTS; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022579; rev:2; metadata:created_at 2016_03_01, updated_at 2019_10_07;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN MySQL Malicious Scanning 2"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"set global log_bin_trust_function_creators=1"; fast_pattern; metadata: former_category CURRENT_EVENTS; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022580; rev:2; metadata:created_at 2016_03_01, updated_at 2019_10_07;)
# 2023687 / 2023688: Acunetix markers in the URI ("acunetix_wvs_security_test"
# and "$acunetix" — |24| is '$'); each limited to one alert per source per
# 60 s and classed web-application-attack.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Acunetix scan in progress acunetix_wvs_security_test in http_uri"; flow:established,to_server; content:"acunetix_wvs_security_test"; http_uri; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.acunetix.com/; classtype:web-application-attack; sid:2023687; rev:3; metadata:affected_product Any, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2016_12_28, performance_impact Low, updated_at 2019_10_07;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Acunetix scan in progress acunetix variable in http_uri"; flow:established,to_server; content:"|24|acunetix"; http_uri; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.acunetix.com/; classtype:web-application-attack; sid:2023688; rev:3; metadata:affected_product Any, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2016_12_28, performance_impact Low, updated_at 2019_10_07;)
# User-Agent prefix matches (http_user_agent + depth:N pins the string to the
# start of the UA).
# 2013171: source is "any any", not $EXTERNAL_NET, so this also fires for
# internal hosts scanning $HTTP_SERVERS — useful for catching unsanctioned
# internal scans, noisy if authorised scanners are not suppressed.
alert http any any -> $HTTP_SERVERS any (msg:"ET SCAN DominoHunter Security Scan in Progress"; flow:established,to_server; content:"DominoHunter"; nocase; http_user_agent; depth:12; reference:url,packetstormsecurity.org/files/31653/DominoHunter-0.92.zip.html; classtype:web-application-attack; sid:2013171; rev:3; metadata:created_at 2011_07_02, updated_at 2019_10_11;)
# 2009159: Toata scanner UA; one alert per source per 60 s.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Toata Scanner User-Agent Detected"; flow:to_server,established; content:"Toata dragostea "; http_user_agent; depth:16; threshold: type limit, count 1, seconds 60, track by_src; reference:url,isc.sans.org/diary.html?storyid=5599; reference:url,doc.emergingthreats.net/2009159; classtype:attempted-recon; sid:2009159; rev:8; metadata:created_at 2010_07_30, updated_at 2019_10_11;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Automated Injection Tool User-Agent (AutoGetColumn)"; flow:established,to_server; content:"AutoGetColumn"; http_user_agent; depth:13; reference:url,doc.emergingthreats.net/2009154; classtype:attempted-recon; sid:2009154; rev:9; metadata:created_at 2010_07_30, updated_at 2019_10_11;)
# 2009480: Grendel-Scan's default UA plus its homepage URL elsewhere in the
# headers; throttled per destination (track by_dst, 1 per 60 s).
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Grendel Web Scan - Default User Agent Detected"; flow:to_server,established; content:"Mozilla/5.0 (compatible|3b 20|Grendel-Scan"; nocase; http_user_agent; depth:37; fast_pattern; content:"http|3a|//www.grendel-scan.com"; http_header; nocase; threshold: type limit, track by_dst, count 1, seconds 60; reference:url,www.grendel-scan.com; reference:url,doc.emergingthreats.net/2009480; classtype:attempted-recon; sid:2009480; rev:9; metadata:created_at 2010_07_30, updated_at 2019_10_11;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN JCE Joomla Scanner"; flow:established,to_server; content:"BOT/0.1 (BOT for JCE)"; http_user_agent; depth:21; classtype:web-application-attack; sid:2016032; rev:4; metadata:created_at 2012_12_13, updated_at 2019_10_11;)
# 2010019: GET /manager/html with the exact Indy Library UA (depth:38 plus
# isdataat:!1,relative = nothing after it), an Authorization: Basic header and
# no Proxy-Authorization. That combination is credential guessing against the
# Tomcat manager; a hit followed by a 200 should be escalated, and it is the
# natural place for a rule that sets the ET.Tomcat.login.attempt flowbit used
# by 2009220 further down (that setter is not in this section).
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomcat Web Application Manager scanning"; flow:established,to_server; content:"GET"; http_method; content:"/manager/html"; nocase; fast_pattern; http_uri; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; http_user_agent; depth:38; isdataat:!1,relative; content:"Authorization|3a 20|Basic"; http_header; content:!"Proxy-Authorization|3a 20|Basic"; nocase; http_header; reference:url,doc.emergingthreats.net/2010019; classtype:attempted-recon; sid:2010019; rev:10; metadata:created_at 2010_07_30, updated_at 2019_10_11;)
# 2003634: "get-minimal" UA; note classtype attempted-admin and the
# Client_Endpoint target in metadata, which differ from the surrounding rules.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Suspicious User-Agent - get-minimal - Possible Vuln Scan"; flow:established,to_server; content:"get-minimal"; http_user_agent; depth:11; metadata: former_category HUNTING; reference:url,doc.emergingthreats.net/2003634; classtype:attempted-admin; sid:2003634; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2019_10_11;)
# 2007757: w3af's "w3af.sourceforge.net" UA; companion to 2015484 above.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN w3af User Agent"; flow: established,to_server; content:"w3af.sourceforge.net"; http_user_agent; depth:20; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2007757; classtype:attempted-recon; sid:2007757; rev:12; metadata:created_at 2010_07_30, updated_at 2019_10_11;)
# More User-Agent prefix matches (depth:N pins each string to the UA start).
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN DavTest WebDav Vulnerability Scanner Default User Agent Detected"; flow:established,to_server; content:"DAV.pm/v"; depth:8; http_user_agent; reference:url,www.darknet.org.uk/2010/04/davtest-webdav-vulerability-scanning-scanner-tool/; reference:url,code.google.com/p/davtest/; reference:url,doc.emergingthreats.net/2011089; classtype:attempted-recon; sid:2011089; rev:5; metadata:created_at 2010_07_30, updated_at 2019_10_11;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Grabber.py Web Scan Detected"; flow:to_server,established; content:"Grabber"; depth:7; http_user_agent; reference:url,rgaucher.info/beta/grabber/; reference:url,doc.emergingthreats.net/2009483; classtype:attempted-recon; sid:2009483; rev:6; metadata:created_at 2010_07_30, updated_at 2019_10_11;)
# 2008729 / 2009769: SQL-injection tool UAs, tagged SQL_Injection / Major.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Mini MySqlatOr SQL Injection Scanner"; flow:to_server,established; content:"prog.CustomCrawler"; depth:18; http_user_agent; reference:url,www.scrt.ch/pages_en/minimysqlator.html; reference:url,doc.emergingthreats.net/2008729; classtype:attempted-recon; sid:2008729; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_10_11;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQL Power Injector SQL Injection User Agent Detected"; flow:to_server,established; content:"SQL Power Injector"; depth:18; http_user_agent; reference:url,www.sqlpowerinjector.com/index.htm; reference:url,en.wikipedia.org/wiki/Sql_injection; reference:url,doc.emergingthreats.net/2009769; classtype:attempted-recon; sid:2009769; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_10_11;)
# 2010768: "webcollage/" UA (open-proxy scanning). The first reference has a
# stray space after "url," ("reference:url, stateofsecurity.com/...");
# check that the rule loads with the intended reference value.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Open-Proxy ScannerBot (webcollage-UA) "; flow:established,to_server; content:"webcollage/"; depth:11; nocase; http_user_agent; reference:url, stateofsecurity.com/?p=526; reference:url,www.botsvsbrowsers.com/details/214715/index.html; reference:url,doc.emergingthreats.net/2010768; classtype:bad-unknown; sid:2010768; rev:7; metadata:created_at 2010_07_30, updated_at 2019_10_11;)
# 2008537: Hmap fingerprinting — a one-byte URI (urilen:1), a Netscape 4.75 UA
# fragment and protocol "HTTP/1.0". Old browsers could overlap on the UA, but
# the urilen + HTTP/1.0 combination keeps this narrow.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Hmap Webserver Fingerprint Scan"; flow:to_server,established; urilen:1; content:"GET"; http_method; content:"4.75 [en] (Windows NT 5.0"; http_user_agent; http_protocol; content:"HTTP/1.0"; reference:url,www.ujeni.murkyroc.com/hmap/; reference:url,doc.emergingthreats.net/2008537; classtype:attempted-recon; sid:2008537; rev:8; metadata:created_at 2010_07_30, updated_at 2019_10_11;)
# 2011497: THC Hydra's default UA; one alert per source per 60 s. Hydra is a
# credential brute-forcer, so a hit is a login-guessing indicator rather than
# a vulnerability scan.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Hydra User-Agent"; flow:established,to_server; content:"Mozilla/4.0 (Hydra)"; nocase; http_user_agent; fast_pattern; depth:19; threshold: type limit, track by_src,count 1, seconds 60; reference:url,freeworld.thc.org/thc-hydra; classtype:attempted-recon; sid:2011497; rev:5; metadata:created_at 2010_09_27, updated_at 2020_04_20;)
# 2018782: research scanner UA plus its domain in the headers. The second
# content carries distance:0 after switching from http_user_agent to
# http_header — a relative modifier across buffers; verify the rule loads and
# matches as intended on the engine version in use.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Internet Scanning Project HTTP scan"; flow:established,to_server; content:"research-scanner/"; http_user_agent; depth:17; content:"internetscanningproject.org"; distance:0; http_header; reference:url,www.internetscanningproject.org; classtype:attempted-recon; sid:2018782; rev:3; metadata:created_at 2014_07_25, updated_at 2019_10_15;)
# 2009833: WITOOL — "union+select" and "select+user" in the raw (unnormalised)
# URI plus the MyIE2 UA prefix; alerts once 2 hits reach one destination in
# 30 s.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN WITOOL SQL Injection Scan"; flow:to_server,established; content:"union+select"; http_raw_uri; content:"select+user"; http_raw_uri; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|MyIE2"; fast_pattern; http_user_agent; depth:56; threshold: type threshold, track by_dst, count 2, seconds 30; reference:url,witool.sourceforge.net/; reference:url,doc.emergingthreats.net/2009833; classtype:attempted-recon; sid:2009833; rev:12; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_10_15;)
# 2013492: McAfee/Foundstone — an exact 44-byte UA (depth:44 +
# isdataat:!1,relative) together with the unusual "Accept-Encoding: text"
# header; threshold type both: one alert per source per 120 s once 2 hits
# are seen. Authorised scanner IPs should be suppressed rather than the rule
# disabled.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN McAfee/Foundstone Scanner Web Scan"; flow:established,to_server; content:"Mozilla/5.0 (Windows|3b 20|Windows NT 6.1|3b 20|en-US)"; http_user_agent; fast_pattern; depth:44; isdataat:!1,relative; content:"|0D 0A|Accept-Encoding|3a 20|text|0D 0A|"; http_header; threshold: type both, count 2, seconds 120, track by_src; reference:url,www.mcafee.com/us/products/vulnerability-manager.aspx; classtype:attempted-recon; sid:2013492; rev:5; metadata:created_at 2011_08_30, updated_at 2020_04_20;)
# Mirai-variant User-Agents (former_category MALWARE). All ten share the same
# msg text, so alert handling must distinguish them by sid. Each keys on the
# header content and then a pcre on the User-Agent buffer (/V) that anchors
# the whole UA to the bare name, optionally followed by "/N.0" or " N.0".
# Destination is "any any" rather than $HOME_NET, so these fire on any
# inbound-to-server flow the sensor sees. Severity is Minor: the UA alone
# shows a bot is probing, not that the target is vulnerable.
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|DEMONS"; http_header; fast_pattern; pcre:"/^DEMONS(?:(?:\/|\s)[0-9]\.0)?$/Vi"; metadata: former_category MALWARE; classtype:attempted-admin; sid:2029015; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2019_11_21, updated_at 2019_11_21;)
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Hakai"; http_header; fast_pattern; pcre:"/^Hakai(?:(?:\/|\s)[0-9]\.0)?$/Vi"; metadata: former_category MALWARE; classtype:attempted-admin; sid:2029016; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2019_11_21, updated_at 2019_11_21;)
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Messiah"; http_header; fast_pattern; pcre:"/^Messiah(?:(?:\/|\s)[0-9]\.0)?$/Vi"; metadata: former_category MALWARE; classtype:attempted-admin; sid:2029017; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2019_11_21, updated_at 2019_11_21;)
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Liquor"; http_header; fast_pattern; pcre:"/^Liquor(?:(?:\/|\s)[0-9]\.0)?$/Vi"; metadata: former_category MALWARE; classtype:attempted-admin; sid:2029018; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2019_11_21, updated_at 2019_11_21;)
# 2029019 has no pcre; it anchors the exact UA "B4ckdoor" with the trailing
# CRLF in the content instead.
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|B4ckdoor|0d 0a|"; http_header; metadata: former_category MALWARE; classtype:attempted-admin; sid:2029019; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2019_11_21, updated_at 2019_11_21;)
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Nija"; http_header; fast_pattern; pcre:"/^Nija(?:(?:\/|\s)[0-9]\.0)?$/Vi"; metadata: former_category MALWARE; classtype:attempted-admin; sid:2029020; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2019_11_21, updated_at 2019_11_21;)
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Gemini"; http_header; fast_pattern; pcre:"/^Gemini(?:(?:\/|\s)[0-9]\.0)?$/Vi"; metadata: former_category MALWARE; classtype:attempted-admin; sid:2029021; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2019_11_21, updated_at 2019_11_21;)
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Kayla"; http_header; fast_pattern; pcre:"/^Kayla(?:(?:\/|\s)[0-9]\.0)?$/Vi"; metadata: former_category MALWARE; classtype:attempted-admin; sid:2029023; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2019_11_21, updated_at 2019_11_21;)
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Sector"; http_header; fast_pattern; pcre:"/^Sector(?:(?:\/|\s)[0-9]\.0)?$/Vi"; metadata: former_category MALWARE; classtype:attempted-admin; sid:2029024; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2019_11_21, updated_at 2019_11_21;)
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|OSIRIS"; http_header; fast_pattern; pcre:"/^OSIRIS(?:(?:\/|\s)[0-9]\.0)?$/Vi"; metadata: former_category MALWARE; classtype:attempted-admin; sid:2029026; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2019_11_21, updated_at 2019_11_21;)
# 2029054: exact UA "Mozilla/5.0 zgrab/0.x" (depth:21 + isdataat:!1,relative);
# classtype network-scan. Internet-wide research scanners use this UA, so
# expect steady background volume on anything Internet-facing.
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Zmap User-Agent (zgrab)"; flow:established,to_server; content:"Mozilla/5.0 zgrab/0.x"; http_user_agent; depth:21; isdataat:!1,relative; classtype:network-scan; sid:2029054; rev:1; metadata:created_at 2019_11_26, updated_at 2019_11_26;)
# 2008311: AppScan's fingerprint URI (nocase).
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Watchfire AppScan Web App Vulnerability Scanner"; flow:established,to_server; content:"/appscan_fingerprint/mac_address"; nocase; http_uri; reference:url,www.watchfire.com/products/appscan/default.aspx; reference:url,doc.emergingthreats.net/2008311; classtype:attempted-recon; sid:2008311; rev:8; metadata:created_at 2010_07_30, updated_at 2019_12_19;)
# 2029208: "User-Agent: dark_NeXus" as a prefix only — unlike the Mirai rules
# above there is no pcre or CRLF anchor, so any UA starting with the string
# matches.
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Dark Nexus IoT Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|dark_NeXus"; http_header; fast_pattern; classtype:attempted-admin; sid:2029208; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2019_12_30, updated_at 2019_12_30;)
# 2029317 / 2029318: GET /admin-scripts.asp with a Basic credential whose
# base64 decodes to the default pair named in each msg (admin:admin,
# root:admin). A hit is a default-credential attempt against a router admin
# page; if the response is 200, treat the device as compromised and rotate
# the credential.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomato Router Default Credentials (admin:admin)"; flow:to_server,established; content:"GET"; http_method; content:"/admin-scripts.asp"; http_uri; nocase; content:"Authorization|3a 20|Basic|20|YWRtaW46YWRtaW4="; http_header; metadata: former_category SCAN; reference:url,unit42.paloaltonetworks.com/muhstik-botnet-attacks-tomato-routers-to-harvest-new-iot-devices/; classtype:attempted-admin; sid:2029317; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2020_01_23, performance_impact Low, updated_at 2020_01_23;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomato Router Default Credentials (root:admin)"; flow:to_server,established; content:"GET"; http_method; content:"/admin-scripts.asp"; http_uri; nocase; content:"Authorization|3a 20|Basic|20|cm9vdDphZG1pbg=="; http_header; metadata: former_category SCAN; reference:url,unit42.paloaltonetworks.com/muhstik-botnet-attacks-tomato-routers-to-harvest-new-iot-devices/; classtype:attempted-admin; sid:2029318; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2020_01_23, performance_impact Low, updated_at 2020_01_23;)
# 2013791: a request line whose first 5 bytes are "GET @" (the mod_proxy
# reverse-proxy exposure probe). The second reference URL contains the literal
# text "[email protected]", which looks like a rendering-time obfuscation
# artefact rather than the real URL — verify against the upstream ruleset
# before relying on it.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Apache mod_proxy Reverse Proxy Exposure 1"; flow:established,to_server; http_request_line; content:"GET @"; depth:5; reference:url,www.contextis.com/research/blog/reverseproxybypass/; reference:url,mail-archives.apache.org/mod_mbox/httpd-announce/201110.mbox/%[email protected]%3E; classtype:attempted-recon; sid:2013791; rev:3; metadata:created_at 2011_10_24, updated_at 2020_02_05;)
# 2009220: POST to /manager/html/upload, gated on flowbits:isset
# ET.Tomcat.login.attempt. The rule that sets that flowbit is not in this
# section; if it is absent or disabled this rule can never fire. classtype
# successful-admin: a hit means a WAR upload reached the manager after a
# login attempt on the same flow — treat as a likely compromise.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomcat upload from external source"; flow:to_server,established; flowbits:isset,ET.Tomcat.login.attempt; content:"POST"; http_method; content:"/manager/html/upload"; http_uri; nocase; reference:url,tomcat.apache.org; reference:url,doc.emergingthreats.net/2009220; classtype:successful-admin; sid:2009220; rev:7; metadata:created_at 2010_07_30, updated_at 2020_02_10;)
# 2029022 / 2029473: two more Mirai-family UAs, both case-insensitive (nocase).
# 2029022 uses the same UA-anchoring pcre as the 2029015-2029026 group;
# 2029473 anchors the exact UA "Ankit" with the trailing CRLF.
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Hello, World"; http_header; nocase; fast_pattern; pcre:"/^Hello, World(?:(?:\/|\s)[0-9]\.0)?$/Vi"; metadata: former_category SCAN; classtype:attempted-admin; sid:2029022; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2019_11_21, updated_at 2020_02_13;)
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai User-Agent Observed (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Ankit|0d 0a|"; http_header; nocase; fast_pattern; metadata: former_category SCAN; classtype:attempted-admin; sid:2029473; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2020_02_17, updated_at 2020_02_17;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomcat admin-admin login credentials"; flow:to_server,established; content:"/manager/html"; nocase; http_uri; content:"|0d 0a|Authorization|3a 20|Basic|20|YWRtaW46YWRtaW4=|0d 0a|"; fast_pattern; http_header; flowbits:set,ET.Tomcat.login.attempt; reference:url,tomcat.apache.org; reference:url,doc.emergingthreats.net/2009217; classtype:attempted-admin; sid:2009217; rev:9; metadata:created_at 2010_07_30, updated_at 2020_02_24;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN abdullkarem Wordpress PHP Scanner"; flow:established,to_server; content:"GET"; http_method; content:".php?"; nocase; http_uri; content:"&php"; nocase; http_uri; distance:0; content:"&wphp"; nocase; http_uri; distance:0; content:"&abdullkarem="; nocase; http_uri; fast_pattern; distance:0; http_protocol; content:"HTTP/1.0"; depth:8; isdataat:!1,relative; http_header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; classtype:web-application-attack; sid:2021949; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2015_10_14, updated_at 2020_02_28;)
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Polaris Botnet User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|polaris botnet"; http_header; fast_pattern; classtype:attempted-admin; sid:2029577; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2020_03_05, updated_at 2020_03_05;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Apache mod_proxy Reverse Proxy Exposure 2"; flow:established,to_server; content:"|3a|@"; http_uri; http_request_line; content:"GET|20 3a|@"; depth:6; reference:url,www.contextis.com/research/blog/reverseproxybypass/; reference:url,mail-archives.apache.org/mod_mbox/httpd-announce/201110.mbox/%[email protected]%3E; classtype:attempted-recon; sid:2013792; rev:5; metadata:created_at 2011_10_24, updated_at 2020_03_11;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN libwww-perl GET to // with specific HTTP header ordering without libwww-perl User-Agent"; flow:established,to_server; content:"TE|3a 20|deflate,gzip|3b|q=0.3|0d 0a|Connection|3a 20|TE, close|0d 0a|Host|3a 20|"; http_header; depth:53; content:"User-Agent|3a 20|"; within:100; http_header; content:!"libwww-perl/"; http_user_agent; http_header_names; content:"|0d 0a|TE|0d 0a|Host|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:26; isdataat:!1,relative; http_request_line; content:"GET //"; fast_pattern; depth:6; threshold:type threshold, track by_dst, count 10, seconds 20; classtype:attempted-recon; sid:2013416; rev:10; metadata:created_at 2011_08_16, updated_at 2020_03_11;)
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Polaris Botnet User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|polaris|0d 0a|"; fast_pattern; http_header; metadata: former_category SCAN; classtype:attempted-admin; sid:2029645; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2020_03_18, updated_at 2020_03_18;)
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|APEP"; http_header; fast_pattern; metadata: former_category MALWARE; classtype:attempted-admin; sid:2029025; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2019_11_21, updated_at 2020_03_23;)
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|DVRBOT"; http_header; fast_pattern; metadata: former_category SCAN; classtype:attempted-admin; sid:2029759; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2020_03_29, updated_at 2020_03_29;)
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|iamdelta"; http_header; fast_pattern; classtype:attempted-admin; sid:2029763; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2020_03_30, updated_at 2020_03_30;)
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|NoIr_x.86/"; http_header; fast_pattern; classtype:attempted-admin; sid:2029769; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2020_03_31, updated_at 2020_03_31;)
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Hello/"; http_header; fast_pattern; classtype:attempted-admin; sid:2029792; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2020_04_02, updated_at 2020_04_02;)
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|XTC|0d 0a|"; http_header; fast_pattern; classtype:attempted-admin; sid:2029790; rev:2; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2020_04_02, updated_at 2020_04_03;)
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|XTC BOTNET|0d 0a|"; fast_pattern; http_header; classtype:attempted-admin; sid:2029808; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2020_04_03, updated_at 2020_04_03;)
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Kratos"; fast_pattern; http_header; classtype:attempted-admin; sid:2029929; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2020_04_17, updated_at 2020_04_17;)